influxdb/server/auth.go

package server

import (
	"context"
	"fmt"
	"net/http"

	"github.com/influxdata/chronograf"
	"github.com/influxdata/chronograf/oauth2"
)

// AuthorizedToken extracts the token and validates; if valid the next handler
// will be run.  The principal will be sent to the next handler via the request's
// Context.  It is up to the next handler to determine if the principal has access.
// On failure, will return http.StatusForbidden.
func AuthorizedToken(auth oauth2.Authenticator, logger chronograf.Logger, next http.Handler) http.HandlerFunc {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		log := logger.
			WithField("component", "auth").
			WithField("remote_addr", r.RemoteAddr).
			WithField("method", r.Method).
			WithField("url", r.URL)

		ctx := r.Context()
		// We do not check the authorization of the principal.  Those
		// served further down the chain should do so.
		principal, err := auth.Validate(ctx, r)
		if err != nil {
			log.Error("Invalid principal")
			w.WriteHeader(http.StatusForbidden)
			return
		}

		// If the principal is valid we will extend its lifespan
		// into the future
		principal, err = auth.Extend(ctx, w, principal)
		if err != nil {
			log.Error("Unable to extend principal")
			w.WriteHeader(http.StatusForbidden)
			return
		}

		// Send the principal to the next handler
		ctx = context.WithValue(ctx, oauth2.PrincipalKey, principal)
		next.ServeHTTP(w, r.WithContext(ctx))
		return
	})
}

func AuthorizedUser(store chronograf.UsersStore, useAuth bool, role string, logger chronograf.Logger, next http.HandlerFunc) http.HandlerFunc {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !useAuth {
			next(w, r)
			return
		}

		log := logger.
			WithField("component", "role_auth").
			WithField("remote_addr", r.RemoteAddr).
			WithField("method", r.Method).
			WithField("url", r.URL)

		ctx := r.Context()

		username, err := getUsername(ctx)
		if err != nil {
			log.Error("Failed to retrieve username from context")
			Error(w, http.StatusUnauthorized, fmt.Sprintf("User is not authorized"), logger)
			return
		}
		provider, err := getProvider(ctx)
		if err != nil {
			log.Error("Failed to retrieve provider from context")
			Error(w, http.StatusUnauthorized, fmt.Sprintf("User %s is not authorized", username), logger)
			return
		}

		u, err := getUserBy(store, ctx, username, provider)
		if err != nil {
			log.Error("Error to retrieving user")
			Error(w, http.StatusUnauthorized, fmt.Sprintf("User %s is not authorized", username), logger)
			return
		}

		if u == nil {
			log.Error("User not found")
			Error(w, http.StatusNotFound, fmt.Sprintf("User with name %s and provider %s not found", username, provider), logger)
			return
		}

		if hasPrivelege(u, role) {
			next(w, r)
			return
		}

		Error(w, http.StatusUnauthorized, fmt.Sprintf("User %s is not authorized", username), logger)
		return

	})
}

func hasPrivelege(u *chronograf.User, role string) bool {
	if u == nil {
		return false
	}

	switch role {
	case ViewerRoleName:
		for _, r := range u.Roles {
			switch r.Name {
			case ViewerRoleName, EditorRoleName, AdminRoleName:
				return true
			default:
				return false
			}
		}
	case EditorRoleName:
		for _, r := range u.Roles {
			switch r.Name {
			case EditorRoleName, AdminRoleName:
				return true
			default:
				return false
			}
		}
	case AdminRoleName:
		for _, r := range u.Roles {
			switch r.Name {
			case AdminRoleName:
				return true
			default:
				return false
			}
		}
	default:
		return false
	}

