apitech
/
grafana
mirror of https://github.com/grafana/grafana
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
The open and composable observability and data visualization platform. Visualize metrics, logs, and traces from multiple sources like Prometheus, Loki, Elasticsearch, InfluxDB, Postgres and many more.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
36061 Commits
2179 Branches
608 Tags
1.9 GiB
Tag: Branch: Tree: 2429fe1c70
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '2429fe1c70'
${ noResults }
grafana/pkg/api/login_test.go

729 lines
19 KiB
Raw Normal View History Unescape

Fix: Break redirect loop if oauth_auto_login = true and OAuth login fails (#17974) * Add tests for login view * Fix OAuth auto login redirect loop login_error cookie is only set when the OAuth login fails for some reason. Therefore, the login view should return immediately if a login_error cookie exists before trying to login the user using OAuth again. * Fix test Use 'index-template' instead of 'index' for testing * Add some comments
6 years ago
package api
import (
Chore: Imperative request data binding (#39837) * rename Bind to BindMiddleware * make things private * removed unused part of data bindings * provide json and form binding helpers * add example of binding migration in login api * implement validation * fix tests * remove debug output * put new bind api into macaron pacakge * revert bind api breaking change
4 years ago
"bytes"
Encryption: Refactor securejsondata.SecureJsonData to stop relying on global functions (#38865) * Encryption: Add support to encrypt/decrypt sjd * Add datasources.Service as a proxy to datasources db operations * Encrypt ds.SecureJsonData before calling SQLStore * Move ds cache code into ds service * Fix tlsmanager tests * Fix pluginproxy tests * Remove some securejsondata.GetEncryptedJsonData usages * Add pluginsettings.Service as a proxy for plugin settings db operations * Add AlertNotificationService as a proxy for alert notification db operations * Remove some securejsondata.GetEncryptedJsonData usages * Remove more securejsondata.GetEncryptedJsonData usages * Fix lint errors * Minor fixes * Remove encryption global functions usages from ngalert * Fix lint errors * Minor fixes * Minor fixes * Remove securejsondata.DecryptedValue usage * Refactor the refactor * Remove securejsondata.DecryptedValue usage * Move securejsondata to migrations package * Move securejsondata to migrations package * Minor fix * Fix integration test * Fix integration tests * Undo undesired changes * Fix tests * Add context.Context into encryption methods * Fix tests * Fix tests * Fix tests * Trigger CI * Fix test * Add names to params of encryption service interface * Remove bus from CacheServiceImpl * Add logging * Add keys to logger Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Add missing key to logger Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Undo changes in markdown files * Fix formatting * Add context to secrets service * Rename decryptSecureJsonData to decryptSecureJsonDataFn * Name args in GetDecryptedValueFn * Add template back to NewAlertmanagerNotifier * Copy GetDecryptedValueFn to ngalert * Add logging to pluginsettings * Fix pluginsettings test Co-authored-by: Tania B <yalyna.ts@gmail.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
4 years ago
"context"
Fix: Break redirect loop if oauth_auto_login = true and OAuth login fails (#17974) * Add tests for login view * Fix OAuth auto login redirect loop login_error cookie is only set when the OAuth login fails for some reason. Therefore, the login view should return immediately if a login_error cookie exists before trying to login the user using OAuth again. * Fix test Use 'index-template' instead of 'index' for testing * Add some comments
6 years ago
"encoding/hex"
"errors"
Security: refactor 'redirect_to' cookie to use 'Secure' flag (#19787) * Refactor redirect_to cookie with secure flag in middleware * Refactor redirect_to cookie with secure flag in api/login * Refactor redirect_to cookie with secure flag in api/login_oauth * Removed the deletion of 'Set-Cookie' header to prevent logout * Removed the deletion of 'Set-Cookie' at top of api/login.go * Add HttpOnly flag on redirect_to cookies where missing * Refactor duplicated code * Add tests * Refactor cookie options * Replace local function for deleting cookie * Delete redundant calls Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com>
6 years ago
"fmt"
Chore: Imperative request data binding (#39837) * rename Bind to BindMiddleware * make things private * removed unused part of data bindings * provide json and form binding helpers * add example of binding migration in login api * implement validation * fix tests * remove debug output * put new bind api into macaron pacakge * revert bind api breaking change
4 years ago
"io"
Fix: Break redirect loop if oauth_auto_login = true and OAuth login fails (#17974) * Add tests for login view * Fix OAuth auto login redirect loop login_error cookie is only set when the OAuth login fails for some reason. Therefore, the login view should return immediately if a login_error cookie exists before trying to login the user using OAuth again. * Fix test Use 'index-template' instead of 'index' for testing * Add some comments
6 years ago
"io/ioutil"
"net/http"
"net/http/httptest"
"strings"
"testing"
LDAP: Add API endpoint to debug user mapping from LDAP (#18833) * Move the ReloadLDAPCfg function to the debug file Appears to be a better suite place for this. * LDAP: Return the server information when we find a specific user We allow you to specify multiple LDAP servers as part of LDAP authentication integration. As part of searching for specific users, we need to understand from which server they come from. Returning the server configuration as part of the search will help us do two things: - Understand in which server we found the user - Have access the groups specified as part of the server configuration * LDAP: Adds the /api/admin/ldap/:username endpoint This endpoint returns a user found within the configured LDAP server(s). Moreso, it provides the mapping information for the user to help administrators understand how the users would be created within Grafana based on the current configuration. No changes are executed or saved to the database, this is all an in-memory representation of how the final result would look like.
6 years ago
Logging: Unify logging fakes (#48822)
3 years ago
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
LDAP: Add API endpoint to debug user mapping from LDAP (#18833) * Move the ReloadLDAPCfg function to the debug file Appears to be a better suite place for this. * LDAP: Return the server information when we find a specific user We allow you to specify multiple LDAP servers as part of LDAP authentication integration. As part of searching for specific users, we need to understand from which server they come from. Returning the server configuration as part of the search will help us do two things: - Understand in which server we found the user - Have access the groups specified as part of the server configuration * LDAP: Adds the /api/admin/ldap/:username endpoint This endpoint returns a user found within the configured LDAP server(s). Moreso, it provides the mapping information for the user to help administrators understand how the users would be created within Grafana based on the current configuration. No changes are executed or saved to the database, this is all an in-memory representation of how the final result would look like.
6 years ago
"github.com/grafana/grafana/pkg/api/dtos"
Chore: Moves common and response into separate packages (#30298) * Chore: moves common and response into separate packages * Chore: moves common and response into separate packages * Update pkg/api/utils/common.go Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> * Chore: changes after PR comments * Chore: move wrap to routing package * Chore: move functions in common to response package * Chore: move functions in common to response package * Chore: formats imports Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
5 years ago
"github.com/grafana/grafana/pkg/api/response"
"github.com/grafana/grafana/pkg/api/routing"
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
"github.com/grafana/grafana/pkg/components/simplejson"
AuthProxy: Can now login with auth proxy and get a login token (#20175) * AuthProxy: Can now login with auth proxy and get a login token * added unit tests * renamed setting and updated docs * AuthProxy: minor tweak * Fixed tests and namings * spellfix * fix * remove unused setting, probably from merge conflict * fix
6 years ago
"github.com/grafana/grafana/pkg/infra/log"
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
"github.com/grafana/grafana/pkg/login"
Chore: Refactor OAuth/social package to service (#35403) * Creating SocialService * Add GetOAuthProviders as socialService method * Add OAuthTokenService * Add GetOAuthHttpClient method to SocialService * Rename services, access socialMap from GetConnector * Fix tests by mocking oauthtoken methods * Move NewAuthService into Init * Move OAuthService to social pkg * Refactor OAuthService to OAuthProvider * Fix nil map error, rename file, simplify tests * Fix bug for Forward OAuth Identify * Remove file after rebase
4 years ago
"github.com/grafana/grafana/pkg/login/social"
LDAP: Add API endpoint to debug user mapping from LDAP (#18833) * Move the ReloadLDAPCfg function to the debug file Appears to be a better suite place for this. * LDAP: Return the server information when we find a specific user We allow you to specify multiple LDAP servers as part of LDAP authentication integration. As part of searching for specific users, we need to understand from which server they come from. Returning the server configuration as part of the search will help us do two things: - Understand in which server we found the user - Have access the groups specified as part of the server configuration * LDAP: Adds the /api/admin/ldap/:username endpoint This endpoint returns a user found within the configured LDAP server(s). Moreso, it provides the mapping information for the user to help administrators understand how the users would be created within Grafana based on the current configuration. No changes are executed or saved to the database, this is all an in-memory representation of how the final result would look like.
6 years ago
"github.com/grafana/grafana/pkg/models"
AuthProxy: Can now login with auth proxy and get a login token (#20175) * AuthProxy: Can now login with auth proxy and get a login token * added unit tests * renamed setting and updated docs * AuthProxy: minor tweak * Fixed tests and namings * spellfix * fix * remove unused setting, probably from merge conflict * fix
6 years ago
"github.com/grafana/grafana/pkg/services/auth"
API: replace SendLoginLogCommand with LoginHook (#28777) * API: replace SendLoginLogCommand with LoginHook * LoginInfo: Query -> LoginUsername
5 years ago
"github.com/grafana/grafana/pkg/services/hooks"
Auth: Remove trailing / in cookies' path (#22265) (#22265) According to the stackoverflow answer below, it is recommended to not include a trailing / in cookies' path. By removing the trailing / for our cookies path value, people's browsers visiting grafana will pass the cookie not only to /grafana/ sub paths but also to /grafana sub paths. This commit avoids the situation where a user would visit http://localhost/grafana, get redirected to http://localhost/grafana/login, and following login get redirected back to http://localhost/grafana, but since the grafana_session cookie isn't passed along get redirected back once more to http://localhost/grafana/login. ref: https://stackoverflow.com/questions/36131023/setting-a-slash-on-cookie-path/53784228#53784228 ref: https://tools.ietf.org/html/rfc6265#section-5.1.4
5 years ago
"github.com/grafana/grafana/pkg/services/licensing"
Encryption: Use secrets service (#40251) * Use secrets service in pluginproxy * Use secrets service in pluginxontext * Use secrets service in pluginsettings * Use secrets service in provisioning * Use secrets service in authinfoservice * Use secrets service in api * Use secrets service in sqlstore * Use secrets service in dashboardshapshots * Use secrets service in tsdb * Use secrets service in datasources * Use secrets service in alerting * Use secrets service in ngalert * Break cyclic dependancy * Refactor service * Break cyclic dependancy * Add FakeSecretsStore * Setup Secrets Service in sqlstore * Fix * Continue secrets service refactoring * Fix cyclic dependancy in sqlstore tests * Fix secrets service references * Fix linter errors * Add fake secrets service for tests * Refactor SetupTestSecretsService * Update setting up secret service in tests * Fix missing secrets service in multiorg_alertmanager_test * Use fake db in tests and sort imports * Use fake db in datasources tests * Fix more tests * Fix linter issues * Attempt to fix plugin proxy tests * Pass secrets service to getPluginProxiedRequest in pluginproxy tests * Fix pluginproxy tests * Revert using secrets service in alerting and provisioning * Update decryptFn in alerting migration * Rename defaultProvider to currentProvider * Use fake secrets service in alert channels tests * Refactor secrets service test helper * Update setting up secrets service in tests * Revert alerting changes in api * Add comments * Remove secrets service from background services * Convert global encryption functions into vars * Revert "Convert global encryption functions into vars" This reverts commit 498eb19859eba364a2400a6d7e73236b1c9a5b37. * Add feature toggle for envelope encryption * Rename toggle Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Joan López de la Franca Beltran <joanjan14@gmail.com>
4 years ago
"github.com/grafana/grafana/pkg/services/secrets"
"github.com/grafana/grafana/pkg/services/secrets/fakes"
secretsManager "github.com/grafana/grafana/pkg/services/secrets/manager"
LDAP: Add API endpoint to debug user mapping from LDAP (#18833) * Move the ReloadLDAPCfg function to the debug file Appears to be a better suite place for this. * LDAP: Return the server information when we find a specific user We allow you to specify multiple LDAP servers as part of LDAP authentication integration. As part of searching for specific users, we need to understand from which server they come from. Returning the server configuration as part of the search will help us do two things: - Understand in which server we found the user - Have access the groups specified as part of the server configuration * LDAP: Adds the /api/admin/ldap/:username endpoint This endpoint returns a user found within the configured LDAP server(s). Moreso, it provides the mapping information for the user to help administrators understand how the users would be created within Grafana based on the current configuration. No changes are executed or saved to the database, this is all an in-memory representation of how the final result would look like.
