Merge remote-tracking branch 'upstream/master' into dashboard_permissions

.gitignore

@@ -10,8 +10,8 @@ awsconfig
 /public_gen
 /public/vendor/npm
 /tmp
-vendor/phantomjs/phantomjs
-vendor/phantomjs/phantomjs.exe
+tools/phantomjs/phantomjs
+tools/phantomjs/phantomjs.exe
 profile.out
 coverage.txt
 

CHANGELOG.md

@@ -2,7 +2,7 @@
 
 Grafana v5.0 is going to be the biggest and most foundational release Grafana has ever had, coming with a ton of UX improvements, a new dashboard grid engine, dashboard folders, user teams and permissions. Checkout out this [video preview](https://www.youtube.com/watch?v=BC_YRNpqj5k) of Grafana v5.
 
-### New Features
+### New Major Features
 - **Dashboards** Dashboard folders, [#1611](https://github.com/grafana/grafana/issues/1611)
 - **Teams** User groups (teams) implemented. Can be used in folder & dashboard permission list.
 - **Dashboard grid**: Panels are now layed out in a two dimensional grid (with x, y, w, h). [#9093](https://github.com/grafana/grafana/issues/9093).
@@ -10,31 +10,22 @@ Grafana v5.0 is going to be the biggest and most foundational release Grafana ha
 - **UX**: Major update to page header and navigation
 - **Dashboard settings**: Combine dashboard settings views into one with side menu, [#9750](https://github.com/grafana/grafana/issues/9750)
 
-## New Dashboard Grid
-
-The new grid engine is major upgrade for how you can position and move panels. It enables new layouts and a much easier dashboard building experience. The change is backwards compatible. Grafana will automatically upgrade your dashboards to the new schema and position panels to match your existing layout. There might be minor differences in panel height.
-
-Dashboard panels and rows are positioned using a gridPos object `{x: 0, y: 0, w: 24, h: 5}`. Units are in grid dimensions (24 columns, 1 height unit 30px). Rows and Panels objects exist (together) in a flat array directly on the dashboard root object. Rows are not needed for layouts anymore and are mainly there for backward compatibility. Some panel plugins that do not respect their panel height might require an update.
-
-## New Features
-* **Alerting**: Add support for internal image store [#6922](https://github.com/grafana/grafana/issues/6922), thx [@FunkyM](https://github.com/FunkyM)
-
-## Minor
-* **Graph**: Don't hide graph display options (Lines/Points) when draw mode is unchecked [#9770](https://github.com/grafana/grafana/issues/9770), thx [@Jonnymcc](https://github.com/Jonnymcc)
-* **Prometheus**: Show label name in paren after by/without/on/ignoring/group_left/group_right [#9664](https://github.com/grafana/grafana/pull/9664), thx [@mtanda](https://github.com/mtanda)
-
-# 4.7.0 (unreleased / v4.7.x branch)
-
 ## Breaking changes
 
-`[dashboard.json]` have been replaced with [dashboard provisioning](http://docs.grafana.org/administration/provisioning/).
-
+* **[dashboard.json]** have been replaced with [dashboard provisioning](http://docs.grafana.org/administration/provisioning/).
 Config files for provisioning datasources as configuration have changed from `/conf/datasources` to `/conf/provisioning/datasources`.
 From `/etc/grafana/datasources` to `/etc/grafana/provisioning/datasources` when installed with deb/rpm packages.
 
-The pagerduty notifier now defaults to not auto resolve incidents. More details at [#10222](https://github.com/grafana/grafana/issues/10222)
+* **Pagerduty** The notifier now defaults to not auto resolve incidents. More details at [#10222](https://github.com/grafana/grafana/issues/10222)
+
+## New Dashboard Grid
+
+The new grid engine is a major upgrade for how you can position and move panels. It enables new layouts and a much easier dashboard building experience. The change is backward compatible. So you can upgrade your current version to 5.0 without breaking dashboards, but you cannot downgrade from 5.0 to previous versions. Grafana will automatically upgrade your dashboards to the new schema and position panels to match your existing layout. There might be minor differences in panel height. If you upgrade to 5.0 and for some reason want to rollback to the previous version you can restore dashboards to previous versions using dashboard history. But that should only be seen as an emergency solution.
+
+Dashboard panels and rows are positioned using a gridPos object `{x: 0, y: 0, w: 24, h: 5}`. Units are in grid dimensions (24 columns, 1 height unit 30px). Rows and Panels objects exist (together) in a flat array directly on the dashboard root object. Rows are not needed for layouts anymore and are mainly there for backward compatibility. Some panel plugins that do not respect their panel height might require an update.
 
 ## New Features
+* **Alerting**: Add support for internal image store [#6922](https://github.com/grafana/grafana/issues/6922), thx [@FunkyM](https://github.com/FunkyM)
 * **Data Source Proxy**: Add support for whitelisting specified cookies that will be passed through to the data source when proxying data source requests [#5457](https://github.com/grafana/grafana/issues/5457), thanks [@robingustafsson](https://github.com/robingustafsson)
 * **Postgres/MySQL**: add __timeGroup macro for mysql [#9596](https://github.com/grafana/grafana/pull/9596), thanks [@svenklemm](https://github.com/svenklemm)
 * **Text**: Text panel are now edited in the ace editor. [#9698](https://github.com/grafana/grafana/pull/9698), thx [@mtanda](https://github.com/mtanda)
@@ -45,8 +36,11 @@ The pagerduty notifier now defaults to not auto resolve incidents. More details
 * **Dashboard as cfg**: Load dashboards from file into Grafana on startup/change [#9654](https://github.com/grafana/grafana/issues/9654) [#5269](https://github.com/grafana/grafana/issues/5269)
 * **Prometheus**: Grafana can now send alerts to Prometheus Alertmanager while firing [#7481](https://github.com/grafana/grafana/issues/7481), thx [@Thib17](https://github.com/Thib17) and [@mtanda](https://github.com/mtanda)
 * **Table**: Support multiple table formated queries in table panel [#9170](https://github.com/grafana/grafana/issues/9170), thx [@davkal](https://github.com/davkal)
+* **Security**: Protect against brute force (frequent) login attempts [#7616](https://github.com/grafana/grafana/issues/7616)
 
 ## Minor
+* **Graph**: Don't hide graph display options (Lines/Points) when draw mode is unchecked [#9770](https://github.com/grafana/grafana/issues/9770), thx [@Jonnymcc](https://github.com/Jonnymcc)
+* **Prometheus**: Show label name in paren after by/without/on/ignoring/group_left/group_right [#9664](https://github.com/grafana/grafana/pull/9664), thx [@mtanda](https://github.com/mtanda)
 * **Alert panel**: Adds placeholder text when no alerts are within the time range [#9624](https://github.com/grafana/grafana/issues/9624), thx [@straend](https://github.com/straend)
 * **Mysql**: MySQL enable MaxOpenCon and MaxIdleCon regards how constring is configured.  [#9784](https://github.com/grafana/grafana/issues/9784), thx [@dfredell](https://github.com/dfredell)
 * **Cloudwatch**: Fixes broken query inspector for cloudwatch [#9661](https://github.com/grafana/grafana/issues/9661), thx [@mtanda](https://github.com/mtanda)
@@ -59,16 +53,15 @@ The pagerduty notifier now defaults to not auto resolve incidents. More details
 * **Azure**: Adds support for Azure blob storage as external image stor [#8955](https://github.com/grafana/grafana/issues/8955), thx [@saada](https://github.com/saada)
 * **Telegram**: Add support for inline image uploads to telegram notifier plugin [#9967](https://github.com/grafana/grafana/pull/9967), thx [@rburchell](https://github.com/rburchell)
 
-## Tech
-* **RabbitMq**: Remove support for publishing events to RabbitMQ [#9645](https://github.com/grafana/grafana/issues/9645)
-
-
 ## Fixes
 * **Sensu**: Send alert message to sensu output [#9551](https://github.com/grafana/grafana/issues/9551), thx [@cjchand](https://github.com/cjchand)
 * **Singlestat**: suppress error when result contains no datapoints [#9636](https://github.com/grafana/grafana/issues/9636), thx [@utkarshcmu](https://github.com/utkarshcmu)
 * **Postgres/MySQL**: Control quoting in SQL-queries when using template variables [#9030](https://github.com/grafana/grafana/issues/9030), thanks [@svenklemm](https://github.com/svenklemm)
 * **Pagerduty**: Pagerduty dont auto resolve incidents by default anymore. [#10222](https://github.com/grafana/grafana/issues/10222)
 
+## Tech
+* **RabbitMq**: Remove support for publishing events to RabbitMQ [#9645](https://github.com/grafana/grafana/issues/9645)
+
 # 4.6.3 (2017-12-14)
 
 ## Fixes

circle.yml

@@ -9,7 +9,7 @@ machine:
     GOPATH: "/home/ubuntu/.go_workspace"
     ORG_PATH: "github.com/grafana"
     REPO_PATH: "${ORG_PATH}/grafana"
-    GODIST: "go1.9.2.linux-amd64.tar.gz"
+    GODIST: "go1.9.3.linux-amd64.tar.gz"
   post:
     - mkdir -p ~/download
     - mkdir -p ~/docker

conf/defaults.ini

@@ -174,6 +174,9 @@ disable_gravatar = false
 # data source proxy whitelist (ip_or_domain:port separated by spaces)
 data_source_proxy_whitelist =
 
+# disable protection against brute force login attempts
+disable_brute_force_login_protection = false
+
 #################################### Snapshots ###########################
 [snapshots]
 # snapshot sharing options

conf/sample.ini

@@ -162,6 +162,9 @@ log_queries =
 # data source proxy whitelist (ip_or_domain:port separated by spaces)
 ;data_source_proxy_whitelist =
 
+# disable protection against brute force login attempts
+;disable_brute_force_login_protection = false
+
 #################################### Snapshots ###########################
 [snapshots]
 # snapshot sharing options

docker/blocks/prometheus/Dockerfile

-FROM prom/prometheus
+FROM prom/prometheus:v1.8.2
 ADD prometheus.yml /etc/prometheus/
 ADD alert.rules /etc/prometheus/

docs/sources/reference/sharing.md

@@ -39,7 +39,7 @@ Click a panel title to open the panel menu, then click share in the panel menu t
 
 ### Direct Link Rendered Image
 
-You also get a link to service side rendered PNG of the panel. Useful if you want to share an image of the panel. Please note that for OSX and Windows, you will need to ensure that a `phantomjs` binary is available under `vendor/phantomjs/phantomjs`. For Linux, a `phantomjs` binary is included - however, you should ensure that any requisite libraries (e.g. libfontconfig) are available.
+You also get a link to service side rendered PNG of the panel. Useful if you want to share an image of the panel. Please note that for OSX and Windows, you will need to ensure that a `phantomjs` binary is available under `tools/phantomjs/phantomjs`. For Linux, a `phantomjs` binary is included - however, you should ensure that any requisite libraries (e.g. libfontconfig) are available.
 
