Commit Graph

290 Commits

Author SHA1 Message Date
Arve Knudsen
41d432b5ae
Chore: Enable whitespace linter (#25903)
Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
2020-07-06 20:17:28 +02:00
Sofia Papagiannaki
44dff6fdd0
Auth: Fix POST request failures with anonymous access (#26049)
Macaron context.QueryBool() seems to modify the request context
that causes the POST and PUT requests to fail with:
"http: proxy error: net/http: HTTP/1.x transport connection broken: http: ContentLength=333 with Body length 0"
2020-07-06 15:59:00 +03:00
Arve Knudsen
dcd5752086
Chore: Upgrade macaron (#25869)
Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
2020-06-29 19:15:11 +02:00
Arve Knudsen
5070f7a75b
Chore: Start harmonizing linting with plugin SDK (#25854)
* Chore: Harmonize linting with plugin SDK

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>

* Chore: Fix linting issues

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
2020-06-29 14:08:32 +02:00
Arve Knudsen
ea2bb7036c
Auth proxy: Ignore stale cache entries (#23979)
* Auth proxy: Retry without cache if failing to get user
2020-06-17 18:43:16 +02:00
Torkel Ödegaard
d6ed8c522c
Dashboard: Redirects for old edit & view panel urls (#25653) 2020-06-17 12:51:41 +02:00
Sofia Papagiannaki
fefbbc65a8
Auth: Add support for forcing authentication in anonymous mode and modify SignIn to use it instead of redirect (#25567)
* Forbid additional redirect urls

* Optionally force login in anonymous mode

* Update LoginCtrl page to ignore redirect parameter

* Modify SignIn to set forceLogin query instead of redirect

* Pass appUrl to frontend and use URL API for updating url query

* Apply suggestions from code review

Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>

* Fix SignIn test

Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
2020-06-16 16:33:44 +03:00
Arve Knudsen
07582a8e85
Chore: Fix various spelling errors in back-end code (#25241)
* Chore: Fix various spelling errors in back-end code
Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com>
Co-authored-by: Josh Soref <jsoref@users.noreply.github.com>>
2020-06-01 17:11:25 +02:00
Erik Sundell
d94796a022
Auth: Remove trailing / in cookies' path (#22265) (#22265)
According to the stackoverflow answer below, it is recommended to not
include a trailing / in cookies' path. By removing the trailing / for
our cookies path value, people's browsers visiting grafana will pass the
cookie not only to /grafana/ sub paths but also to /grafana sub paths.

This commit avoids the situation where a user would visit
http://localhost/grafana, get redirected to
http://localhost/grafana/login, and following login get redirected back
to http://localhost/grafana, but since the grafana_session cookie isn't
passed along get redirected back once more to
http://localhost/grafana/login.

ref: https://stackoverflow.com/questions/36131023/setting-a-slash-on-cookie-path/53784228#53784228
ref: https://tools.ietf.org/html/rfc6265#section-5.1.4
2020-04-06 17:56:19 +03:00
Jon McKenzie
6c9d833602
AuthProxy: Fixes bug where long username could not be cached (#22926) 2020-03-20 21:50:27 +01:00
Sofia Papagiannaki
be022d4239
API: Fix redirect issues (#22285)
* Revert "API: Fix redirect issue when configured to use a subpath (#21652)" (#22671)

This reverts commit 0e2d874ecf.

* Fix redirect validation (#22675)

* Chore: Add test for parse of app url and app sub url

Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>

* Fix redirect: prepend subpath only if it's missing (#22676)

* Validate redirect in login oauth (#22677)

* Fix invalid redirect for authenticated user (#22678)

* Login: Use correct path for OAuth logos

Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
2020-03-11 11:04:48 +02:00
Marcus Efraimsson
4ff613a432
Backend Plugins: Support handling of streaming resource response (#22580)
Use v0.19.0 of SDK.
Support handling of streaming resource response.
Disable gzip/compression middleware for resources 
to allow chunked/streaming response to clients the gzip
middleware had to be disabled since it buffers the full
response before sending it to the client.

