Auth: Fix catch both both ErrInvalidAPIKey for context with APIKey (#62193)
* fix: treat both ErrInvalidAPIKey variants (apikeygen.ErrInvalidApiKey and apikey.ErrInvalid) as an invalid key * rename the local variable
This commit is contained in:
parent
7d8ec6199d
commit
c5cb5be3cc
@ -306,13 +306,13 @@ func (h *ContextHandler) initContextWithAPIKey(reqContext *models.ReqContext) bo
|
||||
*reqContext.Req = *reqContext.Req.WithContext(ctx)
|
||||
|
||||
var (
|
||||
apikey *apikey.APIKey
|
||||
apiKey *apikey.APIKey
|
||||
errKey error
|
||||
)
|
||||
if strings.HasPrefix(keyString, apikeygenprefix.GrafanaPrefix) {
|
||||
apikey, errKey = h.getPrefixedAPIKey(reqContext.Req.Context(), keyString) // decode prefixed key
|
||||
apiKey, errKey = h.getPrefixedAPIKey(reqContext.Req.Context(), keyString) // decode prefixed key
|
||||
} else {
|
||||
apikey, errKey = h.getAPIKey(reqContext.Req.Context(), keyString) // decode legacy api key
|
||||
apiKey, errKey = h.getAPIKey(reqContext.Req.Context(), keyString) // decode legacy api key
|
||||
}
|
||||
|
||||
if errKey != nil {
|
||||
@ -320,6 +320,11 @@ func (h *ContextHandler) initContextWithAPIKey(reqContext *models.ReqContext) bo
|
||||
if errors.Is(errKey, apikeygen.ErrInvalidApiKey) {
|
||||
status = http.StatusUnauthorized
|
||||
}
|
||||
// this is when the getPrefixAPIKey return error form the apikey package instead of the apikeygen
|
||||
// when called in the sqlx store methods
|
||||
if errors.Is(errKey, apikey.ErrInvalid) {
|
||||
status = http.StatusUnauthorized
|
||||
}
|
||||
reqContext.JsonApiErr(status, InvalidAPIKey, errKey)
|
||||
return true
|
||||
}
|
||||
@ -329,12 +334,12 @@ func (h *ContextHandler) initContextWithAPIKey(reqContext *models.ReqContext) bo
|
||||
if getTime == nil {
|
||||
getTime = time.Now
|
||||
}
|
||||
if apikey.Expires != nil && *apikey.Expires <= getTime().Unix() {
|
||||
if apiKey.Expires != nil && *apiKey.Expires <= getTime().Unix() {
|
||||
reqContext.JsonApiErr(http.StatusUnauthorized, "Expired API key", nil)
|
||||
return true
|
||||
}
|
||||
|
||||
if apikey.IsRevoked != nil && *apikey.IsRevoked {
|
||||
if apiKey.IsRevoked != nil && *apiKey.IsRevoked {
|
||||
reqContext.JsonApiErr(http.StatusUnauthorized, "Revoked token", nil)
|
||||
|
||||
return true
|
||||
@ -350,15 +355,15 @@ func (h *ContextHandler) initContextWithAPIKey(reqContext *models.ReqContext) bo
|
||||
if err := h.apiKeyService.UpdateAPIKeyLastUsedDate(context.Background(), id); err != nil {
|
||||
reqContext.Logger.Warn("failed to update last use date for api key", "id", id)
|
||||
}
|
||||
}(apikey.Id)
|
||||
}(apiKey.Id)
|
||||
|
||||
if apikey.ServiceAccountId == nil || *apikey.ServiceAccountId < 1 { //There is no service account attached to the apikey
|
||||
if apiKey.ServiceAccountId == nil || *apiKey.ServiceAccountId < 1 { //There is no service account attached to the apikey
|
||||
// Use the old APIkey method. This provides backwards compatibility.
|
||||
// will probably have to be supported for a long time.
|
||||
reqContext.SignedInUser = &user.SignedInUser{}
|
||||
reqContext.OrgRole = apikey.Role
|
||||
reqContext.ApiKeyID = apikey.Id
|
||||
reqContext.OrgID = apikey.OrgId
|
||||
reqContext.OrgRole = apiKey.Role
|
||||
reqContext.ApiKeyID = apiKey.Id
|
||||
reqContext.OrgID = apiKey.OrgId
|
||||
reqContext.IsSignedIn = true
|
||||
return true
|
||||
}
|
||||
@ -366,7 +371,7 @@ func (h *ContextHandler) initContextWithAPIKey(reqContext *models.ReqContext) bo
|
||||
//There is a service account attached to the API key
|
||||
|
||||
//Use service account linked to API key as the signed in user
|
||||
querySignedInUser := user.GetSignedInUserQuery{UserID: *apikey.ServiceAccountId, OrgID: apikey.OrgId}
|
||||
querySignedInUser := user.GetSignedInUserQuery{UserID: *apiKey.ServiceAccountId, OrgID: apiKey.OrgId}
|
||||
querySignedInUserResult, err := h.userService.GetSignedInUserWithCacheCtx(reqContext.Req.Context(), &querySignedInUser)
|
||||
if err != nil {
|
||||
reqContext.Logger.Error(
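Review bot: The two `errors.Is` checks in the `errKey != nil` branch of the second hunk assign the same status and read better as a single condition, `if errors.Is(errKey, apikeygen.ErrInvalidApiKey) || errors.Is(errKey, apikey.ErrInvalid) { status = http.StatusUnauthorized }`, which also makes it obvious that every other store error falls through to the status assigned above the hunk. The comment on that branch has typos ("return error form") and should also record why the local was renamed, e.g. `// getPrefixedAPIKey/getAPIKey may return apikey.ErrInvalid (from the sqlx store) instead of apikeygen.ErrInvalidApiKey; the local is apiKey so the apikey package is not shadowed here`. Because `reqContext.JsonApiErr(status, InvalidAPIKey, errKey)` also receives the raw error in the fall-through case, confirm that JsonApiErr only logs `errKey` and never echoes it to the unauthenticated caller. No test pinning the `apikey.ErrInvalid` → 401 mapping is visible on this page; one would keep this fix from regressing. The `status` declaration and the remainder of initContextWithAPIKey lie outside these hunks.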
|
||||
|