 Example of a link to a server-side rendered PNG:
 

pkg/api/login.go

@@ -102,12 +102,13 @@ func LoginPost(c *middleware.Context, cmd dtos.LoginCommand) Response {
 	}
 
 	authQuery := login.LoginUserQuery{
-		Username: cmd.User,
-		Password: cmd.Password,
+		Username:  cmd.User,
+		Password:  cmd.Password,
+		IpAddress: c.Req.RemoteAddr,
 	}
 
 	if err := bus.Dispatch(&authQuery); err != nil {
-		if err == login.ErrInvalidCredentials {
+		if err == login.ErrInvalidCredentials || err == login.ErrTooManyLoginAttempts {
 			return ApiError(401, "Invalid username or password", err)
 		}
 

pkg/login/auth.go

@@ -3,21 +3,20 @@ package login
 import (
 	"errors"
 
-	"crypto/subtle"
 	"github.com/grafana/grafana/pkg/bus"
 	m "github.com/grafana/grafana/pkg/models"
-	"github.com/grafana/grafana/pkg/setting"
-	"github.com/grafana/grafana/pkg/util"
 )
 
 var (
-	ErrInvalidCredentials = errors.New("Invalid Username or Password")
+	ErrInvalidCredentials   = errors.New("Invalid Username or Password")
+	ErrTooManyLoginAttempts = errors.New("Too many consecutive incorrect login attempts for user. Login for user temporarily blocked")
 )
 
 type LoginUserQuery struct {
-	Username string
-	Password string
-	User     *m.User
+	Username  string
+	Password  string
+	User      *m.User
+	IpAddress string
 }
 
 func Init() {
@@ -26,41 +25,31 @@ func Init() {
 }
 
 func AuthenticateUser(query *LoginUserQuery) error {
-	err := loginUsingGrafanaDB(query)
-	if err == nil || err != ErrInvalidCredentials {
+	if err := validateLoginAttempts(query.Username); err != nil {
 		return err
 	}
 
-	if setting.LdapEnabled {
-		for _, server := range LdapCfg.Servers {
-			author := NewLdapAuthenticator(server)
-			err = author.Login(query)
-			if err == nil || err != ErrInvalidCredentials {
-				return err
-			}
-		}
+	err := loginUsingGrafanaDB(query)
+	if err == nil || (err != m.ErrUserNotFound && err != ErrInvalidCredentials) {
+		return err
 	}
 
-	return err
-}
-
-func loginUsingGrafanaDB(query *LoginUserQuery) error {
-	userQuery := m.GetUserByLoginQuery{LoginOrEmail: query.Username}
-
-	if err := bus.Dispatch(&userQuery); err != nil {
-		if err == m.ErrUserNotFound {
-			return ErrInvalidCredentials
+	ldapEnabled, ldapErr := loginUsingLdap(query)
+	if ldapEnabled {
+		if ldapErr == nil || ldapErr != ErrInvalidCredentials {
+			return ldapErr
 		}
-		return err
+
+		err = ldapErr
 	}
 
-	user := userQuery.Result
+	if err == ErrInvalidCredentials {
+		saveInvalidLoginAttempt(query)
+	}
 
-	passwordHashed := util.EncodePassword(query.Password, user.Salt)
-	if subtle.ConstantTimeCompare([]byte(passwordHashed), []byte(user.Password)) != 1 {
+	if err == m.ErrUserNotFound {
 		return ErrInvalidCredentials
 	}
 
-	query.User = user
-	return nil
+	return err
 }

pkg/login/auth_test.go

+package login
+
+import (
+	"errors"
+	"testing"
+
+	m "github.com/grafana/grafana/pkg/models"
+	. "github.com/smartystreets/goconvey/convey"
+)
+
+func TestAuthenticateUser(t *testing.T) {
+	Convey("Authenticate user", t, func() {
+		authScenario("When a user authenticates having too many login attempts", func(sc *authScenarioContext) {
+			mockLoginAttemptValidation(ErrTooManyLoginAttempts, sc)
+			mockLoginUsingGrafanaDB(nil, sc)
+			mockLoginUsingLdap(true, nil, sc)
+			mockSaveInvalidLoginAttempt(sc)
+
+			err := AuthenticateUser(sc.loginUserQuery)
+
+			Convey("it should result in", func() {
+				So(err, ShouldEqual, ErrTooManyLoginAttempts)
+				So(sc.loginAttemptValidationWasCalled, ShouldBeTrue)
+				So(sc.grafanaLoginWasCalled, ShouldBeFalse)
+				So(sc.ldapLoginWasCalled, ShouldBeFalse)
+				So(sc.saveInvalidLoginAttemptWasCalled, ShouldBeFalse)
+			})
+		})
+
+		authScenario("When grafana user authenticate with valid credentials", func(sc *authScenarioContext) {
+			mockLoginAttemptValidation(nil, sc)
+			mockLoginUsingGrafanaDB(nil, sc)
+			mockLoginUsingLdap(true, ErrInvalidCredentials, sc)
+			mockSaveInvalidLoginAttempt(sc)
+
+			err := AuthenticateUser(sc.loginUserQuery)
+
+			Convey("it should result in", func() {
+				So(err, ShouldEqual, nil)
+				So(sc.loginAttemptValidationWasCalled, ShouldBeTrue)
+				So(sc.grafanaLoginWasCalled, ShouldBeTrue)
+				So(sc.ldapLoginWasCalled, ShouldBeFalse)
+				So(sc.saveInvalidLoginAttemptWasCalled, ShouldBeFalse)
+			})
+		})
+
+		authScenario("When grafana user authenticate and unexpected error occurs", func(sc *authScenarioContext) {
+			customErr := errors.New("custom")
+			mockLoginAttemptValidation(nil, sc)
+			mockLoginUsingGrafanaDB(customErr, sc)
+			mockLoginUsingLdap(true, ErrInvalidCredentials, sc)
+			mockSaveInvalidLoginAttempt(sc)
+
+			err := AuthenticateUser(sc.loginUserQuery)
+
+			Convey("it should result in", func() {
+				So(err, ShouldEqual, customErr)
+				So(sc.loginAttemptValidationWasCalled, ShouldBeTrue)
+				So(sc.grafanaLoginWasCalled, ShouldBeTrue)
+				So(sc.ldapLoginWasCalled, ShouldBeFalse)
+				So(sc.saveInvalidLoginAttemptWasCalled, ShouldBeFalse)
+			})
+		})
+
+		authScenario("When a non-existing grafana user authenticate and ldap disabled", func(sc *authScenarioContext) {
+			mockLoginAttemptValidation(nil, sc)
+			mockLoginUsingGrafanaDB(m.ErrUserNotFound, sc)
+			mockLoginUsingLdap(false, nil, sc)
+			mockSaveInvalidLoginAttempt(sc)
+
+			err := AuthenticateUser(sc.loginUserQuery)
+
+			Convey("it should result in", func() {
+				So(err, ShouldEqual, ErrInvalidCredentials)
+				So(sc.loginAttemptValidationWasCalled, ShouldBeTrue)
+				So(sc.grafanaLoginWasCalled, ShouldBeTrue)
+				So(sc.ldapLoginWasCalled, ShouldBeTrue)
+				So(sc.saveInvalidLoginAttemptWasCalled, ShouldBeFalse)
+			})
+		})
+
+		authScenario("When a non-existing grafana user authenticate and invalid ldap credentials", func(sc *authScenarioContext) {
+			mockLoginAttemptValidation(nil, sc)
+			mockLoginUsingGrafanaDB(m.ErrUserNotFound, sc)
+			mockLoginUsingLdap(true, ErrInvalidCredentials, sc)
+			mockSaveInvalidLoginAttempt(sc)
+
+			err := AuthenticateUser(sc.loginUserQuery)
+
+			Convey("it should result in", func() {
+				So(err, ShouldEqual, ErrInvalidCredentials)
+				So(sc.loginAttemptValidationWasCalled, ShouldBeTrue)
+				So(sc.grafanaLoginWasCalled, ShouldBeTrue)
+				So(sc.ldapLoginWasCalled, ShouldBeTrue)
+				So(sc.saveInvalidLoginAttemptWasCalled, ShouldBeTrue)
+			})
+		})
+
+		authScenario("When a non-existing grafana user authenticate and valid ldap credentials", func(sc *authScenarioContext) {
+			mockLoginAttemptValidation(nil, sc)
+			mockLoginUsingGrafanaDB(m.ErrUserNotFound, sc)
+			mockLoginUsingLdap(true, nil, sc)
+			mockSaveInvalidLoginAttempt(sc)
+
+			err := AuthenticateUser(sc.loginUserQuery)
+
+			Convey("it should result in", func() {
+				So(err, ShouldBeNil)
+				So(sc.loginAttemptValidationWasCalled, ShouldBeTrue)
+				So(sc.grafanaLoginWasCalled, ShouldBeTrue)
+				So(sc.ldapLoginWasCalled, ShouldBeTrue)
+				So(sc.saveInvalidLoginAttemptWasCalled, ShouldBeFalse)
+			})
+		})
+
+		authScenario("When a non-existing grafana user authenticate and ldap returns unexpected error", func(sc *authScenarioContext) {
+			customErr := errors.New("custom")
+			mockLoginAttemptValidation(nil, sc)
+			mockLoginUsingGrafanaDB(m.ErrUserNotFound, sc)
+			mockLoginUsingLdap(true, customErr, sc)
+			mockSaveInvalidLoginAttempt(sc)
+
+			err := AuthenticateUser(sc.loginUserQuery)
+
+			Convey("it should result in", func() {
+				So(err, ShouldEqual, customErr)
+				So(sc.loginAttemptValidationWasCalled, ShouldBeTrue)
+				So(sc.grafanaLoginWasCalled, ShouldBeTrue)
+				So(sc.ldapLoginWasCalled, ShouldBeTrue)
+				So(sc.saveInvalidLoginAttemptWasCalled, ShouldBeFalse)
+			})
+		})
+
+		authScenario("When grafana user authenticate with invalid credentials and invalid ldap credentials", func(sc *authScenarioContext) {
+			mockLoginAttemptValidation(nil, sc)
+			mockLoginUsingGrafanaDB(ErrInvalidCredentials, sc)
+			mockLoginUsingLdap(true, ErrInvalidCredentials, sc)
+			mockSaveInvalidLoginAttempt(sc)
+
+			err := AuthenticateUser(sc.loginUserQuery)
+
+			Convey("it should result in", func() {
+				So(err, ShouldEqual, ErrInvalidCredentials)
+				So(sc.loginAttemptValidationWasCalled, ShouldBeTrue)
+				So(sc.grafanaLoginWasCalled, ShouldBeTrue)
+				So(sc.ldapLoginWasCalled, ShouldBeTrue)
+				So(sc.saveInvalidLoginAttemptWasCalled, ShouldBeTrue)
+			})
+		})
+	})
+}
+
+type authScenarioContext struct {
+	loginUserQuery                   *LoginUserQuery
+	grafanaLoginWasCalled            bool
+	ldapLoginWasCalled               bool
+	loginAttemptValidationWasCalled  bool
+	saveInvalidLoginAttemptWasCalled bool
+}
+
+type authScenarioFunc func(sc *authScenarioContext)
+
+func mockLoginUsingGrafanaDB(err error, sc *authScenarioContext) {
+	loginUsingGrafanaDB = func(query *LoginUserQuery) error {
+		sc.grafanaLoginWasCalled = true
+		return err
+	}
+}
+
+func mockLoginUsingLdap(enabled bool, err error, sc *authScenarioContext) {
+	loginUsingLdap = func(query *LoginUserQuery) (bool, error) {
+		sc.ldapLoginWasCalled = true
+		return enabled, err
+	}
+}
+
+func mockLoginAttemptValidation(err error, sc *authScenarioContext) {
+	validateLoginAttempts = func(username string) error {
+		sc.loginAttemptValidationWasCalled = true
+		return err
+	}
+}
+
+func mockSaveInvalidLoginAttempt(sc *authScenarioContext) {
+	saveInvalidLoginAttempt = func(query *LoginUserQuery) {
+		sc.saveInvalidLoginAttemptWasCalled = true
+	}
+}
+
+func authScenario(desc string, fn authScenarioFunc) {
+	Convey(desc, func() {
+		origLoginUsingGrafanaDB := loginUsingGrafanaDB
+		origLoginUsingLdap := loginUsingLdap
+		origValidateLoginAttempts := validateLoginAttempts
+		origSaveInvalidLoginAttempt := saveInvalidLoginAttempt
+
+		sc := &authScenarioContext{
+			loginUserQuery: &LoginUserQuery{
+				Username:  "user",
+				Password:  "pwd",
+				IpAddress: "192.168.1.1:56433",
+			},
+		}
+
+		defer func() {
+			loginUsingGrafanaDB = origLoginUsingGrafanaDB
+			loginUsingLdap = origLoginUsingLdap
+			validateLoginAttempts = origValidateLoginAttempts
+			saveInvalidLoginAttempt = origSaveInvalidLoginAttempt
+		}()
+
+		fn(sc)
+	})
+}

