apitech
/
grafana
mirror of https://github.com/grafana/grafana
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
The open and composable observability and data visualization platform. Visualize metrics, logs, and traces from multiple sources like Prometheus, Loki, Elasticsearch, InfluxDB, Postgres and many more.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
22459 Commits
1677 Branches
650 Tags
2.2 GiB
Tag: Branch: Tree: bf82e6cded
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'bf82e6cded'
${ noResults }
grafana/pkg/middleware/middleware.go

314 lines
8.2 KiB
Raw Normal View History Unescape

Macaron rewrite
11 years ago
package middleware
import (
middleware: add security related HTTP(S) response headers (#17522) * x_xss_protection * strict_transport_security (HSTS) * x_content_type_options these are currently defaulted to false (off) until the next minor release. fixes #17509
7 years ago
"fmt"
move auth token middleware/hooks to middleware package fix/adds auth token middleware tests
7 years ago
"net/http"
"net/url"
OAuth remake
11 years ago
"strconv"
Security: Responses from backend should not be cached (#16848) Currently all API requests set Cache-control: no-cache to avoid browsers caching sensitive data. This fixes so that all responses returned from backend not are cached using http headers. The exception is the data proxy where we don't add these http headers in case datasource backend needs to control whether data can be cached or not. Fixes #16845
7 years ago
"strings"
changes needed for api/middleware due to configuration settings
7 years ago
"time"
Macaron rewrite
11 years ago
Feature: LDAP refactoring (#16950) * incapsulates multipleldap logic under one module * abstracts users upsert and get logic * changes some of the text error messages and import sort sequence * heavily refactors the LDAP module – LDAP module now only deals with LDAP related behaviour * integrates affected auth_proxy module and their tests * refactoring of the auth_proxy logic
7 years ago
macaron "gopkg.in/macaron.v1"
Changed go package path
11 years ago
"github.com/grafana/grafana/pkg/bus"
New implementation for API Keys that only stores hashed api keys, and the client key is base64 decoded json web token with the unhashed key, Closes #1440
11 years ago
"github.com/grafana/grafana/pkg/components/apikeygen"
move log package to /infra (#17023) ref #14679 Signed-off-by: zhulongcheng <zhulongcheng.me@gmail.com>
7 years ago
"github.com/grafana/grafana/pkg/infra/log"
Chore: use remote cache instead of session storage (#16114) Replaces session storage in auth_proxy middleware with remote cache Fixes #15161
7 years ago
"github.com/grafana/grafana/pkg/infra/remotecache"
Auth: Allow expiration of API keys (#17678) * Modify backend to allow expiration of API Keys * Add middleware test for expired api keys * Modify frontend to enable expiration of API Keys * Fix frontend tests * Fix migration and add index for `expires` field * Add api key tests for database access * Substitude time.Now() by a mock for test usage * Front-end modifications * Change input label to `Time to live` * Change input behavior to comply with the other similar * Add tooltip * Modify AddApiKey api call response Expiration should be *time.Time instead of string * Present expiration date in the selected timezone * Use kbn for transforming intervals to seconds * Use `assert` library for tests * Frontend fixes Add checks for empty/undefined/null values * Change expires column from datetime to integer * Restrict api key duration input It should be interval not number * AddApiKey must complain if SecondsToLive is negative * Declare ErrInvalidApiKeyExpiration * Move configuration to auth section * Update docs * Eliminate alias for models in modified files * Omit expiration from api response if empty * Eliminate Goconvey from test file * Fix test Do not sleep, use mocked timeNow() instead * Remove index for expires from api_key table The index should be anyway on both org_id and expires fields. However this commit eliminates completely the index for now since not many rows are expected to be in this table. * Use getTimeZone function * Minor change in api key listing The frontend should display a message instead of empty string if the key does not expire.
7 years ago
"github.com/grafana/grafana/pkg/models"
Changed go package path
11 years ago
"github.com/grafana/grafana/pkg/setting"
Auth: You can now authenicate against api with username / password using basic auth, Closes #2218
11 years ago
"github.com/grafana/grafana/pkg/util"
Macaron rewrite
11 years ago
)
Auth: Allow expiration of API keys (#17678) * Modify backend to allow expiration of API Keys * Add middleware test for expired api keys * Modify frontend to enable expiration of API Keys * Fix frontend tests * Fix migration and add index for `expires` field * Add api key tests for database access * Substitude time.Now() by a mock for test usage * Front-end modifications * Change input label to `Time to live` * Change input behavior to comply with the other similar * Add tooltip * Modify AddApiKey api call response Expiration should be *time.Time instead of string * Present expiration date in the selected timezone * Use kbn for transforming intervals to seconds * Use `assert` library for tests * Frontend fixes Add checks for empty/undefined/null values * Change expires column from datetime to integer * Restrict api key duration input It should be interval not number * AddApiKey must complain if SecondsToLive is negative * Declare ErrInvalidApiKeyExpiration * Move configuration to auth section * Update docs * Eliminate alias for models in modified files * Omit expiration from api response if empty * Eliminate Goconvey from test file * Fix test Do not sleep, use mocked timeNow() instead * Remove index for expires from api_key table The index should be anyway on both org_id and expires fields. However this commit eliminates completely the index for now since not many rows are expected to be in this table. * Use getTimeZone function * Minor change in api key listing The frontend should display a message instead of empty string if the key does not expire.
