2015-05-01 04:55:59 -05:00
|
|
|
package middleware
|
|
|
|
|
|
|
|
import (
|
2015-05-01 15:26:16 -05:00
|
|
|
"encoding/json"
|
2015-05-01 04:55:59 -05:00
|
|
|
"net/http"
|
|
|
|
"net/http/httptest"
|
2015-05-01 15:26:16 -05:00
|
|
|
"path/filepath"
|
2015-05-01 04:55:59 -05:00
|
|
|
"testing"
|
|
|
|
|
2019-01-23 05:41:15 -06:00
|
|
|
msession "github.com/go-macaron/session"
|
2015-05-01 15:26:16 -05:00
|
|
|
"github.com/grafana/grafana/pkg/bus"
|
|
|
|
m "github.com/grafana/grafana/pkg/models"
|
2018-03-06 16:59:45 -06:00
|
|
|
"github.com/grafana/grafana/pkg/services/session"
|
2015-05-02 02:24:56 -05:00
|
|
|
"github.com/grafana/grafana/pkg/setting"
|
2015-05-01 15:26:16 -05:00
|
|
|
"github.com/grafana/grafana/pkg/util"
|
2015-05-01 04:55:59 -05:00
|
|
|
. "github.com/smartystreets/goconvey/convey"
|
2016-01-13 08:38:54 -06:00
|
|
|
"gopkg.in/macaron.v1"
|
2015-05-01 04:55:59 -05:00
|
|
|
)
|
|
|
|
|
2015-05-01 09:23:36 -05:00
|
|
|
func TestMiddlewareContext(t *testing.T) {
|
2018-11-02 04:49:46 -05:00
|
|
|
setting.ERR_TEMPLATE_NAME = "error-template"
|
2015-05-01 04:55:59 -05:00
|
|
|
|
2015-05-02 02:24:56 -05:00
|
|
|
Convey("Given the grafana middleware", t, func() {
|
2015-05-01 09:23:36 -05:00
|
|
|
middlewareScenario("middleware should add context to injector", func(sc *scenarioContext) {
|
2015-05-02 02:24:56 -05:00
|
|
|
sc.fakeReq("GET", "/").exec()
|
2015-05-01 09:23:36 -05:00
|
|
|
So(sc.context, ShouldNotBeNil)
|
2015-05-01 04:55:59 -05:00
|
|
|
})
|
|
|
|
|
2015-05-01 09:23:36 -05:00
|
|
|
middlewareScenario("Default middleware should allow get request", func(sc *scenarioContext) {
|
2015-05-02 02:24:56 -05:00
|
|
|
sc.fakeReq("GET", "/").exec()
|
2015-05-01 09:23:36 -05:00
|
|
|
So(sc.resp.Code, ShouldEqual, 200)
|
2015-05-01 04:55:59 -05:00
|
|
|
})
|
2015-05-01 09:23:36 -05:00
|
|
|
|
2017-07-04 09:33:37 -05:00
|
|
|
middlewareScenario("middleware should add Cache-Control header for GET requests to API", func(sc *scenarioContext) {
|
|
|
|
sc.fakeReq("GET", "/api/search").exec()
|
|
|
|
So(sc.resp.Header().Get("Cache-Control"), ShouldEqual, "no-cache")
|
2017-07-06 11:56:22 -05:00
|
|
|
So(sc.resp.Header().Get("Pragma"), ShouldEqual, "no-cache")
|
|
|
|
So(sc.resp.Header().Get("Expires"), ShouldEqual, "-1")
|
2017-07-04 09:33:37 -05:00
|
|
|
})
|
|
|
|
|
|
|
|
middlewareScenario("middleware should not add Cache-Control header to for non-API GET requests", func(sc *scenarioContext) {
|
|
|
|
sc.fakeReq("GET", "/").exec()
|
|
|
|
So(sc.resp.Header().Get("Cache-Control"), ShouldBeEmpty)
|
|
|
|
})
|
|
|
|
|
2015-05-01 15:26:16 -05:00
|
|
|
middlewareScenario("Invalid api key", func(sc *scenarioContext) {
|
|
|
|
sc.apiKey = "invalid_key_test"
|
2015-05-02 02:24:56 -05:00
|
|
|
sc.fakeReq("GET", "/").exec()
|
2015-05-01 15:26:16 -05:00
|
|
|
|
|
|
|
Convey("Should not init session", func() {
|
|
|
|
So(sc.resp.Header().Get("Set-Cookie"), ShouldBeEmpty)
|
|
|
|
})
|
|
|
|
|
|
|
|
Convey("Should return 401", func() {
|
|
|
|
So(sc.resp.Code, ShouldEqual, 401)
|
|
|
|
So(sc.respJson["message"], ShouldEqual, "Invalid API key")
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
2015-06-30 02:37:52 -05:00
|
|
|
middlewareScenario("Using basic auth", func(sc *scenarioContext) {
|
|
|
|
|
|
|
|
bus.AddHandler("test", func(query *m.GetUserByLoginQuery) error {
|
|
|
|
query.Result = &m.User{
|
|
|
|
Password: util.EncodePassword("myPass", "salt"),
|
|
|
|
Salt: "salt",
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
})
|
|
|
|
|
2018-02-08 16:13:58 -06:00
|
|
|
bus.AddHandler("test", func(loginUserQuery *m.LoginUserQuery) error {
|
2016-12-13 03:00:33 -06:00
|
|
|
return nil
|
|
|
|
})
|
|
|
|
|
2015-06-30 02:37:52 -05:00
|
|
|
bus.AddHandler("test", func(query *m.GetSignedInUserQuery) error {
|
|
|
|
query.Result = &m.SignedInUser{OrgId: 2, UserId: 12}
|
|
|
|
return nil
|
|
|
|
})
|
|
|
|
|
|
|
|
setting.BasicAuthEnabled = true
|
|
|
|
authHeader := util.GetBasicAuthHeader("myUser", "myPass")
|
2018-06-28 05:08:32 -05:00
|
|
|
sc.fakeReq("GET", "/").withAuthorizationHeader(authHeader).exec()
|
2015-06-30 02:37:52 -05:00
|
|
|
|
|
|
|
Convey("Should init middleware context with user", func() {
|
|
|
|
So(sc.context.IsSignedIn, ShouldEqual, true)
|
|
|
|
So(sc.context.OrgId, ShouldEqual, 2)
|
|
|
|
So(sc.context.UserId, ShouldEqual, 12)
