391868c5
Commit
391868c5
authored
Mar 21, 2018
by
Julian Kornberger
Use net.SplitHostPort to support IPv6
- Add some tests - Make error message more helpful
parent
a20f3d19
Showing
2 changed files
with
33 additions
and
19 deletions
+33
-19
pkg/middleware/auth_proxy.go
+11
-15
pkg/middleware/middleware_test.go
+22
-4
pkg/middleware/auth_proxy.go
package
middleware
import
(
"errors"
"fmt"
"net"
"strings"
"time"
...
...
@@ -25,7 +25,7 @@ func initContextWithAuthProxy(ctx *m.ReqContext, orgID int64) bool {
}
// if auth proxy ip(s) defined, check if request comes from one of those
if
err
:=
checkAuthenticationProxy
(
ctx
,
proxyHeaderValue
);
err
!=
nil
{
if
err
:=
checkAuthenticationProxy
(
ctx
.
Req
.
RemoteAddr
,
proxyHeaderValue
);
err
!=
nil
{
ctx
.
Handle
(
407
,
"Proxy authentication required"
,
err
)
return
true
}
...
...
@@ -123,29 +123,25 @@ var syncGrafanaUserWithLdapUser = func(ctx *m.ReqContext, query *m.GetSignedInUs
return
nil
}
func
checkAuthenticationProxy
(
ctx
*
m
.
ReqContext
,
proxyHeaderValue
string
)
error
{
func
checkAuthenticationProxy
(
remoteAddr
string
,
proxyHeaderValue
string
)
error
{
if
len
(
strings
.
TrimSpace
(
setting
.
AuthProxyWhitelist
))
==
0
{
return
nil
}
proxies
:=
strings
.
Split
(
setting
.
AuthProxyWhitelist
,
","
)
remoteAddrSplit
:=
strings
.
Split
(
ctx
.
Req
.
RemoteAddr
,
":"
)
sourceIP
:=
remoteAddrSplit
[
0
]
sourceIP
,
_
,
err
:=
net
.
SplitHostPort
(
remoteAddr
)
if
err
!=
nil
{
return
err
}
found
:=
false
// Compare allowed IP addresses to actual address
for
_
,
proxyIP
:=
range
proxies
{
if
sourceIP
==
strings
.
TrimSpace
(
proxyIP
)
{
found
=
true
break
return
nil
}
}
if
!
found
{
msg
:=
fmt
.
Sprintf
(
"Request for user (%s) is not from the authentication proxy"
,
proxyHeaderValue
)
err
:=
errors
.
New
(
msg
)
return
err
}
return
nil
return
fmt
.
Errorf
(
"Request for user (%s) from %s is not from the authentication proxy"
,
proxyHeaderValue
,
sourceIP
)
}
func
getSignedInUserQueryForProxyAuth
(
headerVal
string
)
*
m
.
GetSignedInUserQuery
{
...
...
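Review bot: The whitelist check at `if sourceIP == strings.TrimSpace(proxyIP)` compares addresses as text, so an IPv6 whitelist entry written in any non-canonical spelling (leading zeros, `2001:0::23`, an IPv4-mapped form) never matches the canonical text Go normally places in `RemoteAddr`, and a host that `net.SplitHostPort` hands back unvalidated (it only strips the brackets) is compared verbatim rather than rejected. Parsing both sides with `net.ParseIP` and comparing with `IP.Equal` makes equivalent spellings match and fails closed on anything that is not an IP literal; the rewrite below keeps the empty-whitelist early return and the existing error message. The `ip != nil` guard matters because `IP.Equal` on two nil values reports true, which would trust a malformed remote address whenever a whitelist entry is also unparsable. Separately, `proxyHeaderValue` comes from the untrusted request header in exactly this branch and is echoed into the error handed to `ctx.Handle(407, ...)`; whether that is escaped on output depends on `Handle`, which is outside this hunk, so it is worth confirming.
```go
func checkAuthenticationProxy(remoteAddr string, proxyHeaderValue string) error {
	// … unchanged: empty-whitelist early return, proxies split, net.SplitHostPort …
	ip := net.ParseIP(sourceIP)
	// Compare allowed IP addresses to actual address. A nil ip (host is not an
	// IP literal) never matches, so a malformed RemoteAddr fails closed.
	for _, proxyIP := range proxies {
		if ip != nil && ip.Equal(net.ParseIP(strings.TrimSpace(proxyIP))) {
			return nil
		}
	}
	return fmt.Errorf("Request for user (%s) from %s is not from the authentication proxy", proxyHeaderValue, sourceIP)
}
```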
pkg/middleware/middleware_test.go
...
...
@@ -226,11 +226,11 @@ func TestMiddlewareContext(t *testing.T) {
})
})
middlewareScenario
(
"When auth_proxy is enabled and request RemoteAddr is not trusted"
,
func
(
sc
*
scenarioContext
)
{
middlewareScenario
(
"When auth_proxy is enabled and
IPv4
request RemoteAddr is not trusted"
,
func
(
sc
*
scenarioContext
)
{
setting
.
AuthProxyEnabled
=
true
setting
.
AuthProxyHeaderName
=
"X-WEBAUTH-USER"
setting
.
AuthProxyHeaderProperty
=
"username"
setting
.
AuthProxyWhitelist
=
"192.168.1.1,
192.168.2.1
"
setting
.
AuthProxyWhitelist
=
"192.168.1.1,
2001::23
"
sc
.
fakeReq
(
"GET"
,
"/"
)
sc
.
req
.
Header
.
Add
(
"X-WEBAUTH-USER"
,
"torkelo"
)
...
...
@@ -239,6 +239,24 @@ func TestMiddlewareContext(t *testing.T) {
Convey
(
"should return 407 status code"
,
func
()
{
So
(
sc
.
resp
.
Code
,
ShouldEqual
,
407
)
So
(
sc
.
resp
.
Body
.
String
(),
ShouldContainSubstring
,
"Request for user (torkelo) from 192.168.3.1 is not from the authentication proxy"
)
})
})
middlewareScenario
(
"When auth_proxy is enabled and IPv6 request RemoteAddr is not trusted"
,
func
(
sc
*
scenarioContext
)
{
setting
.
AuthProxyEnabled
=
true
setting
.
AuthProxyHeaderName
=
"X-WEBAUTH-USER"
setting
.
AuthProxyHeaderProperty
=
"username"
setting
.
AuthProxyWhitelist
=
"192.168.1.1, 2001::23"
sc
.
fakeReq
(
"GET"
,
"/"
)
sc
.
req
.
Header
.
Add
(
"X-WEBAUTH-USER"
,
"torkelo"
)
sc
.
req
.
RemoteAddr
=
"[2001:23]:12345"
sc
.
exec
()
Convey
(
"should return 407 status code"
,
func
()
{
So
(
sc
.
resp
.
Code
,
ShouldEqual
,
407
)
So
(
sc
.
resp
.
Body
.
String
(),
ShouldContainSubstring
,
"Request for user (torkelo) from 2001:23 is not from the authentication proxy"
)
})
})
...
...
@@ -246,7 +264,7 @@ func TestMiddlewareContext(t *testing.T) {
setting
.
AuthProxyEnabled
=
true
setting
.
AuthProxyHeaderName
=
"X-WEBAUTH-USER"
setting
.
AuthProxyHeaderProperty
=
"username"
setting
.
AuthProxyWhitelist
=
"192.168.1.1,
192.168.2.1
"
setting
.
AuthProxyWhitelist
=
"192.168.1.1,
2001::23
"
bus
.
AddHandler
(
"test"
,
func
(
query
*
m
.
GetSignedInUserQuery
)
error
{
query
.
Result
=
&
m
.
SignedInUser
{
OrgId
:
4
,
UserId
:
33
}
...
...
@@ -255,7 +273,7 @@ func TestMiddlewareContext(t *testing.T) {
sc
.
fakeReq
(
"GET"
,
"/"
)
sc
.
req
.
Header
.
Add
(
"X-WEBAUTH-USER"
,
"torkelo"
)
sc
.
req
.
RemoteAddr
=
"
192.168.2.1
:12345"
sc
.
req
.
RemoteAddr
=
"
[2001::23]
:12345"
sc
.
exec
()
Convey
(
"Should init context with user info"
,
func
()
{
...
...
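Review bot: The "IPv6 request RemoteAddr is not trusted" scenario sets `sc.req.RemoteAddr = "[2001:23]:12345"` and expects `from 2001:23` in the body, but `2001:23` is not a valid IPv6 literal; `net.SplitHostPort` accepts it because it only strips the brackets, so the scenario passes on a string that `net.ParseIP` would reject and does not show that a real, untrusted IPv6 address is refused. Using a well-formed address that is not in the whitelist, e.g. `sc.req.RemoteAddr = "[2001::24]:12345"` with the expectation `"Request for user (torkelo) from 2001::24 is not from the authentication proxy"`, keeps the test meaningful if the comparison is later tightened to parsed addresses. The trusted IPv6 case in the last hunk already uses the well-formed `[2001::23]:12345`. The enclosing TestMiddlewareContext starts and ends outside these hunks.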