mirror of
https://github.com/grafana/grafana.git
synced 2024-11-26 10:50:37 -06:00
382b24742a
* FeatureToggle: Add toggle to use a new way of rotating tokens * API: Add endpoints to perform token rotation, one endpoint for api request and one endpoint for redirectsd * Auth: Aling not authorized handling between auth middleware and access control middleware * API: add utility function to get redirect for login * API: Handle token rotation redirect for login page * Frontend: Add job scheduling for token rotation and make call to token rotation as fallback in retry request * ContextHandler: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * AuthN: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * Cookies: Add option NotHttpOnly * AuthToken: Add helper function to get next rotation time and another function to check if token need to be rotated * AuthN: Add function to delete session cookie and set expiry cookie Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
87 lines
2.4 KiB
Go
87 lines
2.4 KiB
Go
package auth
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"net"
|
|
|
|
"github.com/grafana/grafana/pkg/models/usertoken"
|
|
"github.com/grafana/grafana/pkg/registry"
|
|
"github.com/grafana/grafana/pkg/services/auth/jwt"
|
|
"github.com/grafana/grafana/pkg/services/quota"
|
|
"github.com/grafana/grafana/pkg/services/user"
|
|
)
|
|
|
|
const (
|
|
QuotaTargetSrv quota.TargetSrv = "auth"
|
|
QuotaTarget quota.Target = "session"
|
|
)
|
|
|
|
// Typed errors
|
|
var (
|
|
ErrUserTokenNotFound = errors.New("user token not found")
|
|
ErrInvalidSessionToken = usertoken.ErrInvalidSessionToken
|
|
)
|
|
|
|
type (
|
|
TokenRevokedError = usertoken.TokenRevokedError
|
|
UserToken = usertoken.UserToken
|
|
)
|
|
|
|
// CreateTokenErr represents a token creation error; used in Enterprise
|
|
type CreateTokenErr struct {
|
|
StatusCode int
|
|
InternalErr error
|
|
ExternalErr string
|
|
}
|
|
|
|
func (e *CreateTokenErr) Error() string {
|
|
if e.InternalErr != nil {
|
|
return e.InternalErr.Error()
|
|
}
|
|
return "failed to create token"
|
|
}
|
|
|
|
type TokenExpiredError struct {
|
|
UserID int64
|
|
TokenID int64
|
|
}
|
|
|
|
func (e *TokenExpiredError) Unwrap() error { return ErrInvalidSessionToken }
|
|
|
|
func (e *TokenExpiredError) Error() string {
|
|
return fmt.Sprintf("%s: user token expired", ErrInvalidSessionToken)
|
|
}
|
|
|
|
type RevokeAuthTokenCmd struct {
|
|
AuthTokenId int64 `json:"authTokenId"`
|
|
}
|
|
|
|
type RotateCommand struct {
|
|
// token is the un-hashed token
|
|
UnHashedToken string
|
|
IP net.IP
|
|
UserAgent string
|
|
}
|
|
|
|
// UserTokenService are used for generating and validating user tokens
|
|
type UserTokenService interface {
|
|
CreateToken(ctx context.Context, user *user.User, clientIP net.IP, userAgent string) (*UserToken, error)
|
|
LookupToken(ctx context.Context, unhashedToken string) (*UserToken, error)
|
|
// RotateToken will always rotate a valid token
|
|
RotateToken(ctx context.Context, cmd RotateCommand) (*UserToken, error)
|
|
TryRotateToken(ctx context.Context, token *UserToken, clientIP net.IP, userAgent string) (bool, *UserToken, error)
|
|
RevokeToken(ctx context.Context, token *UserToken, soft bool) error
|
|
RevokeAllUserTokens(ctx context.Context, userId int64) error
|
|
GetUserToken(ctx context.Context, userId, userTokenId int64) (*UserToken, error)
|
|
GetUserTokens(ctx context.Context, userId int64) ([]*UserToken, error)
|
|
GetUserRevokedTokens(ctx context.Context, userId int64) ([]*UserToken, error)
|
|
}
|
|
|
|
type UserTokenBackgroundService interface {
|
|
registry.BackgroundService
|
|
}
|
|
|
|
type JWTVerifierService = jwt.JWTService
|