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
2015-05-01 15:26:16 -05:00
|
|
|
middlewareScenario("Valid api key", func(sc *scenarioContext) {
|
|
|
|
keyhash := util.EncodePassword("v5nAwpMafFP6znaS4urhdWDLS5511M42", "asd")
|
|
|
|
|
|
|
|
bus.AddHandler("test", func(query *m.GetApiKeyByNameQuery) error {
|
|
|
|
query.Result = &m.ApiKey{OrgId: 12, Role: m.ROLE_EDITOR, Key: keyhash}
|
|
|
|
return nil
|
|
|
|
})
|
|
|
|
|
2015-05-02 02:24:56 -05:00
|
|
|
sc.fakeReq("GET", "/").withValidApiKey().exec()
|
2015-05-01 15:26:16 -05:00
|
|
|
|
|
|
|
Convey("Should return 200", func() {
|
|
|
|
So(sc.resp.Code, ShouldEqual, 200)
|
|
|
|
})
|
|
|
|
|
|
|
|
Convey("Should init middleware context", func() {
|
2015-05-02 02:24:56 -05:00
|
|
|
So(sc.context.IsSignedIn, ShouldEqual, true)
|
2015-05-01 15:26:16 -05:00
|
|
|
So(sc.context.OrgId, ShouldEqual, 12)
|
|
|
|
So(sc.context.OrgRole, ShouldEqual, m.ROLE_EDITOR)
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
2015-05-02 02:24:56 -05:00
|
|
|
middlewareScenario("Valid api key, but does not match db hash", func(sc *scenarioContext) {
|
|
|
|
keyhash := "something_not_matching"
|
|
|
|
|
|
|
|
bus.AddHandler("test", func(query *m.GetApiKeyByNameQuery) error {
|
|
|
|
query.Result = &m.ApiKey{OrgId: 12, Role: m.ROLE_EDITOR, Key: keyhash}
|
|
|
|
return nil
|
|
|
|
})
|
|
|
|
|
|
|
|
sc.fakeReq("GET", "/").withValidApiKey().exec()
|
|
|
|
|
|
|
|
Convey("Should return api key invalid", func() {
|
|
|
|
So(sc.resp.Code, ShouldEqual, 401)
|
|
|
|
So(sc.respJson["message"], ShouldEqual, "Invalid API key")
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
2018-06-28 05:08:32 -05:00
|
|
|
middlewareScenario("Valid api key via Basic auth", func(sc *scenarioContext) {
|
|
|
|
keyhash := util.EncodePassword("v5nAwpMafFP6znaS4urhdWDLS5511M42", "asd")
|
|
|
|
|
|
|
|
bus.AddHandler("test", func(query *m.GetApiKeyByNameQuery) error {
|
|
|
|
query.Result = &m.ApiKey{OrgId: 12, Role: m.ROLE_EDITOR, Key: keyhash}
|
|
|
|
return nil
|
|
|
|
})
|
|
|
|
|
|
|
|
authHeader := util.GetBasicAuthHeader("api_key", "eyJrIjoidjVuQXdwTWFmRlA2em5hUzR1cmhkV0RMUzU1MTFNNDIiLCJuIjoiYXNkIiwiaWQiOjF9")
|
|
|
|
sc.fakeReq("GET", "/").withAuthorizationHeader(authHeader).exec()
|
|
|
|
|
|
|
|
Convey("Should return 200", func() {
|
|
|
|
So(sc.resp.Code, ShouldEqual, 200)
|
|
|
|
})
|
|
|
|
|
|
|
|
Convey("Should init middleware context", func() {
|
|
|
|
So(sc.context.IsSignedIn, ShouldEqual, true)
|
|
|
|
So(sc.context.OrgId, ShouldEqual, 12)
|
|
|
|
So(sc.context.OrgRole, ShouldEqual, m.ROLE_EDITOR)
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
2019-01-22 06:51:55 -06:00
|
|
|
middlewareScenario("Auth token service", func(sc *scenarioContext) {
|
|
|
|
var wasCalled bool
|
|
|
|
sc.userAuthTokenService.initContextWithTokenProvider = func(ctx *m.ReqContext, orgId int64) bool {
|
|
|
|
wasCalled = true
|
|
|
|
return false
|
|
|
|
}
|
2015-05-02 02:24:56 -05:00
|
|
|
|
|
|
|
sc.fakeReq("GET", "/").exec()
|
|
|
|
|
2019-01-22 06:51:55 -06:00
|
|
|
Convey("should call middleware", func() {
|
|
|
|
So(wasCalled, ShouldBeTrue)
|
2015-05-02 02:24:56 -05:00
|
|
|
})
|
|
|
|
})
|
|
|
|
|
|
|
|
middlewareScenario("When anonymous access is enabled", func(sc *scenarioContext) {
|
|
|
|
setting.AnonymousEnabled = true
|
|
|
|
setting.AnonymousOrgName = "test"
|
|
|
|
setting.AnonymousOrgRole = string(m.ROLE_EDITOR)
|
|
|
|
|
|
|
|
bus.AddHandler("test", func(query *m.GetOrgByNameQuery) error {
|
|
|
|
So(query.Name, ShouldEqual, "test")
|
|
|
|
|
|
|
|
query.Result = &m.Org{Id: 2, Name: "test"}
|
|
|
|
return nil
|
|
|
|
})
|
|
|
|
|
|
|
|
sc.fakeReq("GET", "/").exec()
|
|
|
|
|
|
|
|
Convey("should init context with org info", func() {
|
|
|
|
So(sc.context.UserId, ShouldEqual, 0)
|
|
|
|
So(sc.context.OrgId, ShouldEqual, 2)
|
|
|
|
So(sc.context.OrgRole, ShouldEqual, m.ROLE_EDITOR)
|
|
|
|
})
|
|
|
|
|
|
|
|
Convey("context signed in should be false", func() {
|
|
|
|
So(sc.context.IsSignedIn, ShouldBeFalse)
|
|
|
|
})
|
|
|
|
})
|
2015-05-02 05:06:58 -05:00
|
|
|
|
|
|
|
middlewareScenario("When auth_proxy is enabled enabled and user exists", func(sc *scenarioContext) {
|
|
|
|
setting.AuthProxyEnabled = true
|
|
|
|
setting.AuthProxyHeaderName = "X-WEBAUTH-USER"
|
|
|
|
setting.AuthProxyHeaderProperty = "username"
|
2018-04-16 15:17:01 -05:00
|
|
|
setting.LdapEnabled = false
|
