Merge branch 'master' into sql-proxy

pkg/api/api.go

@@ -123,6 +123,7 @@ func (hs *HttpServer) registerRoutes() {
 		// users (admin permission required)
 		r.Group("/users", func() {
 			r.Get("/", wrap(SearchUsers))
+			r.Get("/search", wrap(SearchUsersWithPaging))
 			r.Get("/:id", wrap(GetUserById))
 			r.Get("/:id/orgs", wrap(GetUserOrgList))
 			// query parameters /users/lookup?loginOrEmail=admin@example.com
@@ -195,10 +196,11 @@ func (hs *HttpServer) registerRoutes() {
 
 		// Data sources
 		r.Group("/datasources", func() {
-			r.Get("/", GetDataSources)
+			r.Get("/", wrap(GetDataSources))
 			r.Post("/", quota("data_source"), bind(m.AddDataSourceCommand{}), AddDataSource)
 			r.Put("/:id", bind(m.UpdateDataSourceCommand{}), wrap(UpdateDataSource))
-			r.Delete("/:id", DeleteDataSource)
+			r.Delete("/:id", DeleteDataSourceById)
+			r.Delete("/name/:name", DeleteDataSourceByName)
 			r.Get("/:id", wrap(GetDataSourceById))
 			r.Get("/name/:name", wrap(GetDataSourceByName))
 		}, reqOrgAdmin)

pkg/api/api_test.go

@@ -1,35 +0,0 @@
-package api
-
-import (
-	"testing"
-)
-
-func TestHttpApi(t *testing.T) {
-
-	// Convey("Given the grafana api", t, func() {
-	// 	ConveyApiScenario("Can sign up", func(c apiTestContext) {
-	// 		c.PostJson()
-	// 		So(c.Resp, ShouldEqualJsonApiResponse, "User created and logged in")
-	// 	})
-	//
-	// 	m := macaron.New()
-	// 	m.Use(middleware.GetContextHandler())
-	// 	m.Use(middleware.Sessioner(&session.Options{}))
-	// 	Register(m)
-	//
-	// 	var context *middleware.Context
-	// 	m.Get("/", func(c *middleware.Context) {
-	// 		context = c
-	// 	})
-	//
-	// 	resp := httptest.NewRecorder()
-	// 	req, err := http.NewRequest("GET", "/", nil)
-	// 	So(err, ShouldBeNil)
-	//
-	// 	m.ServeHTTP(resp, req)
-	//
-	// 	Convey("should red 200", func() {
-	// 		So(resp.Code, ShouldEqual, 200)
-	// 	})
-	// })
-}

pkg/api/cloudwatch/cloudwatch.go

@@ -3,7 +3,9 @@ package cloudwatch
 import (
 	"encoding/json"
 	"errors"
+	"fmt"
 	"io/ioutil"
+	"os"
 	"strings"
 	"sync"
 	"time"
@@ -12,6 +14,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws/awsutil"
 	"github.com/aws/aws-sdk-go/aws/credentials"
 	"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
+	"github.com/aws/aws-sdk-go/aws/credentials/endpointcreds"
 	"github.com/aws/aws-sdk-go/aws/ec2metadata"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/cloudwatch"
@@ -114,19 +117,26 @@ func getCredentials(dsInfo *datasourceInfo) (*credentials.Credentials, error) {
 			DurationSeconds: aws.Int64(900),
 		}
 
-		stsSess := session.New()
+		stsSess, err := session.NewSession()
+		if err != nil {
+			return nil, err
+		}
 		stsCreds := credentials.NewChainCredentials(
 			[]credentials.Provider{
 				&credentials.EnvProvider{},
 				&credentials.SharedCredentialsProvider{Filename: "", Profile: dsInfo.Profile},
-				&ec2rolecreds.EC2RoleProvider{Client: ec2metadata.New(stsSess), ExpiryWindow: 5 * time.Minute},
+				remoteCredProvider(stsSess),
 			})
 		stsConfig := &aws.Config{
 			Region:      aws.String(dsInfo.Region),
 			Credentials: stsCreds,
 		}
 
-		svc := sts.New(session.New(stsConfig), stsConfig)
+		sess, err := session.NewSession(stsConfig)
+		if err != nil {
+			return nil, err
+		}
+		svc := sts.New(sess, stsConfig)
 		resp, err := svc.AssumeRole(params)
 		if err != nil {
 			return nil, err
@@ -139,7 +149,10 @@ func getCredentials(dsInfo *datasourceInfo) (*credentials.Credentials, error) {
 		}
 	}
 
-	sess := session.New()
+	sess, err := session.NewSession()
+	if err != nil {
+		return nil, err
+	}
 	creds := credentials.NewChainCredentials(
 		[]credentials.Provider{
 			&credentials.StaticProvider{Value: credentials.Value{
@@ -166,6 +179,30 @@ func getCredentials(dsInfo *datasourceInfo) (*credentials.Credentials, error) {
 	return creds, nil
 }
 