pkg/login/brute_force_login_protection.go

+package login
+
+import (
+	"time"
+
+	"github.com/grafana/grafana/pkg/bus"
+	m "github.com/grafana/grafana/pkg/models"
+	"github.com/grafana/grafana/pkg/setting"
+)
+
+var (
+	maxInvalidLoginAttempts int64         = 5
+	loginAttemptsWindow     time.Duration = time.Minute * 5
+)
+
+var validateLoginAttempts = func(username string) error {
+	if setting.DisableBruteForceLoginProtection {
+		return nil
+	}
+
+	loginAttemptCountQuery := m.GetUserLoginAttemptCountQuery{
+		Username: username,
+		Since:    time.Now().Add(-loginAttemptsWindow),
+	}
+
+	if err := bus.Dispatch(&loginAttemptCountQuery); err != nil {
+		return err
+	}
+
+	if loginAttemptCountQuery.Result >= maxInvalidLoginAttempts {
+		return ErrTooManyLoginAttempts
+	}
+
+	return nil
+}
+
+var saveInvalidLoginAttempt = func(query *LoginUserQuery) {
+	if setting.DisableBruteForceLoginProtection {
+		return
+	}
+
+	loginAttemptCommand := m.CreateLoginAttemptCommand{
+		Username:  query.Username,
+		IpAddress: query.IpAddress,
+	}
+
+	bus.Dispatch(&loginAttemptCommand)
+}

pkg/login/brute_force_login_protection_test.go

+package login
+
+import (
+	"testing"
+
+	"github.com/grafana/grafana/pkg/bus"
+	m "github.com/grafana/grafana/pkg/models"
+	"github.com/grafana/grafana/pkg/setting"
+	. "github.com/smartystreets/goconvey/convey"
+)
+
+func TestLoginAttemptsValidation(t *testing.T) {
+	Convey("Validate login attempts", t, func() {
+		Convey("Given brute force login protection enabled", func() {
+			setting.DisableBruteForceLoginProtection = false
+
+			Convey("When user login attempt count equals max-1 ", func() {
+				withLoginAttempts(maxInvalidLoginAttempts - 1)
+				err := validateLoginAttempts("user")
+
+				Convey("it should not result in error", func() {
+					So(err, ShouldBeNil)
+				})
+			})
+
+			Convey("When user login attempt count equals max ", func() {
+				withLoginAttempts(maxInvalidLoginAttempts)
+				err := validateLoginAttempts("user")
+
+				Convey("it should result in too many login attempts error", func() {
+					So(err, ShouldEqual, ErrTooManyLoginAttempts)
+				})
+			})
+
+			Convey("When user login attempt count is greater than max ", func() {
+				withLoginAttempts(maxInvalidLoginAttempts + 5)
+				err := validateLoginAttempts("user")
+
+				Convey("it should result in too many login attempts error", func() {
+					So(err, ShouldEqual, ErrTooManyLoginAttempts)
+				})
+			})
+
+			Convey("When saving invalid login attempt", func() {
+				defer bus.ClearBusHandlers()
+				createLoginAttemptCmd := &m.CreateLoginAttemptCommand{}
+
+				bus.AddHandler("test", func(cmd *m.CreateLoginAttemptCommand) error {
+					createLoginAttemptCmd = cmd
+					return nil
+				})
+
+				saveInvalidLoginAttempt(&LoginUserQuery{
+					Username:  "user",
+					Password:  "pwd",
+					IpAddress: "192.168.1.1:56433",
+				})
+
+				Convey("it should dispatch command", func() {
+					So(createLoginAttemptCmd, ShouldNotBeNil)
+					So(createLoginAttemptCmd.Username, ShouldEqual, "user")
+					So(createLoginAttemptCmd.IpAddress, ShouldEqual, "192.168.1.1:56433")
+				})
+			})
+		})
+
+		Convey("Given brute force login protection disabled", func() {
+			setting.DisableBruteForceLoginProtection = true
+
+			Convey("When user login attempt count equals max-1 ", func() {
+				withLoginAttempts(maxInvalidLoginAttempts - 1)
+				err := validateLoginAttempts("user")
+
+				Convey("it should not result in error", func() {
+					So(err, ShouldBeNil)
+				})
+			})
+
+			Convey("When user login attempt count equals max ", func() {
+				withLoginAttempts(maxInvalidLoginAttempts)
+				err := validateLoginAttempts("user")
+
+				Convey("it should not result in error", func() {
+					So(err, ShouldBeNil)
+				})
+			})
+
+			Convey("When user login attempt count is greater than max ", func() {
+				withLoginAttempts(maxInvalidLoginAttempts + 5)
+				err := validateLoginAttempts("user")
+
+				Convey("it should not result in error", func() {
+					So(err, ShouldBeNil)
+				})
+			})
+
+			Convey("When saving invalid login attempt", func() {
+				defer bus.ClearBusHandlers()
+				createLoginAttemptCmd := (*m.CreateLoginAttemptCommand)(nil)
+
+				bus.AddHandler("test", func(cmd *m.CreateLoginAttemptCommand) error {
+					createLoginAttemptCmd = cmd
+					return nil
+				})
+
+				saveInvalidLoginAttempt(&LoginUserQuery{
+					Username:  "user",
+					Password:  "pwd",
+					IpAddress: "192.168.1.1:56433",
+				})
+
+				Convey("it should not dispatch command", func() {
+					So(createLoginAttemptCmd, ShouldBeNil)
+				})
+			})
+		})
+	})
+}
+
+func withLoginAttempts(loginAttempts int64) {
+	bus.AddHandler("test", func(query *m.GetUserLoginAttemptCountQuery) error {
+		query.Result = loginAttempts
+		return nil
+	})
+}

pkg/login/grafana_login.go

+package login
+
+import (
+	"crypto/subtle"
+
+	"github.com/grafana/grafana/pkg/bus"
+	m "github.com/grafana/grafana/pkg/models"
+	"github.com/grafana/grafana/pkg/util"
+)
+
+var validatePassword = func(providedPassword string, userPassword string, userSalt string) error {
+	passwordHashed := util.EncodePassword(providedPassword, userSalt)
+	if subtle.ConstantTimeCompare([]byte(passwordHashed), []byte(userPassword)) != 1 {
+		return ErrInvalidCredentials
+	}
+
+	return nil
+}
+
+var loginUsingGrafanaDB = func(query *LoginUserQuery) error {
+	userQuery := m.GetUserByLoginQuery{LoginOrEmail: query.Username}
+
+	if err := bus.Dispatch(&userQuery); err != nil {
+		return err
+	}
+
+	user := userQuery.Result
+
+	if err := validatePassword(query.Password, user.Password, user.Salt); err != nil {
+		return err
+	}
+
+	query.User = user
+	return nil
+}

