grafana/pkg/api/utils.go

package api

import (
	"context"
	"errors"
	"net/http"
	"net/mail"

	"github.com/grafana/grafana/pkg/api/response"
	"github.com/grafana/grafana/pkg/middleware/cookies"
	contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
	"github.com/grafana/grafana/pkg/services/login"
	"github.com/grafana/grafana/pkg/services/user"
	"go.opentelemetry.io/otel/trace"
)

func (hs *HTTPServer) GetRedirectURL(c *contextmodel.ReqContext) string {
	redirectURL := hs.Cfg.AppSubURL + "/"
	if redirectTo := c.GetCookie("redirect_to"); len(redirectTo) > 0 {
		if err := hs.ValidateRedirectTo(redirectTo); err == nil {
			redirectURL = redirectTo
		} else {
			hs.log.FromContext(c.Req.Context()).Debug("Ignored invalid redirect_to cookie value", "redirect_to", redirectTo)
		}
		cookies.DeleteCookie(c.Resp, "redirect_to", hs.CookieOptionsFromCfg)
	}
	return redirectURL
}

func (hs *HTTPServer) errOnExternalUser(ctx context.Context, userID int64) response.Response {
	isExternal, err := hs.isExternalUser(ctx, userID)
	if err != nil {
		return response.Error(http.StatusInternalServerError, "Failed to validate User", err)
	}
	if isExternal {
		return response.Error(http.StatusForbidden, "Cannot update external User", nil)
	}
	return nil
}

func (hs *HTTPServer) isExternalUser(ctx context.Context, userID int64) (bool, error) {
	info, err := hs.authInfoService.GetAuthInfo(ctx, &login.GetAuthInfoQuery{UserId: userID})

	if errors.Is(err, user.ErrUserNotFound) {
		return false, nil
	}

	if err != nil {
		return true, err
	}

	return login.IsProviderEnabled(hs.Cfg, info.AuthModule, hs.SocialService.GetOAuthInfoProvider(info.AuthModule)), nil
}

func ValidateAndNormalizeEmail(email string) (string, error) {
	if email == "" {
		return "", nil
	}

	e, err := mail.ParseAddress(email)
	if err != nil {
		return "", err
	}

	return e.Address, nil
}

func (hs *HTTPServer) injectSpan(c *contextmodel.ReqContext, name string) (*contextmodel.ReqContext, trace.Span) {
	ctx, span := hs.tracer.Start(c.Req.Context(), name)
	c.Req = c.Req.WithContext(ctx)
	return c, span
}
Permissions: Validate against Team/User permission role update (#29101) * validate against role field update * lowercase error string * make all msgs consistent style * fix wording Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> * sayonara simple json Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> 2020-11-18 08:36:41 -06:00			`package api`