+func remoteCredProvider(sess *session.Session) credentials.Provider {
+	ecsCredURI := os.Getenv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
+
+	if len(ecsCredURI) > 0 {
+		return ecsCredProvider(sess, ecsCredURI)
+	}
+	return ec2RoleProvider(sess)
+}
+
+func ecsCredProvider(sess *session.Session, uri string) credentials.Provider {
+	const host = `169.254.170.2`
+
+	c := ec2metadata.New(sess)
+	return endpointcreds.NewProviderClient(
+		c.Client.Config,
+		c.Client.Handlers,
+		fmt.Sprintf("http://%s%s", host, uri),
+		func(p *endpointcreds.Provider) { p.ExpiryWindow = 5 * time.Minute })
+}
+
+func ec2RoleProvider(sess *session.Session) credentials.Provider {
+	return &ec2rolecreds.EC2RoleProvider{Client: ec2metadata.New(sess), ExpiryWindow: 5 * time.Minute}
+}
+
 func getAwsConfig(req *cwRequest) (*aws.Config, error) {
 	creds, err := getCredentials(req.GetDatasourceInfo())
 	if err != nil {
@@ -185,7 +222,12 @@ func handleGetMetricStatistics(req *cwRequest, c *middleware.Context) {
 		c.JsonApiErr(500, "Unable to call AWS API", err)
 		return
 	}
-	svc := cloudwatch.New(session.New(cfg), cfg)
+	sess, err := session.NewSession(cfg)
+	if err != nil {
+		c.JsonApiErr(500, "Unable to call AWS API", err)
+		return
+	}
+	svc := cloudwatch.New(sess, cfg)
 
 	reqParam := &struct {
 		Parameters struct {
@@ -232,7 +274,12 @@ func handleListMetrics(req *cwRequest, c *middleware.Context) {
 		c.JsonApiErr(500, "Unable to call AWS API", err)
 		return
 	}
-	svc := cloudwatch.New(session.New(cfg), cfg)
+	sess, err := session.NewSession(cfg)
+	if err != nil {
+		c.JsonApiErr(500, "Unable to call AWS API", err)
+		return
+	}
+	svc := cloudwatch.New(sess, cfg)
 
 	reqParam := &struct {
 		Parameters struct {
@@ -273,7 +320,12 @@ func handleDescribeAlarms(req *cwRequest, c *middleware.Context) {
 		c.JsonApiErr(500, "Unable to call AWS API", err)
 		return
 	}
-	svc := cloudwatch.New(session.New(cfg), cfg)
+	sess, err := session.NewSession(cfg)
+	if err != nil {
+		c.JsonApiErr(500, "Unable to call AWS API", err)
+		return
+	}
+	svc := cloudwatch.New(sess, cfg)
 
 	reqParam := &struct {
 		Parameters struct {
@@ -316,7 +368,12 @@ func handleDescribeAlarmsForMetric(req *cwRequest, c *middleware.Context) {
 		c.JsonApiErr(500, "Unable to call AWS API", err)
 		return
 	}
-	svc := cloudwatch.New(session.New(cfg), cfg)
+	sess, err := session.NewSession(cfg)
+	if err != nil {
+		c.JsonApiErr(500, "Unable to call AWS API", err)
+		return
+	}
+	svc := cloudwatch.New(sess, cfg)
 
 	reqParam := &struct {
 		Parameters struct {
@@ -360,7 +417,12 @@ func handleDescribeAlarmHistory(req *cwRequest, c *middleware.Context) {
 		c.JsonApiErr(500, "Unable to call AWS API", err)
 		return
 	}
-	svc := cloudwatch.New(session.New(cfg), cfg)
+	sess, err := session.NewSession(cfg)
+	if err != nil {
+		c.JsonApiErr(500, "Unable to call AWS API", err)
+		return
+	}
+	svc := cloudwatch.New(sess, cfg)
 
 	reqParam := &struct {
 		Parameters struct {
@@ -396,7 +458,12 @@ func handleDescribeInstances(req *cwRequest, c *middleware.Context) {
 		c.JsonApiErr(500, "Unable to call AWS API", err)
 		return
 	}
-	svc := ec2.New(session.New(cfg), cfg)
+	sess, err := session.NewSession(cfg)
+	if err != nil {
+		c.JsonApiErr(500, "Unable to call AWS API", err)
+		return
+	}
+	svc := ec2.New(sess, cfg)
 
