Auth: Add authed device tagging (#72442)

* add authed device tagging

* fix config

* implement feedback

* implement feedback

* add reverse untag behavior

* remove duplicate stat

* Update pkg/services/anonymous/anonimpl/impl.go
This commit is contained in:
Jo 2023-07-31 18:04:28 +02:00 committed by GitHub
parent d279d926a4
commit 3353b1a8aa
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 286 additions and 90 deletions

View File

@ -3,6 +3,7 @@ package anonimpl
import (
"context"
"encoding/hex"
"encoding/json"
"fmt"
"hash/fnv"
"net/http"
@ -14,28 +15,30 @@ import (
"github.com/grafana/grafana/pkg/infra/network"
"github.com/grafana/grafana/pkg/infra/remotecache"
"github.com/grafana/grafana/pkg/infra/usagestats"
"github.com/grafana/grafana/pkg/services/anonymous"
"github.com/grafana/grafana/pkg/web"
)
const thirtyDays = 30 * 24 * time.Hour
const anonCachePrefix = "anon-session"
type Device struct {
ip string
userAgent string
Kind anonymous.DeviceKind `json:"kind"`
IP string `json:"ip"`
UserAgent string `json:"user_agent"`
LastSeen time.Time `json:"last_seen"`
}
func (a *Device) Key() (string, error) {
key := strings.Builder{}
key.WriteString(a.ip)
key.WriteString(a.userAgent)
key.WriteString(a.IP)
key.WriteString(a.UserAgent)
hash := fnv.New128a()
if _, err := hash.Write([]byte(key.String())); err != nil {
return "", fmt.Errorf("failed to write to hash: %w", err)
}
return strings.Join([]string{anonCachePrefix, hex.EncodeToString(hash.Sum(nil))}, ":"), nil
return strings.Join([]string{string(a.Kind), hex.EncodeToString(hash.Sum(nil))}, ":"), nil
}
type AnonDeviceService struct {
@ -57,17 +60,36 @@ func ProvideAnonymousDeviceService(remoteCache remotecache.CacheStorage, usageSt
}
func (a *AnonDeviceService) usageStatFn(ctx context.Context) (map[string]interface{}, error) {
sessionCount, err := a.remoteCache.Count(ctx, anonCachePrefix)
anonDeviceCount, err := a.remoteCache.Count(ctx, string(anonymous.AnonDevice))
if err != nil {
return nil, nil
}
authedDeviceCount, err := a.remoteCache.Count(ctx, string(anonymous.AuthedDevice))
if err != nil {
return nil, nil
}
return map[string]interface{}{
"stats.anonymous.session.count": sessionCount,
"stats.anonymous.session.count": anonDeviceCount, // keep session for legacy data
"stats.users.device.count": authedDeviceCount,
}, nil
}
func (a *AnonDeviceService) TagDevice(ctx context.Context, httpReq *http.Request) error {
func (a *AnonDeviceService) untagDevice(ctx context.Context, device *Device) error {
key, err := device.Key()
if err != nil {
return err
}
if err := a.remoteCache.Delete(ctx, key); err != nil {
return err
}
return nil
}
func (a *AnonDeviceService) TagDevice(ctx context.Context, httpReq *http.Request, kind anonymous.DeviceKind) error {
addr := web.RemoteAddr(httpReq)
ip, err := network.GetIPFromAddress(addr)
if err != nil {
@ -80,12 +102,14 @@ func (a *AnonDeviceService) TagDevice(ctx context.Context, httpReq *http.Request
clientIPStr = ""
}
anonDevice := &Device{
ip: clientIPStr,
userAgent: httpReq.UserAgent(),
taggedDevice := &Device{
Kind: kind,
IP: clientIPStr,
UserAgent: httpReq.UserAgent(),
LastSeen: time.Now().UTC(),
}
key, err := anonDevice.Key()
key, err := taggedDevice.Key()
if err != nil {
return err
}
@ -96,5 +120,27 @@ func (a *AnonDeviceService) TagDevice(ctx context.Context, httpReq *http.Request
a.localCache.SetDefault(key, struct{}{})
return a.remoteCache.Set(ctx, key, []byte(key), thirtyDays)
deviceJSON, err := json.Marshal(taggedDevice)
if err != nil {
return err
}
if err := a.remoteCache.Set(ctx, key, deviceJSON, thirtyDays); err != nil {
return err
}
// remove existing tag when device switches to another kind
untagKind := anonymous.AnonDevice
if kind == anonymous.AnonDevice {
untagKind = anonymous.AuthedDevice
}
if err := a.untagDevice(ctx, &Device{
Kind: untagKind,
IP: taggedDevice.IP,
UserAgent: taggedDevice.UserAgent,
}); err != nil {
return err
}
return nil
}

