grafana/pkg/middleware/auth_proxy.go

package middleware

import (
	"fmt"
	"net"
	"net/mail"
	"reflect"
	"strings"
	"time"

	"github.com/grafana/grafana/pkg/bus"
	"github.com/grafana/grafana/pkg/log"
	"github.com/grafana/grafana/pkg/login"
	m "github.com/grafana/grafana/pkg/models"
	"github.com/grafana/grafana/pkg/services/session"
	"github.com/grafana/grafana/pkg/setting"
)

var (
	AUTH_PROXY_SESSION_VAR = "authProxyHeaderValue"
)

func initContextWithAuthProxy(ctx *m.ReqContext, orgID int64) bool {
	if !setting.AuthProxyEnabled {
		return false
	}

	proxyHeaderValue := ctx.Req.Header.Get(setting.AuthProxyHeaderName)
	if len(proxyHeaderValue) == 0 {
		return false
	}

	// if auth proxy ip(s) defined, check if request comes from one of those
	if err := checkAuthenticationProxy(ctx.Req.RemoteAddr, proxyHeaderValue); err != nil {
		ctx.Handle(407, "Proxy authentication required", err)
		return true
	}

	// initialize session
	if err := ctx.Session.Start(ctx.Context); err != nil {
		log.Error(3, "Failed to start session. error %v", err)
		return false
	}

	query := &m.GetSignedInUserQuery{OrgId: orgID}

	// if this session has already been authenticated by authProxy just load the user
	sessProxyValue := ctx.Session.Get(AUTH_PROXY_SESSION_VAR)
	if sessProxyValue != nil && sessProxyValue.(string) == proxyHeaderValue && getRequestUserId(ctx) > 0 {
		// if we're using ldap, sync user periodically
		if setting.LdapEnabled {
			syncQuery := &m.LoginUserQuery{
				ReqContext: ctx,
				Username:   proxyHeaderValue,
			}

			if err := syncGrafanaUserWithLdapUser(syncQuery); err != nil {
				if err == login.ErrInvalidCredentials {
					ctx.Handle(500, "Unable to authenticate user", err)
					return false
				}

				ctx.Handle(500, "Failed to sync user", err)
				return false
			}
		}

		query.UserId = getRequestUserId(ctx)
		// if we're using ldap, pass authproxy login name to ldap user sync
	} else if setting.LdapEnabled {
		ctx.Session.Delete(session.SESS_KEY_LASTLDAPSYNC) //makes sure we always sync with ldap if session if we only have last sync info in session but not user.

		syncQuery := &m.LoginUserQuery{
			ReqContext: ctx,
			Username:   proxyHeaderValue,
		}

		if err := syncGrafanaUserWithLdapUser(syncQuery); err != nil {
			if err == login.ErrInvalidCredentials {
				ctx.Handle(500, "Unable to authenticate user", err)
				return false
			}

			ctx.Handle(500, "Failed to sync user", err)
			return false
		}

		if syncQuery.User == nil {
			ctx.Handle(500, "Failed to sync user", nil)
			return false
		}

		query.UserId = syncQuery.User.Id
		// no ldap, just use the info we have
	} else {
		extUser := &m.ExternalUserInfo{
			AuthModule: "authproxy",
			AuthId:     proxyHeaderValue,
		}

		if setting.AuthProxyHeaderProperty == "username" {
			extUser.Login = proxyHeaderValue

			// only set Email if it can be parsed as an email address
			emailAddr, emailErr := mail.ParseAddress(proxyHeaderValue)
			if emailErr == nil {
				extUser.Email = emailAddr.Address
			}
		} else if setting.AuthProxyHeaderProperty == "email" {
			extUser.Email = proxyHeaderValue
			extUser.Login = proxyHeaderValue
		} else {
			ctx.Handle(500, "Auth proxy header property invalid", nil)
			return true
		}

		for _, field := range []string{"Name", "Email", "Login"} {
			if setting.AuthProxyHeaders[field] == "" {
				continue
			}

			if val := ctx.Req.Header.Get(setting.AuthProxyHeaders[field]); val != "" {
				reflect.ValueOf(extUser).Elem().FieldByName(field).SetString(val)
			}
		}