 	reqParam := &struct {
 		Parameters struct {

pkg/api/cloudwatch/cloudwatch_test.go

@@ -0,0 +1,41 @@
+package cloudwatch
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
+	"github.com/aws/aws-sdk-go/aws/credentials/endpointcreds"
+	"github.com/aws/aws-sdk-go/aws/session"
+	. "github.com/smartystreets/goconvey/convey"
+)
+
+func TestECSCredProvider(t *testing.T) {
+	Convey("Running in an ECS container task", t, func() {
+		defer os.Clearenv()
+		os.Setenv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI", "/abc/123")
+
+		provider := remoteCredProvider(&session.Session{})
+
+		So(provider, ShouldNotBeNil)
+
+		ecsProvider, ok := provider.(*endpointcreds.Provider)
+		So(ecsProvider, ShouldNotBeNil)
+		So(ok, ShouldBeTrue)
+
+		So(ecsProvider.Client.Endpoint, ShouldEqual, fmt.Sprintf("http://169.254.170.2/abc/123"))
+	})
+}
+
+func TestDefaultEC2RoleProvider(t *testing.T) {
+	Convey("Running outside an ECS container task", t, func() {
+		provider := remoteCredProvider(&session.Session{})
+
+		So(provider, ShouldNotBeNil)
+
+		ec2Provider, ok := provider.(*ec2rolecreds.EC2RoleProvider)
+		So(ec2Provider, ShouldNotBeNil)
+		So(ok, ShouldBeTrue)
+	})
+}

pkg/api/cloudwatch/metrics.go

@@ -81,7 +81,8 @@ func init() {
 		"AWS/Redshift":         {"CPUUtilization", "DatabaseConnections", "HealthStatus", "MaintenanceMode", "NetworkReceiveThroughput", "NetworkTransmitThroughput", "PercentageDiskSpaceUsed", "ReadIOPS", "ReadLatency", "ReadThroughput", "WriteIOPS", "WriteLatency", "WriteThroughput"},
 		"AWS/RDS":              {"ActiveTransactions", "AuroraBinlogReplicaLag", "AuroraReplicaLag", "AuroraReplicaLagMaximum", "AuroraReplicaLagMinimum", "BinLogDiskUsage", "BlockedTransactions", "BufferCacheHitRatio", "CommitLatency", "CommitThroughput", "CPUCreditBalance", "CPUCreditUsage", "CPUUtilization", "DatabaseConnections", "DDLLatency", "DDLThroughput", "Deadlocks", "DiskQueueDepth", "DMLLatency", "DMLThroughput", "FailedSqlStatements", "FreeableMemory", "FreeStorageSpace", "LoginFailures", "NetworkReceiveThroughput", "NetworkTransmitThroughput", "ReadIOPS", "ReadLatency", "ReadThroughput", "ReplicaLag", "ResultSetCacheHitRatio", "SelectLatency", "SelectThroughput", "SwapUsage", "TotalConnections", "VolumeReadIOPS", "VolumeWriteIOPS", "WriteIOPS", "WriteLatency", "WriteThroughput"},
 		"AWS/Route53":          {"HealthCheckStatus", "HealthCheckPercentageHealthy", "ConnectionTime", "SSLHandshakeTime", "TimeToFirstByte"},
-		"AWS/S3":               {"BucketSizeBytes", "NumberOfObjects"},
+		"AWS/S3":               {"BucketSizeBytes", "NumberOfObjects", "AllRequests", "GetRequests", "PutRequests", "DeleteRequests", "HeadRequests", "PostRequests", "ListRequests", "BytesDownloaded", "BytesUploaded", "4xxErrors", "5xxErrors", "FirstByteLatency", "TotalRequestLatency"},
+		"AWS/SES":              {"Bounce", "Complaint", "Delivery", "Reject", "Send"},
 		"AWS/SNS":              {"NumberOfMessagesPublished", "PublishSize", "NumberOfNotificationsDelivered", "NumberOfNotificationsFailed"},
 		"AWS/SQS":              {"NumberOfMessagesSent", "SentMessageSize", "NumberOfMessagesReceived", "NumberOfEmptyReceives", "NumberOfMessagesDeleted", "ApproximateNumberOfMessagesDelayed", "ApproximateNumberOfMessagesVisible", "ApproximateNumberOfMessagesNotVisible"},
 		"AWS/StorageGateway": {"CacheHitPercent", "CachePercentUsed", "CachePercentDirty", "CloudBytesDownloaded", "CloudDownloadLatency", "CloudBytesUploaded", "UploadBufferFree", "UploadBufferPercentUsed", "UploadBufferUsed", "QueuedWrites", "ReadBytes", "ReadTime", "TotalCacheSize", "WriteBytes", "WriteTime", "TimeSinceLastRecoveryPoint", "WorkingStorageFree", "WorkingStoragePercentUsed", "WorkingStorageUsed",
@@ -122,7 +123,8 @@ func init() {
 		"AWS/Redshift":         {"NodeID", "ClusterIdentifier"},
 		"AWS/RDS":              {"DBInstanceIdentifier", "DBClusterIdentifier", "DatabaseClass", "EngineName"},
 		"AWS/Route53":          {"HealthCheckId"},
-		"AWS/S3":               {"BucketName", "StorageType"},
+		"AWS/S3":               {"BucketName", "StorageType", "FilterId"},
+		"AWS/SES":              {},
 		"AWS/SNS":              {"Application", "Platform", "TopicName"},
 		"AWS/SQS":              {"QueueName"},
 		"AWS/StorageGateway":   {"GatewayId", "GatewayName", "VolumeId"},
@@ -256,8 +258,11 @@ func getAllMetrics(cwData *datasourceInfo) (cloudwatch.ListMetricsOutput, error)
 		Region:      aws.String(cwData.Region),
 		Credentials: creds,
 	}
-
-	svc := cloudwatch.New(session.New(cfg), cfg)
+	sess, err := session.NewSession(cfg)
+	if err != nil {
+		return cloudwatch.ListMetricsOutput{}, err
+	}
+	svc := cloudwatch.New(sess, cfg)
 
