grafana/pkg/middleware/middleware_test.go

package middleware

import (
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"path/filepath"
	"testing"

	"github.com/go-macaron/session"
	"github.com/grafana/grafana/pkg/bus"
	l "github.com/grafana/grafana/pkg/login"
	m "github.com/grafana/grafana/pkg/models"
	"github.com/grafana/grafana/pkg/setting"
	"github.com/grafana/grafana/pkg/util"
	. "github.com/smartystreets/goconvey/convey"
	"gopkg.in/macaron.v1"
)

func TestMiddlewareContext(t *testing.T) {

	Convey("Given the grafana middleware", t, func() {
		middlewareScenario("middleware should add context to injector", func(sc *scenarioContext) {
			sc.fakeReq("GET", "/").exec()
			So(sc.context, ShouldNotBeNil)
		})

		middlewareScenario("Default middleware should allow get request", func(sc *scenarioContext) {
			sc.fakeReq("GET", "/").exec()
			So(sc.resp.Code, ShouldEqual, 200)
		})

		middlewareScenario("middleware should add Cache-Control header for GET requests to API", func(sc *scenarioContext) {
			sc.fakeReq("GET", "/api/search").exec()
			So(sc.resp.Header().Get("Cache-Control"), ShouldEqual, "no-cache")
		})

		middlewareScenario("middleware should not add Cache-Control header to for non-API GET requests", func(sc *scenarioContext) {
			sc.fakeReq("GET", "/").exec()
			So(sc.resp.Header().Get("Cache-Control"), ShouldBeEmpty)
		})

		middlewareScenario("Non api request should init session", func(sc *scenarioContext) {
			sc.fakeReq("GET", "/").exec()
			So(sc.resp.Header().Get("Set-Cookie"), ShouldContainSubstring, "grafana_sess")
		})

		middlewareScenario("Invalid api key", func(sc *scenarioContext) {
			sc.apiKey = "invalid_key_test"
			sc.fakeReq("GET", "/").exec()

			Convey("Should not init session", func() {
				So(sc.resp.Header().Get("Set-Cookie"), ShouldBeEmpty)
			})

			Convey("Should return 401", func() {
				So(sc.resp.Code, ShouldEqual, 401)
				So(sc.respJson["message"], ShouldEqual, "Invalid API key")
			})
		})

		middlewareScenario("Using basic auth", func(sc *scenarioContext) {

			bus.AddHandler("test", func(query *m.GetUserByLoginQuery) error {
				query.Result = &m.User{
					Password: util.EncodePassword("myPass", "salt"),
					Salt:     "salt",
				}
				return nil
			})

			bus.AddHandler("test", func(loginUserQuery *l.LoginUserQuery) error {
				return nil
			})

			bus.AddHandler("test", func(query *m.GetSignedInUserQuery) error {
				query.Result = &m.SignedInUser{OrgId: 2, UserId: 12}
				return nil
			})

			setting.BasicAuthEnabled = true
			authHeader := util.GetBasicAuthHeader("myUser", "myPass")
			sc.fakeReq("GET", "/").withAuthoriziationHeader(authHeader).exec()

			Convey("Should init middleware context with user", func() {
				So(sc.context.IsSignedIn, ShouldEqual, true)
				So(sc.context.OrgId, ShouldEqual, 2)
				So(sc.context.UserId, ShouldEqual, 12)
			})
		})

		middlewareScenario("Valid api key", func(sc *scenarioContext) {
			keyhash := util.EncodePassword("v5nAwpMafFP6znaS4urhdWDLS5511M42", "asd")

			bus.AddHandler("test", func(query *m.GetApiKeyByNameQuery) error {
				query.Result = &m.ApiKey{OrgId: 12, Role: m.ROLE_EDITOR, Key: keyhash}
				return nil
			})

			sc.fakeReq("GET", "/").withValidApiKey().exec()

			Convey("Should return 200", func() {
				So(sc.resp.Code, ShouldEqual, 200)
			})

			Convey("Should init middleware context", func() {
				So(sc.context.IsSignedIn, ShouldEqual, true)
				So(sc.context.OrgId, ShouldEqual, 12)
				So(sc.context.OrgRole, ShouldEqual, m.ROLE_EDITOR)
			})
		})

		middlewareScenario("Valid api key, but does not match db hash", func(sc *scenarioContext) {
			keyhash := "something_not_matching"

			bus.AddHandler("test", func(query *m.GetApiKeyByNameQuery) error {
				query.Result = &m.ApiKey{OrgId: 12, Role: m.ROLE_EDITOR, Key: keyhash}
				return nil
			})

			sc.fakeReq("GET", "/").withValidApiKey().exec()

