diff --git a/pkg/services/anonymous/anonimpl/impl.go b/pkg/services/anonymous/anonimpl/impl.go index c060b948f64..f8867643af8 100644 --- a/pkg/services/anonymous/anonimpl/impl.go +++ b/pkg/services/anonymous/anonimpl/impl.go @@ -3,6 +3,7 @@ package anonimpl import ( "context" "encoding/hex" + "encoding/json" "fmt" "hash/fnv" "net/http" @@ -14,28 +15,30 @@ import ( "github.com/grafana/grafana/pkg/infra/network" "github.com/grafana/grafana/pkg/infra/remotecache" "github.com/grafana/grafana/pkg/infra/usagestats" + "github.com/grafana/grafana/pkg/services/anonymous" "github.com/grafana/grafana/pkg/web" ) const thirtyDays = 30 * 24 * time.Hour -const anonCachePrefix = "anon-session" type Device struct { - ip string - userAgent string + Kind anonymous.DeviceKind `json:"kind"` + IP string `json:"ip"` + UserAgent string `json:"user_agent"` + LastSeen time.Time `json:"last_seen"` } func (a *Device) Key() (string, error) { key := strings.Builder{} - key.WriteString(a.ip) - key.WriteString(a.userAgent) + key.WriteString(a.IP) + key.WriteString(a.UserAgent) hash := fnv.New128a() if _, err := hash.Write([]byte(key.String())); err != nil { return "", fmt.Errorf("failed to write to hash: %w", err) } - return strings.Join([]string{anonCachePrefix, hex.EncodeToString(hash.Sum(nil))}, ":"), nil + return strings.Join([]string{string(a.Kind), hex.EncodeToString(hash.Sum(nil))}, ":"), nil } type AnonDeviceService struct { @@ -57,17 +60,36 @@ func ProvideAnonymousDeviceService(remoteCache remotecache.CacheStorage, usageSt } func (a *AnonDeviceService) usageStatFn(ctx context.Context) (map[string]interface{}, error) { - sessionCount, err := a.remoteCache.Count(ctx, anonCachePrefix) + anonDeviceCount, err := a.remoteCache.Count(ctx, string(anonymous.AnonDevice)) + if err != nil { + return nil, nil + } + + authedDeviceCount, err := a.remoteCache.Count(ctx, string(anonymous.AuthedDevice)) if err != nil { return nil, nil } return map[string]interface{}{ - "stats.anonymous.session.count": sessionCount, + "stats.anonymous.session.count": anonDeviceCount, // keep session for legacy data + "stats.users.device.count": authedDeviceCount, }, nil } -func (a *AnonDeviceService) TagDevice(ctx context.Context, httpReq *http.Request) error { +func (a *AnonDeviceService) untagDevice(ctx context.Context, device *Device) error { + key, err := device.Key() + if err != nil { + return err + } + + if err := a.remoteCache.Delete(ctx, key); err != nil { + return err + } + + return nil +} + +func (a *AnonDeviceService) TagDevice(ctx context.Context, httpReq *http.Request, kind anonymous.DeviceKind) error { addr := web.RemoteAddr(httpReq) ip, err := network.GetIPFromAddress(addr) if err != nil { @@ -80,12 +102,14 @@ func (a *AnonDeviceService) TagDevice(ctx context.Context, httpReq *http.Request clientIPStr = "" } - anonDevice := &Device{ - ip: clientIPStr, - userAgent: httpReq.UserAgent(), + taggedDevice := &Device{ + Kind: kind, + IP: clientIPStr, + UserAgent: httpReq.UserAgent(), + LastSeen: time.Now().UTC(), } - key, err := anonDevice.Key() + key, err := taggedDevice.Key() if err != nil { return err } @@ -96,5 +120,27 @@ func (a *AnonDeviceService) TagDevice(ctx context.Context, httpReq *http.Request a.localCache.SetDefault(key, struct{}{}) - return a.remoteCache.Set(ctx, key, []byte(key), thirtyDays) + deviceJSON, err := json.Marshal(taggedDevice) + if err != nil { + return err + } + + if err := a.remoteCache.Set(ctx, key, deviceJSON, thirtyDays); err != nil { + return err + } + + // remove existing tag when device switches to another kind + untagKind := anonymous.AnonDevice + if kind == anonymous.AnonDevice { + untagKind = anonymous.AuthedDevice + } + if err := a.untagDevice(ctx, &Device{ + Kind: untagKind, + IP: taggedDevice.IP, + UserAgent: taggedDevice.UserAgent, + }); err != nil { + return err + } + + return nil } diff --git a/pkg/services/anonymous/anonimpl/impl_test.go b/pkg/services/anonymous/anonimpl/impl_test.go index db3d5d4fd29..dd59f6767b4 100644 --- a/pkg/services/anonymous/anonimpl/impl_test.go +++ b/pkg/services/anonymous/anonimpl/impl_test.go @@ -2,14 +2,17 @@ package anonimpl import ( "context" + "encoding/json" "net/http" "testing" + "time" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "github.com/grafana/grafana/pkg/infra/remotecache" "github.com/grafana/grafana/pkg/infra/usagestats" + "github.com/grafana/grafana/pkg/services/anonymous" ) func TestAnonDeviceKey(t *testing.T) { @@ -21,24 +24,27 @@ func TestAnonDeviceKey(t *testing.T) { { name: "should hash correctly", session: &Device{ - ip: "10.10.10.10", - userAgent: "test", + Kind: anonymous.AnonDevice, + IP: "10.10.10.10", + UserAgent: "test", }, expected: "anon-session:ad9f5c6bf504a9fa77c37a3a6658c0cd", }, { name: "should hash correctly with different ip", session: &Device{ - ip: "10.10.10.1", - userAgent: "test", + Kind: anonymous.AnonDevice, + IP: "10.10.10.1", + UserAgent: "test", }, expected: "anon-session:580605320245e8289e0b301074a027c3", }, { name: "should hash correctly with different user agent", session: &Device{ - ip: "10.10.10.1", - userAgent: "test2", + Kind: anonymous.AnonDevice, + IP: "10.10.10.1", + UserAgent: "test2", }, expected: "anon-session:5fdd04b0bd04a9fa77c4243f8111258b", }, @@ -58,75 +64,149 @@ func TestAnonDeviceKey(t *testing.T) { } } -func TestIntegrationAnonDeviceService_tag(t *testing.T) { +func TestIntegrationDeviceService_tag(t *testing.T) { + type tagReq struct { + httpReq *http.Request + kind anonymous.DeviceKind + } testCases := []struct { - name string - req []*http.Request - expectedCount int64 + name string + req []tagReq + expectedAnonCount int64 + expectedAuthedCount int64 + expectedDevice *Device }{ { - name: "no requests", - req: []*http.Request{}, - expectedCount: 0, + name: "no requests", + req: []tagReq{{httpReq: &http.Request{}, kind: anonymous.AnonDevice}}, + expectedAnonCount: 0, + expectedAuthedCount: 0, }, { name: "missing info should not tag", - req: []*http.Request{ - { - Header: http.Header{ - "User-Agent": []string{"test"}, - }, + req: []tagReq{{httpReq: &http.Request{ + Header: http.Header{ + "User-Agent": []string{"test"}, }, }, - expectedCount: 0, + kind: anonymous.AnonDevice, + }}, + expectedAnonCount: 0, + expectedAuthedCount: 0, }, { name: "should tag once", - req: []*http.Request{ - { - Header: http.Header{ - "User-Agent": []string{"test"}, - "X-Forwarded-For": []string{"10.30.30.1"}, - }, + req: []tagReq{{httpReq: &http.Request{ + Header: http.Header{ + "User-Agent": []string{"test"}, + "X-Forwarded-For": []string{"10.30.30.1"}, }, }, - expectedCount: 1, + kind: anonymous.AnonDevice, + }, + }, + expectedAnonCount: 1, + expectedAuthedCount: 0, + expectedDevice: &Device{ + Kind: anonymous.AnonDevice, + IP: "10.30.30.1", + UserAgent: "test"}, }, { name: "repeat request should not tag", - req: []*http.Request{ - { - Header: http.Header{ - "User-Agent": []string{"test"}, - "X-Forwarded-For": []string{"10.30.30.1"}, - }, - }, - { - Header: http.Header{ - "User-Agent": []string{"test"}, - "X-Forwarded-For": []string{"10.30.30.1"}, - }, + req: []tagReq{{httpReq: &http.Request{ + Header: http.Header{ + "User-Agent": []string{"test"}, + "X-Forwarded-For": []string{"10.30.30.1"}, }, }, - expectedCount: 1, + kind: anonymous.AnonDevice, + }, {httpReq: &http.Request{ + Header: http.Header{ + "User-Agent": []string{"test"}, + "X-Forwarded-For": []string{"10.30.30.1"}, + }, + }, + kind: anonymous.AnonDevice, + }, + }, + expectedAnonCount: 1, + expectedAuthedCount: 0, + }, { + name: "authed request should untag anon", + req: []tagReq{{httpReq: &http.Request{ + Header: http.Header{ + "User-Agent": []string{"test"}, + "X-Forwarded-For": []string{"10.30.30.1"}, + }, + }, + kind: anonymous.AnonDevice, + }, {httpReq: &http.Request{ + Header: http.Header{ + "User-Agent": []string{"test"}, + "X-Forwarded-For": []string{"10.30.30.1"}, + }, + }, + kind: anonymous.AuthedDevice, + }, + }, + expectedAnonCount: 0, + expectedAuthedCount: 1, + }, { + name: "anon request should untag authed", + req: []tagReq{{httpReq: &http.Request{ + Header: http.Header{ + "User-Agent": []string{"test"}, + "X-Forwarded-For": []string{"10.30.30.1"}, + }, + }, + kind: anonymous.AuthedDevice, + }, {httpReq: &http.Request{ + Header: http.Header{ + "User-Agent": []string{"test"}, + "X-Forwarded-For": []string{"10.30.30.1"}, + }, + }, + kind: anonymous.AnonDevice, + }, + }, + expectedAnonCount: 1, + expectedAuthedCount: 0, }, { - name: "tag 2 different requests", - req: []*http.Request{ - { - Header: http.Header{ - "User-Agent": []string{"test"}, - "X-Forwarded-For": []string{"10.30.30.1"}, - }, - }, - { - Header: http.Header{ - "User-Agent": []string{"test"}, - "X-Forwarded-For": []string{"10.30.30.2"}, - }, + name: "tag 4 different requests", + req: []tagReq{{httpReq: &http.Request{ + Header: http.Header{ + "User-Agent": []string{"test"}, + "X-Forwarded-For": []string{"10.30.30.1"}, }, }, - expectedCount: 2, + kind: anonymous.AnonDevice, + }, {httpReq: &http.Request{ + Header: http.Header{ + "User-Agent": []string{"test"}, + "X-Forwarded-For": []string{"10.30.30.2"}, + }, + }, + kind: anonymous.AnonDevice, + }, {httpReq: &http.Request{ + Header: http.Header{ + "User-Agent": []string{"test"}, + "X-Forwarded-For": []string{"10.30.30.3"}, + }, + }, + kind: anonymous.AuthedDevice, + }, {httpReq: &http.Request{ + Header: http.Header{ + "User-Agent": []string{"test"}, + "X-Forwarded-For": []string{"10.30.30.4"}, + }, + }, + kind: anonymous.AuthedDevice, + }, + }, + expectedAnonCount: 2, + expectedAuthedCount: 2, }, } @@ -137,14 +217,32 @@ func TestIntegrationAnonDeviceService_tag(t *testing.T) { anonService := ProvideAnonymousDeviceService(fakeStore, &usagestats.UsageStatsMock{}) for _, req := range tc.req { - err := anonService.TagDevice(context.Background(), req) + err := anonService.TagDevice(context.Background(), req.httpReq, req.kind) require.NoError(t, err) } stats, err := anonService.usageStatFn(context.Background()) require.NoError(t, err) - assert.Equal(t, tc.expectedCount, stats["stats.anonymous.session.count"].(int64)) + assert.Equal(t, tc.expectedAnonCount, stats["stats.anonymous.session.count"].(int64)) + assert.Equal(t, tc.expectedAuthedCount, stats["stats.users.device.count"].