Closes #22569

Co-Authored-By: Arve Knudsen <arve.knudsen@gmail.com>
2020-03-06 01:44:07 +07:00
Carl Bergquist
f2f2722bb1
chore: avoid aliasing models in middleware (#22484) 2020-02-28 12:50:58 +01:00
Marcus Efraimsson
d0a80c59f3
Rendering: Store render key in remote cache (#22031)
By storing render key in remote cache it will enable
image renderer to use public facing url or load
balancer url to render images and thereby remove
the requirement of image renderer having to use the
url of the originating Grafana instance when running
HA setup (multiple Grafana instances).

Fixes #17704
Ref grafana/grafana-image-renderer#91
2020-02-19 19:47:39 +01:00
Carl Bergquist
b0b46991ec
Metrics: Add gauge for requests currently in flight (#22168)
Add gauge for requests currently in flight.

Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
2020-02-19 18:29:47 +01:00
Marcus Efraimsson
fd52570b7f
API: Improve recovery middleware when response already been written (#22256)
Suppresses stacktrace in recovery middleware if error is
http.ErrAbortHandler.
Skips writing response error in recovery middleware if
resoonse have already been written.
Skips try rotate of auth token if response have already
been written.
Skips adding default response headers if response have
already been written.

Fixes #15728
Ref #18082

Co-Authored-By: Arve Knudsen <arve.knudsen@gmail.com>
2020-02-18 22:53:40 +01:00
Carl Bergquist
fe16028e02
Auth: Don't rotate auth token when requests are cancelled by client (#22106)
if the client closes the connection we should not
rotate token since the client will never receive the
new token.

Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
2020-02-17 17:31:44 +01:00
Brian Gann
0e2d874ecf
API: Fix redirect issue when configured to use a subpath (#21652)
* request uri will contain the subpath
2020-02-14 14:51:35 +01:00
Anthony Woods
f56f54b1a3 Auth: Rotate auth tokens at the end of requests (#21347)
By rotating the auth tokens at the end of the request we ensure
that there is minimum delay between a new token being generated
and the client receiving it.
Adds auth token slow load test which uses random latency for all 
tsdb queries..
Cleans up datasource proxy response handling.
DefaultHandler in middleware tests should write a response, the 
responseWriter BeforeFuncs wont get executed unless a response
is written.

Fixes #18644 

Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
2020-01-15 13:03:12 +01:00
Marcus Efraimsson
a1579283a6
Add disabled option for cookie samesite attribute (#21472)
Breaking change: If disabled the cookie samesite cookie attribute
will not be set, but if none the attribute will be set and is a
breaking change compared to before where none did not render the
attribute. This was due to a known issue in Safari.

Co-Authored-By: Arve Knudsen <arve.knudsen@gmail.com>
Co-Authored-By: Diana Payton <52059945+oddlittlebird@users.noreply.github.com>

Fixes #19847
2020-01-14 17:41:54 +01:00
Jeffrey Descan
c5f906f472 Security: refactor 'redirect_to' cookie to use 'Secure' flag (#19787)
* Refactor redirect_to cookie with secure flag in middleware

* Refactor redirect_to cookie with secure flag in api/login

* Refactor redirect_to cookie with secure flag in api/login_oauth

* Removed the deletion of 'Set-Cookie' header to prevent logout

* Removed the deletion of 'Set-Cookie' at top of api/login.go

* Add HttpOnly flag on redirect_to cookies where missing

* Refactor duplicated code

* Add tests

* Refactor cookie options

* Replace local function for deleting cookie

* Delete redundant calls

Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com>
2020-01-10 15:55:30 +02:00
Torkel Ödegaard
be2bf1a297
AuthProxy: Can now login with auth proxy and get a login token (#20175)
* AuthProxy: Can now login with auth proxy and get a login token