 	params := &cloudwatch.ListMetricsInput{
 		Namespace: aws.String(cwData.Namespace),

pkg/api/dataproxy.go

@@ -6,6 +6,7 @@ import (
 	"net/http"
 	"net/http/httputil"
 	"net/url"
+	"strings"
 	"time"
 
 	"github.com/grafana/grafana/pkg/api/cloudwatch"
@@ -115,6 +116,13 @@ func ProxyDataSourceRequest(c *middleware.Context) {
 
 	proxyPath := c.Params("*")
 
+	if ds.Type == m.DS_PROMETHEUS {
+		if c.Req.Request.Method != http.MethodGet || !strings.HasPrefix(proxyPath, "api/") {
+			c.JsonApiErr(403, "GET is only allowed on proxied Prometheus datasource", nil)
+			return
+		}
+	}
+
 	if ds.Type == m.DS_ES {
 		if c.Req.Request.Method == "DELETE" {
 			c.JsonApiErr(403, "Deletes not allowed on proxied Elasticsearch datasource", nil)

pkg/api/datasources.go

@@ -11,12 +11,11 @@ import (
 	"github.com/grafana/grafana/pkg/util"
 )
 
-func GetDataSources(c *middleware.Context) {
+func GetDataSources(c *middleware.Context) Response {
 	query := m.GetDataSourcesQuery{OrgId: c.OrgId}
 
 	if err := bus.Dispatch(&query); err != nil {
-		c.JsonApiErr(500, "Failed to query datasources", err)
-		return
+		return ApiError(500, "Failed to query datasources", err)
 	}
 
 	result := make(dtos.DataSourceList, 0)
@@ -46,7 +45,8 @@ func GetDataSources(c *middleware.Context) {
 	}
 
 	sort.Sort(result)
-	c.JSON(200, result)
+
+	return Json(200, &result)
 }
 
 func GetDataSourceById(c *middleware.Context) Response {
@@ -68,7 +68,7 @@ func GetDataSourceById(c *middleware.Context) Response {
 	return Json(200, &dtos)
 }
 
-func DeleteDataSource(c *middleware.Context) {
+func DeleteDataSourceById(c *middleware.Context) {
 	id := c.ParamsInt64(":id")
 
 	if id <= 0 {
@@ -76,7 +76,26 @@ func DeleteDataSource(c *middleware.Context) {
 		return
 	}
 
-	cmd := &m.DeleteDataSourceCommand{Id: id, OrgId: c.OrgId}
+	cmd := &m.DeleteDataSourceByIdCommand{Id: id, OrgId: c.OrgId}
+
+	err := bus.Dispatch(cmd)
+	if err != nil {
+		c.JsonApiErr(500, "Failed to delete datasource", err)
+		return
+	}
+
+	c.JsonOK("Data source deleted")
+}
+
+func DeleteDataSourceByName(c *middleware.Context) {
+	name := c.Params(":name")
+
+	if name == "" {
+		c.JsonApiErr(400, "Missing valid datasource name", nil)
+		return
+	}
+
+	cmd := &m.DeleteDataSourceByNameCommand{Name: name, OrgId: c.OrgId}
 