	return false
}
Add new auth duration CLI option; add client heartbeat; fix logout (#1119) * User can now set oauth cookie session duration via the CLI to any duration or to expire on browser close * Refactor GET 'me' into heartbeat at constant interval * Add ping route to all routes * Add /chronograf/v1/ping endpoint for server status * Refactor cookie generation to use an interface * WIP adding refreshable tokens * Add reminder to review index.js Login error handling * Refactor Authenticator interface to accommodate cookie duration and logout delay * Update make run-dev to be more TICKStack compliant * Remove heartbeat/logout duration from authentication * WIP Refactor tests to accommodate cookie and auth refactor * Update oauth2 tests to newly refactored design * Update oauth provider tests * Remove unused oauth2/consts.go * Move authentication middleware to server package * Fix authentication comment * Update authenication documentation to mention AUTH_DURATION * Update /chronograf/v1/ping to simply return 204 * Fix Makefile run-dev target * Remove spurious ping route * Update auth docs to clarify authentication duration * Revert "Refactor GET 'me' into heartbeat at constant interval" This reverts commit 298a8c47e1431720d9bd97a9cb853744f04501a3. Conflicts: ui/src/index.js * Add auth test for JWT signing method * Add comments for why coverage isn't written for some areas of jwt code * Update auth docs to explicitly mention how to require re-auth for all users on server restart * Add Duration to Validation interface for Tokens * Make auth duration of zero yield a everlasting token * Revert "Revert "Refactor GET 'me' into heartbeat at constant interval"" This reverts commit b4773c15afe4fcd227ad88aa9d5686beb6b0a6cd. * Rename http status constants and add FORBIDDEN * Heartbeat only when logged in, notify user if heartbeat fails * Update changelog * Fix minor word semantics * Update oauth2 tests to be in the oauth2_test package * Add check at compile time that JWT implements Tokenizer * Rename CookieMux to AuthMux for consistency with earlier refactor * Fix logout middleware * Fix logout button not showing due to obsolete data shape expectations * Update changelog * Fix proptypes for logout button data shape in SideNav 2017-04-06 18:40:57 +00:00			`package server`

			`import (`
			`"context"`
Add AuthorizedUser middleware 2017-10-18 16:35:40 +00:00			`"fmt"`
Add new auth duration CLI option; add client heartbeat; fix logout (#1119) * User can now set oauth cookie session duration via the CLI to any duration or to expire on browser close * Refactor GET 'me' into heartbeat at constant interval * Add ping route to all routes * Add /chronograf/v1/ping endpoint for server status * Refactor cookie generation to use an interface * WIP adding refreshable tokens * Add reminder to review index.js Login error handling * Refactor Authenticator interface to accommodate cookie duration and logout delay * Update make run-dev to be more TICKStack compliant * Remove heartbeat/logout duration from authentication * WIP Refactor tests to accommodate cookie and auth refactor * Update oauth2 tests to newly refactored design * Update oauth provider tests * Remove unused oauth2/consts.go * Move authentication middleware to server package * Fix authentication comment * Update authenication documentation to mention AUTH_DURATION * Update /chronograf/v1/ping to simply return 204 * Fix Makefile run-dev target * Remove spurious ping route * Update auth docs to clarify authentication duration * Revert "Refactor GET 'me' into heartbeat at constant interval" This reverts commit 298a8c47e1431720d9bd97a9cb853744f04501a3. Conflicts: ui/src/index.js * Add auth test for JWT signing method * Add comments for why coverage isn't written for some areas of jwt code * Update auth docs to explicitly mention how to require re-auth for all users on server restart * Add Duration to Validation interface for Tokens * Make auth duration of zero yield a everlasting token * Revert "Revert "Refactor GET 'me' into heartbeat at constant interval"" This reverts commit b4773c15afe4fcd227ad88aa9d5686beb6b0a6cd. * Rename http status constants and add FORBIDDEN * Heartbeat only when logged in, notify user if heartbeat fails * Update changelog * Fix minor word semantics * Update oauth2 tests to be in the oauth2_test package * Add check at compile time that JWT implements Tokenizer * Rename CookieMux to AuthMux for consistency with earlier refactor * Fix logout middleware * Fix logout button not showing due to obsolete data shape expectations * Update changelog * Fix proptypes for logout button data shape in SideNav 2017-04-06 18:40:57 +00:00			`"net/http"`

			`"github.com/influxdata/chronograf"`
			`"github.com/influxdata/chronograf/oauth2"`
			`)`

			`// AuthorizedToken extracts the token and validates; if valid the next handler`
			`// will be run. The principal will be sent to the next handler via the request's`
			`// Context. It is up to the next handler to determine if the principal has access.`
			`// On failure, will return http.StatusForbidden.`
			`func AuthorizedToken(auth oauth2.Authenticator, logger chronograf.Logger, next http.Handler) http.HandlerFunc {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`log := logger.`
			`WithField("component", "auth").`
			`WithField("remote_addr", r.RemoteAddr).`
			`WithField("method", r.Method).`
			`WithField("url", r.URL)`