6 years ago
"github.com/grafana/grafana/pkg/setting"
Fix: Break redirect loop if oauth_auto_login = true and OAuth login fails (#17974) * Add tests for login view * Fix OAuth auto login redirect loop login_error cookie is only set when the OAuth login fails for some reason. Therefore, the login view should return immediately if a login_error cookie exists before trying to login the user using OAuth again. * Fix test Use 'index-template' instead of 'index' for testing * Add some comments
6 years ago
)
Backend: Remove more globals (#29644) Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
5 years ago
func fakeSetIndexViewData(t *testing.T) {
origSetIndexViewData := setIndexViewData
t.Cleanup(func() {
setIndexViewData = origSetIndexViewData
})
Fix: Break redirect loop if oauth_auto_login = true and OAuth login fails (#17974) * Add tests for login view * Fix OAuth auto login redirect loop login_error cookie is only set when the OAuth login fails for some reason. Therefore, the login view should return immediately if a login_error cookie exists before trying to login the user using OAuth again. * Fix test Use 'index-template' instead of 'index' for testing * Add some comments
6 years ago
setIndexViewData = func(*HTTPServer, *models.ReqContext) (*dtos.IndexViewData, error) {
data := &dtos.IndexViewData{
User: &dtos.CurrentUser{},
Settings: map[string]interface{}{},
NavTree: []*dtos.NavLink{},
}
return data, nil
}
}
Backend: Remove more globals (#29644) Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
5 years ago
func fakeViewIndex(t *testing.T) {
origGetViewIndex := getViewIndex
t.Cleanup(func() {
getViewIndex = origGetViewIndex
})
Fix: Break redirect loop if oauth_auto_login = true and OAuth login fails (#17974) * Add tests for login view * Fix OAuth auto login redirect loop login_error cookie is only set when the OAuth login fails for some reason. Therefore, the login view should return immediately if a login_error cookie exists before trying to login the user using OAuth again. * Fix test Use 'index-template' instead of 'index' for testing * Add some comments
6 years ago
getViewIndex = func() string {
return "index-template"
}
}
func getBody(resp *httptest.ResponseRecorder) (string, error) {
responseData, err := ioutil.ReadAll(resp.Body)
if err != nil {
return "", err
}
return string(responseData), nil
}
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
type redirectCase struct {
API: Fix redirect issues (#22285) * Revert "API: Fix redirect issue when configured to use a subpath (#21652)" (#22671) This reverts commit 0e2d874ecf9277dcc17d562e05271917efc8b595. * Fix redirect validation (#22675) * Chore: Add test for parse of app url and app sub url Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> * Fix redirect: prepend subpath only if it's missing (#22676) * Validate redirect in login oauth (#22677) * Fix invalid redirect for authenticated user (#22678) * Login: Use correct path for OAuth logos Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
5 years ago
desc string
url string
status int
err error
appURL string
appSubURL string
redirectURL string
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
}
Chore: Refactor OAuth/social package to service (#35403) * Creating SocialService * Add GetOAuthProviders as socialService method * Add OAuthTokenService * Add GetOAuthHttpClient method to SocialService * Rename services, access socialMap from GetConnector * Fix tests by mocking oauthtoken methods * Move NewAuthService into Init * Move OAuthService to social pkg * Refactor OAuthService to OAuthProvider * Fix nil map error, rename file, simplify tests * Fix bug for Forward OAuth Identify * Remove file after rebase
4 years ago
var oAuthInfos = map[string]*social.OAuthInfo{
"github": {
ClientId: "fake",
ClientSecret: "fakefake",
Enabled: true,
AllowSignup: true,
Name: "github",
},
}
Backend: Remove more globals (#29644) Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
5 years ago
func TestLoginErrorCookieAPIEndpoint(t *testing.T) {
fakeSetIndexViewData(t)
Fix: Break redirect loop if oauth_auto_login = true and OAuth login fails (#17974) * Add tests for login view * Fix OAuth auto login redirect loop login_error cookie is only set when the OAuth login fails for some reason. Therefore, the login view should return immediately if a login_error cookie exists before trying to login the user using OAuth again. * Fix test Use 'index-template' instead of 'index' for testing * Add some comments
6 years ago
Backend: Remove more globals (#29644) Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
5 years ago
fakeViewIndex(t)
Fix: Break redirect loop if oauth_auto_login = true and OAuth login fails (#17974) * Add tests for login view * Fix OAuth auto login redirect loop login_error cookie is only set when the OAuth login fails for some reason. Therefore, the login view should return immediately if a login_error cookie exists before trying to login the user using OAuth again. * Fix test Use 'index-template' instead of 'index' for testing * Add some comments
6 years ago
Chore: Convert API tests to standard Go lib (#29009) * Chore: Convert tests to standard Go lib Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
5 years ago
sc := setupScenarioContext(t, "/login")
Backend: Remove more globals (#29644) Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
5 years ago
cfg := setting.NewCfg()
Encryption: Use secrets service (#40251) * Use secrets service in pluginproxy * Use secrets service in pluginxontext * Use secrets service in pluginsettings * Use secrets service in provisioning * Use secrets service in authinfoservice * Use secrets service in api * Use secrets service in sqlstore * Use secrets service in dashboardshapshots * Use secrets service in tsdb * Use secrets service in datasources * Use secrets service in alerting * Use secrets service in ngalert * Break cyclic dependancy * Refactor service * Break cyclic dependancy * Add FakeSecretsStore * Setup Secrets Service in sqlstore * Fix * Continue secrets service refactoring * Fix cyclic dependancy in sqlstore tests * Fix secrets service references * Fix linter errors * Add fake secrets service for tests * Refactor SetupTestSecretsService * Update setting up secret service in tests * Fix missing secrets service in multiorg_alertmanager_test * Use fake db in tests and sort imports * Use fake db in datasources tests * Fix more tests * Fix linter issues * Attempt to fix plugin proxy tests * Pass secrets service to getPluginProxiedRequest in pluginproxy tests * Fix pluginproxy tests * Revert using secrets service in alerting and provisioning * Update decryptFn in alerting migration * Rename defaultProvider to currentProvider * Use fake secrets service in alert channels tests * Refactor secrets service test helper * Update setting up secrets service in tests * Revert alerting changes in api * Add comments * Remove secrets service from background services * Convert global encryption functions into vars * Revert "Convert global encryption functions into vars" This reverts commit 498eb19859eba364a2400a6d7e73236b1c9a5b37. * Add feature toggle for envelope encryption * Rename toggle Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Joan López de la Franca Beltran <joanjan14@gmail.com>
4 years ago
secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
Fix: Break redirect loop if oauth_auto_login = true and OAuth login fails (#17974) * Add tests for login view * Fix OAuth auto login redirect loop login_error cookie is only set when the OAuth login fails for some reason. Therefore, the login view should return immediately if a login_error cookie exists before trying to login the user using OAuth again. * Fix test Use 'index-template' instead of 'index' for testing * Add some comments
6 years ago
hs := &HTTPServer{
Encryption: Use secrets service (#40251) * Use secrets service in pluginproxy * Use secrets service in pluginxontext * Use secrets service in pluginsettings * Use secrets service in provisioning * Use secrets service in authinfoservice * Use secrets service in api * Use secrets service in sqlstore * Use secrets service in dashboardshapshots * Use secrets service in tsdb * Use secrets service in datasources * Use secrets service in alerting * Use secrets service in ngalert * Break cyclic dependancy * Refactor service * Break cyclic dependancy * Add FakeSecretsStore * Setup Secrets Service in sqlstore * Fix * Continue secrets service refactoring * Fix cyclic dependancy in sqlstore tests * Fix secrets service references * Fix linter errors * Add fake secrets service for tests * Refactor SetupTestSecretsService * Update setting up secret service in tests * Fix missing secrets service in multiorg_alertmanager_test * Use fake db in tests and sort imports * Use fake db in datasources tests * Fix more tests * Fix linter issues * Attempt to fix plugin proxy tests * Pass secrets service to getPluginProxiedRequest in pluginproxy tests * Fix pluginproxy tests * Revert using secrets service in alerting and provisioning * Update decryptFn in alerting migration * Rename defaultProvider to currentProvider * Use fake secrets service in alert channels tests * Refactor secrets service test helper * Update setting up secrets service in tests * Revert alerting changes in api * Add comments * Remove secrets service from background services * Convert global encryption functions into vars * Revert "Convert global encryption functions into vars" This reverts commit 498eb19859eba364a2400a6d7e73236b1c9a5b37. * Add feature toggle for envelope encryption * Rename toggle Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Joan López de la Franca Beltran <joanjan14@gmail.com>
4 years ago
Cfg: cfg,
SettingsProvider: &setting.OSSImpl{Cfg: cfg},
License: &licensing.OSSLicensingService{},
SocialService: &mockSocialService{},
SecretsService: secretsService,
Fix: Break redirect loop if oauth_auto_login = true and OAuth login fails (#17974) * Add tests for login view * Fix OAuth auto login redirect loop login_error cookie is only set when the OAuth login fails for some reason. Therefore, the login view should return immediately if a login_error cookie exists before trying to login the user using OAuth again. * Fix test Use 'index-template' instead of 'index' for testing * Add some comments
6 years ago
}
Chore: Refactor api handlers to use web.Bind (#42199) * Chore: Refactor api handlers to use web.Bind * fix comments * fix comment * trying to fix most of the tests and force routing.Wrap type check * fix library panels tests * fix frontend logging tests * allow passing nil as a response to skip writing * return nil instead of the response * rewrite login handler function types * remove handlerFuncCtx * make linter happy * remove old bindings from the libraryelements * restore comments
4 years ago
sc.defaultHandler = routing.Wrap(func(c *models.ReqContext) response.Response {
Fix: Break redirect loop if oauth_auto_login = true and OAuth login fails (#17974) * Add tests for login view * Fix OAuth auto login redirect loop login_error cookie is only set when the OAuth login fails for some reason. Therefore, the login view should return immediately if a login_error cookie exists before trying to login the user using OAuth again. * Fix test Use 'index-template' instead of 'index' for testing * Add some comments
6 years ago
hs.LoginView(c)
Chore: Refactor api handlers to use web.Bind (#42199) * Chore: Refactor api handlers to use web.Bind * fix comments * fix comment * trying to fix most of the tests and force routing.Wrap type check * fix library panels tests * fix frontend logging tests * allow passing nil as a response to skip writing * return nil instead of the response * rewrite login handler function types * remove handlerFuncCtx * make linter happy * remove old bindings from the libraryelements * restore comments
4 years ago
return response.Empty(http.StatusOK)
Fix: Break redirect loop if oauth_auto_login = true and OAuth login fails (#17974) * Add tests for login view * Fix OAuth auto login redirect loop login_error cookie is only set when the OAuth login fails for some reason. Therefore, the login view should return immediately if a login_error cookie exists before trying to login the user using OAuth again. * Fix test Use 'index-template' instead of 'index' for testing * Add some comments
6 years ago
})
Backend: Remove more globals (#29644) Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
5 years ago
cfg.LoginCookieName = "grafana_session"
Fix: Break redirect loop if oauth_auto_login = true and OAuth login fails (#17974) * Add tests for login view * Fix OAuth auto login redirect loop login_error cookie is only set when the OAuth login fails for some reason. Therefore, the login view should return immediately if a login_error cookie exists before trying to login the user using OAuth again. * Fix test Use 'index-template' instead of 'index' for testing * Add some comments
6 years ago
setting.SecretKey = "login_testing"
setting.OAuthAutoLogin = true
oauthError := errors.New("User not a member of one of the required organizations")
Encryption: Use secrets service (#40251) * Use secrets service in pluginproxy * Use secrets service in pluginxontext * Use secrets service in pluginsettings * Use secrets service in provisioning * Use secrets service in authinfoservice * Use secrets service in api * Use secrets service in sqlstore * Use secrets service in dashboardshapshots * Use secrets service in tsdb * Use secrets service in datasources * Use secrets service in alerting * Use secrets service in ngalert * Break cyclic dependancy * Refactor service * Break cyclic dependancy * Add FakeSecretsStore * Setup Secrets Service in sqlstore * Fix * Continue secrets service refactoring * Fix cyclic dependancy in sqlstore tests * Fix secrets service references * Fix linter errors * Add fake secrets service for tests * Refactor SetupTestSecretsService * Update setting up secret service in tests * Fix missing secrets service in multiorg_alertmanager_test * Use fake db in tests and sort imports * Use fake db in datasources tests * Fix more tests * Fix linter issues * Attempt to fix plugin proxy tests * Pass secrets service to getPluginProxiedRequest in pluginproxy tests * Fix pluginproxy tests * Revert using secrets service in alerting and provisioning * Update decryptFn in alerting migration * Rename defaultProvider to currentProvider * Use fake secrets service in alert channels tests * Refactor secrets service test helper * Update setting up secrets service in tests * Revert alerting changes in api * Add comments * Remove secrets service from background services * Convert global encryption functions into vars * Revert "Convert global encryption functions into vars" This reverts commit 498eb19859eba364a2400a6d7e73236b1c9a5b37. * Add feature toggle for envelope encryption * Rename toggle Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Joan López de la Franca Beltran <joanjan14@gmail.com>
