Influxdata
/
influxdb
mirror of https://github.com/influxdata/influxdb.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
influxdb/server/auth.go

160 lines
4.2 KiB
Go
Raw Normal View History

Add new auth duration CLI option; add client heartbeat; fix logout (#1119) * User can now set oauth cookie session duration via the CLI to any duration or to expire on browser close * Refactor GET 'me' into heartbeat at constant interval * Add ping route to all routes * Add /chronograf/v1/ping endpoint for server status * Refactor cookie generation to use an interface * WIP adding refreshable tokens * Add reminder to review index.js Login error handling * Refactor Authenticator interface to accommodate cookie duration and logout delay * Update make run-dev to be more TICKStack compliant * Remove heartbeat/logout duration from authentication * WIP Refactor tests to accommodate cookie and auth refactor * Update oauth2 tests to newly refactored design * Update oauth provider tests * Remove unused oauth2/consts.go * Move authentication middleware to server package * Fix authentication comment * Update authenication documentation to mention AUTH_DURATION * Update /chronograf/v1/ping to simply return 204 * Fix Makefile run-dev target * Remove spurious ping route * Update auth docs to clarify authentication duration * Revert "Refactor GET 'me' into heartbeat at constant interval" This reverts commit 298a8c47e1431720d9bd97a9cb853744f04501a3. Conflicts: ui/src/index.js * Add auth test for JWT signing method * Add comments for why coverage isn't written for some areas of jwt code * Update auth docs to explicitly mention how to require re-auth for all users on server restart * Add Duration to Validation interface for Tokens * Make auth duration of zero yield a everlasting token * Revert "Revert "Refactor GET 'me' into heartbeat at constant interval"" This reverts commit b4773c15afe4fcd227ad88aa9d5686beb6b0a6cd. * Rename http status constants and add FORBIDDEN * Heartbeat only when logged in, notify user if heartbeat fails * Update changelog * Fix minor word semantics * Update oauth2 tests to be in the oauth2_test package * Add check at compile time that JWT implements Tokenizer * Rename CookieMux to AuthMux for consistency with earlier refactor * Fix logout middleware * Fix logout button not showing due to obsolete data shape expectations * Update changelog * Fix proptypes for logout button data shape in SideNav
2017-04-06 18:40:57 +00:00
package server
import (
"context"
"net/http"
Add organization field to principal in auth tests Signed-off-by: Jared Scheib <jared.scheib@gmail.com>
2017-10-27 20:19:43 +00:00
"strconv"
Add new auth duration CLI option; add client heartbeat; fix logout (#1119) * User can now set oauth cookie session duration via the CLI to any duration or to expire on browser close * Refactor GET 'me' into heartbeat at constant interval * Add ping route to all routes * Add /chronograf/v1/ping endpoint for server status * Refactor cookie generation to use an interface * WIP adding refreshable tokens * Add reminder to review index.js Login error handling * Refactor Authenticator interface to accommodate cookie duration and logout delay * Update make run-dev to be more TICKStack compliant * Remove heartbeat/logout duration from authentication * WIP Refactor tests to accommodate cookie and auth refactor * Update oauth2 tests to newly refactored design * Update oauth provider tests * Remove unused oauth2/consts.go * Move authentication middleware to server package * Fix authentication comment * Update authenication documentation to mention AUTH_DURATION * Update /chronograf/v1/ping to simply return 204 * Fix Makefile run-dev target * Remove spurious ping route * Update auth docs to clarify authentication duration * Revert "Refactor GET 'me' into heartbeat at constant interval" This reverts commit 298a8c47e1431720d9bd97a9cb853744f04501a3. Conflicts: ui/src/index.js * Add auth test for JWT signing method * Add comments for why coverage isn't written for some areas of jwt code * Update auth docs to explicitly mention how to require re-auth for all users on server restart * Add Duration to Validation interface for Tokens * Make auth duration of zero yield a everlasting token * Revert "Revert "Refactor GET 'me' into heartbeat at constant interval"" This reverts commit b4773c15afe4fcd227ad88aa9d5686beb6b0a6cd. * Rename http status constants and add FORBIDDEN * Heartbeat only when logged in, notify user if heartbeat fails * Update changelog * Fix minor word semantics * Update oauth2 tests to be in the oauth2_test package * Add check at compile time that JWT implements Tokenizer * Rename CookieMux to AuthMux for consistency with earlier refactor * Fix logout middleware * Fix logout button not showing due to obsolete data shape expectations * Update changelog * Fix proptypes for logout button data shape in SideNav
2017-04-06 18:40:57 +00:00
"github.com/influxdata/chronograf"
"github.com/influxdata/chronograf/oauth2"
)
// AuthorizedToken extracts the token and validates; if valid the next handler
// will be run. The principal will be sent to the next handler via the request's
// Context. It is up to the next handler to determine if the principal has access.