			Convey("Should return api key invalid", func() {
				So(sc.resp.Code, ShouldEqual, 401)
				So(sc.respJson["message"], ShouldEqual, "Invalid API key")
			})
		})

		middlewareScenario("UserId in session", func(sc *scenarioContext) {

			sc.fakeReq("GET", "/").handler(func(c *Context) {
				c.Session.Set(SESS_KEY_USERID, int64(12))
			}).exec()

			bus.AddHandler("test", func(query *m.GetSignedInUserQuery) error {
				query.Result = &m.SignedInUser{OrgId: 2, UserId: 12}
				return nil
			})

			sc.fakeReq("GET", "/").exec()

			Convey("should init context with user info", func() {
				So(sc.context.IsSignedIn, ShouldBeTrue)
				So(sc.context.UserId, ShouldEqual, 12)
			})
		})

		middlewareScenario("When anonymous access is enabled", func(sc *scenarioContext) {
			setting.AnonymousEnabled = true
			setting.AnonymousOrgName = "test"
			setting.AnonymousOrgRole = string(m.ROLE_EDITOR)

			bus.AddHandler("test", func(query *m.GetOrgByNameQuery) error {
				So(query.Name, ShouldEqual, "test")

				query.Result = &m.Org{Id: 2, Name: "test"}
				return nil
			})

			sc.fakeReq("GET", "/").exec()

			Convey("should init context with org info", func() {
				So(sc.context.UserId, ShouldEqual, 0)
				So(sc.context.OrgId, ShouldEqual, 2)
				So(sc.context.OrgRole, ShouldEqual, m.ROLE_EDITOR)
			})

			Convey("context signed in should be false", func() {
				So(sc.context.IsSignedIn, ShouldBeFalse)
			})
		})

		middlewareScenario("When auth_proxy is enabled enabled and user exists", func(sc *scenarioContext) {
			setting.AuthProxyEnabled = true
			setting.AuthProxyHeaderName = "X-WEBAUTH-USER"
			setting.AuthProxyHeaderProperty = "username"

			bus.AddHandler("test", func(query *m.GetSignedInUserQuery) error {
				query.Result = &m.SignedInUser{OrgId: 2, UserId: 12}
				return nil
			})

			sc.fakeReq("GET", "/")
			sc.req.Header.Add("X-WEBAUTH-USER", "torkelo")
			sc.exec()

			Convey("should init context with user info", func() {
				So(sc.context.IsSignedIn, ShouldBeTrue)
				So(sc.context.UserId, ShouldEqual, 12)
				So(sc.context.OrgId, ShouldEqual, 2)
			})
		})

		middlewareScenario("When auth_proxy is enabled enabled and user does not exists", func(sc *scenarioContext) {
			setting.AuthProxyEnabled = true
			setting.AuthProxyHeaderName = "X-WEBAUTH-USER"
			setting.AuthProxyHeaderProperty = "username"
			setting.AuthProxyAutoSignUp = true

			bus.AddHandler("test", func(query *m.GetSignedInUserQuery) error {
				if query.UserId > 0 {
					query.Result = &m.SignedInUser{OrgId: 4, UserId: 33}
					return nil
				} else {
					return m.ErrUserNotFound
				}
			})

			bus.AddHandler("test", func(cmd *m.CreateUserCommand) error {
				cmd.Result = m.User{Id: 33}
				return nil
			})

			sc.fakeReq("GET", "/")
			sc.req.Header.Add("X-WEBAUTH-USER", "torkelo")
			sc.exec()

			Convey("Should create user if auto sign up is enabled", func() {
				So(sc.context.IsSignedIn, ShouldBeTrue)
				So(sc.context.UserId, ShouldEqual, 33)
				So(sc.context.OrgId, ShouldEqual, 4)

			})
		})

		middlewareScenario("When auth_proxy is enabled and request RemoteAddr is not trusted", func(sc *scenarioContext) {
			setting.AuthProxyEnabled = true
			setting.AuthProxyHeaderName = "X-WEBAUTH-USER"
			setting.AuthProxyHeaderProperty = "username"
			setting.AuthProxyWhitelist = "192.168.1.1, 192.168.2.1"

			sc.fakeReq("GET", "/")
			sc.req.Header.Add("X-WEBAUTH-USER", "torkelo")
			sc.req.RemoteAddr = "192.168.3.1:12345"
			sc.exec()

			Convey("should return 407 status code", func() {
				So(sc.resp.Code, ShouldEqual, 407)
			})
		})

		middlewareScenario("When auth_proxy is enabled and request RemoteAddr is trusted", func(sc *scenarioContext) {
			setting.AuthProxyEnabled = true
			setting.AuthProxyHeaderName = "X-WEBAUTH-USER"
			setting.AuthProxyHeaderProperty = "username"
			setting.AuthProxyWhitelist = "192.168.1.1, 192.168.2.1"

			bus.AddHandler("test", func(query *m.GetSignedInUserQuery) error {
				query.Result = &m.SignedInUser{OrgId: 4, UserId: 33}
				return nil
			})

			sc.fakeReq("GET", "/")
			sc.req.Header.Add("X-WEBAUTH-USER", "torkelo")
			sc.req.RemoteAddr = "192.168.2.1:12345"
			sc.exec()

