mirror of
				https://github.com/grafana/grafana.git
				synced 2025-02-25 18:55:37 -06:00 
			
		
		
		
	* Remove usage of client token rotation flag * Remove client token rotation feature toggle
		
			
				
	
	
		
			372 lines
		
	
	
		
			13 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
			
		
		
	
	
			372 lines
		
	
	
		
			13 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
| package api
 | |
| 
 | |
| import (
 | |
| 	"context"
 | |
| 	"fmt"
 | |
| 	"net/http"
 | |
| 	"testing"
 | |
| 	"time"
 | |
| 
 | |
| 	"github.com/stretchr/testify/assert"
 | |
| 	"github.com/stretchr/testify/require"
 | |
| 
 | |
| 	"github.com/grafana/grafana/pkg/api/response"
 | |
| 	"github.com/grafana/grafana/pkg/api/routing"
 | |
| 	"github.com/grafana/grafana/pkg/infra/log"
 | |
| 	"github.com/grafana/grafana/pkg/services/auth"
 | |
| 	"github.com/grafana/grafana/pkg/services/auth/authtest"
 | |
| 	contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
 | |
| 	"github.com/grafana/grafana/pkg/services/org"
 | |
| 	"github.com/grafana/grafana/pkg/services/user"
 | |
| 	"github.com/grafana/grafana/pkg/services/user/usertest"
 | |
| 	"github.com/grafana/grafana/pkg/setting"
 | |
| )
 | |
| 
 | |
| func TestUserTokenAPIEndpoint(t *testing.T) {
 | |
| 	userMock := usertest.NewUserServiceFake()
 | |
| 	t.Run("When current user attempts to revoke an auth token for a non-existing user", func(t *testing.T) {
 | |
| 		cmd := auth.RevokeAuthTokenCmd{AuthTokenId: 2}
 | |
| 		userMock.ExpectedError = user.ErrUserNotFound
 | |
| 		revokeUserAuthTokenScenario(t, "Should return not found when calling POST on", "/api/user/revoke-auth-token",
 | |
| 			"/api/user/revoke-auth-token", cmd, 200, func(sc *scenarioContext) {
 | |
| 				sc.fakeReqWithParams("POST", sc.url, map[string]string{}).exec()
 | |
| 				assert.Equal(t, 404, sc.resp.Code)
 | |
| 			}, userMock)
 | |
| 	})
 | |
| 
 | |
| 	t.Run("When current user gets auth tokens for a non-existing user", func(t *testing.T) {
 | |
| 		mockUser := &usertest.FakeUserService{
 | |
| 			ExpectedUser:  &user.User{ID: 200},
 | |
| 			ExpectedError: user.ErrUserNotFound,
 | |
| 		}
 | |
| 		getUserAuthTokensScenario(t, "Should return not found when calling GET on", "/api/user/auth-tokens", "/api/user/auth-tokens", 200, func(sc *scenarioContext) {
 | |
| 			sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()
 | |
| 			assert.Equal(t, 404, sc.resp.Code)
 | |
| 		}, mockUser)
 | |
| 	})
 | |
| 
 | |
| 	t.Run("When logging out an existing user from all devices", func(t *testing.T) {
 | |
| 		userMock := &usertest.FakeUserService{
 | |
| 			ExpectedUser: &user.User{ID: 200},
 | |
| 		}
 | |
| 		logoutUserFromAllDevicesInternalScenario(t, "Should be successful", 1, func(sc *scenarioContext) {
 | |
| 			sc.fakeReqWithParams("POST", sc.url, map[string]string{}).exec()
 | |
| 			assert.Equal(t, 200, sc.resp.Code)
 | |
| 		}, userMock)
 | |
| 	})
 | |
| 
 | |
| 	t.Run("When logout a non-existing user from all devices", func(t *testing.T) {
 | |
| 		logoutUserFromAllDevicesInternalScenario(t, "Should return not found", testUserID, func(sc *scenarioContext) {
 | |
| 			userMock.ExpectedError = user.ErrUserNotFound
 | |
| 			sc.fakeReqWithParams("POST", sc.url, map[string]string{}).exec()
