grafana/pkg/middleware/auth.go

package middleware

import (
	"net/url"
	"regexp"
	"strconv"
	"strings"

	macaron "gopkg.in/macaron.v1"

	"github.com/grafana/grafana/pkg/middleware/cookies"
	"github.com/grafana/grafana/pkg/models"
	"github.com/grafana/grafana/pkg/setting"
)

type AuthOptions struct {
	ReqGrafanaAdmin bool
	ReqSignedIn     bool
}

func accessForbidden(c *models.ReqContext) {
	if c.IsApiRequest() {
		c.JsonApiErr(403, "Permission denied", nil)
		return
	}

	c.Redirect(setting.AppSubUrl + "/")
}

func notAuthorized(c *models.ReqContext) {
	if c.IsApiRequest() {
		c.JsonApiErr(401, "Unauthorized", nil)
		return
	}

	redirectTo := c.Req.RequestURI
	if setting.AppSubUrl != "" && !strings.HasPrefix(redirectTo, setting.AppSubUrl) {
		redirectTo = setting.AppSubUrl + c.Req.RequestURI
	}

	// remove any forceLogin=true params
	redirectTo = removeForceLoginParams(redirectTo)

	cookies.WriteCookie(c.Resp, "redirect_to", url.QueryEscape(redirectTo), 0, nil)
	c.Redirect(setting.AppSubUrl + "/login")
}

var forceLoginParamsRegexp = regexp.MustCompile(`&?forceLogin=true`)

func removeForceLoginParams(str string) string {
	return forceLoginParamsRegexp.ReplaceAllString(str, "")
}

func EnsureEditorOrViewerCanEdit(c *models.ReqContext) {
	if !c.SignedInUser.HasRole(models.ROLE_EDITOR) && !setting.ViewersCanEdit {
		accessForbidden(c)
	}
}

func RoleAuth(roles ...models.RoleType) macaron.Handler {
	return func(c *models.ReqContext) {
		ok := false
		for _, role := range roles {
			if role == c.OrgRole {
				ok = true
				break
			}
		}
		if !ok {
			accessForbidden(c)
		}
	}
}

func Auth(options *AuthOptions) macaron.Handler {
	return func(c *models.ReqContext) {
		forceLogin := false
		if c.AllowAnonymous {
			forceLoginParam, err := strconv.ParseBool(c.Req.URL.Query().Get("forceLogin"))
			if err == nil {
				forceLogin = forceLoginParam
			}

			if !forceLogin {
				orgIDValue := c.Req.URL.Query().Get("orgId")
				orgID, err := strconv.ParseInt(orgIDValue, 10, 64)
				if err == nil && orgID > 0 && orgID != c.OrgId {
					forceLogin = true
				}
			}
		}
		requireLogin := !c.AllowAnonymous || forceLogin
		if !c.IsSignedIn && options.ReqSignedIn && requireLogin {
			notAuthorized(c)
			return
		}

		if !c.IsGrafanaAdmin && options.ReqGrafanaAdmin {
			accessForbidden(c)
			return
		}
	}
}

// AdminOrFeatureEnabled creates a middleware that allows access
// if the signed in user is either an Org Admin or if the
// feature flag is enabled.
// Intended for when feature flags open up access to APIs that
// are otherwise only available to admins.
func AdminOrFeatureEnabled(enabled bool) macaron.Handler {
	return func(c *models.ReqContext) {
		if c.OrgRole == models.ROLE_ADMIN {
			return
		}

		if !enabled {
			accessForbidden(c)
		}
	}
}

// SnapshotPublicModeOrSignedIn creates a middleware that allows access
// if snapshot public mode is enabled or if user is signed in.
func SnapshotPublicModeOrSignedIn(cfg *setting.Cfg) macaron.Handler {
	return func(c *models.ReqContext) {
		if cfg.SnapshotPublicMode {
			return
		}

		if !c.IsSignedIn {
			notAuthorized(c)
			return
		}
	}
}
macaron transition progress 2014-10-05 14:13:01 -05:00			`package middleware`