View File

@ -2,14 +2,17 @@ package anonimpl
import (
"context"
"encoding/json"
"net/http"
"testing"
"time"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/grafana/grafana/pkg/infra/remotecache"
"github.com/grafana/grafana/pkg/infra/usagestats"
"github.com/grafana/grafana/pkg/services/anonymous"
)
func TestAnonDeviceKey(t *testing.T) {
@ -21,24 +24,27 @@ func TestAnonDeviceKey(t *testing.T) {
{
name: "should hash correctly",
session: &Device{
ip: "10.10.10.10",
userAgent: "test",
Kind: anonymous.AnonDevice,
IP: "10.10.10.10",
UserAgent: "test",
},
expected: "anon-session:ad9f5c6bf504a9fa77c37a3a6658c0cd",
},
{
name: "should hash correctly with different ip",
session: &Device{
ip: "10.10.10.1",
userAgent: "test",
Kind: anonymous.AnonDevice,
IP: "10.10.10.1",
UserAgent: "test",
},
expected: "anon-session:580605320245e8289e0b301074a027c3",
},
{
name: "should hash correctly with different user agent",
session: &Device{
ip: "10.10.10.1",
userAgent: "test2",
Kind: anonymous.AnonDevice,
IP: "10.10.10.1",
UserAgent: "test2",
},
expected: "anon-session:5fdd04b0bd04a9fa77c4243f8111258b",
},
@ -58,75 +64,149 @@ func TestAnonDeviceKey(t *testing.T) {
}
}
func TestIntegrationAnonDeviceService_tag(t *testing.T) {
func TestIntegrationDeviceService_tag(t *testing.T) {
type tagReq struct {
httpReq *http.Request
kind anonymous.DeviceKind
}
testCases := []struct {
name string
req []*http.Request
expectedCount int64
name string
req []tagReq
expectedAnonCount int64
expectedAuthedCount int64
expectedDevice *Device
}{
{
name: "no requests",
req: []*http.Request{},
expectedCount: 0,
name: "no requests",
req: []tagReq{{httpReq: &http.Request{}, kind: anonymous.AnonDevice}},
expectedAnonCount: 0,
expectedAuthedCount: 0,
},
{
name: "missing info should not tag",
req: []*http.Request{
{
Header: http.Header{
"User-Agent": []string{"test"},
},
req: []tagReq{{httpReq: &http.Request{
Header: http.Header{
"User-Agent": []string{"test"},
},
},
expectedCount: 0,
kind: anonymous.AnonDevice,
}},
expectedAnonCount: 0,
expectedAuthedCount: 0,
},
{
name: "should tag once",
req: []*http.Request{
{
Header: http.Header{
"User-Agent": []string{"test"},
"X-Forwarded-For": []string{"10.30.30.1"},
},
req: []tagReq{{httpReq: &http.Request{
Header: http.Header{
"User-Agent": []string{"test"},
"X-Forwarded-For": []string{"10.30.30.1"},
},
},
expectedCount: 1,
kind: anonymous.AnonDevice,
},
},
expectedAnonCount: 1,
expectedAuthedCount: 0,
expectedDevice: &Device{
Kind: anonymous.AnonDevice,
IP: "10.30.30.1",
UserAgent: "test"},
},
{
name: "repeat request should not tag",
req: []*http.Request{
{
Header: http.Header{
"User-Agent": []string{"test"},
"X-Forwarded-For": []string{"10.30.30.1"},
},
},
{
Header: http.Header{
"User-Agent": []string{"test"},
"X-Forwarded-For": []string{"10.30.30.1"},
},
req: []tagReq{{httpReq: &http.Request{
Header: http.Header{
"User-Agent": []string{"test"},
"X-Forwarded-For": []string{"10.30.30.1"},
},
},
expectedCount: 1,
kind: anonymous.AnonDevice,
}, {httpReq: &http.Request{
Header: http.Header{
"User-Agent": []string{"test"},
"X-Forwarded-For": []string{"10.30.30.1"},
},
},
kind: anonymous.AnonDevice,
},
},
expectedAnonCount: 1,
expectedAuthedCount: 0,
}, {
name: "authed request should untag anon",
req: []tagReq{{httpReq: &http.Request{
Header: http.Header{
"User-Agent": []string{"test"},
"X-Forwarded-For": []string{"10.30.30.1"},
},