			Convey("Should init context with user info", func() {
				So(sc.context.IsSignedIn, ShouldBeTrue)
				So(sc.context.UserId, ShouldEqual, 33)
				So(sc.context.OrgId, ShouldEqual, 4)
			})
		})

		middlewareScenario("When session exists for previous user, create a new session", func(sc *scenarioContext) {
			setting.AuthProxyEnabled = true
			setting.AuthProxyHeaderName = "X-WEBAUTH-USER"
			setting.AuthProxyHeaderProperty = "username"
			setting.AuthProxyWhitelist = ""

			bus.AddHandler("test", func(query *m.GetSignedInUserQuery) error {
				query.Result = &m.SignedInUser{OrgId: 4, UserId: 32}
				return nil
			})

			// create session
			sc.fakeReq("GET", "/").handler(func(c *Context) {
				c.Session.Set(SESS_KEY_USERID, int64(33))
			}).exec()

			oldSessionID := sc.context.Session.ID()

			sc.req.Header.Add("X-WEBAUTH-USER", "torkelo")
			sc.exec()

			newSessionID := sc.context.Session.ID()

			Convey("Should not share session with other user", func() {
				So(oldSessionID, ShouldNotEqual, newSessionID)
			})
		})

		middlewareScenario("When auth_proxy and ldap enabled call sync with ldap user", func(sc *scenarioContext) {
			setting.AuthProxyEnabled = true
			setting.AuthProxyHeaderName = "X-WEBAUTH-USER"
			setting.AuthProxyHeaderProperty = "username"
			setting.AuthProxyWhitelist = ""
			setting.LdapEnabled = true

			called := false
			syncGrafanaUserWithLdapUser = func(ctx *Context, query *m.GetSignedInUserQuery) error {
				called = true
				return nil
			}

			bus.AddHandler("test", func(query *m.GetSignedInUserQuery) error {
				query.Result = &m.SignedInUser{OrgId: 4, UserId: 32}
				return nil
			})

			sc.fakeReq("GET", "/")
			sc.req.Header.Add("X-WEBAUTH-USER", "torkelo")
			sc.exec()

			Convey("Should call syncGrafanaUserWithLdapUser", func() {
				So(called, ShouldBeTrue)
			})
		})
	})
}

func middlewareScenario(desc string, fn scenarioFunc) {
	Convey(desc, func() {
		defer bus.ClearBusHandlers()

		sc := &scenarioContext{}
		viewsPath, _ := filepath.Abs("../../public/views")

		sc.m = macaron.New()
		sc.m.Use(macaron.Renderer(macaron.RenderOptions{
			Directory: viewsPath,
			Delims:    macaron.Delims{Left: "[[", Right: "]]"},
		}))

		sc.m.Use(GetContextHandler())
		// mock out gc goroutine
		startSessionGC = func() {}
		sc.m.Use(Sessioner(&session.Options{}))
		sc.m.Use(OrgRedirect())
		sc.m.Use(AddDefaultResponseHeaders())

		sc.defaultHandler = func(c *Context) {
			sc.context = c
			if sc.handlerFunc != nil {
				sc.handlerFunc(sc.context)
			}
		}

		sc.m.Get("/", sc.defaultHandler)

		fn(sc)
	})
}

type scenarioContext struct {
	m              *macaron.Macaron
	context        *Context
	resp           *httptest.ResponseRecorder
	apiKey         string
	authHeader     string
	respJson       map[string]interface{}
	handlerFunc    handlerFunc
	defaultHandler macaron.Handler

	req *http.Request
}

func (sc *scenarioContext) withValidApiKey() *scenarioContext {
	sc.apiKey = "eyJrIjoidjVuQXdwTWFmRlA2em5hUzR1cmhkV0RMUzU1MTFNNDIiLCJuIjoiYXNkIiwiaWQiOjF9"
	return sc
}

func (sc *scenarioContext) withInvalidApiKey() *scenarioContext {
	sc.apiKey = "nvalidhhhhds"
	return sc
}

func (sc *scenarioContext) withAuthoriziationHeader(authHeader string) *scenarioContext {
	sc.authHeader = authHeader
	return sc
}

func (sc *scenarioContext) fakeReq(method, url string) *scenarioContext {
	sc.resp = httptest.NewRecorder()
	req, err := http.NewRequest(method, url, nil)
	So(err, ShouldBeNil)
	sc.req = req