			`ctx := r.Context()`
Update oauth2 Authenticator signatures to use extend 2017-04-17 16:49:45 +00:00			`// We do not check the authorization of the principal. Those`
Add new auth duration CLI option; add client heartbeat; fix logout (#1119) * User can now set oauth cookie session duration via the CLI to any duration or to expire on browser close * Refactor GET 'me' into heartbeat at constant interval * Add ping route to all routes * Add /chronograf/v1/ping endpoint for server status * Refactor cookie generation to use an interface * WIP adding refreshable tokens * Add reminder to review index.js Login error handling * Refactor Authenticator interface to accommodate cookie duration and logout delay * Update make run-dev to be more TICKStack compliant * Remove heartbeat/logout duration from authentication * WIP Refactor tests to accommodate cookie and auth refactor * Update oauth2 tests to newly refactored design * Update oauth provider tests * Remove unused oauth2/consts.go * Move authentication middleware to server package * Fix authentication comment * Update authenication documentation to mention AUTH_DURATION * Update /chronograf/v1/ping to simply return 204 * Fix Makefile run-dev target * Remove spurious ping route * Update auth docs to clarify authentication duration * Revert "Refactor GET 'me' into heartbeat at constant interval" This reverts commit 298a8c47e1431720d9bd97a9cb853744f04501a3. Conflicts: ui/src/index.js * Add auth test for JWT signing method * Add comments for why coverage isn't written for some areas of jwt code * Update auth docs to explicitly mention how to require re-auth for all users on server restart * Add Duration to Validation interface for Tokens * Make auth duration of zero yield a everlasting token * Revert "Revert "Refactor GET 'me' into heartbeat at constant interval"" This reverts commit b4773c15afe4fcd227ad88aa9d5686beb6b0a6cd. * Rename http status constants and add FORBIDDEN * Heartbeat only when logged in, notify user if heartbeat fails * Update changelog * Fix minor word semantics * Update oauth2 tests to be in the oauth2_test package * Add check at compile time that JWT implements Tokenizer * Rename CookieMux to AuthMux for consistency with earlier refactor * Fix logout middleware * Fix logout button not showing due to obsolete data shape expectations * Update changelog * Fix proptypes for logout button data shape in SideNav 2017-04-06 18:40:57 +00:00			`// served further down the chain should do so.`
Update oauth2 Authenticator signatures to use extend 2017-04-17 16:49:45 +00:00			`principal, err := auth.Validate(ctx, r)`
Add new auth duration CLI option; add client heartbeat; fix logout (#1119) * User can now set oauth cookie session duration via the CLI to any duration or to expire on browser close * Refactor GET 'me' into heartbeat at constant interval * Add ping route to all routes * Add /chronograf/v1/ping endpoint for server status * Refactor cookie generation to use an interface * WIP adding refreshable tokens * Add reminder to review index.js Login error handling * Refactor Authenticator interface to accommodate cookie duration and logout delay * Update make run-dev to be more TICKStack compliant * Remove heartbeat/logout duration from authentication * WIP Refactor tests to accommodate cookie and auth refactor * Update oauth2 tests to newly refactored design * Update oauth provider tests * Remove unused oauth2/consts.go * Move authentication middleware to server package * Fix authentication comment * Update authenication documentation to mention AUTH_DURATION * Update /chronograf/v1/ping to simply return 204 * Fix Makefile run-dev target * Remove spurious ping route * Update auth docs to clarify authentication duration * Revert "Refactor GET 'me' into heartbeat at constant interval" This reverts commit 298a8c47e1431720d9bd97a9cb853744f04501a3. Conflicts: ui/src/index.js * Add auth test for JWT signing method * Add comments for why coverage isn't written for some areas of jwt code * Update auth docs to explicitly mention how to require re-auth for all users on server restart * Add Duration to Validation interface for Tokens * Make auth duration of zero yield a everlasting token * Revert "Revert "Refactor GET 'me' into heartbeat at constant interval"" This reverts commit b4773c15afe4fcd227ad88aa9d5686beb6b0a6cd. * Rename http status constants and add FORBIDDEN * Heartbeat only when logged in, notify user if heartbeat fails * Update changelog * Fix minor word semantics * Update oauth2 tests to be in the oauth2_test package * Add check at compile time that JWT implements Tokenizer * Rename CookieMux to AuthMux for consistency with earlier refactor * Fix logout middleware * Fix logout button not showing due to obsolete data shape expectations * Update changelog * Fix proptypes for logout button data shape in SideNav 2017-04-06 18:40:57 +00:00			`if err != nil {`
			`log.Error("Invalid principal")`
			`w.WriteHeader(http.StatusForbidden)`
			`return`
			`}`

Update oauth2 Authenticator signatures to use extend 2017-04-17 16:49:45 +00:00			`// If the principal is valid we will extend its lifespan`
			`// into the future`
			`principal, err = auth.Extend(ctx, w, principal)`
			`if err != nil {`
			`log.Error("Unable to extend principal")`
			`w.WriteHeader(http.StatusForbidden)`
			`return`
			`}`