4 years ago
encryptedError, err := hs.SecretsService.Encrypt(context.Background(), []byte(oauthError.Error()), secrets.WithoutScope())
Middleware: Add CSP support (#29740) * Middleware: Add support for CSP Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored by @iOrcohen
5 years ago
require.NoError(t, err)
Auth: Remove trailing / in cookies' path (#22265) (#22265) According to the stackoverflow answer below, it is recommended to not include a trailing / in cookies' path. By removing the trailing / for our cookies path value, people's browsers visiting grafana will pass the cookie not only to /grafana/ sub paths but also to /grafana sub paths. This commit avoids the situation where a user would visit http://localhost/grafana, get redirected to http://localhost/grafana/login, and following login get redirected back to http://localhost/grafana, but since the grafana_session cookie isn't passed along get redirected back once more to http://localhost/grafana/login. ref: https://stackoverflow.com/questions/36131023/setting-a-slash-on-cookie-path/53784228#53784228 ref: https://tools.ietf.org/html/rfc6265#section-5.1.4
5 years ago
expCookiePath := "/"
if len(setting.AppSubUrl) > 0 {
expCookiePath = setting.AppSubUrl
}
Fix: Break redirect loop if oauth_auto_login = true and OAuth login fails (#17974) * Add tests for login view * Fix OAuth auto login redirect loop login_error cookie is only set when the OAuth login fails for some reason. Therefore, the login view should return immediately if a login_error cookie exists before trying to login the user using OAuth again. * Fix test Use 'index-template' instead of 'index' for testing * Add some comments
6 years ago
cookie := http.Cookie{
Middleware: Add CSP support (#29740) * Middleware: Add support for CSP Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored by @iOrcohen
5 years ago
Name: loginErrorCookieName,
Fix: Break redirect loop if oauth_auto_login = true and OAuth login fails (#17974) * Add tests for login view * Fix OAuth auto login redirect loop login_error cookie is only set when the OAuth login fails for some reason. Therefore, the login view should return immediately if a login_error cookie exists before trying to login the user using OAuth again. * Fix test Use 'index-template' instead of 'index' for testing * Add some comments
6 years ago
MaxAge: 60,
Value: hex.EncodeToString(encryptedError),
HttpOnly: true,
Auth: Remove trailing / in cookies' path (#22265) (#22265) According to the stackoverflow answer below, it is recommended to not include a trailing / in cookies' path. By removing the trailing / for our cookies path value, people's browsers visiting grafana will pass the cookie not only to /grafana/ sub paths but also to /grafana sub paths. This commit avoids the situation where a user would visit http://localhost/grafana, get redirected to http://localhost/grafana/login, and following login get redirected back to http://localhost/grafana, but since the grafana_session cookie isn't passed along get redirected back once more to http://localhost/grafana/login. ref: https://stackoverflow.com/questions/36131023/setting-a-slash-on-cookie-path/53784228#53784228 ref: https://tools.ietf.org/html/rfc6265#section-5.1.4
5 years ago
Path: expCookiePath,
Fix: Break redirect loop if oauth_auto_login = true and OAuth login fails (#17974) * Add tests for login view * Fix OAuth auto login redirect loop login_error cookie is only set when the OAuth login fails for some reason. Therefore, the login view should return immediately if a login_error cookie exists before trying to login the user using OAuth again. * Fix test Use 'index-template' instead of 'index' for testing * Add some comments
6 years ago
Secure: hs.Cfg.CookieSecure,
Add disabled option for cookie samesite attribute (#21472) Breaking change: If disabled the cookie samesite cookie attribute will not be set, but if none the attribute will be set and is a breaking change compared to before where none did not render the attribute. This was due to a known issue in Safari. Co-Authored-By: Arve Knudsen <arve.knudsen@gmail.com> Co-Authored-By: Diana Payton <52059945+oddlittlebird@users.noreply.github.com> Fixes #19847
6 years ago
SameSite: hs.Cfg.CookieSameSiteMode,
Fix: Break redirect loop if oauth_auto_login = true and OAuth login fails (#17974) * Add tests for login view * Fix OAuth auto login redirect loop login_error cookie is only set when the OAuth login fails for some reason. Therefore, the login view should return immediately if a login_error cookie exists before trying to login the user using OAuth again. * Fix test Use 'index-template' instead of 'index' for testing * Add some comments
6 years ago
}
sc.m.Get(sc.url, sc.defaultHandler)
sc.fakeReqNoAssertionsWithCookie("GET", sc.url, cookie).exec()
Middleware: Add CSP support (#29740) * Middleware: Add support for CSP Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored by @iOrcohen
5 years ago
require.Equal(t, 200, sc.resp.Code)
Fix: Break redirect loop if oauth_auto_login = true and OAuth login fails (#17974) * Add tests for login view * Fix OAuth auto login redirect loop login_error cookie is only set when the OAuth login fails for some reason. Therefore, the login view should return immediately if a login_error cookie exists before trying to login the user using OAuth again. * Fix test Use 'index-template' instead of 'index' for testing * Add some comments
6 years ago
responseString, err := getBody(sc.resp)
Middleware: Add CSP support (#29740) * Middleware: Add support for CSP Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored by @iOrcohen
5 years ago
require.NoError(t, err)
Fix: Break redirect loop if oauth_auto_login = true and OAuth login fails (#17974) * Add tests for login view * Fix OAuth auto login redirect loop login_error cookie is only set when the OAuth login fails for some reason. Therefore, the login view should return immediately if a login_error cookie exists before trying to login the user using OAuth again. * Fix test Use 'index-template' instead of 'index' for testing * Add some comments
6 years ago
assert.True(t, strings.Contains(responseString, oauthError.Error()))
}
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
func TestLoginViewRedirect(t *testing.T) {
Backend: Remove more globals (#29644) Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
5 years ago
fakeSetIndexViewData(t)
fakeViewIndex(t)
Chore: Convert API tests to standard Go lib (#29009) * Chore: Convert tests to standard Go lib Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
5 years ago
sc := setupScenarioContext(t, "/login")
Settings: Encapsulate settings within an extensible provider (#32219) * Encapsulate settings with a provider with support for runtime reloads * SettingsProvider: reload is controlled by the services * naive impl of reload handlers for settings * working naive detection on new changes * Trigger settings reload from API endpoint * validation step added * validation of settings * Fix linting errors * Replace DB_Varchar by DB_NVarchar * Reduce settings columns (section, key) lenghts * wip db update logic * Db Settings: separate updates and removals * Fix: removes incorrectly added code * Minor code improvements * Runtime settings: moved oss -> ee * Remove no longer used setting.Cfg SAML-related fields * Rename file setting/settings.go => setting/provider.go * Apply suggestions from code review Co-authored-by: Agnès Toulet <35176601+AgnesToulet@users.noreply.github.com> * Minor code improvements on OSS settings provider * Fix some login API tests * Correct some GoDoc comments * Apply suggestions from code review Co-authored-by: Agnès Toulet <35176601+AgnesToulet@users.noreply.github.com> Co-authored-by: Leonard Gram <leo@xlson.com> Co-authored-by: Agnès Toulet <35176601+AgnesToulet@users.noreply.github.com>
4 years ago
cfg := setting.NewCfg()
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
hs := &HTTPServer{
Settings: Encapsulate settings within an extensible provider (#32219) * Encapsulate settings with a provider with support for runtime reloads * SettingsProvider: reload is controlled by the services * naive impl of reload handlers for settings * working naive detection on new changes * Trigger settings reload from API endpoint * validation step added * validation of settings * Fix linting errors * Replace DB_Varchar by DB_NVarchar * Reduce settings columns (section, key) lenghts * wip db update logic * Db Settings: separate updates and removals * Fix: removes incorrectly added code * Minor code improvements * Runtime settings: moved oss -> ee * Remove no longer used setting.Cfg SAML-related fields * Rename file setting/settings.go => setting/provider.go * Apply suggestions from code review Co-authored-by: Agnès Toulet <35176601+AgnesToulet@users.noreply.github.com> * Minor code improvements on OSS settings provider * Fix some login API tests * Correct some GoDoc comments * Apply suggestions from code review Co-authored-by: Agnès Toulet <35176601+AgnesToulet@users.noreply.github.com> Co-authored-by: Leonard Gram <leo@xlson.com> Co-authored-by: Agnès Toulet <35176601+AgnesToulet@users.noreply.github.com>
4 years ago
Cfg: cfg,
SettingsProvider: &setting.OSSImpl{Cfg: cfg},
License: &licensing.OSSLicensingService{},
Chore: Refactor OAuth/social package to service (#35403) * Creating SocialService * Add GetOAuthProviders as socialService method * Add OAuthTokenService * Add GetOAuthHttpClient method to SocialService * Rename services, access socialMap from GetConnector * Fix tests by mocking oauthtoken methods * Move NewAuthService into Init * Move OAuthService to social pkg * Refactor OAuthService to OAuthProvider * Fix nil map error, rename file, simplify tests * Fix bug for Forward OAuth Identify * Remove file after rebase
4 years ago
SocialService: &mockSocialService{},
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
}
Security: refactor 'redirect_to' cookie to use 'Secure' flag (#19787) * Refactor redirect_to cookie with secure flag in middleware * Refactor redirect_to cookie with secure flag in api/login * Refactor redirect_to cookie with secure flag in api/login_oauth * Removed the deletion of 'Set-Cookie' header to prevent logout * Removed the deletion of 'Set-Cookie' at top of api/login.go * Add HttpOnly flag on redirect_to cookies where missing * Refactor duplicated code * Add tests * Refactor cookie options * Replace local function for deleting cookie * Delete redundant calls Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com>
6 years ago
hs.Cfg.CookieSecure = true
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
Chore: Refactor api handlers to use web.Bind (#42199) * Chore: Refactor api handlers to use web.Bind * fix comments * fix comment * trying to fix most of the tests and force routing.Wrap type check * fix library panels tests * fix frontend logging tests * allow passing nil as a response to skip writing * return nil instead of the response * rewrite login handler function types * remove handlerFuncCtx * make linter happy * remove old bindings from the libraryelements * restore comments
4 years ago
sc.defaultHandler = routing.Wrap(func(c *models.ReqContext) response.Response {
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
c.IsSignedIn = true
c.SignedInUser = &models.SignedInUser{
UserId: 10,
}
hs.LoginView(c)
Chore: Refactor api handlers to use web.Bind (#42199) * Chore: Refactor api handlers to use web.Bind * fix comments * fix comment * trying to fix most of the tests and force routing.Wrap type check * fix library panels tests * fix frontend logging tests * allow passing nil as a response to skip writing * return nil instead of the response * rewrite login handler function types * remove handlerFuncCtx * make linter happy * remove old bindings from the libraryelements * restore comments
4 years ago
return response.Empty(http.StatusOK)
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
})
redirectCases := []redirectCase{
{
API: Fix redirect issues (#22285) * Revert "API: Fix redirect issue when configured to use a subpath (#21652)" (#22671) This reverts commit 0e2d874ecf9277dcc17d562e05271917efc8b595. * Fix redirect validation (#22675) * Chore: Add test for parse of app url and app sub url Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> * Fix redirect: prepend subpath only if it's missing (#22676) * Validate redirect in login oauth (#22677) * Fix invalid redirect for authenticated user (#22678) * Login: Use correct path for OAuth logos Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
5 years ago
desc: "grafana relative url without subpath",
url: "/profile",
redirectURL: "/profile",
appURL: "http://localhost:3000/",
status: 302,
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
},
{
API: Fix redirect issues (#22285) * Revert "API: Fix redirect issue when configured to use a subpath (#21652)" (#22671) This reverts commit 0e2d874ecf9277dcc17d562e05271917efc8b595. * Fix redirect validation (#22675) * Chore: Add test for parse of app url and app sub url Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> * Fix redirect: prepend subpath only if it's missing (#22676) * Validate redirect in login oauth (#22677) * Fix invalid redirect for authenticated user (#22678) * Login: Use correct path for OAuth logos Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
5 years ago
desc: "grafana invalid relative url starting with the subpath",
url: "/grafanablah",
redirectURL: "/grafana/",
appURL: "http://localhost:3000/",
appSubURL: "/grafana",
status: 302,
API: Fix redirect issue when configured to use a subpath (#21652) * request uri will contain the subpath
5 years ago
},
{
API: Fix redirect issues (#22285) * Revert "API: Fix redirect issue when configured to use a subpath (#21652)" (#22671) This reverts commit 0e2d874ecf9277dcc17d562e05271917efc8b595. * Fix redirect validation (#22675) * Chore: Add test for parse of app url and app sub url Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> * Fix redirect: prepend subpath only if it's missing (#22676) * Validate redirect in login oauth (#22677) * Fix invalid redirect for authenticated user (#22678) * Login: Use correct path for OAuth logos Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
5 years ago
desc: "grafana relative url with subpath with leading slash",
url: "/grafana/profile",
redirectURL: "/grafana/profile",
appURL: "http://localhost:3000",
appSubURL: "/grafana",
status: 302,
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
},
{