 	err := bus.Dispatch(cmd)
 	if err != nil {

pkg/api/datasources_test.go

@@ -0,0 +1,132 @@
+package api
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"path/filepath"
+	"testing"
+
+	"github.com/grafana/grafana/pkg/models"
+	macaron "gopkg.in/macaron.v1"
+
+	"github.com/go-macaron/session"
+	"github.com/grafana/grafana/pkg/bus"
+	"github.com/grafana/grafana/pkg/middleware"
+	. "github.com/smartystreets/goconvey/convey"
+)
+
+const (
+	TestOrgID  = 1
+	TestUserID = 1
+)
+
+func TestDataSourcesProxy(t *testing.T) {
+	Convey("Given a user is logged in", t, func() {
+		loggedInUserScenario("When calling GET on", "/api/datasources/", func(sc *scenarioContext) {
+
+			// Stubs the database query
+			bus.AddHandler("test", func(query *models.GetDataSourcesQuery) error {
+				So(query.OrgId, ShouldEqual, TestOrgID)
+				query.Result = []*models.DataSource{
+					{Name: "mmm"},
+					{Name: "ZZZ"},
+					{Name: "BBB"},
+					{Name: "aaa"},
+				}
+				return nil
+			})
+
+			// handler func being tested
+			sc.handlerFunc = GetDataSources
+			sc.fakeReq("GET", "/api/datasources").exec()
+
+			respJSON := []map[string]interface{}{}
+			err := json.NewDecoder(sc.resp.Body).Decode(&respJSON)
+			So(err, ShouldBeNil)
+
+			Convey("should return list of datasources for org sorted alphabetically and case insensitively", func() {
+				So(respJSON[0]["name"], ShouldEqual, "aaa")
+				So(respJSON[1]["name"], ShouldEqual, "BBB")
+				So(respJSON[2]["name"], ShouldEqual, "mmm")
+				So(respJSON[3]["name"], ShouldEqual, "ZZZ")
+			})
+		})
+	})
+}
+
+func loggedInUserScenario(desc string, url string, fn scenarioFunc) {
+	Convey(desc+" "+url, func() {
+		defer bus.ClearBusHandlers()
+
+		sc := &scenarioContext{
+			url: url,
+		}
+		viewsPath, _ := filepath.Abs("../../public/views")
+
+		sc.m = macaron.New()
+		sc.m.Use(macaron.Renderer(macaron.RenderOptions{
+			Directory: viewsPath,
+			Delims:    macaron.Delims{Left: "[[", Right: "]]"},
+		}))
+
+		sc.m.Use(middleware.GetContextHandler())
+		sc.m.Use(middleware.Sessioner(&session.Options{}))
+
+		sc.defaultHandler = wrap(func(c *middleware.Context) Response {
+			sc.context = c
+			sc.context.UserId = TestUserID
+			sc.context.OrgId = TestOrgID
+			sc.context.OrgRole = models.ROLE_EDITOR
+			if sc.handlerFunc != nil {
+				return sc.handlerFunc(sc.context)
+			}
+
+			return nil
+		})
+
+		sc.m.Get(url, sc.defaultHandler)
+
+		fn(sc)
+	})
+}
+
+func (sc *scenarioContext) fakeReq(method, url string) *scenarioContext {
+	sc.resp = httptest.NewRecorder()
+	req, err := http.NewRequest(method, url, nil)
+	So(err, ShouldBeNil)
+	sc.req = req
+
+	return sc
+}
+
+func (sc *scenarioContext) fakeReqWithParams(method, url string, queryParams map[string]string) *scenarioContext {
+	sc.resp = httptest.NewRecorder()
+	req, err := http.NewRequest(method, url, nil)
+	q := req.URL.Query()
+	for k, v := range queryParams {
+		q.Add(k, v)
+	}
+	req.URL.RawQuery = q.Encode()
+	So(err, ShouldBeNil)
+	sc.req = req
+
+	return sc
+}
+
+type scenarioContext struct {
+	m              *macaron.Macaron
+	context        *middleware.Context
+	resp           *httptest.ResponseRecorder
+	handlerFunc    handlerFunc
+	defaultHandler macaron.Handler
+	req            *http.Request
+	url            string
+}
+
+func (sc *scenarioContext) exec() {
+	sc.m.ServeHTTP(sc.resp, sc.req)
+}
+
+type scenarioFunc func(c *scenarioContext)
+type handlerFunc func(c *middleware.Context) Response

pkg/api/dtos/models.go

@@ -91,7 +91,7 @@ func (slice DataSourceList) Len() int {
 }
 
 func (slice DataSourceList) Less(i, j int) bool {
-	return slice[i].Name < slice[j].Name
+	return strings.ToLower(slice[i].Name) < strings.ToLower(slice[j].Name)
 }
 
 func (slice DataSourceList) Swap(i, j int) {

pkg/api/frontendsettings.go

@@ -133,14 +133,17 @@ func getFrontendSettingsMap(c *middleware.Context) (map[string]interface{}, erro
 	}
 
 	jsonObj := map[string]interface{}{
-		"defaultDatasource": defaultDatasource,
-		"datasources":       datasources,
-		"panels":            panels,
-		"appSubUrl":         setting.AppSubUrl,
-		"allowOrgCreate":    (setting.AllowUserOrgCreate && c.IsSignedIn) || c.IsGrafanaAdmin,
-		"authProxyEnabled":  setting.AuthProxyEnabled,
-		"ldapEnabled":       setting.LdapEnabled,
-		"alertingEnabled":   setting.AlertingEnabled,
+		"defaultDatasource":  defaultDatasource,
+		"datasources":        datasources,
+		"panels":             panels,
+		"appSubUrl":          setting.AppSubUrl,
+		"allowOrgCreate":     (setting.AllowUserOrgCreate && c.IsSignedIn) || c.IsGrafanaAdmin,
+		"authProxyEnabled":   setting.AuthProxyEnabled,
+		"ldapEnabled":        setting.LdapEnabled,
+		"alertingEnabled":    setting.AlertingEnabled,
+		"googleAnalyticsId":  setting.GoogleAnalyticsId,
+		"disableLoginForm":   setting.DisableLoginForm,
+		"disableSignoutMenu": setting.DisableSignoutMenu,
 		"buildInfo": map[string]interface{}{
 			"version":       setting.BuildVersion,
 			"commit":        setting.BuildCommit,