2015-05-02 05:06:58 -05:00
|
|
|
|
|
|
|
bus.AddHandler("test", func(query *m.GetSignedInUserQuery) error {
|
|
|
|
query.Result = &m.SignedInUser{OrgId: 2, UserId: 12}
|
|
|
|
return nil
|
|
|
|
})
|
|
|
|
|
2018-03-23 14:50:07 -05:00
|
|
|
bus.AddHandler("test", func(cmd *m.UpsertUserCommand) error {
|
2018-03-23 10:16:11 -05:00
|
|
|
cmd.Result = &m.User{Id: 12}
|
2018-03-22 16:02:34 -05:00
|
|
|
return nil
|
2018-03-23 14:50:07 -05:00
|
|
|
})
|
2018-03-22 16:02:34 -05:00
|
|
|
|
2019-01-23 05:41:15 -06:00
|
|
|
setting.SessionOptions = msession.Options{}
|
2015-05-02 05:06:58 -05:00
|
|
|
sc.fakeReq("GET", "/")
|
|
|
|
sc.req.Header.Add("X-WEBAUTH-USER", "torkelo")
|
|
|
|
sc.exec()
|
|
|
|
|
|
|
|
Convey("should init context with user info", func() {
|
|
|
|
So(sc.context.IsSignedIn, ShouldBeTrue)
|
|
|
|
So(sc.context.UserId, ShouldEqual, 12)
|
|
|
|
So(sc.context.OrgId, ShouldEqual, 2)
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
|
|
|
middlewareScenario("When auth_proxy is enabled enabled and user does not exists", func(sc *scenarioContext) {
|
|
|
|
setting.AuthProxyEnabled = true
|
|
|
|
setting.AuthProxyHeaderName = "X-WEBAUTH-USER"
|
|
|
|
setting.AuthProxyHeaderProperty = "username"
|
|
|
|
setting.AuthProxyAutoSignUp = true
|
2018-04-16 15:17:01 -05:00
|
|
|
setting.LdapEnabled = false
|
2015-05-02 05:06:58 -05:00
|
|
|
|
|
|
|
bus.AddHandler("test", func(query *m.GetSignedInUserQuery) error {
|
|
|
|
if query.UserId > 0 {
|
|
|
|
query.Result = &m.SignedInUser{OrgId: 4, UserId: 33}
|
|
|
|
return nil
|
|
|
|
}
|
Outdent code after if block that ends with return (golint)
This commit fixes the following golint warnings:
pkg/bus/bus.go:64:9: if block ends with a return statement, so drop this else and outdent its block
pkg/bus/bus.go:84:9: if block ends with a return statement, so drop this else and outdent its block
pkg/components/dynmap/dynmap.go:137:10: if block ends with a return statement, so drop this else and outdent its block
pkg/components/dynmap/dynmap.go:177:9: if block ends with a return statement, so drop this else and outdent its block
pkg/components/dynmap/dynmap.go:183:10: if block ends with a return statement, so drop this else and outdent its block
pkg/components/dynmap/dynmap.go:199:9: if block ends with a return statement, so drop this else and outdent its block
pkg/components/dynmap/dynmap.go:208:9: if block ends with a return statement, so drop this else and outdent its block (move short variable declaration to its own line if necessary)
pkg/components/dynmap/dynmap.go:236:9: if block ends with a return statement, so drop this else and outdent its block
pkg/components/dynmap/dynmap.go:242:10: if block ends with a return statement, so drop this else and outdent its block
pkg/components/dynmap/dynmap.go:257:9: if block ends with a return statement, so drop this else and outdent its block
pkg/components/dynmap/dynmap.go:263:10: if block ends with a return statement, so drop this else and outdent its block
pkg/components/dynmap/dynmap.go:278:9: if block ends with a return statement, so drop this else and outdent its block
pkg/components/dynmap/dynmap.go:284:10: if block ends with a return statement, so drop this else and outdent its block
pkg/components/dynmap/dynmap.go:299:9: if block ends with a return statement, so drop this else and outdent its block
pkg/components/dynmap/dynmap.go:331:9: if block ends with a return statement, so drop this else and outdent its block
pkg/components/dynmap/dynmap.go:350:9: if block ends with a return statement, so drop this else and outdent its block
pkg/components/dynmap/dynmap.go:356:10: if block ends with a return statement, so drop this else and outdent its block
pkg/components/dynmap/dynmap.go:366:12: if block ends with a return statement, so drop this else and outdent its block
pkg/components/dynmap/dynmap.go:390:9: if block ends with a return statement, so drop this else and outdent its block
pkg/components/dynmap/dynmap.go:396:10: if block ends with a return statement, so drop this else and outdent its block
pkg/components/dynmap/dynmap.go:405:12: if block ends with a return statement, so drop this else and outdent its block
pkg/components/dynmap/dynmap.go:427:9: if block ends with a return statement, so drop this else and outdent its block
pkg/components/dynmap/dynmap.go:433:10: if block ends with a return statement, so drop this else and outdent its block
