refactor login/auth token configuration settings

remove login section and reuse existing sections security and auth
2025-02-25 18:55:37 -06:00 · 2019-02-05 21:09:55 +01:00
parent 1d1b617cee
commit 3c2fd02bc0
3 changed files with 89 additions and 77 deletions
--- a/conf/defaults.ini
+++ b/conf/defaults.ini
@@ -106,25 +106,6 @@ path = grafana.db
 # For "sqlite3" only. cache mode setting used for connecting to the database
 cache_mode = private
 #################################### Login ###############################
 [login]
 # Login cookie name
 cookie_name = grafana_session
 # Login cookie same site setting. defaults to `lax`. can be set to "lax", "strict" and "none"
 cookie_samesite = lax
 # How many days an session can be unused before we inactivate it
 login_remember_days = 7
 # How often should the login token be rotated. default to '10m'
 rotate_token_minutes = 10
 # How long should Grafana keep expired tokens before deleting them
 delete_expired_token_after_days = 30
 #################################### Session #############################
 [session]
 # Either "memory", "file", "redis", "mysql", "postgres", "memcache", default is "file"
@@ -206,8 +187,11 @@ data_source_proxy_whitelist =
 # disable protection against brute force login attempts
 disable_brute_force_login_protection = false
-# set cookies as https only. default is false
+# set to true if you host Grafana behind HTTPS. default is false.
-https_flag_cookies = false
+cookie_secure = false
 # set cookie SameSite attribute. defaults to `lax`. can be set to "lax", "strict" and "none"
 cookie_samesite = lax
 #################################### Snapshots ###########################
 [snapshots]
@@ -260,6 +244,21 @@ external_manage_info =
 viewers_can_edit = false
 [auth]
 # Login cookie name
 login_cookie_name = grafana_session
 # The lifetime (days) an authenticated user can be inactive before being required to login at next visit. Default is 7 days.
 login_maximum_inactive_lifetime_days = 7
 # The maximum lifetime (days) an autenticated user can be logged in since login time before being required to login. Default is 30 days.
 login_maximum_lifetime_days = 30
 # How often should auth tokens be rotated for authenticated users when being active. The default is each 10 minutes.
 token_rotation_interval_minutes = 10
 # How often should expired auth tokens be deleted from the database. The default is 7 days.
 expired_tokens_cleanup_interval_days = 7
 # Set to true to disable (hide) the login form, useful if you use OAuth
 disable_login_form = false
--- a/conf/sample.ini
+++ b/conf/sample.ini
@@ -102,25 +102,6 @@ log_queries =
 # For "sqlite3" only. cache mode setting used for connecting to the database. (private, shared)
 ;cache_mode = private
 #################################### Login ###############################
 [login]
 # Login cookie name
 ;cookie_name = grafana_session
 # Login cookie same site setting. defaults to `lax`. can be set to "lax", "strict" and "none"
 ;cookie_samesite = lax
 # How many days an session can be unused before we inactivate it
 ;login_remember_days = 7
 # How often should the login token be rotated. default to '10'
 ;rotate_token_minutes = 10
 # How long should Grafana keep expired tokens before deleting them
 ;delete_expired_token_after_days = 30
 #################################### Session ####################################
 [session]
 # Either "memory", "file", "redis", "mysql", "postgres", default is "file"
@@ -193,8 +174,11 @@ log_queries =
 # disable protection against brute force login attempts
 ;disable_brute_force_login_protection = false
-# set cookies as https only. default is false
+# set to true if you host Grafana behind HTTPS. default is false.
-;https_flag_cookies = false
+;cookie_secure = false
 # set cookie SameSite attribute. defaults to `lax`. can be set to "lax", "strict" and "none"
 ;cookie_samesite = lax
 #################################### Snapshots ###########################
 [snapshots]
@@ -240,6 +224,21 @@ log_queries =
 ;viewers_can_edit = false
 [auth]
 # Login cookie name
 ;login_cookie_name = grafana_session
 # The lifetime (days) an authenticated user can be inactive before being required to login at next visit. Default is 7 days,
 ;login_maximum_inactive_lifetime_days = 7
 # The maximum lifetime (days) an autenticated user can be logged in since login time before being required to login. Default is 30 days.