(int64)) + + if tc.expectedDevice != nil { + key, err := tc.expectedDevice.Key() + require.NoError(t, err) + + k, err := fakeStore.Get(context.Background(), key) + require.NoError(t, err) + + gotDevice := &Device{} + err = json.Unmarshal(k, gotDevice) + require.NoError(t, err) + + assert.NotNil(t, gotDevice.LastSeen) + gotDevice.LastSeen = time.Time{} + + assert.Equal(t, tc.expectedDevice, gotDevice) + } }) } } @@ -162,8 +260,10 @@ func TestIntegrationAnonDeviceService_localCacheSafety(t *testing.T) { } anonDevice := &Device{ - ip: "10.30.30.2", - userAgent: "test", + Kind: anonymous.AnonDevice, + IP: "10.30.30.2", + UserAgent: "test", + LastSeen: time.Now().UTC(), } key, err := anonDevice.Key() @@ -171,7 +271,7 @@ func TestIntegrationAnonDeviceService_localCacheSafety(t *testing.T) { anonService.localCache.SetDefault(key, true) - err = anonService.TagDevice(context.Background(), req) + err = anonService.TagDevice(context.Background(), req, anonymous.AnonDevice) require.NoError(t, err) stats, err := anonService.usageStatFn(context.Background()) diff --git a/pkg/services/anonymous/anontest/fake.go b/pkg/services/anonymous/anontest/fake.go index 147a5c3ed20..44b1fcca0ce 100644 --- a/pkg/services/anonymous/anontest/fake.go +++ b/pkg/services/anonymous/anontest/fake.go @@ -3,11 +3,13 @@ package anontest import ( "context" "net/http" + + "github.com/grafana/grafana/pkg/services/anonymous" ) type FakeAnonymousSessionService struct { } -func (f *FakeAnonymousSessionService) TagDevice(ctx context.Context, httpReq *http.Request) error { +func (f *FakeAnonymousSessionService) TagDevice(ctx context.Context, httpReq *http.Request, kind anonymous.DeviceKind) error { return nil } diff --git a/pkg/services/anonymous/service.go b/pkg/services/anonymous/service.go index 3d9fdf5969c..5100800ce26 100644 --- a/pkg/services/anonymous/service.go +++ b/pkg/services/anonymous/service.go @@ -5,6 +5,13 @@ import ( "net/http" ) +type DeviceKind string + +const ( + AnonDevice DeviceKind = "anon-session" + AuthedDevice DeviceKind = "authed-session" +) + type Service interface { - TagDevice(context.Context, *http.Request) error + TagDevice(context.Context, *http.Request, DeviceKind) error } diff --git a/pkg/services/authn/authnimpl/service.go b/pkg/services/authn/authnimpl/service.go index 7ad7b36a559..652d919306c 100644 --- a/pkg/services/authn/authnimpl/service.go +++ b/pkg/services/authn/authnimpl/service.go @@ -84,7 +84,7 @@ func ProvideService( s.RegisterClient(clients.ProvideAPIKey(apikeyService, userService)) if cfg.LoginCookieName != "" { - s.RegisterClient(clients.ProvideSession(cfg, sessionService, features)) + s.RegisterClient(clients.ProvideSession(cfg, sessionService, features, anonDeviceService)) } if s.cfg.AnonymousEnabled { diff --git a/pkg/services/authn/clients/anonymous.go b/pkg/services/authn/clients/anonymous.go index 81ffa9903df..65934dc2292 100644 --- a/pkg/services/authn/clients/anonymous.go +++ b/pkg/services/authn/clients/anonymous.go @@ -4,6 +4,7 @@ import ( "context" "net/http" "strings" + "time" "github.com/grafana/grafana/pkg/infra/log" "github.com/grafana/grafana/pkg/services/anonymous" @@ -14,6 +15,8 @@ import ( var _ authn.ContextAwareClient = new(Anonymous) +const timeoutTag = 2 * time.Minute + func ProvideAnonymous(cfg *setting.Cfg, orgService org.Service, anonDeviceService anonymous.Service) *Anonymous { return &Anonymous{ cfg: cfg, @@ -54,7 +57,10 @@ func (a *Anonymous) Authenticate(ctx context.Context, r *authn.Request) (*authn. a.log.Warn("tag