 | |
| 			assert.Equal(t, 404, sc.resp.Code)
 | |
| 		}, userMock)
 | |
| 	})
 | |
| 
 | |
| 	t.Run("When revoke an auth token for a user", func(t *testing.T) {
 | |
| 		cmd := auth.RevokeAuthTokenCmd{AuthTokenId: 2}
 | |
| 		token := &auth.UserToken{Id: 1}
 | |
| 		mockUser := &usertest.FakeUserService{
 | |
| 			ExpectedUser: &user.User{ID: 200},
 | |
| 		}
 | |
| 
 | |
| 		revokeUserAuthTokenInternalScenario(t, "Should be successful", cmd, 200, token, func(sc *scenarioContext) {
 | |
| 			sc.userAuthTokenService.GetUserTokenProvider = func(ctx context.Context, userId, userTokenId int64) (*auth.UserToken, error) {
 | |
| 				return &auth.UserToken{Id: 2}, nil
 | |
| 			}
 | |
| 			sc.fakeReqWithParams("POST", sc.url, map[string]string{}).exec()
 | |
| 			assert.Equal(t, 200, sc.resp.Code)
 | |
| 		}, mockUser)
 | |
| 	})
 | |
| 
 | |
| 	t.Run("When revoke the active auth token used by himself", func(t *testing.T) {
 | |
| 		cmd := auth.RevokeAuthTokenCmd{AuthTokenId: 2}
 | |
| 		token := &auth.UserToken{Id: 2}
 | |
| 		mockUser := usertest.NewUserServiceFake()
 | |
| 		revokeUserAuthTokenInternalScenario(t, "Should not be successful", cmd, testUserID, token, func(sc *scenarioContext) {
 | |
| 			sc.userAuthTokenService.GetUserTokenProvider = func(ctx context.Context, userId, userTokenId int64) (*auth.UserToken, error) {
 | |
| 				return token, nil
 | |
| 			}
 | |
| 			sc.fakeReqWithParams("POST", sc.url, map[string]string{}).exec()
 | |
| 			assert.Equal(t, 400, sc.resp.Code)
 | |
| 		}, mockUser)
 | |
| 	})
 | |
| 
 | |
| 	t.Run("When gets auth tokens for a user", func(t *testing.T) {
 | |
| 		currentToken := &auth.UserToken{Id: 1}
 | |
| 		mockUser := usertest.NewUserServiceFake()
 | |
| 		getUserAuthTokensInternalScenario(t, "Should be successful", currentToken, func(sc *scenarioContext) {
 | |
| 			tokens := []*auth.UserToken{
 | |
| 				{
 | |
| 					Id:        1,
 | |
| 					ClientIp:  "127.0.0.1",
 | |
| 					UserAgent: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36",
 | |
| 					CreatedAt: time.Now().Unix(),
 | |
| 					SeenAt:    time.Now().Unix(),
 | |
| 				},
 | |
| 				{
 | |
| 					Id:        2,
 | |
| 					ClientIp:  "127.0.0.2",
 | |
| 					UserAgent: "Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1",
 | |
| 					CreatedAt: time.Now().Unix(),
 | |
| 					SeenAt:    0,
 | |
| 				},
 | |
| 			}
 | |
| 			sc.userAuthTokenService.GetUserTokensProvider = func(ctx context.Context, userId int64) ([]*auth.UserToken, error) {
 | |
| 				return tokens, nil
 | |
| 			}
 | |
| 			sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()
 | |
| 
 | |
| 			assert.Equal(t, 200, sc.resp.Code)
 | |
| 			result := sc.ToJSON()
 | |
| 			assert.Len(t, result.MustArray(), 2)
 | |
| 
 | |
| 			resultOne := result.GetIndex(0)
 | |
| 			assert.Equal(t, tokens[0].Id, resultOne.Get("id").MustInt64())
 | |
| 			assert.True(t, resultOne.Get("isActive").MustBool())
 | |
| 			assert.Equal(t, "127.0.0.1", resultOne.Get("clientIp").MustString())
 | |
| 			assert.Equal(t, time.Unix(tokens[0].CreatedAt, 0).Format(time.RFC3339), resultOne.Get("createdAt").MustString())
 | |
| 			assert.Equal(t, time.Unix(tokens[0].SeenAt, 0).Format(time.RFC3339), resultOne.Get("seenAt").MustString())
 | |
| 
 | |