pkg/api/http_server.go

@@ -2,6 +2,7 @@ package api
 
 import (
 	"context"
+	"crypto/tls"
 	"errors"
 	"fmt"
 	"net/http"
@@ -24,6 +25,8 @@ type HttpServer struct {
 	macaron       *macaron.Macaron
 	context       context.Context
 	streamManager *live.StreamManager
+
+	httpSrv *http.Server
 }
 
 func NewHttpServer() *HttpServer {
@@ -45,11 +48,20 @@ func (hs *HttpServer) Start(ctx context.Context) error {
 	listenAddr := fmt.Sprintf("%s:%s", setting.HttpAddr, setting.HttpPort)
 	hs.log.Info("Initializing HTTP Server", "address", listenAddr, "protocol", setting.Protocol, "subUrl", setting.AppSubUrl)
 
+	hs.httpSrv = &http.Server{Addr: listenAddr, Handler: hs.macaron}
 	switch setting.Protocol {
 	case setting.HTTP:
-		err = http.ListenAndServe(listenAddr, hs.macaron)
+		err = hs.httpSrv.ListenAndServe()
+		if err == http.ErrServerClosed {
+			hs.log.Debug("server was shutdown gracefully")
+			return nil
+		}
 	case setting.HTTPS:
-		err = hs.listenAndServeTLS(listenAddr, setting.CertFile, setting.KeyFile)
+		err = hs.httpSrv.ListenAndServeTLS(setting.CertFile, setting.KeyFile)
+		if err == http.ErrServerClosed {
+			hs.log.Debug("server was shutdown gracefully")
+			return nil
+		}
 	default:
 		hs.log.Error("Invalid protocol", "protocol", setting.Protocol)
 		err = errors.New("Invalid Protocol")
@@ -58,6 +70,12 @@ func (hs *HttpServer) Start(ctx context.Context) error {
 	return err
 }
 
+func (hs *HttpServer) Shutdown(ctx context.Context) error {
+	err := hs.httpSrv.Shutdown(ctx)
+	hs.log.Info("stopped http server")
+	return err
+}
+
 func (hs *HttpServer) listenAndServeTLS(listenAddr, certfile, keyfile string) error {
 	if certfile == "" {
 		return fmt.Errorf("cert_file cannot be empty when using HTTPS")
@@ -75,7 +93,32 @@ func (hs *HttpServer) listenAndServeTLS(listenAddr, certfile, keyfile string) er
 		return fmt.Errorf(`Cannot find SSL key_file at %v`, setting.KeyFile)
 	}
 
-	return http.ListenAndServeTLS(listenAddr, setting.CertFile, setting.KeyFile, hs.macaron)
+	tlsCfg := &tls.Config{
+		MinVersion:               tls.VersionTLS12,
+		PreferServerCipherSuites: true,
+		CipherSuites: []uint16{
+			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+			tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+			tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+		},
+	}
+	srv := &http.Server{
+		Addr:         listenAddr,
+		Handler:      hs.macaron,
+		TLSConfig:    tlsCfg,
+		TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler), 0),
+	}
+
+	return srv.ListenAndServeTLS(setting.CertFile, setting.KeyFile)
 }
 
 func (hs *HttpServer) newMacaron() *macaron.Macaron {
@@ -107,6 +150,7 @@ func (hs *HttpServer) newMacaron() *macaron.Macaron {
 	m.Use(middleware.GetContextHandler())
 	m.Use(middleware.Sessioner(&setting.SessionOptions))
 	m.Use(middleware.RequestMetrics())
+	m.Use(middleware.OrgRedirect())
 
 	// needs to be after context handler
 	if setting.EnforceDomain {

pkg/api/login.go

@@ -35,6 +35,11 @@ func LoginView(c *middleware.Context) {
 	viewData.Settings["loginHint"] = setting.LoginHint
 	viewData.Settings["disableLoginForm"] = setting.DisableLoginForm
 
+	if loginError, ok := c.Session.Get("loginError").(string); ok {
+		c.Session.Delete("loginError")
+		viewData.Settings["loginError"] = loginError
+	}
+
 	if !tryLoginUsingRememberCookie(c) {
 		c.HTML(200, VIEW_INDEX, viewData)
 		return
@@ -94,6 +99,10 @@ func LoginApiPing(c *middleware.Context) {
 }
 
 func LoginPost(c *middleware.Context, cmd dtos.LoginCommand) Response {
+	if setting.DisableLoginForm {
+		return ApiError(401, "Login is disabled", nil)
+	}
+
 	authQuery := login.LoginUserQuery{
 		Username: cmd.User,
 		Password: cmd.Password,

pkg/api/login_oauth.go

@@ -10,6 +10,7 @@ import (
 	"io/ioutil"
 	"log"
 	"net/http"
+	"net/url"
 
 	"golang.org/x/net/context"
 	"golang.org/x/oauth2"
@@ -22,6 +23,13 @@ import (
 	"github.com/grafana/grafana/pkg/social"
 )
 
