grafana/pkg/middleware/middleware.go

package middleware

import (
	"fmt"
	"strings"

	contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
	"github.com/grafana/grafana/pkg/services/org"
	"github.com/grafana/grafana/pkg/setting"
	"github.com/grafana/grafana/pkg/web"
)

var (
	ReqGrafanaAdmin = Auth(&AuthOptions{
		ReqSignedIn:     true,
		ReqGrafanaAdmin: true,
	})
	ReqSignedIn            = Auth(&AuthOptions{ReqSignedIn: true})
	ReqSignedInNoAnonymous = Auth(&AuthOptions{ReqSignedIn: true, ReqNoAnonynmous: true})
	ReqEditorRole          = RoleAuth(org.RoleEditor, org.RoleAdmin)
	ReqOrgAdmin            = RoleAuth(org.RoleAdmin)
)

func HandleNoCacheHeader(ctx *contextmodel.ReqContext) {
	ctx.SkipCache = ctx.Req.Header.Get("X-Grafana-NoCache") == "true"
}

func AddDefaultResponseHeaders(cfg *setting.Cfg) web.Handler {
	t := web.NewTree()
	t.Add("/api/datasources/uid/:uid/resources/*", nil)
	t.Add("/api/datasources/:id/resources/*", nil)
	return func(c *web.Context) {
		c.Resp.Before(func(w web.ResponseWriter) { // if response has already been written, skip.
			if w.Written() {
				return
			}

			_, _, resourceURLMatch := t.Match(c.Req.URL.Path)
			resourceCachable := resourceURLMatch && allowCacheControl(c.Resp)
			if !strings.HasPrefix(c.Req.URL.Path, "/api/datasources/proxy/") && !resourceCachable {
				addNoCacheHeaders(c.Resp)
			}

			if !cfg.AllowEmbedding {
				addXFrameOptionsDenyHeader(w)
			}
			addSecurityHeaders(w, cfg)
		})
	}
}

// addSecurityHeaders adds HTTP(S) response headers that enable various security protections in the client's browser.
func addSecurityHeaders(w web.ResponseWriter, cfg *setting.Cfg) {
	if cfg.StrictTransportSecurity {
		strictHeaderValues := []string{fmt.Sprintf("max-age=%v", cfg.StrictTransportSecurityMaxAge)}
		if cfg.StrictTransportSecurityPreload {
			strictHeaderValues = append(strictHeaderValues, "preload")
		}
		if cfg.StrictTransportSecuritySubDomains {
			strictHeaderValues = append(strictHeaderValues, "includeSubDomains")
		}
		w.Header().Set("Strict-Transport-Security", strings.Join(strictHeaderValues, "; "))
	}

	if cfg.ContentTypeProtectionHeader {
		w.Header().Set("X-Content-Type-Options", "nosniff")
	}

	if cfg.XSSProtectionHeader {
		w.Header().Set("X-XSS-Protection", "1; mode=block")
	}
}

func addNoCacheHeaders(w web.ResponseWriter) {
	w.Header().Set("Cache-Control", "no-store")
	w.Header().Del("Pragma")
	w.Header().Del("Expires")
}

func addXFrameOptionsDenyHeader(w web.ResponseWriter) {
	w.Header().Set("X-Frame-Options", "deny")
}

func AddCustomResponseHeaders(cfg *setting.Cfg) web.Handler {
	return func(c *web.Context) {
		c.Resp.Before(func(w web.ResponseWriter) {
			if w.Written() {
				return
			}

			for header, value := range cfg.CustomResponseHeaders {
				// do not override existing headers
				if w.Header().Get(header) != "" {
					continue
				}
				w.Header().Set(header, value)
			}
		})
	}
}

func allowCacheControl(rw web.ResponseWriter) bool {
	ccHeaderValues := rw.Header().Values("Cache-Control")

	if len(ccHeaderValues) == 0 {
		return false
	}

	foundPrivate := false
	foundPublic := false
	for _, val := range ccHeaderValues {
		strings.Contains(val, "private")
		if strings.Contains(val, "private") {
			foundPrivate = true
		}
		if strings.Contains(val, "public") {
			foundPublic = true
		}
	}

	return foundPrivate && !foundPublic && rw.Header().Get("X-Grafana-Cache") != ""
}
Macaron rewrite 2014-10-05 09:50:04 -05:00			`package middleware`

