moves cookie https setting to [security]
This commit is contained in:
parent
9153b6ed96
commit
d6edaa1328
@ -113,9 +113,6 @@ cache_mode = private
|
|||||||
# Login cookie name
|
# Login cookie name
|
||||||
cookie_name = grafana_session
|
cookie_name = grafana_session
|
||||||
|
|
||||||
# If you want login cookies to be https only. default is false
|
|
||||||
cookie_secure = false
|
|
||||||
|
|
||||||
# How many days an session can be unused before we inactivate it
|
# How many days an session can be unused before we inactivate it
|
||||||
login_remember_days = 7
|
login_remember_days = 7
|
||||||
|
|
||||||
@ -203,6 +200,9 @@ data_source_proxy_whitelist =
|
|||||||
# disable protection against brute force login attempts
|
# disable protection against brute force login attempts
|
||||||
disable_brute_force_login_protection = false
|
disable_brute_force_login_protection = false
|
||||||
|
|
||||||
|
# set cookies as https only. default is false
|
||||||
|
https_flag_cookies = false
|
||||||
|
|
||||||
#################################### Snapshots ###########################
|
#################################### Snapshots ###########################
|
||||||
[snapshots]
|
[snapshots]
|
||||||
# snapshot sharing options
|
# snapshot sharing options
|
||||||
|
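Review bot: The new `https_flag_cookies` comment under `[security]` does not say that it replaces `[login] cookie_secure`, which this commit removes from the defaults in the hunk above and from sample.ini as well. An operator who carries a custom ini with `cookie_secure = true` will have that option silently stop applying, so the comment should name the old key: `# set cookies as https only. default is false (replaces cookie_secure in the [login] section)`. The same wording belongs on the matching sample.ini hunk.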
@ -109,9 +109,6 @@ log_queries =
|
|||||||
# Login cookie name
|
# Login cookie name
|
||||||
;cookie_name = grafana_session
|
;cookie_name = grafana_session
|
||||||
|
|
||||||
# If you want login cookies to be https only. default is false
|
|
||||||
;cookie_secure = false
|
|
||||||
|
|
||||||
# How many days an session can be unused before we inactivate it
|
# How many days an session can be unused before we inactivate it
|
||||||
;login_remember_days = 7
|
;login_remember_days = 7
|
||||||
|
|
||||||
@ -190,6 +187,9 @@ log_queries =
|
|||||||
# disable protection against brute force login attempts
|
# disable protection against brute force login attempts
|
||||||
;disable_brute_force_login_protection = false
|
;disable_brute_force_login_protection = false
|
||||||
|
|
||||||
|
# set cookies as https only. default is false
|
||||||
|
;https_flag_cookies = false
|
||||||
|
|
||||||
#################################### Snapshots ###########################
|
#################################### Snapshots ###########################
|
||||||
[snapshots]
|
[snapshots]
|
||||||
# snapshot sharing options
|
# snapshot sharing options
|
||||||
|
@ -176,7 +176,7 @@ func (hs *HTTPServer) trySetEncryptedCookie(ctx *m.ReqContext, cookieName string
|
|||||||
Value: hex.EncodeToString(encryptedError),
|
Value: hex.EncodeToString(encryptedError),
|
||||||
HttpOnly: true,
|
HttpOnly: true,
|
||||||
Path: setting.AppSubUrl + "/",
|
Path: setting.AppSubUrl + "/",
|
||||||
Secure: hs.Cfg.LoginCookieSecure,
|
Secure: hs.Cfg.SecurityHTTPSCookies,
|
||||||
})
|
})
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
|
@ -60,8 +60,7 @@ func (hs *HTTPServer) OAuthLogin(ctx *m.ReqContext) {
|
|||||||
if code == "" {
|
if code == "" {
|
||||||
state := GenStateString()
|
state := GenStateString()
|
||||||
hashedState := hashStatecode(state, setting.OAuthService.OAuthInfos[name].ClientSecret)
|
hashedState := hashStatecode(state, setting.OAuthService.OAuthInfos[name].ClientSecret)
|
||||||
hs.writeOauthStateCookie(ctx, hashedState, 60)
|
hs.writeCookie(ctx.Resp, OauthStateCookieName, hashedState, 60)
|
||||||
|
|
||||||
if setting.OAuthService.OAuthInfos[name].HostedDomain == "" {
|
if setting.OAuthService.OAuthInfos[name].HostedDomain == "" {
|
||||||
ctx.Redirect(connect.AuthCodeURL(state, oauth2.AccessTypeOnline))
|
ctx.Redirect(connect.AuthCodeURL(state, oauth2.AccessTypeOnline))
|
||||||
} else {
|
} else {
|
||||||
@ -70,19 +69,20 @@ func (hs *HTTPServer) OAuthLogin(ctx *m.ReqContext) {
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
savedState := ctx.GetCookie(OauthStateCookieName)
|
cookieState := ctx.GetCookie(OauthStateCookieName)
|
||||||
|
|
||||||
// delete cookie
|
// delete cookie
|
||||||
ctx.Resp.Header().Del("Set-Cookie")
|
ctx.Resp.Header().Del("Set-Cookie")
|
||||||
hs.writeOauthStateCookie(ctx, "", -1)
|
hs.deleteCookie(ctx.Resp, OauthStateCookieName)
|
||||||
|
|
||||||
if savedState == "" {
|
if cookieState == "" {
|
||||||
ctx.Handle(500, "login.OAuthLogin(missing saved state)", nil)
|
ctx.Handle(500, "login.OAuthLogin(missing saved state)", nil)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
queryState := hashStatecode(ctx.Query("state"), setting.OAuthService.OAuthInfos[name].ClientSecret)
|
queryState := hashStatecode(ctx.Query("state"), setting.OAuthService.OAuthInfos[name].ClientSecret)
|
||||||
if savedState != queryState {
|
oauthLogger.Info("state check", "queryState", queryState, "cookieState", cookieState)
|
||||||
|
if cookieState != queryState {
|
||||||
ctx.Handle(500, "login.OAuthLogin(state mismatch)", nil)
|
ctx.Handle(500, "login.OAuthLogin(state mismatch)", nil)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
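Review bot: The added `oauthLogger.Info("state check", "queryState", queryState, "cookieState", cookieState)` writes both state values to the log at Info level on every OAuth callback, which puts the anti-CSRF token of each login attempt into log storage; a mismatch is already reported through `ctx.Handle(500, ...)`, so either drop the line or lower it to `oauthLogger.Debug(...)`. The comparison on the following line, `if cookieState != queryState`, is a plain string compare of hashed values; if hashStatecode produces an HMAC-style digest, `subtle.ConstantTimeCompare([]byte(cookieState), []byte(queryState)) != 1` would be the conventional form (this needs `crypto/subtle`, and the import block is outside the hunk). OAuthLogin starts and ends outside this hunk.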
@ -203,14 +203,18 @@ func (hs *HTTPServer) OAuthLogin(ctx *m.ReqContext) {
|
|||||||
ctx.Redirect(setting.AppSubUrl + "/")
|
ctx.Redirect(setting.AppSubUrl + "/")
|
||||||
}
|
}
|
||||||
|
|
||||||
func (hs *HTTPServer) writeOauthStateCookie(ctx *m.ReqContext, value string, maxAge int) {
|
func (hs *HTTPServer) deleteCookie(w http.ResponseWriter, name string) {
|
||||||
http.SetCookie(ctx.Resp, &http.Cookie{
|
hs.writeCookie(w, name, "", -1)
|
||||||
Name: OauthStateCookieName,
|
}
|
||||||
|
|
||||||
|
func (hs *HTTPServer) writeCookie(w http.ResponseWriter, name string, value string, maxAge int) {
|
||||||
|
http.SetCookie(w, &http.Cookie{
|
||||||
|
Name: name,
|
||||||
MaxAge: maxAge,
|
MaxAge: maxAge,
|
||||||
Value: value,
|
Value: value,
|
||||||
HttpOnly: true,
|
HttpOnly: true,
|
||||||
Path: setting.AppSubUrl + "/",
|
Path: setting.AppSubUrl + "/",
|
||||||
Secure: hs.Cfg.LoginCookieSecure,
|
Secure: hs.Cfg.SecurityHTTPSCookies,
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -95,7 +95,7 @@ func (s *UserAuthTokenServiceImpl) writeSessionCookie(ctx *models.ReqContext, va
|
|||||||
HttpOnly: true,
|
HttpOnly: true,
|
||||||
Domain: setting.Domain,
|
Domain: setting.Domain,
|
||||||
Path: setting.AppSubUrl + "/",
|
Path: setting.AppSubUrl + "/",
|
||||||
Secure: s.Cfg.LoginCookieSecure,
|
Secure: s.Cfg.SecurityHTTPSCookies,
|
||||||
MaxAge: maxAge,
|
MaxAge: maxAge,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -293,7 +293,6 @@ func createTestContext(t *testing.T) *testContext {
|
|||||||
SQLStore: sqlstore,
|
SQLStore: sqlstore,
|
||||||
Cfg: &setting.Cfg{
|
Cfg: &setting.Cfg{
|
||||||
LoginCookieName: "grafana_session",
|
LoginCookieName: "grafana_session",
|
||||||
LoginCookieSecure: false,
|
|
||||||
LoginCookieMaxDays: 7,
|
LoginCookieMaxDays: 7,
|
||||||
LoginDeleteExpiredTokensAfterDays: 30,
|
LoginDeleteExpiredTokensAfterDays: 30,
|
||||||
LoginCookieRotation: 10,
|
LoginCookieRotation: 10,
|
||||||
|
@ -223,10 +223,11 @@ type Cfg struct {
|
|||||||
EnterpriseLicensePath string
|
EnterpriseLicensePath string
|
||||||
|
|
||||||
LoginCookieName string
|
LoginCookieName string
|
||||||
LoginCookieSecure bool
|
|
||||||
LoginCookieMaxDays int
|
LoginCookieMaxDays int
|
||||||
LoginCookieRotation int
|
LoginCookieRotation int
|
||||||
LoginDeleteExpiredTokensAfterDays int
|
LoginDeleteExpiredTokensAfterDays int
|
||||||
|
|
||||||
|
SecurityHTTPSCookies bool
|
||||||
}
|
}
|
||||||
|
|
||||||
type CommandLineArgs struct {
|
type CommandLineArgs struct {
|
||||||
@ -554,7 +555,6 @@ func (cfg *Cfg) Load(args *CommandLineArgs) error {
|
|||||||
login := iniFile.Section("login")
|
login := iniFile.Section("login")
|
||||||
cfg.LoginCookieName = login.Key("cookie_name").MustString("grafana_session")
|
cfg.LoginCookieName = login.Key("cookie_name").MustString("grafana_session")
|
||||||
cfg.LoginCookieMaxDays = login.Key("login_remember_days").MustInt(7)
|
cfg.LoginCookieMaxDays = login.Key("login_remember_days").MustInt(7)
|
||||||
cfg.LoginCookieSecure = login.Key("cookie_secure").MustBool(false)
|
|
||||||
cfg.LoginDeleteExpiredTokensAfterDays = login.Key("delete_expired_token_after_days").MustInt(30)
|
cfg.LoginDeleteExpiredTokensAfterDays = login.Key("delete_expired_token_after_days").MustInt(30)
|
||||||
cfg.LoginCookieRotation = login.Key("rotate_token_minutes").MustInt(30)
|
cfg.LoginCookieRotation = login.Key("rotate_token_minutes").MustInt(30)
|
||||||
if cfg.LoginCookieRotation < 2 {
|
if cfg.LoginCookieRotation < 2 {
|
||||||
@ -603,6 +603,7 @@ func (cfg *Cfg) Load(args *CommandLineArgs) error {
|
|||||||
SecretKey = security.Key("secret_key").String()
|
SecretKey = security.Key("secret_key").String()
|
||||||
DisableGravatar = security.Key("disable_gravatar").MustBool(true)
|
DisableGravatar = security.Key("disable_gravatar").MustBool(true)
|
||||||
cfg.DisableBruteForceLoginProtection = security.Key("disable_brute_force_login_protection").MustBool(false)
|
cfg.DisableBruteForceLoginProtection = security.Key("disable_brute_force_login_protection").MustBool(false)
|
||||||
|
cfg.SecurityHTTPSCookies = security.Key("https_flag_cookies").MustBool(false)
|
||||||
DisableBruteForceLoginProtection = cfg.DisableBruteForceLoginProtection
|
DisableBruteForceLoginProtection = cfg.DisableBruteForceLoginProtection
|
||||||
|
|
||||||
// read snapshots settings
|
// read snapshots settings
|
||||||
|
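Review bot: `cfg.SecurityHTTPSCookies = security.Key("https_flag_cookies").MustBool(false)` reads only the new key, while the earlier hunk at line 554 drops `cfg.LoginCookieSecure = login.Key("cookie_secure").MustBool(false)` without any fallback, so an existing installation with `cookie_secure = true` under `[login]` silently loses the Secure flag on its session, OAuth-state and error cookies after upgrade. Reading the old key as the default keeps such deployments safe through the rename, e.g. `cfg.SecurityHTTPSCookies = security.Key("https_flag_cookies").MustBool(login.Key("cookie_secure").MustBool(false))`, assuming the `login` section variable declared earlier in Load is still in scope at this point; a warning log line when the old key is set would tell operators to migrate. The new `SecurityHTTPSCookies bool` field in the Cfg struct hunk at line 223 also lacks a doc comment; `// SecurityHTTPSCookies sets the Secure attribute on cookies Grafana issues ([security] https_flag_cookies).` would do. Load starts and ends outside this hunk.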