7 years ago
var getTime = time.Now
Auth: consistently return same basic auth errors (#18310) * Auth: consistently return same basic auth errors * Put repeated errors in consts and return only those consts as error strings * Add tests for errors basic auth cases and moves tests to separate test-case. Also names test cases consistently * Add more error logs and makes their messages consistent * A bit of code style * Add additional test helper * Auth: do not expose even incorrect password * Auth: address review comments Use `Debug` for the cases when it's an user error
6 years ago
const (
errStringInvalidUsernamePassword = "Invalid username or password"
errStringInvalidAPIKey = "Invalid API key"
)
made it possible to have frontend code in symlinked folders that can add routes
7 years ago
var (
Auth: consistently return same basic auth errors (#18310) * Auth: consistently return same basic auth errors * Put repeated errors in consts and return only those consts as error strings * Add tests for errors basic auth cases and moves tests to separate test-case. Also names test cases consistently * Add more error logs and makes their messages consistent * A bit of code style * Add additional test helper * Auth: do not expose even incorrect password * Auth: address review comments Use `Debug` for the cases when it's an user error
6 years ago
ReqGrafanaAdmin = Auth(&AuthOptions{
ReqSignedIn: true,
ReqGrafanaAdmin: true,
})
ReqSignedIn = Auth(&AuthOptions{ReqSignedIn: true})
ReqEditorRole = RoleAuth(models.ROLE_EDITOR, models.ROLE_ADMIN)
ReqOrgAdmin = RoleAuth(models.ROLE_ADMIN)
made it possible to have frontend code in symlinked folders that can add routes
7 years ago
)
LDAP: refactoring (#17479) * LDAP: use only one struct * Use only models.ExternalUserInfo * Add additional helper method :/ * Move all the helpers to one module * LDAP: refactoring * Rename some of the public methods and change their behaviour * Remove outdated methods * Simplify logic * More tests There is no and never were tests for settings.go, added tests for helper methods (cover is now about 100% for them). Added tests for the main LDAP logic, but there is some stuff to add. Dial() is not tested and not decoupled. It might be a challenge to do it properly * Restructure tests: * they wouldn't depend on external modules * more consistent naming * logical division * More guards for erroneous paths * Login: make login service an explicit dependency * LDAP: remove no longer needed test helper fns * LDAP: remove useless import * LDAP: Use new interface in multildap module * LDAP: corrections for the groups of multiple users * In case there is several users their groups weren't detected correctly * Simplify helpers module
7 years ago
func GetContextHandler(
Auth: Allow expiration of API keys (#17678) * Modify backend to allow expiration of API Keys * Add middleware test for expired api keys * Modify frontend to enable expiration of API Keys * Fix frontend tests * Fix migration and add index for `expires` field * Add api key tests for database access * Substitude time.Now() by a mock for test usage * Front-end modifications * Change input label to `Time to live` * Change input behavior to comply with the other similar * Add tooltip * Modify AddApiKey api call response Expiration should be *time.Time instead of string * Present expiration date in the selected timezone * Use kbn for transforming intervals to seconds * Use `assert` library for tests * Frontend fixes Add checks for empty/undefined/null values * Change expires column from datetime to integer * Restrict api key duration input It should be interval not number * AddApiKey must complain if SecondsToLive is negative * Declare ErrInvalidApiKeyExpiration * Move configuration to auth section * Update docs * Eliminate alias for models in modified files * Omit expiration from api response if empty * Eliminate Goconvey from test file * Fix test Do not sleep, use mocked timeNow() instead * Remove index for expires from api_key table The index should be anyway on both org_id and expires fields. However this commit eliminates completely the index for now since not many rows are expected to be in this table. * Use getTimeZone function * Minor change in api key listing The frontend should display a message instead of empty string if the key does not expire.
7 years ago
ats models.UserTokenService,
LDAP: refactoring (#17479) * LDAP: use only one struct * Use only models.ExternalUserInfo * Add additional helper method :/ * Move all the helpers to one module * LDAP: refactoring * Rename some of the public methods and change their behaviour * Remove outdated methods * Simplify logic * More tests There is no and never were tests for settings.go, added tests for helper methods (cover is now about 100% for them). Added tests for the main LDAP logic, but there is some stuff to add. Dial() is not tested and not decoupled. It might be a challenge to do it properly * Restructure tests: * they wouldn't depend on external modules * more consistent naming * logical division * More guards for erroneous paths * Login: make login service an explicit dependency * LDAP: remove no longer needed test helper fns * LDAP: remove useless import * LDAP: Use new interface in multildap module * LDAP: corrections for the groups of multiple users * In case there is several users their groups weren't detected correctly * Simplify helpers module
7 years ago
remoteCache *remotecache.RemoteCache,
) macaron.Handler {
A big refactoring for how sessions are handled, Api calls that authenticate with api key will no longer create a new session
11 years ago
return func(c *macaron.Context) {
Auth: Allow expiration of API keys (#17678) * Modify backend to allow expiration of API Keys * Add middleware test for expired api keys * Modify frontend to enable expiration of API Keys * Fix frontend tests * Fix migration and add index for `expires` field * Add api key tests for database access * Substitude time.Now() by a mock for test usage * Front-end modifications * Change input label to `Time to live` * Change input behavior to comply with the other similar * Add tooltip * Modify AddApiKey api call response Expiration should be *time.Time instead of string * Present expiration date in the selected timezone * Use kbn for transforming intervals to seconds * Use `assert` library for tests * Frontend fixes Add checks for empty/undefined/null values * Change expires column from datetime to integer * Restrict api key duration input It should be interval not number * AddApiKey must complain if SecondsToLive is negative * Declare ErrInvalidApiKeyExpiration * Move configuration to auth section * Update docs * Eliminate alias for models in modified files * Omit expiration from api response if empty * Eliminate Goconvey from test file * Fix test Do not sleep, use mocked timeNow() instead * Remove index for expires from api_key table The index should be anyway on both org_id and expires fields. However this commit eliminates completely the index for now since not many rows are expected to be in this table. * Use getTimeZone function * Minor change in api key listing The frontend should display a message instead of empty string if the key does not expire.
7 years ago
ctx := &models.ReqContext{
Fixed anonymous access mode, Closes #1586
11 years ago
Context: c,
Auth: Allow expiration of API keys (#17678) * Modify backend to allow expiration of API Keys * Add middleware test for expired api keys * Modify frontend to enable expiration of API Keys * Fix frontend tests * Fix migration and add index for `expires` field * Add api key tests for database access * Substitude time.Now() by a mock for test usage * Front-end modifications * Change input label to `Time to live` * Change input behavior to comply with the other similar * Add tooltip * Modify AddApiKey api call response Expiration should be *time.Time instead of string * Present expiration date in the selected timezone * Use kbn for transforming intervals to seconds * Use `assert` library for tests * Frontend fixes Add checks for empty/undefined/null values * Change expires column from datetime to integer * Restrict api key duration input It should be interval not number * AddApiKey must complain if SecondsToLive is negative * Declare ErrInvalidApiKeyExpiration * Move configuration to auth section * Update docs * Eliminate alias for models in modified files * Omit expiration from api response if empty * Eliminate Goconvey from test file * Fix test Do not sleep, use mocked timeNow() instead * Remove index for expires from api_key table The index should be anyway on both org_id and expires fields. However this commit eliminates completely the index for now since not many rows are expected to be in this table. * Use getTimeZone function * Minor change in api key listing The frontend should display a message instead of empty string if the key does not expire.