			`import (`
middleware: add security related HTTP(S) response headers (#17522) * x_xss_protection * strict_transport_security (HSTS) * x_content_type_options these are currently defaulted to false (off) until the next minor release. fixes #17509 2019-06-12 06:15:50 -05:00			`"fmt"`
Security: Responses from backend should not be cached (#16848) Currently all API requests set Cache-control: no-cache to avoid browsers caching sensitive data. This fixes so that all responses returned from backend not are cached using http headers. The exception is the data proxy where we don't add these http headers in case datasource backend needs to control whether data can be cached or not. Fixes #16845 2019-05-06 02:22:59 -05:00			`"strings"`
Macaron rewrite 2014-10-05 09:50:04 -05:00
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports 2023-01-27 01:50:36 -06:00			`contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"`
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2 2022-08-10 04:56:48 -05:00			`"github.com/grafana/grafana/pkg/services/org"`
Changed go package path 2015-02-05 03:37:13 -06:00			`"github.com/grafana/grafana/pkg/setting"`
Chore: replace macaron with web package (#40136) * replace macaron with web package * add web.go 2021-10-11 07:30:59 -05:00			`"github.com/grafana/grafana/pkg/web"`
Auth: consistently return same basic auth errors (#18310) * Auth: consistently return same basic auth errors * Put repeated errors in consts and return only those consts as error strings * Add tests for errors basic auth cases and moves tests to separate test-case. Also names test cases consistently * Add more error logs and makes their messages consistent * A bit of code style * Add additional test helper * Auth: do not expose even incorrect password * Auth: address review comments Use `Debug` for the cases when it's an user error 2019-08-02 04:16:31 -05:00			`)`

made it possible to have frontend code in symlinked folders that can add routes 2018-10-11 05:36:04 -05:00			`var (`
Auth: consistently return same basic auth errors (#18310) * Auth: consistently return same basic auth errors * Put repeated errors in consts and return only those consts as error strings * Add tests for errors basic auth cases and moves tests to separate test-case. Also names test cases consistently * Add more error logs and makes their messages consistent * A bit of code style * Add additional test helper * Auth: do not expose even incorrect password * Auth: address review comments Use `Debug` for the cases when it's an user error 2019-08-02 04:16:31 -05:00			`ReqGrafanaAdmin = Auth(&AuthOptions{`
			`ReqSignedIn: true,`
			`ReqGrafanaAdmin: true,`
			`})`
Profile: Fixes profile preferences being accessible when anonymous access was enabled (#31516) * Profile: Fixes profile preferences page being available when anonymous access was enabled * Minor change * Renamed property 2021-02-27 11:04:28 -06:00			`ReqSignedIn = Auth(&AuthOptions{ReqSignedIn: true})`
			`ReqSignedInNoAnonymous = Auth(&AuthOptions{ReqSignedIn: true, ReqNoAnonynmous: true})`
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2 2022-08-10 04:56:48 -05:00			`ReqEditorRole = RoleAuth(org.RoleEditor, org.RoleAdmin)`
			`ReqOrgAdmin = RoleAuth(org.RoleAdmin)`
made it possible to have frontend code in symlinked folders that can add routes 2018-10-11 05:36:04 -05:00			`)`

Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports 2023-01-27 01:50:36 -06:00			`func HandleNoCacheHeader(ctx *contextmodel.ReqContext) {`
Middleware: Add CSP support (#29740) * Middleware: Add support for CSP Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored by @iOrcohen 2021-01-12 00:42:32 -06:00			`ctx.SkipCache = ctx.Req.Header.Get("X-Grafana-NoCache") == "true"`
			`}`

