mirror of
https://github.com/grafana/grafana.git
synced 2024-11-26 02:40:26 -06:00
e4afc8d518
The arching goal of this commit is to enable single user synchronisation with LDAP. Also, it included minor fixes of style, error messages and minor bug fixing. The changes are: - bug: The `multildap` package has its own errors when the user is not found. We fixed the conditional branch on this error by asserting on the `multildap` errors as opposed to the `ldap` one - bug: The previous interface usage of `RevokeAllUserTokens` did not work as expected. This replaces the manual injection of the service by leveraging the service injected as part of the `server` struct. - chore: Better error messages around not finding the user in LDAP. - fix: Enable the single sync button and disable it when we receive an error from LDAP. Please note, that you can enable it by dispatching the error. This allows you to try again without having to reload the page. - fix: Move the sync info to the top, then move the sync button above that information and clearfix to have more harmony with the UI.
339 lines
9.7 KiB
Go
339 lines
9.7 KiB
Go
package api
|
|
|
|
import (
|
|
"fmt"
|
|
"net/http"
|
|
|
|
"github.com/grafana/grafana/pkg/bus"
|
|
"github.com/grafana/grafana/pkg/infra/log"
|
|
"github.com/grafana/grafana/pkg/login"
|
|
"github.com/grafana/grafana/pkg/models"
|
|
"github.com/grafana/grafana/pkg/services/ldap"
|
|
"github.com/grafana/grafana/pkg/services/multildap"
|
|
"github.com/grafana/grafana/pkg/setting"
|
|
"github.com/grafana/grafana/pkg/util"
|
|
)
|
|
|
|
var (
|
|
getLDAPConfig = multildap.GetConfig
|
|
newLDAP = multildap.New
|
|
|
|
logger = log.New("LDAP.debug")
|
|
|
|
errOrganizationNotFound = func(orgId int64) error {
|
|
return fmt.Errorf("Unable to find organization with ID '%d'", orgId)
|
|
}
|
|
)
|
|
|
|
// LDAPAttribute is a serializer for user attributes mapped from LDAP. Is meant to display both the serialized value and the LDAP key we received it from.
|
|
type LDAPAttribute struct {
|
|
ConfigAttributeValue string `json:"cfgAttrValue"`
|
|
LDAPAttributeValue string `json:"ldapValue"`
|
|
}
|
|
|
|
// RoleDTO is a serializer for mapped roles from LDAP
|
|
type LDAPRoleDTO struct {
|
|
OrgId int64 `json:"orgId"`
|
|
OrgName string `json:"orgName"`
|
|
OrgRole models.RoleType `json:"orgRole"`
|
|
GroupDN string `json:"groupDN"`
|
|
}
|
|
|
|
// LDAPUserDTO is a serializer for users mapped from LDAP
|
|
type LDAPUserDTO struct {
|
|
Name *LDAPAttribute `json:"name"`
|
|
Surname *LDAPAttribute `json:"surname"`
|
|
Email *LDAPAttribute `json:"email"`
|
|
Username *LDAPAttribute `json:"login"`
|
|
IsGrafanaAdmin *bool `json:"isGrafanaAdmin"`
|
|
IsDisabled bool `json:"isDisabled"`
|
|
OrgRoles []LDAPRoleDTO `json:"roles"`
|
|
Teams []models.TeamOrgGroupDTO `json:"teams"`
|
|
}
|
|
|
|
// LDAPServerDTO is a serializer for LDAP server statuses
|
|
type LDAPServerDTO struct {
|
|
Host string `json:"host"`
|
|
Port int `json:"port"`
|
|
Available bool `json:"available"`
|
|
Error string `json:"error"`
|
|
}
|
|
|
|
// FetchOrgs fetches the organization(s) information by executing a single query to the database. Then, populating the DTO with the information retrieved.
|
|
func (user *LDAPUserDTO) FetchOrgs() error {
|
|
orgIds := []int64{}
|
|
|
|
for _, or := range user.OrgRoles {
|
|
orgIds = append(orgIds, or.OrgId)
|
|
}
|
|
|
|
q := &models.SearchOrgsQuery{}
|
|
q.Ids = orgIds
|
|
|
|
if err := bus.Dispatch(q); err != nil {
|
|
return err
|
|
}
|
|
|
|
orgNamesById := map[int64]string{}
|
|
for _, org := range q.Result {
|
|
orgNamesById[org.Id] = org.Name
|
|
}
|
|
|
|
for i, orgDTO := range user.OrgRoles {
|
|
if orgDTO.OrgId < 1 {
|
|
continue
|
|
}
|
|
|
|
orgName := orgNamesById[orgDTO.OrgId]
|
|
|
|
if orgName != "" {
|
|
user.OrgRoles[i].OrgName = orgName
|
|
} else {
|
|
return errOrganizationNotFound(orgDTO.OrgId)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// ReloadLDAPCfg reloads the LDAP configuration
|
|
func (server *HTTPServer) ReloadLDAPCfg() Response {
|
|
if !ldap.IsEnabled() {
|
|
return Error(http.StatusBadRequest, "LDAP is not enabled", nil)
|
|
}
|
|
|
|
err := ldap.ReloadConfig()
|
|
if err != nil {
|
|
return Error(http.StatusInternalServerError, "Failed to reload LDAP config", err)
|
|
}
|
|
return Success("LDAP config reloaded")
|
|
}
|
|
|
|
// GetLDAPStatus attempts to connect to all the configured LDAP servers and returns information on whenever they're availabe or not.
|
|
func (server *HTTPServer) GetLDAPStatus(c *models.ReqContext) Response {
|
|
if !ldap.IsEnabled() {
|
|
return Error(http.StatusBadRequest, "LDAP is not enabled", nil)
|
|
}
|
|
|
|
ldapConfig, err := getLDAPConfig()
|
|
|
|
if err != nil {
|
|
return Error(http.StatusBadRequest, "Failed to obtain the LDAP configuration. Please verify the configuration and try again", err)
|
|
}
|
|
|
|
ldap := newLDAP(ldapConfig.Servers)
|
|
|
|
if ldap == nil {
|
|
return Error(http.StatusInternalServerError, "Failed to find the LDAP server", nil)
|
|
}
|
|
|
|
statuses, err := ldap.Ping()
|
|
|
|
if err != nil {
|
|
return Error(http.StatusBadRequest, "Failed to connect to the LDAP server(s)", err)
|
|
}
|
|
|
|
serverDTOs := []*LDAPServerDTO{}
|
|
for _, status := range statuses {
|
|
s := &LDAPServerDTO{
|
|
Host: status.Host,
|
|
Available: status.Available,
|
|
Port: status.Port,
|
|
}
|
|
|
|
if status.Error != nil {
|
|
s.Error = status.Error.Error()
|
|
}
|
|
|
|
serverDTOs = append(serverDTOs, s)
|
|
}
|
|
|
|
return JSON(http.StatusOK, serverDTOs)
|
|
}
|
|
|
|
// PostSyncUserWithLDAP enables a single Grafana user to be synchronized against LDAP
|
|
func (server *HTTPServer) PostSyncUserWithLDAP(c *models.ReqContext) Response {
|
|
if !ldap.IsEnabled() {
|
|
return Error(http.StatusBadRequest, "LDAP is not enabled", nil)
|
|
}
|
|
|
|
ldapConfig, err := getLDAPConfig()
|
|
|
|
if err != nil {
|
|
return Error(http.StatusBadRequest, "Failed to obtain the LDAP configuration. Please verify the configuration and try again", err)
|
|
}
|
|
|
|
userId := c.ParamsInt64(":id")
|
|
|
|
query := models.GetUserByIdQuery{Id: userId}
|
|
|
|
if err := bus.Dispatch(&query); err != nil { // validate the userId exists
|
|
if err == models.ErrUserNotFound {
|
|
return Error(404, models.ErrUserNotFound.Error(), nil)
|
|
}
|
|
|
|
return Error(500, "Failed to get user", err)
|
|
}
|
|
|
|
authModuleQuery := &models.GetAuthInfoQuery{UserId: query.Result.Id, AuthModule: models.AuthModuleLDAP}
|
|
|
|
if err := bus.Dispatch(authModuleQuery); err != nil { // validate the userId comes from LDAP
|
|
if err == models.ErrUserNotFound {
|
|
return Error(404, models.ErrUserNotFound.Error(), nil)
|
|
}
|
|
|
|
return Error(500, "Failed to get user", err)
|
|
}
|
|
|
|
ldapServer := newLDAP(ldapConfig.Servers)
|
|
user, _, err := ldapServer.User(query.Result.Login)
|
|
|
|
if err != nil {
|
|
if err == multildap.ErrDidNotFindUser { // User was not in the LDAP server - we need to take action:
|
|
if setting.AdminUser == query.Result.Login { // User is *the* Grafana Admin. We cannot disable it.
|
|
errMsg := fmt.Sprintf(`Refusing to sync grafana super admin "%s" - it would be disabled`, query.Result.Login)
|
|
logger.Error(errMsg)
|
|
return Error(http.StatusBadRequest, errMsg, err)
|
|
}
|
|
|
|
// Since the user was not in the LDAP server. Let's disable it.
|
|
err := login.DisableExternalUser(query.Result.Login)
|
|
|
|
if err != nil {
|
|
return Error(http.StatusInternalServerError, "Failed to disable the user", err)
|
|
}
|
|
|
|
err = server.AuthTokenService.RevokeAllUserTokens(c.Req.Context(), userId)
|
|
if err != nil {
|
|
return Error(http.StatusInternalServerError, "Failed to remove session tokens for the user", err)
|
|
}
|
|
|
|
return Error(http.StatusBadRequest, "User not found in LDAP. Disabled the user without updating information", nil) // should this be a success?