7 years ago
SignedInUser: &models.SignedInUser{},
Fixed anonymous access mode, Closes #1586
11 years ago
IsSignedIn: false,
AllowAnonymous: false,
refactor datasource caching
7 years ago
SkipCache: false,
feat(logging): a lot of progress on moving to new logging lib, #4590
10 years ago
Logger: log.New("context"),
Macaron rewrite
11 years ago
}
use X-Grafana-Org-Id header to ensure backend uses correct org (#8122)
9 years ago
orgId := int64(0)
orgIdHeader := ctx.Req.Header.Get("X-Grafana-Org-Id")
if orgIdHeader != "" {
orgId, _ = strconv.ParseInt(orgIdHeader, 10, 64)
}
HTTP API: grafana /render calls nows with api keys, Fixes #1649
11 years ago
// the order in which these are tested are important
// look for api key in Authorization header first
// then init session and look for userId in session
// then look for api key in session (special case for render calls via api)
// then test if anonymous access is enabled
pkg/middleware/middleware.go: Fix empty branch warning. See, $ gometalinter --vendor --deadline 10m --disable-all --enable=megacheck ./... pkg/middleware/middleware.go:46:3:warning: empty branch (SA9003) (megacheck)
7 years ago
switch {
case initContextWithRenderAuth(ctx):
case initContextWithApiKey(ctx):
case initContextWithBasicAuth(ctx, orgId):
Chore: use remote cache instead of session storage (#16114) Replaces session storage in auth_proxy middleware with remote cache Fixes #15161
7 years ago
case initContextWithAuthProxy(remoteCache, ctx, orgId):
move auth token middleware/hooks to middleware package fix/adds auth token middleware tests
7 years ago
case initContextWithToken(ats, ctx, orgId):
pkg/middleware/middleware.go: Fix empty branch warning. See, $ gometalinter --vendor --deadline 10m --disable-all --enable=megacheck ./... pkg/middleware/middleware.go:46:3:warning: empty branch (SA9003) (megacheck)
7 years ago
case initContextWithAnonymousUser(ctx):
Refactoring of auth middleware, and starting work on account admin
11 years ago
}
feat(logging): added uname to context logger
10 years ago
ctx.Logger = log.New("context", "userId", ctx.UserId, "orgId", ctx.OrgId, "uname", ctx.Login)
feat(logging): progress on new logging #4590
10 years ago
ctx.Data["ctx"] = ctx
feat(logging): a lot of progress on moving to new logging lib, #4590
10 years ago
Macaron rewrite
11 years ago
c.Map(ctx)
feat: store last seen date for users and present in stats and user lists, closes #9007
8 years ago
// update last seen every 5min
if ctx.ShouldUpdateLastSeenAt() {
ctx.Logger.Debug("Updating last user_seen_at", "user_id", ctx.UserId)
Auth: Allow expiration of API keys (#17678) * Modify backend to allow expiration of API Keys * Add middleware test for expired api keys * Modify frontend to enable expiration of API Keys * Fix frontend tests * Fix migration and add index for `expires` field * Add api key tests for database access * Substitude time.Now() by a mock for test usage * Front-end modifications * Change input label to `Time to live` * Change input behavior to comply with the other similar * Add tooltip * Modify AddApiKey api call response Expiration should be *time.Time instead of string * Present expiration date in the selected timezone * Use kbn for transforming intervals to seconds * Use `assert` library for tests * Frontend fixes Add checks for empty/undefined/null values * Change expires column from datetime to integer * Restrict api key duration input It should be interval not number * AddApiKey must complain if SecondsToLive is negative * Declare ErrInvalidApiKeyExpiration * Move configuration to auth section * Update docs * Eliminate alias for models in modified files * Omit expiration from api response if empty * Eliminate Goconvey from test file * Fix test Do not sleep, use mocked timeNow() instead * Remove index for expires from api_key table The index should be anyway on both org_id and expires fields. However this commit eliminates completely the index for now since not many rows are expected to be in this table. * Use getTimeZone function * Minor change in api key listing The frontend should display a message instead of empty string if the key does not expire.
7 years ago
if err := bus.Dispatch(&models.UpdateUserLastSeenAtCommand{UserId: ctx.UserId}); err != nil {
feat: store last seen date for users and present in stats and user lists, closes #9007
8 years ago
ctx.Logger.Error("Failed to update last_seen_at", "error", err)
}
}
Macaron rewrite
11 years ago
}
}
Auth: Allow expiration of API keys (#17678) * Modify backend to allow expiration of API Keys * Add middleware test for expired api keys * Modify frontend to enable expiration of API Keys * Fix frontend tests * Fix migration and add index for `expires` field * Add api key tests for database access * Substitude time.Now() by a mock for test usage * Front-end modifications * Change input label to `Time to live` * Change input behavior to comply with the other similar * Add tooltip * Modify AddApiKey api call response Expiration should be *time.Time instead of string * Present expiration date in the selected timezone * Use kbn for transforming intervals to seconds * Use `assert` library for tests * Frontend fixes Add checks for empty/undefined/null values * Change expires column from datetime to integer * Restrict api key duration input It should be interval not number * AddApiKey must complain if SecondsToLive is negative * Declare ErrInvalidApiKeyExpiration * Move configuration to auth section * Update docs * Eliminate alias for models in modified files * Omit expiration from api response if empty * Eliminate Goconvey from test file * Fix test Do not sleep, use mocked timeNow() instead * Remove index for expires from api_key table The index should be anyway on both org_id and expires fields. However this commit eliminates completely the index for now since not many rows are expected to be in this table. * Use getTimeZone function * Minor change in api key listing The frontend should display a message instead of empty string if the key does not expire.
7 years ago
func initContextWithAnonymousUser(ctx *models.ReqContext) bool {
A big refactoring for how sessions are handled, Api calls that authenticate with api key will no longer create a new session
11 years ago
if !setting.AnonymousEnabled {
return false
}
Auth: Allow expiration of API keys (#17678) * Modify backend to allow expiration of API Keys * Add middleware test for expired api keys * Modify frontend to enable expiration of API Keys * Fix frontend tests * Fix migration and add index for `expires` field * Add api key tests for database access * Substitude time.Now() by a mock for test usage * Front-end modifications * Change input label to `Time to live` * Change input behavior to comply with the other similar * Add tooltip * Modify AddApiKey api call response Expiration should be *time.Time instead of string * Present expiration date in the selected timezone * Use kbn for transforming intervals to seconds * Use `assert` library for tests * Frontend fixes Add checks for empty/undefined/null values * Change expires column from datetime to integer * Restrict api key duration input It should be interval not number * AddApiKey must complain if SecondsToLive is negative * Declare ErrInvalidApiKeyExpiration * Move configuration to auth section * Update docs * Eliminate alias for models in modified files * Omit expiration from api response if empty * Eliminate Goconvey from test file * Fix test Do not sleep, use mocked timeNow() instead * Remove index for expires from api_key table The index should be anyway on both org_id and expires fields. However this commit eliminates completely the index for now since not many rows are expected to be in this table. * Use getTimeZone function * Minor change in api key listing The frontend should display a message instead of empty string if the key does not expire.
7 years ago
orgQuery := models.GetOrgByNameQuery{Name: setting.AnonymousOrgName}
A big refactoring for how sessions are handled, Api calls that authenticate with api key will no longer create a new session
11 years ago
if err := bus.Dispatch(&orgQuery); err != nil {
log.Error(3, "Anonymous access organization error: '%s': %s", setting.AnonymousOrgName, err)
return false
}
use X-Grafana-Org-Id header to ensure backend uses correct org (#8122)
9 years ago
ctx.IsSignedIn = false
ctx.AllowAnonymous = true
Auth: Allow expiration of API keys (#17678) * Modify backend to allow expiration of API Keys * Add middleware test for expired api keys * Modify frontend to enable expiration of API Keys * Fix frontend tests * Fix migration and add index for `expires` field * Add api key tests for database access * Substitude time.Now() by a mock for test usage * Front-end modifications * Change input label to `Time to live` * Change input behavior to comply with the other similar * Add tooltip * Modify AddApiKey api call response Expiration should be *time.Time instead of string * Present expiration date in the selected timezone * Use kbn for transforming intervals to seconds * Use `assert` library for tests * Frontend fixes Add checks for empty/undefined/null values * Change expires column from datetime to integer * Restrict api key duration input It should be interval not number * AddApiKey must complain if SecondsToLive is negative * Declare ErrInvalidApiKeyExpiration * Move configuration to auth section * Update docs * Eliminate alias for models in modified files * Omit expiration from api response if empty * Eliminate Goconvey from test file * Fix test Do not sleep, use mocked timeNow() instead * Remove index for expires from api_key table The index should be anyway on both org_id and expires fields. However this commit eliminates completely the index for now since not many rows are expected to be in this table. * Use getTimeZone function * Minor change in api key listing The frontend should display a message instead of empty string if the key does not expire.