| 			assert.Equal(t, "Other", resultOne.Get("device").MustString())
 | |
| 			assert.Equal(t, "Chrome", resultOne.Get("browser").MustString())
 | |
| 			assert.Equal(t, "72.0", resultOne.Get("browserVersion").MustString())
 | |
| 			assert.Equal(t, "Linux", resultOne.Get("os").MustString())
 | |
| 			assert.Empty(t, resultOne.Get("osVersion").MustString())
 | |
| 
 | |
| 			resultTwo := result.GetIndex(1)
 | |
| 			assert.Equal(t, tokens[1].Id, resultTwo.Get("id").MustInt64())
 | |
| 			assert.False(t, resultTwo.Get("isActive").MustBool())
 | |
| 			assert.Equal(t, "127.0.0.2", resultTwo.Get("clientIp").MustString())
 | |
| 			assert.Equal(t, time.Unix(tokens[1].CreatedAt, 0).Format(time.RFC3339), resultTwo.Get("createdAt").MustString())
 | |
| 			assert.Equal(t, time.Unix(tokens[1].CreatedAt, 0).Format(time.RFC3339), resultTwo.Get("seenAt").MustString())
 | |
| 
 | |
| 			assert.Equal(t, "iPhone", resultTwo.Get("device").MustString())
 | |
| 			assert.Equal(t, "Mobile Safari", resultTwo.Get("browser").MustString())
 | |
| 			assert.Equal(t, "11.0", resultTwo.Get("browserVersion").MustString())
 | |
| 			assert.Equal(t, "iOS", resultTwo.Get("os").MustString())
 | |
| 			assert.Equal(t, "11.0", resultTwo.Get("osVersion").MustString())
 | |
| 		}, mockUser)
 | |
| 	})
 | |
| }
 | |
| 
 | |
| func TestHTTPServer_RotateUserAuthToken(t *testing.T) {
 | |
| 	type testCase struct {
 | |
| 		desc                 string
 | |
| 		cookie               *http.Cookie
 | |
| 		rotatedToken         *auth.UserToken
 | |
| 		rotatedErr           error
 | |
| 		expectedStatus       int
 | |
| 		expectNewSession     bool
 | |
| 		expectSessionDeleted bool
 | |
| 	}
 | |
| 
 | |
| 	tests := []testCase{
 | |
| 		{
 | |
| 			desc:                 "Should return 401 and delete cookie if the token is invalid",
 | |
| 			cookie:               &http.Cookie{Name: "grafana_session", Value: "123", Path: "/"},
 | |
| 			rotatedErr:           auth.ErrInvalidSessionToken,
 | |
| 			expectSessionDeleted: true,
 | |
| 			expectedStatus:       http.StatusUnauthorized,
 | |
| 		},
 | |
| 		{
 | |
| 			desc:           "Should return 401 and when token not found",
 | |
| 			cookie:         &http.Cookie{Name: "grafana_session", Value: "123", Path: "/"},
 | |
| 			rotatedErr:     auth.ErrUserTokenNotFound,
 | |
| 			expectedStatus: http.StatusUnauthorized,
 | |
| 		},
 | |
| 		{
 | |
| 			desc:           "Should return 200 and but not set new cookie if token was not rotated",
 | |
| 			cookie:         &http.Cookie{Name: "grafana_session", Value: "123", Path: "/"},
 | |
| 			rotatedToken:   &auth.UserToken{UnhashedToken: "123"},
 | |
| 			expectedStatus: http.StatusOK,
 | |
| 		},
 | |
| 		{
 | |
| 			desc:             "Should return 200 and set new session and expiry cookies",
 | |
| 			cookie:           &http.Cookie{Name: "grafana_session", Value: "123", Path: "/"},
 | |
| 			rotatedToken:     &auth.UserToken{UnhashedToken: "new"},
 | |
| 			expectNewSession: true,
 | |
| 			expectedStatus:   http.StatusOK,
 | |
| 		},
 | |
| 	}
 | |
| 
 | |
| 	for _, tt := range tests {
 | |
| 		t.Run(tt.desc, func(t *testing.T) {
 | |
| 			server := SetupAPITestServer(t, func(hs *HTTPServer) {
 | |
| 				cfg := setting.NewCfg()
 | |
| 				cfg.LoginCookieName = "grafana_session"
