Auth Proxy improvements

- adds the option to use ldap groups for authorization in combination with an auth proxy
- adds an option to limit where auth proxy requests come from by configure a list of ip's
- fixes a security issue, session could be reused

pkg/middleware/auth_proxy_test.go

@@ -0,0 +1,123 @@
+package middleware
+
+import (
+	"testing"
+	"time"
+
+	"github.com/grafana/grafana/pkg/login"
+	m "github.com/grafana/grafana/pkg/models"
+	"github.com/grafana/grafana/pkg/setting"
+	. "github.com/smartystreets/goconvey/convey"
+)
+
+func TestAuthProxyWithLdapEnabled(t *testing.T) {
+	Convey("When calling sync grafana user with ldap user", t, func() {
+
+		setting.LdapEnabled = true
+		setting.AuthProxyLdapSyncTtl = 60
+
+		servers := []*login.LdapServerConf{{Host: "127.0.0.1"}}
+		login.ldapCfg = login.LdapConfig{Servers: servers}
+		mockLdapAuther := mockLdapAuthenticator{}
+
+		login.NewLdapAuthenticator = func(server *login.LdapServerConf) login.ILdapAuther {
+			return &mockLdapAuther
+		}
+
+		signedInUser := m.SignedInUser{}
+		query := m.GetSignedInUserQuery{Result: &signedInUser}
+
+		Convey("When session variable lastLdapSync not set, call syncSignedInUser and set lastLdapSync", func() {
+			// arrange
+			session := mockSession{}
+			ctx := Context{Session: &session}
+			So(session.Get(SESS_KEY_LASTLDAPSYNC), ShouldBeNil)
+
+			// act
+			syncGrafanaUserWithLdapUser(&ctx, &query)
+
+			// assert
+			So(mockLdapAuther.syncSignedInUserCalled, ShouldBeTrue)
+			So(session.Get(SESS_KEY_LASTLDAPSYNC), ShouldBeGreaterThan, 0)
+		})
+
+		Convey("When session variable not expired, don't sync and don't change session var", func() {
+			// arrange
+			session := mockSession{}
+			ctx := Context{Session: &session}
+			now := time.Now().Unix()
+			session.Set(SESS_KEY_LASTLDAPSYNC, now)
+
+			// act
+			syncGrafanaUserWithLdapUser(&ctx, &query)
+
+			// assert
+			So(session.Get(SESS_KEY_LASTLDAPSYNC), ShouldEqual, now)
+			So(mockLdapAuther.syncSignedInUserCalled, ShouldBeFalse)
+		})
+
+		Convey("When lastldapsync is expired, session variable should be updated", func() {
+			// arrange
+			session := mockSession{}
+			ctx := Context{Session: &session}
+			expiredTime := time.Now().Add(time.Duration(-120) * time.Minute).Unix()
+			session.Set(SESS_KEY_LASTLDAPSYNC, expiredTime)
+
+			// act
+			syncGrafanaUserWithLdapUser(&ctx, &query)
+
+			// assert
+			So(session.Get(SESS_KEY_LASTLDAPSYNC), ShouldBeGreaterThan, expiredTime)
+			So(mockLdapAuther.syncSignedInUserCalled, ShouldBeTrue)
+		})
+	})
+}
+
+type mockSession struct {
+	value interface{}
+}
+
+func (s *mockSession) Start(c *Context) error {
+	return nil
+}
+
+func (s *mockSession) Set(k interface{}, v interface{}) error {
+	s.value = v
+	return nil
+}
+
+func (s *mockSession) Get(k interface{}) interface{} {
+	return s.value
+}
+
+func (s *mockSession) ID() string {
+	return ""
+}
+
+func (s *mockSession) Release() error {
+	return nil
+}
+
+func (s *mockSession) Destory(c *Context) error {
+	return nil
+}
+
+type mockLdapAuthenticator struct {
+	syncSignedInUserCalled bool
+}
+
+func (a *mockLdapAuthenticator) Login(query *login.LoginUserQuery) error {
+	return nil
+}
+
+func (a *mockLdapAuthenticator) SyncSignedInUser(signedInUser *m.SignedInUser) error {
+	a.syncSignedInUserCalled = true
+	return nil
+}
+
+func (a *mockLdapAuthenticator) GetGrafanaUserFor(ldapUser *login.LdapUserInfo) (*m.User, error) {
+	return nil, nil
+}
+func (a *mockLdapAuthenticator) SyncOrgRoles(user *m.User, ldapUser *login.LdapUserInfo) error {
+	return nil
+}