pkg/login/grafana_login_test.go

+package login
+
+import (
+	"testing"
+
+	"github.com/grafana/grafana/pkg/bus"
+	m "github.com/grafana/grafana/pkg/models"
+	. "github.com/smartystreets/goconvey/convey"
+)
+
+func TestGrafanaLogin(t *testing.T) {
+	Convey("Login using Grafana DB", t, func() {
+		grafanaLoginScenario("When login with non-existing user", func(sc *grafanaLoginScenarioContext) {
+			sc.withNonExistingUser()
+			err := loginUsingGrafanaDB(sc.loginUserQuery)
+
+			Convey("it should result in user not found error", func() {
+				So(err, ShouldEqual, m.ErrUserNotFound)
+			})
+
+			Convey("it should not call password validation", func() {
+				So(sc.validatePasswordCalled, ShouldBeFalse)
+			})
+
+			Convey("it should not pupulate user object", func() {
+				So(sc.loginUserQuery.User, ShouldBeNil)
+			})
+		})
+
+		grafanaLoginScenario("When login with invalid credentials", func(sc *grafanaLoginScenarioContext) {
+			sc.withInvalidPassword()
+			err := loginUsingGrafanaDB(sc.loginUserQuery)
+
+			Convey("it should result in invalid credentials error", func() {
+				So(err, ShouldEqual, ErrInvalidCredentials)
+			})
+
+			Convey("it should call password validation", func() {
+				So(sc.validatePasswordCalled, ShouldBeTrue)
+			})
+
+			Convey("it should not pupulate user object", func() {
+				So(sc.loginUserQuery.User, ShouldBeNil)
+			})
+		})
+
+		grafanaLoginScenario("When login with valid credentials", func(sc *grafanaLoginScenarioContext) {
+			sc.withValidCredentials()
+			err := loginUsingGrafanaDB(sc.loginUserQuery)
+
+			Convey("it should not result in error", func() {
+				So(err, ShouldBeNil)
+			})
+
+			Convey("it should call password validation", func() {
+				So(sc.validatePasswordCalled, ShouldBeTrue)
+			})
+
+			Convey("it should pupulate user object", func() {
+				So(sc.loginUserQuery.User, ShouldNotBeNil)
+				So(sc.loginUserQuery.User.Login, ShouldEqual, sc.loginUserQuery.Username)
+				So(sc.loginUserQuery.User.Password, ShouldEqual, sc.loginUserQuery.Password)
+			})
+		})
+	})
+}
+
+type grafanaLoginScenarioContext struct {
+	loginUserQuery         *LoginUserQuery
+	validatePasswordCalled bool
+}
+
+type grafanaLoginScenarioFunc func(c *grafanaLoginScenarioContext)
+
+func grafanaLoginScenario(desc string, fn grafanaLoginScenarioFunc) {
+	Convey(desc, func() {
+		origValidatePassword := validatePassword
+
+		sc := &grafanaLoginScenarioContext{
+			loginUserQuery: &LoginUserQuery{
+				Username:  "user",
+				Password:  "pwd",
+				IpAddress: "192.168.1.1:56433",
+			},
+			validatePasswordCalled: false,
+		}
+
+		defer func() {
+			validatePassword = origValidatePassword
+		}()
+
+		fn(sc)
+	})
+}
+
+func mockPasswordValidation(valid bool, sc *grafanaLoginScenarioContext) {
+	validatePassword = func(providedPassword string, userPassword string, userSalt string) error {
+		sc.validatePasswordCalled = true
+
+		if !valid {
+			return ErrInvalidCredentials
+		}
+
+		return nil
+	}
+}
+
+func (sc *grafanaLoginScenarioContext) getUserByLoginQueryReturns(user *m.User) {
+	bus.AddHandler("test", func(query *m.GetUserByLoginQuery) error {
+		if user == nil {
+			return m.ErrUserNotFound
+		}
+
+		query.Result = user
+		return nil
+	})
+}
+
+func (sc *grafanaLoginScenarioContext) withValidCredentials() {
+	sc.getUserByLoginQueryReturns(&m.User{
+		Id:       1,
+		Login:    sc.loginUserQuery.Username,
+		Password: sc.loginUserQuery.Password,
+		Salt:     "salt",
+	})
+	mockPasswordValidation(true, sc)
+}
+
+func (sc *grafanaLoginScenarioContext) withNonExistingUser() {
+	sc.getUserByLoginQueryReturns(nil)
+}
+
+func (sc *grafanaLoginScenarioContext) withInvalidPassword() {
+	sc.getUserByLoginQueryReturns(&m.User{
+		Password: sc.loginUserQuery.Password,
+		Salt:     "salt",
+	})
+	mockPasswordValidation(false, sc)
+}

pkg/login/ldap_login.go

+package login
+
+import (
+	"github.com/grafana/grafana/pkg/setting"
+)
+
+var loginUsingLdap = func(query *LoginUserQuery) (bool, error) {
+	if !setting.LdapEnabled {
+		return false, nil
+	}
+
+	for _, server := range LdapCfg.Servers {
+		author := NewLdapAuthenticator(server)
+		err := author.Login(query)
+		if err == nil || err != ErrInvalidCredentials {
+			return true, err
+		}
+	}
+
+	return true, ErrInvalidCredentials
+}

pkg/login/ldap_login_test.go

+package login
+
+import (
+	"testing"
+
+	m "github.com/grafana/grafana/pkg/models"
+	"github.com/grafana/grafana/pkg/setting"
+	. "github.com/smartystreets/goconvey/convey"
+)
+
+func TestLdapLogin(t *testing.T) {
+	Convey("Login using ldap", t, func() {
+		Convey("Given ldap enabled and a server configured", func() {
+			setting.LdapEnabled = true
+			LdapCfg.Servers = append(LdapCfg.Servers,
+				&LdapServerConf{
+					Host: "",
+				})
+
+			ldapLoginScenario("When login with invalid credentials", func(sc *ldapLoginScenarioContext) {
+				sc.withLoginResult(false)
+				enabled, err := loginUsingLdap(sc.loginUserQuery)
+
+				Convey("it should return true", func() {
+					So(enabled, ShouldBeTrue)
+				})
+
+				Convey("it should return invalid credentials error", func() {
+					So(err, ShouldEqual, ErrInvalidCredentials)
+				})
+
+				Convey("it should call ldap login", func() {
+					So(sc.ldapAuthenticatorMock.loginCalled, ShouldBeTrue)
+				})
+			})
+
+			ldapLoginScenario("When login with valid credentials", func(sc *ldapLoginScenarioContext) {
+				sc.withLoginResult(true)
+				enabled, err := loginUsingLdap(sc.loginUserQuery)
+
+				Convey("it should return true", func() {
+					So(enabled, ShouldBeTrue)
+				})
+
+				Convey("it should not return error", func() {
+					So(err, ShouldBeNil)
+				})
+
+				Convey("it should call ldap login", func() {
+					So(sc.ldapAuthenticatorMock.loginCalled, ShouldBeTrue)
+				})
+			})
+		})
+
+		Convey("Given ldap enabled and no server configured", func() {
+			setting.LdapEnabled = true
+			LdapCfg.Servers = make([]*LdapServerConf, 0)
+
+			ldapLoginScenario("When login", func(sc *ldapLoginScenarioContext) {
+				sc.withLoginResult(true)
+				enabled, err := loginUsingLdap(sc.loginUserQuery)
+
+				Convey("it should return true", func() {
+					So(enabled, ShouldBeTrue)
+				})
+
+				Convey("it should return invalid credentials error", func() {
+					So(err, ShouldEqual, ErrInvalidCredentials)
+				})
+
+				Convey("it should not call ldap login", func() {
+					So(sc.ldapAuthenticatorMock.loginCalled, ShouldBeFalse)
+				})
+			})
+		})
+
+		Convey("Given ldap disabled", func() {
+			setting.LdapEnabled = false
+
+			ldapLoginScenario("When login", func(sc *ldapLoginScenarioContext) {
+				sc.withLoginResult(false)
+				enabled, err := loginUsingLdap(&LoginUserQuery{
+					Username: "user",
+					Password: "pwd",
+				})
+
+				Convey("it should return false", func() {
+					So(enabled, ShouldBeFalse)
+				})
+
+				Convey("it should not return error", func() {
+					So(err, ShouldBeNil)
+				})
+
+				Convey("it should not call ldap login", func() {
+					So(sc.ldapAuthenticatorMock.loginCalled, ShouldBeFalse)
+				})
+			})
+		})
+	})
+}
+
+func mockLdapAuthenticator(valid bool) *mockLdapAuther {
+	mock := &mockLdapAuther{
+		validLogin: valid,
+	}
+
+	NewLdapAuthenticator = func(server *LdapServerConf) ILdapAuther {
+		return mock
+	}
+
+	return mock
+}
+
+type mockLdapAuther struct {
+	validLogin  bool
+	loginCalled bool
+}
+
+func (a *mockLdapAuther) Login(query *LoginUserQuery) error {
+	a.loginCalled = true
+
+	if !a.validLogin {
+		return ErrInvalidCredentials
+	}
+
+	return nil
+}
+
+func (a *mockLdapAuther) SyncSignedInUser(signedInUser *m.SignedInUser) error {
+	return nil
+}
+
+func (a *mockLdapAuther) GetGrafanaUserFor(ldapUser *LdapUserInfo) (*m.User, error) {
+	return nil, nil
+}
+
+func (a *mockLdapAuther) SyncOrgRoles(user *m.User, ldapUser *LdapUserInfo) error {
+	return nil
+}
+
+type ldapLoginScenarioContext struct {
+	loginUserQuery        *LoginUserQuery
+	ldapAuthenticatorMock *mockLdapAuther
+}
+
+type ldapLoginScenarioFunc func(c *ldapLoginScenarioContext)
+
+func ldapLoginScenario(desc string, fn ldapLoginScenarioFunc) {
+	Convey(desc, func() {
+		origNewLdapAuthenticator := NewLdapAuthenticator
+
+		sc := &ldapLoginScenarioContext{
+			loginUserQuery: &LoginUserQuery{
+				Username:  "user",
+				Password:  "pwd",
+				IpAddress: "192.168.1.1:56433",
+			},
+			ldapAuthenticatorMock: &mockLdapAuther{},
+		}
+
+		defer func() {
+			NewLdapAuthenticator = origNewLdapAuthenticator
+		}()
+
+		fn(sc)
+	})
+}
+
+func (sc *ldapLoginScenarioContext) withLoginResult(valid bool) {
+	sc.ldapAuthenticatorMock = mockLdapAuthenticator(valid)
+}