},
kind: anonymous.AnonDevice,
}, {httpReq: &http.Request{
Header: http.Header{
"User-Agent": []string{"test"},
"X-Forwarded-For": []string{"10.30.30.1"},
},
},
kind: anonymous.AuthedDevice,
},
},
expectedAnonCount: 0,
expectedAuthedCount: 1,
}, {
name: "anon request should untag authed",
req: []tagReq{{httpReq: &http.Request{
Header: http.Header{
"User-Agent": []string{"test"},
"X-Forwarded-For": []string{"10.30.30.1"},
},
},
kind: anonymous.AuthedDevice,
}, {httpReq: &http.Request{
Header: http.Header{
"User-Agent": []string{"test"},
"X-Forwarded-For": []string{"10.30.30.1"},
},
},
kind: anonymous.AnonDevice,
},
},
expectedAnonCount: 1,
expectedAuthedCount: 0,
},
{
name: "tag 2 different requests",
req: []*http.Request{
{
Header: http.Header{
"User-Agent": []string{"test"},
"X-Forwarded-For": []string{"10.30.30.1"},
},
},
{
Header: http.Header{
"User-Agent": []string{"test"},
"X-Forwarded-For": []string{"10.30.30.2"},
},
name: "tag 4 different requests",
req: []tagReq{{httpReq: &http.Request{
Header: http.Header{
"User-Agent": []string{"test"},
"X-Forwarded-For": []string{"10.30.30.1"},
},
},
expectedCount: 2,
kind: anonymous.AnonDevice,
}, {httpReq: &http.Request{
Header: http.Header{
"User-Agent": []string{"test"},
"X-Forwarded-For": []string{"10.30.30.2"},
},
},
kind: anonymous.AnonDevice,
}, {httpReq: &http.Request{
Header: http.Header{
"User-Agent": []string{"test"},
"X-Forwarded-For": []string{"10.30.30.3"},
},
},
kind: anonymous.AuthedDevice,
}, {httpReq: &http.Request{
Header: http.Header{
"User-Agent": []string{"test"},
"X-Forwarded-For": []string{"10.30.30.4"},
},
},
kind: anonymous.AuthedDevice,
},
},
expectedAnonCount: 2,
expectedAuthedCount: 2,
},
}
@ -137,14 +217,32 @@ func TestIntegrationAnonDeviceService_tag(t *testing.T) {
anonService := ProvideAnonymousDeviceService(fakeStore, &usagestats.UsageStatsMock{})
for _, req := range tc.req {
err := anonService.TagDevice(context.Background(), req)
err := anonService.TagDevice(context.Background(), req.httpReq, req.kind)
require.NoError(t, err)
}
stats, err := anonService.usageStatFn(context.Background())
require.NoError(t, err)
assert.Equal(t, tc.expectedCount, stats["stats.anonymous.session.count"].(int64))
assert.Equal(t, tc.expectedAnonCount, stats["stats.anonymous.session.count"].(int64))
assert.Equal(t, tc.expectedAuthedCount, stats["stats.users.device.count"].(int64))
if tc.expectedDevice != nil {
key, err := tc.expectedDevice.Key()
require.NoError(t, err)
k, err := fakeStore.Get(context.Background(), key)
require.NoError(t, err)
gotDevice := &Device{}
err = json.Unmarshal(k, gotDevice)
require.NoError(t, err)
assert.NotNil(t, gotDevice.LastSeen)
gotDevice.LastSeen = time.Time{}
assert.Equal(t, tc.expectedDevice, gotDevice)
}
})
}
}
@ -162,8 +260,10 @@ func TestIntegrationAnonDeviceService_localCacheSafety(t *testing.T) {
}
anonDevice := &Device{
ip: "10.30.30.2",
userAgent: "test",
Kind: anonymous.AnonDevice,
IP: "10.30.30.2",
UserAgent: "test",
LastSeen: time.Now().UTC(),
}
key, err := anonDevice.Key()
@ -171,7 +271,7 @@ func TestIntegrationAnonDeviceService_localCacheSafety(t *testing.T) {
anonService.localCache.SetDefault(key, true)
err = anonService.TagDevice(context.Background(), req)
err = anonService.TagDevice(context.Background(), req, anonymous.AnonDevice)
require.NoError(t, err)
stats, err := anonService.usageStatFn(context.Background())