		// add/update user in grafana
		cmd := &m.UpsertUserCommand{
			ReqContext:    ctx,
			ExternalUser:  extUser,
			SignupAllowed: setting.AuthProxyAutoSignUp,
		}
		err := bus.Dispatch(cmd)
		if err != nil {
			ctx.Handle(500, "Failed to login as user specified in auth proxy header", err)
			return true
		}

		query.UserId = cmd.Result.Id
	}

	if err := bus.Dispatch(query); err != nil {
		ctx.Handle(500, "Failed to find user", err)
		return true
	}

	// Make sure that we cannot share a session between different users!
	if getRequestUserId(ctx) > 0 && getRequestUserId(ctx) != query.Result.UserId {
		// remove session
		if err := ctx.Session.Destory(ctx.Context); err != nil {
			log.Error(3, "Failed to destroy session. error: %v", err)
		}

		// initialize a new session
		if err := ctx.Session.Start(ctx.Context); err != nil {
			log.Error(3, "Failed to start session. error: %v", err)
		}
	}

	ctx.Session.Set(AUTH_PROXY_SESSION_VAR, proxyHeaderValue)

	ctx.SignedInUser = query.Result
	ctx.IsSignedIn = true
	ctx.Session.Set(session.SESS_KEY_USERID, ctx.UserId)

	if err := ctx.Session.Release(); err != nil {
		ctx.Logger.Error("failed to save session data", "error", err)
	}

	return true
}

var syncGrafanaUserWithLdapUser = func(query *m.LoginUserQuery) error {
	expireEpoch := time.Now().Add(time.Duration(-setting.AuthProxyLdapSyncTtl) * time.Minute).Unix()

	var lastLdapSync int64
	if lastLdapSyncInSession := query.ReqContext.Session.Get(session.SESS_KEY_LASTLDAPSYNC); lastLdapSyncInSession != nil {
		lastLdapSync = lastLdapSyncInSession.(int64)
	}

	if lastLdapSync < expireEpoch {
		ldapCfg := login.LdapCfg

		if len(ldapCfg.Servers) < 1 {
			return fmt.Errorf("No LDAP servers available")
		}

		for _, server := range ldapCfg.Servers {
			author := login.NewLdapAuthenticator(server)
			if err := author.SyncUser(query); err != nil {
				return err
			}
		}

		query.ReqContext.Session.Set(session.SESS_KEY_LASTLDAPSYNC, time.Now().Unix())
	}

	return nil
}

func getRequestUserId(c *m.ReqContext) int64 {
	userID := c.Session.Get(session.SESS_KEY_USERID)

	if userID != nil {
		return userID.(int64)
	}

	return 0
}

func checkAuthenticationProxy(remoteAddr string, proxyHeaderValue string) error {
	if len(strings.TrimSpace(setting.AuthProxyWhitelist)) == 0 {
		return nil
	}

	proxies := strings.Split(setting.AuthProxyWhitelist, ",")
	var proxyObjs []*net.IPNet
	for _, proxy := range proxies {
		proxyObjs = append(proxyObjs, coerceProxyAddress(proxy))
	}

	sourceIP, _, _ := net.SplitHostPort(remoteAddr)
	sourceObj := net.ParseIP(sourceIP)

	for _, proxyObj := range proxyObjs {
		if proxyObj.Contains(sourceObj) {
			return nil
		}
	}
	return fmt.Errorf("Request for user (%s) from %s is not from the authentication proxy", proxyHeaderValue, sourceIP)
}

func coerceProxyAddress(proxyAddr string) *net.IPNet {
	proxyAddr = strings.TrimSpace(proxyAddr)
	if !strings.Contains(proxyAddr, "/") {
		proxyAddr = strings.Join([]string{proxyAddr, "32"}, "/")
	}