Chore: replace macaron with web package (#40136) * replace macaron with web package * add web.go 2021-10-11 07:30:59 -05:00			`func AddDefaultResponseHeaders(cfg *setting.Cfg) web.Handler {`
API: Permit Cache-Control (browser caching) for datasource resources (#62033) * Start work on allowing certain resources to pass through Cache-Control headers. --------- Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> 2023-02-02 14:34:55 -06:00			`t := web.NewTree()`
			`t.Add("/api/datasources/uid/:uid/resources/*", nil)`
			`t.Add("/api/datasources/:id/resources/*", nil)`
Chore: replace macaron with web package (#40136) * replace macaron with web package * add web.go 2021-10-11 07:30:59 -05:00			`return func(c *web.Context) {`
API: Permit Cache-Control (browser caching) for datasource resources (#62033) * Start work on allowing certain resources to pass through Cache-Control headers. --------- Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> 2023-02-02 14:34:55 -06:00			`c.Resp.Before(func(w web.ResponseWriter) { // if response has already been written, skip.`
API: Improve recovery middleware when response already been written (#22256) Suppresses stacktrace in recovery middleware if error is http.ErrAbortHandler. Skips writing response error in recovery middleware if resoonse have already been written. Skips try rotate of auth token if response have already been written. Skips adding default response headers if response have already been written. Fixes #15728 Ref #18082 Co-Authored-By: Arve Knudsen <arve.knudsen@gmail.com> 2020-02-18 15:53:40 -06:00			`if w.Written() {`
			`return`
			`}`

API: Permit Cache-Control (browser caching) for datasource resources (#62033) * Start work on allowing certain resources to pass through Cache-Control headers. --------- Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> 2023-02-02 14:34:55 -06:00			`_, _, resourceURLMatch := t.Match(c.Req.URL.Path)`
			`resourceCachable := resourceURLMatch && allowCacheControl(c.Resp)`
			`if !strings.HasPrefix(c.Req.URL.Path, "/api/datasources/proxy/") && !resourceCachable {`
Middleware: Add CSP support (#29740) * Middleware: Add support for CSP Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored by @iOrcohen 2021-01-12 00:42:32 -06:00			`addNoCacheHeaders(c.Resp)`
Security: Responses from backend should not be cached (#16848) Currently all API requests set Cache-control: no-cache to avoid browsers caching sensitive data. This fixes so that all responses returned from backend not are cached using http headers. The exception is the data proxy where we don't add these http headers in case datasource backend needs to control whether data can be cached or not. Fixes #16845 2019-05-06 02:22:59 -05:00			`}`
Security: Add new setting allow_embedding (#16853) When allow_embedding is false (default) the Grafana backend will set the http header `X-Frame-Options: deny` in all responses to non-static content which will instruct browser to not allow Grafana to be embedded in `<frame>`, `<iframe>`, `<embed>` or `<object>`. Closes #14189 2019-05-06 02:56:23 -05:00
Move middleware context handler logic to service (#29605) * middleware: Move context handler to own service Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Emil Tullsted <sakjur@users.noreply.github.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com> 2020-12-11 04:44:44 -06:00			`if !cfg.AllowEmbedding {`
			`addXFrameOptionsDenyHeader(w)`
Security: Add new setting allow_embedding (#16853) When allow_embedding is false (default) the Grafana backend will set the http header `X-Frame-Options: deny` in all responses to non-static content which will instruct browser to not allow Grafana to be embedded in `<frame>`, `<iframe>`, `<embed>` or `<object>`. Closes #14189 2019-05-06 02:56:23 -05:00			`}`
Move middleware context handler logic to service (#29605) * middleware: Move context handler to own service Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Emil Tullsted <sakjur@users.noreply.github.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com> 2020-12-11 04:44:44 -06:00			`addSecurityHeaders(w, cfg)`
Security: Responses from backend should not be cached (#16848) Currently all API requests set Cache-control: no-cache to avoid browsers caching sensitive data. This fixes so that all responses returned from backend not are cached using http headers. The exception is the data proxy where we don't add these http headers in case datasource backend needs to control whether data can be cached or not. Fixes #16845 2019-05-06 02:22:59 -05:00			`})`
api: adds no-cache header for GET requests Fixes #5356. Internet Explorer aggressively caches GET requests which means that all API calls fetching data are cached. This fix adds a Cache-Control header with the value no-cache to all GET requests to the API. 2017-07-04 09:33:37 -05:00			`}`
			`}`
Security: Responses from backend should not be cached (#16848) Currently all API requests set Cache-control: no-cache to avoid browsers caching sensitive data. This fixes so that all responses returned from backend not are cached using http headers. The exception is the data proxy where we don't add these http headers in case datasource backend needs to control whether data can be cached or not. Fixes #16845 2019-05-06 02:22:59 -05:00
Move middleware context handler logic to service (#29605) * middleware: Move context handler to own service Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Emil Tullsted <sakjur@users.noreply.github.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com> 2020-12-11 04:44:44 -06:00			`// addSecurityHeaders adds HTTP(S) response headers that enable various security protections in the client's browser.`
Chore: replace macaron with web package (#40136) * replace macaron with web package * add web.go 2021-10-11 07:30:59 -05:00			`func addSecurityHeaders(w web.ResponseWriter, cfg *setting.Cfg) {`
Middleware: Don't require HTTPS for HSTS headers to be emitted (#35147) Grafana itself may not be serving content over HTTPS, but it may be behind a transparent proxy which does. Fixes #26770. Based on #26868. 2022-01-28 00:23:28 -06:00			`if cfg.StrictTransportSecurity {`
Move middleware context handler logic to service (#29605) * middleware: Move context handler to own service Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Emil Tullsted <sakjur@users.noreply.github.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com> 2020-12-11 04:44:44 -06:00			`strictHeaderValues := []string{fmt.Sprintf("max-age=%v", cfg.StrictTransportSecurityMaxAge)}`
			`if cfg.StrictTransportSecurityPreload {`
middleware: fix Strict-Transport-Security header (#17644) fixes #17641 2019-06-18 13:24:23 -05:00			`strictHeaderValues = append(strictHeaderValues, "preload")`
middleware: add security related HTTP(S) response headers (#17522) * x_xss_protection * strict_transport_security (HSTS) * x_content_type_options these are currently defaulted to false (off) until the next minor release. fixes #17509 2019-06-12 06:15:50 -05:00			`}`
Move middleware context handler logic to service (#29605) * middleware: Move context handler to own service Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Emil Tullsted <sakjur@users.noreply.github.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com> 2020-12-11 04:44:44 -06:00			`if cfg.StrictTransportSecuritySubDomains {`
middleware: fix Strict-Transport-Security header (#17644) fixes #17641 2019-06-18 13:24:23 -05:00			`strictHeaderValues = append(strictHeaderValues, "includeSubDomains")`
middleware: add security related HTTP(S) response headers (#17522) * x_xss_protection * strict_transport_security (HSTS) * x_content_type_options these are currently defaulted to false (off) until the next minor release. fixes #17509 2019-06-12 06:15:50 -05:00			`}`
Chore: Use Header.Set method instead of Header.Add (#29804) Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> 2020-12-14 08:13:01 -06:00			`w.Header().Set("Strict-Transport-Security", strings.Join(strictHeaderValues, "; "))`
middleware: add security related HTTP(S) response headers (#17522) * x_xss_protection * strict_transport_security (HSTS) * x_content_type_options these are currently defaulted to false (off) until the next minor release. fixes #17509 2019-06-12 06:15:50 -05:00			`}`