// On failure, will return http.StatusForbidden.
func AuthorizedToken(auth oauth2.Authenticator, logger chronograf.Logger, next http.Handler) http.HandlerFunc {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
log := logger.
Set Scheme to be OAuth2 explicitly for all users Add Provider to Users authenticated via /me Signed-off-by: Michael de Sa <mjdesa@gmail.com>
2017-10-19 18:17:40 +00:00
WithField("component", "token_auth").
Add new auth duration CLI option; add client heartbeat; fix logout (#1119) * User can now set oauth cookie session duration via the CLI to any duration or to expire on browser close * Refactor GET 'me' into heartbeat at constant interval * Add ping route to all routes * Add /chronograf/v1/ping endpoint for server status * Refactor cookie generation to use an interface * WIP adding refreshable tokens * Add reminder to review index.js Login error handling * Refactor Authenticator interface to accommodate cookie duration and logout delay * Update make run-dev to be more TICKStack compliant * Remove heartbeat/logout duration from authentication * WIP Refactor tests to accommodate cookie and auth refactor * Update oauth2 tests to newly refactored design * Update oauth provider tests * Remove unused oauth2/consts.go * Move authentication middleware to server package * Fix authentication comment * Update authenication documentation to mention AUTH_DURATION * Update /chronograf/v1/ping to simply return 204 * Fix Makefile run-dev target * Remove spurious ping route * Update auth docs to clarify authentication duration * Revert "Refactor GET 'me' into heartbeat at constant interval" This reverts commit 298a8c47e1431720d9bd97a9cb853744f04501a3. Conflicts: ui/src/index.js * Add auth test for JWT signing method * Add comments for why coverage isn't written for some areas of jwt code * Update auth docs to explicitly mention how to require re-auth for all users on server restart * Add Duration to Validation interface for Tokens * Make auth duration of zero yield a everlasting token * Revert "Revert "Refactor GET 'me' into heartbeat at constant interval"" This reverts commit b4773c15afe4fcd227ad88aa9d5686beb6b0a6cd. * Rename http status constants and add FORBIDDEN * Heartbeat only when logged in, notify user if heartbeat fails * Update changelog * Fix minor word semantics * Update oauth2 tests to be in the oauth2_test package * Add check at compile time that JWT implements Tokenizer * Rename CookieMux to AuthMux for consistency with earlier refactor * Fix logout middleware * Fix logout button not showing due to obsolete data shape expectations * Update changelog * Fix proptypes for logout button data shape in SideNav
2017-04-06 18:40:57 +00:00
WithField("remote_addr", r.RemoteAddr).
WithField("method", r.Method).
WithField("url", r.URL)
ctx := r.Context()
Update oauth2 Authenticator signatures to use extend
2017-04-17 16:49:45 +00:00
// We do not check the authorization of the principal. Those
Add new auth duration CLI option; add client heartbeat; fix logout (#1119) * User can now set oauth cookie session duration via the CLI to any duration or to expire on browser close * Refactor GET 'me' into heartbeat at constant interval * Add ping route to all routes * Add /chronograf/v1/ping endpoint for server status * Refactor cookie generation to use an interface * WIP adding refreshable tokens * Add reminder to review index.js Login error handling * Refactor Authenticator interface to accommodate cookie duration and logout delay * Update make run-dev to be more TICKStack compliant * Remove heartbeat/logout duration from authentication * WIP Refactor tests to accommodate cookie and auth refactor * Update oauth2 tests to newly refactored design * Update oauth provider tests * Remove unused oauth2/consts.go * Move authentication middleware to server package * Fix authentication comment * Update authenication documentation to mention AUTH_DURATION * Update /chronograf/v1/ping to simply return 204 * Fix Makefile run-dev target * Remove spurious ping route * Update auth docs to clarify authentication duration * Revert "Refactor GET 'me' into heartbeat at constant interval" This reverts commit 298a8c47e1431720d9bd97a9cb853744f04501a3. Conflicts: ui/src/index.js * Add auth test for JWT signing method * Add comments for why coverage isn't written for some areas of jwt code * Update auth docs to explicitly mention how to require re-auth for all users on server restart * Add Duration to Validation interface for Tokens * Make auth duration of zero yield a everlasting token * Revert "Revert "Refactor GET 'me' into heartbeat at constant interval"" This reverts commit b4773c15afe4fcd227ad88aa9d5686beb6b0a6cd. * Rename http status constants and add FORBIDDEN * Heartbeat only when logged in, notify user if heartbeat fails * Update changelog * Fix minor word semantics * Update oauth2 tests to be in the oauth2_test package * Add check at compile time that JWT implements Tokenizer * Rename CookieMux to AuthMux for consistency with earlier refactor * Fix logout middleware * Fix logout button not showing due to obsolete data shape expectations * Update changelog * Fix proptypes for logout button data shape in SideNav
2017-04-06 18:40:57 +00:00
// served further down the chain should do so.