pkg/models/login_attempt.go

+package models
+
+import (
+	"time"
+)
+
+type LoginAttempt struct {
+	Id        int64
+	Username  string
+	IpAddress string
+	Created   time.Time
+}
+
+// ---------------------
+// COMMANDS
+
+type CreateLoginAttemptCommand struct {
+	Username  string
+	IpAddress string
+
+	Result LoginAttempt
+}
+
+type DeleteOldLoginAttemptsCommand struct {
+	OlderThan   time.Time
+	DeletedRows int64
+}
+
+// ---------------------
+// QUERIES
+
+type GetUserLoginAttemptCountQuery struct {
+	Username string
+	Since    time.Time
+	Result   int64
+}

pkg/plugins/datasource/wrapper/datasource_plugin_wrapper.go

@@ -69,10 +69,13 @@ func (tw *DatasourcePluginWrapper) Query(ctx context.Context, ds *models.DataSou
 
 	for _, r := range pbres.Results {
 		qr := &tsdb.QueryResult{
-			RefId:       r.RefId,
-			Series:      []*tsdb.TimeSeries{},
-			Error:       errors.New(r.Error),
-			ErrorString: r.Error,
+			RefId:  r.RefId,
+			Series: []*tsdb.TimeSeries{},
+		}
+
+		if r.Error != "" {
+			qr.Error = errors.New(r.Error)
+			qr.ErrorString = r.Error
 		}
 
 		for _, s := range r.GetSeries() {

pkg/services/cleanup/cleanup.go

@@ -46,6 +46,7 @@ func (service *CleanUpService) start(ctx context.Context) error {
 			service.cleanUpTmpFiles()
 			service.deleteExpiredSnapshots()
 			service.deleteExpiredDashboardVersions()
+			service.deleteOldLoginAttempts()
 		case <-ctx.Done():
 			return ctx.Err()
 		}
@@ -88,3 +89,18 @@ func (service *CleanUpService) deleteExpiredSnapshots() {
 func (service *CleanUpService) deleteExpiredDashboardVersions() {
 	bus.Dispatch(&m.DeleteExpiredVersionsCommand{})
 }
+
+func (service *CleanUpService) deleteOldLoginAttempts() {
+	if setting.DisableBruteForceLoginProtection {
+		return
+	}
+
+	cmd := m.DeleteOldLoginAttemptsCommand{
+		OlderThan: time.Now().Add(time.Minute * -10),
+	}
+	if err := bus.Dispatch(&cmd); err != nil {
+		service.log.Error("Problem deleting expired login attempts", "error", err.Error())
+	} else {
+		service.log.Debug("Deleted expired login attempts", "rows affected", cmd.DeletedRows)
+	}
+}

pkg/services/sqlstore/login_attempt.go

+package sqlstore
+
+import (
+	"strconv"
+	"time"
+
+	"github.com/grafana/grafana/pkg/bus"
+	m "github.com/grafana/grafana/pkg/models"
+)
+
+var getTimeNow = time.Now
+
+func init() {
+	bus.AddHandler("sql", CreateLoginAttempt)
+	bus.AddHandler("sql", DeleteOldLoginAttempts)
+	bus.AddHandler("sql", GetUserLoginAttemptCount)
+}
+
+func CreateLoginAttempt(cmd *m.CreateLoginAttemptCommand) error {
+	return inTransaction(func(sess *DBSession) error {
+		loginAttempt := m.LoginAttempt{
+			Username:  cmd.Username,
+			IpAddress: cmd.IpAddress,
+			Created:   getTimeNow(),
+		}
+
+		if _, err := sess.Insert(&loginAttempt); err != nil {
+			return err
+		}
+
+		cmd.Result = loginAttempt
+
+		return nil
+	})
+}
+
+func DeleteOldLoginAttempts(cmd *m.DeleteOldLoginAttemptsCommand) error {
+	return inTransaction(func(sess *DBSession) error {
+		var maxId int64
+		sql := "SELECT max(id) as id FROM login_attempt WHERE created < " + dialect.DateTimeFunc("?")
+		result, err := sess.Query(sql, cmd.OlderThan)
+
+		if err != nil {
+			return err
+		}
+
+		maxId = toInt64(result[0]["id"])
+
+		if maxId == 0 {
+			return nil
+		}
+
+		sql = "DELETE FROM login_attempt WHERE id <= ?"
+
+		if result, err := sess.Exec(sql, maxId); err != nil {
+			return err
+		} else if cmd.DeletedRows, err = result.RowsAffected(); err != nil {
+			return err
+		}
+
+		return nil
+	})
+}
+
+func GetUserLoginAttemptCount(query *m.GetUserLoginAttemptCountQuery) error {
+	loginAttempt := new(m.LoginAttempt)
+	total, err := x.
+		Where("username = ?", query.Username).
+		And("created >="+dialect.DateTimeFunc("?"), query.Since).
+		Count(loginAttempt)
+
+	if err != nil {
+		return err
+	}
+
+	query.Result = total
+	return nil
+}
+
+func toInt64(i interface{}) int64 {
+	switch i.(type) {
+	case []byte:
+		n, _ := strconv.ParseInt(string(i.([]byte)), 10, 64)
+		return n
+	case int:
+		return int64(i.(int))
+	case int64:
+		return i.(int64)
+	}
+	return 0
+}

pkg/services/sqlstore/login_attempt_test.go

+package sqlstore
+
+import (
+	"testing"
+	"time"
+
+	m "github.com/grafana/grafana/pkg/models"
+	. "github.com/smartystreets/goconvey/convey"
+)
+
+func mockTime(mock time.Time) time.Time {
+	getTimeNow = func() time.Time { return mock }
+	return mock
+}
+
+func TestLoginAttempts(t *testing.T) {
+	Convey("Testing Login Attempts DB Access", t, func() {
+		InitTestDB(t)
+
+		user := "user"
+		beginningOfTime := mockTime(time.Date(2017, 10, 22, 8, 0, 0, 0, time.Local))
+
+		err := CreateLoginAttempt(&m.CreateLoginAttemptCommand{
+			Username:  user,
+			IpAddress: "192.168.0.1",
+		})
+		So(err, ShouldBeNil)
+
+		timePlusOneMinute := mockTime(beginningOfTime.Add(time.Minute * 1))
+
+		err = CreateLoginAttempt(&m.CreateLoginAttemptCommand{
+			Username:  user,
+			IpAddress: "192.168.0.1",
+		})
+		So(err, ShouldBeNil)
+
+		timePlusTwoMinutes := mockTime(beginningOfTime.Add(time.Minute * 2))
+
+		err = CreateLoginAttempt(&m.CreateLoginAttemptCommand{
+			Username:  user,
+			IpAddress: "192.168.0.1",
+		})
+		So(err, ShouldBeNil)
+
+		Convey("Should return a total count of zero login attempts when comparing since beginning of time + 2min and 1s", func() {
+			query := m.GetUserLoginAttemptCountQuery{
+				Username: user,
+				Since:    timePlusTwoMinutes.Add(time.Second * 1),
+			}
+			err := GetUserLoginAttemptCount(&query)
+			So(err, ShouldBeNil)
+			So(query.Result, ShouldEqual, 0)
+		})
+
+		Convey("Should return the total count of login attempts since beginning of time", func() {
+			query := m.GetUserLoginAttemptCountQuery{
+				Username: user,
+				Since:    beginningOfTime,
+			}
+			err := GetUserLoginAttemptCount(&query)
+			So(err, ShouldBeNil)
+			So(query.Result, ShouldEqual, 3)
+		})
+
+		Convey("Should return the total count of login attempts since beginning of time + 1min", func() {
+			query := m.GetUserLoginAttemptCountQuery{
+				Username: user,
+				Since:    timePlusOneMinute,
+			}
+			err := GetUserLoginAttemptCount(&query)
+			So(err, ShouldBeNil)
+			So(query.Result, ShouldEqual, 2)
+		})
+
+		Convey("Should return the total count of login attempts since beginning of time + 2min", func() {
+			query := m.GetUserLoginAttemptCountQuery{
+				Username: user,
+				Since:    timePlusTwoMinutes,
+			}
+			err := GetUserLoginAttemptCount(&query)
+			So(err, ShouldBeNil)
+			So(query.Result, ShouldEqual, 1)
+		})
+
+		Convey("Should return deleted rows older than beginning of time", func() {
+			cmd := m.DeleteOldLoginAttemptsCommand{
+				OlderThan: beginningOfTime,
+			}
+			err := DeleteOldLoginAttempts(&cmd)
+
+			So(err, ShouldBeNil)
+			So(cmd.DeletedRows, ShouldEqual, 0)
+		})
+
+		Convey("Should return deleted rows older than beginning of time + 1min", func() {
+			cmd := m.DeleteOldLoginAttemptsCommand{
+				OlderThan: timePlusOneMinute,
+			}
+			err := DeleteOldLoginAttempts(&cmd)
+
+			So(err, ShouldBeNil)
+			So(cmd.DeletedRows, ShouldEqual, 1)
+		})
+
+		Convey("Should return deleted rows older than beginning of time + 2min", func() {
+			cmd := m.DeleteOldLoginAttemptsCommand{
+				OlderThan: timePlusTwoMinutes,
+			}
+			err := DeleteOldLoginAttempts(&cmd)
+
+			So(err, ShouldBeNil)
+			So(cmd.DeletedRows, ShouldEqual, 2)
+		})
+
+		Convey("Should return deleted rows older than beginning of time + 2min and 1s", func() {
+			cmd := m.DeleteOldLoginAttemptsCommand{
+				OlderThan: timePlusTwoMinutes.Add(time.Second * 1),
+			}
+			err := DeleteOldLoginAttempts(&cmd)
+
+			So(err, ShouldBeNil)
+			So(cmd.DeletedRows, ShouldEqual, 3)
+		})
+	})
+}