pkg/components/dynmap/dynmap.go:442:12: if block ends with a return statement, so drop this else and outdent its block
pkg/components/dynmap/dynmap.go:459:9: if block ends with a return statement, so drop this else and outdent its block
pkg/components/dynmap/dynmap.go:465:10: if block ends with a return statement, so drop this else and outdent its block
pkg/components/dynmap/dynmap.go:474:12: if block ends with a return statement, so drop this else and outdent its block
pkg/components/dynmap/dynmap.go:491:9: if block ends with a return statement, so drop this else and outdent its block
pkg/components/dynmap/dynmap.go:497:10: if block ends with a return statement, so drop this else and outdent its block
pkg/components/dynmap/dynmap.go:506:12: if block ends with a return statement, so drop this else and outdent its block
pkg/components/dynmap/dynmap.go:523:9: if block ends with a return statement, so drop this else and outdent its block
pkg/components/dynmap/dynmap.go:529:10: if block ends with a return statement, so drop this else and outdent its block
pkg/components/dynmap/dynmap.go:538:12: if block ends with a return statement, so drop this else and outdent its block
pkg/components/dynmap/dynmap.go:555:9: if block ends with a return statement, so drop this else and outdent its block
pkg/components/dynmap/dynmap.go:561:10: if block ends with a return statement, so drop this else and outdent its block
pkg/components/dynmap/dynmap.go:570:12: if block ends with a return statement, so drop this else and outdent its block
pkg/login/ldap.go:55:11: if block ends with a return statement, so drop this else and outdent its block (move short variable declaration to its own line if necessary)
pkg/login/ldap_test.go:372:10: if block ends with a return statement, so drop this else and outdent its block
pkg/middleware/middleware_test.go:213:12: if block ends with a return statement, so drop this else and outdent its block
pkg/plugins/dashboard_importer.go:153:11: if block ends with a return statement, so drop this else and outdent its block (move short variable declaration to its own line if necessary)
pkg/plugins/dashboards_updater.go:39:9: if block ends with a return statement, so drop this else and outdent its block (move short variable declaration to its own line if necessary)
pkg/plugins/dashboards_updater.go:121:10: if block ends with a return statement, so drop this else and outdent its block (move short variable declaration to its own line if necessary)
pkg/plugins/plugins.go:210:9: if block ends with a return statement, so drop this else and outdent its block (move short variable declaration to its own line if necessary)
pkg/plugins/plugins.go:235:9: if block ends with a return statement, so drop this else and outdent its block (move short variable declaration to its own line if necessary)
pkg/services/alerting/eval_context.go:111:9: if block ends with a return statement, so drop this else and outdent its block (move short variable declaration to its own line if necessary)
pkg/services/alerting/notifier.go:92:9: if block ends with a return statement, so drop this else and outdent its block (move short variable declaration to its own line if necessary)
pkg/services/alerting/notifier.go:98:9: if block ends with a return statement, so drop this else and outdent its block (move short variable declaration to its own line if necessary)
pkg/services/alerting/notifier.go:122:10: if block ends with a return statement, so drop this else and outdent its block (move short variable declaration to its own line if necessary)
pkg/services/alerting/rule.go:108:10: if block ends with a return statement, so drop this else and outdent its block (move short variable declaration to its own line if necessary)
pkg/services/alerting/rule.go:118:10: if block ends with a return statement, so drop this else and outdent its block (move short variable declaration to its own line if necessary)
pkg/services/alerting/rule.go:121:11: if block ends with a return statement, so drop this else and outdent its block (move short variable declaration to its own line if necessary)
pkg/services/alerting/notifiers/telegram.go:94:10: if block ends with a return statement, so drop this else and outdent its block