			`import (`
Worked on login remember cookie, and redirect after login 2015-01-27 05:05:23 -06:00			`"net/url"`
Dashboard: Fixes kiosk state after being redirected to login page and back (#29273) * Login: Fixes issue where url parameters where modified by golang url code * Add tests * Fix test cases * Update pkg/middleware/auth_test.go Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com> * fixed formatting Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com> 2020-11-20 12:30:37 -06:00			`"regexp"`
Auth: Fix POST request failures with anonymous access (#26049) Macaron context.QueryBool() seems to modify the request context that causes the POST and PUT requests to fail with: "http: proxy error: net/http: HTTP/1.x transport connection broken: http: ContentLength=333 with Body length 0" 2020-07-06 07:59:00 -05:00			`"strconv"`
add Token authentication support Added CRUD methods for Tokens. Extend Auth Handler to check for the presence of a Bearer Authorization header to authenticate against. If there is no header, or the token is not valid, the Auth Handler falls back to looking for a Session. 2015-01-14 02:33:34 -06:00			`"strings"`
Progress on account and dashboard save/load 2014-11-20 08:19:44 -06:00
Viewers with viewers_can_edit should be able to access /explore (#15787) * fix: Viewers with viewers_can_edit should be able to access /explore #15773 * refactoring initial PR a bit to simplify function and reduce duplication 2019-03-05 05:41:01 -06:00			`macaron "gopkg.in/macaron.v1"`
Refactoring of api routes 2015-01-14 07:25:12 -06:00
Move middleware context handler logic to service (#29605) * middleware: Move context handler to own service Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Emil Tullsted <sakjur@users.noreply.github.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com> 2020-12-11 04:44:44 -06:00			`"github.com/grafana/grafana/pkg/middleware/cookies"`
chore: avoid aliasing models in middleware (#22484) 2020-02-28 05:50:58 -06:00			`"github.com/grafana/grafana/pkg/models"`
Changed go package path 2015-02-05 03:37:13 -06:00			`"github.com/grafana/grafana/pkg/setting"`
macaron transition progress 2014-10-05 14:13:01 -05:00			`)`

Refactoring of auth middleware, and starting work on account admin 2015-01-15 05:16:54 -06:00			`type AuthOptions struct {`
Big refactoring for context.User, and how current user info is fetching, now included collaborator role 2015-01-16 07:32:18 -06:00			`ReqGrafanaAdmin bool`
			`ReqSignedIn bool`
Refactoring of auth middleware, and starting work on account admin 2015-01-15 05:16:54 -06:00			`}`

chore: avoid aliasing models in middleware (#22484) 2020-02-28 05:50:58 -06:00			`func accessForbidden(c *models.ReqContext) {`
Refactoring of api routes 2015-01-14 07:25:12 -06:00			`if c.IsApiRequest() {`
fix(api auth): return 401 for authentication errors and 403 for access denied errors, fixes #2693 2015-09-08 03:46:31 -05:00			`c.JsonApiErr(403, "Permission denied", nil)`
			`return`
			`}`

redirect "permission denied" requests to "/" (#10773) 2018-02-05 11:17:47 -06:00			`c.Redirect(setting.AppSubUrl + "/")`
fix(api auth): return 401 for authentication errors and 403 for access denied errors, fixes #2693 2015-09-08 03:46:31 -05:00			`}`

chore: avoid aliasing models in middleware (#22484) 2020-02-28 05:50:58 -06:00			`func notAuthorized(c *models.ReqContext) {`
fix(api auth): return 401 for authentication errors and 403 for access denied errors, fixes #2693 2015-09-08 03:46:31 -05:00			`if c.IsApiRequest() {`
			`c.JsonApiErr(401, "Unauthorized", nil)`
Worked on login remember cookie, and redirect after login 2015-01-27 05:05:23 -06:00			`return`
Refactoring of api routes 2015-01-14 07:25:12 -06:00			`}`

API: Fix redirect issues (#22285) * Revert "API: Fix redirect issue when configured to use a subpath (#21652)" (#22671) This reverts commit 0e2d874ecf9277dcc17d562e05271917efc8b595. * Fix redirect validation (#22675) * Chore: Add test for parse of app url and app sub url Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> * Fix redirect: prepend subpath only if it's missing (#22676) * Validate redirect in login oauth (#22677) * Fix invalid redirect for authenticated user (#22678) * Login: Use correct path for OAuth logos Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> 2020-03-11 04:04:48 -05:00			`redirectTo := c.Req.RequestURI`
			`if setting.AppSubUrl != "" && !strings.HasPrefix(redirectTo, setting.AppSubUrl) {`
			`redirectTo = setting.AppSubUrl + c.Req.RequestURI`
			`}`
mark redirect_to cookie as http only closes #10829 2018-02-15 03:56:29 -06:00
Dashboard: Fixes kiosk state after being redirected to login page and back (#29273) * Login: Fixes issue where url parameters where modified by golang url code * Add tests * Fix test cases * Update pkg/middleware/auth_test.go Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com> * fixed formatting Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com> 2020-11-20 12:30:37 -06:00			`// remove any forceLogin=true params`
			`redirectTo = removeForceLoginParams(redirectTo)`