* added unit tests

* renamed setting and updated docs

* AuthProxy: minor tweak

* Fixed tests and namings

* spellfix

* fix

* remove unused setting, probably from merge conflict

* fix
2019-11-07 17:48:56 +01:00
Jon Gyllenswärd
53f8088316
Auth Proxy: replace ini setting ldap_sync_ttl with sync_ttl (#20191)
* Renamed ttl config in code to be more consistent with behaviour
* Introduced new setting `sync_ttl` in .ini file
* Keeping the old setting `ldap_sync_ttl` in the .ini file as fallback and compatibility.
2019-11-07 11:24:54 +01:00
Arve Knudsen
35e0e078b7
pkg/util: Check errors (#19832)
* pkg/util: Check errors
* pkg/services: DRY up code
2019-10-23 10:40:12 +02:00
Arve Knudsen
6e7c18fc1c
pkg/middleware: Check errors (#19749)
* pkg/middleware: Check errors
* pkg/middleware: Log when gzip middleware handler fails
2019-10-15 18:08:06 +02:00
gotjosh
0cbbb43222
LDAP: Add API endpoint to debug user mapping from LDAP (#18833)
* Move the ReloadLDAPCfg function to the debug file

Appears to be a better suite place for this.

* LDAP: Return the server information when we find a specific user

We allow you to specify multiple LDAP servers as part of LDAP authentication integration. As part of searching for specific users, we need to understand from which server they come from. Returning the server configuration as part of the search will help us do two things:

- Understand in which server we found the user
- Have access the groups specified as part of the server configuration

* LDAP: Adds the /api/admin/ldap/:username endpoint

This endpoint returns a user found within the configured LDAP server(s). Moreso, it provides the mapping information for the user to help administrators understand how the users would be created within Grafana based on the current configuration.

No changes are executed or saved to the database, this is all an in-memory representation of how the final result would look like.
2019-09-03 18:34:44 +01:00
Marcus Efraimsson
964c2e722f
Snapshot: Fix http api (#18830)
(cherry picked from commit be2e2330f5)
2019-09-02 15:15:46 +02:00
Oleg Gaidarenko
6ca1a6c8da
Auth: change the error HTTP status codes (#18584)
* Auth: change the error HTTP status codes

* Use 407 HTTP status code for incorrect credentials error

* Improve proxy auth logs

* Remove no longer needed TODO comment

Fixes #18439
2019-08-20 20:13:27 +03:00
kay delaney
fb0cec5591
Backend: Adds support for HTTP/2 (#18358)
* Backend: Adds support for HTTP/2

* Adds mozilla recommended ciphers

* Updates sample.ini and config documentation
2019-08-16 16:06:54 +01:00
Sofia Papagiannaki
4e29357d15
Backend: Do not set SameSite cookie attribute if cookie_samesite is none (#18462)
* Do not set SameSite login_error cookie attribute if cookie_samesite is none

* Do not set SameSite grafana_session cookie attribute if cookie_samesite is none

* Update middleware tests
2019-08-09 09:10:08 +03:00
Oleg Gaidarenko
d88fdc86fc Auth: Do not search for the user twice (#18366)
* Auth: Do not search for the user twice

Previously `initContextWithBasicAuth` did not use `LoginUserQuery`, doing
`GetUserByLoginQuery` only i.e. looking user in DB only, things changed when
this function started to check LDAP provider via `LoginUserQuery` (#6940),
however, this request was placed after `GetUserByLoginQuery`, so we first
looking in DB then in the LDAP - if LDAP user hasn't logged in we will
not find it in DB, so `LoginUserQuery` will never be reached.

`LoginUserQuery` request already performs `GetUserByLoginQuery`
request in correct sequence. So we can just remove redundant request.

