apitech
/
grafana
mirror of https://github.com/grafana/grafana
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

User: Verify external user status for accessing certain user routes (#79909)

Browse Source 
stricter user profile route checking
pull/79732/head
Jo 2 years ago committed by GitHub
parent 99582b48d7
commit 814d62406e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 66 additions and 21 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 34
      pkg/api/admin_users.go
  2. 47
      pkg/api/password.go
  3. 6
      pkg/api/user.go

34
pkg/api/admin_users.go
Unescape View File

@ -58,7 +58,7 @@ func (hs *HTTPServer) AdminCreateUser(c *contextmodel.ReqContext) response.Respo
}
if len(cmd.Password) < 4 {
return response.Error(400, "Password is missing or too short", nil)
return response.Error(http.StatusBadRequest, "Password is missing or too short", nil)
}
usr, err := hs.userService.Create(c.Req.Context(), &cmd)
@ -100,6 +100,11 @@ func (hs *HTTPServer) AdminCreateUser(c *contextmodel.ReqContext) response.Respo
// 403: forbiddenError
// 500: internalServerError
func (hs *HTTPServer) AdminUpdateUserPassword(c *contextmodel.ReqContext) response.Response {
if hs.Cfg.DisableLoginForm || hs.Cfg.DisableLogin {
return response.Error(http.StatusForbidden,
"Not allowed to reset password when login form is disabled", nil)
}
form := dtos.AdminUpdateUserPasswordForm{}
if err := web.Bind(c.Req, &form); err != nil {
return response.Error(http.StatusBadRequest, "bad request data", err)
@ -111,19 +116,27 @@ func (hs *HTTPServer) AdminUpdateUserPassword(c *contextmodel.ReqContext) respon
}
if len(form.Password) < 4 {
return response.Error(400, "New password too short", nil)
return response.Error(http.StatusBadRequest, "New password too short", nil)
}
userQuery := user.GetUserByIDQuery{ID: userID}
usr, err := hs.userService.GetByID(c.Req.Context(), &userQuery)
if err != nil {
return response.Error(500, "Could not read user from database", err)
return response.Error(http.StatusInternalServerError, "Could not read user from database", err)
}
getAuthQuery := login.GetAuthInfoQuery{UserId: usr.ID}
if authInfo, err := hs.authInfoService.GetAuthInfo(c.Req.Context(), &getAuthQuery); err == nil {
oauthInfo := hs.SocialService.GetOAuthInfoProvider(authInfo.AuthModule)
if login.IsProviderEnabled(hs.Cfg, authInfo.AuthModule, oauthInfo) {
return response.Error(http.StatusBadRequest, "Cannot update external user password", err)
}
}
passwordHashed, err := util.EncodePassword(form.Password, usr.Salt)
if err != nil {
return response.Error(500, "Could not encode password", err)
return response.Error(http.StatusInternalServerError, "Could not encode password", err)
}
cmd := user.ChangeUserPasswordCommand{
@ -132,7 +145,18 @@ func (hs *HTTPServer) AdminUpdateUserPassword(c *contextmodel.ReqContext) respon
}
if err := hs.userService.ChangePassword(c.Req.Context(), &cmd); err != nil {
return response.Error(500, "Failed to update user password", err)
return response.Error(http.StatusInternalServerError, "Failed to update user password", err)
}
if err := hs.loginAttemptService.Reset(c.Req.Context(),
usr.Login); err != nil {
c.Logger.Warn("could not reset login attempts", "err", err, "username", usr.Login)
}
if err := hs.AuthTokenService.RevokeAllUserTokens(c.Req.Context(),
userID); err != nil {
return response.Error(http.StatusExpectationFailed,
"User password updated but unable to revoke user sessions", err)
}
return response.Success("User password updated")