pkg/services/sqlstore/migrations/login_attempt_mig.go

+package migrations
+
+import . "github.com/grafana/grafana/pkg/services/sqlstore/migrator"
+
+func addLoginAttemptMigrations(mg *Migrator) {
+	loginAttemptV1 := Table{
+		Name: "login_attempt",
+		Columns: []*Column{
+			{Name: "id", Type: DB_BigInt, IsPrimaryKey: true, IsAutoIncrement: true},
+			{Name: "username", Type: DB_NVarchar, Length: 190, Nullable: false},
+			{Name: "ip_address", Type: DB_NVarchar, Length: 30, Nullable: false},
+			{Name: "created", Type: DB_DateTime, Nullable: false},
+		},
+		Indices: []*Index{
+			{Cols: []string{"username"}},
+		},
+	}
+
+	// create table
+	mg.AddMigration("create login attempt table", NewAddTableMigration(loginAttemptV1))
+	// add indices
+	mg.AddMigration("add index login_attempt.username", NewAddIndexMigration(loginAttemptV1, loginAttemptV1.Indices[0]))
+}

pkg/services/sqlstore/migrations/migrations.go

@@ -29,6 +29,7 @@ func AddMigrations(mg *Migrator) {
 	addTeamMigrations(mg)
 	addDashboardAclMigrations(mg)
 	addTagMigration(mg)
+	addLoginAttemptMigrations(mg)
 }
 
 func addMigrationLogMigrations(mg *Migrator) {

pkg/services/sqlstore/migrator/dialect.go

@@ -19,6 +19,7 @@ type Dialect interface {
 	LikeStr() string
 	Default(col *Column) string
 	BooleanStr(bool) string
+	DateTimeFunc(string) string
 
 	CreateIndexSql(tableName string, index *Index) string
 	CreateTableSql(table *Table) string
@@ -78,6 +79,10 @@ func (b *BaseDialect) Default(col *Column) string {
 	return col.Default
 }
 
+func (db *BaseDialect) DateTimeFunc(value string) string {
+	return value
+}
+
 func (b *BaseDialect) CreateTableSql(table *Table) string {
 	var sql string
 	sql = "CREATE TABLE IF NOT EXISTS "

pkg/services/sqlstore/migrator/sqlite_dialect.go

@@ -36,6 +36,10 @@ func (db *Sqlite3) BooleanStr(value bool) string {
 	return "0"
 }
 
+func (db *Sqlite3) DateTimeFunc(value string) string {
+	return "datetime(" + value + ")"
+}
+
 func (db *Sqlite3) SqlType(c *Column) string {
 	switch c.Type {
 	case DB_Date, DB_DateTime, DB_TimeStamp, DB_Time:

pkg/services/sqlstore/sqlutil/sqlutil.go

@@ -12,7 +12,7 @@ type TestDB struct {
 }
 
 var TestDB_Sqlite3 = TestDB{DriverName: "sqlite3", ConnStr: ":memory:?_loc=Local"}
-var TestDB_Mysql = TestDB{DriverName: "mysql", ConnStr: "grafana:password@tcp(localhost:3306)/grafana_tests?collation=utf8mb4_unicode_ci"}
+var TestDB_Mysql = TestDB{DriverName: "mysql", ConnStr: "grafana:password@tcp(localhost:3306)/grafana_tests?collation=utf8mb4_unicode_ci&loc=Local"}
 var TestDB_Postgres = TestDB{DriverName: "postgres", ConnStr: "user=grafanatest password=grafanatest host=localhost port=5432 dbname=grafanatest sslmode=disable"}
 
 func CleanDB(x *xorm.Engine) {

pkg/setting/setting.go

@@ -75,13 +75,14 @@ var (
 	EnforceDomain      bool
 
 	// Security settings.
-	SecretKey             string
-	LogInRememberDays     int
-	CookieUserName        string
-	CookieRememberName    string
-	DisableGravatar       bool
-	EmailCodeValidMinutes int
-	DataProxyWhiteList    map[string]bool
+	SecretKey                        string
+	LogInRememberDays                int
+	CookieUserName                   string
+	CookieRememberName               string
+	DisableGravatar                  bool
+	EmailCodeValidMinutes            int
+	DataProxyWhiteList               map[string]bool
+	DisableBruteForceLoginProtection bool
 
 	// Snapshots
 	ExternalSnapshotUrl   string
@@ -514,6 +515,7 @@ func NewConfigContext(args *CommandLineArgs) error {
 	CookieUserName = security.Key("cookie_username").String()
 	CookieRememberName = security.Key("cookie_remember_name").String()
 	DisableGravatar = security.Key("disable_gravatar").MustBool(true)
+	DisableBruteForceLoginProtection = security.Key("disable_brute_force_login_protection").MustBool(false)
 
 	// read snapshots settings
 	snapshots := Cfg.Section("snapshots")
@@ -578,7 +580,7 @@ func NewConfigContext(args *CommandLineArgs) error {
 
 	// PhantomJS rendering
 	ImagesDir = filepath.Join(DataPath, "png")
-	PhantomDir = filepath.Join(HomePath, "vendor/phantomjs")
+	PhantomDir = filepath.Join(HomePath, "tools/phantomjs")
 
 	analytics := Cfg.Section("analytics")
 	ReportingEnabled = analytics.Key("reporting_enabled").MustBool(true)

public/app/core/components/grafana_app.ts

@@ -71,6 +71,7 @@ export function grafanaAppDirective(playlistSrv, contextSrv, $timeout, $rootScop
       body.toggleClass('sidemenu-open', sidemenuOpen);
 
       appEvents.on('toggle-sidemenu', () => {
+        sidemenuOpen = scope.contextSrv.sidemenu;
         body.toggleClass('sidemenu-open');
       });
 
@@ -167,6 +168,8 @@ export function grafanaAppDirective(playlistSrv, contextSrv, $timeout, $rootScop
       // mouse and keyboard is user activity
       body.mousemove(userActivityDetected);
       body.keydown(userActivityDetected);
+      // set useCapture = true to catch event here
+      document.addEventListener('wheel', userActivityDetected, true);
       // treat tab change as activity
       document.addEventListener('visibilitychange', userActivityDetected);
 

public/app/core/services/segment_srv.js

@@ -89,7 +89,7 @@ function (angular, _, coreModule) {
         if (addTemplateVars) {
           _.each(templateSrv.variables, function(variable) {
             if (variableTypeFilter === void 0 || variableTypeFilter === variable.type) {
-              segments.unshift(self.newSegment({ type: 'template', value: '$' + variable.name, expandable: true }));
+              segments.unshift(self.newSegment({ type: 'value', value: '$' + variable.name, expandable: true }));
             }
           });
         }

public/app/features/dashboard/dashboard_model.ts

@@ -354,6 +354,14 @@ export class DashboardModel {
       if (panel.repeatDirection === REPEAT_DIR_VERTICAL) {
         copy.gridPos.y = yPos;
         yPos += copy.gridPos.h;
+
+        // Update gridPos for panels below
+        let panelBelowIndex = panelIndex + index + 1;
+        for (let i = panelBelowIndex; i < this.panels.length; i++) {
+          if (this.panels[i].gridPos.y < yPos) {
+            this.panels[i].gridPos.y += copy.gridPos.h;
+          }
+        }
       } else {
         // set width based on how many are selected
         // assumed the repeated panels should take up full row width

public/app/features/dashboard/dashgrid/DashboardRow.tsx

@@ -27,6 +27,7 @@ export class DashboardRow extends React.Component<DashboardRowProps, any> {
     this.toggle = this.toggle.bind(this);
     this.openSettings = this.openSettings.bind(this);
     this.delete = this.delete.bind(this);
+    this.update = this.update.bind(this);
   }
 
   toggle() {
@@ -37,13 +38,18 @@ export class DashboardRow extends React.Component<DashboardRowProps, any> {
     });
   }
 
+  update() {
+    this.dashboard.processRepeats();
+    this.forceUpdate();
+  }
+
   openSettings() {
     appEvents.emit('show-modal', {
       templateHtml: `<row-options row="model.row" on-updated="model.onUpdated()" dismiss="dismiss()"></row-options>`,
       modalClass: 'modal--narrow',
       model: {
         row: this.props.panel,
-        onUpdated: this.forceUpdate.bind(this),
+        onUpdated: this.update.bind(this),
       },
     });
   }

public/app/features/dashboard/specs/repeat.jest.ts

@@ -142,12 +142,9 @@ describe('given dashboard with panel repeat in vertical direction', function() {
   beforeEach(function() {
     dashboard = new DashboardModel({
       panels: [
-        {
-          id: 2,
-          repeat: 'apps',
-          repeatDirection: 'v',
-          gridPos: { x: 5, y: 0, h: 2, w: 8 },
-        },
+        { id: 1, type: 'row', gridPos: { x: 0, y: 0, h: 1, w: 24 } },
+        { id: 2, repeat: 'apps', repeatDirection: 'v', gridPos: { x: 5, y: 1, h: 2, w: 8 } },
+        { id: 3, type: 'row', gridPos: { x: 0, y: 3, h: 1, w: 24 } },
       ],
       templating: {
         list: [
@@ -171,24 +168,13 @@ describe('given dashboard with panel repeat in vertical direction', function() {
   });
 
   it('should place on items on top of each other and keep witdh', function() {
-    expect(dashboard.panels[0].gridPos).toMatchObject({
-      x: 5,
-      y: 0,
-      h: 2,
-      w: 8,
-    });
-    expect(dashboard.panels[1].gridPos).toMatchObject({
-      x: 5,
-      y: 2,
-      h: 2,
-      w: 8,
-    });
-    expect(dashboard.panels[2].gridPos).toMatchObject({
-      x: 5,
-      y: 4,
-      h: 2,
-      w: 8,
-    });
+    expect(dashboard.panels[0].gridPos).toMatchObject({ x: 0, y: 0, h: 1, w: 24 }); // first row
+
+    expect(dashboard.panels[1].gridPos).toMatchObject({ x: 5, y: 1, h: 2, w: 8 });
+    expect(dashboard.panels[2].gridPos).toMatchObject({ x: 5, y: 3, h: 2, w: 8 });
+    expect(dashboard.panels[3].gridPos).toMatchObject({ x: 5, y: 5, h: 2, w: 8 });
+
+    expect(dashboard.panels[4].gridPos).toMatchObject({ x: 0, y: 7, h: 1, w: 24 }); // last row
   });
 });
 

public/app/plugins/datasource/cloudwatch/datasource.ts

@@ -36,7 +36,7 @@ export default class CloudWatchDatasource {
       item.region = this.templateSrv.replace(this.getActualRegion(item.region), options.scopedVars);
       item.namespace = this.templateSrv.replace(item.namespace, options.scopedVars);
       item.metricName = this.templateSrv.replace(item.metricName, options.scopedVars);
-      item.dimensions = this.convertDimensionFormat(item.dimensions, options.scopeVars);
+      item.dimensions = this.convertDimensionFormat(item.dimensions, options.scopedVars);
       item.period = String(this.getPeriod(item, options)); // use string format for period in graph query, and alerting
 
       return _.extend(

public/app/plugins/datasource/graphite/graphite_query.ts

@@ -181,6 +181,22 @@ export default class GraphiteQuery {
     var nestedSeriesRefRegex = /\#([A-Z])/g;
     var targetWithNestedQueries = target.target;
 
