* Chore: Fix issues reported by staticcheck Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Undo changes Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Chore: Fix issues reported by staticcheck Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix test Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix test Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
package login
|
|
|
|
import (
|
|
"errors"
|
|
|
|
"github.com/grafana/grafana/pkg/bus"
|
|
"github.com/grafana/grafana/pkg/infra/log"
|
|
"github.com/grafana/grafana/pkg/models"
|
|
"github.com/grafana/grafana/pkg/services/ldap"
|
|
)
|
|
|
|
// Sentinel errors exposed by the login package. Callers are expected to
// compare against these values rather than match on the message text.
var (
	// Credential and account-state failures.

	// ErrInvalidCredentials is the single error AuthenticateUser returns for
	// a rejected username/password pair, whichever backend rejected it. The
	// message does not say which of the two values was wrong.
	ErrInvalidCredentials = errors.New("invalid username or password")
	// ErrPasswordEmpty is returned by validatePasswordSet for a zero-length
	// password.
	ErrPasswordEmpty = errors.New("no password provided")
	// ErrTooManyLoginAttempts reports that login for the user is temporarily
	// blocked after consecutive incorrect attempts.
	// NOTE(review): this message and ErrUserDisabled describe account state;
	// confirm how much of either is shown to an unauthenticated client.
	ErrTooManyLoginAttempts = errors.New("too many consecutive incorrect login attempts for user - login for user temporarily blocked")
	// ErrUserDisabled reports that the account exists but is disabled.
	ErrUserDisabled = errors.New("user is disabled")

	// Failures reported for external login providers.

	// ErrEmailNotAllowed reports that the required email domain was not met.
	ErrEmailNotAllowed = errors.New("required email domain not fulfilled")
	// ErrNoEmail reports that the login provider returned no email address.
	ErrNoEmail = errors.New("login provider didn't return an email address")
	// ErrProviderDeniedRequest reports that the login provider denied the
	// login request.
	ErrProviderDeniedRequest = errors.New("login provider denied login request")
	// ErrSignUpNotAllowed reports that signup is not allowed for the adapter.
	ErrSignUpNotAllowed = errors.New("signup is not allowed for this adapter")

	// Failures for the redirect_to cookie value. The validation that produces
	// them is not in this file; presumably it guards the post-login redirect
	// target (confirm against the caller).

	// ErrAbsoluteRedirectTo reports an absolute URL in the redirect_to cookie.
	ErrAbsoluteRedirectTo = errors.New("absolute URLs are not allowed for redirect_to cookie value")
	// ErrInvalidRedirectTo reports an invalid redirect_to cookie value.
	ErrInvalidRedirectTo = errors.New("invalid redirect_to cookie value")
	// ErrForbiddenRedirectTo reports a forbidden redirect_to cookie value.
	ErrForbiddenRedirectTo = errors.New("forbidden redirect_to cookie value")
)
|
|
|
|
// loginLogger is the package-level logger, created under the name "login".
// AuthenticateUser uses it to report a failure to persist an invalid login
// attempt.
var loginLogger = log.New("login")
|
|
|
|
// Init registers AuthenticateUser on the bus under the handler name "auth".
func Init() {
	const handlerName = "auth"

	bus.AddHandler(handlerName, AuthenticateUser)
}
|
|
|
|
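// AuthenticateUser authenticates the user via username & password.
//
// The Grafana database is tried first. LDAP is consulted only when the
// database reports models.ErrUserNotFound, ErrInvalidCredentials or
// ErrUserDisabled. query.AuthModule is set to the backend that produced the
// outcome ("grafana" or models.AuthModuleLDAP).
//
// Sentinel errors are matched with errors.Is rather than ==, so that a
// backend which wraps a sentinel with extra context still takes the
// invalid-credentials path and the failed attempt is still recorded.
//
// Returns nil on success. A rejected password from either backend is reported
// as ErrInvalidCredentials after the attempt has been recorded. Any other
// error is passed through unchanged.
//
// NOTE(review): models.ErrUserNotFound (LDAP disabled) and ErrUserDisabled are
// returned as-is and are not recorded as failed attempts. If the caller shows
// them to the client differently from ErrInvalidCredentials, the response
// reveals whether an account exists — confirm the caller's mapping.
func AuthenticateUser(query *models.LoginUserQuery) error {
	// Checked before any credential is looked at; presumably this is where
	// the temporary block behind ErrTooManyLoginAttempts is enforced.
	if err := validateLoginAttempts(query.Username); err != nil {
		return err
	}

	if err := validatePasswordSet(query.Password); err != nil {
		return err
	}

	err := loginUsingGrafanaDB(query)
	tryLDAP := errors.Is(err, models.ErrUserNotFound) ||
		errors.Is(err, ErrInvalidCredentials) ||
		errors.Is(err, ErrUserDisabled)
	if err == nil || !tryLDAP {
		// Success, or a failure that LDAP cannot resolve (e.g. a storage error).
		query.AuthModule = "grafana"
		return err
	}

	ldapEnabled, ldapErr := loginUsingLDAP(query)
	if ldapEnabled {
		query.AuthModule = models.AuthModuleLDAP

		// LDAP success (nil) and every LDAP failure other than a rejected
		// password are final.
		if !errors.Is(ldapErr, ldap.ErrInvalidCredentials) {
			return ldapErr
		}

		// LDAP rejected the password. Keep ErrUserDisabled from the database
		// if that is what it reported; otherwise the LDAP result replaces the
		// database error.
		if !errors.Is(err, ErrUserDisabled) {
			err = ldapErr
		}
	}

	if errors.Is(err, ErrInvalidCredentials) || errors.Is(err, ldap.ErrInvalidCredentials) {
		// Best effort: a failure to persist the attempt must not change the
		// answer given to the caller. Log only the storage error; the query
		// carries the password and must not be added to the log fields.
		if saveErr := saveInvalidLoginAttempt(query); saveErr != nil {
			loginLogger.Error("Failed to save invalid login attempt", "err", saveErr)
		}

		// Collapse both backends' rejections into one package-level error.
		return ErrInvalidCredentials
	}

	return err
}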
|
|
|
|
// validatePasswordSet rejects a zero-length password with ErrPasswordEmpty and
// returns nil for anything else. Only the length is checked: a password made
// up of whitespace is accepted here.
func validatePasswordSet(password string) error {
	if password != "" {
		return nil
	}

	return ErrPasswordEmpty
}
|