Add check so that header is not sent for anonymous users

697a87b7 · Andrej Ocenas · 6587a967 · 697a87b7 · 697a87b7 · 697a87b7
Commit 697a87b7 authored Mar 14, 2019 by Andrej Ocenas
7 changed files
--- a/conf/defaults.ini
+++ b/conf/defaults.ini
@@ -157,7 +157,7 @@ logging = false
 # How long the data proxy should wait before timing out default is 30 (seconds)
 timeout = 30

-# If enabled data proxy will add X-Grafana-User header with username into the request, default is false.
+# If enabled and user is not anonymous, data proxy will add X-Grafana-User header with username into the request, default is false.
 send_user_header = false

 #################################### Analytics ###########################

--- a/conf/sample.ini
+++ b/conf/sample.ini
@@ -144,7 +144,7 @@ log_queries =
 # How long the data proxy should wait before timing out default is 30 (seconds)
 ;timeout = 30

-# If enabled data proxy will add X-Grafana-User header with username into the request, default is false.
+# If enabled and user is not anonymous, data proxy will add X-Grafana-User header with username into the request, default is false.
 ;send_user_header = false

 #################################### Analytics ####################################

--- a/docs/sources/installation/configuration.md
+++ b/docs/sources/installation/configuration.md
@@ -423,7 +423,7 @@ How long the data proxy should wait before timing out default is 30 (seconds)

 ### send_user_header

-If enabled data proxy will add X-Grafana-User header with username into the request, default is false.
+If enabled and user is not anonymous, data proxy will add X-Grafana-User header with username into the request, default is false.

 <hr />


--- a/pkg/api/pluginproxy/ds_proxy.go
+++ b/pkg/api/pluginproxy/ds_proxy.go
@@ -172,7 +172,7 @@ func (proxy *DataSourceProxy) getDirector() func(req *http.Request) {
 			req.Header.Add("Authorization", dsAuth)
 		}

-		if proxy.cfg.SendUserHeader {
+		if proxy.cfg.SendUserHeader && !proxy.ctx.SignedInUser.IsAnonymous {
 			req.Header.Add("X-Grafana-User", proxy.ctx.SignedInUser.Login)
 		}


--- a/pkg/api/pluginproxy/ds_proxy_test.go
+++ b/pkg/api/pluginproxy/ds_proxy_test.go
@@ -417,6 +417,19 @@ func TestDSRouteRule(t *testing.T) {
 				So(req.Header.Get("X-Grafana-User"), ShouldEqual, "")
 			})
 		})
+
+		Convey("When SendUserHeader config is enabled but user is anonymous", func() {
+			req := getDatasourceProxiedRequest(
+				&m.ReqContext{
+					SignedInUser: &m.SignedInUser{IsAnonymous: true},
+				},
+				&setting.Cfg{SendUserHeader: true},
+			)
+			Convey("Should not add header with username", func() {
+				// Get will return empty string even if header is not set
+				So(req.Header.Get("X-Grafana-User"), ShouldEqual, "")
+			})
+		})
 	})
 }


--- a/pkg/api/pluginproxy/pluginproxy.go
+++ b/pkg/api/pluginproxy/pluginproxy.go
@@ -80,7 +80,7 @@ func NewApiPluginProxy(ctx *m.ReqContext, proxyPath string, route *plugins.AppPl

 		req.Header.Add("X-Grafana-Context", string(ctxJson))

-		if cfg.SendUserHeader {
+		if cfg.SendUserHeader && !ctx.SignedInUser.IsAnonymous {
 			req.Header.Add("X-Grafana-User", ctx.SignedInUser.Login)
 		}


--- a/pkg/api/pluginproxy/pluginproxy_test.go
+++ b/pkg/api/pluginproxy/pluginproxy_test.go
@@ -75,6 +75,20 @@ func TestPluginProxy(t *testing.T) {
 			So(req.Header.Get("X-Grafana-User"), ShouldEqual, "")
 		})
 	})
+
+	Convey("When SendUserHeader config is enabled but user is anonymous", t, func() {
+		req := getPluginProxiedRequest(
+			&m.ReqContext{
+				SignedInUser: &m.SignedInUser{IsAnonymous: true},
+			},
+			&setting.Cfg{SendUserHeader: true},
+		)
+
+		Convey("Should not add header with username", func() {
+			// Get will return empty string even if header is not set
+			So(req.Header.Get("X-Grafana-User"), ShouldEqual, "")
+		})
+	})
 }

 // getPluginProxiedRequest is a helper for easier setup of tests based on global config and ReqContext.