+var (
+	ErrProviderDeniedRequest = errors.New("Login provider denied login request")
+	ErrEmailNotAllowed       = errors.New("Required email domain not fulfilled")
+	ErrSignUpNotAllowed      = errors.New("Signup is not allowed for this adapter")
+	ErrUsersQuotaReached     = errors.New("Users quota reached")
+)
+
 func GenStateString() string {
 	rnd := make([]byte, 32)
 	rand.Read(rnd)
@@ -44,8 +52,7 @@ func OAuthLogin(ctx *middleware.Context) {
 	error := ctx.Query("error")
 	if error != "" {
 		errorDesc := ctx.Query("error_description")
-		ctx.Logger.Info("OAuthLogin Failed", "error", error, "errorDesc", errorDesc)
-		ctx.Redirect(setting.AppSubUrl + "/login?failCode=1003")
+		redirectWithError(ctx, ErrProviderDeniedRequest, "error", error, "errorDesc", errorDesc)
 		return
 	}
 
@@ -117,10 +124,8 @@ func OAuthLogin(ctx *middleware.Context) {
 	// get user info
 	userInfo, err := connect.UserInfo(client)
 	if err != nil {
-		if err == social.ErrMissingTeamMembership {
-			ctx.Redirect(setting.AppSubUrl + "/login?failCode=1000")
-		} else if err == social.ErrMissingOrganizationMembership {
-			ctx.Redirect(setting.AppSubUrl + "/login?failCode=1001")
+		if sErr, ok := err.(*social.Error); ok {
+			redirectWithError(ctx, sErr)
 		} else {
 			ctx.Handle(500, fmt.Sprintf("login.OAuthLogin(get info from %s)", name), err)
 		}
@@ -131,8 +136,7 @@ func OAuthLogin(ctx *middleware.Context) {
 
 	// validate that the email is allowed to login to grafana
 	if !connect.IsEmailAllowed(userInfo.Email) {
-		ctx.Logger.Info("OAuth login attempt with unallowed email", "email", userInfo.Email)
-		ctx.Redirect(setting.AppSubUrl + "/login?failCode=1002")
+		redirectWithError(ctx, ErrEmailNotAllowed)
 		return
 	}
 
@@ -142,7 +146,7 @@ func OAuthLogin(ctx *middleware.Context) {
 	// create account if missing
 	if err == m.ErrUserNotFound {
 		if !connect.IsSignupAllowed() {
-			ctx.Redirect(setting.AppSubUrl + "/login")
+			redirectWithError(ctx, ErrSignUpNotAllowed)
 			return
 		}
 		limitReached, err := middleware.QuotaReached(ctx, "user")
@@ -151,7 +155,7 @@ func OAuthLogin(ctx *middleware.Context) {
 			return
 		}
 		if limitReached {
-			ctx.Redirect(setting.AppSubUrl + "/login")
+			redirectWithError(ctx, ErrUsersQuotaReached)
 			return
 		}
 		cmd := m.CreateUserCommand{
@@ -177,5 +181,18 @@ func OAuthLogin(ctx *middleware.Context) {
 
 	metrics.M_Api_Login_OAuth.Inc(1)
 
+	if redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to")); len(redirectTo) > 0 {
+		ctx.SetCookie("redirect_to", "", -1, setting.AppSubUrl+"/")
+		ctx.Redirect(redirectTo)
+		return
+	}
+
 	ctx.Redirect(setting.AppSubUrl + "/")
 }
+
+func redirectWithError(ctx *middleware.Context, err error, v ...interface{}) {
+	ctx.Logger.Info(err.Error(), v...)
+	// TODO: we can use the flash storage here once it's implemented
+	ctx.Session.Set("loginError", err.Error())
+	ctx.Redirect(setting.AppSubUrl + "/login")
+}

pkg/api/metrics.go

@@ -33,7 +33,7 @@ func QueryMetrics(c *middleware.Context, reqDto dtos.MetricRequest) Response {
 		})
 	}
 
-	resp, err := tsdb.HandleRequest(context.TODO(), request)
+	resp, err := tsdb.HandleRequest(context.Background(), request)
 	if err != nil {
 		return ApiError(500, "Metric request error", err)
 	}

pkg/api/org_invite.go

@@ -38,6 +38,10 @@ func AddOrgInvite(c *middleware.Context, inviteDto dtos.AddInviteForm) Response
 		if err != m.ErrUserNotFound {
 			return ApiError(500, "Failed to query db for existing user check", err)
 		}
+
+		if setting.DisableLoginForm {
+			return ApiError(401, "User could not be found", nil)
+		}
 	} else {
 		return inviteExistingUserToOrg(c, userQuery.Result, &inviteDto)
 	}

pkg/api/user.go

@@ -210,14 +210,48 @@ func ChangeUserPassword(c *middleware.Context, cmd m.ChangeUserPasswordCommand)
 