47
pkg/api/password.go
Unescape View File

@ -16,13 +16,14 @@ import (
)
func (hs *HTTPServer) SendResetPasswordEmail(c *contextmodel.ReqContext) response.Response {
if hs.Cfg.DisableLoginForm || hs.Cfg.DisableLogin {
return response.Error(http.StatusUnauthorized, "Not allowed to reset password when login form is disabled", nil)
}
form := dtos.SendResetPasswordEmailForm{}
if err := web.Bind(c.Req, &form); err != nil {
return response.Error(http.StatusBadRequest, "bad request data", err)
}
if hs.Cfg.DisableLoginForm {
return response.Error(401, "Not allowed to reset password when login form is disabled", nil)
}
userQuery := user.GetUserByLoginQuery{LoginOrEmail: form.UserOrEmail}
@ -39,21 +40,27 @@ func (hs *HTTPServer) SendResetPasswordEmail(c *contextmodel.ReqContext) respons
getAuthQuery := login.GetAuthInfoQuery{UserId: usr.ID}
if authInfo, err := hs.authInfoService.GetAuthInfo(c.Req.Context(), &getAuthQuery); err == nil {
authModule := authInfo.AuthModule
if authModule == login.LDAPAuthModule || authModule == login.AuthProxyAuthModule {
return response.Error(401, "Not allowed to reset password for LDAP or Auth Proxy user", nil)
oauthInfo := hs.SocialService.GetOAuthInfoProvider(authInfo.AuthModule)
if login.IsProviderEnabled(hs.Cfg, authInfo.AuthModule, oauthInfo) {
c.Logger.Info("Requested password reset for external user", nil)
return response.Error(http.StatusOK, "Email sent", nil)
}
}
emailCmd := notifications.SendResetPasswordEmailCommand{User: usr}
if err := hs.NotificationService.SendResetPasswordEmail(c.Req.Context(), &emailCmd); err != nil {
return response.Error(500, "Failed to send email", err)
return response.Error(http.StatusInternalServerError, "Failed to send email", err)
}
return response.Success("Email sent")
}
func (hs *HTTPServer) ResetPassword(c *contextmodel.ReqContext) response.Response {
if hs.Cfg.DisableLoginForm || hs.Cfg.DisableLogin {
return response.Error(http.StatusUnauthorized,
"Not allowed to reset password when grafana authentication is disabled", nil)
}
form := dtos.ResetUserPasswordForm{}
if err := web.Bind(c.Req, &form); err != nil {
return response.Error(http.StatusBadRequest, "bad request data", err)
@ -73,34 +80,48 @@ func (hs *HTTPServer) ResetPassword(c *contextmodel.ReqContext) response.Respons
userResult, err := hs.NotificationService.ValidateResetPasswordCode(c.Req.Context(), &query, getUserByLogin)
if err != nil {
if errors.Is(err, notifications.ErrInvalidEmailCode) {
return response.Error(400, "Invalid or expired reset password code", nil)
return response.Error(http.StatusBadRequest, "Invalid or expired reset password code", nil)
}
return response.Error(http.StatusInternalServerError, "Unknown error validating email code", err)
}
getAuthQuery := login.GetAuthInfoQuery{UserId: userResult.ID}
if authInfo, err := hs.authInfoService.GetAuthInfo(c.Req.Context(), &getAuthQuery); err == nil {
oauthInfo := hs.SocialService.GetOAuthInfoProvider(authInfo.AuthModule)
if login.IsProviderEnabled(hs.Cfg, authInfo.AuthModule, oauthInfo) {
return response.Error(http.StatusBadRequest, "Cannot update external user password", err)
}
return response.Error(500, "Unknown error validating email code", err)
}
if form.NewPassword != form.ConfirmPassword {
return response.Error(400, "Passwords do not match", nil)
return response.Error(http.StatusBadRequest, "Passwords do not match", nil)
}
password := user.Password(form.NewPassword)
if password.IsWeak() {
return response.Error(400, "New password is too short", nil)
return response.Error(http.StatusBadRequest, "New password is too short", nil)
}
cmd := user.ChangeUserPasswordCommand{}
cmd.UserID = userResult.ID
cmd.NewPassword, err = util.EncodePassword(form.NewPassword, userResult.Salt)
if err != nil {
return response.Error(500, "Failed to encode password", err)
return response.Error(http.StatusInternalServerError, "Failed to encode password", err)
}
if err := hs.userService.ChangePassword(c.Req.Context(), &cmd); err != nil {
return response.Error(500, "Failed to change user password", err)
return response.Error(http.StatusInternalServerError, "Failed to change user password", err)
}
if err := hs.loginAttemptService.Reset(c.Req.Context(), username); err != nil {
c.Logger.Warn("could not reset login attempts", "err", err, "username", username)
}
if err := hs.AuthTokenService.RevokeAllUserTokens(c.Req.Context(),
userResult.ID); err != nil {
return response.Error(http.StatusExpectationFailed,
"User password updated but unable to revoke user sessions", err)
}
return response.Success("User password changed")
}

6
pkg/api/user.go
Unescape View File

@ -484,9 +484,9 @@ func (hs *HTTPServer) ChangeUserPassword(c *contextmodel.ReqContext) response.Re
getAuthQuery := login.GetAuthInfoQuery{UserId: usr.ID}
if authInfo, err := hs.authInfoService.GetAuthInfo(c.Req.Context(), &getAuthQuery); err == nil {
authModule := authInfo.AuthModule
if authModule == login.LDAPAuthModule || authModule == login.AuthProxyAuthModule {
return response.Error(http.StatusBadRequest, "Not allowed to reset password for LDAP or Auth Proxy user", nil)
oauthInfo := hs.SocialService.GetOAuthInfoProvider(authInfo.AuthModule)
if login.IsProviderEnabled(hs.Cfg, authInfo.AuthModule, oauthInfo) {
return response.Error(http.StatusBadRequest, "Cannot update external user password", err)
}
}

Write Preview
Loading…
Cancel
Save