Move middleware context handler logic to service (#29605) * middleware: Move context handler to own service Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Emil Tullsted <sakjur@users.noreply.github.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com> 2020-12-11 04:44:44 -06:00			`if cfg.ContentTypeProtectionHeader {`
Chore: Use Header.Set method instead of Header.Add (#29804) Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> 2020-12-14 08:13:01 -06:00			`w.Header().Set("X-Content-Type-Options", "nosniff")`
middleware: add security related HTTP(S) response headers (#17522) * x_xss_protection * strict_transport_security (HSTS) * x_content_type_options these are currently defaulted to false (off) until the next minor release. fixes #17509 2019-06-12 06:15:50 -05:00			`}`

Move middleware context handler logic to service (#29605) * middleware: Move context handler to own service Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Emil Tullsted <sakjur@users.noreply.github.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com> 2020-12-11 04:44:44 -06:00			`if cfg.XSSProtectionHeader {`
Chore: Use Header.Set method instead of Header.Add (#29804) Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> 2020-12-14 08:13:01 -06:00			`w.Header().Set("X-XSS-Protection", "1; mode=block")`
middleware: add security related HTTP(S) response headers (#17522) * x_xss_protection * strict_transport_security (HSTS) * x_content_type_options these are currently defaulted to false (off) until the next minor release. fixes #17509 2019-06-12 06:15:50 -05:00			`}`
			`}`