Add new auth duration CLI option; add client heartbeat; fix logout (#1119) * User can now set oauth cookie session duration via the CLI to any duration or to expire on browser close * Refactor GET 'me' into heartbeat at constant interval * Add ping route to all routes * Add /chronograf/v1/ping endpoint for server status * Refactor cookie generation to use an interface * WIP adding refreshable tokens * Add reminder to review index.js Login error handling * Refactor Authenticator interface to accommodate cookie duration and logout delay * Update make run-dev to be more TICKStack compliant * Remove heartbeat/logout duration from authentication * WIP Refactor tests to accommodate cookie and auth refactor * Update oauth2 tests to newly refactored design * Update oauth provider tests * Remove unused oauth2/consts.go * Move authentication middleware to server package * Fix authentication comment * Update authenication documentation to mention AUTH_DURATION * Update /chronograf/v1/ping to simply return 204 * Fix Makefile run-dev target * Remove spurious ping route * Update auth docs to clarify authentication duration * Revert "Refactor GET 'me' into heartbeat at constant interval" This reverts commit 298a8c47e1431720d9bd97a9cb853744f04501a3. Conflicts: ui/src/index.js * Add auth test for JWT signing method * Add comments for why coverage isn't written for some areas of jwt code * Update auth docs to explicitly mention how to require re-auth for all users on server restart * Add Duration to Validation interface for Tokens * Make auth duration of zero yield a everlasting token * Revert "Revert "Refactor GET 'me' into heartbeat at constant interval"" This reverts commit b4773c15afe4fcd227ad88aa9d5686beb6b0a6cd. * Rename http status constants and add FORBIDDEN * Heartbeat only when logged in, notify user if heartbeat fails * Update changelog * Fix minor word semantics * Update oauth2 tests to be in the oauth2_test package * Add check at compile time that JWT implements Tokenizer * Rename CookieMux to AuthMux for consistency with earlier refactor * Fix logout middleware * Fix logout button not showing due to obsolete data shape expectations * Update changelog * Fix proptypes for logout button data shape in SideNav 2017-04-06 18:40:57 +00:00			`// Send the principal to the next handler`
			`ctx = context.WithValue(ctx, oauth2.PrincipalKey, principal)`
			`next.ServeHTTP(w, r.WithContext(ctx))`
			`return`
			`})`
			`}`
Add AuthorizedUser middleware 2017-10-18 16:35:40 +00:00
			`func AuthorizedUser(store chronograf.UsersStore, useAuth bool, role string, logger chronograf.Logger, next http.HandlerFunc) http.HandlerFunc {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`if !useAuth {`
			`next(w, r)`
			`return`
			`}`

			`log := logger.`
			`WithField("component", "role_auth").`
			`WithField("remote_addr", r.RemoteAddr).`
			`WithField("method", r.Method).`
			`WithField("url", r.URL)`

			`ctx := r.Context()`

			`username, err := getUsername(ctx)`
			`if err != nil {`
			`log.Error("Failed to retrieve username from context")`
			`Error(w, http.StatusUnauthorized, fmt.Sprintf("User is not authorized"), logger)`
			`return`
			`}`
			`provider, err := getProvider(ctx)`
			`if err != nil {`
			`log.Error("Failed to retrieve provider from context")`
			`Error(w, http.StatusUnauthorized, fmt.Sprintf("User %s is not authorized", username), logger)`
			`return`
			`}`

			`u, err := getUserBy(store, ctx, username, provider)`
			`if err != nil {`
			`log.Error("Error to retrieving user")`
			`Error(w, http.StatusUnauthorized, fmt.Sprintf("User %s is not authorized", username), logger)`
			`return`
			`}`

			`if u == nil {`
			`log.Error("User not found")`
			`Error(w, http.StatusNotFound, fmt.Sprintf("User with name %s and provider %s not found", username, provider), logger)`
			`return`
			`}`

			`if hasPrivelege(u, role) {`
			`next(w, r)`
			`return`
			`}`

			`Error(w, http.StatusUnauthorized, fmt.Sprintf("User %s is not authorized", username), logger)`
			`return`

			`})`
			`}`

			`func hasPrivelege(u *chronograf.User, role string) bool {`
			`if u == nil {`
			`return false`
			`}`

			`switch role {`
			`case ViewerRoleName:`
			`for _, r := range u.Roles {`
			`switch r.Name {`
			`case ViewerRoleName, EditorRoleName, AdminRoleName:`
			`return true`
			`default:`
			`return false`
			`}`
			`}`
			`case EditorRoleName:`
			`for _, r := range u.Roles {`
			`switch r.Name {`
			`case EditorRoleName, AdminRoleName:`
			`return true`
			`default:`
			`return false`
			`}`
			`}`
			`case AdminRoleName:`
			`for _, r := range u.Roles {`
			`switch r.Name {`
			`case AdminRoleName:`
			`return true`
			`default:`
			`return false`
			`}`
			`}`
			`default:`
			`return false`
			`}`

			`return false`
			`}`