pkg/services/sqlstore/annotation.go:34:11: if block ends with a return statement, so drop this else and outdent its block (move short variable declaration to its own line if necessary)
pkg/services/sqlstore/annotation.go:99:11: if block ends with a return statement, so drop this else and outdent its block (move short variable declaration to its own line if necessary)
pkg/services/sqlstore/dashboard_test.go:107:13: if block ends with a return statement, so drop this else and outdent its block
pkg/services/sqlstore/plugin_setting.go:78:10: if block ends with a return statement, so drop this else and outdent its block
pkg/services/sqlstore/preferences.go:91:10: if block ends with a return statement, so drop this else and outdent its block
pkg/services/sqlstore/user.go:50:10: if block ends with a return statement, so drop this else and outdent its block
pkg/services/sqlstore/migrator/migrator.go:106:11: if block ends with a return statement, so drop this else and outdent its block (move short variable declaration to its own line if necessary)
pkg/services/sqlstore/migrator/postgres_dialect.go:48:10: if block ends with a return statement, so drop this else and outdent its block
pkg/tsdb/time_range.go:59:9: if block ends with a return statement, so drop this else and outdent its block (move short variable declaration to its own line if necessary)
pkg/tsdb/time_range.go:67:9: if block ends with a return statement, so drop this else and outdent its block (move short variable declaration to its own line if necessary)
pkg/tsdb/cloudwatch/metric_find_query.go:225:9: if block ends with a return statement, so drop this else and outdent its block
pkg/util/filepath.go:68:11: if block ends with a return statement, so drop this else and outdent its block (move short variable declaration to its own line if necessary)
2018-04-27 15:42:49 -05:00
|
|
|
return m.ErrUserNotFound
|
2015-05-02 05:06:58 -05:00
|
|
|
})
|
|
|
|
|
2018-03-23 14:50:07 -05:00
|
|
|
bus.AddHandler("test", func(cmd *m.UpsertUserCommand) error {
|
2018-03-23 10:16:11 -05:00
|
|
|
cmd.Result = &m.User{Id: 33}
|
2015-05-02 05:06:58 -05:00
|
|
|
return nil
|
2018-03-23 14:50:07 -05:00
|
|
|
})
|
2015-05-02 05:06:58 -05:00
|
|
|
|
|
|
|
sc.fakeReq("GET", "/")
|
|
|
|
sc.req.Header.Add("X-WEBAUTH-USER", "torkelo")
|
|
|
|
sc.exec()
|
|
|
|
|
|
|
|
Convey("Should create user if auto sign up is enabled", func() {
|
|
|
|
So(sc.context.IsSignedIn, ShouldBeTrue)
|
|
|
|
So(sc.context.UserId, ShouldEqual, 33)
|
|
|
|
So(sc.context.OrgId, ShouldEqual, 4)
|
|
|
|
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
2018-03-21 12:28:56 -05:00
|
|
|
middlewareScenario("When auth_proxy is enabled and IPv4 request RemoteAddr is not trusted", func(sc *scenarioContext) {
|
2016-02-23 07:22:28 -06:00
|
|
|
setting.AuthProxyEnabled = true
|
|
|
|
setting.AuthProxyHeaderName = "X-WEBAUTH-USER"
|
|
|
|
setting.AuthProxyHeaderProperty = "username"
|
2018-03-21 12:28:56 -05:00
|
|
|
setting.AuthProxyWhitelist = "192.168.1.1, 2001::23"
|
2016-02-23 07:22:28 -06:00
|
|
|
|
|
|
|
sc.fakeReq("GET", "/")
|
|
|
|
sc.req.Header.Add("X-WEBAUTH-USER", "torkelo")
|
|
|
|
sc.req.RemoteAddr = "192.168.3.1:12345"
|
|
|
|
sc.exec()
|
|
|
|
|
|
|
|
Convey("should return 407 status code", func() {
|
|
|
|
So(sc.resp.Code, ShouldEqual, 407)
|
2018-03-21 12:28:56 -05:00
|
|
|
So(sc.resp.Body.String(), ShouldContainSubstring, "Request for user (torkelo) from 192.168.3.1 is not from the authentication proxy")
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
2018-12-18 21:16:29 -06:00
|
|
|
middlewareScenario("When auth_proxy is enabled and IPv4 request RemoteAddr is not within trusted CIDR block", func(sc *scenarioContext) {
|
|
|
|
setting.AuthProxyEnabled = true
|
|
|
|
setting.AuthProxyHeaderName = "X-WEBAUTH-USER"
|
|
|
|
setting.AuthProxyHeaderProperty = "username"
|
|
|
|
setting.AuthProxyWhitelist = "192.168.1.0/24, 2001::0/120"
|
|
|
|
|
|
|
|
sc.fakeReq("GET", "/")
|
|
|
|
sc.req.Header.Add("X-WEBAUTH-USER", "torkelo")
|
|
|
|
sc.req.RemoteAddr = "192.168.3.1:12345"
|
|
|
|
sc.exec()
|
|
|
|
|
|
|
|
Convey("should return 407 status code", func() {
|
|
|
|
So(sc.resp.Code, ShouldEqual, 407)
|
|
|
|
So(sc.resp.Body.String(), ShouldContainSubstring, "Request for user (torkelo) from 192.168.3.1 is not from the authentication proxy")
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
2018-03-21 12:28:56 -05:00
|
|
|
