Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
N
nexpie-grafana-theme
Overview
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Registry
Registry
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Kornkitt Poolsup
nexpie-grafana-theme
Commits
8af5da73
Unverified
Commit
8af5da73
authored
Jun 28, 2018
by
Marcus Efraimsson
Committed by
GitHub
Jun 28, 2018
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Revert "auth proxy: use real ip when validating white listed ip's"
parent
7a2be69a
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
8 additions
and
67 deletions
+8
-67
pkg/middleware/auth_proxy.go
+8
-12
pkg/middleware/middleware_test.go
+0
-55
No files found.
pkg/middleware/auth_proxy.go
View file @
8af5da73
...
@@ -2,6 +2,7 @@ package middleware
...
@@ -2,6 +2,7 @@ package middleware
import
(
import
(
"fmt"
"fmt"
"net"
"net/mail"
"net/mail"
"reflect"
"reflect"
"strings"
"strings"
...
@@ -28,7 +29,7 @@ func initContextWithAuthProxy(ctx *m.ReqContext, orgID int64) bool {
...
@@ -28,7 +29,7 @@ func initContextWithAuthProxy(ctx *m.ReqContext, orgID int64) bool {
}
}
// if auth proxy ip(s) defined, check if request comes from one of those
// if auth proxy ip(s) defined, check if request comes from one of those
if
err
:=
checkAuthenticationProxy
(
ctx
.
Re
moteAddr
()
,
proxyHeaderValue
);
err
!=
nil
{
if
err
:=
checkAuthenticationProxy
(
ctx
.
Re
q
.
RemoteAddr
,
proxyHeaderValue
);
err
!=
nil
{
ctx
.
Handle
(
407
,
"Proxy authentication required"
,
err
)
ctx
.
Handle
(
407
,
"Proxy authentication required"
,
err
)
return
true
return
true
}
}
...
@@ -196,23 +197,18 @@ func checkAuthenticationProxy(remoteAddr string, proxyHeaderValue string) error
...
@@ -196,23 +197,18 @@ func checkAuthenticationProxy(remoteAddr string, proxyHeaderValue string) error
return
nil
return
nil
}
}
// Multiple ip addresses? Right-most IP address is the IP address of the most recent proxy
if
strings
.
Contains
(
remoteAddr
,
","
)
{
sourceIPs
:=
strings
.
Split
(
remoteAddr
,
","
)
remoteAddr
=
strings
.
TrimSpace
(
sourceIPs
[
len
(
sourceIPs
)
-
1
])
}
remoteAddr
=
strings
.
TrimPrefix
(
remoteAddr
,
"["
)
remoteAddr
=
strings
.
TrimSuffix
(
remoteAddr
,
"]"
)
proxies
:=
strings
.
Split
(
setting
.
AuthProxyWhitelist
,
","
)
proxies
:=
strings
.
Split
(
setting
.
AuthProxyWhitelist
,
","
)
sourceIP
,
_
,
err
:=
net
.
SplitHostPort
(
remoteAddr
)
if
err
!=
nil
{
return
err
}
// Compare allowed IP addresses to actual address
// Compare allowed IP addresses to actual address
for
_
,
proxyIP
:=
range
proxies
{
for
_
,
proxyIP
:=
range
proxies
{
if
remoteAddr
==
strings
.
TrimSpace
(
proxyIP
)
{
if
sourceIP
==
strings
.
TrimSpace
(
proxyIP
)
{
return
nil
return
nil
}
}
}
}
return
fmt
.
Errorf
(
"Request for user (%s) from %s is not from the authentication proxy"
,
proxyHeaderValue
,
remoteAddr
)
return
fmt
.
Errorf
(
"Request for user (%s) from %s is not from the authentication proxy"
,
proxyHeaderValue
,
sourceIP
)
}
}
pkg/middleware/middleware_test.go
View file @
8af5da73
...