7 years ago
ctx.SignedInUser = &models.SignedInUser{IsAnonymous: true}
ctx.OrgRole = models.RoleType(setting.AnonymousOrgRole)
use X-Grafana-Org-Id header to ensure backend uses correct org (#8122)
9 years ago
ctx.OrgId = orgQuery.Result.Id
ctx.OrgName = orgQuery.Result.Name
return true
A big refactoring for how sessions are handled, Api calls that authenticate with api key will no longer create a new session
11 years ago
}
Auth: Allow expiration of API keys (#17678) * Modify backend to allow expiration of API Keys * Add middleware test for expired api keys * Modify frontend to enable expiration of API Keys * Fix frontend tests * Fix migration and add index for `expires` field * Add api key tests for database access * Substitude time.Now() by a mock for test usage * Front-end modifications * Change input label to `Time to live` * Change input behavior to comply with the other similar * Add tooltip * Modify AddApiKey api call response Expiration should be *time.Time instead of string * Present expiration date in the selected timezone * Use kbn for transforming intervals to seconds * Use `assert` library for tests * Frontend fixes Add checks for empty/undefined/null values * Change expires column from datetime to integer * Restrict api key duration input It should be interval not number * AddApiKey must complain if SecondsToLive is negative * Declare ErrInvalidApiKeyExpiration * Move configuration to auth section * Update docs * Eliminate alias for models in modified files * Omit expiration from api response if empty * Eliminate Goconvey from test file * Fix test Do not sleep, use mocked timeNow() instead * Remove index for expires from api_key table The index should be anyway on both org_id and expires fields. However this commit eliminates completely the index for now since not many rows are expected to be in this table. * Use getTimeZone function * Minor change in api key listing The frontend should display a message instead of empty string if the key does not expire.
7 years ago
func initContextWithApiKey(ctx *models.ReqContext) bool {
A big refactoring for how sessions are handled, Api calls that authenticate with api key will no longer create a new session
11 years ago
var keyString string
if keyString = getApiKey(ctx); keyString == "" {
return false
}
// base64 decode key
decoded, err := apikeygen.Decode(keyString)
if err != nil {
Auth: consistently return same basic auth errors (#18310) * Auth: consistently return same basic auth errors * Put repeated errors in consts and return only those consts as error strings * Add tests for errors basic auth cases and moves tests to separate test-case. Also names test cases consistently * Add more error logs and makes their messages consistent * A bit of code style * Add additional test helper * Auth: do not expose even incorrect password * Auth: address review comments Use `Debug` for the cases when it's an user error
6 years ago
ctx.JsonApiErr(401, errStringInvalidAPIKey, err)
A big refactoring for how sessions are handled, Api calls that authenticate with api key will no longer create a new session
11 years ago
return true
}
use X-Grafana-Org-Id header to ensure backend uses correct org (#8122)
9 years ago
A big refactoring for how sessions are handled, Api calls that authenticate with api key will no longer create a new session
11 years ago
// fetch key
Auth: Allow expiration of API keys (#17678) * Modify backend to allow expiration of API Keys * Add middleware test for expired api keys * Modify frontend to enable expiration of API Keys * Fix frontend tests * Fix migration and add index for `expires` field * Add api key tests for database access * Substitude time.Now() by a mock for test usage * Front-end modifications * Change input label to `Time to live` * Change input behavior to comply with the other similar * Add tooltip * Modify AddApiKey api call response Expiration should be *time.Time instead of string * Present expiration date in the selected timezone * Use kbn for transforming intervals to seconds * Use `assert` library for tests * Frontend fixes Add checks for empty/undefined/null values * Change expires column from datetime to integer * Restrict api key duration input It should be interval not number * AddApiKey must complain if SecondsToLive is negative * Declare ErrInvalidApiKeyExpiration * Move configuration to auth section * Update docs * Eliminate alias for models in modified files * Omit expiration from api response if empty * Eliminate Goconvey from test file * Fix test Do not sleep, use mocked timeNow() instead * Remove index for expires from api_key table The index should be anyway on both org_id and expires fields. However this commit eliminates completely the index for now since not many rows are expected to be in this table. * Use getTimeZone function * Minor change in api key listing The frontend should display a message instead of empty string if the key does not expire.
7 years ago
keyQuery := models.GetApiKeyByNameQuery{KeyName: decoded.Name, OrgId: decoded.OrgId}
A big refactoring for how sessions are handled, Api calls that authenticate with api key will no longer create a new session
11 years ago
if err := bus.Dispatch(&keyQuery); err != nil {
Auth: consistently return same basic auth errors (#18310) * Auth: consistently return same basic auth errors * Put repeated errors in consts and return only those consts as error strings * Add tests for errors basic auth cases and moves tests to separate test-case. Also names test cases consistently * Add more error logs and makes their messages consistent * A bit of code style * Add additional test helper * Auth: do not expose even incorrect password * Auth: address review comments Use `Debug` for the cases when it's an user error
6 years ago
ctx.JsonApiErr(401, errStringInvalidAPIKey, err)
A big refactoring for how sessions are handled, Api calls that authenticate with api key will no longer create a new session
11 years ago
return true
use X-Grafana-Org-Id header to ensure backend uses correct org (#8122)
9 years ago
}
A big refactoring for how sessions are handled, Api calls that authenticate with api key will no longer create a new session
11 years ago
use X-Grafana-Org-Id header to ensure backend uses correct org (#8122)
9 years ago
apikey := keyQuery.Result
A big refactoring for how sessions are handled, Api calls that authenticate with api key will no longer create a new session
11 years ago
use X-Grafana-Org-Id header to ensure backend uses correct org (#8122)
9 years ago
// validate api key
if !apikeygen.IsValid(decoded, apikey.Key) {
Auth: consistently return same basic auth errors (#18310) * Auth: consistently return same basic auth errors * Put repeated errors in consts and return only those consts as error strings * Add tests for errors basic auth cases and moves tests to separate test-case. Also names test cases consistently * Add more error logs and makes their messages consistent * A bit of code style * Add additional test helper * Auth: do not expose even incorrect password * Auth: address review comments Use `Debug` for the cases when it's an user error
6 years ago
ctx.JsonApiErr(401, errStringInvalidAPIKey, err)
HTTP API: grafana /render calls nows with api keys, Fixes #1649
11 years ago
return true
}
use X-Grafana-Org-Id header to ensure backend uses correct org (#8122)
9 years ago
Auth: Allow expiration of API keys (#17678) * Modify backend to allow expiration of API Keys * Add middleware test for expired api keys * Modify frontend to enable expiration of API Keys * Fix frontend tests * Fix migration and add index for `expires` field * Add api key tests for database access * Substitude time.Now() by a mock for test usage * Front-end modifications * Change input label to `Time to live` * Change input behavior to comply with the other similar * Add tooltip * Modify AddApiKey api call response Expiration should be *time.Time instead of string * Present expiration date in the selected timezone * Use kbn for transforming intervals to seconds * Use `assert` library for tests * Frontend fixes Add checks for empty/undefined/null values * Change expires column from datetime to integer * Restrict api key duration input It should be interval not number * AddApiKey must complain if SecondsToLive is negative * Declare ErrInvalidApiKeyExpiration * Move configuration to auth section * Update docs * Eliminate alias for models in modified files * Omit expiration from api response if empty * Eliminate Goconvey from test file * Fix test Do not sleep, use mocked timeNow() instead * Remove index for expires from api_key table The index should be anyway on both org_id and expires fields. However this commit eliminates completely the index for now since not many rows are expected to be in this table. * Use getTimeZone function * Minor change in api key listing The frontend should display a message instead of empty string if the key does not expire.