anon session panic", "err", err) } }() - if err := a.anonDeviceService.TagDevice(context.Background(), httpReqCopy); err != nil { + + newCtx, cancel := context.WithTimeout(context.Background(), timeoutTag) + defer cancel() + if err := a.anonDeviceService.TagDevice(newCtx, httpReqCopy, anonymous.AnonDevice); err != nil { a.log.Warn("failed to tag anonymous session", "error", err) } }() diff --git a/pkg/services/authn/clients/session.go b/pkg/services/authn/clients/session.go index 1c0204df55c..6e4ca37985f 100644 --- a/pkg/services/authn/clients/session.go +++ b/pkg/services/authn/clients/session.go @@ -3,11 +3,13 @@ package clients import ( "context" "errors" + "net/http" "net/url" "time" "github.com/grafana/grafana/pkg/infra/log" "github.com/grafana/grafana/pkg/infra/network" + "github.com/grafana/grafana/pkg/services/anonymous" "github.com/grafana/grafana/pkg/services/auth" "github.com/grafana/grafana/pkg/services/authn" "github.com/grafana/grafana/pkg/services/featuremgmt" @@ -18,20 +20,25 @@ import ( var _ authn.HookClient = new(Session) var _ authn.ContextAwareClient = new(Session) -func ProvideSession(cfg *setting.Cfg, sessionService auth.UserTokenService, features *featuremgmt.FeatureManager) *Session { +func ProvideSession(cfg *setting.Cfg, sessionService auth.UserTokenService, + features *featuremgmt.FeatureManager, anonDeviceService anonymous.Service) *Session { return &Session{ - cfg: cfg, - features: features, - sessionService: sessionService, - log: log.New(authn.ClientSession), + cfg: cfg, + features: features, + sessionService: sessionService, + log: log.New(authn.ClientSession), + anonDeviceService: anonDeviceService, + tagDevices: cfg.TagAuthedDevices, } } type Session struct { - cfg *setting.Cfg - features *featuremgmt.FeatureManager - sessionService auth.UserTokenService - log log.Logger + cfg *setting.Cfg + features *featuremgmt.FeatureManager + sessionService auth.UserTokenService + log log.Logger + tagDevices bool + anonDeviceService anonymous.Service } func (s *Session) Name() string { @@ -60,6 +67,29 @@ func (s *Session) Authenticate(ctx context.Context, r *authn.Request) (*authn.Id } } + if s.tagDevices { + // Tag authed devices + httpReqCopy := &http.Request{} + if r.HTTPRequest != nil && r.HTTPRequest.Header != nil { + // avoid r.HTTPRequest.Clone(context.Background()) as we do not require a full clone + httpReqCopy.Header = r.HTTPRequest.Header.Clone() + httpReqCopy.RemoteAddr = r.HTTPRequest.RemoteAddr + } + go func() { + defer func() { + if err := recover(); err != nil { + s.log.Warn("tag anon session panic", "err", err) + } + }() + + newCtx, cancel := context.WithTimeout(context.Background(), timeoutTag) + defer cancel() + if err := s.anonDeviceService.TagDevice(newCtx, httpReqCopy, anonymous.AuthedDevice); err != nil { + s.log.Warn("failed to tag anonymous session", "error", err) + } + }() + } + return &authn.Identity{ ID: authn.NamespacedID(authn.NamespaceUser, token.UserId), SessionToken: token, diff --git a/pkg/services/authn/clients/session_test.go b/pkg/services/authn/clients/session_test.go index 8dd7555cd26..c394b6735d5 100644 --- a/pkg/services/authn/clients/session_test.go +++ b/pkg/services/authn/clients/session_test.go @@ -11,6 +11,7 @@ import ( "github.com/stretchr/testify/require" "github.com/grafana/grafana/pkg/models/usertoken" + "github.com/grafana/grafana/pkg/services/anonymous/anontest" "github.com/grafana/grafana/pkg/services/auth" "github.com/grafana/grafana/pkg/services/auth/authtest" "github.com/grafana/grafana/pkg/services/authn" @@ -29,7 +30,7 @@ func TestSession_Test(t *testing.T) { cfg := setting.NewCfg() cfg.LoginCookieName = "" cfg.LoginMaxLifetime = 20 * time.Second - s := ProvideSession(cfg, &authtest.FakeUserAuthTokenService{}, featuremgmt.WithFeatures()) + s := ProvideSession(cfg, &authtest.FakeUserAuthTokenService{}, featuremgmt.WithFeatures(), &anontest.FakeAnonymousSessionService{}) disabled := s.Test(context.Background(), &authn.Request{HTTPRequest: validHTTPReq}) assert.False(t, disabled) @@ -145,7 +146,7 @@ func TestSession_Authenticate(t *testing.T) { cfg.LoginCookieName = cookieName cfg.TokenRotationIntervalMinutes = 10 cfg.LoginMaxLifetime = 20 * time.Second - s := ProvideSession(cfg, tt.fields.sessionService, tt.fields.features) + s := ProvideSession(cfg, tt.fields.sessionService, tt.fields.features, &anontest.FakeAnonymousSessionService{}) got, err := s.Authenticate(context.Background(), tt.args.r) require.True(t, (err != nil) == tt.wantErr, err) @@ -185,7 +186,7 @@ func TestSession_Hook(t *testing.T) { token.UnhashedToken = "new-token" return true, token, nil }, - }, featuremgmt.WithFeatures()) + }, featuremgmt.WithFeatures(), &anontest.FakeAnonymousSessionService{}) sampleID := &authn.Identity{ SessionToken: &auth.UserToken{ @@ -219,7 +220,7 @@ func TestSession_Hook(t *testing.T) { }) t.Run("should not rotate token with feature flag", func(t *testing.T) { - s := ProvideSession(setting.NewCfg(), nil, featuremgmt.WithFeatures(featuremgmt.FlagClientTokenRotation)) + s := ProvideSession(setting.NewCfg(), nil, featuremgmt.WithFeatures(featuremgmt.FlagClientTokenRotation), &anontest.FakeAnonymousSessionService{}) req := &authn.Request{} identity := &authn.Identity{} diff --git a/pkg/services/contexthandler/contexthandler.go b/pkg/services/contexthandler/contexthandler.go index fdeaf39da2f..731862b6643 100644 --- a/pkg/services/contexthandler/contexthandler.go +++ b/pkg/services/contexthandler/contexthandler.go @@ -282,7 +282,8 @@ func (h *ContextHandler) initContextWithAnonymousUser(reqContext *contextmodel.R reqContext.Logger.Warn("tag anon session panic", "err", err) } }() - if err := h.anonDeviceService.TagDevice(context.Background(), httpReqCopy); err != nil { + + if err := h.anonDeviceService.TagDevice(context.Background(), httpReqCopy, anonymous.AnonDevice); err != nil { reqContext.Logger.Warn("Failed to tag anonymous session", "error", err) } }() diff --git a/pkg/setting/setting.go b/pkg/setting/setting.go index bff440f9234..9ffdd9cf93f 100644 --- a/pkg/setting/setting.go +++ b/pkg/setting/setting.go @@ -282,6 +282,8 @@ type Cfg struct { AuthConfigUIAdminAccess bool // TO REMOVE: Not documented & not supported. Remove with legacy handlers in 10.2 AuthBrokerEnabled bool + // TO REMOVE: Not documented & not supported. Remove in 10.3 + TagAuthedDevices bool // AWS Plugin Auth AWSAllowedAuthProviders []string @@ -1528,6 +1530,7 @@ func readAuthSettings(iniFile *ini.File, cfg *Cfg) (err error) { // Do not use cfg.AuthConfigUIAdminAccess = auth.Key("config_ui_admin_access").MustBool(false) cfg.AuthBrokerEnabled = auth.Key("broker").MustBool(true) + cfg.TagAuthedDevices = auth.Key("tag_authed_devices").MustBool(true) cfg.DisableLoginForm = auth.Key("disable_login_form").MustBool(false) DisableSignoutMenu = auth.Key("disable_signout_menu").MustBool(false)