Move middleware context handler logic to service (#29605) * middleware: Move context handler to own service Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Emil Tullsted <sakjur@users.noreply.github.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com> 2020-12-11 04:44:44 -06:00			`cookies.WriteCookie(c.Resp, "redirect_to", url.QueryEscape(redirectTo), 0, nil)`
Work on making grafana work in sub url 2015-01-04 14:03:40 -06:00			`c.Redirect(setting.AppSubUrl + "/login")`
macaron transition progress 2014-10-05 14:13:01 -05:00			`}`

Dashboard: Fixes kiosk state after being redirected to login page and back (#29273) * Login: Fixes issue where url parameters where modified by golang url code * Add tests * Fix test cases * Update pkg/middleware/auth_test.go Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com> * fixed formatting Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com> 2020-11-20 12:30:37 -06:00			var forceLoginParamsRegexp = regexp.MustCompile(`&?forceLogin=true`)

			`func removeForceLoginParams(str string) string {`
			`return forceLoginParamsRegexp.ReplaceAllString(str, "")`
			`}`

chore: avoid aliasing models in middleware (#22484) 2020-02-28 05:50:58 -06:00			`func EnsureEditorOrViewerCanEdit(c *models.ReqContext) {`
			`if !c.SignedInUser.HasRole(models.ROLE_EDITOR) && !setting.ViewersCanEdit {`
Viewers with viewers_can_edit should be able to access /explore (#15787) * fix: Viewers with viewers_can_edit should be able to access /explore #15773 * refactoring initial PR a bit to simplify function and reduce duplication 2019-03-05 05:41:01 -06:00			`accessForbidden(c)`
			`}`
			`}`

chore: avoid aliasing models in middleware (#22484) 2020-02-28 05:50:58 -06:00			`func RoleAuth(roles ...models.RoleType) macaron.Handler {`
			`return func(c *models.ReqContext) {`
Role checking when saving dashboard, making sure that the user has owner or editor role 2015-01-16 08:28:44 -06:00			`ok := false`
			`for _, role := range roles {`
Big Backend Refatoring: Renamed Account -> Org 2015-02-23 13:07:49 -06:00			`if role == c.OrgRole {`
Role checking when saving dashboard, making sure that the user has owner or editor role 2015-01-16 08:28:44 -06:00			`ok = true`
			`break`
			`}`
			`}`
			`if !ok {`
fix(api auth): return 401 for authentication errors and 403 for access denied errors, fixes #2693 2015-09-08 03:46:31 -05:00			`accessForbidden(c)`
Role checking when saving dashboard, making sure that the user has owner or editor role 2015-01-16 08:28:44 -06:00			`}`
			`}`
			`}`