Chore: replace macaron with web package (#40136) * replace macaron with web package * add web.go 2021-10-11 07:30:59 -05:00			`func addNoCacheHeaders(w web.ResponseWriter) {`
API: Change how Cache-Control and related headers are set (#62021) - change Cache-Control from no-cache to no-store - do not set (and remove if set) older Pragma/Expires 2023-01-25 08:09:27 -06:00			`w.Header().Set("Cache-Control", "no-store")`
			`w.Header().Del("Pragma")`
			`w.Header().Del("Expires")`
Security: Responses from backend should not be cached (#16848) Currently all API requests set Cache-control: no-cache to avoid browsers caching sensitive data. This fixes so that all responses returned from backend not are cached using http headers. The exception is the data proxy where we don't add these http headers in case datasource backend needs to control whether data can be cached or not. Fixes #16845 2019-05-06 02:22:59 -05:00			`}`
Security: Add new setting allow_embedding (#16853) When allow_embedding is false (default) the Grafana backend will set the http header `X-Frame-Options: deny` in all responses to non-static content which will instruct browser to not allow Grafana to be embedded in `<frame>`, `<iframe>`, `<embed>` or `<object>`. Closes #14189 2019-05-06 02:56:23 -05:00
Chore: replace macaron with web package (#40136) * replace macaron with web package * add web.go 2021-10-11 07:30:59 -05:00			`func addXFrameOptionsDenyHeader(w web.ResponseWriter) {`
Chore: Use Header.Set method instead of Header.Add (#29804) Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> 2020-12-14 08:13:01 -06:00			`w.Header().Set("X-Frame-Options", "deny")`
Security: Add new setting allow_embedding (#16853) When allow_embedding is false (default) the Grafana backend will set the http header `X-Frame-Options: deny` in all responses to non-static content which will instruct browser to not allow Grafana to be embedded in `<frame>`, `<iframe>`, `<embed>` or `<object>`. Closes #14189 2019-05-06 02:56:23 -05:00			`}`
Middleware: Add Custom Headers to HTTP responses (#59018) * Middleware: Add Custom Headers to HTTP responses * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Update conf/defaults.ini Co-authored-by: Dave Henderson <dave.henderson@grafana.com> * Update conf/sample.ini Co-authored-by: Dave Henderson <dave.henderson@grafana.com> * Update _index.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> Co-authored-by: Dave Henderson <dave.henderson@grafana.com> 2022-11-30 11:12:34 -06:00
			`func AddCustomResponseHeaders(cfg *setting.Cfg) web.Handler {`
			`return func(c *web.Context) {`
			`c.Resp.Before(func(w web.ResponseWriter) {`
			`if w.Written() {`
			`return`
			`}`

			`for header, value := range cfg.CustomResponseHeaders {`
			`// do not override existing headers`
			`if w.Header().Get(header) != "" {`
			`continue`
			`}`
			`w.Header().Set(header, value)`
			`}`
			`})`
			`}`
			`}`
API: Permit Cache-Control (browser caching) for datasource resources (#62033) * Start work on allowing certain resources to pass through Cache-Control headers. --------- Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> 2023-02-02 14:34:55 -06:00
			`func allowCacheControl(rw web.ResponseWriter) bool {`
			`ccHeaderValues := rw.Header().Values("Cache-Control")`

			`if len(ccHeaderValues) == 0 {`
			`return false`
			`}`

			`foundPrivate := false`
			`foundPublic := false`
			`for _, val := range ccHeaderValues {`
API: Cache-Control (browser caching) for datasource resources: part 2 (#63060) * Check if header string contains "public" or "private" target values 2023-02-27 14:55:22 -06:00			`strings.Contains(val, "private")`
			`if strings.Contains(val, "private") {`
API: Permit Cache-Control (browser caching) for datasource resources (#62033) * Start work on allowing certain resources to pass through Cache-Control headers. --------- Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> 2023-02-02 14:34:55 -06:00			`foundPrivate = true`
			`}`
API: Cache-Control (browser caching) for datasource resources: part 2 (#63060) * Check if header string contains "public" or "private" target values 2023-02-27 14:55:22 -06:00			`if strings.Contains(val, "public") {`
API: Permit Cache-Control (browser caching) for datasource resources (#62033) * Start work on allowing certain resources to pass through Cache-Control headers. --------- Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> 2023-02-02 14:34:55 -06:00			`foundPublic = true`
			`}`
			`}`

			`return foundPrivate && !foundPublic && rw.Header().Get("X-Grafana-Cache") != ""`
			`}`