API: Fix redirect issues (#22285) * Revert "API: Fix redirect issue when configured to use a subpath (#21652)" (#22671) This reverts commit 0e2d874ecf9277dcc17d562e05271917efc8b595. * Fix redirect validation (#22675) * Chore: Add test for parse of app url and app sub url Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> * Fix redirect: prepend subpath only if it's missing (#22676) * Validate redirect in login oauth (#22677) * Fix invalid redirect for authenticated user (#22678) * Login: Use correct path for OAuth logos Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
5 years ago
desc: "relative url with missing subpath",
url: "/profile",
redirectURL: "/grafana/",
appURL: "http://localhost:3000/",
appSubURL: "/grafana",
status: 302,
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
},
API: Fix redirect issue when configured to use a subpath (#21652) * request uri will contain the subpath
5 years ago
{
API: Fix redirect issues (#22285) * Revert "API: Fix redirect issue when configured to use a subpath (#21652)" (#22671) This reverts commit 0e2d874ecf9277dcc17d562e05271917efc8b595. * Fix redirect validation (#22675) * Chore: Add test for parse of app url and app sub url Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> * Fix redirect: prepend subpath only if it's missing (#22676) * Validate redirect in login oauth (#22677) * Fix invalid redirect for authenticated user (#22678) * Login: Use correct path for OAuth logos Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
5 years ago
desc: "grafana absolute url",
url: "http://localhost:3000/profile",
redirectURL: "/",
appURL: "http://localhost:3000/",
status: 302,
API: Fix redirect issue when configured to use a subpath (#21652) * request uri will contain the subpath
5 years ago
},
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
{
API: Fix redirect issues (#22285) * Revert "API: Fix redirect issue when configured to use a subpath (#21652)" (#22671) This reverts commit 0e2d874ecf9277dcc17d562e05271917efc8b595. * Fix redirect validation (#22675) * Chore: Add test for parse of app url and app sub url Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> * Fix redirect: prepend subpath only if it's missing (#22676) * Validate redirect in login oauth (#22677) * Fix invalid redirect for authenticated user (#22678) * Login: Use correct path for OAuth logos Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
5 years ago
desc: "non grafana absolute url",
url: "http://example.com",
redirectURL: "/",
appURL: "http://localhost:3000/",
status: 302,
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
},
{
API: Fix redirect issues (#22285) * Revert "API: Fix redirect issue when configured to use a subpath (#21652)" (#22671) This reverts commit 0e2d874ecf9277dcc17d562e05271917efc8b595. * Fix redirect validation (#22675) * Chore: Add test for parse of app url and app sub url Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> * Fix redirect: prepend subpath only if it's missing (#22676) * Validate redirect in login oauth (#22677) * Fix invalid redirect for authenticated user (#22678) * Login: Use correct path for OAuth logos Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
5 years ago
desc: "invalid url",
url: ":foo",
redirectURL: "/",
appURL: "http://localhost:3000/",
status: 302,
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
},
Auth: Add support for forcing authentication in anonymous mode and modify SignIn to use it instead of redirect (#25567) * Forbid additional redirect urls * Optionally force login in anonymous mode * Update LoginCtrl page to ignore redirect parameter * Modify SignIn to set forceLogin query instead of redirect * Pass appUrl to frontend and use URL API for updating url query * Apply suggestions from code review Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix SignIn test Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
5 years ago
{
desc: "non-Grafana URL without scheme",
url: "example.com",
redirectURL: "/",
appURL: "http://localhost:3000/",
status: 302,
},
{
desc: "non-Grafana URL without scheme",
url: "www.example.com",
redirectURL: "/",
appURL: "http://localhost:3000/",
status: 302,
},
{
desc: "URL path is a host with two leading slashes",
url: "//example.com",
redirectURL: "/",
appURL: "http://localhost:3000/",
status: 302,
},
{
desc: "URL path is a host with three leading slashes",
url: "///example.com",
redirectURL: "/",
appURL: "http://localhost:3000/",
status: 302,
},
{
desc: "URL path is an IP address with two leading slashes",
url: "//0.0.0.0",
redirectURL: "/",
appURL: "http://localhost:3000/",
status: 302,
},
{
desc: "URL path is an IP address with three leading slashes",
url: "///0.0.0.0",
redirectURL: "/",
appURL: "http://localhost:3000/",
status: 302,
},
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
}
for _, c := range redirectCases {
Chore: Convert API tests to standard Go lib (#29009) * Chore: Convert tests to standard Go lib Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
5 years ago
hs.Cfg.AppURL = c.appURL
hs.Cfg.AppSubURL = c.appSubURL
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
t.Run(c.desc, func(t *testing.T) {
Auth: Remove trailing / in cookies' path (#22265) (#22265) According to the stackoverflow answer below, it is recommended to not include a trailing / in cookies' path. By removing the trailing / for our cookies path value, people's browsers visiting grafana will pass the cookie not only to /grafana/ sub paths but also to /grafana sub paths. This commit avoids the situation where a user would visit http://localhost/grafana, get redirected to http://localhost/grafana/login, and following login get redirected back to http://localhost/grafana, but since the grafana_session cookie isn't passed along get redirected back once more to http://localhost/grafana/login. ref: https://stackoverflow.com/questions/36131023/setting-a-slash-on-cookie-path/53784228#53784228 ref: https://tools.ietf.org/html/rfc6265#section-5.1.4
5 years ago
expCookiePath := "/"
Chore: Convert API tests to standard Go lib (#29009) * Chore: Convert tests to standard Go lib Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
5 years ago
if len(hs.Cfg.AppSubURL) > 0 {
expCookiePath = hs.Cfg.AppSubURL
Auth: Remove trailing / in cookies' path (#22265) (#22265) According to the stackoverflow answer below, it is recommended to not include a trailing / in cookies' path. By removing the trailing / for our cookies path value, people's browsers visiting grafana will pass the cookie not only to /grafana/ sub paths but also to /grafana sub paths. This commit avoids the situation where a user would visit http://localhost/grafana, get redirected to http://localhost/grafana/login, and following login get redirected back to http://localhost/grafana, but since the grafana_session cookie isn't passed along get redirected back once more to http://localhost/grafana/login. ref: https://stackoverflow.com/questions/36131023/setting-a-slash-on-cookie-path/53784228#53784228 ref: https://tools.ietf.org/html/rfc6265#section-5.1.4
5 years ago
}
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
cookie := http.Cookie{
Name: "redirect_to",
MaxAge: 60,
Value: c.url,
HttpOnly: true,
Auth: Remove trailing / in cookies' path (#22265) (#22265) According to the stackoverflow answer below, it is recommended to not include a trailing / in cookies' path. By removing the trailing / for our cookies path value, people's browsers visiting grafana will pass the cookie not only to /grafana/ sub paths but also to /grafana sub paths. This commit avoids the situation where a user would visit http://localhost/grafana, get redirected to http://localhost/grafana/login, and following login get redirected back to http://localhost/grafana, but since the grafana_session cookie isn't passed along get redirected back once more to http://localhost/grafana/login. ref: https://stackoverflow.com/questions/36131023/setting-a-slash-on-cookie-path/53784228#53784228 ref: https://tools.ietf.org/html/rfc6265#section-5.1.4
5 years ago
Path: expCookiePath,
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
Secure: hs.Cfg.CookieSecure,
Add disabled option for cookie samesite attribute (#21472) Breaking change: If disabled the cookie samesite cookie attribute will not be set, but if none the attribute will be set and is a breaking change compared to before where none did not render the attribute. This was due to a known issue in Safari. Co-Authored-By: Arve Knudsen <arve.knudsen@gmail.com> Co-Authored-By: Diana Payton <52059945+oddlittlebird@users.noreply.github.com> Fixes #19847
6 years ago
SameSite: hs.Cfg.CookieSameSiteMode,
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
}
sc.m.Get(sc.url, sc.defaultHandler)
sc.fakeReqNoAssertionsWithCookie("GET", sc.url, cookie).exec()
Middleware: Add CSP support (#29740) * Middleware: Add support for CSP Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored by @iOrcohen
5 years ago
require.Equal(t, c.status, sc.resp.Code)
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
if c.status == 302 {
location, ok := sc.resp.Header()["Location"]
assert.True(t, ok)
Auth: Add support for forcing authentication in anonymous mode and modify SignIn to use it instead of redirect (#25567) * Forbid additional redirect urls * Optionally force login in anonymous mode * Update LoginCtrl page to ignore redirect parameter * Modify SignIn to set forceLogin query instead of redirect * Pass appUrl to frontend and use URL API for updating url query * Apply suggestions from code review Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix SignIn test Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
5 years ago
assert.Equal(t, c.redirectURL, location[0])
Security: refactor 'redirect_to' cookie to use 'Secure' flag (#19787) * Refactor redirect_to cookie with secure flag in middleware * Refactor redirect_to cookie with secure flag in api/login * Refactor redirect_to cookie with secure flag in api/login_oauth * Removed the deletion of 'Set-Cookie' header to prevent logout * Removed the deletion of 'Set-Cookie' at top of api/login.go * Add HttpOnly flag on redirect_to cookies where missing * Refactor duplicated code * Add tests * Refactor cookie options * Replace local function for deleting cookie * Delete redundant calls Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com>
6 years ago
setCookie, ok := sc.resp.Header()["Set-Cookie"]
assert.True(t, ok, "Set-Cookie exists")
assert.Greater(t, len(setCookie), 0)
var redirectToCookieFound bool
API: Fix redirect issues (#22285) * Revert "API: Fix redirect issue when configured to use a subpath (#21652)" (#22671) This reverts commit 0e2d874ecf9277dcc17d562e05271917efc8b595. * Fix redirect validation (#22675) * Chore: Add test for parse of app url and app sub url Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> * Fix redirect: prepend subpath only if it's missing (#22676) * Validate redirect in login oauth (#22677) * Fix invalid redirect for authenticated user (#22678) * Login: Use correct path for OAuth logos Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
5 years ago
redirectToCookieShouldBeDeleted := c.url != c.redirectURL
expCookieValue := c.redirectURL
expCookieMaxAge := 60
if redirectToCookieShouldBeDeleted {
expCookieValue = ""
expCookieMaxAge = 0
}
Auth: Remove trailing / in cookies' path (#22265) (#22265) According to the stackoverflow answer below, it is recommended to not include a trailing / in cookies' path. By removing the trailing / for our cookies path value, people's browsers visiting grafana will pass the cookie not only to /grafana/ sub paths but also to /grafana sub paths. This commit avoids the situation where a user would visit http://localhost/grafana, get redirected to http://localhost/grafana/login, and following login get redirected back to http://localhost/grafana, but since the grafana_session cookie isn't passed along get redirected back once more to http://localhost/grafana/login. ref: https://stackoverflow.com/questions/36131023/setting-a-slash-on-cookie-path/53784228#53784228 ref: https://tools.ietf.org/html/rfc6265#section-5.1.4
5 years ago
expCookie := fmt.Sprintf("redirect_to=%v; Path=%v; Max-Age=%v; HttpOnly; Secure", expCookieValue, expCookiePath, expCookieMaxAge)
Security: refactor 'redirect_to' cookie to use 'Secure' flag (#19787) * Refactor redirect_to cookie with secure flag in middleware * Refactor redirect_to cookie with secure flag in api/login * Refactor redirect_to cookie with secure flag in api/login_oauth * Removed the deletion of 'Set-Cookie' header to prevent logout * Removed the deletion of 'Set-Cookie' at top of api/login.go * Add HttpOnly flag on redirect_to cookies where missing * Refactor duplicated code * Add tests * Refactor cookie options * Replace local function for deleting cookie * Delete redundant calls Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com>
6 years ago
for _, cookieValue := range setCookie {
API: Fix redirect issues (#22285) * Revert "API: Fix redirect issue when configured to use a subpath (#21652)" (#22671) This reverts commit 0e2d874ecf9277dcc17d562e05271917efc8b595. * Fix redirect validation (#22675) * Chore: Add test for parse of app url and app sub url Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> * Fix redirect: prepend subpath only if it's missing (#22676) * Validate redirect in login oauth (#22677) * Fix invalid redirect for authenticated user (#22678) * Login: Use correct path for OAuth logos Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
5 years ago
if cookieValue == expCookie {
Security: refactor 'redirect_to' cookie to use 'Secure' flag (#19787) * Refactor redirect_to cookie with secure flag in middleware * Refactor redirect_to cookie with secure flag in api/login * Refactor redirect_to cookie with secure flag in api/login_oauth * Removed the deletion of 'Set-Cookie' header to prevent logout * Removed the deletion of 'Set-Cookie' at top of api/login.go * Add HttpOnly flag on redirect_to cookies where missing * Refactor duplicated code * Add tests * Refactor cookie options * Replace local function for deleting cookie * Delete redundant calls Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com>
6 years ago
redirectToCookieFound = true
break
}
}
assert.True(t, redirectToCookieFound)
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
}
responseString, err := getBody(sc.resp)
Middleware: Add CSP support (#29740) * Middleware: Add support for CSP Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored by @iOrcohen
5 years ago
require.NoError(t, err)
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
if c.err != nil {
assert.True(t, strings.Contains(responseString, c.err.Error()))
}
})
}
}
func TestLoginPostRedirect(t *testing.T) {
Backend: Remove more globals (#29644) Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
5 years ago
fakeSetIndexViewData(t)
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
Backend: Remove more globals (#29644) Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
5 years ago
fakeViewIndex(t)