* Correct sequence execution during authentification &
  introduce tests for it

* Move basic auth tests to separate test file, since main test file already
  pretty large

* Introduce `testing.go` for the middleware module

* Remove redundant test helper function

* Make handler names more explicit

Ref 5777f65d05
Fixes #18329

* Auth: address review comment
2019-08-03 21:50:05 +02:00
Oleg Gaidarenko
7e89a93b5f
Auth: introduce more tests for middleware module (#18365)
* Add tests for errors basic auth cases and moves tests to separate test-case.
Also names test cases consistently

* Add additional test helper

Ref 82661b9f69
2019-08-02 20:56:58 +03:00
Oleg Gaidarenko
82661b9f69 Auth: consistently return same basic auth errors (#18310)
* Auth: consistently return same basic auth errors

* Put repeated errors in consts and return only those consts as error strings

* Add tests for errors basic auth cases and moves tests to separate test-case.
  Also names test cases consistently

* Add more error logs and makes their messages consistent

* A bit of code style

* Add additional test helper

* Auth: do not expose even incorrect password

* Auth: address review comments

Use `Debug` for the cases when it's an user error
2019-08-02 11:16:31 +02:00
gotjosh
ed8aeb2999
Auth Proxy: Include additional headers as part of the cache key (#18298)
* Auth Proxy: Include additional headers as part of the cache key

Auth proxy has support to send additional user attributes as part of the
authentication flow. These attributes (e.g. Groups) need to be monitored
as part of the process in case of change.

This commit changes the way we compute the cache key to include all of the
attributes sent as part of the authentication request. That way, if we
change any user attributes we'll upsert the user information.
2019-07-31 11:23:00 +01:00
Oleg Gaidarenko
75fa1f0207 Metrics: use consistent naming for exported variables (#18134)
* Metrics: remove unused metrics

Metric `M_Grafana_Version` is not used anywhere, nor the mentioned
`M_Grafana_Build_Version`. Seems to be an artefact?

* Metrics: make the naming consistent

* Metrics: add comments to exported vars

* Metrics: use proper naming

Fixes #18110
2019-07-16 16:58:46 +02:00
gotjosh
332920954e
SAML: Show SAML login button even if OAuth is disabled (#17993)
* Move the SAML button outside of the oauth div
* Don't attempt to search cookies with an empty name
2019-07-09 10:15:52 +01:00
Oleg Gaidarenko
caa1314f44
Build: use golangci-lint as a make command (#17739)
* Build: use golangci-lint as a make command

* Since gometalinter was deprecated in favor of golangci-lint so it was
  replaced by it. Responsibilities held by the gometalinter was moved to
  golangci-lint

* There was some changes in implementation (that was also mentioned in
  the code comment) between the tools, which uncovered couple errors
  in the code. Those issues were either solved or disabled by
  the inline comments

* Introduce the golangci-lint config, to make their
  configuration more manageable

* Build: replace backend-lint.sh script with make
2019-07-02 16:06:59 +03:00
Sofia Papagiannaki
f3f03ceb6a
Auth Proxy: Respect auto_sign_up setting (#17843)
* Add test for disabled auth proxy auto signup option

* Set correctly auth proxy auto signup
2019-07-01 14:29:41 +03:00
Alexander Zobnin
c2affdee1e
OAuth: return github teams as a part of user info (enable team sync) (#17797)
* OAuth: github team sync POC

* OAuth: minor refactor of github module

* OAuth: able to use team shorthands for github team sync

* support passing a list of groups via auth-proxy header
2019-07-01 12:30:17 +03:00
Sofia Papagiannaki
dc9ec7dc91
Auth: Allow expiration of API keys (#17678)
* Modify backend to allow expiration of API Keys

* Add middleware test for expired api keys

* Modify frontend to enable expiration of API Keys

* Fix frontend tests

* Fix migration and add index for `expires` field

* Add api key tests for database access

* Substitude time.Now() by a mock for test usage

* Front-end modifications

* Change input label to `Time to live`
* Change input behavior to comply with the other similar
* Add tooltip