	_, network, err := net.ParseCIDR(proxyAddr)
	if err != nil {
		fmt.Println(err)
	}
	return network
}
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 05:06:58 -05:00			`package middleware`

			`import (`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 07:22:28 -06:00			`"fmt"`
Revert "auth proxy: use real ip when validating white listed ip's" 2018-06-28 08:43:33 -05:00			`"net"`
update auth proxy 2018-03-22 16:02:34 -05:00			`"net/mail"`
support additional fields in authproxy (#11661) 2018-05-07 03:39:16 -05:00			`"reflect"`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 07:22:28 -06:00			`"strings"`
			`"time"`

Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 05:06:58 -05:00			`"github.com/grafana/grafana/pkg/bus"`
fix(auth proxy): Fix for server side rendering of panel when using auth proxy, fixes #2568 2015-08-21 00:49:49 -05:00			`"github.com/grafana/grafana/pkg/log"`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 07:22:28 -06:00			`"github.com/grafana/grafana/pkg/login"`
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 05:06:58 -05:00			`m "github.com/grafana/grafana/pkg/models"`
move Context and session out of middleware 2018-03-06 16:59:45 -06:00			`"github.com/grafana/grafana/pkg/services/session"`
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 05:06:58 -05:00			`"github.com/grafana/grafana/pkg/setting"`
			`)`

restrict session usage to auth_proxy 2019-01-23 05:41:15 -06:00			`var (`
			`AUTH_PROXY_SESSION_VAR = "authProxyHeaderValue"`
			`)`
update auth proxy 2018-03-22 16:02:34 -05:00
Make golint happier 2018-03-22 16:13:46 -05:00			`func initContextWithAuthProxy(ctx *m.ReqContext, orgID int64) bool {`
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 05:06:58 -05:00			`if !setting.AuthProxyEnabled {`
			`return false`
			`}`

			`proxyHeaderValue := ctx.Req.Header.Get(setting.AuthProxyHeaderName)`
Final tweaks to auth proxy feature 2015-05-02 05:30:53 -05:00			`if len(proxyHeaderValue) == 0 {`
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 05:06:58 -05:00			`return false`
			`}`

Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 07:22:28 -06:00			`// if auth proxy ip(s) defined, check if request comes from one of those`
Revert "auth proxy: use real ip when validating white listed ip's" 2018-06-28 08:43:33 -05:00			`if err := checkAuthenticationProxy(ctx.Req.RemoteAddr, proxyHeaderValue); err != nil {`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 07:22:28 -06:00			`ctx.Handle(407, "Proxy authentication required", err)`
			`return true`
			`}`

update auth proxy 2018-03-22 16:02:34 -05:00			`// initialize session`
			`if err := ctx.Session.Start(ctx.Context); err != nil {`
string formating fixes 2018-08-28 15:26:47 -05:00			`log.Error(3, "Failed to start session. error %v", err)`
update auth proxy 2018-03-22 16:02:34 -05:00			`return false`
			`}`

			`query := &m.GetSignedInUserQuery{OrgId: orgID}`

			`// if this session has already been authenticated by authProxy just load the user`
			`sessProxyValue := ctx.Session.Get(AUTH_PROXY_SESSION_VAR)`
			`if sessProxyValue != nil && sessProxyValue.(string) == proxyHeaderValue && getRequestUserId(ctx) > 0 {`
refactor authproxy & ldap integration, address comments 2018-04-16 15:17:01 -05:00			`// if we're using ldap, sync user periodically`
			`if setting.LdapEnabled {`
			`syncQuery := &m.LoginUserQuery{`
			`ReqContext: ctx,`
			`Username: proxyHeaderValue,`
			`}`

			`if err := syncGrafanaUserWithLdapUser(syncQuery); err != nil {`
			`if err == login.ErrInvalidCredentials {`
			`ctx.Handle(500, "Unable to authenticate user", err)`
			`return false`
			`}`

