apitech
/
grafana
mirror of https://github.com/grafana/grafana
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
The open and composable observability and data visualization platform. Visualize metrics, logs, and traces from multiple sources like Prometheus, Loki, Elasticsearch, InfluxDB, Postgres and many more.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
32634 Commits
5978 Branches
596 Tags
1.7 GiB
Tag: Branch: Tree: c4aaf5f9d1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'c4aaf5f9d1'
${ noResults }
grafana/pkg/middleware/middleware.go

79 lines
2.2 KiB
Raw Normal View History Unescape

Macaron rewrite
11 years ago
package middleware
import (
middleware: add security related HTTP(S) response headers (#17522) * x_xss_protection * strict_transport_security (HSTS) * x_content_type_options these are currently defaulted to false (off) until the next minor release. fixes #17509
6 years ago
"fmt"
Security: Responses from backend should not be cached (#16848) Currently all API requests set Cache-control: no-cache to avoid browsers caching sensitive data. This fixes so that all responses returned from backend not are cached using http headers. The exception is the data proxy where we don't add these http headers in case datasource backend needs to control whether data can be cached or not. Fixes #16845
6 years ago
"strings"
Macaron rewrite
11 years ago
Auth: Allow expiration of API keys (#17678) * Modify backend to allow expiration of API Keys * Add middleware test for expired api keys * Modify frontend to enable expiration of API Keys * Fix frontend tests * Fix migration and add index for `expires` field * Add api key tests for database access * Substitude time.Now() by a mock for test usage * Front-end modifications * Change input label to `Time to live` * Change input behavior to comply with the other similar * Add tooltip * Modify AddApiKey api call response Expiration should be *time.Time instead of string * Present expiration date in the selected timezone * Use kbn for transforming intervals to seconds * Use `assert` library for tests * Frontend fixes Add checks for empty/undefined/null values * Change expires column from datetime to integer * Restrict api key duration input It should be interval not number * AddApiKey must complain if SecondsToLive is negative * Declare ErrInvalidApiKeyExpiration * Move configuration to auth section * Update docs * Eliminate alias for models in modified files * Omit expiration from api response if empty * Eliminate Goconvey from test file * Fix test Do not sleep, use mocked timeNow() instead * Remove index for expires from api_key table The index should be anyway on both org_id and expires fields. However this commit eliminates completely the index for now since not many rows are expected to be in this table. * Use getTimeZone function * Minor change in api key listing The frontend should display a message instead of empty string if the key does not expire.
6 years ago
"github.com/grafana/grafana/pkg/models"
Changed go package path
10 years ago
"github.com/grafana/grafana/pkg/setting"
Chore: replace macaron with web package (#40136) * replace macaron with web package * add web.go
4 years ago
"github.com/grafana/grafana/pkg/web"
Auth: consistently return same basic auth errors (#18310) * Auth: consistently return same basic auth errors * Put repeated errors in consts and return only those consts as error strings * Add tests for errors basic auth cases and moves tests to separate test-case. Also names test cases consistently * Add more error logs and makes their messages consistent * A bit of code style * Add additional test helper * Auth: do not expose even incorrect password * Auth: address review comments Use `Debug` for the cases when it's an user error
6 years ago
)
made it possible to have frontend code in symlinked folders that can add routes
7 years ago
var (
Auth: consistently return same basic auth errors (#18310) * Auth: consistently return same basic auth errors * Put repeated errors in consts and return only those consts as error strings * Add tests for errors basic auth cases and moves tests to separate test-case. Also names test cases consistently * Add more error logs and makes their messages consistent * A bit of code style * Add additional test helper * Auth: do not expose even incorrect password * Auth: address review comments Use `Debug` for the cases when it's an user error
6 years ago
ReqGrafanaAdmin = Auth(&AuthOptions{
ReqSignedIn: true,
ReqGrafanaAdmin: true,
})
Profile: Fixes profile preferences being accessible when anonymous access was enabled (#31516) * Profile: Fixes profile preferences page being available when anonymous access was enabled * Minor change * Renamed property
4 years ago
ReqSignedIn = Auth(&AuthOptions{ReqSignedIn: true})
ReqSignedInNoAnonymous = Auth(&AuthOptions{ReqSignedIn: true, ReqNoAnonynmous: true})
ReqEditorRole = RoleAuth(models.ROLE_EDITOR, models.ROLE_ADMIN)
ReqOrgAdmin = RoleAuth(models.ROLE_ADMIN)
made it possible to have frontend code in symlinked folders that can add routes
7 years ago
)
Middleware: Add CSP support (#29740) * Middleware: Add support for CSP Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored by @iOrcohen
4 years ago
func HandleNoCacheHeader(ctx *models.ReqContext) {
ctx.SkipCache = ctx.Req.Header.Get("X-Grafana-NoCache") == "true"
}
Chore: replace macaron with web package (#40136) * replace macaron with web package * add web.go
4 years ago
func AddDefaultResponseHeaders(cfg *setting.Cfg) web.Handler {
return func(c *web.Context) {
c.Resp.Before(func(w web.ResponseWriter) {
API: Improve recovery middleware when response already been written (#22256) Suppresses stacktrace in recovery middleware if error is http.ErrAbortHandler. Skips writing response error in recovery middleware if resoonse have already been written. Skips try rotate of auth token if response have already been written. Skips adding default response headers if response have already been written. Fixes #15728 Ref #18082 Co-Authored-By: Arve Knudsen <arve.knudsen@gmail.com>
5 years ago
// if response has already been written, skip.