+    // Use ref count to track circular references
+    function countTargetRefs(targetsByRefId, refId) {
+      let refCount = 0;
+      _.each(targetsByRefId, (t, id) => {
+        if (id !== refId) {
+          let match = nestedSeriesRefRegex.exec(t.target);
+          let count = match && match.length ? match.length - 1 : 0;
+          refCount += count;
+        }
+      });
+      targetsByRefId[refId].refCount = refCount;
+    }
+    _.each(targetsByRefId, (t, id) => {
+      countTargetRefs(targetsByRefId, id);
+    });
+
     // Keep interpolating until there are no query references
     // The reason for the loop is that the referenced query might contain another reference to another query
     while (targetWithNestedQueries.match(nestedSeriesRefRegex)) {
@@ -191,7 +207,11 @@ export default class GraphiteQuery {
         }
 
         // no circular references
-        delete targetsByRefId[g1];
+        if (t.refCount === 0) {
+          delete targetsByRefId[g1];
+        }
+        t.refCount--;
+
         return t.target;
       });
 

public/app/plugins/datasource/graphite/specs/graphite_query.jest.ts

+import gfunc from '../gfunc';
+import GraphiteQuery from '../graphite_query';
+
+describe('Graphite query model', () => {
+  let ctx: any = {
+    datasource: {
+      getFuncDef: gfunc.getFuncDef,
+      getFuncDefs: jest.fn().mockReturnValue(Promise.resolve(gfunc.getFuncDefs('1.0'))),
+      waitForFuncDefsLoaded: jest.fn().mockReturnValue(Promise.resolve(null)),
+      createFuncInstance: gfunc.createFuncInstance,
+    },
+    templateSrv: {},
+    targets: [],
+  };
+
+  beforeEach(() => {
+    ctx.target = { refId: 'A', target: 'scaleToSeconds(#A, 60)' };
+    ctx.queryModel = new GraphiteQuery(ctx.datasource, ctx.target, ctx.templateSrv);
+  });
+
+  describe('when updating targets with nested queries', () => {
+    beforeEach(() => {
+      ctx.target = { refId: 'D', target: 'asPercent(#A, #C)' };
+      ctx.targets = [
+        { refId: 'A', target: 'first.query.count' },
+        { refId: 'B', target: 'second.query.count' },
+        { refId: 'C', target: 'diffSeries(#A, #B)' },
+        { refId: 'D', target: 'asPercent(#A, #C)' },
+      ];
+      ctx.queryModel = new GraphiteQuery(ctx.datasource, ctx.target, ctx.templateSrv);
+    });
+
+    it('targetFull should include nested queries', () => {
+      ctx.queryModel.updateRenderedTarget(ctx.target, ctx.targets);
+      const targetFullExpected = 'asPercent(first.query.count, diffSeries(first.query.count, second.query.count))';
+      expect(ctx.queryModel.target.targetFull).toBe(targetFullExpected);
+    });
+
+    it('should not hang on circular references', () => {
+      ctx.target.target = 'asPercent(#A, #B)';
+      ctx.targets = [{ refId: 'A', target: 'asPercent(#B, #C)' }, { refId: 'B', target: 'asPercent(#A, #C)' }];
+      ctx.queryModel.updateRenderedTarget(ctx.target, ctx.targets);
+      // Just ensure updateRenderedTarget() is completed and doesn't hang
+      expect(ctx.queryModel.target.targetFull).toBeDefined();
+    });
+  });
+});

public/app/plugins/datasource/influxdb/query_ctrl.ts

@@ -255,7 +255,7 @@ export class InfluxQueryCtrl extends QueryCtrl {
         for (let variable of this.templateSrv.variables) {
           segments.unshift(
             this.uiSegmentSrv.newSegment({
-              type: 'template',
+              type: 'value',
               value: '/^$' + variable.name + '$/',
               expandable: true,
             })

public/app/plugins/panel/graph/graph.ts

@@ -355,33 +355,16 @@ function graphDirective(timeSrv, popoverSrv, contextSrv) {
       function sortSeries(series, panel) {
         var sortBy = panel.legend.sort;
         var sortOrder = panel.legend.sortDesc;
-        var haveSortBy = sortBy !== null || sortBy !== undefined;
-        var haveSortOrder = sortOrder !== null || sortOrder !== undefined;
+        var haveSortBy = sortBy !== null && sortBy !== undefined;
+        var haveSortOrder = sortOrder !== null && sortOrder !== undefined;
         var shouldSortBy = panel.stack && haveSortBy && haveSortOrder;
         var sortDesc = panel.legend.sortDesc === true ? -1 : 1;
 
-        series.sort((x, y) => {
-          if (x.zindex > y.zindex) {
-            return 1;
-          }
-
-          if (x.zindex < y.zindex) {
-            return -1;
-          }
-
-          if (shouldSortBy) {
-            if (x.stats[sortBy] > y.stats[sortBy]) {
-              return 1 * sortDesc;
-            }
-            if (x.stats[sortBy] < y.stats[sortBy]) {
-              return -1 * sortDesc;
-            }
-          }
-
-          return 0;
-        });
-
-        return series;
+        if (shouldSortBy) {
+          return _.sortBy(series, s => s.stats[sortBy] * sortDesc);
+        } else {
+          return _.sortBy(series, s => s.zindex);
+        }
       }
 
       function translateFillOption(fill) {

public/app/plugins/panel/table/column_options.html

-
 <div class="edit-tab-with-sidemenu">
-	<aside class="edit-sidemenu-aside">
-		<ul class="edit-sidemenu">
+  <aside class="edit-sidemenu-aside">
+    <ul class="edit-sidemenu">
       <li ng-repeat="style in editor.panel.styles" ng-class="{active: editor.activeStyleIndex === $index}">
-        <a ng-click="editor.activeStyleIndex = $index" >{{style.pattern || 'New rule'}}</a>
+        <a ng-click="editor.activeStyleIndex = $index">{{style.pattern || 'New rule'}}</a>
       </li>
       <li>
         <a class="pointer" ng-click="editor.addColumnStyle()">
           <i class="fa fa-plus"></i>&nbsp;Add
         </a>
       </li>
-		</ul>
-	</aside>
+    </ul>
+  </aside>
 
   <div class="edit-tab-content" ng-repeat="style in editor.panel.styles" ng-if="editor.activeStyleIndex === $index">
 
@@ -20,7 +19,9 @@
       <div class="gf-form-inline">
         <div class="gf-form">
           <label class="gf-form-label width-13">Apply to columns named</label>
-          <input type="text" placeholder="Name or regex" class="gf-form-input width-13" ng-model="style.pattern" bs-tooltip="'Specify regex using /my.*regex/ syntax'" bs-typeahead="editor.getColumnNames" ng-blur="editor.render()" data-min-length=0 data-items=100 ng-model-onblur data-placement="right">
+          <input type="text" placeholder="Name or regex" class="gf-form-input width-13" ng-model="style.pattern" bs-tooltip="'Specify regex using /my.*regex/ syntax'"
+            bs-typeahead="editor.getColumnNames" ng-blur="editor.render()" data-min-length=0 data-items=100 ng-model-onblur
+            data-placement="right">
         </div>
       </div>
       <div class="gf-form" ng-if="style.type !== 'hidden'">
@@ -39,18 +40,20 @@
           <select class="gf-form-input" ng-model="style.type" ng-options="c.value as c.text for c in editor.columnTypes" ng-change="editor.render()"></select>
         </div>
       </div>
-      <div class="gf-form"  ng-if="style.type === 'date'">
+      <div class="gf-form" ng-if="style.type === 'date'">
         <label class="gf-form-label width-11">Date Format</label>
-        <div class="gf-form-select-wrapper width-16">
-          <select class="gf-form-input" ng-model="style.dateFormat" ng-options="c.value as c.text for c in editor.dateFormats" ng-change="editor.render()"></select>
-        </div>
+        <gf-form-dropdown model="style.dateFormat" css-class="gf-form-input width-16" lookup-text="true"
+        	get-options="editor.dateFormats" on-change="editor.render()" allow-custom="true">
+        </gf-form-dropdown>
       </div>
 
       <div ng-if="style.type === 'string'">
-        <gf-form-switch class="gf-form" label-class="width-11" ng-if="style.type === 'string'" label="Sanitize HTML" checked="style.sanitize" change="editor.render()"></gf-form-switch>
+        <gf-form-switch class="gf-form" label-class="width-11" ng-if="style.type === 'string'" label="Sanitize HTML" checked="style.sanitize"
+          change="editor.render()"></gf-form-switch>
       </div>
       <div ng-if="style.type === 'string'">
-        <gf-form-switch class="gf-form" label-class="width-11" ng-if="style.type === 'string'" label="Preserve Formatting" checked="style.preserveFormat" change="editor.render()"></gf-form-switch>
+        <gf-form-switch class="gf-form" label-class="width-11" ng-if="style.type === 'string'" label="Preserve Formatting" checked="style.preserveFormat"
+          change="editor.render()"></gf-form-switch>
       </div>
 