middlewareScenario("When auth_proxy is enabled and IPv6 request RemoteAddr is not trusted", func(sc *scenarioContext) {
|
|
|
|
setting.AuthProxyEnabled = true
|
|
|
|
setting.AuthProxyHeaderName = "X-WEBAUTH-USER"
|
|
|
|
setting.AuthProxyHeaderProperty = "username"
|
|
|
|
setting.AuthProxyWhitelist = "192.168.1.1, 2001::23"
|
|
|
|
|
|
|
|
sc.fakeReq("GET", "/")
|
|
|
|
sc.req.Header.Add("X-WEBAUTH-USER", "torkelo")
|
|
|
|
sc.req.RemoteAddr = "[2001:23]:12345"
|
|
|
|
sc.exec()
|
|
|
|
|
|
|
|
Convey("should return 407 status code", func() {
|
|
|
|
So(sc.resp.Code, ShouldEqual, 407)
|
|
|
|
So(sc.resp.Body.String(), ShouldContainSubstring, "Request for user (torkelo) from 2001:23 is not from the authentication proxy")
|
2016-02-23 07:22:28 -06:00
|
|
|
})
|
|
|
|
})
|
|
|
|
|
2018-12-18 21:16:29 -06:00
|
|
|
middlewareScenario("When auth_proxy is enabled and IPv6 request RemoteAddr is not within trusted CIDR block", func(sc *scenarioContext) {
|
|
|
|
setting.AuthProxyEnabled = true
|
|
|
|
setting.AuthProxyHeaderName = "X-WEBAUTH-USER"
|
|
|
|
setting.AuthProxyHeaderProperty = "username"
|
|
|
|
setting.AuthProxyWhitelist = "192.168.1.0/24, 2001::0/120"
|
|
|
|
|
|
|
|
sc.fakeReq("GET", "/")
|
|
|
|
sc.req.Header.Add("X-WEBAUTH-USER", "torkelo")
|
|
|
|
sc.req.RemoteAddr = "[2001:23]:12345"
|
|
|
|
sc.exec()
|
|
|
|
|
|
|
|
Convey("should return 407 status code", func() {
|
|
|
|
So(sc.resp.Code, ShouldEqual, 407)
|
|
|
|
So(sc.resp.Body.String(), ShouldContainSubstring, "Request for user (torkelo) from 2001:23 is not from the authentication proxy")
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
2016-02-23 07:22:28 -06:00
|
|
|
middlewareScenario("When auth_proxy is enabled and request RemoteAddr is trusted", func(sc *scenarioContext) {
|
|
|
|
setting.AuthProxyEnabled = true
|
|
|
|
setting.AuthProxyHeaderName = "X-WEBAUTH-USER"
|
|
|
|
setting.AuthProxyHeaderProperty = "username"
|
2018-03-21 12:28:56 -05:00
|
|
|
setting.AuthProxyWhitelist = "192.168.1.1, 2001::23"
|
2016-02-23 07:22:28 -06:00
|
|
|
|
|
|
|
bus.AddHandler("test", func(query *m.GetSignedInUserQuery) error {
|
|
|
|
query.Result = &m.SignedInUser{OrgId: 4, UserId: 33}
|
2018-12-18 21:16:29 -06:00
|
|
|
return nil
|
|
|
|
})
|
|
|
|
|
|
|
|
bus.AddHandler("test", func(cmd *m.UpsertUserCommand) error {
|
|
|
|
cmd.Result = &m.User{Id: 33}
|
|
|
|
return nil
|
|
|
|
})
|
|
|
|
|
|
|
|
sc.fakeReq("GET", "/")
|
|
|
|
sc.req.Header.Add("X-WEBAUTH-USER", "torkelo")
|
|
|
|
sc.req.RemoteAddr = "[2001::23]:12345"
|
|
|
|
sc.exec()
|
|
|
|
|
|
|
|
Convey("Should init context with user info", func() {
|
|
|
|
So(sc.context.IsSignedIn, ShouldBeTrue)
|
|
|
|
So(sc.context.UserId, ShouldEqual, 33)
|
|
|
|
So(sc.context.OrgId, ShouldEqual, 4)
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
|
|
|
middlewareScenario("When auth_proxy is enabled and IPv4 request RemoteAddr is within trusted CIDR block", func(sc *scenarioContext) {
|
|
|
|
setting.AuthProxyEnabled = true
|
|
|
|
setting.AuthProxyHeaderName = "X-WEBAUTH-USER"
|
|
|
|
setting.AuthProxyHeaderProperty = "username"
|
|
|
|
setting.AuthProxyWhitelist = "192.168.1.0/24, 2001::0/120"
|
|
|
|
|
|
|
|
bus.AddHandler("test", func(query *m.GetSignedInUserQuery) error {
|
|
|
|
query.Result = &m.SignedInUser{OrgId: 4, UserId: 33}
|
|
|
|
return nil
|
|
|
|
})
|
|
|
|
|
|
|
|
bus.AddHandler("test", func(cmd *m.UpsertUserCommand) error {
|
|
|
|
cmd.Result = &m.User{Id: 33}
|
|
|
|
return nil
|
|
|
|
})
|
|
|
|
|
|
|
|
sc.fakeReq("GET", "/")
|
|
|
|
sc.req.Header.Add("X-WEBAUTH-USER", "torkelo")
|
|
|
|
sc.req.RemoteAddr = "192.168.1.10:12345"
|
|
|
|
sc.exec()
|
|
|
|
|
|
|
|
Convey("Should init context with user info", func() {
|
|
|
|
So(sc.context.IsSignedIn, ShouldBeTrue)
|
|
|
|
So(sc.context.UserId, ShouldEqual, 33)
|
|
|
|
So(sc.context.OrgId, ShouldEqual, 4)
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
|
|
|
middlewareScenario("When auth_proxy is enabled and IPv6 request RemoteAddr is within trusted CIDR block", func(sc *scenarioContext) {
|
|
|
|
setting.AuthProxyEnabled = true
|
|
|
|
setting.AuthProxyHeaderName = "X-WEBAUTH-USER"
|
|
|
|
setting.AuthProxyHeaderProperty = "username"
|
|
|
|
setting.AuthProxyWhitelist = "192.168.1.0/24, 2001::0/120"
|
|
|
|
|
|
|
|
bus.AddHandler("test", func(query *m.GetSignedInUserQuery) error {
|
|
|
|