View File

@ -3,11 +3,13 @@ package anontest
import (
"context"
"net/http"
"github.com/grafana/grafana/pkg/services/anonymous"
)
type FakeAnonymousSessionService struct {
}
func (f *FakeAnonymousSessionService) TagDevice(ctx context.Context, httpReq *http.Request) error {
func (f *FakeAnonymousSessionService) TagDevice(ctx context.Context, httpReq *http.Request, kind anonymous.DeviceKind) error {
return nil
}

View File

@ -5,6 +5,13 @@ import (
"net/http"
)
type DeviceKind string
const (
AnonDevice DeviceKind = "anon-session"
AuthedDevice DeviceKind = "authed-session"
)
type Service interface {
TagDevice(context.Context, *http.Request) error
TagDevice(context.Context, *http.Request, DeviceKind) error
}

View File

@ -84,7 +84,7 @@ func ProvideService(
s.RegisterClient(clients.ProvideAPIKey(apikeyService, userService))
if cfg.LoginCookieName != "" {
s.RegisterClient(clients.ProvideSession(cfg, sessionService, features))
s.RegisterClient(clients.ProvideSession(cfg, sessionService, features, anonDeviceService))
}
if s.cfg.AnonymousEnabled {

View File

@ -4,6 +4,7 @@ import (
"context"
"net/http"
"strings"
"time"
"github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/services/anonymous"
@ -14,6 +15,8 @@ import (
var _ authn.ContextAwareClient = new(Anonymous)
const timeoutTag = 2 * time.Minute
func ProvideAnonymous(cfg *setting.Cfg, orgService org.Service, anonDeviceService anonymous.Service) *Anonymous {
return &Anonymous{
cfg: cfg,
@ -54,7 +57,10 @@ func (a *Anonymous) Authenticate(ctx context.Context, r *authn.Request) (*authn.
a.log.Warn("tag anon session panic", "err", err)
}
}()
if err := a.anonDeviceService.TagDevice(context.Background(), httpReqCopy); err != nil {
newCtx, cancel := context.WithTimeout(context.Background(), timeoutTag)
defer cancel()
if err := a.anonDeviceService.TagDevice(newCtx, httpReqCopy, anonymous.AnonDevice); err != nil {
a.log.Warn("failed to tag anonymous session", "error", err)
}
}()

View File

@ -3,11 +3,13 @@ package clients
import (
"context"
"errors"
"net/http"
"net/url"
"time"
"github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/infra/network"
"github.com/grafana/grafana/pkg/services/anonymous"
"github.com/grafana/grafana/pkg/services/auth"
"github.com/grafana/grafana/pkg/services/authn"
"github.com/grafana/grafana/pkg/services/featuremgmt"
@ -18,20 +20,25 @@ import (
var _ authn.HookClient = new(Session)
var _ authn.ContextAwareClient = new(Session)
func ProvideSession(cfg *setting.Cfg, sessionService auth.UserTokenService, features *featuremgmt.FeatureManager) *Session {
func ProvideSession(cfg *setting.Cfg, sessionService auth.UserTokenService,
features *featuremgmt.FeatureManager, anonDeviceService anonymous.Service) *Session {
return &Session{
cfg: cfg,
features: features,
sessionService: sessionService,
log: log.New(authn.ClientSession),
cfg: cfg,
features: features,
sessionService: sessionService,
log: log.New(authn.ClientSession),
anonDeviceService: anonDeviceService,
tagDevices: cfg.TagAuthedDevices,
}
}
type Session struct {
cfg *setting.Cfg
features *featuremgmt.FeatureManager
sessionService auth.UserTokenService
log log.Logger
cfg *setting.Cfg
features *featuremgmt.FeatureManager
sessionService auth.UserTokenService
log log.Logger
tagDevices bool
anonDeviceService anonymous.Service
}
func (s *Session) Name() string {
@ -60,6 +67,29 @@ func (s *Session) Authenticate(ctx context.Context, r *authn.Request) (*authn.Id
}
}
if s.tagDevices {
// Tag authed devices
httpReqCopy := &http.Request{}
if r.HTTPRequest != nil && r.HTTPRequest.Header != nil {
// avoid r.HTTPRequest.Clone(context.Background()) as we do not require a full clone
httpReqCopy.Header = r.HTTPRequest.Header.Clone()
httpReqCopy.RemoteAddr = r.HTTPRequest.RemoteAddr
}
go func() {
defer func() {
if err := recover(); err != nil {
s.log.Warn("tag anon session panic", "err", err)
}
}()
newCtx, cancel := context.WithTimeout(context.Background(), timeoutTag)
defer cancel()
if err := s.anonDeviceService.TagDevice(newCtx, httpReqCopy, anonymous.AuthedDevice); err != nil {
s.log.Warn("failed to tag anonymous session", "error", err)
}
}()
}
return &authn.Identity{
ID: authn.NamespacedID(authn.NamespaceUser, token.UserId),
SessionToken: token,