	// add session cookie from last request
	if sc.context != nil {
		if sc.context.Session.ID() != "" {
			req.Header.Add("Cookie", "grafana_sess="+sc.context.Session.ID()+";")
		}
	}

	return sc
}

func (sc *scenarioContext) handler(fn handlerFunc) *scenarioContext {
	sc.handlerFunc = fn
	return sc
}

func (sc *scenarioContext) exec() {
	if sc.apiKey != "" {
		sc.req.Header.Add("Authorization", "Bearer "+sc.apiKey)
	}

	if sc.authHeader != "" {
		sc.req.Header.Add("Authorization", sc.authHeader)
	}

	sc.m.ServeHTTP(sc.resp, sc.req)

	if sc.resp.Header().Get("Content-Type") == "application/json; charset=UTF-8" {
		err := json.NewDecoder(sc.resp.Body).Decode(&sc.respJson)
		So(err, ShouldBeNil)
	}
}

type scenarioFunc func(c *scenarioContext)
type handlerFunc func(c *Context)
Began work on auth_proxy feature (#1932), and began work on testing http api, and auth middleware 2015-05-01 04:55:59 -05:00			`package middleware`

			`import (`
More middleware unit test, starting to look really good 2015-05-01 15:26:16 -05:00			`"encoding/json"`
Began work on auth_proxy feature (#1932), and began work on testing http api, and auth middleware 2015-05-01 04:55:59 -05:00			`"net/http"`
			`"net/http/httptest"`
More middleware unit test, starting to look really good 2015-05-01 15:26:16 -05:00			`"path/filepath"`
Began work on auth_proxy feature (#1932), and began work on testing http api, and auth middleware 2015-05-01 04:55:59 -05:00			`"testing"`

fix(build): fixed dependency and build issue 2016-01-13 08:38:54 -06:00			`"github.com/go-macaron/session"`
More middleware unit test, starting to look really good 2015-05-01 15:26:16 -05:00			`"github.com/grafana/grafana/pkg/bus"`
Fixed failing tests (#6941) 2016-12-13 03:00:33 -06:00			`l "github.com/grafana/grafana/pkg/login"`
More middleware unit test, starting to look really good 2015-05-01 15:26:16 -05:00			`m "github.com/grafana/grafana/pkg/models"`
More middleware unit tests cover all current auth mechanisms 2015-05-02 02:24:56 -05:00			`"github.com/grafana/grafana/pkg/setting"`
More middleware unit test, starting to look really good 2015-05-01 15:26:16 -05:00			`"github.com/grafana/grafana/pkg/util"`
Began work on auth_proxy feature (#1932), and began work on testing http api, and auth middleware 2015-05-01 04:55:59 -05:00			`. "github.com/smartystreets/goconvey/convey"`
fix(build): fixed dependency and build issue 2016-01-13 08:38:54 -06:00			`"gopkg.in/macaron.v1"`
Began work on auth_proxy feature (#1932), and began work on testing http api, and auth middleware 2015-05-01 04:55:59 -05:00			`)`

Refactoring, worked on middleware unit tests, and began thinking about api unit tests, #1921 2015-05-01 09:23:36 -05:00			`func TestMiddlewareContext(t *testing.T) {`
Began work on auth_proxy feature (#1932), and began work on testing http api, and auth middleware 2015-05-01 04:55:59 -05:00
More middleware unit tests cover all current auth mechanisms 2015-05-02 02:24:56 -05:00			`Convey("Given the grafana middleware", t, func() {`
Refactoring, worked on middleware unit tests, and began thinking about api unit tests, #1921 2015-05-01 09:23:36 -05:00			`middlewareScenario("middleware should add context to injector", func(sc *scenarioContext) {`
More middleware unit tests cover all current auth mechanisms 2015-05-02 02:24:56 -05:00			`sc.fakeReq("GET", "/").exec()`
Refactoring, worked on middleware unit tests, and began thinking about api unit tests, #1921 2015-05-01 09:23:36 -05:00			`So(sc.context, ShouldNotBeNil)`
Began work on auth_proxy feature (#1932), and began work on testing http api, and auth middleware 2015-05-01 04:55:59 -05:00			`})`

Refactoring, worked on middleware unit tests, and began thinking about api unit tests, #1921 2015-05-01 09:23:36 -05:00			`middlewareScenario("Default middleware should allow get request", func(sc *scenarioContext) {`
More middleware unit tests cover all current auth mechanisms 2015-05-02 02:24:56 -05:00			`sc.fakeReq("GET", "/").exec()`
Refactoring, worked on middleware unit tests, and began thinking about api unit tests, #1921 2015-05-01 09:23:36 -05:00			`So(sc.resp.Code, ShouldEqual, 200)`
Began work on auth_proxy feature (#1932), and began work on testing http api, and auth middleware 2015-05-01 04:55:59 -05:00			`})`
Refactoring, worked on middleware unit tests, and began thinking about api unit tests, #1921 2015-05-01 09:23:36 -05:00
api: adds no-cache header for GET requests Fixes #5356. Internet Explorer aggressively caches GET requests which means that all API calls fetching data are cached. This fix adds a Cache-Control header with the value no-cache to all GET requests to the API. 2017-07-04 09:33:37 -05:00			`middlewareScenario("middleware should add Cache-Control header for GET requests to API", func(sc *scenarioContext) {`
			`sc.fakeReq("GET", "/api/search").exec()`
			`So(sc.resp.Header().Get("Cache-Control"), ShouldEqual, "no-cache")`
			`})`