       <div ng-if="style.type === 'number'">
@@ -60,16 +63,20 @@
         </div>
         <div class="gf-form">
           <label class="gf-form-label width-11">Decimals</label>
-          <input type="number" class="gf-form-input width-4" data-placement="right" ng-model="style.decimals" ng-change="editor.render()" ng-model-onblur>
+          <input type="number" class="gf-form-input width-4" data-placement="right" ng-model="style.decimals" ng-change="editor.render()"
+            ng-model-onblur>
         </div>
       </div>
     </div>
 
-    <div class="section gf-form-group"  ng-if="style.type === 'number'">
+    <div class="section gf-form-group" ng-if="style.type === 'number'">
       <h5 class="section-heading">Thresholds</h5>
       <div class="gf-form">
-        <label class="gf-form-label width-8">Thresholds<tip>Comma separated values</tip></label>
-        <input type="text" class="gf-form-input width-10" ng-model="style.thresholds" placeholder="50,80" ng-blur="editor.render()" array-join>
+        <label class="gf-form-label width-8">Thresholds
+          <tip>Comma separated values</tip>
+        </label>
+        <input type="text" class="gf-form-input width-10" ng-model="style.thresholds" placeholder="50,80" ng-blur="editor.render()"
+          array-join>
       </div>
       <div class="gf-form">
         <label class="gf-form-label width-8">Color Mode</label>
@@ -102,21 +109,23 @@
         <info-popover mode="right-absolute">
           <p>Specify an URL (relative or absolute)</p>
           <span>
-            Use special variables to specify cell values: <br>
-            <em>$__cell</em> refers to current cell value <br>
+            Use special variables to specify cell values:
+            <br>
+            <em>$__cell</em> refers to current cell value
+            <br>
             <em>$__cell_n</em> refers to Nth column value in current row. Column indexes are started from 0. For instance,
-              <em>$__cell_1</em> refers to second column's value.
+            <em>$__cell_1</em> refers to second column's value.
           </span>
         </info-popover>
       </div>
       <div class="gf-form">
         <label class="gf-form-label width-9">Tooltip</label>
-        <input type="text" class="gf-form-input width-29" ng-model="style.linkTooltip" ng-blur="editor.render()" ng-model-onblur data-placement="right">
+        <input type="text" class="gf-form-input width-29" ng-model="style.linkTooltip" ng-blur="editor.render()" ng-model-onblur
+          data-placement="right">
         <info-popover mode="right-absolute">
           <p>Specify text for link tooltip.</p>
           <span>
-            This title appears when user hovers pointer over the cell with link.
-            Use the same variables as for URL.
+            This title appears when user hovers pointer over the cell with link. Use the same variables as for URL.
           </span>
         </info-popover>
       </div>

public/sass/components/_dropdown.scss

@@ -33,7 +33,7 @@
   border-top: 4px solid $text-color-weak;
   border-right: 4px solid transparent;
   border-left: 4px solid transparent;
-  content: "";
+  content: '';
 }
 
 // Place the caret
@@ -218,7 +218,7 @@
   .caret {
     border-top: 0;
     border-bottom: 4px solid $black;
-    content: "";
+    content: '';
   }
   // Different positioning for bottom up menu
   .dropdown-menu {
@@ -255,9 +255,9 @@
 }
 
 // Caret to indicate there is a submenu
-.dropdown-submenu > a::after {
+.dropdown-submenu > a::before {
   display: block;
-  content: " ";
+  content: ' ';
   float: right;
   width: 0;
   height: 0;
@@ -312,7 +312,7 @@
     width: 2rem;
     display: inline-block;
     text-align: center;
-    content: "\f11c";
+    content: '\f11c';
   }
 }
 

public/sass/components/_search.scss

@@ -10,7 +10,7 @@
 }
 
 .search-container {
-  left: $side-menu-width;
+  left: 0;
   top: 0;
   right: 0;
   bottom: 0;
@@ -38,13 +38,6 @@
     background-color: $navbarButtonBackground;
     flex-grow: 10;
   }
-
-  // .tag-filter {
-  //   .Select-control {
-  //     width: 300px;
-  //     background-color: $navbarBackground;
-  //   }
-  // }
 }
 
 .search-field-spacer {
@@ -58,7 +51,7 @@
 
 .search-dropdown {
   display: flex;
-  flex-direction: row;
+  flex-direction: column;
   height: calc(100% - #{$navbarHeight});
 }
 
@@ -74,9 +67,8 @@
   flex-grow: 1;
   height: 100%;
   padding-top: 16px;
-  display: flex;
+  display: none;
   flex-direction: column;
-  align-items: flex-start;
 }
 
 .search-filter-box {
@@ -85,7 +77,6 @@
   padding: $spacer*1.5;
   min-width: 340px;
   margin-bottom: $spacer * 1.5;
-  margin-left: $spacer * 1.5;
 }
 
 .search-filter-box__header {
@@ -215,7 +206,8 @@
 }
 
 .search-item__tags {
-  padding: 10px;
+  display: none;
+  //padding: 10px;
 }
 
 .search-item__actions {
@@ -248,16 +240,46 @@
   background: $panel-bg;
 }
 
-@include media-breakpoint-down(xs) {
+@include media-breakpoint-up(sm) {
   .search-container {
-    left: 0;
+    left: $side-menu-width;
+  }
+
+  .search-dropdown__col_2 {
+    display: flex;
+    margin-bottom: 1rem;
+  }
+}
+
+@include media-breakpoint-up(md) {
+  .search-dropdown__col_2 {
+    flex-direction: row;
+    justify-content: space-between;
+    max-width: 700px;
+    height: 260px;
+    align-items: flex-start;
+  }
+
+  .search-dropdown__col_1 {
+    height: 100%;
+  }
+
+  .search-filter-box {
+    margin: 0;
+  }
+}
+
+@include media-breakpoint-up(lg) {
+  .search-dropdown {
+    flex-direction: row;
   }
 
   .search-dropdown__col_2 {
-    display: none;
+    flex-direction: column;
   }
 
-  .search-item__tags {
-    display: none;
+  .search-filter-box {
+    margin-left: $spacer * 1.5;
+    margin-bottom: $spacer * 1.5;
   }
 }

scripts/build/Dockerfile

@@ -21,7 +21,7 @@ RUN gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A170311380
 RUN curl --silent --location https://rpm.nodesource.com/setup_6.x | bash - && \
     yum install -y nodejs --nogpgcheck
 
-ENV GOLANG_VERSION 1.9.2
+ENV GOLANG_VERSION 1.9.3
 
 RUN wget https://dl.yarnpkg.com/rpm/yarn.repo -O /etc/yum.repos.d/yarn.repo && \
     yum install -y yarn --nogpgcheck && \

scripts/grunt/options/phantomjs.js

@@ -3,7 +3,7 @@ module.exports = function(config,grunt) {
 
   grunt.registerTask('phantomjs', 'Copy phantomjs binary to vendor/', function() {
 
-    var dest = './vendor/phantomjs/phantomjs';
+    var dest = './tools/phantomjs/phantomjs';
     var confDir = './node_modules/phantomjs-prebuilt/lib/';
 
     if (process.platform === "win32") {

scripts/grunt/release_task.js

@@ -26,7 +26,7 @@ module.exports = function(grunt) {
     });
     grunt.config('copy.backend_files', {
       expand: true,
-      src: ['conf/**', 'vendor/phantomjs/*', 'scripts/*'],
+      src: ['conf/**', 'tools/phantomjs/*', 'scripts/*'],
       options: { mode: true},
       dest: '<%= tempDir %>'
     });

tools/phantomjs/render.js

+(function() {
+    'use strict';
+  
+    var page = require('webpage').create();
+    var args = require('system').args;
+    var params = {};
+    var regexp = /^([^=]+)=([^$]+)/;
+  
+    args.forEach(function(arg) {
+      var parts = arg.match(regexp);
+      if (!parts) { return; }
+      params[parts[1]] = parts[2];
+    });
+  
+    var usage = "url=<url> png=<filename> width=<width> height=<height> renderKey=<key>";
+  
+    if (!params.url || !params.png ||  !params.renderKey || !params.domain) {
+      console.log(usage);
+      phantom.exit();
+    }
+  
+    phantom.addCookie({
+      'name': 'renderKey',
+      'value': params.renderKey,
+      'domain': params.domain,
+    });
+  
+    page.viewportSize = {
+      width: params.width || '800',
+      height: params.height || '400'
+    };
+  
+    var timeoutMs = (parseInt(params.timeout) || 10) * 1000;
+    var waitBetweenReadyCheckMs = 50;
+    var totalWaitMs = 0;
+  
+    page.open(params.url, function (status) {
+      console.log('Loading a web page: ' + params.url + ' status: ' + status, timeoutMs);
+  
+      page.onError = function(msg, trace) {
+        var msgStack = ['ERROR: ' + msg];
+        if (trace && trace.length) {
+          msgStack.push('TRACE:');
+          trace.forEach(function(t) {
+            msgStack.push(' -> ' + t.file + ': ' + t.line + (t.function ? ' (in function "' + t.function +'")' : ''));
+          });
+        }
+        console.error(msgStack.join('\n'));
+      };
+  
+      function checkIsReady() {
+        var panelsRendered = page.evaluate(function() {
+          if (!window.angular) { return false; }
+          var body = window.angular.element(document.body);
+          if (!body.injector) { return false; }
+          if (!body.injector()) { return false; }
+  
+          var rootScope = body.injector().get('$rootScope');
+          if (!rootScope) {return false;}
+          var panels = angular.element('div.panel:visible').length;
+          return rootScope.panelsRendered >= panels;
+        });
+  
+        if (panelsRendered || totalWaitMs > timeoutMs) {
+          var bb = page.evaluate(function () {
+            return document.getElementsByClassName("main-view")[0].getBoundingClientRect();
+          });
+  
+          page.clipRect = {
+            top:    bb.top,
+            left:   bb.left,
+            width:  bb.width,
+            height: bb.height
+          };
+  
+          page.render(params.png);
+          phantom.exit();
+        } else {
+          totalWaitMs += waitBetweenReadyCheckMs;
+          setTimeout(checkIsReady, waitBetweenReadyCheckMs);
+        }
+      }
+  
+      setTimeout(checkIsReady, waitBetweenReadyCheckMs);
+    });
+  })();
\ No newline at end of file