Chore: Convert API tests to standard Go lib (#29009) * Chore: Convert tests to standard Go lib Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
5 years ago
sc := setupScenarioContext(t, "/login")
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
hs := &HTTPServer{
Logging: Unify logging fakes (#48822)
3 years ago
log: log.NewNopLogger(),
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
Cfg: setting.NewCfg(),
API: replace SendLoginLogCommand with LoginHook (#28777) * API: replace SendLoginLogCommand with LoginHook * LoginInfo: Query -> LoginUsername
5 years ago
HooksService: &hooks.HooksService{},
Admin: Add promotional page for Grafana Enterprise (#21422) Co-authored-by: Torkel Ödegaard <torkel@grafana.com>
6 years ago
License: &licensing.OSSLicensingService{},
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
AuthTokenService: auth.NewFakeUserAuthTokenService(),
}
Security: refactor 'redirect_to' cookie to use 'Secure' flag (#19787) * Refactor redirect_to cookie with secure flag in middleware * Refactor redirect_to cookie with secure flag in api/login * Refactor redirect_to cookie with secure flag in api/login_oauth * Removed the deletion of 'Set-Cookie' header to prevent logout * Removed the deletion of 'Set-Cookie' at top of api/login.go * Add HttpOnly flag on redirect_to cookies where missing * Refactor duplicated code * Add tests * Refactor cookie options * Replace local function for deleting cookie * Delete redundant calls Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com>
6 years ago
hs.Cfg.CookieSecure = true
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
Chore: Refactor api handlers to use web.Bind (#42199) * Chore: Refactor api handlers to use web.Bind * fix comments * fix comment * trying to fix most of the tests and force routing.Wrap type check * fix library panels tests * fix frontend logging tests * allow passing nil as a response to skip writing * return nil instead of the response * rewrite login handler function types * remove handlerFuncCtx * make linter happy * remove old bindings from the libraryelements * restore comments
4 years ago
sc.defaultHandler = routing.Wrap(func(c *models.ReqContext) response.Response {
Chore: Imperative request data binding (#39837) * rename Bind to BindMiddleware * make things private * removed unused part of data bindings * provide json and form binding helpers * add example of binding migration in login api * implement validation * fix tests * remove debug output * put new bind api into macaron pacakge * revert bind api breaking change
4 years ago
c.Req.Header.Set("Content-Type", "application/json")
c.Req.Body = io.NopCloser(bytes.NewBufferString(`{"user":"admin","password":"admin"}`))
return hs.LoginPost(c)
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
})
remove bus from login (#44995) * remove bus from login * remove comments and format correctly * remove the downcast
3 years ago
user := &models.User{
Id: 42,
Email: "",
}
Chore: Remove bus.Dispatch from some login packages (#47248) * Chore: Remove bus.Dispatch from some login packages * remove debug log Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * remove login.Init() * remove unused reset function * remove AuthenticateUserFunc global * swap conditional branches Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * fix formatting Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
3 years ago
hs.authenticator = &fakeAuthenticator{user, "", nil}
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
redirectCases := []redirectCase{
{
desc: "grafana relative url without subpath",
url: "/profile",
API: Fix redirect issues (#22285) * Revert "API: Fix redirect issue when configured to use a subpath (#21652)" (#22671) This reverts commit 0e2d874ecf9277dcc17d562e05271917efc8b595. * Fix redirect validation (#22675) * Chore: Add test for parse of app url and app sub url Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> * Fix redirect: prepend subpath only if it's missing (#22676) * Validate redirect in login oauth (#22677) * Fix invalid redirect for authenticated user (#22678) * Login: Use correct path for OAuth logos Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
5 years ago
appURL: "https://localhost:3000/",
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
},
{
API: Fix redirect issues (#22285) * Revert "API: Fix redirect issue when configured to use a subpath (#21652)" (#22671) This reverts commit 0e2d874ecf9277dcc17d562e05271917efc8b595. * Fix redirect validation (#22675) * Chore: Add test for parse of app url and app sub url Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> * Fix redirect: prepend subpath only if it's missing (#22676) * Validate redirect in login oauth (#22677) * Fix invalid redirect for authenticated user (#22678) * Login: Use correct path for OAuth logos Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
5 years ago
desc: "grafana relative url with subpath with leading slash",
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
url: "/grafana/profile",
API: Fix redirect issues (#22285) * Revert "API: Fix redirect issue when configured to use a subpath (#21652)" (#22671) This reverts commit 0e2d874ecf9277dcc17d562e05271917efc8b595. * Fix redirect validation (#22675) * Chore: Add test for parse of app url and app sub url Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> * Fix redirect: prepend subpath only if it's missing (#22676) * Validate redirect in login oauth (#22677) * Fix invalid redirect for authenticated user (#22678) * Login: Use correct path for OAuth logos Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
5 years ago
appURL: "https://localhost:3000/",
appSubURL: "/grafana",
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
},
API: Fix redirect issue when configured to use a subpath (#21652) * request uri will contain the subpath
5 years ago
{
API: Fix redirect issues (#22285) * Revert "API: Fix redirect issue when configured to use a subpath (#21652)" (#22671) This reverts commit 0e2d874ecf9277dcc17d562e05271917efc8b595. * Fix redirect validation (#22675) * Chore: Add test for parse of app url and app sub url Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> * Fix redirect: prepend subpath only if it's missing (#22676) * Validate redirect in login oauth (#22677) * Fix invalid redirect for authenticated user (#22678) * Login: Use correct path for OAuth logos Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
5 years ago
desc: "grafana invalid relative url starting with subpath",
url: "/grafanablah",
appURL: "https://localhost:3000/",
appSubURL: "/grafana",
err: login.ErrInvalidRedirectTo,
API: Fix redirect issue when configured to use a subpath (#21652) * request uri will contain the subpath
5 years ago
},
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
{
desc: "relative url with missing subpath",
url: "/profile",
API: Fix redirect issues (#22285) * Revert "API: Fix redirect issue when configured to use a subpath (#21652)" (#22671) This reverts commit 0e2d874ecf9277dcc17d562e05271917efc8b595. * Fix redirect validation (#22675) * Chore: Add test for parse of app url and app sub url Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> * Fix redirect: prepend subpath only if it's missing (#22676) * Validate redirect in login oauth (#22677) * Fix invalid redirect for authenticated user (#22678) * Login: Use correct path for OAuth logos Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
5 years ago
appURL: "https://localhost:3000/",
appSubURL: "/grafana",
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
err: login.ErrInvalidRedirectTo,
},
{
desc: "grafana absolute url",
url: "http://localhost:3000/profile",
API: Fix redirect issues (#22285) * Revert "API: Fix redirect issue when configured to use a subpath (#21652)" (#22671) This reverts commit 0e2d874ecf9277dcc17d562e05271917efc8b595. * Fix redirect validation (#22675) * Chore: Add test for parse of app url and app sub url Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> * Fix redirect: prepend subpath only if it's missing (#22676) * Validate redirect in login oauth (#22677) * Fix invalid redirect for authenticated user (#22678) * Login: Use correct path for OAuth logos Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
5 years ago
appURL: "http://localhost:3000/",
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
err: login.ErrAbsoluteRedirectTo,
},
{
desc: "non grafana absolute url",
url: "http://example.com",
API: Fix redirect issues (#22285) * Revert "API: Fix redirect issue when configured to use a subpath (#21652)" (#22671) This reverts commit 0e2d874ecf9277dcc17d562e05271917efc8b595. * Fix redirect validation (#22675) * Chore: Add test for parse of app url and app sub url Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> * Fix redirect: prepend subpath only if it's missing (#22676) * Validate redirect in login oauth (#22677) * Fix invalid redirect for authenticated user (#22678) * Login: Use correct path for OAuth logos Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
5 years ago
appURL: "https://localhost:3000/",
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
err: login.ErrAbsoluteRedirectTo,
},
Auth: Add support for forcing authentication in anonymous mode and modify SignIn to use it instead of redirect (#25567) * Forbid additional redirect urls * Optionally force login in anonymous mode * Update LoginCtrl page to ignore redirect parameter * Modify SignIn to set forceLogin query instead of redirect * Pass appUrl to frontend and use URL API for updating url query * Apply suggestions from code review Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix SignIn test Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
5 years ago
{
desc: "invalid URL",
url: ":foo",
appURL: "http://localhost:3000/",
err: login.ErrInvalidRedirectTo,
},
{
desc: "non-Grafana URL without scheme",
url: "example.com",
appURL: "http://localhost:3000/",
err: login.ErrForbiddenRedirectTo,
},
{
desc: "non-Grafana URL without scheme",
url: "www.example.com",
appURL: "http://localhost:3000/",
err: login.ErrForbiddenRedirectTo,
},
{
desc: "URL path is a host with two leading slashes",
url: "//example.com",
appURL: "http://localhost:3000/",
err: login.ErrForbiddenRedirectTo,
},
{
desc: "URL path is a host with three leading slashes",
url: "///example.com",
appURL: "http://localhost:3000/",
err: login.ErrForbiddenRedirectTo,
},
{
desc: "URL path is an IP address with two leading slashes",
url: "//0.0.0.0",
appURL: "http://localhost:3000/",
err: login.ErrForbiddenRedirectTo,
},
{
desc: "URL path is an IP address with three leading slashes",
url: "///0.0.0.0",
appURL: "http://localhost:3000/",
err: login.ErrForbiddenRedirectTo,
},
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
}
for _, c := range redirectCases {
Chore: Convert API tests to standard Go lib (#29009) * Chore: Convert tests to standard Go lib Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
5 years ago
hs.Cfg.AppURL = c.appURL
hs.Cfg.AppSubURL = c.appSubURL
remove bus from login (#44995) * remove bus from login * remove comments and format correctly * remove the downcast
3 years ago
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
t.Run(c.desc, func(t *testing.T) {
Auth: Remove trailing / in cookies' path (#22265) (#22265) According to the stackoverflow answer below, it is recommended to not include a trailing / in cookies' path. By removing the trailing / for our cookies path value, people's browsers visiting grafana will pass the cookie not only to /grafana/ sub paths but also to /grafana sub paths. This commit avoids the situation where a user would visit http://localhost/grafana, get redirected to http://localhost/grafana/login, and following login get redirected back to http://localhost/grafana, but since the grafana_session cookie isn't passed along get redirected back once more to http://localhost/grafana/login. ref: https://stackoverflow.com/questions/36131023/setting-a-slash-on-cookie-path/53784228#53784228 ref: https://tools.ietf.org/html/rfc6265#section-5.1.4
5 years ago
expCookiePath := "/"
Chore: Convert API tests to standard Go lib (#29009) * Chore: Convert tests to standard Go lib Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
5 years ago
if len(hs.Cfg.AppSubURL) > 0 {
expCookiePath = hs.Cfg.AppSubURL
Auth: Remove trailing / in cookies' path (#22265) (#22265) According to the stackoverflow answer below, it is recommended to not include a trailing / in cookies' path. By removing the trailing / for our cookies path value, people's browsers visiting grafana will pass the cookie not only to /grafana/ sub paths but also to /grafana sub paths. This commit avoids the situation where a user would visit http://localhost/grafana, get redirected to http://localhost/grafana/login, and following login get redirected back to http://localhost/grafana, but since the grafana_session cookie isn't passed along get redirected back once more to http://localhost/grafana/login. ref: https://stackoverflow.com/questions/36131023/setting-a-slash-on-cookie-path/53784228#53784228 ref: https://tools.ietf.org/html/rfc6265#section-5.1.4
5 years ago
}
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
cookie := http.Cookie{
Name: "redirect_to",
MaxAge: 60,
Value: c.url,
HttpOnly: true,
Auth: Remove trailing / in cookies' path (#22265) (#22265) According to the stackoverflow answer below, it is recommended to not include a trailing / in cookies' path. By removing the trailing / for our cookies path value, people's browsers visiting grafana will pass the cookie not only to /grafana/ sub paths but also to /grafana sub paths. This commit avoids the situation where a user would visit http://localhost/grafana, get redirected to http://localhost/grafana/login, and following login get redirected back to http://localhost/grafana, but since the grafana_session cookie isn't passed along get redirected back once more to http://localhost/grafana/login. ref: https://stackoverflow.com/questions/36131023/setting-a-slash-on-cookie-path/53784228#53784228 ref: https://tools.ietf.org/html/rfc6265#section-5.1.4
5 years ago
Path: expCookiePath,
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
Secure: hs.Cfg.CookieSecure,
Add disabled option for cookie samesite attribute (#21472) Breaking change: If disabled the cookie samesite cookie attribute will not be set, but if none the attribute will be set and is a breaking change compared to before where none did not render the attribute. This was due to a known issue in Safari. Co-Authored-By: Arve Knudsen <arve.knudsen@gmail.com> Co-Authored-By: Diana Payton <52059945+oddlittlebird@users.noreply.github.com> Fixes #19847
6 years ago
SameSite: hs.Cfg.CookieSameSiteMode,
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
}
sc.m.Post(sc.url, sc.defaultHandler)
sc.fakeReqNoAssertionsWithCookie("POST", sc.url, cookie).exec()