Update oauth2 Authenticator signatures to use extend
2017-04-17 16:49:45 +00:00
principal, err := auth.Validate(ctx, r)
Add new auth duration CLI option; add client heartbeat; fix logout (#1119) * User can now set oauth cookie session duration via the CLI to any duration or to expire on browser close * Refactor GET 'me' into heartbeat at constant interval * Add ping route to all routes * Add /chronograf/v1/ping endpoint for server status * Refactor cookie generation to use an interface * WIP adding refreshable tokens * Add reminder to review index.js Login error handling * Refactor Authenticator interface to accommodate cookie duration and logout delay * Update make run-dev to be more TICKStack compliant * Remove heartbeat/logout duration from authentication * WIP Refactor tests to accommodate cookie and auth refactor * Update oauth2 tests to newly refactored design * Update oauth provider tests * Remove unused oauth2/consts.go * Move authentication middleware to server package * Fix authentication comment * Update authenication documentation to mention AUTH_DURATION * Update /chronograf/v1/ping to simply return 204 * Fix Makefile run-dev target * Remove spurious ping route * Update auth docs to clarify authentication duration * Revert "Refactor GET 'me' into heartbeat at constant interval" This reverts commit 298a8c47e1431720d9bd97a9cb853744f04501a3. Conflicts: ui/src/index.js * Add auth test for JWT signing method * Add comments for why coverage isn't written for some areas of jwt code * Update auth docs to explicitly mention how to require re-auth for all users on server restart * Add Duration to Validation interface for Tokens * Make auth duration of zero yield a everlasting token * Revert "Revert "Refactor GET 'me' into heartbeat at constant interval"" This reverts commit b4773c15afe4fcd227ad88aa9d5686beb6b0a6cd. * Rename http status constants and add FORBIDDEN * Heartbeat only when logged in, notify user if heartbeat fails * Update changelog * Fix minor word semantics * Update oauth2 tests to be in the oauth2_test package * Add check at compile time that JWT implements Tokenizer * Rename CookieMux to AuthMux for consistency with earlier refactor * Fix logout middleware * Fix logout button not showing due to obsolete data shape expectations * Update changelog * Fix proptypes for logout button data shape in SideNav
2017-04-06 18:40:57 +00:00
if err != nil {
log.Error("Invalid principal")
w.WriteHeader(http.StatusForbidden)
return
}
Update oauth2 Authenticator signatures to use extend
2017-04-17 16:49:45 +00:00
// If the principal is valid we will extend its lifespan
// into the future
principal, err = auth.Extend(ctx, w, principal)
if err != nil {
log.Error("Unable to extend principal")
w.WriteHeader(http.StatusForbidden)
return
}
Add new auth duration CLI option; add client heartbeat; fix logout (#1119) * User can now set oauth cookie session duration via the CLI to any duration or to expire on browser close * Refactor GET 'me' into heartbeat at constant interval * Add ping route to all routes * Add /chronograf/v1/ping endpoint for server status * Refactor cookie generation to use an interface * WIP adding refreshable tokens * Add reminder to review index.js Login error handling * Refactor Authenticator interface to accommodate cookie duration and logout delay * Update make run-dev to be more TICKStack compliant * Remove heartbeat/logout duration from authentication * WIP Refactor tests to accommodate cookie and auth refactor * Update oauth2 tests to newly refactored design * Update oauth provider tests * Remove unused oauth2/consts.go * Move authentication middleware to server package * Fix authentication comment * Update authenication documentation to mention AUTH_DURATION * Update /chronograf/v1/ping to simply return 204 * Fix