if w.Written() {
return
}
Middleware: Add CSP support (#29740) * Middleware: Add support for CSP Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored by @iOrcohen
4 years ago
if !strings.HasPrefix(c.Req.URL.Path, "/api/datasources/proxy/") {
addNoCacheHeaders(c.Resp)
Security: Responses from backend should not be cached (#16848) Currently all API requests set Cache-control: no-cache to avoid browsers caching sensitive data. This fixes so that all responses returned from backend not are cached using http headers. The exception is the data proxy where we don't add these http headers in case datasource backend needs to control whether data can be cached or not. Fixes #16845
6 years ago
}
Security: Add new setting allow_embedding (#16853) When allow_embedding is false (default) the Grafana backend will set the http header `X-Frame-Options: deny` in all responses to non-static content which will instruct browser to not allow Grafana to be embedded in `<frame>`, `<iframe>`, `<embed>` or `<object>`. Closes #14189
6 years ago
Move middleware context handler logic to service (#29605) * middleware: Move context handler to own service Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Emil Tullsted <sakjur@users.noreply.github.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
5 years ago
if !cfg.AllowEmbedding {
addXFrameOptionsDenyHeader(w)
Security: Add new setting allow_embedding (#16853) When allow_embedding is false (default) the Grafana backend will set the http header `X-Frame-Options: deny` in all responses to non-static content which will instruct browser to not allow Grafana to be embedded in `<frame>`, `<iframe>`, `<embed>` or `<object>`. Closes #14189
6 years ago
}
middleware: add security related HTTP(S) response headers (#17522) * x_xss_protection * strict_transport_security (HSTS) * x_content_type_options these are currently defaulted to false (off) until the next minor release. fixes #17509
6 years ago
Move middleware context handler logic to service (#29605) * middleware: Move context handler to own service Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Emil Tullsted <sakjur@users.noreply.github.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
5 years ago
addSecurityHeaders(w, cfg)
Security: Responses from backend should not be cached (#16848) Currently all API requests set Cache-control: no-cache to avoid browsers caching sensitive data. This fixes so that all responses returned from backend not are cached using http headers. The exception is the data proxy where we don't add these http headers in case datasource backend needs to control whether data can be cached or not. Fixes #16845
6 years ago
})
api: adds no-cache header for GET requests Fixes #5356. Internet Explorer aggressively caches GET requests which means that all API calls fetching data are cached. This fix adds a Cache-Control header with the value no-cache to all GET requests to the API.
8 years ago
}
}
Security: Responses from backend should not be cached (#16848) Currently all API requests set Cache-control: no-cache to avoid browsers caching sensitive data. This fixes so that all responses returned from backend not are cached using http headers. The exception is the data proxy where we don't add these http headers in case datasource backend needs to control whether data can be cached or not. Fixes #16845
6 years ago
Move middleware context handler logic to service (#29605) * middleware: Move context handler to own service Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Emil Tullsted <sakjur@users.noreply.github.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
5 years ago
// addSecurityHeaders adds HTTP(S) response headers that enable various security protections in the client's browser.