			`middlewareScenario("middleware should not add Cache-Control header to for non-API GET requests", func(sc *scenarioContext) {`
			`sc.fakeReq("GET", "/").exec()`
			`So(sc.resp.Header().Get("Cache-Control"), ShouldBeEmpty)`
			`})`

More middleware unit test, starting to look really good 2015-05-01 15:26:16 -05:00			`middlewareScenario("Non api request should init session", func(sc *scenarioContext) {`
More middleware unit tests cover all current auth mechanisms 2015-05-02 02:24:56 -05:00			`sc.fakeReq("GET", "/").exec()`
More middleware unit test, starting to look really good 2015-05-01 15:26:16 -05:00			`So(sc.resp.Header().Get("Set-Cookie"), ShouldContainSubstring, "grafana_sess")`
			`})`

			`middlewareScenario("Invalid api key", func(sc *scenarioContext) {`
			`sc.apiKey = "invalid_key_test"`
More middleware unit tests cover all current auth mechanisms 2015-05-02 02:24:56 -05:00			`sc.fakeReq("GET", "/").exec()`
More middleware unit test, starting to look really good 2015-05-01 15:26:16 -05:00
			`Convey("Should not init session", func() {`
			`So(sc.resp.Header().Get("Set-Cookie"), ShouldBeEmpty)`
			`})`

			`Convey("Should return 401", func() {`
			`So(sc.resp.Code, ShouldEqual, 401)`
			`So(sc.respJson["message"], ShouldEqual, "Invalid API key")`
			`})`
			`})`

Auth: You can now authenicate against api with username / password using basic auth, Closes #2218 2015-06-30 02:37:52 -05:00			`middlewareScenario("Using basic auth", func(sc *scenarioContext) {`

			`bus.AddHandler("test", func(query *m.GetUserByLoginQuery) error {`
			`query.Result = &m.User{`
			`Password: util.EncodePassword("myPass", "salt"),`
			`Salt: "salt",`
			`}`
			`return nil`
			`})`

Fixed failing tests (#6941) 2016-12-13 03:00:33 -06:00			`bus.AddHandler("test", func(loginUserQuery *l.LoginUserQuery) error {`
			`return nil`
			`})`

Auth: You can now authenicate against api with username / password using basic auth, Closes #2218 2015-06-30 02:37:52 -05:00			`bus.AddHandler("test", func(query *m.GetSignedInUserQuery) error {`
			`query.Result = &m.SignedInUser{OrgId: 2, UserId: 12}`
			`return nil`
			`})`

			`setting.BasicAuthEnabled = true`
			`authHeader := util.GetBasicAuthHeader("myUser", "myPass")`
			`sc.fakeReq("GET", "/").withAuthoriziationHeader(authHeader).exec()`

			`Convey("Should init middleware context with user", func() {`
			`So(sc.context.IsSignedIn, ShouldEqual, true)`
			`So(sc.context.OrgId, ShouldEqual, 2)`
			`So(sc.context.UserId, ShouldEqual, 12)`
			`})`
			`})`

More middleware unit test, starting to look really good 2015-05-01 15:26:16 -05:00			`middlewareScenario("Valid api key", func(sc *scenarioContext) {`
			`keyhash := util.EncodePassword("v5nAwpMafFP6znaS4urhdWDLS5511M42", "asd")`

			`bus.AddHandler("test", func(query *m.GetApiKeyByNameQuery) error {`
			`query.Result = &m.ApiKey{OrgId: 12, Role: m.ROLE_EDITOR, Key: keyhash}`
			`return nil`
			`})`

More middleware unit tests cover all current auth mechanisms 2015-05-02 02:24:56 -05:00			`sc.fakeReq("GET", "/").withValidApiKey().exec()`
More middleware unit test, starting to look really good 2015-05-01 15:26:16 -05:00
			`Convey("Should return 200", func() {`
			`So(sc.resp.Code, ShouldEqual, 200)`
			`})`