Middleware: Add CSP support (#29740) * Middleware: Add support for CSP Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored by @iOrcohen
5 years ago
require.Equal(t, 200, sc.resp.Code)
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
respJSON, err := simplejson.NewJson(sc.resp.Body.Bytes())
Middleware: Add CSP support (#29740) * Middleware: Add support for CSP Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored by @iOrcohen
5 years ago
require.NoError(t, err)
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
redirectURL := respJSON.Get("redirectUrl").MustString()
if c.err != nil {
assert.Equal(t, "", redirectURL)
} else {
assert.Equal(t, c.url, redirectURL)
}
Security: refactor 'redirect_to' cookie to use 'Secure' flag (#19787) * Refactor redirect_to cookie with secure flag in middleware * Refactor redirect_to cookie with secure flag in api/login * Refactor redirect_to cookie with secure flag in api/login_oauth * Removed the deletion of 'Set-Cookie' header to prevent logout * Removed the deletion of 'Set-Cookie' at top of api/login.go * Add HttpOnly flag on redirect_to cookies where missing * Refactor duplicated code * Add tests * Refactor cookie options * Replace local function for deleting cookie * Delete redundant calls Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com>
6 years ago
// assert redirect_to cookie is deleted
setCookie, ok := sc.resp.Header()["Set-Cookie"]
assert.True(t, ok, "Set-Cookie exists")
assert.Greater(t, len(setCookie), 0)
var redirectToCookieFound bool
Auth: Remove trailing / in cookies' path (#22265) (#22265) According to the stackoverflow answer below, it is recommended to not include a trailing / in cookies' path. By removing the trailing / for our cookies path value, people's browsers visiting grafana will pass the cookie not only to /grafana/ sub paths but also to /grafana sub paths. This commit avoids the situation where a user would visit http://localhost/grafana, get redirected to http://localhost/grafana/login, and following login get redirected back to http://localhost/grafana, but since the grafana_session cookie isn't passed along get redirected back once more to http://localhost/grafana/login. ref: https://stackoverflow.com/questions/36131023/setting-a-slash-on-cookie-path/53784228#53784228 ref: https://tools.ietf.org/html/rfc6265#section-5.1.4
5 years ago
expCookieValue := fmt.Sprintf("redirect_to=; Path=%v; Max-Age=0; HttpOnly; Secure", expCookiePath)
Security: refactor 'redirect_to' cookie to use 'Secure' flag (#19787) * Refactor redirect_to cookie with secure flag in middleware * Refactor redirect_to cookie with secure flag in api/login * Refactor redirect_to cookie with secure flag in api/login_oauth * Removed the deletion of 'Set-Cookie' header to prevent logout * Removed the deletion of 'Set-Cookie' at top of api/login.go * Add HttpOnly flag on redirect_to cookies where missing * Refactor duplicated code * Add tests * Refactor cookie options * Replace local function for deleting cookie * Delete redundant calls Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com>
6 years ago
for _, cookieValue := range setCookie {
if cookieValue == expCookieValue {
redirectToCookieFound = true
break
}
}
assert.True(t, redirectToCookieFound)
API: Validate redirect_to cookie has valid (Grafana) url (#21057) * Restrict redirect_to to valid relative paths * Add tests
6 years ago
})
}
}
Fix: Break redirect loop if oauth_auto_login = true and OAuth login fails (#17974) * Add tests for login view * Fix OAuth auto login redirect loop login_error cookie is only set when the OAuth login fails for some reason. Therefore, the login view should return immediately if a login_error cookie exists before trying to login the user using OAuth again. * Fix test Use 'index-template' instead of 'index' for testing * Add some comments
6 years ago
func TestLoginOAuthRedirect(t *testing.T) {
Backend: Remove more globals (#29644) Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
5 years ago
fakeSetIndexViewData(t)
Fix: Break redirect loop if oauth_auto_login = true and OAuth login fails (#17974) * Add tests for login view * Fix OAuth auto login redirect loop login_error cookie is only set when the OAuth login fails for some reason. Therefore, the login view should return immediately if a login_error cookie exists before trying to login the user using OAuth again. * Fix test Use 'index-template' instead of 'index' for testing * Add some comments
6 years ago
Chore: Convert API tests to standard Go lib (#29009) * Chore: Convert tests to standard Go lib Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
5 years ago
sc := setupScenarioContext(t, "/login")
Settings: Encapsulate settings within an extensible provider (#32219) * Encapsulate settings with a provider with support for runtime reloads * SettingsProvider: reload is controlled by the services * naive impl of reload handlers for settings * working naive detection on new changes * Trigger settings reload from API endpoint * validation step added * validation of settings * Fix linting errors * Replace DB_Varchar by DB_NVarchar * Reduce settings columns (section, key) lenghts * wip db update logic * Db Settings: separate updates and removals * Fix: removes incorrectly added code * Minor code improvements * Runtime settings: moved oss -> ee * Remove no longer used setting.Cfg SAML-related fields * Rename file setting/settings.go => setting/provider.go * Apply suggestions from code review Co-authored-by: Agnès Toulet <35176601+AgnesToulet@users.noreply.github.com> * Minor code improvements on OSS settings provider * Fix some login API tests * Correct some GoDoc comments * Apply suggestions from code review Co-authored-by: Agnès Toulet <35176601+AgnesToulet@users.noreply.github.com> Co-authored-by: Leonard Gram <leo@xlson.com> Co-authored-by: Agnès Toulet <35176601+AgnesToulet@users.noreply.github.com>
4 years ago
cfg := setting.NewCfg()
Chore: Refactor OAuth/social package to service (#35403) * Creating SocialService * Add GetOAuthProviders as socialService method * Add OAuthTokenService * Add GetOAuthHttpClient method to SocialService * Rename services, access socialMap from GetConnector * Fix tests by mocking oauthtoken methods * Move NewAuthService into Init * Move OAuthService to social pkg * Refactor OAuthService to OAuthProvider * Fix nil map error, rename file, simplify tests * Fix bug for Forward OAuth Identify * Remove file after rebase
4 years ago
mock := &mockSocialService{
oAuthInfo: &social.OAuthInfo{
ClientId: "fake",
ClientSecret: "fakefake",
Enabled: true,
AllowSignup: true,
Name: "github",
},
oAuthInfos: oAuthInfos,
}
Fix: Break redirect loop if oauth_auto_login = true and OAuth login fails (#17974) * Add tests for login view * Fix OAuth auto login redirect loop login_error cookie is only set when the OAuth login fails for some reason. Therefore, the login view should return immediately if a login_error cookie exists before trying to login the user using OAuth again. * Fix test Use 'index-template' instead of 'index' for testing * Add some comments
6 years ago
hs := &HTTPServer{
Settings: Encapsulate settings within an extensible provider (#32219) * Encapsulate settings with a provider with support for runtime reloads * SettingsProvider: reload is controlled by the services * naive impl of reload handlers for settings * working naive detection on new changes * Trigger settings reload from API endpoint * validation step added * validation of settings * Fix linting errors * Replace DB_Varchar by DB_NVarchar * Reduce settings columns (section, key) lenghts * wip db update logic * Db Settings: separate updates and removals * Fix: removes incorrectly added code * Minor code improvements * Runtime settings: moved oss -> ee * Remove no longer used setting.Cfg SAML-related fields * Rename file setting/settings.go => setting/provider.go * Apply suggestions from code review Co-authored-by: Agnès Toulet <35176601+AgnesToulet@users.noreply.github.com> * Minor code improvements on OSS settings provider * Fix some login API tests * Correct some GoDoc comments * Apply suggestions from code review Co-authored-by: Agnès Toulet <35176601+AgnesToulet@users.noreply.github.com> Co-authored-by: Leonard Gram <leo@xlson.com> Co-authored-by: Agnès Toulet <35176601+AgnesToulet@users.noreply.github.com>
4 years ago
Cfg: cfg,
SettingsProvider: &setting.OSSImpl{Cfg: cfg},
License: &licensing.OSSLicensingService{},
Chore: Refactor OAuth/social package to service (#35403) * Creating SocialService * Add GetOAuthProviders as socialService method * Add OAuthTokenService * Add GetOAuthHttpClient method to SocialService * Rename services, access socialMap from GetConnector * Fix tests by mocking oauthtoken methods * Move NewAuthService into Init * Move OAuthService to social pkg * Refactor OAuthService to OAuthProvider * Fix nil map error, rename file, simplify tests * Fix bug for Forward OAuth Identify * Remove file after rebase
4 years ago
SocialService: mock,
Fix: Break redirect loop if oauth_auto_login = true and OAuth login fails (#17974) * Add tests for login view * Fix OAuth auto login redirect loop login_error cookie is only set when the OAuth login fails for some reason. Therefore, the login view should return immediately if a login_error cookie exists before trying to login the user using OAuth again. * Fix test Use 'index-template' instead of 'index' for testing * Add some comments
6 years ago
}
Chore: Refactor api handlers to use web.Bind (#42199) * Chore: Refactor api handlers to use web.Bind * fix comments * fix comment * trying to fix most of the tests and force routing.Wrap type check * fix library panels tests * fix frontend logging tests * allow passing nil as a response to skip writing * return nil instead of the response * rewrite login handler function types * remove handlerFuncCtx * make linter happy * remove old bindings from the libraryelements * restore comments
4 years ago
sc.defaultHandler = routing.Wrap(func(c *models.ReqContext) response.Response {
Fix: Break redirect loop if oauth_auto_login = true and OAuth login fails (#17974) * Add tests for login view * Fix OAuth auto login redirect loop login_error cookie is only set when the OAuth login fails for some reason. Therefore, the login view should return immediately if a login_error cookie exists before trying to login the user using OAuth again. * Fix test Use 'index-template' instead of 'index' for testing * Add some comments
6 years ago
hs.LoginView(c)
Chore: Refactor api handlers to use web.Bind (#42199) * Chore: Refactor api handlers to use web.Bind * fix comments * fix comment * trying to fix most of the tests and force routing.Wrap type check * fix library panels tests * fix frontend logging tests * allow passing nil as a response to skip writing * return nil instead of the response * rewrite login handler function types * remove handlerFuncCtx * make linter happy * remove old bindings from the libraryelements * restore comments
4 years ago
return response.Empty(http.StatusOK)
Fix: Break redirect loop if oauth_auto_login = true and OAuth login fails (#17974) * Add tests for login view * Fix OAuth auto login redirect loop login_error cookie is only set when the OAuth login fails for some reason. Therefore, the login view should return immediately if a login_error cookie exists before trying to login the user using OAuth again. * Fix test Use 'index-template' instead of 'index' for testing * Add some comments
6 years ago
})
setting.OAuthAutoLogin = true
sc.m.Get(sc.url, sc.defaultHandler)
sc.fakeReqNoAssertions("GET", sc.url).exec()
Middleware: Add CSP support (#29740) * Middleware: Add support for CSP Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored by @iOrcohen
5 years ago
require.Equal(t, 307, sc.resp.Code)
Fix: Break redirect loop if oauth_auto_login = true and OAuth login fails (#17974) * Add tests for login view * Fix OAuth auto login redirect loop login_error cookie is only set when the OAuth login fails for some reason. Therefore, the login view should return immediately if a login_error cookie exists before trying to login the user using OAuth again. * Fix test Use 'index-template' instead of 'index' for testing * Add some comments
6 years ago
location, ok := sc.resp.Header()["Location"]
assert.True(t, ok)
Middleware: Add CSP support (#29740) * Middleware: Add support for CSP Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored by @iOrcohen
5 years ago
assert.Equal(t, "/login/github", location[0])
Fix: Break redirect loop if oauth_auto_login = true and OAuth login fails (#17974) * Add tests for login view * Fix OAuth auto login redirect loop login_error cookie is only set when the OAuth login fails for some reason. Therefore, the login view should return immediately if a login_error cookie exists before trying to login the user using OAuth again. * Fix test Use 'index-template' instead of 'index' for testing * Add some comments
6 years ago
}
AuthProxy: Can now login with auth proxy and get a login token (#20175) * AuthProxy: Can now login with auth proxy and get a login token * added unit tests * renamed setting and updated docs * AuthProxy: minor tweak * Fixed tests and namings * spellfix * fix * remove unused setting, probably from merge conflict * fix
6 years ago
OAuth: Able to skip auto login (#28357) * OAuth: able to skip auto login * OAuth: tests for internal login param * OAuth: rename internal -> disableAutoLogin * OAuth: update log message * OAuth: fix tests
5 years ago
func TestLoginInternal(t *testing.T) {
Backend: Remove more globals (#29644) Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
5 years ago
fakeSetIndexViewData(t)
OAuth: Able to skip auto login (#28357) * OAuth: able to skip auto login * OAuth: tests for internal login param * OAuth: rename internal -> disableAutoLogin * OAuth: update log message * OAuth: fix tests
5 years ago
Backend: Remove more globals (#29644) Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
5 years ago
fakeViewIndex(t)
Chore: Convert API tests to standard Go lib (#29009) * Chore: Convert tests to standard Go lib Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
5 years ago
sc := setupScenarioContext(t, "/login")
OAuth: Able to skip auto login (#28357) * OAuth: able to skip auto login * OAuth: tests for internal login param * OAuth: rename internal -> disableAutoLogin * OAuth: update log message * OAuth: fix tests
5 years ago
hs := &HTTPServer{
Cfg: setting.NewCfg(),
License: &licensing.OSSLicensingService{},
log: log.New("test"),
}
Chore: Refactor api handlers to use web.Bind (#42199) * Chore: Refactor api handlers to use web.Bind * fix comments * fix comment * trying to fix most of the tests and force routing.Wrap type check * fix library panels tests * fix frontend logging tests * allow passing nil as a response to skip writing * return nil instead of the response * rewrite login handler function types * remove handlerFuncCtx * make linter happy * remove old bindings from the libraryelements * restore comments
