Backend: Do not set SameSite cookie attribute if cookie_samesite is none (#18462)

* Do not set SameSite login_error cookie attribute if cookie_samesite is none

* Do not set SameSite grafana_session cookie attribute if cookie_samesite is none

* Update middleware tests

pkg/api/login.go

@@ -199,15 +199,18 @@ func (hs *HTTPServer) trySetEncryptedCookie(ctx *models.ReqContext, cookieName s
 		return err
 		return err
 	}
 	}
 
 
-	http.SetCookie(ctx.Resp, &http.Cookie{
+	cookie := http.Cookie{
 		Name:     cookieName,
 		Name:     cookieName,
 		MaxAge:   60,
 		MaxAge:   60,
 		Value:    hex.EncodeToString(encryptedError),
 		Value:    hex.EncodeToString(encryptedError),
 		HttpOnly: true,
 		HttpOnly: true,
 		Path:     setting.AppSubUrl + "/",
 		Path:     setting.AppSubUrl + "/",
 		Secure:   hs.Cfg.CookieSecure,
 		Secure:   hs.Cfg.CookieSecure,
-		SameSite: hs.Cfg.CookieSameSite,
-	})
+	}
+	if hs.Cfg.CookieSameSite != http.SameSiteDefaultMode {
+		cookie.SameSite = hs.Cfg.CookieSameSite
+	}
+	http.SetCookie(ctx.Resp, &cookie)
 
 
 	return nil
 	return nil
 }
 }

pkg/middleware/middleware.go

@@ -256,7 +256,9 @@ func WriteSessionCookie(ctx *models.ReqContext, value string, maxLifetimeDays in
 		Path:     setting.AppSubUrl + "/",
 		Path:     setting.AppSubUrl + "/",
 		Secure:   setting.CookieSecure,
 		Secure:   setting.CookieSecure,
 		MaxAge:   maxAge,
 		MaxAge:   maxAge,
-		SameSite: setting.CookieSameSite,
+	}
+	if setting.CookieSameSite != http.SameSiteDefaultMode {
+		cookie.SameSite = setting.CookieSameSite
 	}
 	}
 
 
 	http.SetCookie(ctx.Resp, &cookie)
 	http.SetCookie(ctx.Resp, &cookie)

pkg/middleware/middleware_test.go

@@ -252,6 +252,13 @@ func TestMiddlewareContext(t *testing.T) {
 			maxAgeHours := (time.Duration(setting.LoginMaxLifetimeDays) * 24 * time.Hour)
 			maxAgeHours := (time.Duration(setting.LoginMaxLifetimeDays) * 24 * time.Hour)
 			maxAge := (maxAgeHours + time.Hour).Seconds()
 			maxAge := (maxAgeHours + time.Hour).Seconds()
 
 
+			sameSitePolicies := []http.SameSite{
+				http.SameSiteDefaultMode,
+				http.SameSiteLaxMode,
+				http.SameSiteStrictMode,
+			}
+			for _, sameSitePolicy := range sameSitePolicies {
+				setting.CookieSameSite = sameSitePolicy
 				expectedCookie := &http.Cookie{
 				expectedCookie := &http.Cookie{
 					Name:     setting.LoginCookieName,
 					Name:     setting.LoginCookieName,
 					Value:    "rotated",
 					Value:    "rotated",
@@ -259,21 +266,24 @@ func TestMiddlewareContext(t *testing.T) {
 					HttpOnly: true,
 					HttpOnly: true,
 					MaxAge:   int(maxAge),
 					MaxAge:   int(maxAge),
 					Secure:   setting.CookieSecure,
 					Secure:   setting.CookieSecure,
-				SameSite: setting.CookieSameSite,
+				}
+				if sameSitePolicy != http.SameSiteDefaultMode {
+					expectedCookie.SameSite = sameSitePolicy
 				}
 				}
 
 
 				sc.fakeReq("GET", "/").exec()
 				sc.fakeReq("GET", "/").exec()
 
 
-			Convey("Should init context with user info", func() {
+				Convey(fmt.Sprintf("Should init context with user info and setting.SameSite=%v", sameSitePolicy), func() {
 					So(sc.context.IsSignedIn, ShouldBeTrue)
 					So(sc.context.IsSignedIn, ShouldBeTrue)
 					So(sc.context.UserId, ShouldEqual, 12)
 					So(sc.context.UserId, ShouldEqual, 12)
 					So(sc.context.UserToken.UserId, ShouldEqual, 12)
 					So(sc.context.UserToken.UserId, ShouldEqual, 12)
 					So(sc.context.UserToken.UnhashedToken, ShouldEqual, "rotated")
 					So(sc.context.UserToken.UnhashedToken, ShouldEqual, "rotated")
 				})
 				})
 
 
-			Convey("Should set cookie", func() {
+				Convey(fmt.Sprintf("Should set cookie with setting.SameSite=%v", sameSitePolicy), func() {
 					So(sc.resp.Header().Get("Set-Cookie"), ShouldEqual, expectedCookie.String())
 					So(sc.resp.Header().Get("Set-Cookie"), ShouldEqual, expectedCookie.String())
 				})
 				})
+			}
 		})
 		})
 
 
 		middlewareScenario(t, "Invalid/expired auth token in cookie", func(sc *scenarioContext) {
 		middlewareScenario(t, "Invalid/expired auth token in cookie", func(sc *scenarioContext) {