7 years ago
// check for expiration
if apikey.Expires != nil && *apikey.Expires <= getTime().Unix() {
ctx.JsonApiErr(401, "Expired API key", err)
return true
}
use X-Grafana-Org-Id header to ensure backend uses correct org (#8122)
9 years ago
ctx.IsSignedIn = true
Auth: Allow expiration of API keys (#17678) * Modify backend to allow expiration of API Keys * Add middleware test for expired api keys * Modify frontend to enable expiration of API Keys * Fix frontend tests * Fix migration and add index for `expires` field * Add api key tests for database access * Substitude time.Now() by a mock for test usage * Front-end modifications * Change input label to `Time to live` * Change input behavior to comply with the other similar * Add tooltip * Modify AddApiKey api call response Expiration should be *time.Time instead of string * Present expiration date in the selected timezone * Use kbn for transforming intervals to seconds * Use `assert` library for tests * Frontend fixes Add checks for empty/undefined/null values * Change expires column from datetime to integer * Restrict api key duration input It should be interval not number * AddApiKey must complain if SecondsToLive is negative * Declare ErrInvalidApiKeyExpiration * Move configuration to auth section * Update docs * Eliminate alias for models in modified files * Omit expiration from api response if empty * Eliminate Goconvey from test file * Fix test Do not sleep, use mocked timeNow() instead * Remove index for expires from api_key table The index should be anyway on both org_id and expires fields. However this commit eliminates completely the index for now since not many rows are expected to be in this table. * Use getTimeZone function * Minor change in api key listing The frontend should display a message instead of empty string if the key does not expire.
7 years ago
ctx.SignedInUser = &models.SignedInUser{}
use X-Grafana-Org-Id header to ensure backend uses correct org (#8122)
9 years ago
ctx.OrgRole = apikey.Role
ctx.ApiKeyId = apikey.Id
ctx.OrgId = apikey.OrgId
return true
HTTP API: grafana /render calls nows with api keys, Fixes #1649
11 years ago
}
Auth: Allow expiration of API keys (#17678) * Modify backend to allow expiration of API Keys * Add middleware test for expired api keys * Modify frontend to enable expiration of API Keys * Fix frontend tests * Fix migration and add index for `expires` field * Add api key tests for database access * Substitude time.Now() by a mock for test usage * Front-end modifications * Change input label to `Time to live` * Change input behavior to comply with the other similar * Add tooltip * Modify AddApiKey api call response Expiration should be *time.Time instead of string * Present expiration date in the selected timezone * Use kbn for transforming intervals to seconds * Use `assert` library for tests * Frontend fixes Add checks for empty/undefined/null values * Change expires column from datetime to integer * Restrict api key duration input It should be interval not number * AddApiKey must complain if SecondsToLive is negative * Declare ErrInvalidApiKeyExpiration * Move configuration to auth section * Update docs * Eliminate alias for models in modified files * Omit expiration from api response if empty * Eliminate Goconvey from test file * Fix test Do not sleep, use mocked timeNow() instead * Remove index for expires from api_key table The index should be anyway on both org_id and expires fields. However this commit eliminates completely the index for now since not many rows are expected to be in this table. * Use getTimeZone function * Minor change in api key listing The frontend should display a message instead of empty string if the key does not expire.
7 years ago
func initContextWithBasicAuth(ctx *models.ReqContext, orgId int64) bool {
Auth: You can now authenicate against api with username / password using basic auth, Closes #2218
11 years ago
if !setting.BasicAuthEnabled {
return false
}
header := ctx.Req.Header.Get("Authorization")
if header == "" {
return false
}
username, password, err := util.DecodeBasicAuthHeader(header)
if err != nil {
ctx.JsonApiErr(401, "Invalid Basic Auth Header", err)
return true
}
Auth: Do not search for the user twice (#18366) * Auth: Do not search for the user twice Previously `initContextWithBasicAuth` did not use `LoginUserQuery`, doing `GetUserByLoginQuery` only i.e. looking user in DB only, things changed when this function started to check LDAP provider via `LoginUserQuery` (#6940), however, this request was placed after `GetUserByLoginQuery`, so we first looking in DB then in the LDAP - if LDAP user hasn't logged in we will not find it in DB, so `LoginUserQuery` will never be reached. `LoginUserQuery` request already performs `GetUserByLoginQuery` request in correct sequence. So we can just remove redundant request. * Correct sequence execution during authentification & introduce tests for it * Move basic auth tests to separate test file, since main test file already pretty large * Introduce `testing.go` for the middleware module * Remove redundant test helper function * Make handler names more explicit Ref 5777f65d05a8dc141c34e470ef1d5fe956f8173c Fixes #18329 * Auth: address review comment
6 years ago
authQuery := models.LoginUserQuery{
Auth: consistently return same basic auth errors (#18310) * Auth: consistently return same basic auth errors * Put repeated errors in consts and return only those consts as error strings * Add tests for errors basic auth cases and moves tests to separate test-case. Also names test cases consistently * Add more error logs and makes their messages consistent * A bit of code style * Add additional test helper * Auth: do not expose even incorrect password * Auth: address review comments Use `Debug` for the cases when it's an user error
6 years ago
Username: username,
Password: password,
}
Auth: Do not search for the user twice (#18366) * Auth: Do not search for the user twice Previously `initContextWithBasicAuth` did not use `LoginUserQuery`, doing `GetUserByLoginQuery` only i.e. looking user in DB only, things changed when this function started to check LDAP provider via `LoginUserQuery` (#6940), however, this request was placed after `GetUserByLoginQuery`, so we first looking in DB then in the LDAP - if LDAP user hasn't logged in we will not find it in DB, so `LoginUserQuery` will never be reached. `LoginUserQuery` request already performs `GetUserByLoginQuery` request in correct sequence. So we can just remove redundant request. * Correct sequence execution during authentification & introduce tests for it * Move basic auth tests to separate test file, since main test file already pretty large * Introduce `testing.go` for the middleware module * Remove redundant test helper function * Make handler names more explicit Ref 5777f65d05a8dc141c34e470ef1d5fe956f8173c Fixes #18329 * Auth: address review comment
6 years ago
if err := bus.Dispatch(&authQuery); err != nil {
