Commit 6c9d8336 by Jon McKenzie Committed by GitHub

AuthProxy: Fixes bug where long username could not be cached (#22926)

parent 5df00abf
package authproxy package authproxy
import ( import (
"encoding/base32" "encoding/hex"
"fmt" "fmt"
"hash/fnv"
"net" "net"
"net/mail" "net/mail"
"reflect" "reflect"
...@@ -146,6 +147,13 @@ func (auth *AuthProxy) IsAllowedIP() (bool, *Error) { ...@@ -146,6 +147,13 @@ func (auth *AuthProxy) IsAllowedIP() (bool, *Error) {
return false, newError("Proxy authentication required", err) return false, newError("Proxy authentication required", err)
} }
func HashCacheKey(key string) string {
hasher := fnv.New128a()
// according to the documentation, Hash.Write cannot error, but linter is complaining
hasher.Write([]byte(key)) // nolint: errcheck
return hex.EncodeToString(hasher.Sum(nil))
}
// getKey forms a key for the cache based on the headers received as part of the authentication flow. // getKey forms a key for the cache based on the headers received as part of the authentication flow.
// Our configuration supports multiple headers. The main header contains the email or username. // Our configuration supports multiple headers. The main header contains the email or username.
// And the additional ones that allow us to specify extra attributes: Name, Email or Groups. // And the additional ones that allow us to specify extra attributes: Name, Email or Groups.
...@@ -156,7 +164,7 @@ func (auth *AuthProxy) getKey() string { ...@@ -156,7 +164,7 @@ func (auth *AuthProxy) getKey() string {
key = strings.Join([]string{key, header}, "-") // compose the key with any additional headers key = strings.Join([]string{key, header}, "-") // compose the key with any additional headers
}) })
hashedKey := base32.StdEncoding.EncodeToString([]byte(key)) hashedKey := HashCacheKey(key)
return fmt.Sprintf(CachePrefix, hashedKey) return fmt.Sprintf(CachePrefix, hashedKey)
} }
......
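Review bot: HashCacheKey replaces an injective encoding (base32) with FNV-128a, a non-cryptographic hash, so two different header combinations can now map to the same cache key. Judging by the tests on this page the cached value is a user id, so a collision would presumably resolve one identity's request to another user's cached login. A collision-resistant digest from the standard library avoids this and still gives a fixed-length key: `sum := sha256.Sum256([]byte(key))` followed by `return hex.EncodeToString(sum[:])`, importing `crypto/sha256` instead of `hash/fnv`. The exported function also lacks a doc comment, for example `// HashCacheKey returns a fixed-length hex digest of key for use as a remote-cache key.` getKey's body begins outside the hunk.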
package authproxy package authproxy
import ( import (
"encoding/base32"
"errors" "errors"
"fmt" "fmt"
"net/http" "net/http"
...@@ -79,7 +78,7 @@ func TestMiddlewareContext(t *testing.T) { ...@@ -79,7 +78,7 @@ func TestMiddlewareContext(t *testing.T) {
Convey("with a simple cache key", func() { Convey("with a simple cache key", func() {
// Set cache key // Set cache key
key := fmt.Sprintf(CachePrefix, base32.StdEncoding.EncodeToString([]byte(name))) key := fmt.Sprintf(CachePrefix, HashCacheKey(name))
err := store.Set(key, int64(33), 0) err := store.Set(key, int64(33), 0)
So(err, ShouldBeNil) So(err, ShouldBeNil)
...@@ -88,7 +87,7 @@ func TestMiddlewareContext(t *testing.T) { ...@@ -88,7 +87,7 @@ func TestMiddlewareContext(t *testing.T) {
id, err := auth.Login() id, err := auth.Login()
So(err, ShouldBeNil) So(err, ShouldBeNil)
So(auth.getKey(), ShouldEqual, "auth-proxy-sync-ttl:NVQXE23FNRXWO===") So(auth.getKey(), ShouldEqual, "auth-proxy-sync-ttl:0a7f3374e9659b10980fd66247b0cf2f")
So(id, ShouldEqual, 33) So(id, ShouldEqual, 33)
}) })
...@@ -97,7 +96,7 @@ func TestMiddlewareContext(t *testing.T) { ...@@ -97,7 +96,7 @@ func TestMiddlewareContext(t *testing.T) {
group := "grafana-core-team" group := "grafana-core-team"
req.Header.Add("X-WEBAUTH-GROUPS", group) req.Header.Add("X-WEBAUTH-GROUPS", group)
key := fmt.Sprintf(CachePrefix, base32.StdEncoding.EncodeToString([]byte(name+"-"+group))) key := fmt.Sprintf(CachePrefix, HashCacheKey(name+"-"+group))
err := store.Set(key, int64(33), 0) err := store.Set(key, int64(33), 0)
So(err, ShouldBeNil) So(err, ShouldBeNil)
...@@ -105,7 +104,7 @@ func TestMiddlewareContext(t *testing.T) { ...@@ -105,7 +104,7 @@ func TestMiddlewareContext(t *testing.T) {
id, err := auth.Login() id, err := auth.Login()
So(err, ShouldBeNil) So(err, ShouldBeNil)
So(auth.getKey(), ShouldEqual, "auth-proxy-sync-ttl:NVQXE23FNRXWOLLHOJQWMYLOMEWWG33SMUWXIZLBNU======") So(auth.getKey(), ShouldEqual, "auth-proxy-sync-ttl:14f69b7023baa0ac98c96b31cec07bc0")
So(id, ShouldEqual, 33) So(id, ShouldEqual, 33)
}) })
......
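Review bot: None of the updated cases exercises the condition this commit fixes: every key is built from the short `name` and `group` values, so a regression to a key whose length grows with the username would still pass. A case with a long username (several hundred characters, constructed in the test) would pin the fix by asserting that `len(auth.getKey())` stays constant and that `auth.Login()` still returns the cached id. The hard-coded digests in the `ShouldEqual` assertions also tie the tests to the hash choice; comparing against `fmt.Sprintf(CachePrefix, HashCacheKey(name))` keeps them valid if the hash is later changed. TestMiddlewareContext starts and ends outside the hunks shown.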
...@@ -2,7 +2,6 @@ package middleware ...@@ -2,7 +2,6 @@ package middleware
import ( import (
"context" "context"
"encoding/base32"
"errors" "errors"
"fmt" "fmt"
"net/http" "net/http"
...@@ -364,7 +363,7 @@ func TestMiddlewareContext(t *testing.T) { ...@@ -364,7 +363,7 @@ func TestMiddlewareContext(t *testing.T) {
return nil return nil
}) })
key := fmt.Sprintf(authproxy.CachePrefix, base32.StdEncoding.EncodeToString([]byte(name+"-"+group))) key := fmt.Sprintf(authproxy.CachePrefix, authproxy.HashCacheKey(name+"-"+group))
err := sc.remoteCacheService.Set(key, int64(33), 0) err := sc.remoteCacheService.Set(key, int64(33), 0)
So(err, ShouldBeNil) So(err, ShouldBeNil)
sc.fakeReq("GET", "/") sc.fakeReq("GET", "/")
......