Auth proxy: Ignore stale cache entries (#23979)
* Auth proxy: Retry without cache if failing to get user
This commit is contained in:
Arve Knudsen
GitHub
@@ -11,6 +11,7 @@ import (
|
||||
"time"
|
||||
|
||||
"github.com/grafana/grafana/pkg/bus"
|
||||
"github.com/grafana/grafana/pkg/infra/log"
|
||||
"github.com/grafana/grafana/pkg/infra/remotecache"
|
||||
"github.com/grafana/grafana/pkg/models"
|
||||
"github.com/grafana/grafana/pkg/services/ldap"
|
||||
@@ -168,27 +169,23 @@ func (auth *AuthProxy) getKey() string {
|
||||
return fmt.Sprintf(CachePrefix, hashedKey)
|
||||
}
|
||||
|
||||
// Login logs in user id with whatever means possible
|
||||
func (auth *AuthProxy) Login() (int64, *Error) {
|
||||
|
||||
id, _ := auth.GetUserViaCache()
|
||||
if id != 0 {
|
||||
// Login logs in user ID by whatever means possible.
|
||||
func (auth *AuthProxy) Login(logger log.Logger, ignoreCache bool) (int64, *Error) {
|
||||
if !ignoreCache {
|
||||
// Error here means absent cache - we don't need to handle that
|
||||
return id, nil
|
||||
id, err := auth.GetUserViaCache(logger)
|
||||
if err == nil && id != 0 {
|
||||
return id, nil
|
||||
}
|
||||
}
|
||||
|
||||
if isLDAPEnabled() {
|
||||
id, err := auth.LoginViaLDAP()
|
||||
|
||||
if err == ldap.ErrInvalidCredentials {
|
||||
return 0, newError(
|
||||
"Proxy authentication required",
|
||||
ldap.ErrInvalidCredentials,
|
||||
)
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
return 0, newError("Failed to get the user", err)
|
||||
if err == ldap.ErrInvalidCredentials {
|
||||
return 0, newError("proxy authentication required", ldap.ErrInvalidCredentials)
|
||||
}
|
||||
return 0, newError("failed to get the user", err)
|
||||
}
|
||||
|
||||
return id, nil
|
||||
@@ -196,29 +193,38 @@ func (auth *AuthProxy) Login() (int64, *Error) {
|
||||
|
||||
id, err := auth.LoginViaHeader()
|
||||
if err != nil {
|
||||
return 0, newError(
|
||||
"Failed to log in as user, specified in auth proxy header",
|
||||
err,
|
||||
)
|
||||
return 0, newError("failed to log in as user, specified in auth proxy header", err)
|
||||
}
|
||||
|
||||
return id, nil
|
||||
}
|
||||
|
||||
// GetUserViaCache gets user id from cache
|
||||
func (auth *AuthProxy) GetUserViaCache() (int64, error) {
|
||||
var (
|
||||
cacheKey = auth.getKey()
|
||||
userID, err = auth.store.Get(cacheKey)
|
||||
)
|
||||
|
||||
// GetUserViaCache gets user ID from cache.
|
||||
func (auth *AuthProxy) GetUserViaCache(logger log.Logger) (int64, error) {
|
||||
cacheKey := auth.getKey()
|
||||
logger.Debug("Getting user ID via auth cache", "cacheKey", cacheKey)
|
||||
userID, err := auth.store.Get(cacheKey)
|
||||
if err != nil {
|
||||
logger.Debug("Failed getting user ID via auth cache", "error", err)
|
||||
return 0, err
|
||||
}
|
||||
|
||||
logger.Debug("Successfully got user ID via auth cache", "id", userID)
|
||||
return userID.(int64), nil
|
||||
}
|
||||
|
||||
// RemoveUserFromCache removes user from cache.
|
||||
func (auth *AuthProxy) RemoveUserFromCache(logger log.Logger) error {
|
||||
cacheKey := auth.getKey()
|
||||
logger.Debug("Removing user from auth cache", "cacheKey", cacheKey)
|
||||
if err := auth.store.Delete(cacheKey); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
logger.Debug("Successfully removed user from auth cache", "cacheKey", cacheKey)
|
||||
return nil
|
||||
}
|
||||
|
||||
// LoginViaLDAP logs in user via LDAP request
|
||||
func (auth *AuthProxy) LoginViaLDAP() (int64, *Error) {
|
||||
config, err := getLDAPConfig()
|
||||
@@ -265,7 +271,6 @@ func (auth *AuthProxy) LoginViaHeader() (int64, error) {
|
||||
extUser.Login = auth.header
|
||||
default:
|
||||
return 0, newError("Auth proxy header property invalid", nil)
|
||||
|
||||
}
|
||||
|
||||
auth.headersIterator(func(field string, header string) {
|
||||
@@ -305,7 +310,7 @@ func (auth *AuthProxy) headersIterator(fn func(field string, header string)) {
|
||||
}
|
||||
}
|
||||
|
||||
// GetSignedUser get full signed user info
|
||||
// GetSignedUser gets full signed user info.