			`Convey("Should init middleware context", func() {`
More middleware unit tests cover all current auth mechanisms 2015-05-02 02:24:56 -05:00			`So(sc.context.IsSignedIn, ShouldEqual, true)`
More middleware unit test, starting to look really good 2015-05-01 15:26:16 -05:00			`So(sc.context.OrgId, ShouldEqual, 12)`
			`So(sc.context.OrgRole, ShouldEqual, m.ROLE_EDITOR)`
			`})`
			`})`

More middleware unit tests cover all current auth mechanisms 2015-05-02 02:24:56 -05:00			`middlewareScenario("Valid api key, but does not match db hash", func(sc *scenarioContext) {`
			`keyhash := "something_not_matching"`

			`bus.AddHandler("test", func(query *m.GetApiKeyByNameQuery) error {`
			`query.Result = &m.ApiKey{OrgId: 12, Role: m.ROLE_EDITOR, Key: keyhash}`
			`return nil`
			`})`

			`sc.fakeReq("GET", "/").withValidApiKey().exec()`

			`Convey("Should return api key invalid", func() {`
			`So(sc.resp.Code, ShouldEqual, 401)`
			`So(sc.respJson["message"], ShouldEqual, "Invalid API key")`
			`})`
			`})`

			`middlewareScenario("UserId in session", func(sc *scenarioContext) {`

			`sc.fakeReq("GET", "/").handler(func(c *Context) {`
			`c.Session.Set(SESS_KEY_USERID, int64(12))`
			`}).exec()`

			`bus.AddHandler("test", func(query *m.GetSignedInUserQuery) error {`
			`query.Result = &m.SignedInUser{OrgId: 2, UserId: 12}`
			`return nil`
			`})`

			`sc.fakeReq("GET", "/").exec()`

			`Convey("should init context with user info", func() {`
			`So(sc.context.IsSignedIn, ShouldBeTrue)`
			`So(sc.context.UserId, ShouldEqual, 12)`
			`})`
			`})`

			`middlewareScenario("When anonymous access is enabled", func(sc *scenarioContext) {`
			`setting.AnonymousEnabled = true`
			`setting.AnonymousOrgName = "test"`
			`setting.AnonymousOrgRole = string(m.ROLE_EDITOR)`

			`bus.AddHandler("test", func(query *m.GetOrgByNameQuery) error {`
			`So(query.Name, ShouldEqual, "test")`

			`query.Result = &m.Org{Id: 2, Name: "test"}`
			`return nil`
			`})`

			`sc.fakeReq("GET", "/").exec()`

			`Convey("should init context with org info", func() {`
			`So(sc.context.UserId, ShouldEqual, 0)`
			`So(sc.context.OrgId, ShouldEqual, 2)`
			`So(sc.context.OrgRole, ShouldEqual, m.ROLE_EDITOR)`
			`})`

			`Convey("context signed in should be false", func() {`
			`So(sc.context.IsSignedIn, ShouldBeFalse)`
			`})`
			`})`
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 05:06:58 -05:00
			`middlewareScenario("When auth_proxy is enabled enabled and user exists", func(sc *scenarioContext) {`
			`setting.AuthProxyEnabled = true`
			`setting.AuthProxyHeaderName = "X-WEBAUTH-USER"`
			`setting.AuthProxyHeaderProperty = "username"`

			`bus.AddHandler("test", func(query *m.GetSignedInUserQuery) error {`
			`query.Result = &m.SignedInUser{OrgId: 2, UserId: 12}`
			`return nil`
			`})`

			`sc.fakeReq("GET", "/")`
			`sc.req.Header.Add("X-WEBAUTH-USER", "torkelo")`
			`sc.exec()`

			`Convey("should init context with user info", func() {`
			`So(sc.context.IsSignedIn, ShouldBeTrue)`
			`So(sc.context.UserId, ShouldEqual, 12)`
			`So(sc.context.OrgId, ShouldEqual, 2)`
			`})`
			`})`

			`middlewareScenario("When auth_proxy is enabled enabled and user does not exists", func(sc *scenarioContext) {`
			`setting.AuthProxyEnabled = true`
			`setting.AuthProxyHeaderName = "X-WEBAUTH-USER"`
			`setting.AuthProxyHeaderProperty = "username"`
			`setting.AuthProxyAutoSignUp = true`

			`bus.AddHandler("test", func(query *m.GetSignedInUserQuery) error {`
			`if query.UserId > 0 {`
			`query.Result = &m.SignedInUser{OrgId: 4, UserId: 33}`
			`return nil`
			`} else {`
			`return m.ErrUserNotFound`
			`}`
			`})`

			`bus.AddHandler("test", func(cmd *m.CreateUserCommand) error {`
			`cmd.Result = m.User{Id: 33}`
			`return nil`
			`})`

			`sc.fakeReq("GET", "/")`
			`sc.req.Header.Add("X-WEBAUTH-USER", "torkelo")`
			`sc.exec()`