4 years ago
sc.defaultHandler = routing.Wrap(func(c *models.ReqContext) response.Response {
OAuth: Able to skip auto login (#28357) * OAuth: able to skip auto login * OAuth: tests for internal login param * OAuth: rename internal -> disableAutoLogin * OAuth: update log message * OAuth: fix tests
5 years ago
c.Req.URL.RawQuery = "disableAutoLogin=true"
hs.LoginView(c)
Chore: Refactor api handlers to use web.Bind (#42199) * Chore: Refactor api handlers to use web.Bind * fix comments * fix comment * trying to fix most of the tests and force routing.Wrap type check * fix library panels tests * fix frontend logging tests * allow passing nil as a response to skip writing * return nil instead of the response * rewrite login handler function types * remove handlerFuncCtx * make linter happy * remove old bindings from the libraryelements * restore comments
4 years ago
return response.Empty(http.StatusOK)
OAuth: Able to skip auto login (#28357) * OAuth: able to skip auto login * OAuth: tests for internal login param * OAuth: rename internal -> disableAutoLogin * OAuth: update log message * OAuth: fix tests
5 years ago
})
setting.OAuthAutoLogin = true
sc.m.Get(sc.url, sc.defaultHandler)
sc.fakeReqNoAssertions("GET", sc.url).exec()
// Shouldn't redirect to the OAuth login URL
Middleware: Add CSP support (#29740) * Middleware: Add support for CSP Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored by @iOrcohen
5 years ago
assert.Equal(t, 200, sc.resp.Code)
OAuth: Able to skip auto login (#28357) * OAuth: able to skip auto login * OAuth: tests for internal login param * OAuth: rename internal -> disableAutoLogin * OAuth: update log message * OAuth: fix tests
5 years ago
}
AuthProxy: Can now login with auth proxy and get a login token (#20175) * AuthProxy: Can now login with auth proxy and get a login token * added unit tests * renamed setting and updated docs * AuthProxy: minor tweak * Fixed tests and namings * spellfix * fix * remove unused setting, probably from merge conflict * fix
6 years ago
func TestAuthProxyLoginEnableLoginTokenDisabled(t *testing.T) {
Chore: Convert API tests to standard Go lib (#29009) * Chore: Convert tests to standard Go lib Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
5 years ago
sc := setupAuthProxyLoginTest(t, false)
AuthProxy: Can now login with auth proxy and get a login token (#20175) * AuthProxy: Can now login with auth proxy and get a login token * added unit tests * renamed setting and updated docs * AuthProxy: minor tweak * Fixed tests and namings * spellfix * fix * remove unused setting, probably from merge conflict * fix
6 years ago
Middleware: Add CSP support (#29740) * Middleware: Add support for CSP Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored by @iOrcohen
5 years ago
require.Equal(t, 302, sc.resp.Code)
AuthProxy: Can now login with auth proxy and get a login token (#20175) * AuthProxy: Can now login with auth proxy and get a login token * added unit tests * renamed setting and updated docs * AuthProxy: minor tweak * Fixed tests and namings * spellfix * fix * remove unused setting, probably from merge conflict * fix
6 years ago
location, ok := sc.resp.Header()["Location"]
assert.True(t, ok)
Middleware: Add CSP support (#29740) * Middleware: Add support for CSP Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored by @iOrcohen
5 years ago
assert.Equal(t, "/", location[0])
AuthProxy: Can now login with auth proxy and get a login token (#20175) * AuthProxy: Can now login with auth proxy and get a login token * added unit tests * renamed setting and updated docs * AuthProxy: minor tweak * Fixed tests and namings * spellfix * fix * remove unused setting, probably from merge conflict * fix
6 years ago
_, ok = sc.resp.Header()["Set-Cookie"]
assert.False(t, ok, "Set-Cookie does not exist")
}
func TestAuthProxyLoginWithEnableLoginToken(t *testing.T) {
Chore: Convert API tests to standard Go lib (#29009) * Chore: Convert tests to standard Go lib Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
5 years ago
sc := setupAuthProxyLoginTest(t, true)
Middleware: Add CSP support (#29740) * Middleware: Add support for CSP Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored by @iOrcohen
5 years ago
require.Equal(t, 302, sc.resp.Code)
AuthProxy: Can now login with auth proxy and get a login token (#20175) * AuthProxy: Can now login with auth proxy and get a login token * added unit tests * renamed setting and updated docs * AuthProxy: minor tweak * Fixed tests and namings * spellfix * fix * remove unused setting, probably from merge conflict * fix
6 years ago
location, ok := sc.resp.Header()["Location"]
assert.True(t, ok)
Middleware: Add CSP support (#29740) * Middleware: Add support for CSP Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored by @iOrcohen
5 years ago
assert.Equal(t, "/", location[0])
Backend: Remove more globals (#29644) Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
5 years ago
setCookie := sc.resp.Header()["Set-Cookie"]
require.NotNil(t, setCookie, "Set-Cookie should exist")
AuthProxy: Can now login with auth proxy and get a login token (#20175) * AuthProxy: Can now login with auth proxy and get a login token * added unit tests * renamed setting and updated docs * AuthProxy: minor tweak * Fixed tests and namings * spellfix * fix * remove unused setting, probably from merge conflict * fix
6 years ago
assert.Equal(t, "grafana_session=; Path=/; Max-Age=0; HttpOnly", setCookie[0])
}
Chore: Convert API tests to standard Go lib (#29009) * Chore: Convert tests to standard Go lib Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
5 years ago
func setupAuthProxyLoginTest(t *testing.T, enableLoginToken bool) *scenarioContext {
Backend: Remove more globals (#29644) Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
5 years ago
fakeSetIndexViewData(t)
AuthProxy: Can now login with auth proxy and get a login token (#20175) * AuthProxy: Can now login with auth proxy and get a login token * added unit tests * renamed setting and updated docs * AuthProxy: minor tweak * Fixed tests and namings * spellfix * fix * remove unused setting, probably from merge conflict * fix
6 years ago
Chore: Convert API tests to standard Go lib (#29009) * Chore: Convert tests to standard Go lib Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
5 years ago
sc := setupScenarioContext(t, "/login")
Backend: Remove more globals (#29644) Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
5 years ago
sc.cfg.LoginCookieName = "grafana_session"
AuthProxy: Can now login with auth proxy and get a login token (#20175) * AuthProxy: Can now login with auth proxy and get a login token * added unit tests * renamed setting and updated docs * AuthProxy: minor tweak * Fixed tests and namings * spellfix * fix * remove unused setting, probably from merge conflict * fix
6 years ago
hs := &HTTPServer{
Backend: Remove more globals (#29644) Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
5 years ago
Cfg: sc.cfg,
Settings: Encapsulate settings within an extensible provider (#32219) * Encapsulate settings with a provider with support for runtime reloads * SettingsProvider: reload is controlled by the services * naive impl of reload handlers for settings * working naive detection on new changes * Trigger settings reload from API endpoint * validation step added * validation of settings * Fix linting errors * Replace DB_Varchar by DB_NVarchar * Reduce settings columns (section, key) lenghts * wip db update logic * Db Settings: separate updates and removals * Fix: removes incorrectly added code * Minor code improvements * Runtime settings: moved oss -> ee * Remove no longer used setting.Cfg SAML-related fields * Rename file setting/settings.go => setting/provider.go * Apply suggestions from code review Co-authored-by: Agnès Toulet <35176601+AgnesToulet@users.noreply.github.com> * Minor code improvements on OSS settings provider * Fix some login API tests * Correct some GoDoc comments * Apply suggestions from code review Co-authored-by: Agnès Toulet <35176601+AgnesToulet@users.noreply.github.com> Co-authored-by: Leonard Gram <leo@xlson.com> Co-authored-by: Agnès Toulet <35176601+AgnesToulet@users.noreply.github.com>
4 years ago
SettingsProvider: &setting.OSSImpl{Cfg: sc.cfg},
Admin: Add promotional page for Grafana Enterprise (#21422) Co-authored-by: Torkel Ödegaard <torkel@grafana.com>
6 years ago
License: &licensing.OSSLicensingService{},
AuthProxy: Can now login with auth proxy and get a login token (#20175) * AuthProxy: Can now login with auth proxy and get a login token * added unit tests * renamed setting and updated docs * AuthProxy: minor tweak * Fixed tests and namings * spellfix * fix * remove unused setting, probably from merge conflict * fix
6 years ago
AuthTokenService: auth.NewFakeUserAuthTokenService(),
log: log.New("hello"),
Chore: Refactor OAuth/social package to service (#35403) * Creating SocialService * Add GetOAuthProviders as socialService method * Add OAuthTokenService * Add GetOAuthHttpClient method to SocialService * Rename services, access socialMap from GetConnector * Fix tests by mocking oauthtoken methods * Move NewAuthService into Init * Move OAuthService to social pkg * Refactor OAuthService to OAuthProvider * Fix nil map error, rename file, simplify tests * Fix bug for Forward OAuth Identify * Remove file after rebase
4 years ago
SocialService: &mockSocialService{},
AuthProxy: Can now login with auth proxy and get a login token (#20175) * AuthProxy: Can now login with auth proxy and get a login token * added unit tests * renamed setting and updated docs * AuthProxy: minor tweak * Fixed tests and namings * spellfix * fix * remove unused setting, probably from merge conflict * fix
6 years ago
}
Chore: Refactor api handlers to use web.Bind (#42199) * Chore: Refactor api handlers to use web.Bind * fix comments * fix comment * trying to fix most of the tests and force routing.Wrap type check * fix library panels tests * fix frontend logging tests * allow passing nil as a response to skip writing * return nil instead of the response * rewrite login handler function types * remove handlerFuncCtx * make linter happy * remove old bindings from the libraryelements * restore comments
4 years ago
sc.defaultHandler = routing.Wrap(func(c *models.ReqContext) response.Response {
AuthProxy: Can now login with auth proxy and get a login token (#20175) * AuthProxy: Can now login with auth proxy and get a login token * added unit tests * renamed setting and updated docs * AuthProxy: minor tweak * Fixed tests and namings * spellfix * fix * remove unused setting, probably from merge conflict * fix
6 years ago
c.IsSignedIn = true
c.SignedInUser = &models.SignedInUser{
UserId: 10,
}
hs.LoginView(c)
Chore: Refactor api handlers to use web.Bind (#42199) * Chore: Refactor api handlers to use web.Bind * fix comments * fix comment * trying to fix most of the tests and force routing.Wrap type check * fix library panels tests * fix frontend logging tests * allow passing nil as a response to skip writing * return nil instead of the response * rewrite login handler function types * remove handlerFuncCtx * make linter happy * remove old bindings from the libraryelements * restore comments
4 years ago
return response.Empty(http.StatusOK)
AuthProxy: Can now login with auth proxy and get a login token (#20175) * AuthProxy: Can now login with auth proxy and get a login token * added unit tests * renamed setting and updated docs * AuthProxy: minor tweak * Fixed tests and namings * spellfix * fix * remove unused setting, probably from merge conflict * fix
6 years ago
})
Backend: Remove more globals (#29644) Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
5 years ago
sc.cfg.AuthProxyEnabled = true
sc.cfg.AuthProxyEnableLoginToken = enableLoginToken
AuthProxy: Can now login with auth proxy and get a login token (#20175) * AuthProxy: Can now login with auth proxy and get a login token * added unit tests * renamed setting and updated docs * AuthProxy: minor tweak * Fixed tests and namings * spellfix * fix * remove unused setting, probably from merge conflict * fix
6 years ago
sc.m.Get(sc.url, sc.defaultHandler)
sc.fakeReqNoAssertions("GET", sc.url).exec()
return sc
}
API: send Login actions (#27249) * API: first version to send events about login actions * API: improve login actions events * Login: update auth test with new behavior * Login: update auth test for auth module * Login OAuth: improve functions structure * API: make struct public to use for saml * API: add send login log tests for grafana and ldap login * API: remove log from tests * Login API: fix test linting * Update pkg/api/login_oauth.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Login API: refactor using defer Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
5 years ago
API: replace SendLoginLogCommand with LoginHook (#28777) * API: replace SendLoginLogCommand with LoginHook * LoginInfo: Query -> LoginUsername
5 years ago
type loginHookTest struct {
info *models.LoginInfo
API: send Login actions (#27249) * API: first version to send events about login actions * API: improve login actions events * Login: update auth test with new behavior * Login: update auth test for auth module * Login OAuth: improve functions structure * API: make struct public to use for saml * API: add send login log tests for grafana and ldap login * API: remove log from tests * Login API: fix test linting * Update pkg/api/login_oauth.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Login API: refactor using defer Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
5 years ago
}
API: replace SendLoginLogCommand with LoginHook (#28777) * API: replace SendLoginLogCommand with LoginHook * LoginInfo: Query -> LoginUsername
5 years ago
func (r *loginHookTest) LoginHook(loginInfo *models.LoginInfo, req *models.ReqContext) {
r.info = loginInfo
API: send Login actions (#27249) * API: first version to send events about login actions * API: improve login actions events * Login: update auth test with new behavior * Login: update auth test for auth module * Login OAuth: improve functions structure * API: make struct public to use for saml * API: add send login log tests for grafana and ldap login * API: remove log from tests * Login API: fix test linting * Update pkg/api/login_oauth.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Login API: refactor using defer Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
5 years ago
}
API: replace SendLoginLogCommand with LoginHook (#28777) * API: replace SendLoginLogCommand with LoginHook * LoginInfo: Query -> LoginUsername
5 years ago
func TestLoginPostRunLokingHook(t *testing.T) {