|
||||
func (auth *AuthProxy) GetSignedUser(userID int64) (*models.SignedInUser, *Error) {
|
||||
query := &models.GetSignedInUserQuery{
|
||||
OrgId: auth.orgID,
|
||||
|
||||
@@ -7,6 +7,7 @@ import (
|
||||
"testing"
|
||||
|
||||
"github.com/grafana/grafana/pkg/bus"
|
||||
"github.com/grafana/grafana/pkg/infra/log"
|
||||
"github.com/grafana/grafana/pkg/infra/remotecache"
|
||||
"github.com/grafana/grafana/pkg/models"
|
||||
"github.com/grafana/grafana/pkg/services/ldap"
|
||||
@@ -66,8 +67,10 @@ func prepareMiddleware(t *testing.T, req *http.Request, store *remotecache.Remot
|
||||
}
|
||||
|
||||
func TestMiddlewareContext(t *testing.T) {
|
||||
logger := log.New("test")
|
||||
Convey("auth_proxy helper", t, func() {
|
||||
req, _ := http.NewRequest("POST", "http://example.com", nil)
|
||||
req, err := http.NewRequest("POST", "http://example.com", nil)
|
||||
So(err, ShouldBeNil)
|
||||
setting.AuthProxyHeaderName = "X-Killa"
|
||||
store := remotecache.NewFakeStore(t)
|
||||
|
||||
@@ -75,7 +78,6 @@ func TestMiddlewareContext(t *testing.T) {
|
||||
req.Header.Add(setting.AuthProxyHeaderName, name)
|
||||
|
||||
Convey("when the cache only contains the main header", func() {
|
||||
|
||||
Convey("with a simple cache key", func() {
|
||||
// Set cache key
|
||||
key := fmt.Sprintf(CachePrefix, HashCacheKey(name))
|
||||
@@ -84,10 +86,11 @@ func TestMiddlewareContext(t *testing.T) {
|
||||
|
||||
// Set up the middleware
|
||||
auth := prepareMiddleware(t, req, store)
|
||||
id, err := auth.Login()
|
||||
So(auth.getKey(), ShouldEqual, "auth-proxy-sync-ttl:0a7f3374e9659b10980fd66247b0cf2f")
|
||||
|
||||
id, err := auth.Login(logger, false)
|
||||
So(err, ShouldBeNil)
|
||||
|
||||
So(auth.getKey(), ShouldEqual, "auth-proxy-sync-ttl:0a7f3374e9659b10980fd66247b0cf2f")
|
||||
So(id, ShouldEqual, 33)
|
||||
})
|
||||
|
||||
@@ -101,14 +104,11 @@ func TestMiddlewareContext(t *testing.T) {
|
||||
So(err, ShouldBeNil)
|
||||
|
||||
auth := prepareMiddleware(t, req, store)
|
||||
|
||||
id, err := auth.Login()
|
||||
So(err, ShouldBeNil)
|
||||
So(auth.getKey(), ShouldEqual, "auth-proxy-sync-ttl:14f69b7023baa0ac98c96b31cec07bc0")
|
||||
So(id, ShouldEqual, 33)
|
||||
})
|
||||
|
||||
Convey("when the does not exist", func() {
|
||||
id, err := auth.Login(logger, false)
|
||||
So(err, ShouldBeNil)
|
||||
So(id, ShouldEqual, 33)
|
||||
})
|
||||
})
|
||||
|
||||
@@ -155,7 +155,7 @@ func TestMiddlewareContext(t *testing.T) {
|
||||
|
||||
auth := prepareMiddleware(t, req, store)
|
||||
|
||||
id, err := auth.Login()
|
||||
id, err := auth.Login(logger, false)
|
||||
|
||||
So(err, ShouldBeNil)
|
||||
So(id, ShouldEqual, 42)
|
||||
@@ -189,10 +189,10 @@ func TestMiddlewareContext(t *testing.T) {
|
||||
return stub
|
||||
}
|
||||
|
||||
id, err := auth.Login()
|
||||
id, err := auth.Login(logger, false)
|
||||
|
||||
So(err, ShouldNotBeNil)
|
||||
So(err.Error(), ShouldContainSubstring, "Failed to get the user")
|
||||
So(err.Error(), ShouldContainSubstring, "failed to get the user")
|
||||
So(id, ShouldNotEqual, 42)
|
||||
So(stub.loginCalled, ShouldEqual, false)
|
||||
})
|
||||
|
||||
Reference in New Issue
Block a user