Chore: replace macaron with web package (#40136) * replace macaron with web package * add web.go
4 years ago
func addSecurityHeaders(w web.ResponseWriter, cfg *setting.Cfg) {
Move middleware context handler logic to service (#29605) * middleware: Move context handler to own service Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Emil Tullsted <sakjur@users.noreply.github.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
5 years ago
if (cfg.Protocol == setting.HTTPSScheme || cfg.Protocol == setting.HTTP2Scheme) && cfg.StrictTransportSecurity {
strictHeaderValues := []string{fmt.Sprintf("max-age=%v", cfg.StrictTransportSecurityMaxAge)}
if cfg.StrictTransportSecurityPreload {
middleware: fix Strict-Transport-Security header (#17644) fixes #17641
6 years ago
strictHeaderValues = append(strictHeaderValues, "preload")
middleware: add security related HTTP(S) response headers (#17522) * x_xss_protection * strict_transport_security (HSTS) * x_content_type_options these are currently defaulted to false (off) until the next minor release. fixes #17509
6 years ago
}
Move middleware context handler logic to service (#29605) * middleware: Move context handler to own service Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Emil Tullsted <sakjur@users.noreply.github.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
5 years ago
if cfg.StrictTransportSecuritySubDomains {
middleware: fix Strict-Transport-Security header (#17644) fixes #17641
6 years ago
strictHeaderValues = append(strictHeaderValues, "includeSubDomains")
middleware: add security related HTTP(S) response headers (#17522) * x_xss_protection * strict_transport_security (HSTS) * x_content_type_options these are currently defaulted to false (off) until the next minor release. fixes #17509
6 years ago
}
Chore: Use Header.Set method instead of Header.Add (#29804) Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
5 years ago
w.Header().Set("Strict-Transport-Security", strings.Join(strictHeaderValues, "; "))
middleware: add security related HTTP(S) response headers (#17522) * x_xss_protection * strict_transport_security (HSTS) * x_content_type_options these are currently defaulted to false (off) until the next minor release. fixes #17509
6 years ago
}
Move middleware context handler logic to service (#29605) * middleware: Move context handler to own service Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Emil Tullsted <sakjur@users.noreply.github.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
5 years ago
if cfg.ContentTypeProtectionHeader {
Chore: Use Header.Set method instead of Header.Add (#29804) Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
5 years ago
w.Header().Set("X-Content-Type-Options", "nosniff")
middleware: add security related HTTP(S) response headers (#17522) * x_xss_protection * strict_transport_security (HSTS) * x_content_type_options these are currently defaulted to false (off) until the next minor release. fixes #17509
6 years ago
}
Move middleware context handler logic to service (#29605) * middleware: Move context handler to own service Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Emil Tullsted <sakjur@users.noreply.github.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
5 years ago
if cfg.XSSProtectionHeader {
Chore: Use Header.Set method instead of Header.Add (#29804) Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
5 years ago
w.Header().Set("X-XSS-Protection", "1; mode=block")
middleware: add security related HTTP(S) response headers (#17522) * x_xss_protection * strict_transport_security (HSTS) * x_content_type_options these are currently defaulted to false (off) until the next minor release. fixes #17509
6 years ago
}
}
Chore: replace macaron with web package (#40136) * replace macaron with web package * add web.go
4 years ago
func addNoCacheHeaders(w web.ResponseWriter) {
Chore: Use Header.Set method instead of Header.Add (#29804) Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
5 years ago
w.Header().Set("Cache-Control", "no-cache")
w.Header().Set("Pragma", "no-cache")
w.Header().Set("Expires", "-1")
Security: Responses from backend should not be cached (#16848) Currently all API requests set Cache-control: no-cache to avoid browsers caching sensitive data. This fixes so that all responses returned from backend not are cached using http headers. The exception is the data proxy where we don't add these http headers in case datasource backend needs to control whether data can be cached or not. Fixes #16845
6 years ago
}
Security: Add new setting allow_embedding (#16853) When allow_embedding is false (default) the Grafana backend will set the http header `X-Frame-Options: deny` in all responses to non-static content which will instruct browser to not allow Grafana to be embedded in `<frame>`, `<iframe>`, `<embed>` or `<object>`. Closes #14189
6 years ago
Chore: replace macaron with web package (#40136) * replace macaron with web package * add web.go
4 years ago
func addXFrameOptionsDenyHeader(w web.ResponseWriter) {
Chore: Use Header.Set method instead of Header.Add (#29804) Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
5 years ago
w.Header().Set("X-Frame-Options", "deny")
Security: Add new setting allow_embedding (#16853) When allow_embedding is false (default) the Grafana backend will set the http header `X-Frame-Options: deny` in all responses to non-static content which will instruct browser to not allow Grafana to be embedded in `<frame>`, `<iframe>`, `<embed>` or `<object>`. Closes #14189
6 years ago
}