Chore: Convert API tests to standard Go lib (#29009) * Chore: Convert tests to standard Go lib Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
5 years ago
sc := setupScenarioContext(t, "/login")
API: replace SendLoginLogCommand with LoginHook (#28777) * API: replace SendLoginLogCommand with LoginHook * LoginInfo: Query -> LoginUsername
5 years ago
hookService := &hooks.HooksService{}
API: send Login actions (#27249) * API: first version to send events about login actions * API: improve login actions events * Login: update auth test with new behavior * Login: update auth test for auth module * Login OAuth: improve functions structure * API: make struct public to use for saml * API: add send login log tests for grafana and ldap login * API: remove log from tests * Login API: fix test linting * Update pkg/api/login_oauth.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Login API: refactor using defer Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
5 years ago
hs := &HTTPServer{
log: log.New("test"),
Cfg: setting.NewCfg(),
License: &licensing.OSSLicensingService{},
AuthTokenService: auth.NewFakeUserAuthTokenService(),
API: replace SendLoginLogCommand with LoginHook (#28777) * API: replace SendLoginLogCommand with LoginHook * LoginInfo: Query -> LoginUsername
5 years ago
HooksService: hookService,
API: send Login actions (#27249) * API: first version to send events about login actions * API: improve login actions events * Login: update auth test with new behavior * Login: update auth test for auth module * Login OAuth: improve functions structure * API: make struct public to use for saml * API: add send login log tests for grafana and ldap login * API: remove log from tests * Login API: fix test linting * Update pkg/api/login_oauth.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Login API: refactor using defer Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
5 years ago
}
Chore: Refactor api handlers to use web.Bind (#42199) * Chore: Refactor api handlers to use web.Bind * fix comments * fix comment * trying to fix most of the tests and force routing.Wrap type check * fix library panels tests * fix frontend logging tests * allow passing nil as a response to skip writing * return nil instead of the response * rewrite login handler function types * remove handlerFuncCtx * make linter happy * remove old bindings from the libraryelements * restore comments
4 years ago
sc.defaultHandler = routing.Wrap(func(c *models.ReqContext) response.Response {
Chore: Imperative request data binding (#39837) * rename Bind to BindMiddleware * make things private * removed unused part of data bindings * provide json and form binding helpers * add example of binding migration in login api * implement validation * fix tests * remove debug output * put new bind api into macaron pacakge * revert bind api breaking change
4 years ago
c.Req.Header.Set("Content-Type", "application/json")
c.Req.Body = io.NopCloser(bytes.NewBufferString(`{"user":"admin","password":"admin"}`))
x := hs.LoginPost(c)
return x
API: send Login actions (#27249) * API: first version to send events about login actions * API: improve login actions events * Login: update auth test with new behavior * Login: update auth test for auth module * Login OAuth: improve functions structure * API: make struct public to use for saml * API: add send login log tests for grafana and ldap login * API: remove log from tests * Login API: fix test linting * Update pkg/api/login_oauth.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Login API: refactor using defer Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
5 years ago
})
API: replace SendLoginLogCommand with LoginHook (#28777) * API: replace SendLoginLogCommand with LoginHook * LoginInfo: Query -> LoginUsername
5 years ago
testHook := loginHookTest{}
hookService.AddLoginHook(testHook.LoginHook)
API: send Login actions (#27249) * API: first version to send events about login actions * API: improve login actions events * Login: update auth test with new behavior * Login: update auth test for auth module * Login OAuth: improve functions structure * API: make struct public to use for saml * API: add send login log tests for grafana and ldap login * API: remove log from tests * Login API: fix test linting * Update pkg/api/login_oauth.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Login API: refactor using defer Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
5 years ago
testUser := &models.User{
Id: 42,
Email: "",
}
API: replace SendLoginLogCommand with LoginHook (#28777) * API: replace SendLoginLogCommand with LoginHook * LoginInfo: Query -> LoginUsername
5 years ago
testCases := []struct {
desc string
authUser *models.User
authModule string
authErr error
info models.LoginInfo
}{
API: send Login actions (#27249) * API: first version to send events about login actions * API: improve login actions events * Login: update auth test with new behavior * Login: update auth test for auth module * Login OAuth: improve functions structure * API: make struct public to use for saml * API: add send login log tests for grafana and ldap login * API: remove log from tests * Login API: fix test linting * Update pkg/api/login_oauth.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Login API: refactor using defer Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
5 years ago
{
desc: "invalid credentials",
authErr: login.ErrInvalidCredentials,
API: replace SendLoginLogCommand with LoginHook (#28777) * API: replace SendLoginLogCommand with LoginHook * LoginInfo: Query -> LoginUsername
5 years ago
info: models.LoginInfo{
AuthModule: "",
API: send Login actions (#27249) * API: first version to send events about login actions * API: improve login actions events * Login: update auth test with new behavior * Login: update auth test for auth module * Login OAuth: improve functions structure * API: make struct public to use for saml * API: add send login log tests for grafana and ldap login * API: remove log from tests * Login API: fix test linting * Update pkg/api/login_oauth.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Login API: refactor using defer Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
5 years ago
HTTPStatus: 401,
Error: login.ErrInvalidCredentials,
},
},
{
desc: "user disabled",
authErr: login.ErrUserDisabled,
API: replace SendLoginLogCommand with LoginHook (#28777) * API: replace SendLoginLogCommand with LoginHook * LoginInfo: Query -> LoginUsername
5 years ago
info: models.LoginInfo{
AuthModule: "",
API: send Login actions (#27249) * API: first version to send events about login actions * API: improve login actions events * Login: update auth test with new behavior * Login: update auth test for auth module * Login OAuth: improve functions structure * API: make struct public to use for saml * API: add send login log tests for grafana and ldap login * API: remove log from tests * Login API: fix test linting * Update pkg/api/login_oauth.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Login API: refactor using defer Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
5 years ago
HTTPStatus: 401,
Error: login.ErrUserDisabled,
},
},
{
desc: "valid Grafana user",
authUser: testUser,
authModule: "grafana",
API: replace SendLoginLogCommand with LoginHook (#28777) * API: replace SendLoginLogCommand with LoginHook * LoginInfo: Query -> LoginUsername
5 years ago
info: models.LoginInfo{
AuthModule: "grafana",
API: send Login actions (#27249) * API: first version to send events about login actions * API: improve login actions events * Login: update auth test with new behavior * Login: update auth test for auth module * Login OAuth: improve functions structure * API: make struct public to use for saml * API: add send login log tests for grafana and ldap login * API: remove log from tests * Login API: fix test linting * Update pkg/api/login_oauth.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Login API: refactor using defer Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
5 years ago
User: testUser,
HTTPStatus: 200,
},
},
{
desc: "valid LDAP user",
authUser: testUser,
authModule: "ldap",
API: replace SendLoginLogCommand with LoginHook (#28777) * API: replace SendLoginLogCommand with LoginHook * LoginInfo: Query -> LoginUsername
5 years ago
info: models.LoginInfo{
AuthModule: "ldap",
API: send Login actions (#27249) * API: first version to send events about login actions * API: improve login actions events * Login: update auth test with new behavior * Login: update auth test for auth module * Login OAuth: improve functions structure * API: make struct public to use for saml * API: add send login log tests for grafana and ldap login * API: remove log from tests * Login API: fix test linting * Update pkg/api/login_oauth.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Login API: refactor using defer Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
5 years ago
User: testUser,
HTTPStatus: 200,
},
},
}
for _, c := range testCases {
t.Run(c.desc, func(t *testing.T) {
Chore: Remove bus.Dispatch from some login packages (#47248) * Chore: Remove bus.Dispatch from some login packages * remove debug log Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * remove login.Init() * remove unused reset function * remove AuthenticateUserFunc global * swap conditional branches Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * fix formatting Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
3 years ago
hs.authenticator = &fakeAuthenticator{c.authUser, c.authModule, c.authErr}
API: send Login actions (#27249) * API: first version to send events about login actions * API: improve login actions events * Login: update auth test with new behavior * Login: update auth test for auth module * Login OAuth: improve functions structure * API: make struct public to use for saml * API: add send login log tests for grafana and ldap login * API: remove log from tests * Login API: fix test linting * Update pkg/api/login_oauth.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Login API: refactor using defer Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
5 years ago
sc.m.Post(sc.url, sc.defaultHandler)
sc.fakeReqNoAssertions("POST", sc.url).exec()
API: replace SendLoginLogCommand with LoginHook (#28777) * API: replace SendLoginLogCommand with LoginHook * LoginInfo: Query -> LoginUsername
5 years ago
info := testHook.info
assert.Equal(t, c.info.AuthModule, info.AuthModule)
assert.Equal(t, "admin", info.LoginUsername)
assert.Equal(t, c.info.HTTPStatus, info.HTTPStatus)
assert.Equal(t, c.info.Error, info.Error)
API: send Login actions (#27249) * API: first version to send events about login actions * API: improve login actions events * Login: update auth test with new behavior * Login: update auth test for auth module * Login OAuth: improve functions structure * API: make struct public to use for saml * API: add send login log tests for grafana and ldap login * API: remove log from tests * Login API: fix test linting * Update pkg/api/login_oauth.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Login API: refactor using defer Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
5 years ago
API: replace SendLoginLogCommand with LoginHook (#28777) * API: replace SendLoginLogCommand with LoginHook * LoginInfo: Query -> LoginUsername
5 years ago
if c.info.User != nil {
require.NotEmpty(t, info.User)
assert.Equal(t, c.info.User.Id, info.User.Id)
API: send Login actions (#27249) * API: first version to send events about login actions * API: improve login actions events * Login: update auth test with new behavior * Login: update auth test for auth module * Login OAuth: improve functions structure * API: make struct public to use for saml * API: add send login log tests for grafana and ldap login * API: remove log from tests * Login API: fix test linting * Update pkg/api/login_oauth.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Login API: refactor using defer Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
5 years ago
}
})
}
}
Chore: Refactor OAuth/social package to service (#35403) * Creating SocialService * Add GetOAuthProviders as socialService method * Add OAuthTokenService * Add GetOAuthHttpClient method to SocialService * Rename services, access socialMap from GetConnector * Fix tests by mocking oauthtoken methods * Move NewAuthService into Init * Move OAuthService to social pkg * Refactor OAuthService to OAuthProvider * Fix nil map error, rename file, simplify tests * Fix bug for Forward OAuth Identify * Remove file after rebase
4 years ago
type mockSocialService struct {
oAuthInfo *social.OAuthInfo
oAuthInfos map[string]*social.OAuthInfo
oAuthProviders map[string]bool
httpClient *http.Client
socialConnector social.SocialConnector
err error
}
func (m *mockSocialService) GetOAuthInfoProvider(name string) *social.OAuthInfo {
return m.oAuthInfo
}
func (m *mockSocialService) GetOAuthInfoProviders() map[string]*social.OAuthInfo {
return m.oAuthInfos
}
func (m *mockSocialService) GetOAuthProviders() map[string]bool {
return m.oAuthProviders
}
func (m *mockSocialService) GetOAuthHttpClient(name string) (*http.Client, error) {
return m.httpClient, m.err
}
func (m *mockSocialService) GetConnector(string) (social.SocialConnector, error) {
return m.socialConnector, m.err
}
remove bus from login (#44995) * remove bus from login * remove comments and format correctly * remove the downcast
3 years ago
Chore: Remove bus.Dispatch from some login packages (#47248) * Chore: Remove bus.Dispatch from some login packages * remove debug log Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * remove login.Init() * remove unused reset function * remove AuthenticateUserFunc global * swap conditional branches Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * fix formatting Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
3 years ago
type fakeAuthenticator struct {
ExpectedUser *models.User
ExpectedAuthModule string
ExpectedError error
remove bus from login (#44995) * remove bus from login * remove comments and format correctly * remove the downcast
3 years ago
}
Chore: Remove bus.Dispatch from some login packages (#47248) * Chore: Remove bus.Dispatch from some login packages * remove debug log Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * remove login.Init() * remove unused reset function * remove AuthenticateUserFunc global * swap conditional branches Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * fix formatting Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
3 years ago
func (fa *fakeAuthenticator) AuthenticateUser(c context.Context, query *models.LoginUserQuery) error {
query.User = fa.ExpectedUser
query.AuthModule = fa.ExpectedAuthModule
return fa.ExpectedError
remove bus from login (#44995) * remove bus from login * remove comments and format correctly * remove the downcast
3 years ago
}