mirror of
https://github.com/grafana/grafana.git
synced 2024-11-29 12:14:08 -06:00
5340a6e548
* reenable ext-jwt-client * fixup settings struct * add user and service auth * lint up * add user auth to grafana ext * fixes * Populate token permissions Co-authored-by: jguer <joao.guerreiro@grafana.com> * fix tests * fix lint * small prealloc * small prealloc * use special namespace for access policies * fix access policy auth * fix tests * fix uncalled settings expander * add feature toggle * small feedback fixes * rename entitlements to permissions * add authlibn * allow viewing the signed in user info for non user namespace * fix invalid namespacedID * use authlib as verifier for tokens * Update pkg/services/authn/clients/ext_jwt.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/authn/clients/ext_jwt_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * fix parameter names * change asserts to normal package * add rule for assert * fix ownerships * Local diff * test and lint * Fix test * Fix ac test * Fix pluginproxy test * Revert testdata changes * Force revert on test data --------- Co-authored-by: gamab <gabriel.mabille@grafana.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
206 lines
7.9 KiB
Go
206 lines
7.9 KiB
Go
package proxyutil
|
|
|
|
import (
|
|
"net/http"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/require"
|
|
|
|
"github.com/grafana/grafana/pkg/services/user"
|
|
)
|
|
|
|
func TestPrepareProxyRequest(t *testing.T) {
|
|
t.Run("Prepare proxy request should clear Origin and Referer headers", func(t *testing.T) {
|
|
req, err := http.NewRequest(http.MethodGet, "/", nil)
|
|
require.NoError(t, err)
|
|
req.Header.Set("Origin", "https://host.com")
|
|
req.Header.Set("Referer", "https://host.com/dashboard")
|
|
|
|
PrepareProxyRequest(req)
|
|
require.NotContains(t, req.Header, "Origin")
|
|
require.NotContains(t, req.Header, "Referer")
|
|
})
|
|
|
|
t.Run("Prepare proxy request should set X-Grafana-Referer header", func(t *testing.T) {
|
|
req, err := http.NewRequest(http.MethodGet, "/", nil)
|
|
require.NoError(t, err)
|
|
req.Header.Set("Referer", "https://host.com/dashboard")
|
|
|
|
PrepareProxyRequest(req)
|
|
require.Contains(t, req.Header, "X-Grafana-Referer")
|
|
require.Equal(t, "https://host.com/dashboard", req.Header.Get("X-Grafana-Referer"))
|
|
})
|
|
|
|
t.Run("Prepare proxy request X-Grafana-Referer handles multiline", func(t *testing.T) {
|
|
req, err := http.NewRequest(http.MethodGet, "/", nil)
|
|
require.NoError(t, err)
|
|
req.Header.Set("Referer", "https://www.google.ch\r\nOtherHeader:https://www.somethingelse.com")
|
|
|
|
PrepareProxyRequest(req)
|
|
require.Contains(t, req.Header, "X-Grafana-Referer")
|
|
require.NotContains(t, req.Header, "OtherHeader")
|
|
require.Equal(t, "https://www.google.ch\r\nOtherHeader:https://www.somethingelse.com", req.Header.Get("X-Grafana-Referer"))
|
|
})
|
|
|
|
t.Run("Prepare proxy request should clear X-Forwarded headers", func(t *testing.T) {
|
|
req, err := http.NewRequest(http.MethodGet, "/", nil)
|
|
require.NoError(t, err)
|
|
req.Header.Set("X-Forwarded-Host", "host")
|
|
req.Header.Set("X-Forwarded-Port", "123")
|
|
req.Header.Set("X-Forwarded-Proto", "http1")
|
|
|
|
PrepareProxyRequest(req)
|
|