@@ -315,61 +315,6 @@ func TestMiddlewareContext(t *testing.T) {
...
@@ -315,61 +315,6 @@ func TestMiddlewareContext(t *testing.T) {
})
})
})
})
middlewareScenario
(
"When auth_proxy is enabled and request has X-Forwarded-For that is not trusted"
,
func
(
sc
*
scenarioContext
)
{
setting
.
AuthProxyEnabled
=
true
setting
.
AuthProxyHeaderName
=
"X-WEBAUTH-USER"
setting
.
AuthProxyHeaderProperty
=
"username"
setting
.
AuthProxyWhitelist
=
"192.168.1.1, 2001::23"
bus
.
AddHandler
(
"test"
,
func
(
query
*
m
.
GetSignedInUserQuery
)
error
{
query
.
Result
=
&
m
.
SignedInUser
{
OrgId
:
4
,
UserId
:
33
}
return
nil
})
bus
.
AddHandler
(
"test"
,
func
(
cmd
*
m
.
UpsertUserCommand
)
error
{
cmd
.
Result
=
&
m
.
User
{
Id
:
33
}
return
nil
})
sc
.
fakeReq
(
"GET"
,
"/"
)
sc
.
req
.
Header
.
Add
(
"X-WEBAUTH-USER"
,
"torkelo"
)
sc
.
req
.
Header
.
Add
(
"X-Forwarded-For"
,
"client-ip, 192.168.1.1, 192.168.1.2"
)
sc
.
exec
()
Convey
(
"should return 407 status code"
,
func
()
{
So
(
sc
.
resp
.
Code
,
ShouldEqual
,
407
)
So
(
sc
.
resp
.
Body
.
String
(),
ShouldContainSubstring
,
"Request for user (torkelo) from 192.168.1.2 is not from the authentication proxy"
)
})
})
middlewareScenario
(
"When auth_proxy is enabled and request has X-Forwarded-For that is trusted"
,
func
(
sc
*
scenarioContext
)
{
setting
.
AuthProxyEnabled
=
true
setting
.
AuthProxyHeaderName
=
"X-WEBAUTH-USER"
setting
.
AuthProxyHeaderProperty
=
"username"
setting
.
AuthProxyWhitelist
=
"192.168.1.1, 2001::23"
bus
.
AddHandler
(
"test"
,
func
(
query
*
m
.
GetSignedInUserQuery
)
error
{
query
.
Result
=
&
m
.
SignedInUser
{
OrgId
:
4
,
UserId
:
33
}
return
nil
})
bus
.
AddHandler
(
"test"
,
func
(
cmd
*
m
.
UpsertUserCommand
)
error
{
cmd
.
Result
=
&
m
.
User
{
Id
:
33
}
return
nil
})
sc
.
fakeReq
(
"GET"
,
"/"
)
sc
.
req
.
Header
.
Add
(
"X-WEBAUTH-USER"
,
"torkelo"
)
sc
.
req
.
Header
.
Add
(
"X-Forwarded-For"
,
"client-ip, 192.168.1.2, 192.168.1.1"
)
sc
.
exec
()
Convey
(
"Should init context with user info"
,
func
()
{
So
(
sc
.
context
.
IsSignedIn
,
ShouldBeTrue
)
So
(
sc
.
context
.
UserId
,
ShouldEqual
,
33
)
So
(
sc
.
context
.
OrgId
,
ShouldEqual
,
4
)
})
})
middlewareScenario
(
"When session exists for previous user, create a new session"
,
func
(
sc
*
scenarioContext
)
{
middlewareScenario
(
"When session exists for previous user, create a new session"
,
func
(
sc
*
scenarioContext
)
{
setting
.
AuthProxyEnabled
=
true
setting
.
AuthProxyEnabled
=
true
setting
.
AuthProxyHeaderName
=
"X-WEBAUTH-USER"
setting
.
AuthProxyHeaderName
=
"X-WEBAUTH-USER"
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment