Auth: Fix catch both ErrInvalidAPIKey for context with APIKey (#62193)

* fix: capture both ErrInvalidAPIKey

* rename of variable
Eric Leijonmarck 2023-01-26 14:42:50 +01:00 committed by GitHub
parent 7d8ec6199d
commit c5cb5be3cc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -306,13 +306,13 @@ func (h *ContextHandler) initContextWithAPIKey(reqContext *models.ReqContext) bo
*reqContext.Req = *reqContext.Req.WithContext(ctx)
var (
apikey *apikey.APIKey
apiKey *apikey.APIKey
errKey error
)
if strings.HasPrefix(keyString, apikeygenprefix.GrafanaPrefix) {
apikey, errKey = h.getPrefixedAPIKey(reqContext.Req.Context(), keyString) // decode prefixed key
apiKey, errKey = h.getPrefixedAPIKey(reqContext.Req.Context(), keyString) // decode prefixed key
} else {
apikey, errKey = h.getAPIKey(reqContext.Req.Context(), keyString) // decode legacy api key
apiKey, errKey = h.getAPIKey(reqContext.Req.Context(), keyString) // decode legacy api key
}
if errKey != nil {
@ -320,6 +320,11 @@ func (h *ContextHandler) initContextWithAPIKey(reqContext *models.ReqContext) bo
if errors.Is(errKey, apikeygen.ErrInvalidApiKey) {
status = http.StatusUnauthorized
}
// this is when the getPrefixAPIKey return error form the apikey package instead of the apikeygen
// when called in the sqlx store methods
if errors.Is(errKey, apikey.ErrInvalid) {
status = http.StatusUnauthorized
}
reqContext.JsonApiErr(status, InvalidAPIKey, errKey)
return true
}
@ -329,12 +334,12 @@ func (h *ContextHandler) initContextWithAPIKey(reqContext *models.ReqContext) bo
if getTime == nil {
getTime = time.Now
}
if apikey.Expires != nil && *apikey.Expires <= getTime().Unix() {
if apiKey.Expires != nil && *apiKey.Expires <= getTime().Unix() {
reqContext.JsonApiErr(http.StatusUnauthorized, "Expired API key", nil)
return true
}
if apikey.IsRevoked != nil && *apikey.IsRevoked {
if apiKey.IsRevoked != nil && *apiKey.IsRevoked {
reqContext.JsonApiErr(http.StatusUnauthorized, "Revoked token", nil)
return true
@ -350,15 +355,15 @@ func (h *ContextHandler) initContextWithAPIKey(reqContext *models.ReqContext) bo
if err := h.apiKeyService.UpdateAPIKeyLastUsedDate(context.Background(), id); err != nil {
reqContext.Logger.Warn("failed to update last use date for api key", "id", id)
}
}(apikey.Id)
}(apiKey.Id)
if apikey.ServiceAccountId == nil || *apikey.ServiceAccountId < 1 { //There is no service account attached to the apikey
if apiKey.ServiceAccountId == nil || *apiKey.ServiceAccountId < 1 { //There is no service account attached to the apikey
// Use the old APIkey method. This provides backwards compatibility.
// will probably have to be supported for a long time.
reqContext.SignedInUser = &user.SignedInUser{}
reqContext.OrgRole = apikey.Role
reqContext.ApiKeyID = apikey.Id
reqContext.OrgID = apikey.OrgId
reqContext.OrgRole = apiKey.Role
reqContext.ApiKeyID = apiKey.Id
reqContext.OrgID = apiKey.OrgId
reqContext.IsSignedIn = true
return true
}
@ -366,7 +371,7 @@ func (h *ContextHandler) initContextWithAPIKey(reqContext *models.ReqContext) bo
//There is a service account attached to the API key
//Use service account linked to API key as the signed in user
querySignedInUser := user.GetSignedInUserQuery{UserID: *apikey.ServiceAccountId, OrgID: apikey.OrgId}
querySignedInUser := user.GetSignedInUserQuery{UserID: *apiKey.ServiceAccountId, OrgID: apiKey.OrgId}
querySignedInUserResult, err := h.userService.GetSignedInUserWithCacheCtx(reqContext.Req.Context(), &querySignedInUser)
if err != nil {
reqContext.Logger.Error(