require.NotContains(t, req.Header, "X-Forwarded-Host")
|
|
require.NotContains(t, req.Header, "X-Forwarded-Port")
|
|
require.NotContains(t, req.Header, "X-Forwarded-Proto")
|
|
})
|
|
|
|
t.Run("Prepare proxy request should set X-Forwarded-For", func(t *testing.T) {
|
|
req, err := http.NewRequest(http.MethodGet, "/", nil)
|
|
req.RemoteAddr = "127.0.0.1:1234"
|
|
require.NoError(t, err)
|
|
|
|
PrepareProxyRequest(req)
|
|
require.Contains(t, req.Header, "X-Forwarded-For")
|
|
require.Equal(t, "127.0.0.1", req.Header.Get("X-Forwarded-For"))
|
|
})
|
|
|
|
t.Run("Prepare proxy request should append client ip at the end of X-Forwarded-For", func(t *testing.T) {
|
|
req, err := http.NewRequest(http.MethodGet, "/", nil)
|
|
req.RemoteAddr = "127.0.0.1:1234"
|
|
req.Header.Set("X-Forwarded-For", "192.168.0.1")
|
|
require.NoError(t, err)
|
|
|
|
PrepareProxyRequest(req)
|
|
require.Contains(t, req.Header, "X-Forwarded-For")
|
|
require.Equal(t, "192.168.0.1, 127.0.0.1", req.Header.Get("X-Forwarded-For"))
|
|
})
|
|
}
|
|
|
|
func TestClearCookieHeader(t *testing.T) {
|
|
t.Run("Clear cookie header should clear Cookie header", func(t *testing.T) {
|
|
req, err := http.NewRequest(http.MethodGet, "/", nil)
|
|
require.NoError(t, err)
|
|
req.AddCookie(&http.Cookie{Name: "cookie"})
|
|
|
|
ClearCookieHeader(req, nil, nil)
|
|
require.NotContains(t, req.Header, "Cookie")
|
|
})
|
|
|
|
t.Run("Clear cookie header with cookies to keep should clear Cookie header and keep cookies", func(t *testing.T) {
|
|
req, err := http.NewRequest(http.MethodGet, "/", nil)
|
|
require.NoError(t, err)
|
|
req.AddCookie(&http.Cookie{Name: "cookie1"})
|
|
req.AddCookie(&http.Cookie{Name: "cookie2"})
|
|
req.AddCookie(&http.Cookie{Name: "cookie3"})
|
|
|
|
ClearCookieHeader(req, []string{"cookie1", "cookie3"}, nil)
|
|
require.Contains(t, req.Header, "Cookie")
|
|
require.Equal(t, "cookie1=; cookie3=", req.Header.Get("Cookie"))
|
|
})
|
|
|
|
t.Run("Clear cookie header with cookies to keep and skip should clear Cookie header and keep cookies", func(t *testing.T) {
|
|
req, err := http.NewRequest(http.MethodGet, "/", nil)
|
|
require.NoError(t, err)
|
|
req.AddCookie(&http.Cookie{Name: "cookie1"})
|
|
req.AddCookie(&http.Cookie{Name: "cookie2"})
|
|
req.AddCookie(&http.Cookie{Name: "cookie3"})
|
|
|
|
ClearCookieHeader(req, []string{"cookie1", "cookie3"}, []string{"cookie3"})
|
|
require.Contains(t, req.Header, "Cookie")
|
|
require.Equal(t, "cookie1=", req.Header.Get("Cookie"))
|
|
})
|
|
|
|
t.Run("Clear cookie header with cookies to keep should clear Cookie header and keep cookies with optional matching", func(t *testing.T) {
|
|
req, err := http.NewRequest(http.MethodGet, "/", nil)
|
|
require.NoError(t, err)
|
|
req.AddCookie(&http.Cookie{Name: "cookie1"})
|
|
req.AddCookie(&http.Cookie{Name: "cookie3"})
|
|
|
|
ClearCookieHeader(req, []string{"cookie[]"}, nil)
|
|
require.Contains(t, req.Header, "Cookie")
|
|
require.Equal(t, "cookie1=; cookie3=", req.Header.Get("Cookie"))
|
|
})
|
|
|
|
t.Run("Clear cookie header with cookies to keep should clear Cookie header and keep cookies with matching pattern but with empty matching option", func(t *testing.T) {
|
|
req, err := http.NewRequest(http.MethodGet, "/", nil)
|
|
require.NoError(t, err)
|
|
req.AddCookie(&http.Cookie{Name: "cookie1"})