Auth: consistently return same basic auth errors (#18310) * Auth: consistently return same basic auth errors * Put repeated errors in consts and return only those consts as error strings * Add tests for errors basic auth cases and moves tests to separate test-case. Also names test cases consistently * Add more error logs and makes their messages consistent * A bit of code style * Add additional test helper * Auth: do not expose even incorrect password * Auth: address review comments Use `Debug` for the cases when it's an user error
6 years ago
ctx.Logger.Debug(
"Failed to authorize the user",
"username", username,
)
ctx.JsonApiErr(401, errStringInvalidUsernamePassword, err)
Auth: You can now authenicate against api with username / password using basic auth, Closes #2218
11 years ago
return true
}
Auth: Do not search for the user twice (#18366) * Auth: Do not search for the user twice Previously `initContextWithBasicAuth` did not use `LoginUserQuery`, doing `GetUserByLoginQuery` only i.e. looking user in DB only, things changed when this function started to check LDAP provider via `LoginUserQuery` (#6940), however, this request was placed after `GetUserByLoginQuery`, so we first looking in DB then in the LDAP - if LDAP user hasn't logged in we will not find it in DB, so `LoginUserQuery` will never be reached. `LoginUserQuery` request already performs `GetUserByLoginQuery` request in correct sequence. So we can just remove redundant request. * Correct sequence execution during authentification & introduce tests for it * Move basic auth tests to separate test file, since main test file already pretty large * Introduce `testing.go` for the middleware module * Remove redundant test helper function * Make handler names more explicit Ref 5777f65d05a8dc141c34e470ef1d5fe956f8173c Fixes #18329 * Auth: address review comment
6 years ago
user := authQuery.User
Auth: Allow expiration of API keys (#17678) * Modify backend to allow expiration of API Keys * Add middleware test for expired api keys * Modify frontend to enable expiration of API Keys * Fix frontend tests * Fix migration and add index for `expires` field * Add api key tests for database access * Substitude time.Now() by a mock for test usage * Front-end modifications * Change input label to `Time to live` * Change input behavior to comply with the other similar * Add tooltip * Modify AddApiKey api call response Expiration should be *time.Time instead of string * Present expiration date in the selected timezone * Use kbn for transforming intervals to seconds * Use `assert` library for tests * Frontend fixes Add checks for empty/undefined/null values * Change expires column from datetime to integer * Restrict api key duration input It should be interval not number * AddApiKey must complain if SecondsToLive is negative * Declare ErrInvalidApiKeyExpiration * Move configuration to auth section * Update docs * Eliminate alias for models in modified files * Omit expiration from api response if empty * Eliminate Goconvey from test file * Fix test Do not sleep, use mocked timeNow() instead * Remove index for expires from api_key table The index should be anyway on both org_id and expires fields. However this commit eliminates completely the index for now since not many rows are expected to be in this table. * Use getTimeZone function * Minor change in api key listing The frontend should display a message instead of empty string if the key does not expire.
7 years ago
query := models.GetSignedInUserQuery{UserId: user.Id, OrgId: orgId}
Auth: You can now authenicate against api with username / password using basic auth, Closes #2218
11 years ago
if err := bus.Dispatch(&query); err != nil {
Auth: consistently return same basic auth errors (#18310) * Auth: consistently return same basic auth errors * Put repeated errors in consts and return only those consts as error strings * Add tests for errors basic auth cases and moves tests to separate test-case. Also names test cases consistently * Add more error logs and makes their messages consistent * A bit of code style * Add additional test helper * Auth: do not expose even incorrect password * Auth: address review comments Use `Debug` for the cases when it's an user error
6 years ago
ctx.Logger.Error(
"Failed at user signed in",
"id", user.Id,
"org", orgId,
)
ctx.JsonApiErr(401, errStringInvalidUsernamePassword, err)
Auth: You can now authenicate against api with username / password using basic auth, Closes #2218
11 years ago
return true
}
use X-Grafana-Org-Id header to ensure backend uses correct org (#8122)
9 years ago
ctx.SignedInUser = query.Result
ctx.IsSignedIn = true
return true
Auth: You can now authenicate against api with username / password using basic auth, Closes #2218
11 years ago
}
Auth: Allow expiration of API keys (#17678) * Modify backend to allow expiration of API Keys * Add middleware test for expired api keys * Modify frontend to enable expiration of API Keys * Fix frontend tests * Fix migration and add index for `expires` field * Add api key tests for database access * Substitude time.Now() by a mock for test usage * Front-end modifications * Change input label to `Time to live` * Change input behavior to comply with the other similar * Add tooltip * Modify AddApiKey api call response Expiration should be *time.Time instead of string * Present expiration date in the selected timezone * Use kbn for transforming intervals to seconds * Use `assert` library for tests * Frontend fixes Add checks for empty/undefined/null values * Change expires column from datetime to integer * Restrict api key duration input It should be interval not number * AddApiKey must complain if SecondsToLive is negative * Declare ErrInvalidApiKeyExpiration * Move configuration to auth section * Update docs * Eliminate alias for models in modified files * Omit expiration from api response if empty * Eliminate Goconvey from test file * Fix test Do not sleep, use mocked timeNow() instead * Remove index for expires from api_key table The index should be anyway on both org_id and expires fields. However this commit eliminates completely the index for now since not many rows are expected to be in this table. * Use getTimeZone function * Minor change in api key listing The frontend should display a message instead of empty string if the key does not expire.
7 years ago
func initContextWithToken(authTokenService models.UserTokenService, ctx *models.ReqContext, orgID int64) bool {
SAML: Show SAML login button even if OAuth is disabled (#17993) * Move the SAML button outside of the oauth div * Don't attempt to search cookies with an empty name
7 years ago
if setting.LoginCookieName == "" {
return false
}
changes needed for api/middleware due to configuration settings
7 years ago
rawToken := ctx.GetCookie(setting.LoginCookieName)
move auth token middleware/hooks to middleware package fix/adds auth token middleware tests
7 years ago
if rawToken == "" {
return false
}
Auth: Enable retries and transaction for some db calls for auth tokens (#16785) the WithSession wrapper handles retries and connection management so the caller dont have to worry about it.
