IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2024-11-26 02:40:26 -06:00
Code Issues Packages Projects Releases Wiki Activity
180a587f70
grafana/pkg/services/authn/clients/proxy.go
Karl Persson 95ea4bad6f
AuthN: Rebuild Authenticate so we only have to call it once in context handler (#61705) 
* API: Add reqSignedIn to router groups

* AuthN: Add fall through in context handler

* AuthN: Add IsAnonymous field

* AuthN: add priority to context aware clients

* ContextHandler: Add comment

* AuthN: Add a simple priority queue

* AuthN: Add Name to client interface

* AuthN: register clients with function

* AuthN: update mock and fake to implement interface

* AuthN: rewrite test without reflection

* AuthN: add comment

* AuthN: fix queue insert

* AuthN: rewrite tests

* AuthN: make the queue generic so we can reuse it for hooks

* ContextHandler: Add fixme for auth headers

* AuthN: remove unused variable

* AuthN: use multierror

* AuthN: write proper tests for queue

* AuthN: Add queue item that can store the value and priority

Co-authored-by: Jo <joao.guerreiro@grafana.com>
2023-01-26 10:50:44 +01:00

156 lines
3.8 KiB
Go
Raw Blame History

package clients
import (
"context"
"fmt"
"net"
"path"
"strings"
"github.com/grafana/grafana/pkg/services/authn"
"github.com/grafana/grafana/pkg/setting"
"github.com/grafana/grafana/pkg/util"
"github.com/grafana/grafana/pkg/util/errutil"
)
const (
proxyFieldName = "Name"
proxyFieldEmail = "Email"
proxyFieldLogin = "Login"
proxyFieldRole = "Role"
proxyFieldGroups = "Groups"
)
var proxyFields = [...]string{proxyFieldName, proxyFieldEmail, proxyFieldLogin, proxyFieldRole, proxyFieldGroups}
var (
errNotAcceptedIP = errutil.NewBase(errutil.StatusUnauthorized, "auth-proxy.invalid-ip")
errEmptyProxyHeader = errutil.NewBase(errutil.StatusUnauthorized, "auth-proxy.empty-header")
errInvalidProxyHeader = errutil.NewBase(errutil.StatusInternal, "auth-proxy.invalid-proxy-header")
)
var _ authn.ContextAwareClient = new(Proxy)
func ProvideProxy(cfg *setting.Cfg, clients ...authn.ProxyClient) (*Proxy, error) {
list, err := parseAcceptList(cfg.AuthProxyWhitelist)
if err != nil {
return nil, err
}
return &Proxy{cfg, clients, list}, nil
}
type Proxy struct {
cfg *setting.Cfg
clients []authn.ProxyClient
acceptedIPs []*net.IPNet
}
func (c *Proxy) Name() string {
return authn.ClientProxy
}
func (c *Proxy) Authenticate(ctx context.Context, r *authn.Request) (*authn.Identity, error) {
if !c.isAllowedIP(r) {
return nil, errNotAcceptedIP.Errorf("request ip is not in the configured accept list")
}
username := getProxyHeader(r, c.cfg.AuthProxyHeaderName, c.cfg.AuthProxyHeadersEncoded)
if len(username) == 0 {
return nil, errEmptyProxyHeader.Errorf("no username provided in auth proxy header")
}
additional := getAdditionalProxyHeaders(r, c.cfg)
// FIXME: add cache to prevent sync on every request
var clientErr error
for _, proxyClient := range c.clients {
var identity *authn.Identity
identity, clientErr = proxyClient.AuthenticateProxy(ctx, r, username, additional)
if identity != nil {
return identity, nil
}
}
return nil, clientErr
}
func (c *Proxy) Test(ctx context.Context, r *authn.Request) bool {
return len(getProxyHeader(r, c.cfg.AuthProxyHeaderName, c.cfg.AuthProxyHeadersEncoded)) != 0
}
func (c *Proxy) Priority() uint {
return 50
}
func (c *Proxy) isAllowedIP(r *authn.Request) bool {
if len(c.acceptedIPs) == 0 {
return true
}
host, _, err := net.SplitHostPort(r.HTTPRequest.RemoteAddr)
if err != nil {
return false
}
ip := net.ParseIP(host)
for _, v := range c.acceptedIPs {
if v.Contains(ip) {
return true
}
}
return false
}
func parseAcceptList(s string) ([]*net.IPNet, error) {
if len(strings.TrimSpace(s)) == 0 {
return nil, nil
}
addresses := strings.Split(s, ",")
list := make([]*net.IPNet, 0, len(addresses))
for _, addr := range addresses {
result, err := coerceProxyAddress(addr)
if err != nil {
return nil, err
}
list = append(list, result)
}
return list, nil
}
// coerceProxyAddress gets network of the presented CIDR notation
func coerceProxyAddress(proxyAddr string) (*net.IPNet, error) {
proxyAddr = strings.TrimSpace(proxyAddr)
if !strings.Contains(proxyAddr, "/") {
proxyAddr = path.Join(proxyAddr, "32")
}
_, network, err := net.ParseCIDR(proxyAddr)
if err != nil {
return nil, fmt.Errorf("could not parse the network: %w", err)
}
return network, nil
}
func getProxyHeader(r *authn.Request, headerName string, encoded bool) string {
if r.HTTPRequest == nil {
return ""
}
v := r.HTTPRequest.Header.Get(headerName)
if encoded {
v = util.DecodeQuotedPrintable(v)
}
return v
}
func getAdditionalProxyHeaders(r *authn.Request, cfg *setting.Cfg) map[string]string {
additional := make(map[string]string, len(proxyFields))
for _, k := range proxyFields {
if v := getProxyHeader(r, cfg.AuthProxyHeaders[k], cfg.AuthProxyHeadersEncoded); v != "" {
additional[k] = v
}
}
return additional
}
Reference in New Issue View Git Blame Copy Permalink