Refactoring of auth middleware, and starting work on account admin 2015-01-15 05:16:54 -06:00			`func Auth(options *AuthOptions) macaron.Handler {`
chore: avoid aliasing models in middleware (#22484) 2020-02-28 05:50:58 -06:00			`return func(c *models.ReqContext) {`
Auth: Fix POST request failures with anonymous access (#26049) Macaron context.QueryBool() seems to modify the request context that causes the POST and PUT requests to fail with: "http: proxy error: net/http: HTTP/1.x transport connection broken: http: ContentLength=333 with Body length 0" 2020-07-06 07:59:00 -05:00			`forceLogin := false`
			`if c.AllowAnonymous {`
			`forceLoginParam, err := strconv.ParseBool(c.Req.URL.Query().Get("forceLogin"))`
			`if err == nil {`
			`forceLogin = forceLoginParam`
			`}`
Auth: Should redirect to login when anonymous enabled and URL with different org than anonymous specified (#28158) If anonymous access is enabled for an org and there are multiple orgs. When requesting a page that requires user to be logged in and orgId query string is set in the request url to an org not equal the anonymous org, if the user is not logged in should be redirected to the login page. Fixes #26120 Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com> 2020-10-23 09:34:35 -05:00
			`if !forceLogin {`
			`orgIDValue := c.Req.URL.Query().Get("orgId")`
			`orgID, err := strconv.ParseInt(orgIDValue, 10, 64)`
			`if err == nil && orgID > 0 && orgID != c.OrgId {`
			`forceLogin = true`
			`}`
			`}`
Auth: Fix POST request failures with anonymous access (#26049) Macaron context.QueryBool() seems to modify the request context that causes the POST and PUT requests to fail with: "http: proxy error: net/http: HTTP/1.x transport connection broken: http: ContentLength=333 with Body length 0" 2020-07-06 07:59:00 -05:00			`}`
Auth: Add support for forcing authentication in anonymous mode and modify SignIn to use it instead of redirect (#25567) * Forbid additional redirect urls * Optionally force login in anonymous mode * Update LoginCtrl page to ignore redirect parameter * Modify SignIn to set forceLogin query instead of redirect * Pass appUrl to frontend and use URL API for updating url query * Apply suggestions from code review Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix SignIn test Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> 2020-06-16 08:33:44 -05:00			`requireLogin := !c.AllowAnonymous \|\| forceLogin`
			`if !c.IsSignedIn && options.ReqSignedIn && requireLogin {`
fix(api auth): return 401 for authentication errors and 403 for access denied errors, fixes #2693 2015-09-08 03:46:31 -05:00			`notAuthorized(c)`
Refactoring of auth middleware, and starting work on account admin 2015-01-15 05:16:54 -06:00			`return`
			`}`
add Token authentication support Added CRUD methods for Tokens. Extend Auth Handler to check for the presence of a Bearer Authorization header to authenticate against. If there is no header, or the token is not valid, the Auth Handler falls back to looking for a Session. 2015-01-14 02:33:34 -06:00
fix(api auth): return 401 for authentication errors and 403 for access denied errors, fixes #2693 2015-09-08 03:46:31 -05:00			`if !c.IsGrafanaAdmin && options.ReqGrafanaAdmin {`
			`accessForbidden(c)`
Refactoring of auth middleware, and starting work on account admin 2015-01-15 05:16:54 -06:00			`return`
add Token authentication support Added CRUD methods for Tokens. Extend Auth Handler to check for the presence of a Bearer Authorization header to authenticate against. If there is no header, or the token is not valid, the Auth Handler falls back to looking for a Session. 2015-01-14 02:33:34 -06:00			`}`
macaron transition progress 2014-10-05 14:13:01 -05:00			`}`
			`}`
teams: editors can work with teams. 2019-03-06 03:27:38 -06:00
teams: better names for api permissions. 2019-03-14 04:02:46 -05:00			`// AdminOrFeatureEnabled creates a middleware that allows access`
			`// if the signed in user is either an Org Admin or if the`
			`// feature flag is enabled.`
			`// Intended for when feature flags open up access to APIs that`
			`// are otherwise only available to admins.`
			`func AdminOrFeatureEnabled(enabled bool) macaron.Handler {`
chore: avoid aliasing models in middleware (#22484) 2020-02-28 05:50:58 -06:00			`return func(c *models.ReqContext) {`
			`if c.OrgRole == models.ROLE_ADMIN {`
teams: viewers and editors can view teams 2019-03-13 04:38:09 -05:00			`return`
teams: editors can work with teams. 2019-03-06 03:27:38 -06:00			`}`

teams: viewers and editors can view teams 2019-03-13 04:38:09 -05:00			`if !enabled {`
teams: editors can work with teams. 2019-03-06 03:27:38 -06:00			`accessForbidden(c)`
			`}`
			`}`
			`}`
Snapshot: Fix http api (#18830) (cherry picked from commit be2e2330f5c1f92082841d7eb13c5583143963a4) 2019-09-02 08:15:46 -05:00
Snapshots: Disallow anonymous user to create snapshots (#31263) 2021-02-17 02:51:50 -06:00			`// SnapshotPublicModeOrSignedIn creates a middleware that allows access`
			`// if snapshot public mode is enabled or if user is signed in.`
Move middleware context handler logic to service (#29605) * middleware: Move context handler to own service Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Emil Tullsted <sakjur@users.noreply.github.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com> 2020-12-11 04:44:44 -06:00			`func SnapshotPublicModeOrSignedIn(cfg *setting.Cfg) macaron.Handler {`
chore: avoid aliasing models in middleware (#22484) 2020-02-28 05:50:58 -06:00			`return func(c *models.ReqContext) {`
Move middleware context handler logic to service (#29605) * middleware: Move context handler to own service Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Emil Tullsted <sakjur@users.noreply.github.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com> 2020-12-11 04:44:44 -06:00			`if cfg.SnapshotPublicMode {`
Snapshot: Fix http api (#18830) (cherry picked from commit be2e2330f5c1f92082841d7eb13c5583143963a4) 2019-09-02 08:15:46 -05:00			`return`
			`}`

Snapshots: Disallow anonymous user to create snapshots (#31263) 2021-02-17 02:51:50 -06:00			`if !c.IsSignedIn {`
			`notAuthorized(c)`
			`return`
Snapshot: Fix http api (#18830) (cherry picked from commit be2e2330f5c1f92082841d7eb13c5583143963a4) 2019-09-02 08:15:46 -05:00			`}`
			`}`
			`}`