grafana/pkg/services/contexthandler/auth_jwt.go

package contexthandler

import (
	"errors"
	"net/http"

	"github.com/grafana/grafana/pkg/login"
	"github.com/grafana/grafana/pkg/models"
	"github.com/grafana/grafana/pkg/services/user"
)

const InvalidJWT = "Invalid JWT"
const UserNotFound = "User not found"

func (h *ContextHandler) initContextWithJWT(ctx *models.ReqContext, orgId int64) bool {
	if !h.Cfg.JWTAuthEnabled || h.Cfg.JWTAuthHeaderName == "" {
		return false
	}

	jwtToken := ctx.Req.Header.Get(h.Cfg.JWTAuthHeaderName)
	if jwtToken == "" && h.Cfg.JWTAuthURLLogin {
		jwtToken = ctx.Req.URL.Query().Get("auth_token")
	}

	if jwtToken == "" {
		return false
	}

	claims, err := h.JWTAuthService.Verify(ctx.Req.Context(), jwtToken)
	if err != nil {
		ctx.Logger.Debug("Failed to verify JWT", "error", err)
		ctx.JsonApiErr(http.StatusUnauthorized, InvalidJWT, err)
		return true
	}

	query := models.GetSignedInUserQuery{OrgId: orgId}

	sub, _ := claims["sub"].(string)

	if sub == "" {
		ctx.Logger.Warn("Got a JWT without the mandatory 'sub' claim", "error", err)
		ctx.JsonApiErr(http.StatusUnauthorized, InvalidJWT, err)
		return true
	}
	extUser := &models.ExternalUserInfo{
		AuthModule: "jwt",
		AuthId:     sub,
	}

	if key := h.Cfg.JWTAuthUsernameClaim; key != "" {
		query.Login, _ = claims[key].(string)
		extUser.Login, _ = claims[key].(string)
	}
	if key := h.Cfg.JWTAuthEmailClaim; key != "" {
		query.Email, _ = claims[key].(string)
		extUser.Email, _ = claims[key].(string)
	}

	if name, _ := claims["name"].(string); name != "" {
		extUser.Name = name
	}

	if query.Login == "" && query.Email == "" {
		ctx.Logger.Debug("Failed to get an authentication claim from JWT")
		ctx.JsonApiErr(http.StatusUnauthorized, InvalidJWT, err)
		return true
	}

	if h.Cfg.JWTAuthAutoSignUp {
		upsert := &models.UpsertUserCommand{
			ReqContext:    ctx,
			SignupAllowed: h.Cfg.JWTAuthAutoSignUp,
			ExternalUser:  extUser,
			UserLookupParams: models.UserLookupParams{
				UserID: nil,
				Login:  &query.Login,
				Email:  &query.Email,
			},
		}
		if err := h.loginService.UpsertUser(ctx.Req.Context(), upsert); err != nil {
			ctx.Logger.Error("Failed to upsert JWT user", "error", err)
			return false
		}
	}

	if err := h.SQLStore.GetSignedInUserWithCacheCtx(ctx.Req.Context(), &query); err != nil {
		if errors.Is(err, user.ErrUserNotFound) {
			ctx.Logger.Debug(
				"Failed to find user using JWT claims",
				"email_claim", query.Email,
				"username_claim", query.Login,
			)
			err = login.ErrInvalidCredentials
			ctx.JsonApiErr(http.StatusUnauthorized, UserNotFound, err)
		} else {
			ctx.Logger.Error("Failed to get signed in user", "error", err)
			ctx.JsonApiErr(http.StatusUnauthorized, InvalidJWT, err)
		}
		return true
	}

	ctx.SignedInUser = query.Result
	ctx.IsSignedIn = true

	return true
}
Auth: support JWT Authentication (#29995) 2021-03-31 10:40:44 -05:00			`package contexthandler`

			`import (`
			`"errors"`
JWT: Add JWT proxy setup devenv (#51731) * JWT: Add JWT Auth devenv * Auth: JWT allow retrieving login token Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * JWT: Add JWT Auth Proxy devenv * JWT: Add instructions to readme * JWT: Add JWT users * JWT: Remove oauth users * revert session changes, unnecessary Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2022-07-07 09:28:04 -05:00			`"net/http"`
Auth: support JWT Authentication (#29995) 2021-03-31 10:40:44 -05:00
			`"github.com/grafana/grafana/pkg/login"`
			`"github.com/grafana/grafana/pkg/models"`
Chore: Move user errors to user service (#52460) * Move user not found err to user service * User ErrCaseInsensitive from user pkg * User ErrUserAlreadyExists from user pkg * User ErrLastGrafanaAdmin from user pkg * Remove errors from model 2022-07-20 07:50:06 -05:00			`"github.com/grafana/grafana/pkg/services/user"`
Auth: support JWT Authentication (#29995) 2021-03-31 10:40:44 -05:00			`)`