|
|
req.AddCookie(&http.Cookie{Name: "cookie2"})
|
|
req.AddCookie(&http.Cookie{Name: "cookie3"})
|
|
|
|
ClearCookieHeader(req, []string{"cookie[]"}, []string{"cookie2"})
|
|
require.Contains(t, req.Header, "Cookie")
|
|
require.Equal(t, "cookie1=; cookie3=", req.Header.Get("Cookie"))
|
|
})
|
|
|
|
t.Run("Clear cookie header with cookie match pattern to keep and skip should clear Cookie header and keep cookies", func(t *testing.T) {
|
|
req, err := http.NewRequest(http.MethodGet, "/", nil)
|
|
require.NoError(t, err)
|
|
req.AddCookie(&http.Cookie{Name: "cook1"})
|
|
req.AddCookie(&http.Cookie{Name: "special23"})
|
|
req.AddCookie(&http.Cookie{Name: "special_1asd987dsf9a"})
|
|
req.AddCookie(&http.Cookie{Name: "c00k1e"})
|
|
|
|
ClearCookieHeader(req, []string{"special_[]"}, nil)
|
|
require.Contains(t, req.Header, "Cookie")
|
|
require.Equal(t, "special_1asd987dsf9a=", req.Header.Get("Cookie"))
|
|
})
|
|
|
|
t.Run("Clear cookie header with cookie should not match BAD pattern and return no cookies", func(t *testing.T) {
|
|
req, err := http.NewRequest(http.MethodGet, "/", nil)
|
|
require.NoError(t, err)
|
|
req.AddCookie(&http.Cookie{Name: "cookie1"})
|
|
req.AddCookie(&http.Cookie{Name: "special23"})
|
|
|
|
ClearCookieHeader(req, []string{"[]cookie"}, nil)
|
|
require.NotContains(t, req.Header, "Cookie")
|
|
})
|
|
|
|
t.Run("Clear cookie header with cookie should match all cookies when keepCookies is *", func(t *testing.T) {
|
|
req, err := http.NewRequest(http.MethodGet, "/", nil)
|
|
require.NoError(t, err)
|
|
req.AddCookie(&http.Cookie{Name: "cookie1"})
|
|
req.AddCookie(&http.Cookie{Name: "special23"})
|
|
|
|
ClearCookieHeader(req, []string{"[]"}, nil)
|
|
require.Equal(t, "cookie1=; special23=", req.Header.Get("Cookie"))
|
|
})
|
|
}
|
|
|
|
func TestApplyUserHeader(t *testing.T) {
|
|
t.Run("Should not apply user header when not enabled, should remove the existing", func(t *testing.T) {
|
|
req, err := http.NewRequest(http.MethodGet, "/", nil)
|
|
require.NoError(t, err)
|
|
req.Header.Set("X-Grafana-User", "admin")
|
|
|
|
ApplyUserHeader(false, req, &user.SignedInUser{Login: "admin", NamespacedID: "user:1"})
|
|
require.NotContains(t, req.Header, "X-Grafana-User")
|
|
})
|
|
|
|
t.Run("Should not apply user header when user is nil, should remove the existing", func(t *testing.T) {
|
|
req, err := http.NewRequest(http.MethodGet, "/", nil)
|
|
require.NoError(t, err)
|
|
req.Header.Set("X-Grafana-User", "admin")
|
|
|
|
ApplyUserHeader(false, req, nil)
|
|
require.NotContains(t, req.Header, "X-Grafana-User")
|
|
})
|
|
|
|
t.Run("Should not apply user header for anonomous user", func(t *testing.T) {
|
|
req, err := http.NewRequest(http.MethodGet, "/", nil)
|
|
require.NoError(t, err)
|
|
|
|
ApplyUserHeader(true, req, &user.SignedInUser{IsAnonymous: true, NamespacedID: "anonymous:1"})
|
|
require.NotContains(t, req.Header, "X-Grafana-User")
|
|
})
|
|
|
|
t.Run("Should apply user header for non-anonomous user", func(t *testing.T) {
|
|
req, err := http.NewRequest(http.MethodGet, "/", nil)
|
|
require.NoError(t, err)
|
|
|
|
ApplyUserHeader(true, req, &user.SignedInUser{Login: "admin", NamespacedID: "user:1"})
|
|
require.Equal(t, "admin", req.Header.Get("X-Grafana-User"))
|
|
})
|
|
}
|