7 years ago
token, err := authTokenService.LookupToken(ctx.Req.Context(), rawToken)
move auth token middleware/hooks to middleware package fix/adds auth token middleware tests
7 years ago
if err != nil {
Auth: consistently return same basic auth errors (#18310) * Auth: consistently return same basic auth errors * Put repeated errors in consts and return only those consts as error strings * Add tests for errors basic auth cases and moves tests to separate test-case. Also names test cases consistently * Add more error logs and makes their messages consistent * A bit of code style * Add additional test helper * Auth: do not expose even incorrect password * Auth: address review comments Use `Debug` for the cases when it's an user error
6 years ago
ctx.Logger.Error("Failed to look up user based on cookie", "error", err)
middleware fix
7 years ago
WriteSessionCookie(ctx, "", -1)
move auth token middleware/hooks to middleware package fix/adds auth token middleware tests
7 years ago
return false
}
Auth: Allow expiration of API keys (#17678) * Modify backend to allow expiration of API Keys * Add middleware test for expired api keys * Modify frontend to enable expiration of API Keys * Fix frontend tests * Fix migration and add index for `expires` field * Add api key tests for database access * Substitude time.Now() by a mock for test usage * Front-end modifications * Change input label to `Time to live` * Change input behavior to comply with the other similar * Add tooltip * Modify AddApiKey api call response Expiration should be *time.Time instead of string * Present expiration date in the selected timezone * Use kbn for transforming intervals to seconds * Use `assert` library for tests * Frontend fixes Add checks for empty/undefined/null values * Change expires column from datetime to integer * Restrict api key duration input It should be interval not number * AddApiKey must complain if SecondsToLive is negative * Declare ErrInvalidApiKeyExpiration * Move configuration to auth section * Update docs * Eliminate alias for models in modified files * Omit expiration from api response if empty * Eliminate Goconvey from test file * Fix test Do not sleep, use mocked timeNow() instead * Remove index for expires from api_key table The index should be anyway on both org_id and expires fields. However this commit eliminates completely the index for now since not many rows are expected to be in this table. * Use getTimeZone function * Minor change in api key listing The frontend should display a message instead of empty string if the key does not expire.
7 years ago
query := models.GetSignedInUserQuery{UserId: token.UserId, OrgId: orgID}
move auth token middleware/hooks to middleware package fix/adds auth token middleware tests
7 years ago
if err := bus.Dispatch(&query); err != nil {
Auth: consistently return same basic auth errors (#18310) * Auth: consistently return same basic auth errors * Put repeated errors in consts and return only those consts as error strings * Add tests for errors basic auth cases and moves tests to separate test-case. Also names test cases consistently * Add more error logs and makes their messages consistent * A bit of code style * Add additional test helper * Auth: do not expose even incorrect password * Auth: address review comments Use `Debug` for the cases when it's an user error
6 years ago
ctx.Logger.Error("Failed to get user with id", "userId", token.UserId, "error", err)
move auth token middleware/hooks to middleware package fix/adds auth token middleware tests
7 years ago
return false
}
ctx.SignedInUser = query.Result
ctx.IsSignedIn = true
ctx.UserToken = token
Auth: Enable retries and transaction for some db calls for auth tokens (#16785) the WithSession wrapper handles retries and connection management so the caller dont have to worry about it.
7 years ago
rotated, err := authTokenService.TryRotateToken(ctx.Req.Context(), token, ctx.RemoteAddr(), ctx.Req.UserAgent())
move auth token middleware/hooks to middleware package fix/adds auth token middleware tests
7 years ago
if err != nil {
Auth: consistently return same basic auth errors (#18310) * Auth: consistently return same basic auth errors * Put repeated errors in consts and return only those consts as error strings * Add tests for errors basic auth cases and moves tests to separate test-case. Also names test cases consistently * Add more error logs and makes their messages consistent * A bit of code style * Add additional test helper * Auth: do not expose even incorrect password * Auth: address review comments Use `Debug` for the cases when it's an user error
6 years ago
ctx.Logger.Error("Failed to rotate token", "error", err)
move auth token middleware/hooks to middleware package fix/adds auth token middleware tests
7 years ago
return true
}
if rotated {
change UserToken from interface to struct
7 years ago
WriteSessionCookie(ctx, token.UnhashedToken, setting.LoginMaxLifetimeDays)
move auth token middleware/hooks to middleware package fix/adds auth token middleware tests
7 years ago
}
return true
}
Auth: Allow expiration of API keys (#17678) * Modify backend to allow expiration of API Keys * Add middleware test for expired api keys * Modify frontend to enable expiration of API Keys * Fix frontend tests * Fix migration and add index for `expires` field * Add api key tests for database access * Substitude time.Now() by a mock for test usage * Front-end modifications * Change input label to `Time to live` * Change input behavior to comply with the other similar * Add tooltip * Modify AddApiKey api call response Expiration should be *time.Time instead of string * Present expiration date in the selected timezone * Use kbn for transforming intervals to seconds * Use `assert` library for tests * Frontend fixes Add checks for empty/undefined/null values * Change expires column from datetime to integer * Restrict api key duration input It should be interval not number * AddApiKey must complain if SecondsToLive is negative * Declare ErrInvalidApiKeyExpiration * Move configuration to auth section * Update docs * Eliminate alias for models in modified files * Omit expiration from api response if empty * Eliminate Goconvey from test file * Fix test Do not sleep, use mocked timeNow() instead * Remove index for expires from api_key table The index should be anyway on both org_id and expires fields. However this commit eliminates completely the index for now since not many rows are expected to be in this table. * Use getTimeZone function * Minor change in api key listing The frontend should display a message instead of empty string if the key does not expire.
7 years ago
func WriteSessionCookie(ctx *models.ReqContext, value string, maxLifetimeDays int) {
move auth token middleware/hooks to middleware package fix/adds auth token middleware tests
7 years ago
if setting.Env == setting.DEV {
Auth: consistently return same basic auth errors (#18310) * Auth: consistently return same basic auth errors * Put repeated errors in consts and return only those consts as error strings * Add tests for errors basic auth cases and moves tests to separate test-case. Also names test cases consistently * Add more error logs and makes their messages consistent * A bit of code style * Add additional test helper * Auth: do not expose even incorrect password * Auth: address review comments Use `Debug` for the cases when it's an user error
6 years ago
ctx.Logger.Info("New token", "unhashed token", value)
move auth token middleware/hooks to middleware package fix/adds auth token middleware tests
7 years ago
}
changes needed for api/middleware due to configuration settings
7 years ago
var maxAge int
if maxLifetimeDays <= 0 {
maxAge = -1
} else {
maxAgeHours := (time.Duration(setting.LoginMaxLifetimeDays) * 24 * time.Hour) + time.Hour
maxAge = int(maxAgeHours.Seconds())
}
move auth token middleware/hooks to middleware package fix/adds auth token middleware tests
7 years ago
ctx.Resp.Header().Del("Set-Cookie")
cookie := http.Cookie{
changes needed for api/middleware due to configuration settings
7 years ago
Name: setting.LoginCookieName,
move auth token middleware/hooks to middleware package fix/adds auth token middleware tests
7 years ago
Value: url.QueryEscape(value),
HttpOnly: true,
Path: setting.AppSubUrl + "/",
changes needed for api/middleware due to configuration settings
7 years ago
Secure: setting.CookieSecure,
move auth token middleware/hooks to middleware package fix/adds auth token middleware tests
7 years ago
MaxAge: maxAge,
Backend: Do not set SameSite cookie attribute if cookie_samesite is none (#18462) * Do not set SameSite login_error cookie attribute if cookie_samesite is none * Do not set SameSite grafana_session cookie attribute if cookie_samesite is none * Update middleware tests
6 years ago
}
if setting.CookieSameSite != http.SameSiteDefaultMode {
cookie.SameSite = setting.CookieSameSite
move auth token middleware/hooks to middleware package fix/adds auth token middleware tests
7 years ago
}
http.SetCookie(ctx.Resp, &cookie)
}
api: adds no-cache header for GET requests Fixes #5356. Internet Explorer aggressively caches GET requests which means that all API calls fetching data are cached. This fix adds a Cache-Control header with the value no-cache to all GET requests to the API.