			`ctx.Handle(500, "Failed to sync user", err)`
			`return false`
			`}`
			`}`

update auth proxy 2018-03-22 16:02:34 -05:00			`query.UserId = getRequestUserId(ctx)`
refactor authproxy & ldap integration, address comments 2018-04-16 15:17:01 -05:00			`// if we're using ldap, pass authproxy login name to ldap user sync`
			`} else if setting.LdapEnabled {`
fixes nil ref in tests 2019-01-22 09:16:32 -06:00			`ctx.Session.Delete(session.SESS_KEY_LASTLDAPSYNC) //makes sure we always sync with ldap if session if we only have last sync info in session but not user.`
cleanup, make sure users are always synced with ldap 2018-04-17 16:48:56 -05:00
refactor authproxy & ldap integration, address comments 2018-04-16 15:17:01 -05:00			`syncQuery := &m.LoginUserQuery{`
			`ReqContext: ctx,`
			`Username: proxyHeaderValue,`
			`}`

			`if err := syncGrafanaUserWithLdapUser(syncQuery); err != nil {`
			`if err == login.ErrInvalidCredentials {`
			`ctx.Handle(500, "Unable to authenticate user", err)`
			`return false`
			`}`

			`ctx.Handle(500, "Failed to sync user", err)`
			`return false`
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 05:06:58 -05:00			`}`
refactor authproxy & ldap integration, address comments 2018-04-16 15:17:01 -05:00
			`if syncQuery.User == nil {`
			`ctx.Handle(500, "Failed to sync user", nil)`
			`return false`
			`}`

			`query.UserId = syncQuery.User.Id`
			`// no ldap, just use the info we have`
update auth proxy 2018-03-22 16:02:34 -05:00			`} else {`
switch to passing ReqContext as a property 2018-03-23 14:50:07 -05:00			`extUser := &m.ExternalUserInfo{`
update auth proxy 2018-03-22 16:02:34 -05:00			`AuthModule: "authproxy",`
			`AuthId: proxyHeaderValue,`
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 05:06:58 -05:00			`}`
Make golint happier 2018-03-22 16:13:46 -05:00
update auth proxy 2018-03-22 16:02:34 -05:00			`if setting.AuthProxyHeaderProperty == "username" {`
			`extUser.Login = proxyHeaderValue`

			`// only set Email if it can be parsed as an email address`
			`emailAddr, emailErr := mail.ParseAddress(proxyHeaderValue)`
			`if emailErr == nil {`
			`extUser.Email = emailAddr.Address`
			`}`
			`} else if setting.AuthProxyHeaderProperty == "email" {`
			`extUser.Email = proxyHeaderValue`
			`extUser.Login = proxyHeaderValue`
			`} else {`
			`ctx.Handle(500, "Auth proxy header property invalid", nil)`
cleanup 2018-03-23 10:58:38 -05:00			`return true`
Make golint happier 2018-03-22 16:13:46 -05:00			`}`

support additional fields in authproxy (#11661) 2018-05-07 03:39:16 -05:00			`for _, field := range []string{"Name", "Email", "Login"} {`
			`if setting.AuthProxyHeaders[field] == "" {`
			`continue`
			`}`

			`if val := ctx.Req.Header.Get(setting.AuthProxyHeaders[field]); val != "" {`
			`reflect.ValueOf(extUser).Elem().FieldByName(field).SetString(val)`
			`}`
			`}`