Makefile run-dev target * Remove spurious ping route * Update auth docs to clarify authentication duration * Revert "Refactor GET 'me' into heartbeat at constant interval" This reverts commit 298a8c47e1431720d9bd97a9cb853744f04501a3. Conflicts: ui/src/index.js * Add auth test for JWT signing method * Add comments for why coverage isn't written for some areas of jwt code * Update auth docs to explicitly mention how to require re-auth for all users on server restart * Add Duration to Validation interface for Tokens * Make auth duration of zero yield a everlasting token * Revert "Revert "Refactor GET 'me' into heartbeat at constant interval"" This reverts commit b4773c15afe4fcd227ad88aa9d5686beb6b0a6cd. * Rename http status constants and add FORBIDDEN * Heartbeat only when logged in, notify user if heartbeat fails * Update changelog * Fix minor word semantics * Update oauth2 tests to be in the oauth2_test package * Add check at compile time that JWT implements Tokenizer * Rename CookieMux to AuthMux for consistency with earlier refactor * Fix logout middleware * Fix logout button not showing due to obsolete data shape expectations * Update changelog * Fix proptypes for logout button data shape in SideNav
2017-04-06 18:40:57 +00:00
// Send the principal to the next handler
ctx = context.WithValue(ctx, oauth2.PrincipalKey, principal)
next.ServeHTTP(w, r.WithContext(ctx))
return
})
}
Add AuthorizedUser middleware
2017-10-18 16:35:40 +00:00
Fix formating of server/auth.go
2017-10-19 16:54:06 +00:00
// AuthorizedUser extracts the user name and provider from context. If the
// user and provider can be found on the context, we look up the user by their
// name and provider. If the user is found, we verify that the user has at at
// least the role supplied.
func AuthorizedUser(
Refactor data stores into a common interface
2017-10-31 20:41:17 +00:00
store DataStore,
Fix formating of server/auth.go
2017-10-19 16:54:06 +00:00
useAuth bool,
role string,
logger chronograf.Logger,
next http.HandlerFunc,
) http.HandlerFunc {
Add AuthorizedUser middleware
2017-10-18 16:35:40 +00:00
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if !useAuth {
next(w, r)
return
}
log := logger.
WithField("component", "role_auth").
WithField("remote_addr", r.RemoteAddr).
WithField("method", r.Method).
WithField("url", r.URL)
ctx := r.Context()
Add organization field to principal in auth tests Signed-off-by: Jared Scheib <jared.scheib@gmail.com>
2017-10-27 20:19:43 +00:00
p, err := getValidPrincipal(ctx)
Add AuthorizedUser middleware
2017-10-18 16:35:40 +00:00
if err != nil {
Add organization field to principal in auth tests Signed-off-by: Jared Scheib <jared.scheib@gmail.com>
2017-10-27 20:19:43 +00:00
log.Error("Failed to retrieve principal from context")
Fix wrong authorization level on selected routes Fix leaking of username on failed authorization Add comment to chronograf.UserQuery Fix logic in hasPrivilege method
2017-10-18 19:45:06 +00:00
Error(w, http.StatusUnauthorized, "User is not authorized", logger)
Add AuthorizedUser middleware
2017-10-18 16:35:40 +00:00
return
}
Add organization field to principal in auth tests Signed-off-by: Jared Scheib <jared.scheib@gmail.com>
2017-10-27 20:19:43 +00:00
scheme, err := getScheme(ctx)
Add AuthorizedUser middleware
2017-10-18 16:35:40 +00:00
if err != nil {
Add organization field to principal in auth tests Signed-off-by: Jared Scheib <jared.scheib@gmail.com>
2017-10-27 20:19:43 +00:00
log.Error("Failed to retrieve scheme from context")
Fix wrong authorization level on selected routes Fix leaking of username on failed authorization Add comment to chronograf.UserQuery Fix logic in hasPrivilege method
2017-10-18 19:45:06 +00:00
Error(w, http.StatusUnauthorized, "User is not authorized", logger)
Add AuthorizedUser middleware