9 years ago
func AddDefaultResponseHeaders() macaron.Handler {
Security: Responses from backend should not be cached (#16848) Currently all API requests set Cache-control: no-cache to avoid browsers caching sensitive data. This fixes so that all responses returned from backend not are cached using http headers. The exception is the data proxy where we don't add these http headers in case datasource backend needs to control whether data can be cached or not. Fixes #16845
7 years ago
return func(ctx *macaron.Context) {
ctx.Resp.Before(func(w macaron.ResponseWriter) {
if !strings.HasPrefix(ctx.Req.URL.Path, "/api/datasources/proxy/") {
AddNoCacheHeaders(ctx.Resp)
}
Security: Add new setting allow_embedding (#16853) When allow_embedding is false (default) the Grafana backend will set the http header `X-Frame-Options: deny` in all responses to non-static content which will instruct browser to not allow Grafana to be embedded in `<frame>`, `<iframe>`, `<embed>` or `<object>`. Closes #14189
7 years ago
if !setting.AllowEmbedding {
AddXFrameOptionsDenyHeader(w)
}
middleware: add security related HTTP(S) response headers (#17522) * x_xss_protection * strict_transport_security (HSTS) * x_content_type_options these are currently defaulted to false (off) until the next minor release. fixes #17509
7 years ago
AddSecurityHeaders(w)
Security: Responses from backend should not be cached (#16848) Currently all API requests set Cache-control: no-cache to avoid browsers caching sensitive data. This fixes so that all responses returned from backend not are cached using http headers. The exception is the data proxy where we don't add these http headers in case datasource backend needs to control whether data can be cached or not. Fixes #16845
7 years ago
})
api: adds no-cache header for GET requests Fixes #5356. Internet Explorer aggressively caches GET requests which means that all API calls fetching data are cached. This fix adds a Cache-Control header with the value no-cache to all GET requests to the API.
9 years ago
}
}
Security: Responses from backend should not be cached (#16848) Currently all API requests set Cache-control: no-cache to avoid browsers caching sensitive data. This fixes so that all responses returned from backend not are cached using http headers. The exception is the data proxy where we don't add these http headers in case datasource backend needs to control whether data can be cached or not. Fixes #16845
7 years ago
middleware: add security related HTTP(S) response headers (#17522) * x_xss_protection * strict_transport_security (HSTS) * x_content_type_options these are currently defaulted to false (off) until the next minor release. fixes #17509
7 years ago
// AddSecurityHeaders adds various HTTP(S) response headers that enable various security protections behaviors in the client's browser.
func AddSecurityHeaders(w macaron.ResponseWriter) {
if setting.Protocol == setting.HTTPS && setting.StrictTransportSecurity {
middleware: fix Strict-Transport-Security header (#17644) fixes #17641
7 years ago
strictHeaderValues := []string{fmt.Sprintf("max-age=%v", setting.StrictTransportSecurityMaxAge)}
middleware: add security related HTTP(S) response headers (#17522) * x_xss_protection * strict_transport_security (HSTS) * x_content_type_options these are currently defaulted to false (off) until the next minor release. fixes #17509
7 years ago
if setting.StrictTransportSecurityPreload {
middleware: fix Strict-Transport-Security header (#17644) fixes #17641
7 years ago
strictHeaderValues = append(strictHeaderValues, "preload")
middleware: add security related HTTP(S) response headers (#17522) * x_xss_protection * strict_transport_security (HSTS) * x_content_type_options these are currently defaulted to false (off) until the next minor release. fixes #17509
7 years ago
}
if setting.StrictTransportSecuritySubDomains {
middleware: fix Strict-Transport-Security header (#17644) fixes #17641
7 years ago
strictHeaderValues = append(strictHeaderValues, "includeSubDomains")
middleware: add security related HTTP(S) response headers (#17522) * x_xss_protection * strict_transport_security (HSTS) * x_content_type_options these are currently defaulted to false (off) until the next minor release. fixes #17509
7 years ago
}
middleware: fix Strict-Transport-Security header (#17644) fixes #17641
7 years ago
w.Header().Add("Strict-Transport-Security", strings.Join(strictHeaderValues, "; "))
middleware: add security related HTTP(S) response headers (#17522) * x_xss_protection * strict_transport_security (HSTS) * x_content_type_options these are currently defaulted to false (off) until the next minor release. fixes #17509
7 years ago
}
if setting.ContentTypeProtectionHeader {
w.Header().Add("X-Content-Type-Options", "nosniff")
}
if setting.XSSProtectionHeader {
HTTPServer: Fix X-XSS-Protection header formatting (#17620) Fixes #17619
7 years ago
w.Header().Add("X-XSS-Protection", "1; mode=block")
middleware: add security related HTTP(S) response headers (#17522) * x_xss_protection * strict_transport_security (HSTS) * x_content_type_options these are currently defaulted to false (off) until the next minor release. fixes #17509
7 years ago
}
}
Security: Responses from backend should not be cached (#16848) Currently all API requests set Cache-control: no-cache to avoid browsers caching sensitive data. This fixes so that all responses returned from backend not are cached using http headers. The exception is the data proxy where we don't add these http headers in case datasource backend needs to control whether data can be cached or not. Fixes #16845
7 years ago
func AddNoCacheHeaders(w macaron.ResponseWriter) {
w.Header().Add("Cache-Control", "no-cache")
w.Header().Add("Pragma", "no-cache")
w.Header().Add("Expires", "-1")
}
Security: Add new setting allow_embedding (#16853) When allow_embedding is false (default) the Grafana backend will set the http header `X-Frame-Options: deny` in all responses to non-static content which will instruct browser to not allow Grafana to be embedded in `<frame>`, `<iframe>`, `<embed>` or `<object>`. Closes #14189
7 years ago
func AddXFrameOptionsDenyHeader(w macaron.ResponseWriter) {
w.Header().Add("X-Frame-Options", "deny")
}