 | |
| 				cfg.LoginMaxLifetime = 10 * time.Hour
 | |
| 				hs.Cfg = cfg
 | |
| 				hs.log = log.New()
 | |
| 				hs.Cfg.LoginCookieName = "grafana_session"
 | |
| 				hs.AuthTokenService = &authtest.FakeUserAuthTokenService{
 | |
| 					RotateTokenProvider: func(ctx context.Context, cmd auth.RotateCommand) (*auth.UserToken, error) {
 | |
| 						return tt.rotatedToken, tt.rotatedErr
 | |
| 					},
 | |
| 				}
 | |
| 			})
 | |
| 
 | |
| 			req := server.NewPostRequest("/api/user/auth-tokens/rotate", nil)
 | |
| 			if tt.cookie != nil {
 | |
| 				req.AddCookie(tt.cookie)
 | |
| 			}
 | |
| 
 | |
| 			res, err := server.Send(req)
 | |
| 			require.NoError(t, err)
 | |
| 			assert.Equal(t, tt.expectedStatus, res.StatusCode)
 | |
| 
 | |
| 			if tt.expectedStatus != http.StatusOK {
 | |
| 				if tt.expectSessionDeleted {
 | |
| 					cookies := res.Header.Values("Set-Cookie")
 | |
| 					require.Len(t, cookies, 2)
 | |
| 					assert.Equal(t, "grafana_session=; Path=/; Max-Age=0; HttpOnly", cookies[0])
 | |
| 					assert.Equal(t, "grafana_session_expiry=; Path=/; Max-Age=0", cookies[1])
 | |
| 				} else {
 | |
| 					assert.Empty(t, res.Header.Get("Set-Cookie"))
 | |
| 				}
 | |
| 			} else {
 | |
| 				if tt.expectNewSession {
 | |
| 					cookies := res.Header.Values("Set-Cookie")
 | |
| 					require.Len(t, cookies, 2)
 | |
| 					assert.Equal(t, "grafana_session=new; Path=/; Max-Age=36000; HttpOnly", cookies[0])
 | |
| 					assert.Equal(t, "grafana_session_expiry=-5; Path=/; Max-Age=36000", cookies[1])
 | |
| 				} else {
 | |
| 					assert.Empty(t, res.Header.Get("Set-Cookie"))
 | |
| 				}
 | |
| 			}
 | |
| 
 | |
| 			require.NoError(t, res.Body.Close())
 | |
| 		})
 | |
| 	}
 | |
| }
 | |
| 
 | |
| func revokeUserAuthTokenScenario(t *testing.T, desc string, url string, routePattern string, cmd auth.RevokeAuthTokenCmd,
 | |
| 	userId int64, fn scenarioFunc, userService user.Service) {
 | |
| 	t.Run(fmt.Sprintf("%s %s", desc, url), func(t *testing.T) {
 | |
| 		fakeAuthTokenService := authtest.NewFakeUserAuthTokenService()
 | |
| 
 | |
| 		hs := HTTPServer{
 | |
| 			AuthTokenService: fakeAuthTokenService,
 | |
| 			userService:      userService,
 | |
| 		}
 | |
| 
 | |
| 		sc := setupScenarioContext(t, url)
 | |
| 		sc.userAuthTokenService = fakeAuthTokenService
 | |
| 		sc.defaultHandler = routing.Wrap(func(c *contextmodel.ReqContext) response.Response {
 | |
| 			c.Req.Body = mockRequestBody(cmd)
 | |
| 			sc.context = c
 | |
| 			sc.context.UserID = userId
 | |
| 			sc.context.OrgID = testOrgID
 | |
| 			sc.context.OrgRole = org.RoleAdmin
 | |
| 
 | |
| 			return hs.RevokeUserAuthToken(c)
 | |
| 		})
 | |
| 
 | |
| 		sc.m.Post(routePattern, sc.defaultHandler)
 | |
| 
 | |
| 		fn(sc)
 | |
| 	})
 | |
| }
 | |
| 
 | |
| func getUserAuthTokensScenario(t *testing.T, desc string, url string, routePattern string, userId int64, fn scenarioFunc, userService user.Service) {
 | |
| 	t.Run(fmt.Sprintf("%s %s", desc, url), func(t *testing.T) {
 | |
| 		fakeAuthTokenService := authtest.NewFakeUserAuthTokenService()
 | |
| 
 | |
| 		hs := HTTPServer{
 | |
| 			AuthTokenService: fakeAuthTokenService,
 | |
| 			userService:      userService,
 | |
| 		}
 | |
| 
 | |
| 		sc := setupScenarioContext(t, url)