* Modify AddApiKey api call response

Expiration should be *time.Time instead of string

* Present expiration date in the selected timezone

* Use kbn for transforming intervals to seconds

* Use `assert` library for tests

* Frontend fixes

Add checks for empty/undefined/null values

* Change expires column from datetime to integer

* Restrict api key duration input

It should be interval not number

* AddApiKey must complain if SecondsToLive is negative

* Declare ErrInvalidApiKeyExpiration

* Move configuration to auth section

* Update docs

* Eliminate alias for models in modified files

* Omit expiration from api response if empty

* Eliminate Goconvey from test file

* Fix test

Do not sleep, use mocked timeNow() instead

* Remove index for expires from api_key table

The index should be anyway on both org_id and expires fields.
However this commit eliminates completely the index for now
since not many rows are expected to be in this table.

* Use getTimeZone function

* Minor change in api key listing

The frontend should display a message instead of empty string
if the key does not expire.
2019-06-26 09:47:03 +03:00
Kyle Brandt
bd08d8ce8e
middleware: fix Strict-Transport-Security header (#17644)
fixes #17641
2019-06-18 14:24:23 -04:00
Yann Verry
ed613194ac HTTPServer: Fix X-XSS-Protection header formatting (#17620)
Fixes #17619
2019-06-17 23:46:35 +02:00
Oleg Gaidarenko
1b1d951495 LDAP: refactoring (#17479)
* LDAP: use only one struct

* Use only models.ExternalUserInfo

* Add additional helper method :/

* Move all the helpers to one module

* LDAP: refactoring

* Rename some of the public methods and change their behaviour

* Remove outdated methods

* Simplify logic

* More tests
  There is no and never were tests for settings.go, added tests for helper
  methods (cover is now about 100% for them). Added tests for the main
  LDAP logic, but there is some stuff to add. Dial() is not tested and not
  decoupled. It might be a challenge to do it properly

* Restructure tests:
   * they wouldn't depend on external modules
   * more consistent naming
   * logical division

* More guards for erroneous paths

* Login: make login service an explicit dependency

* LDAP: remove no longer needed test helper fns

* LDAP: remove useless import

* LDAP: Use new interface in multildap module

* LDAP: corrections for the groups of multiple users

* In case there is several users their groups weren't detected correctly

* Simplify helpers module
2019-06-13 16:47:51 +02:00
Kyle Brandt
599514ad68
middleware: add security related HTTP(S) response headers (#17522)
* x_xss_protection
  * strict_transport_security (HSTS)
  * x_content_type_options

these are currently defaulted to false (off) until the next minor release.

fixes #17509
2019-06-12 13:15:50 +02:00
Kyle Brandt
826d33ea37
auth_proxy: non-negative cache TTL (#17495)
fixes setex error with redis on #17377
2019-06-10 15:25:23 +02:00
Marcus Efraimsson
b9181df212
Auth Proxy: Log any error in middleware (#17275)
Fixes so that errors happening in auth proxy middleware is logged.

Ref #17247
2019-05-27 10:38:17 +02:00
Oleg Gaidarenko
9b7f9dd9be
LDAP: consistently name the LDAP entities (#17203) 2019-05-22 15:30:03 +03:00
Mario Trangoni
66ba2aa524 Fix gosimple issues (#17179)
Signed-off-by: Mario Trangoni <mjtrangoni@gmail.com>
2019-05-21 07:50:44 +02:00
Oleg Gaidarenko
35f227de11
Feature: LDAP refactoring (#16950)
* incapsulates multipleldap logic under one module

* abstracts users upsert and get logic

* changes some of the text error messages and import sort sequence

* heavily refactors the LDAP module – LDAP module now only deals with LDAP related behaviour

* integrates affected auth_proxy module and their tests

* refactoring of the auth_proxy logic
2019-05-17 14:57:26 +03:00
Oleg Gaidarenko
79ac3fd699
Chore: remove use of == false (#17036)
Interestingly enough, golint or revive doesn't not prohibit
the use that construction :)

Ref #17035
2019-05-14 10:18:28 +03:00