			`Convey("Should create user if auto sign up is enabled", func() {`
			`So(sc.context.IsSignedIn, ShouldBeTrue)`
			`So(sc.context.UserId, ShouldEqual, 33)`
			`So(sc.context.OrgId, ShouldEqual, 4)`

			`})`
			`})`

Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 07:22:28 -06:00			`middlewareScenario("When auth_proxy is enabled and request RemoteAddr is not trusted", func(sc *scenarioContext) {`
			`setting.AuthProxyEnabled = true`
			`setting.AuthProxyHeaderName = "X-WEBAUTH-USER"`
			`setting.AuthProxyHeaderProperty = "username"`
			`setting.AuthProxyWhitelist = "192.168.1.1, 192.168.2.1"`

			`sc.fakeReq("GET", "/")`
			`sc.req.Header.Add("X-WEBAUTH-USER", "torkelo")`
			`sc.req.RemoteAddr = "192.168.3.1:12345"`
			`sc.exec()`

			`Convey("should return 407 status code", func() {`
			`So(sc.resp.Code, ShouldEqual, 407)`
			`})`
			`})`

			`middlewareScenario("When auth_proxy is enabled and request RemoteAddr is trusted", func(sc *scenarioContext) {`
			`setting.AuthProxyEnabled = true`
			`setting.AuthProxyHeaderName = "X-WEBAUTH-USER"`
			`setting.AuthProxyHeaderProperty = "username"`
			`setting.AuthProxyWhitelist = "192.168.1.1, 192.168.2.1"`

			`bus.AddHandler("test", func(query *m.GetSignedInUserQuery) error {`
			`query.Result = &m.SignedInUser{OrgId: 4, UserId: 33}`
			`return nil`
			`})`

			`sc.fakeReq("GET", "/")`
			`sc.req.Header.Add("X-WEBAUTH-USER", "torkelo")`
			`sc.req.RemoteAddr = "192.168.2.1:12345"`
			`sc.exec()`

			`Convey("Should init context with user info", func() {`
			`So(sc.context.IsSignedIn, ShouldBeTrue)`
			`So(sc.context.UserId, ShouldEqual, 33)`
			`So(sc.context.OrgId, ShouldEqual, 4)`
			`})`
			`})`

			`middlewareScenario("When session exists for previous user, create a new session", func(sc *scenarioContext) {`
			`setting.AuthProxyEnabled = true`
			`setting.AuthProxyHeaderName = "X-WEBAUTH-USER"`
			`setting.AuthProxyHeaderProperty = "username"`
			`setting.AuthProxyWhitelist = ""`

			`bus.AddHandler("test", func(query *m.GetSignedInUserQuery) error {`
			`query.Result = &m.SignedInUser{OrgId: 4, UserId: 32}`
			`return nil`
			`})`

			`// create session`
			`sc.fakeReq("GET", "/").handler(func(c *Context) {`
			`c.Session.Set(SESS_KEY_USERID, int64(33))`
			`}).exec()`

			`oldSessionID := sc.context.Session.ID()`

			`sc.req.Header.Add("X-WEBAUTH-USER", "torkelo")`
			`sc.exec()`

			`newSessionID := sc.context.Session.ID()`

			`Convey("Should not share session with other user", func() {`
			`So(oldSessionID, ShouldNotEqual, newSessionID)`
			`})`
			`})`

			`middlewareScenario("When auth_proxy and ldap enabled call sync with ldap user", func(sc *scenarioContext) {`
			`setting.AuthProxyEnabled = true`
			`setting.AuthProxyHeaderName = "X-WEBAUTH-USER"`
			`setting.AuthProxyHeaderProperty = "username"`
			`setting.AuthProxyWhitelist = ""`
			`setting.LdapEnabled = true`

			`called := false`
			`syncGrafanaUserWithLdapUser = func(ctx Context, query m.GetSignedInUserQuery) error {`
			`called = true`
			`return nil`
			`}`

			`bus.AddHandler("test", func(query *m.GetSignedInUserQuery) error {`
			`query.Result = &m.SignedInUser{OrgId: 4, UserId: 32}`
			`return nil`
			`})`

			`sc.fakeReq("GET", "/")`
			`sc.req.Header.Add("X-WEBAUTH-USER", "torkelo")`
			`sc.exec()`

			`Convey("Should call syncGrafanaUserWithLdapUser", func() {`
			`So(called, ShouldBeTrue)`
			`})`
			`})`
Began work on auth_proxy feature (#1932), and began work on testing http api, and auth middleware 2015-05-01 04:55:59 -05:00			`})`
			`}`
More middleware unit tests cover all current auth mechanisms 2015-05-02 02:24:56 -05:00
			`func middlewareScenario(desc string, fn scenarioFunc) {`
			`Convey(desc, func() {`
			`defer bus.ClearBusHandlers()`

