2014-10-05 09:50:04 -05:00
|
|
|
package middleware
|
|
|
|
|
|
|
|
import (
|
2019-06-12 06:15:50 -05:00
|
|
|
"fmt"
|
2019-05-06 02:22:59 -05:00
|
|
|
"strings"
|
2014-10-05 09:50:04 -05:00
|
|
|
|
2019-06-26 01:47:03 -05:00
|
|
|
"github.com/grafana/grafana/pkg/models"
|
2022-08-10 04:56:48 -05:00
|
|
|
"github.com/grafana/grafana/pkg/services/org"
|
2015-02-05 03:37:13 -06:00
|
|
|
"github.com/grafana/grafana/pkg/setting"
|
2021-10-11 07:30:59 -05:00
|
|
|
"github.com/grafana/grafana/pkg/web"
|
2019-08-02 04:16:31 -05:00
|
|
|
)
|
|
|
|
|
2018-10-11 05:36:04 -05:00
|
|
|
var (
|
2019-08-02 04:16:31 -05:00
|
|
|
ReqGrafanaAdmin = Auth(&AuthOptions{
|
|
|
|
ReqSignedIn: true,
|
|
|
|
ReqGrafanaAdmin: true,
|
|
|
|
})
|
2021-02-27 11:04:28 -06:00
|
|
|
ReqSignedIn = Auth(&AuthOptions{ReqSignedIn: true})
|
|
|
|
ReqSignedInNoAnonymous = Auth(&AuthOptions{ReqSignedIn: true, ReqNoAnonynmous: true})
|
2022-08-10 04:56:48 -05:00
|
|
|
ReqEditorRole = RoleAuth(org.RoleEditor, org.RoleAdmin)
|
|
|
|
ReqOrgAdmin = RoleAuth(org.RoleAdmin)
|
2018-10-11 05:36:04 -05:00
|
|
|
)
|
|
|
|
|
2021-01-12 00:42:32 -06:00
|
|
|
func HandleNoCacheHeader(ctx *models.ReqContext) {
|
|
|
|
ctx.SkipCache = ctx.Req.Header.Get("X-Grafana-NoCache") == "true"
|
|
|
|
}
|
|
|
|
|
2021-10-11 07:30:59 -05:00
|
|
|
func AddDefaultResponseHeaders(cfg *setting.Cfg) web.Handler {
|
|
|
|
return func(c *web.Context) {
|
|
|
|
c.Resp.Before(func(w web.ResponseWriter) {
|
2020-02-18 15:53:40 -06:00
|
|
|
// if response has already been written, skip.
|
|
|
|
if w.Written() {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2021-01-12 00:42:32 -06:00
|
|
|
if !strings.HasPrefix(c.Req.URL.Path, "/api/datasources/proxy/") {
|
|
|
|
addNoCacheHeaders(c.Resp)
|
2019-05-06 02:22:59 -05:00
|
|
|
}
|
2019-05-06 02:56:23 -05:00
|
|
|
|
2020-12-11 04:44:44 -06:00
|
|
|
if !cfg.AllowEmbedding {
|
|
|
|
addXFrameOptionsDenyHeader(w)
|
2019-05-06 02:56:23 -05:00
|
|
|
}
|
2019-06-12 06:15:50 -05:00
|
|
|
|
2020-12-11 04:44:44 -06:00
|
|
|
addSecurityHeaders(w, cfg)
|
2019-05-06 02:22:59 -05:00
|
|
|
})
|
2017-07-04 09:33:37 -05:00
|
|
|
}
|
|
|
|
}
|
2019-05-06 02:22:59 -05:00
|
|
|
|
2020-12-11 04:44:44 -06:00
|
|
|
// addSecurityHeaders adds HTTP(S) response headers that enable various security protections in the client's browser.
|
2021-10-11 07:30:59 -05:00
|
|
|
func addSecurityHeaders(w web.ResponseWriter, cfg *setting.Cfg) {
|
2022-01-28 00:23:28 -06:00
|
|
|
if cfg.StrictTransportSecurity {
|
2020-12-11 04:44:44 -06:00
|
|
|
strictHeaderValues := []string{fmt.Sprintf("max-age=%v", cfg.StrictTransportSecurityMaxAge)}
|
|
|
|
if cfg.StrictTransportSecurityPreload {
|
2019-06-18 13:24:23 -05:00
|
|
|
strictHeaderValues = append(strictHeaderValues, "preload")
|
2019-06-12 06:15:50 -05:00
|
|
|
}
|
2020-12-11 04:44:44 -06:00
|
|
|
if cfg.StrictTransportSecuritySubDomains {
|
2019-06-18 13:24:23 -05:00
|
|
|
strictHeaderValues = append(strictHeaderValues, "includeSubDomains")
|
2019-06-12 06:15:50 -05:00
|
|
|
}
|
2020-12-14 08:13:01 -06:00
|
|
|
w.Header().Set("Strict-Transport-Security", strings.Join(strictHeaderValues, "; "))
|
2019-06-12 06:15:50 -05:00
|
|
|
}
|
|
|
|
|
2020-12-11 04:44:44 -06:00
|
|
|
if cfg.ContentTypeProtectionHeader {
|
2020-12-14 08:13:01 -06:00
|
|
|
w.Header().Set("X-Content-Type-Options", "nosniff")
|
2019-06-12 06:15:50 -05:00
|
|
|
}
|
|
|
|
|
2020-12-11 04:44:44 -06:00
|
|
|
if cfg.XSSProtectionHeader {
|
2020-12-14 08:13:01 -06:00
|
|
|
w.Header().Set("X-XSS-Protection", "1; mode=block")
|
2019-06-12 06:15:50 -05:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-10-11 07:30:59 -05:00
|
|
|
func addNoCacheHeaders(w web.ResponseWriter) {
|
2020-12-14 08:13:01 -06:00
|
|
|
w.Header().Set("Cache-Control", "no-cache")
|
|
|
|
w.Header().Set("Pragma", "no-cache")
|
|
|
|
w.Header().Set("Expires", "-1")
|
2019-05-06 02:22:59 -05:00
|
|
|
}
|
2019-05-06 02:56:23 -05:00
|
|
|
|
2021-10-11 07:30:59 -05:00
|
|
|
func addXFrameOptionsDenyHeader(w web.ResponseWriter) {
|
2020-12-14 08:13:01 -06:00
|
|
|
w.Header().Set("X-Frame-Options", "deny")
|
2019-05-06 02:56:23 -05:00
|
|
|
}
|
2022-11-30 11:12:34 -06:00
|
|
|
|
|
|
|
func AddCustomResponseHeaders(cfg *setting.Cfg) web.Handler {
|
|
|
|
return func(c *web.Context) {
|
|
|
|
c.Resp.Before(func(w web.ResponseWriter) {
|
|
|
|
if w.Written() {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
for header, value := range cfg.CustomResponseHeaders {
|
|
|
|
// do not override existing headers
|
|
|
|
if w.Header().Get(header) != "" {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
w.Header().Set(header, value)
|
|
|
|
}
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|