update auth proxy 2018-03-22 16:02:34 -05:00			`// add/update user in grafana`
switch to Result 2018-03-23 10:16:11 -05:00			`cmd := &m.UpsertUserCommand{`
switch to passing ReqContext as a property 2018-03-23 14:50:07 -05:00			`ReqContext: ctx,`
			`ExternalUser: extUser,`
update auth proxy 2018-03-22 16:02:34 -05:00			`SignupAllowed: setting.AuthProxyAutoSignUp,`
			`}`
switch to passing ReqContext as a property 2018-03-23 14:50:07 -05:00			`err := bus.Dispatch(cmd)`
update auth proxy 2018-03-22 16:02:34 -05:00			`if err != nil {`
			`ctx.Handle(500, "Failed to login as user specified in auth proxy header", err)`
Make golint happier 2018-03-22 16:13:46 -05:00			`return true`
			`}`
update auth proxy 2018-03-22 16:02:34 -05:00
switch to Result 2018-03-23 10:16:11 -05:00			`query.UserId = cmd.Result.Id`
refactor authproxy & ldap integration, address comments 2018-04-16 15:17:01 -05:00			`}`
update auth proxy 2018-03-22 16:02:34 -05:00
refactor authproxy & ldap integration, address comments 2018-04-16 15:17:01 -05:00			`if err := bus.Dispatch(query); err != nil {`
			`ctx.Handle(500, "Failed to find user", err)`
			`return true`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 07:22:28 -06:00			`}`

refactor authproxy & ldap integration, address comments 2018-04-16 15:17:01 -05:00			`// Make sure that we cannot share a session between different users!`
			`if getRequestUserId(ctx) > 0 && getRequestUserId(ctx) != query.Result.UserId {`
			`// remove session`
			`if err := ctx.Session.Destory(ctx.Context); err != nil {`
string formating fixes 2018-08-28 15:26:47 -05:00			`log.Error(3, "Failed to destroy session. error: %v", err)`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 07:22:28 -06:00			`}`

refactor authproxy & ldap integration, address comments 2018-04-16 15:17:01 -05:00			`// initialize a new session`
			`if err := ctx.Session.Start(ctx.Context); err != nil {`
string formating fixes 2018-08-28 15:26:47 -05:00			`log.Error(3, "Failed to start session. error: %v", err)`
refactor authproxy & ldap integration, address comments 2018-04-16 15:17:01 -05:00			`}`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 07:22:28 -06:00			`}`

refactor authproxy & ldap integration, address comments 2018-04-16 15:17:01 -05:00			`ctx.Session.Set(AUTH_PROXY_SESSION_VAR, proxyHeaderValue)`

Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 05:06:58 -05:00			`ctx.SignedInUser = query.Result`
			`ctx.IsSignedIn = true`
move Context and session out of middleware 2018-03-06 16:59:45 -06:00			`ctx.Session.Set(session.SESS_KEY_USERID, ctx.UserId)`
fix(auth proxy): Fix for server side rendering of panel when using auth proxy, fixes #2568 2015-08-21 00:49:49 -05:00
restrict session usage to auth_proxy 2019-01-23 05:41:15 -06:00			`if err := ctx.Session.Release(); err != nil {`
			`ctx.Logger.Error("failed to save session data", "error", err)`
			`}`

Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 05:06:58 -05:00			`return true`
			`}`

refactor authproxy & ldap integration, address comments 2018-04-16 15:17:01 -05:00			`var syncGrafanaUserWithLdapUser = func(query *m.LoginUserQuery) error {`
Make golint happier 2018-03-22 16:13:46 -05:00			`expireEpoch := time.Now().Add(time.Duration(-setting.AuthProxyLdapSyncTtl) * time.Minute).Unix()`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 07:22:28 -06:00
Make golint happier 2018-03-22 16:13:46 -05:00			`var lastLdapSync int64`
refactor authproxy & ldap integration, address comments 2018-04-16 15:17:01 -05:00			`if lastLdapSyncInSession := query.ReqContext.Session.Get(session.SESS_KEY_LASTLDAPSYNC); lastLdapSyncInSession != nil {`
Make golint happier 2018-03-22 16:13:46 -05:00			`lastLdapSync = lastLdapSyncInSession.(int64)`
			`}`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 07:22:28 -06:00
Make golint happier 2018-03-22 16:13:46 -05:00			`if lastLdapSync < expireEpoch {`
			`ldapCfg := login.LdapCfg`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 07:22:28 -06:00
refactor authproxy & ldap integration, address comments 2018-04-16 15:17:01 -05:00			`if len(ldapCfg.Servers) < 1 {`
			`return fmt.Errorf("No LDAP servers available")`
			`}`