|
|
}
|
|
|
|
logger.Debug("Failed to sync the user with LDAP", "err", err)
|
|
return Error(http.StatusBadRequest, "Something went wrong while finding the user in LDAP", err)
|
|
}
|
|
|
|
upsertCmd := &models.UpsertUserCommand{
|
|
ExternalUser: user,
|
|
SignupAllowed: setting.LDAPAllowSignup,
|
|
}
|
|
|
|
err = bus.Dispatch(upsertCmd)
|
|
|
|
if err != nil {
|
|
return Error(http.StatusInternalServerError, "Failed to udpate the user", err)
|
|
}
|
|
|
|
return Success("User synced successfully")
|
|
}
|
|
|
|
// GetUserFromLDAP finds an user based on a username in LDAP. This helps illustrate how would the particular user be mapped in Grafana when synced.
|
|
func (server *HTTPServer) GetUserFromLDAP(c *models.ReqContext) Response {
|
|
if !ldap.IsEnabled() {
|
|
return Error(http.StatusBadRequest, "LDAP is not enabled", nil)
|
|
}
|
|
|
|
ldapConfig, err := getLDAPConfig()
|
|
|
|
if err != nil {
|
|
return Error(http.StatusBadRequest, "Failed to obtain the LDAP configuration", err)
|
|
}
|
|
|
|
ldap := newLDAP(ldapConfig.Servers)
|
|
|
|
username := c.Params(":username")
|
|
|
|
if len(username) == 0 {
|
|
return Error(http.StatusBadRequest, "Validation error. You must specify an username", nil)
|
|
}
|
|
|
|
user, serverConfig, err := ldap.User(username)
|
|
|
|
if user == nil {
|
|
return Error(http.StatusNotFound, "No user was found in the LDAP server(s) with that username", err)
|
|
}
|
|
|
|
logger.Debug("user found", "user", user)
|
|
|
|
name, surname := splitName(user.Name)
|
|
|
|
u := &LDAPUserDTO{
|
|
Name: &LDAPAttribute{serverConfig.Attr.Name, name},
|
|
Surname: &LDAPAttribute{serverConfig.Attr.Surname, surname},
|
|
Email: &LDAPAttribute{serverConfig.Attr.Email, user.Email},
|
|
Username: &LDAPAttribute{serverConfig.Attr.Username, user.Login},
|
|
IsGrafanaAdmin: user.IsGrafanaAdmin,
|
|
IsDisabled: user.IsDisabled,
|
|
}
|
|
|
|
orgRoles := []LDAPRoleDTO{}
|
|
|
|
// Need to iterate based on the config groups as only the first match for an org is used
|
|
// We are showing all matches as that should help in understanding why one match wins out
|
|
// over another.
|
|
for _, configGroup := range serverConfig.Groups {
|
|
for _, userGroup := range user.Groups {
|
|
if configGroup.GroupDN == userGroup {
|
|
r := &LDAPRoleDTO{GroupDN: configGroup.GroupDN, OrgId: configGroup.OrgId, OrgRole: configGroup.OrgRole}
|
|
orgRoles = append(orgRoles, *r)
|
|
break
|
|
}
|
|
}
|
|
//}
|
|
}
|
|
|
|
// Then, we find what we did not match by inspecting the list of groups returned from
|
|
// LDAP against what we have already matched above.
|
|
for _, userGroup := range user.Groups {
|
|
var matched bool
|
|
|
|
for _, orgRole := range orgRoles {
|
|
if orgRole.GroupDN == userGroup { // we already matched it
|
|
matched = true
|
|
break
|
|
}
|
|
}
|
|
|
|
if !matched {
|
|
r := &LDAPRoleDTO{GroupDN: userGroup}
|
|
orgRoles = append(orgRoles, *r)
|
|
}
|
|
}
|
|
|
|
u.OrgRoles = orgRoles
|
|
|
|
logger.Debug("mapping org roles", "orgsRoles", u.OrgRoles)
|
|
err = u.FetchOrgs()
|
|
|
|
if err != nil {
|
|
return Error(http.StatusBadRequest, "An oganization was not found - Please verify your LDAP configuration", err)
|
|
}
|
|
|
|
cmd := &models.GetTeamsForLDAPGroupCommand{Groups: user.Groups}
|
|
err = bus.Dispatch(cmd)
|
|
|
|
if err != bus.ErrHandlerNotFound && err != nil {
|
|
return Error(http.StatusBadRequest, "Unable to find the teams for this user", err)
|
|
}
|
|
|
|
u.Teams = cmd.Result
|
|
|
|
return JSON(200, u)
|
|
}
|
|
|
|
// splitName receives the full name of a user and splits it into two parts: A name and a surname.
|
|
func splitName(name string) (string, string) {
|
|
names := util.SplitString(name)
|
|
|
|
switch len(names) {
|
|
case 0:
|
|
return "", ""
|
|
case 1:
|
|
return names[0], ""
|
|
default:
|
|
return names[0], names[1]
|
|
}
|
|
}
|