 // GET /api/users
 func SearchUsers(c *middleware.Context) Response {
-	query := m.SearchUsersQuery{Query: "", Page: 0, Limit: 1000}
-	if err := bus.Dispatch(&query); err != nil {
+	query, err := searchUser(c)
+	if err != nil {
+		return ApiError(500, "Failed to fetch users", err)
+	}
+
+	return Json(200, query.Result.Users)
+}
+
+// GET /api/search
+func SearchUsersWithPaging(c *middleware.Context) Response {
+	query, err := searchUser(c)
+	if err != nil {
 		return ApiError(500, "Failed to fetch users", err)
 	}
 
 	return Json(200, query.Result)
 }
 
+func searchUser(c *middleware.Context) (*m.SearchUsersQuery, error) {
+	perPage := c.QueryInt("perpage")
+	if perPage <= 0 {
+		perPage = 1000
+	}
+	page := c.QueryInt("page")
+
+	if page < 1 {
+		page = 1
+	}
+
+	searchQuery := c.Query("query")
+
+	query := &m.SearchUsersQuery{Query: searchQuery, Page: page, Limit: perPage}
+	if err := bus.Dispatch(query); err != nil {
+		return nil, err
+	}
+
+	query.Result.Page = page
+	query.Result.PerPage = perPage
+
+	return query, nil
+}
+
 func SetHelpFlag(c *middleware.Context) Response {
 	flag := c.ParamsInt64(":id")
 

pkg/api/user_test.go

@@ -0,0 +1,109 @@
+package api
+
+import (
+	"testing"
+
+	"github.com/grafana/grafana/pkg/models"
+
+	"github.com/grafana/grafana/pkg/bus"
+	"github.com/grafana/grafana/pkg/components/simplejson"
+	. "github.com/smartystreets/goconvey/convey"
+)
+
+func TestUserApiEndpoint(t *testing.T) {
+	Convey("Given a user is logged in", t, func() {
+		mockResult := models.SearchUserQueryResult{
+			Users: []*models.UserSearchHitDTO{
+				{Name: "user1"},
+				{Name: "user2"},
+			},
+			TotalCount: 2,
+		}
+
+		loggedInUserScenario("When calling GET on", "/api/users", func(sc *scenarioContext) {
+			var sentLimit int
+			var sendPage int
+			bus.AddHandler("test", func(query *models.SearchUsersQuery) error {
+				query.Result = mockResult
+
+				sentLimit = query.Limit
+				sendPage = query.Page
+
+				return nil
+			})
+
+			sc.handlerFunc = SearchUsers
+			sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()
+
+			So(sentLimit, ShouldEqual, 1000)
+			So(sendPage, ShouldEqual, 1)
+
+			respJSON, err := simplejson.NewJson(sc.resp.Body.Bytes())
+			So(err, ShouldBeNil)
+			So(len(respJSON.MustArray()), ShouldEqual, 2)
+		})
+
+		loggedInUserScenario("When calling GET with page and limit querystring parameters on", "/api/users", func(sc *scenarioContext) {
+			var sentLimit int
+			var sendPage int
+			bus.AddHandler("test", func(query *models.SearchUsersQuery) error {
+				query.Result = mockResult
+
+				sentLimit = query.Limit
+				sendPage = query.Page
+
+				return nil
+			})
+
+			sc.handlerFunc = SearchUsers
+			sc.fakeReqWithParams("GET", sc.url, map[string]string{"perpage": "10", "page": "2"}).exec()
+
+			So(sentLimit, ShouldEqual, 10)
+			So(sendPage, ShouldEqual, 2)
+		})
+
+		loggedInUserScenario("When calling GET on", "/api/users/search", func(sc *scenarioContext) {
+			var sentLimit int
+			var sendPage int
+			bus.AddHandler("test", func(query *models.SearchUsersQuery) error {
+				query.Result = mockResult
+
+				sentLimit = query.Limit
+				sendPage = query.Page
+
+				return nil
+			})
+
+			sc.handlerFunc = SearchUsersWithPaging
+			sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()
+
+			So(sentLimit, ShouldEqual, 1000)
+			So(sendPage, ShouldEqual, 1)
+
+			respJSON, err := simplejson.NewJson(sc.resp.Body.Bytes())
+			So(err, ShouldBeNil)
+
+			So(respJSON.Get("totalCount").MustInt(), ShouldEqual, 2)
+			So(len(respJSON.Get("users").MustArray()), ShouldEqual, 2)
+		})
+
+		loggedInUserScenario("When calling GET with page and perpage querystring parameters on", "/api/users/search", func(sc *scenarioContext) {
+			var sentLimit int
+			var sendPage int
+			bus.AddHandler("test", func(query *models.SearchUsersQuery) error {
+				query.Result = mockResult
+
+				sentLimit = query.Limit
+				sendPage = query.Page
+
+				return nil
+			})
+
+			sc.handlerFunc = SearchUsersWithPaging
+			sc.fakeReqWithParams("GET", sc.url, map[string]string{"perpage": "10", "page": "2"}).exec()
+
+			So(sentLimit, ShouldEqual, 10)
+			So(sendPage, ShouldEqual, 2)
+		})
+	})
+}