Make golint happier 2018-03-22 16:13:46 -05:00			`for _, server := range ldapCfg.Servers {`
			`author := login.NewLdapAuthenticator(server)`
refactor authproxy & ldap integration, address comments 2018-04-16 15:17:01 -05:00			`if err := author.SyncUser(query); err != nil {`
Make golint happier 2018-03-22 16:13:46 -05:00			`return err`
			`}`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 07:22:28 -06:00			`}`
Make golint happier 2018-03-22 16:13:46 -05:00
refactor authproxy & ldap integration, address comments 2018-04-16 15:17:01 -05:00			`query.ReqContext.Session.Set(session.SESS_KEY_LASTLDAPSYNC, time.Now().Unix())`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 07:22:28 -06:00			`}`

			`return nil`
			`}`

restrict session usage to auth_proxy 2019-01-23 05:41:15 -06:00			`func getRequestUserId(c *m.ReqContext) int64 {`
			`userID := c.Session.Get(session.SESS_KEY_USERID)`

			`if userID != nil {`
			`return userID.(int64)`
			`}`

			`return 0`
			`}`

Use net.SplitHostPort to support IPv6 - Add some tests - Make error message more helpful 2018-03-21 12:28:56 -05:00			`func checkAuthenticationProxy(remoteAddr string, proxyHeaderValue string) error {`
Make golint happier 2018-03-22 16:13:46 -05:00			`if len(strings.TrimSpace(setting.AuthProxyWhitelist)) == 0 {`
			`return nil`
			`}`
Use net.SplitHostPort to support IPv6 - Add some tests - Make error message more helpful 2018-03-21 12:28:56 -05:00
make sure to use real ip when validating white listed ip's 2018-06-15 06:40:42 -05:00			`proxies := strings.Split(setting.AuthProxyWhitelist, ",")`
Adding CIDR capability to auth_proxy whitelist 2018-12-17 23:43:14 -06:00			`var proxyObjs []*net.IPNet`
			`for _, proxy := range proxies {`
			`proxyObjs = append(proxyObjs, coerceProxyAddress(proxy))`
Revert "auth proxy: use real ip when validating white listed ip's" 2018-06-28 08:43:33 -05:00			`}`
make sure to use real ip when validating white listed ip's 2018-06-15 06:40:42 -05:00
Adding CIDR capability to auth_proxy whitelist 2018-12-17 23:43:14 -06:00			`sourceIP, _, _ := net.SplitHostPort(remoteAddr)`
			`sourceObj := net.ParseIP(sourceIP)`

			`for _, proxyObj := range proxyObjs {`
			`if proxyObj.Contains(sourceObj) {`
Use net.SplitHostPort to support IPv6 - Add some tests - Make error message more helpful 2018-03-21 12:28:56 -05:00			`return nil`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 07:22:28 -06:00			`}`
Make golint happier 2018-03-22 16:13:46 -05:00			`}`
Revert "auth proxy: use real ip when validating white listed ip's" 2018-06-28 08:43:33 -05:00			`return fmt.Errorf("Request for user (%s) from %s is not from the authentication proxy", proxyHeaderValue, sourceIP)`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 07:22:28 -06:00			`}`
Adding CIDR capability to auth_proxy whitelist 2018-12-17 23:43:14 -06:00
			`func coerceProxyAddress(proxyAddr string) *net.IPNet {`
			`proxyAddr = strings.TrimSpace(proxyAddr)`
			`if !strings.Contains(proxyAddr, "/") {`
			`proxyAddr = strings.Join([]string{proxyAddr, "32"}, "/")`
			`}`

			`_, network, err := net.ParseCIDR(proxyAddr)`
			`if err != nil {`
			`fmt.Println(err)`
			`}`
			`return network`
			`}`