			`sc := &scenarioContext{}`
			`viewsPath, _ := filepath.Abs("../../public/views")`

			`sc.m = macaron.New()`
			`sc.m.Use(macaron.Renderer(macaron.RenderOptions{`
			`Directory: viewsPath,`
			`Delims: macaron.Delims{Left: "[[", Right: "]]"},`
			`}))`

			`sc.m.Use(GetContextHandler())`
			`// mock out gc goroutine`
			`startSessionGC = func() {}`
			`sc.m.Use(Sessioner(&session.Options{}))`
middlware: change org when url contains orgid closes #6948 ref #1613 2017-02-17 08:02:14 -06:00			`sc.m.Use(OrgRedirect())`
api: adds no-cache header for GET requests Fixes #5356. Internet Explorer aggressively caches GET requests which means that all API calls fetching data are cached. This fix adds a Cache-Control header with the value no-cache to all GET requests to the API. 2017-07-04 09:33:37 -05:00			`sc.m.Use(AddDefaultResponseHeaders())`
More middleware unit tests cover all current auth mechanisms 2015-05-02 02:24:56 -05:00
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 05:06:58 -05:00			`sc.defaultHandler = func(c *Context) {`
More middleware unit tests cover all current auth mechanisms 2015-05-02 02:24:56 -05:00			`sc.context = c`
			`if sc.handlerFunc != nil {`
			`sc.handlerFunc(sc.context)`
			`}`
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 05:06:58 -05:00			`}`

			`sc.m.Get("/", sc.defaultHandler)`
More middleware unit tests cover all current auth mechanisms 2015-05-02 02:24:56 -05:00
			`fn(sc)`
			`})`
			`}`

			`type scenarioContext struct {`
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 05:06:58 -05:00			`m *macaron.Macaron`
			`context *Context`
			`resp *httptest.ResponseRecorder`
			`apiKey string`
Auth: You can now authenicate against api with username / password using basic auth, Closes #2218 2015-06-30 02:37:52 -05:00			`authHeader string`
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 05:06:58 -05:00			`respJson map[string]interface{}`
			`handlerFunc handlerFunc`
			`defaultHandler macaron.Handler`
More middleware unit tests cover all current auth mechanisms 2015-05-02 02:24:56 -05:00
			`req *http.Request`
			`}`

			`func (sc scenarioContext) withValidApiKey() scenarioContext {`
			`sc.apiKey = "eyJrIjoidjVuQXdwTWFmRlA2em5hUzR1cmhkV0RMUzU1MTFNNDIiLCJuIjoiYXNkIiwiaWQiOjF9"`
			`return sc`
			`}`

			`func (sc scenarioContext) withInvalidApiKey() scenarioContext {`
			`sc.apiKey = "nvalidhhhhds"`
			`return sc`
			`}`

Auth: You can now authenicate against api with username / password using basic auth, Closes #2218 2015-06-30 02:37:52 -05:00			`func (sc scenarioContext) withAuthoriziationHeader(authHeader string) scenarioContext {`
			`sc.authHeader = authHeader`
			`return sc`
			`}`

More middleware unit tests cover all current auth mechanisms 2015-05-02 02:24:56 -05:00			`func (sc scenarioContext) fakeReq(method, url string) scenarioContext {`
			`sc.resp = httptest.NewRecorder()`
			`req, err := http.NewRequest(method, url, nil)`
			`So(err, ShouldBeNil)`
			`sc.req = req`

			`// add session cookie from last request`
			`if sc.context != nil {`
			`if sc.context.Session.ID() != "" {`
			`req.Header.Add("Cookie", "grafana_sess="+sc.context.Session.ID()+";")`
			`}`
			`}`

			`return sc`
			`}`

			`func (sc scenarioContext) handler(fn handlerFunc) scenarioContext {`
			`sc.handlerFunc = fn`
			`return sc`
			`}`

			`func (sc *scenarioContext) exec() {`
			`if sc.apiKey != "" {`
			`sc.req.Header.Add("Authorization", "Bearer "+sc.apiKey)`
			`}`

Auth: You can now authenicate against api with username / password using basic auth, Closes #2218 2015-06-30 02:37:52 -05:00			`if sc.authHeader != "" {`
			`sc.req.Header.Add("Authorization", sc.authHeader)`
			`}`

More middleware unit tests cover all current auth mechanisms 2015-05-02 02:24:56 -05:00			`sc.m.ServeHTTP(sc.resp, sc.req)`

			`if sc.resp.Header().Get("Content-Type") == "application/json; charset=UTF-8" {`
			`err := json.NewDecoder(sc.resp.Body).Decode(&sc.respJson)`
			`So(err, ShouldBeNil)`
			`}`
			`}`

			`type scenarioFunc func(c *scenarioContext)`
			`type handlerFunc func(c *Context)`