Commit
9d536536
authored
Oct 12, 2017
by
Carl Bergquist
Committed by
GitHub
Oct 12, 2017
Merge pull request #9378 from mattbostock/verify_tls
Bugfix: Always verify TLS unless explicitly told otherwise
parents
45704d45
83f1ae4e
Showing
8 changed files
with
53 additions
and
36 deletions
+53
-36
pkg/api/app_routes.go
+16
-13
pkg/api/grafana_com_proxy.go
+1
-3
pkg/api/login_oauth.go
+16
-15
pkg/cmd/grafana-cli/main.go
+8
-2
pkg/cmd/grafana-cli/services/services.go
+4
-3
pkg/setting/setting.go
+6
-0
pkg/setting/setting_oauth.go
+1
-0
pkg/social/social.go
+1
-0
...
...
@@ -11,25 +11,28 @@ import (
"github.com/grafana/grafana/pkg/middleware"
m
"github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/plugins"
"github.com/grafana/grafana/pkg/setting"
"github.com/grafana/grafana/pkg/util"
macaron
"gopkg.in/macaron.v1"
)
var
pluginProxyTransport
=
&
http
.
Transport
{
TLSClientConfig
:
&
tls
.
Config
{
InsecureSkipVerify
:
true
,
Renegotiation
:
tls
.
RenegotiateFreelyAsClient
,
},
Proxy
:
http
.
ProxyFromEnvironment
,
Dial
:
(
&
net
.
Dialer
{
Timeout
:
30
*
time
.
Second
,
KeepAlive
:
30
*
time
.
Second
,
DualStack
:
true
,
})
.
Dial
,
TLSHandshakeTimeout
:
10
*
time
.
Second
,
}
var
pluginProxyTransport
*
http
.
Transport
func
InitAppPluginRoutes
(
r
*
macaron
.
Macaron
)
{
pluginProxyTransport
=
&
http
.
Transport
{
TLSClientConfig
:
&
tls
.
Config
{
InsecureSkipVerify
:
setting
.
PluginAppsSkipVerifyTLS
,
Renegotiation
:
tls
.
RenegotiateFreelyAsClient
,
},
Proxy
:
http
.
ProxyFromEnvironment
,
Dial
:
(
&
net
.
Dialer
{
Timeout
:
30
*
time
.
Second
,
KeepAlive
:
30
*
time
.
Second
,
DualStack
:
true
,
})
.
Dial
,
TLSHandshakeTimeout
:
10
*
time
.
Second
,
}
for
_
,
plugin
:=
range
plugins
.
Apps
{
for
_
,
route
:=
range
plugin
.
Routes
{
url
:=
util
.
JoinUrlFragments
(
"/api/plugin-proxy/"
+
plugin
.
Id
,
route
.
Path
)
...
...
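Review bot: `pluginProxyTransport` is now a package-level `*http.Transport` that stays nil until `InitAppPluginRoutes` runs, and nothing at the declaration says so or explains why construction moved into the function; a comment such as `// pluginProxyTransport is built in InitAppPluginRoutes, after settings are loaded, so that setting.PluginAppsSkipVerifyTLS is honoured; it is nil before then.` would make the ordering dependency explicit. When the option is enabled, every app plugin route silently proxies without certificate verification, so logging a warning at construction time when `setting.PluginAppsSkipVerifyTLS` is true gives operators a visible signal that the insecure mode is active. The body of `InitAppPluginRoutes` continues outside the hunk.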
pkg/api/grafana_com_proxy.go
package
api
import
(
"crypto/tls"
"net"
"net/http"
"net/http/httputil"
...
...
@@ -14,8 +13,7 @@ import (
)
var
grafanaComProxyTransport
=
&
http
.
Transport
{
TLSClientConfig
:
&
tls
.
Config
{
InsecureSkipVerify
:
false
},
Proxy
:
http
.
ProxyFromEnvironment
,
Proxy
:
http
.
ProxyFromEnvironment
,
Dial
:
(
&
net
.
Dialer
{
Timeout
:
30
*
time
.
Second
,
KeepAlive
:
30
*
time
.
Second
,
...
...
pkg/api/login_oauth.go
...
...
@@ -78,16 +78,25 @@ func OAuthLogin(ctx *middleware.Context) {
}
// handle call back
tr
:=
&
http
.
Transport
{
TLSClientConfig
:
&
tls
.
Config
{
InsecureSkipVerify
:
setting
.
OAuthService
.
OAuthInfos
[
name
]
.
TlsSkipVerify
,
},
}
oauthClient
:=
&
http
.
Client
{
Transport
:
tr
,
}
// initialize oauth2 context
oauthCtx
:=
oauth2
.
NoContext
if
setting
.
OAuthService
.
OAuthInfos
[
name
]
.
TlsClientCert
!=
""
{
if
setting
.
OAuthService
.
OAuthInfos
[
name
]
.
TlsClientCert
!=
""
||
setting
.
OAuthService
.
OAuthInfos
[
name
]
.
TlsClientKey
!=
""
{
cert
,
err
:=
tls
.
LoadX509KeyPair
(
setting
.
OAuthService
.
OAuthInfos
[
name
]
.
TlsClientCert
,
setting
.
OAuthService
.
OAuthInfos
[
name
]
.
TlsClientKey
)
if
err
!=
nil
{
log
.
Fatal
(
err
)
}
// Load CA cert
tr
.
TLSClientConfig
.
Certificates
=
append
(
tr
.
TLSClientConfig
.
Certificates
,
cert
)
}
if
setting
.
OAuthService
.
OAuthInfos
[
name
]
.
TlsClientCa
!=
""
{
caCert
,
err
:=
ioutil
.
ReadFile
(
setting
.
OAuthService
.
OAuthInfos
[
name
]
.
TlsClientCa
)
if
err
!=
nil
{
log
.
Fatal
(
err
)
...
...
@@ -95,19 +104,11 @@ func OAuthLogin(ctx *middleware.Context) {
caCertPool
:=
x509
.
NewCertPool
()
caCertPool
.
AppendCertsFromPEM
(
caCert
)
tr
:=
&
http
.
Transport
{
TLSClientConfig
:
&
tls
.
Config
{
InsecureSkipVerify
:
true
,
Certificates
:
[]
tls
.
Certificate
{
cert
},
RootCAs
:
caCertPool
,
},
}
sslcli
:=
&
http
.
Client
{
Transport
:
tr
}
oauthCtx
=
context
.
Background
()
oauthCtx
=
context
.
WithValue
(
oauthCtx
,
oauth2
.
HTTPClient
,
sslcli
)
tr
.
TLSClientConfig
.
RootCAs
=
caCertPool
}
oauthCtx
:=
context
.
WithValue
(
context
.
Background
(),
oauth2
.
HTTPClient
,
oauthClient
)
// get token from provider
token
,
err
:=
connect
.
Exchange
(
oauthCtx
,
code
)
if
err
!=
nil
{
...
...
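Review bot: In the rewritten certificate branch, a failure of `tls.LoadX509KeyPair` (and, just below, of `ioutil.ReadFile` for the CA file) is still handled with `log.Fatal(err)`, which terminates the whole server from inside a login request; the commit also widens the guard to `TlsClientCert != "" || TlsClientKey != ""`, so a configuration with only one of the two set now reaches that exit on the first OAuth login. Returning a 500 through the context the way the handler does for its other failures, e.g. `ctx.Handle(500, "login.OAuthLogin(LoadX509KeyPair)", err)` followed by `return`, keeps a misconfiguration from taking the process down. The transport, key pair and CA pool are also rebuilt on every request; building them once when the OAuth service is initialised would avoid re-reading key material per login. `OAuthLogin` starts and ends outside the hunk.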
pkg/cmd/grafana-cli/main.go
...
...
@@ -17,8 +17,6 @@ var version = "master"
func
main
()
{
setupLogging
()
services
.
Init
(
version
)
app
:=
cli
.
NewApp
()
app
.
Name
=
"Grafana cli"
app
.
Usage
=
""
...
...
@@ -45,11 +43,19 @@ func main() {
EnvVar
:
"GF_PLUGIN_URL"
,
},
cli
.
BoolFlag
{
Name
:
"insecure"
,
Usage
:
"Skip TLS verification (insecure)"
,
},
cli
.
BoolFlag
{
Name
:
"debug, d"
,
Usage
:
"enable debug logging"
,
},
}
app
.
Before
=
func
(
c
*
cli
.
Context
)
error
{
services
.
Init
(
version
,
c
.
GlobalBool
(
"insecure"
))
return
nil
}
app
.
Commands
=
commands
.
Commands
app
.
CommandNotFound
=
cmdNotFound
...
...
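Review bot: The `--insecure` flag disables certificate verification for every request grafana-cli makes, but nothing tells the user it is in effect; `app.Before` is the natural place to emit a warning when `c.GlobalBool("insecure")` is true, before `services.Init` is called. A one-line comment on the hook, `// Before runs before every command, so the HTTP client is configured only after the global flags are parsed.`, would also explain why the `services.Init(version)` call was moved out of `main`. The rest of `main` lies outside the hunk.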
pkg/cmd/grafana-cli/services/services.go
...
...
@@ -22,7 +22,7 @@ var (
grafanaVersion
string
)
func
Init
(
version
string
)
{
func
Init
(
version
string
,
skipTLSVerify
bool
)
{
grafanaVersion
=
version
tr
:=
&
http
.
Transport
{
...
...
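Review bot: `Init` is exported and gains a parameter that switches off certificate verification, yet it has no doc comment; add `// Init configures the package-level HttpClient. skipTLSVerify disables TLS certificate verification for all requests and should only be set on explicit user request.` The new `tls.Config` sets no `MinVersion`, so the client accepts whatever minimum the Go runtime allows; pinning it (for example `MinVersion: tls.VersionTLS12`) would be a small hardening in the same spirit as this commit. The remainder of `Init` is outside the hunk.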
@@ -36,8 +36,9 @@ func Init(version string) {
IdleConnTimeout
:
90
*
time
.
Second
,
TLSHandshakeTimeout
:
10
*
time
.
Second
,
ExpectContinueTimeout
:
1
*
time
.
Second
,
TLSClientConfig
:
&
tls
.
Config
{
InsecureSkipVerify
:
false
},
TLSClientConfig
:
&
tls
.
Config
{
InsecureSkipVerify
:
skipTLSVerify
,
},
}
HttpClient
=
http
.
Client
{
...
...
pkg/setting/setting.go
...
...
@@ -122,6 +122,9 @@ var (
// Basic Auth
BasicAuthEnabled
bool
// Plugin settings
PluginAppsSkipVerifyTLS
bool
// Session settings.
SessionOptions
session
.
Options
...
...
@@ -560,6 +563,9 @@ func NewConfigContext(args *CommandLineArgs) error {
authBasic
:=
Cfg
.
Section
(
"auth.basic"
)
BasicAuthEnabled
=
authBasic
.
Key
(
"enabled"
)
.
MustBool
(
true
)
// global plugin settings
PluginAppsSkipVerifyTLS
=
Cfg
.
Section
(
"plugins"
)
.
Key
(
"app_tls_skip_verify_insecure"
)
.
MustBool
(
false
)
// PhantomJS rendering
ImagesDir
=
filepath
.
Join
(
DataPath
,
"png"
)
PhantomDir
=
filepath
.
Join
(
HomePath
,
"vendor/phantomjs"
)
...
...
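Review bot: `PluginAppsSkipVerifyTLS` is a new exported setting with only the heading `// Plugin settings` above it; a comment naming the ini key and its effect, `// PluginAppsSkipVerifyTLS mirrors [plugins] app_tls_skip_verify_insecure and, when true, disables TLS certificate verification for app plugin proxy requests (default false).`, keeps the variable and the key read in `NewConfigContext` traceable to each other. The second hunk reads the key with `MustBool(false)`, so an absent key keeps verification on; whether the key is also documented in the shipped defaults ini cannot be seen from this page.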
pkg/setting/setting_oauth.go
...
...
@@ -13,6 +13,7 @@ type OAuthInfo struct {
TlsClientCert
string
TlsClientKey
string
TlsClientCa
string
TlsSkipVerify
bool
}
type
OAuther
struct
{
...
...
pkg/social/social.go
...
...
@@ -66,6 +66,7 @@ func NewOAuthService() {
TlsClientCert
:
sec
.
Key
(
"tls_client_cert"
)
.
String
(),
TlsClientKey
:
sec
.
Key
(
"tls_client_key"
)
.
String
(),
TlsClientCa
:
sec
.
Key
(
"tls_client_ca"
)
.
String
(),
TlsSkipVerify
:
sec
.
Key
(
"tls_skip_verify_insecure"
)
.
MustBool
(),
}
if
!
info
.
Enabled
{
...
...
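Review bot: `TlsSkipVerify` is read with a bare `MustBool()`, while the equivalent plugin key added in setting.go uses `MustBool(false)`; spelling it as `sec.Key("tls_skip_verify_insecure").MustBool(false)` keeps the two call sites consistent and makes the safe default visible where the key is read. `NewOAuthService` starts and continues outside the hunk.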