Fix: Email and username trimming and invitation validation (#58442) * fix: email and username trimming and invitation validation * Trim leading and trailing whitespaces from email and username on signup * Check whether the provided email address is the same as where the invitation sent * Align tests Co-authored-by: Mihaly Gyongyosi <mgyongyosi@users.noreply.github.com> 2022-11-14 06:11:26 -06:00			`import (`
User: use update function for password updates (#86419) * Update password through Update function instead * Remove duplicated to lower * Refactor password code 2024-04-17 08:24:36 -05:00			`"context"`
			`"errors"`
			`"net/http"`
Fix: Email and username trimming and invitation validation (#58442) * fix: email and username trimming and invitation validation * Trim leading and trailing whitespaces from email and username on signup * Check whether the provided email address is the same as where the invitation sent * Align tests Co-authored-by: Mihaly Gyongyosi <mgyongyosi@users.noreply.github.com> 2022-11-14 06:11:26 -06:00			`"net/mail"`
Auth: Add feature flag to move token rotation to client (#65060) * FeatureToggle: Add toggle to use a new way of rotating tokens * API: Add endpoints to perform token rotation, one endpoint for api request and one endpoint for redirectsd * Auth: Aling not authorized handling between auth middleware and access control middleware * API: add utility function to get redirect for login * API: Handle token rotation redirect for login page * Frontend: Add job scheduling for token rotation and make call to token rotation as fallback in retry request * ContextHandler: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * AuthN: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * Cookies: Add option NotHttpOnly * AuthToken: Add helper function to get next rotation time and another function to check if token need to be rotated * AuthN: Add function to delete session cookie and set expiry cookie Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2023-03-23 08:39:04 -05:00
User: use update function for password updates (#86419) * Update password through Update function instead * Remove duplicated to lower * Refactor password code 2024-04-17 08:24:36 -05:00			`"github.com/grafana/grafana/pkg/api/response"`
Auth: Add feature flag to move token rotation to client (#65060) * FeatureToggle: Add toggle to use a new way of rotating tokens * API: Add endpoints to perform token rotation, one endpoint for api request and one endpoint for redirectsd * Auth: Aling not authorized handling between auth middleware and access control middleware * API: add utility function to get redirect for login * API: Handle token rotation redirect for login page * Frontend: Add job scheduling for token rotation and make call to token rotation as fallback in retry request * ContextHandler: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * AuthN: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * Cookies: Add option NotHttpOnly * AuthToken: Add helper function to get next rotation time and another function to check if token need to be rotated * AuthN: Add function to delete session cookie and set expiry cookie Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2023-03-23 08:39:04 -05:00			`"github.com/grafana/grafana/pkg/middleware/cookies"`
			`contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"`
User: use update function for password updates (#86419) * Update password through Update function instead * Remove duplicated to lower * Refactor password code 2024-04-17 08:24:36 -05:00			`"github.com/grafana/grafana/pkg/services/login"`
			`"github.com/grafana/grafana/pkg/services/user"`
chore(tracing): add tracing for frontend and db session (#91509) This PR adds instrumentation for loading frontend SPA along with select methods in the dashboard service, and cleans up span handling in sqlstore. --------- Co-authored-by: Dave Henderson <dave.henderson@grafana.com> 2024-08-05 20:17:39 -05:00			`"go.opentelemetry.io/otel/trace"`
Fix: Email and username trimming and invitation validation (#58442) * fix: email and username trimming and invitation validation * Trim leading and trailing whitespaces from email and username on signup * Check whether the provided email address is the same as where the invitation sent * Align tests Co-authored-by: Mihaly Gyongyosi <mgyongyosi@users.noreply.github.com> 2022-11-14 06:11:26 -06:00			`)`
Permissions: Validate against Team/User permission role update (#29101) * validate against role field update * lowercase error string * make all msgs consistent style * fix wording Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> * sayonara simple json Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> 2020-11-18 08:36:41 -06:00
Auth: Add feature flag to move token rotation to client (#65060) * FeatureToggle: Add toggle to use a new way of rotating tokens * API: Add endpoints to perform token rotation, one endpoint for api request and one endpoint for redirectsd * Auth: Aling not authorized handling between auth middleware and access control middleware * API: add utility function to get redirect for login * API: Handle token rotation redirect for login page * Frontend: Add job scheduling for token rotation and make call to token rotation as fallback in retry request * ContextHandler: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * AuthN: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * Cookies: Add option NotHttpOnly * AuthToken: Add helper function to get next rotation time and another function to check if token need to be rotated * AuthN: Add function to delete session cookie and set expiry cookie Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2023-03-23 08:39:04 -05:00			`func (hs HTTPServer) GetRedirectURL(c contextmodel.ReqContext) string {`
			`redirectURL := hs.Cfg.AppSubURL + "/"`
			`if redirectTo := c.GetCookie("redirect_to"); len(redirectTo) > 0 {`
			`if err := hs.ValidateRedirectTo(redirectTo); err == nil {`
			`redirectURL = redirectTo`
			`} else {`
			`hs.log.FromContext(c.Req.Context()).Debug("Ignored invalid redirect_to cookie value", "redirect_to", redirectTo)`
			`}`
			`cookies.DeleteCookie(c.Resp, "redirect_to", hs.CookieOptionsFromCfg)`
			`}`
			`return redirectURL`
			`}`

User: use update function for password updates (#86419) * Update password through Update function instead * Remove duplicated to lower * Refactor password code 2024-04-17 08:24:36 -05:00			`func (hs *HTTPServer) errOnExternalUser(ctx context.Context, userID int64) response.Response {`
			`isExternal, err := hs.isExternalUser(ctx, userID)`
			`if err != nil {`
			`return response.Error(http.StatusInternalServerError, "Failed to validate User", err)`
			`}`
			`if isExternal {`
			`return response.Error(http.StatusForbidden, "Cannot update external User", nil)`
			`}`
			`return nil`
			`}`

			`func (hs *HTTPServer) isExternalUser(ctx context.Context, userID int64) (bool, error) {`
			`info, err := hs.authInfoService.GetAuthInfo(ctx, &login.GetAuthInfoQuery{UserId: userID})`

			`if errors.Is(err, user.ErrUserNotFound) {`
			`return false, nil`
			`}`

			`if err != nil {`
			`return true, err`
			`}`

			`return login.IsProviderEnabled(hs.Cfg, info.AuthModule, hs.SocialService.GetOAuthInfoProvider(info.AuthModule)), nil`
			`}`

Fix: Email and username trimming and invitation validation (#58442) * fix: email and username trimming and invitation validation * Trim leading and trailing whitespaces from email and username on signup * Check whether the provided email address is the same as where the invitation sent * Align tests Co-authored-by: Mihaly Gyongyosi <mgyongyosi@users.noreply.github.com> 2022-11-14 06:11:26 -06:00			`func ValidateAndNormalizeEmail(email string) (string, error) {`
			`if email == "" {`
			`return "", nil`
			`}`

			`e, err := mail.ParseAddress(email)`
			`if err != nil {`
			`return "", err`
			`}`

			`return e.Address, nil`
			`}`
chore(tracing): add tracing for frontend and db session (#91509) This PR adds instrumentation for loading frontend SPA along with select methods in the dashboard service, and cleans up span handling in sqlstore. --------- Co-authored-by: Dave Henderson <dave.henderson@grafana.com> 2024-08-05 20:17:39 -05:00
			`func (hs HTTPServer) injectSpan(c contextmodel.ReqContext, name string) (*contextmodel.ReqContext, trace.Span) {`
			`ctx, span := hs.tracer.Start(c.Req.Context(), name)`
			`c.Req = c.Req.WithContext(ctx)`
			`return c, span`
			`}`