			`const InvalidJWT = "Invalid JWT"`
Auth: implement auto_sign_up for auth.jwt (#43502) Co-authored-by: James Brown <jbrown@easypost.com> 2022-01-13 10:15:22 -06:00			`const UserNotFound = "User not found"`
Auth: support JWT Authentication (#29995) 2021-03-31 10:40:44 -05:00
			`func (h ContextHandler) initContextWithJWT(ctx models.ReqContext, orgId int64) bool {`
			`if !h.Cfg.JWTAuthEnabled \|\| h.Cfg.JWTAuthHeaderName == "" {`
			`return false`
			`}`

			`jwtToken := ctx.Req.Header.Get(h.Cfg.JWTAuthHeaderName)`
Auth: Implement Token URL JWT Auth (#52662) * Auth: check of auth_token in url and resolve user if present * check if auth_token is passed in url * Auth: Pass auth_token for request if present in path * no need to decode token in index * temp * use loadURLToken and set authorization header * cache token in memory and strip it from url * Use loadURLToken * Keep token in url * strip sensitive query strings from url used by context logger * adapt login by url to jwt token * add jwt iframe devenv * add jwt iframe devenv instructions * add access note * add test for cleaning request * ensure jwt token is not carried into handlers * do not reshuffle queries, might be important * add correct db dump location * prefer set token instead of cached token Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2022-07-27 09:10:47 -05:00			`if jwtToken == "" && h.Cfg.JWTAuthURLLogin {`
			`jwtToken = ctx.Req.URL.Query().Get("auth_token")`
			`}`

Auth: support JWT Authentication (#29995) 2021-03-31 10:40:44 -05:00			`if jwtToken == "" {`
			`return false`
			`}`

			`claims, err := h.JWTAuthService.Verify(ctx.Req.Context(), jwtToken)`
			`if err != nil {`
			`ctx.Logger.Debug("Failed to verify JWT", "error", err)`
JWT: Add JWT proxy setup devenv (#51731) * JWT: Add JWT Auth devenv * Auth: JWT allow retrieving login token Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * JWT: Add JWT Auth Proxy devenv * JWT: Add instructions to readme * JWT: Add JWT users * JWT: Remove oauth users * revert session changes, unnecessary Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2022-07-07 09:28:04 -05:00			`ctx.JsonApiErr(http.StatusUnauthorized, InvalidJWT, err)`
Auth: support JWT Authentication (#29995) 2021-03-31 10:40:44 -05:00			`return true`
			`}`

			`query := models.GetSignedInUserQuery{OrgId: orgId}`

Auth: implement auto_sign_up for auth.jwt (#43502) Co-authored-by: James Brown <jbrown@easypost.com> 2022-01-13 10:15:22 -06:00			`sub, _ := claims["sub"].(string)`

			`if sub == "" {`
			`ctx.Logger.Warn("Got a JWT without the mandatory 'sub' claim", "error", err)`
JWT: Add JWT proxy setup devenv (#51731) * JWT: Add JWT Auth devenv * Auth: JWT allow retrieving login token Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * JWT: Add JWT Auth Proxy devenv * JWT: Add instructions to readme * JWT: Add JWT users * JWT: Remove oauth users * revert session changes, unnecessary Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2022-07-07 09:28:04 -05:00			`ctx.JsonApiErr(http.StatusUnauthorized, InvalidJWT, err)`
Auth: implement auto_sign_up for auth.jwt (#43502) Co-authored-by: James Brown <jbrown@easypost.com> 2022-01-13 10:15:22 -06:00			`return true`
			`}`
			`extUser := &models.ExternalUserInfo{`
			`AuthModule: "jwt",`
			`AuthId: sub,`
			`}`

Auth: support JWT Authentication (#29995) 2021-03-31 10:40:44 -05:00			`if key := h.Cfg.JWTAuthUsernameClaim; key != "" {`
			`query.Login, _ = claims[key].(string)`
Auth: implement auto_sign_up for auth.jwt (#43502) Co-authored-by: James Brown <jbrown@easypost.com> 2022-01-13 10:15:22 -06:00			`extUser.Login, _ = claims[key].(string)`
Auth: support JWT Authentication (#29995) 2021-03-31 10:40:44 -05:00			`}`
			`if key := h.Cfg.JWTAuthEmailClaim; key != "" {`
			`query.Email, _ = claims[key].(string)`
Auth: implement auto_sign_up for auth.jwt (#43502) Co-authored-by: James Brown <jbrown@easypost.com> 2022-01-13 10:15:22 -06:00			`extUser.Email, _ = claims[key].(string)`
			`}`

			`if name, _ := claims["name"].(string); name != "" {`
			`extUser.Name = name`
Auth: support JWT Authentication (#29995) 2021-03-31 10:40:44 -05:00			`}`