View File

@ -11,6 +11,7 @@ import (
"github.com/stretchr/testify/require"
"github.com/grafana/grafana/pkg/models/usertoken"
"github.com/grafana/grafana/pkg/services/anonymous/anontest"
"github.com/grafana/grafana/pkg/services/auth"
"github.com/grafana/grafana/pkg/services/auth/authtest"
"github.com/grafana/grafana/pkg/services/authn"
@ -29,7 +30,7 @@ func TestSession_Test(t *testing.T) {
cfg := setting.NewCfg()
cfg.LoginCookieName = ""
cfg.LoginMaxLifetime = 20 * time.Second
s := ProvideSession(cfg, &authtest.FakeUserAuthTokenService{}, featuremgmt.WithFeatures())
s := ProvideSession(cfg, &authtest.FakeUserAuthTokenService{}, featuremgmt.WithFeatures(), &anontest.FakeAnonymousSessionService{})
disabled := s.Test(context.Background(), &authn.Request{HTTPRequest: validHTTPReq})
assert.False(t, disabled)
@ -145,7 +146,7 @@ func TestSession_Authenticate(t *testing.T) {
cfg.LoginCookieName = cookieName
cfg.TokenRotationIntervalMinutes = 10
cfg.LoginMaxLifetime = 20 * time.Second
s := ProvideSession(cfg, tt.fields.sessionService, tt.fields.features)
s := ProvideSession(cfg, tt.fields.sessionService, tt.fields.features, &anontest.FakeAnonymousSessionService{})
got, err := s.Authenticate(context.Background(), tt.args.r)
require.True(t, (err != nil) == tt.wantErr, err)
@ -185,7 +186,7 @@ func TestSession_Hook(t *testing.T) {
token.UnhashedToken = "new-token"
return true, token, nil
},
}, featuremgmt.WithFeatures())
}, featuremgmt.WithFeatures(), &anontest.FakeAnonymousSessionService{})
sampleID := &authn.Identity{
SessionToken: &auth.UserToken{
@ -219,7 +220,7 @@ func TestSession_Hook(t *testing.T) {
})
t.Run("should not rotate token with feature flag", func(t *testing.T) {
s := ProvideSession(setting.NewCfg(), nil, featuremgmt.WithFeatures(featuremgmt.FlagClientTokenRotation))
s := ProvideSession(setting.NewCfg(), nil, featuremgmt.WithFeatures(featuremgmt.FlagClientTokenRotation), &anontest.FakeAnonymousSessionService{})
req := &authn.Request{}
identity := &authn.Identity{}

View File

@ -282,7 +282,8 @@ func (h *ContextHandler) initContextWithAnonymousUser(reqContext *contextmodel.R
reqContext.Logger.Warn("tag anon session panic", "err", err)
}
}()
if err := h.anonDeviceService.TagDevice(context.Background(), httpReqCopy); err != nil {
if err := h.anonDeviceService.TagDevice(context.Background(), httpReqCopy, anonymous.AnonDevice); err != nil {
reqContext.Logger.Warn("Failed to tag anonymous session", "error", err)
}
}()

View File

@ -282,6 +282,8 @@ type Cfg struct {
AuthConfigUIAdminAccess bool
// TO REMOVE: Not documented & not supported. Remove with legacy handlers in 10.2
AuthBrokerEnabled bool
// TO REMOVE: Not documented & not supported. Remove in 10.3
TagAuthedDevices bool
// AWS Plugin Auth
AWSAllowedAuthProviders []string
@ -1528,6 +1530,7 @@ func readAuthSettings(iniFile *ini.File, cfg *Cfg) (err error) {
// Do not use
cfg.AuthConfigUIAdminAccess = auth.Key("config_ui_admin_access").MustBool(false)
cfg.AuthBrokerEnabled = auth.Key("broker").MustBool(true)
cfg.TagAuthedDevices = auth.Key("tag_authed_devices").MustBool(true)
cfg.DisableLoginForm = auth.Key("disable_login_form").MustBool(false)
DisableSignoutMenu = auth.Key("disable_signout_menu").MustBool(false)