query.Result = &m.SignedInUser{OrgId: 4, UserId: 33}
|
2016-02-23 07:22:28 -06:00
|
|
|
return nil
|
|
|
|
})
|
|
|
|
|
2018-03-23 14:50:07 -05:00
|
|
|
bus.AddHandler("test", func(cmd *m.UpsertUserCommand) error {
|
2018-03-23 10:16:11 -05:00
|
|
|
cmd.Result = &m.User{Id: 33}
|
2018-03-22 16:02:34 -05:00
|
|
|
return nil
|
2018-03-23 14:50:07 -05:00
|
|
|
})
|
2018-03-22 16:02:34 -05:00
|
|
|
|
2016-02-23 07:22:28 -06:00
|
|
|
sc.fakeReq("GET", "/")
|
|
|
|
sc.req.Header.Add("X-WEBAUTH-USER", "torkelo")
|
2018-03-21 12:28:56 -05:00
|
|
|
sc.req.RemoteAddr = "[2001::23]:12345"
|
2016-02-23 07:22:28 -06:00
|
|
|
sc.exec()
|
|
|
|
|
|
|
|
Convey("Should init context with user info", func() {
|
|
|
|
So(sc.context.IsSignedIn, ShouldBeTrue)
|
|
|
|
So(sc.context.UserId, ShouldEqual, 33)
|
|
|
|
So(sc.context.OrgId, ShouldEqual, 4)
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
|
|
|
middlewareScenario("When session exists for previous user, create a new session", func(sc *scenarioContext) {
|
|
|
|
setting.AuthProxyEnabled = true
|
|
|
|
setting.AuthProxyHeaderName = "X-WEBAUTH-USER"
|
|
|
|
setting.AuthProxyHeaderProperty = "username"
|
|
|
|
setting.AuthProxyWhitelist = ""
|
|
|
|
|
2018-03-23 14:50:07 -05:00
|
|
|
bus.AddHandler("test", func(query *m.UpsertUserCommand) error {
|
|
|
|
query.Result = &m.User{Id: 32}
|
|
|
|
return nil
|
|
|
|
})
|
|
|
|
|
2016-02-23 07:22:28 -06:00
|
|
|
bus.AddHandler("test", func(query *m.GetSignedInUserQuery) error {
|
|
|
|
query.Result = &m.SignedInUser{OrgId: 4, UserId: 32}
|
|
|
|
return nil
|
|
|
|
})
|
|
|
|
|
|
|
|
// create session
|
2018-03-07 10:54:50 -06:00
|
|
|
sc.fakeReq("GET", "/").handler(func(c *m.ReqContext) {
|
2018-03-06 16:59:45 -06:00
|
|
|
c.Session.Set(session.SESS_KEY_USERID, int64(33))
|
2016-02-23 07:22:28 -06:00
|
|
|
}).exec()
|
|
|
|
|
|
|
|
oldSessionID := sc.context.Session.ID()
|
|
|
|
|
|
|
|
sc.req.Header.Add("X-WEBAUTH-USER", "torkelo")
|
|
|
|
sc.exec()
|
|
|
|
|
|
|
|
newSessionID := sc.context.Session.ID()
|
|
|
|
|
|
|
|
Convey("Should not share session with other user", func() {
|
|
|
|
So(oldSessionID, ShouldNotEqual, newSessionID)
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
|
|
|
middlewareScenario("When auth_proxy and ldap enabled call sync with ldap user", func(sc *scenarioContext) {
|
|
|
|
setting.AuthProxyEnabled = true
|
|
|
|
setting.AuthProxyHeaderName = "X-WEBAUTH-USER"
|
|
|
|
setting.AuthProxyHeaderProperty = "username"
|
|
|
|
setting.AuthProxyWhitelist = ""
|
|
|
|
setting.LdapEnabled = true
|
|
|
|
|
|
|
|
called := false
|
2018-04-16 15:17:01 -05:00
|
|
|
syncGrafanaUserWithLdapUser = func(query *m.LoginUserQuery) error {
|
2016-02-23 07:22:28 -06:00
|
|
|
called = true
|
2018-04-16 15:17:01 -05:00
|
|
|
query.User = &m.User{Id: 32}
|
2016-02-23 07:22:28 -06:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2018-03-23 14:50:07 -05:00
|
|
|
bus.AddHandler("test", func(query *m.UpsertUserCommand) error {
|
|
|
|
query.Result = &m.User{Id: 32}
|
|
|
|
return nil
|
|
|
|
})
|
|
|
|
|
2016-02-23 07:22:28 -06:00
|
|
|
bus.AddHandler("test", func(query *m.GetSignedInUserQuery) error {
|
|
|
|
query.Result = &m.SignedInUser{OrgId: 4, UserId: 32}
|
|
|
|
return nil
|
|
|
|
})
|
|
|
|
|
|
|
|
sc.fakeReq("GET", "/")
|
|
|
|
sc.req.Header.Add("X-WEBAUTH-USER", "torkelo")
|
|
|
|
sc.exec()
|
|
|
|
|
|
|
|
Convey("Should call syncGrafanaUserWithLdapUser", func() {
|
|
|
|
So(called, ShouldBeTrue)
|
|
|
|
})
|
|
|
|
})
|
2015-05-01 04:55:59 -05:00
|
|
|
})
|
|
|
|
}
|
2015-05-02 02:24:56 -05:00
|
|
|
|
|
|
|
func middlewareScenario(desc string, fn scenarioFunc) {
|
|
|
|
Convey(desc, func() {
|
|
|
|
defer bus.ClearBusHandlers()
|
|
|
|
|
|
|
|
sc := &scenarioContext{}
|
2019-01-23 05:41:15 -06:00
|
|
|
|
2015-05-02 02:24:56 -05:00
|
|
|
viewsPath, _ := filepath.Abs("../../public/views")
|
|
|
|
|
|
|
|
sc.m = macaron.New()
|
|
|
|
sc.m.Use(macaron.Renderer(macaron.RenderOptions{
|
|
|
|
Directory: viewsPath,
|
|
|
|
Delims: macaron.Delims{Left: "[[", Right: "]]"},
|
|
|
|
}))
|
|
|
|
|
2019-01-23 05:41:15 -06:00
|
|
|
session.Init(&msession.Options{}, 0)
|
2019-01-22 06:51:55 -06:00
|
|
|
sc.userAuthTokenService = newFakeUserAuthTokenService()
|
|
|
|
sc.m.Use(GetContextHandler(sc.userAuthTokenService))
|
2015-05-02 02:24:56 -05:00
|
|
|
// mock out gc goroutine
|
2018-03-06 16:59:45 -06:00
|
|
|