 ;login_maximum_lifetime_days = 30
 # How often should auth tokens be rotated for authenticated users when being active. The default is each 10 minutes.
 ;token_rotation_interval_minutes = 10
 # How often should expired auth tokens be deleted from the database. The default is 7 days.
 ;expired_tokens_cleanup_interval_days = 7
 # Set to true to disable (hide) the login form, useful if you use OAuth, defaults to false
 ;disable_login_form = false
@@ -253,7 +252,7 @@ log_queries =
 # This setting is ignored if multiple OAuth providers are configured.
 ;oauth_auto_login = false
-#################################### Anonymous Auth ##########################
+#################################### Anonymous Auth ######################
 [auth.anonymous]
 # enable anonymous access
 ;enabled = false
--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@@ -89,6 +89,8 @@ var (
 	EmailCodeValidMinutes            int
 	DataProxyWhiteList               map[string]bool
 	DisableBruteForceLoginProtection bool
 	CookieSecure                     bool
 	CookieSameSite                   http.SameSite
 	// Snapshots
 	ExternalSnapshotUrl   string
@@ -118,8 +120,10 @@ var (
 	ViewersCanEdit          bool
 	// Http auth
-	AdminUser     string
+	AdminUser            string
-	AdminPassword string
+	AdminPassword        string
 	LoginCookieName      string
 	LoginMaxLifetimeDays int
 	AnonymousEnabled bool
 	AnonymousOrgName string
@@ -215,7 +219,11 @@ type Cfg struct {
 	RendererLimit         int
 	RendererLimitAlerting int
 	// Security
 	DisableBruteForceLoginProtection bool
 	CookieSecure                     bool
 	CookieSameSite                   http.SameSite
 	TempDataLifetime                 time.Duration
 	MetricsEndpointEnabled           bool
 	MetricsEndpointBasicAuthUsername string
@@ -224,13 +232,12 @@ type Cfg struct {
 	DisableSanitizeHtml              bool
 	EnterpriseLicensePath            string
-	LoginCookieName                   string
+	// Auth
-	LoginCookieMaxDays                int
+	LoginCookieName                  string
-	LoginCookieRotation               int
+	LoginMaxInactiveLifetimeDays     int
-	LoginDeleteExpiredTokensAfterDays int
+	LoginMaxLifetimeDays             int
-	LoginCookieSameSite               http.SameSite
+	TokenRotationIntervalMinutes     int
-
+	ExpiredTokensCleanupIntervalDays int
 	SecurityHTTPSCookies bool
 }
 type CommandLineArgs struct {
@@ -554,30 +561,6 @@ func (cfg *Cfg) Load(args *CommandLineArgs) error {
 		ApplicationName = APP_NAME_ENTERPRISE
 	}
 	//login
 	login := iniFile.Section("login")
 	cfg.LoginCookieName = login.Key("cookie_name").MustString("grafana_session")
 	cfg.LoginCookieMaxDays = login.Key("login_remember_days").MustInt(7)
 	cfg.LoginDeleteExpiredTokensAfterDays = login.Key("delete_expired_token_after_days").MustInt(30)
 	samesiteString := login.Key("cookie_samesite").MustString("lax")
 	validSameSiteValues := map[string]http.SameSite{
 		"lax":    http.SameSiteLaxMode,
 		"strict": http.SameSiteStrictMode,
 		"none":   http.SameSiteDefaultMode,
 	}
 	if samesite, ok := validSameSiteValues[samesiteString]; ok {
 		cfg.LoginCookieSameSite = samesite
 	} else {
 		cfg.LoginCookieSameSite = http.SameSiteLaxMode
 	}
 	cfg.LoginCookieRotation = login.Key("rotate_token_minutes").MustInt(10)
 	if cfg.LoginCookieRotation < 2 {
 		cfg.LoginCookieRotation = 2
 	}
 	Env = iniFile.Section("").Key("app_mode").MustString("development")
 	InstanceName = iniFile.Section("").Key("instance_name").MustString("unknown_instance_name")
 	PluginsPath = makeAbsolute(iniFile.Section("paths").Key("plugins").String(), HomePath)
@@ -621,9 +604,26 @@ func (cfg *Cfg) Load(args *CommandLineArgs) error {
 	SecretKey = security.Key("secret_key").String()
 	DisableGravatar = security.Key("disable_gravatar").MustBool(true)
 	cfg.DisableBruteForceLoginProtection = security.Key("disable_brute_force_login_protection").MustBool(false)
 	cfg.SecurityHTTPSCookies = security.Key("https_flag_cookies").MustBool(false)
 	DisableBruteForceLoginProtection = cfg.DisableBruteForceLoginProtection
 	CookieSecure = security.Key("cookie_secure").MustBool(false)
 	cfg.CookieSecure = CookieSecure
 	samesiteString := security.Key("cookie_samesite").MustString("lax")
 	validSameSiteValues := map[string]http.SameSite{
 		"lax":    http.SameSiteLaxMode,
 		"strict": http.SameSiteStrictMode,
 		"none":   http.SameSiteDefaultMode,
 	}
 	if samesite, ok := validSameSiteValues[samesiteString]; ok {
 		CookieSameSite = samesite
 		cfg.CookieSameSite = CookieSameSite
 	} else {
 		CookieSameSite = http.SameSiteLaxMode
 		cfg.CookieSameSite = CookieSameSite
 	}
 	// read snapshots settings
 	snapshots := iniFile.Section("snapshots")
 	ExternalSnapshotUrl = snapshots.Key("external_snapshot_url").String()
@@ -661,6 +661,20 @@ func (cfg *Cfg) Load(args *CommandLineArgs) error {
 	// auth
 	auth := iniFile.Section("auth")
 	LoginCookieName = auth.Key("login_cookie_name").MustString("grafana_session")
 	cfg.LoginCookieName = LoginCookieName
 	cfg.LoginMaxInactiveLifetimeDays = auth.Key("login_maximum_inactive_lifetime_days").MustInt(7)
 	LoginMaxLifetimeDays = auth.Key("login_maximum_lifetime_days").MustInt(30)
 	cfg.LoginMaxLifetimeDays = LoginMaxLifetimeDays
 	cfg.TokenRotationIntervalMinutes = auth.Key("token_rotation_interval_minutes").MustInt(10)
 	if cfg.TokenRotationIntervalMinutes < 2 {
 		cfg.TokenRotationIntervalMinutes = 2
 	}
 	cfg.ExpiredTokensCleanupIntervalDays = auth.Key("expired_tokens_cleanup_interval_days").MustInt(7)
 	DisableLoginForm = auth.Key("disable_login_form").MustBool(false)
 	DisableSignoutMenu = auth.Key("disable_signout_menu").MustBool(false)
 	OAuthAutoLogin = auth.Key("oauth_auto_login").MustBool(false)