2017-10-18 16:35:40 +00:00
return
}
Add organization field to principal in auth tests Signed-off-by: Jared Scheib <jared.scheib@gmail.com>
2017-10-27 20:19:43 +00:00
if p.Organization == "" {
log.Error("Failed to retrieve organization from principal")
Error(w, http.StatusUnauthorized, "User is not authorized", logger)
return
}
// validate that the organization exists
orgID, err := strconv.ParseUint(p.Organization, 10, 64)
Set Scheme to be OAuth2 explicitly for all users Add Provider to Users authenticated via /me Signed-off-by: Michael de Sa <mjdesa@gmail.com>
2017-10-19 18:17:40 +00:00
if err != nil {
Add organization field to principal in auth tests Signed-off-by: Jared Scheib <jared.scheib@gmail.com>
2017-10-27 20:19:43 +00:00
log.Error("Failed to validate organization on context")
Error(w, http.StatusUnauthorized, "User is not authorized", logger)
return
}
Refactor data stores into a common interface
2017-10-31 20:41:17 +00:00
_, err = store.Organizations(ctx).Get(ctx, chronograf.OrganizationQuery{ID: &orgID})
Add organization field to principal in auth tests Signed-off-by: Jared Scheib <jared.scheib@gmail.com>
2017-10-27 20:19:43 +00:00
if err != nil {
log.Error("Failed to retrieve organization from organizations store")
Set Scheme to be OAuth2 explicitly for all users Add Provider to Users authenticated via /me Signed-off-by: Michael de Sa <mjdesa@gmail.com>
2017-10-19 18:17:40 +00:00
Error(w, http.StatusUnauthorized, "User is not authorized", logger)
return
}
Add AuthorizedUser middleware
2017-10-18 16:35:40 +00:00
Add organization field to principal in auth tests Signed-off-by: Jared Scheib <jared.scheib@gmail.com>
2017-10-27 20:19:43 +00:00
ctx = context.WithValue(ctx, "organizationID", p.Organization)
Refactor data stores into a common interface
2017-10-31 20:41:17 +00:00
u, err := store.Users(ctx).Get(ctx, chronograf.UserQuery{
Add organization field to principal in auth tests Signed-off-by: Jared Scheib <jared.scheib@gmail.com>
2017-10-27 20:19:43 +00:00
Name: &p.Subject,
Provider: &p.Issuer,
Set Scheme to be OAuth2 explicitly for all users Add Provider to Users authenticated via /me Signed-off-by: Michael de Sa <mjdesa@gmail.com>
2017-10-19 18:17:40 +00:00
Scheme: &scheme,
})
Add AuthorizedUser middleware
2017-10-18 16:35:40 +00:00
if err != nil {
Fix formating of server/auth.go
2017-10-19 16:54:06 +00:00
log.Error("Failed to retrieve user")
Fix wrong authorization level on selected routes Fix leaking of username on failed authorization Add comment to chronograf.UserQuery Fix logic in hasPrivilege method
2017-10-18 19:45:06 +00:00
Error(w, http.StatusUnauthorized, "User is not authorized", logger)
Add AuthorizedUser middleware
2017-10-18 16:35:40 +00:00
return
}
Fix formating of server/auth.go
2017-10-19 16:54:06 +00:00
if hasAuthorizedRole(u, role) {
Add AuthorizedUser middleware
2017-10-18 16:35:40 +00:00
next(w, r)
return
}
Fix wrong authorization level on selected routes Fix leaking of username on failed authorization Add comment to chronograf.UserQuery Fix logic in hasPrivilege method
2017-10-18 19:45:06 +00:00
Error(w, http.StatusUnauthorized, "User is not authorized", logger)
Add AuthorizedUser middleware
2017-10-18 16:35:40 +00:00
return
})
}
Fix formating of server/auth.go
2017-10-19 16:54:06 +00:00
func hasAuthorizedRole(u *chronograf.User, role string) bool {
Add AuthorizedUser middleware
2017-10-18 16:35:40 +00:00
if u == nil {
return false
}
switch role {
case ViewerRoleName:
for _, r := range u.Roles {
switch r.Name {
case ViewerRoleName, EditorRoleName, AdminRoleName:
return true
}
}
case EditorRoleName:
for _, r := range u.Roles {
switch r.Name {
case EditorRoleName, AdminRoleName:
return true
}
}
case AdminRoleName:
for _, r := range u.Roles {
switch r.Name {
case AdminRoleName:
return true
}
}
}
return false
}