session.StartSessionGC = func() {}
|
2019-01-23 05:41:15 -06:00
|
|
|
setting.SessionOptions = msession.Options{}
|
|
|
|
|
2017-02-17 08:02:14 -06:00
|
|
|
sc.m.Use(OrgRedirect())
|
2017-07-04 09:33:37 -05:00
|
|
|
sc.m.Use(AddDefaultResponseHeaders())
|
2015-05-02 02:24:56 -05:00
|
|
|
|
2018-03-07 10:54:50 -06:00
|
|
|
sc.defaultHandler = func(c *m.ReqContext) {
|
2015-05-02 02:24:56 -05:00
|
|
|
sc.context = c
|
|
|
|
if sc.handlerFunc != nil {
|
|
|
|
sc.handlerFunc(sc.context)
|
|
|
|
}
|
2015-05-02 05:06:58 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
sc.m.Get("/", sc.defaultHandler)
|
2015-05-02 02:24:56 -05:00
|
|
|
|
|
|
|
fn(sc)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
type scenarioContext struct {
|
2019-01-22 06:51:55 -06:00
|
|
|
m *macaron.Macaron
|
|
|
|
context *m.ReqContext
|
|
|
|
resp *httptest.ResponseRecorder
|
|
|
|
apiKey string
|
|
|
|
authHeader string
|
|
|
|
respJson map[string]interface{}
|
|
|
|
handlerFunc handlerFunc
|
|
|
|
defaultHandler macaron.Handler
|
|
|
|
url string
|
|
|
|
userAuthTokenService *fakeUserAuthTokenService
|
2015-05-02 02:24:56 -05:00
|
|
|
|
|
|
|
req *http.Request
|
|
|
|
}
|
|
|
|
|
|
|
|
func (sc *scenarioContext) withValidApiKey() *scenarioContext {
|
|
|
|
sc.apiKey = "eyJrIjoidjVuQXdwTWFmRlA2em5hUzR1cmhkV0RMUzU1MTFNNDIiLCJuIjoiYXNkIiwiaWQiOjF9"
|
|
|
|
return sc
|
|
|
|
}
|
|
|
|
|
2018-06-28 05:08:32 -05:00
|
|
|
func (sc *scenarioContext) withAuthorizationHeader(authHeader string) *scenarioContext {
|
2015-06-30 02:37:52 -05:00
|
|
|
sc.authHeader = authHeader
|
|
|
|
return sc
|
|
|
|
}
|
|
|
|
|
2015-05-02 02:24:56 -05:00
|
|
|
func (sc *scenarioContext) fakeReq(method, url string) *scenarioContext {
|
|
|
|
sc.resp = httptest.NewRecorder()
|
|
|
|
req, err := http.NewRequest(method, url, nil)
|
|
|
|
So(err, ShouldBeNil)
|
|
|
|
sc.req = req
|
|
|
|
|
|
|
|
// add session cookie from last request
|
|
|
|
if sc.context != nil {
|
|
|
|
if sc.context.Session.ID() != "" {
|
|
|
|
req.Header.Add("Cookie", "grafana_sess="+sc.context.Session.ID()+";")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return sc
|
|
|
|
}
|
|
|
|
|
2018-01-31 07:05:24 -06:00
|
|
|
func (sc *scenarioContext) fakeReqWithParams(method, url string, queryParams map[string]string) *scenarioContext {
|
|
|
|
sc.resp = httptest.NewRecorder()
|
|
|
|
req, err := http.NewRequest(method, url, nil)
|
|
|
|
q := req.URL.Query()
|
|
|
|
for k, v := range queryParams {
|
|
|
|
q.Add(k, v)
|
|
|
|
}
|
|
|
|
req.URL.RawQuery = q.Encode()
|
|
|
|
So(err, ShouldBeNil)
|
|
|
|
sc.req = req
|
|
|
|
|
|
|
|
return sc
|
|
|
|
}
|
|
|
|
|
2015-05-02 02:24:56 -05:00
|
|
|
func (sc *scenarioContext) handler(fn handlerFunc) *scenarioContext {
|
|
|
|
sc.handlerFunc = fn
|
|
|
|
return sc
|
|
|
|
}
|
|
|
|
|
|
|
|
func (sc *scenarioContext) exec() {
|
|
|
|
if sc.apiKey != "" {
|
|
|
|
sc.req.Header.Add("Authorization", "Bearer "+sc.apiKey)
|
|
|
|
}
|
|
|
|
|
2015-06-30 02:37:52 -05:00
|
|
|
if sc.authHeader != "" {
|
|
|
|
sc.req.Header.Add("Authorization", sc.authHeader)
|
|
|
|
}
|
|
|
|
|
2015-05-02 02:24:56 -05:00
|
|
|
sc.m.ServeHTTP(sc.resp, sc.req)
|
|
|
|
|
|
|
|
if sc.resp.Header().Get("Content-Type") == "application/json; charset=UTF-8" {
|
|
|
|
err := json.NewDecoder(sc.resp.Body).Decode(&sc.respJson)
|
|
|
|
So(err, ShouldBeNil)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
type scenarioFunc func(c *scenarioContext)
|
2018-03-07 10:54:50 -06:00
|
|
|
type handlerFunc func(c *m.ReqContext)
|
2019-01-22 06:51:55 -06:00
|
|
|
|
|
|
|
type fakeUserAuthTokenService struct {
|
|
|
|
initContextWithTokenProvider func(ctx *m.ReqContext, orgID int64) bool
|
|
|
|
}
|
|
|
|
|
|
|
|
func newFakeUserAuthTokenService() *fakeUserAuthTokenService {
|
|
|
|
return &fakeUserAuthTokenService{
|
|
|
|
initContextWithTokenProvider: func(ctx *m.ReqContext, orgID int64) bool {
|
|
|
|
return false
|
|
|
|
},
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *fakeUserAuthTokenService) InitContextWithToken(ctx *m.ReqContext, orgID int64) bool {
|
|
|
|
return s.initContextWithTokenProvider(ctx, orgID)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *fakeUserAuthTokenService) UserAuthenticatedHook(user *m.User, c *m.ReqContext) error {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *fakeUserAuthTokenService) UserSignedOutHook(c *m.ReqContext) {}
|