AuthProxy: Do not allow sessions to be assigned with other methods (#78602)

do not allow login token with other methods
Jo 2023-11-24 11:00:53 +01:00 committed by GitHub
parent 11d4f604f5
commit 7d559bc69a
3 changed files with 9 additions and 3 deletions


@ -129,7 +129,9 @@ func (hs *HTTPServer) LoginView(c *contextmodel.ReqContext) {
if c.IsSignedIn {
// Assign login token to auth proxy users if enable_login_token = true
if hs.Cfg.AuthProxyEnabled && hs.Cfg.AuthProxyEnableLoginToken {
if hs.Cfg.AuthProxyEnabled &&
hs.Cfg.AuthProxyEnableLoginToken &&
c.SignedInUser.AuthenticatedBy == loginservice.AuthProxyAuthModule {
user := &user.User{ID: c.SignedInUser.UserID, Email: c.SignedInUser.Email, Login: c.SignedInUser.Login}
err := hs.loginUserWithUser(user, c)
if err != nil {
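Review bot: The comment above the widened condition still describes only the `enable_login_token` setting and does not say why the `AuthenticatedBy` comparison is there, so a later refactor could drop it as redundant. I would reword it to something like `// Assign a login token only when this session was authenticated by auth proxy (enable_login_token = true); sessions from any other auth method must not be issued a token here.` The check fails closed: an empty or unset `AuthenticatedBy` skips `hs.loginUserWithUser`, which is the safe direction but means every auth-proxy path has to populate the field. LoginView starts and ends outside this hunk, so the handling after the `err` check was not reviewed.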


@ -29,6 +29,7 @@ import (
"github.com/grafana/grafana/pkg/services/featuremgmt"
"github.com/grafana/grafana/pkg/services/hooks"
"github.com/grafana/grafana/pkg/services/licensing"
loginservice "github.com/grafana/grafana/pkg/services/login"
"github.com/grafana/grafana/pkg/services/navtree"
"github.com/grafana/grafana/pkg/services/secrets"
"github.com/grafana/grafana/pkg/services/secrets/fakes"
@ -587,7 +588,8 @@ func TestAuthProxyLoginWithEnableLoginTokenAndEnabledOauthAutoLogin(t *testing.T
sc.defaultHandler = routing.Wrap(func(c *contextmodel.ReqContext) response.Response {
c.IsSignedIn = true
c.SignedInUser = &user.SignedInUser{
UserID: 10,
UserID: 10,
AuthenticatedBy: loginservice.AuthProxyAuthModule,
}
hs.LoginView(c)
return response.Empty(http.StatusOK)
@ -626,7 +628,8 @@ func setupAuthProxyLoginTest(t *testing.T, enableLoginToken bool) *scenarioConte
sc.defaultHandler = routing.Wrap(func(c *contextmodel.ReqContext) response.Response {
c.IsSignedIn = true
c.SignedInUser = &user.SignedInUser{
UserID: 10,
UserID: 10,
AuthenticatedBy: loginservice.AuthProxyAuthModule,
}
hs.LoginView(c)
return response.Empty(http.StatusOK)
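Review bot: Neither fixture covers the case this commit is meant to block. Both `TestAuthProxyLoginWithEnableLoginTokenAndEnabledOauthAutoLogin` and `setupAuthProxyLoginTest` now set `AuthenticatedBy: loginservice.AuthProxyAuthModule,`, so they only exercise the path where a token is still issued. I would add a negative case with auth proxy and enable_login_token both on, `AuthenticatedBy` set to a different module (and a second one with it left empty), asserting that `hs.LoginView(c)` sets no session cookie. Without it, removing the new comparison in LoginView would not fail any test shown here. The assertions of both tests are outside these hunks, so this is based on the fixtures alone.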


@ -114,6 +114,7 @@ func (c *Proxy) Authenticate(ctx context.Context, r *authn.Request) (*authn.Iden
identity, clientErr = proxyClient.AuthenticateProxy(ctx, r, username, additional)
if identity != nil {
identity.ClientParams.CacheAuthProxyKey = cacheKey
identity.AuthenticatedBy = login.AuthProxyAuthModule
return identity, nil
}
}
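Review bot: `identity.AuthenticatedBy = login.AuthProxyAuthModule` is set only on the identity returned from this `AuthenticateProxy` branch, while LoginView now requires that exact value before issuing a login token. Authenticate begins outside the hunk. If it has another return path that builds an identity (the `cacheKey` variable suggests a cached-identity path may exist), that identity would carry an empty `AuthenticatedBy` and auth-proxy users taking that path would silently stop receiving a token. Please confirm that every identity this client returns gets the module set, ideally in one place just before returning. A short comment here such as `// LoginView relies on this value to decide whether to issue a login token` would make the coupling visible.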