 | |
| 		sc.userAuthTokenService = fakeAuthTokenService
 | |
| 		sc.defaultHandler = routing.Wrap(func(c *contextmodel.ReqContext) response.Response {
 | |
| 			sc.context = c
 | |
| 			sc.context.UserID = userId
 | |
| 			sc.context.OrgID = testOrgID
 | |
| 			sc.context.OrgRole = org.RoleAdmin
 | |
| 
 | |
| 			return hs.GetUserAuthTokens(c)
 | |
| 		})
 | |
| 
 | |
| 		sc.m.Get(routePattern, sc.defaultHandler)
 | |
| 
 | |
| 		fn(sc)
 | |
| 	})
 | |
| }
 | |
| 
 | |
| func logoutUserFromAllDevicesInternalScenario(t *testing.T, desc string, userId int64, fn scenarioFunc, userService user.Service) {
 | |
| 	t.Run(desc, func(t *testing.T) {
 | |
| 		hs := HTTPServer{
 | |
| 			AuthTokenService: authtest.NewFakeUserAuthTokenService(),
 | |
| 			userService:      userService,
 | |
| 		}
 | |
| 
 | |
| 		sc := setupScenarioContext(t, "/")
 | |
| 		sc.defaultHandler = routing.Wrap(func(c *contextmodel.ReqContext) response.Response {
 | |
| 			sc.context = c
 | |
| 			sc.context.UserID = testUserID
 | |
| 			sc.context.OrgID = testOrgID
 | |
| 			sc.context.OrgRole = org.RoleAdmin
 | |
| 
 | |
| 			return hs.logoutUserFromAllDevicesInternal(context.Background(), userId)
 | |
| 		})
 | |
| 
 | |
| 		sc.m.Post("/", sc.defaultHandler)
 | |
| 
 | |
| 		fn(sc)
 | |
| 	})
 | |
| }
 | |
| 
 | |
| func revokeUserAuthTokenInternalScenario(t *testing.T, desc string, cmd auth.RevokeAuthTokenCmd, userId int64,
 | |
| 	token *auth.UserToken, fn scenarioFunc, userService user.Service) {
 | |
| 	t.Run(desc, func(t *testing.T) {
 | |
| 		fakeAuthTokenService := authtest.NewFakeUserAuthTokenService()
 | |
| 
 | |
| 		hs := HTTPServer{
 | |
| 			AuthTokenService: fakeAuthTokenService,
 | |
| 			userService:      userService,
 | |
| 		}
 | |
| 
 | |
| 		sc := setupScenarioContext(t, "/")
 | |
| 		sc.userAuthTokenService = fakeAuthTokenService
 | |
| 		sc.defaultHandler = routing.Wrap(func(c *contextmodel.ReqContext) response.Response {
 | |
| 			sc.context = c
 | |
| 			sc.context.UserID = testUserID
 | |
| 			sc.context.OrgID = testOrgID
 | |
| 			sc.context.OrgRole = org.RoleAdmin
 | |
| 			sc.context.UserToken = token
 | |
| 
 | |
| 			return hs.revokeUserAuthTokenInternal(c, userId, cmd)
 | |
| 		})
 | |
| 		sc.m.Post("/", sc.defaultHandler)
 | |
| 		fn(sc)
 | |
| 	})
 | |
| }
 | |
| 
 | |
| func getUserAuthTokensInternalScenario(t *testing.T, desc string, token *auth.UserToken, fn scenarioFunc, userService user.Service) {
 | |
| 	t.Run(desc, func(t *testing.T) {
 | |
| 		fakeAuthTokenService := authtest.NewFakeUserAuthTokenService()
 | |
| 
 | |
| 		hs := HTTPServer{
 | |
| 			AuthTokenService: fakeAuthTokenService,
 | |
| 			userService:      userService,
 | |
| 		}
 | |
| 
 | |
| 		sc := setupScenarioContext(t, "/")
 | |
| 		sc.userAuthTokenService = fakeAuthTokenService
 | |
| 		sc.defaultHandler = routing.Wrap(func(c *contextmodel.ReqContext) response.Response {
 | |
| 			sc.context = c
 | |
| 			sc.context.UserID = testUserID
 | |
| 			sc.context.OrgID = testOrgID
 | |
| 			sc.context.OrgRole = org.RoleAdmin
 | |
| 			sc.context.UserToken = token
 | |
| 
 | |
| 			return hs.getUserAuthTokensInternal(c, testUserID)
 | |
| 		})
 | |
| 
 | |
| 		sc.m.Get("/", sc.defaultHandler)
 | |
| 
 | |
| 		fn(sc)
 | |
| 	})
 | |
| }
 |