			`if query.Login == "" && query.Email == "" {`
			`ctx.Logger.Debug("Failed to get an authentication claim from JWT")`
JWT: Add JWT proxy setup devenv (#51731) * JWT: Add JWT Auth devenv * Auth: JWT allow retrieving login token Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * JWT: Add JWT Auth Proxy devenv * JWT: Add instructions to readme * JWT: Add JWT users * JWT: Remove oauth users * revert session changes, unnecessary Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2022-07-07 09:28:04 -05:00			`ctx.JsonApiErr(http.StatusUnauthorized, InvalidJWT, err)`
Auth: support JWT Authentication (#29995) 2021-03-31 10:40:44 -05:00			`return true`
			`}`

Auth: implement auto_sign_up for auth.jwt (#43502) Co-authored-by: James Brown <jbrown@easypost.com> 2022-01-13 10:15:22 -06:00			`if h.Cfg.JWTAuthAutoSignUp {`
			`upsert := &models.UpsertUserCommand{`
			`ReqContext: ctx,`
			`SignupAllowed: h.Cfg.JWTAuthAutoSignUp,`
			`ExternalUser: extUser,`
Fix: Choose Lookup params per auth module (#395) (#52312) Co-authored-by: Karl Persson <kalle.persson@grafana.com> Fix: Prefer pointer to struct in lookup Co-authored-by: Karl Persson <kalle.persson@grafana.com> Fix: user email for ldap Co-authored-by: Karl Persson <kalle.persson@grafana.com> Fix: Use only login for lookup in LDAP Co-authored-by: Karl Persson <kalle.persson@grafana.com> Fix: use user email for ldap Co-authored-by: Karl Persson <kalle.persson@grafana.com> fix remaining test fix nit picks 2022-07-15 04:21:09 -05:00			`UserLookupParams: models.UserLookupParams{`
			`UserID: nil,`
			`Login: &query.Login,`
			`Email: &query.Email,`
			`},`
Auth: implement auto_sign_up for auth.jwt (#43502) Co-authored-by: James Brown <jbrown@easypost.com> 2022-01-13 10:15:22 -06:00			`}`
Chore: Remove bus from contexthandler (#47458) * Chore: remove bus from contexthandler * remove bus from orgredirect 2022-04-08 03:33:19 -05:00			`if err := h.loginService.UpsertUser(ctx.Req.Context(), upsert); err != nil {`
Auth: implement auto_sign_up for auth.jwt (#43502) Co-authored-by: James Brown <jbrown@easypost.com> 2022-01-13 10:15:22 -06:00			`ctx.Logger.Error("Failed to upsert JWT user", "error", err)`
			`return false`
			`}`
			`}`

Chore: Remove bus from contexthandler (#47374) * Chore: Remove bus from contexthandler * fix tests * try different wire binding * maybe remove a few more dispatches * fix tests 2022-04-06 09:31:26 -05:00			`if err := h.SQLStore.GetSignedInUserWithCacheCtx(ctx.Req.Context(), &query); err != nil {`
Chore: Move user errors to user service (#52460) * Move user not found err to user service * User ErrCaseInsensitive from user pkg * User ErrUserAlreadyExists from user pkg * User ErrLastGrafanaAdmin from user pkg * Remove errors from model 2022-07-20 07:50:06 -05:00			`if errors.Is(err, user.ErrUserNotFound) {`
Auth: support JWT Authentication (#29995) 2021-03-31 10:40:44 -05:00			`ctx.Logger.Debug(`
			`"Failed to find user using JWT claims",`
			`"email_claim", query.Email,`
			`"username_claim", query.Login,`
			`)`
			`err = login.ErrInvalidCredentials`
JWT: Add JWT proxy setup devenv (#51731) * JWT: Add JWT Auth devenv * Auth: JWT allow retrieving login token Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * JWT: Add JWT Auth Proxy devenv * JWT: Add instructions to readme * JWT: Add JWT users * JWT: Remove oauth users * revert session changes, unnecessary Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2022-07-07 09:28:04 -05:00			`ctx.JsonApiErr(http.StatusUnauthorized, UserNotFound, err)`
Auth: support JWT Authentication (#29995) 2021-03-31 10:40:44 -05:00			`} else {`
			`ctx.Logger.Error("Failed to get signed in user", "error", err)`
JWT: Add JWT proxy setup devenv (#51731) * JWT: Add JWT Auth devenv * Auth: JWT allow retrieving login token Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * JWT: Add JWT Auth Proxy devenv * JWT: Add instructions to readme * JWT: Add JWT users * JWT: Remove oauth users * revert session changes, unnecessary Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2022-07-07 09:28:04 -05:00			`ctx.JsonApiErr(http.StatusUnauthorized, InvalidJWT, err)`
Auth: support JWT Authentication (#29995) 2021-03-31 10:40:44 -05:00			`}`
			`return true`
			`}`

			`ctx.SignedInUser = query.Result`
			`ctx.IsSignedIn = true`

			`return true`
			`}`