mirror of
https://github.com/grafana/grafana.git
synced 2025-08-01 02:31:50 +08:00
Auth: Do not search for the user twice (#18366)
* Auth: Do not search for the user twice Previously `initContextWithBasicAuth` did not use `LoginUserQuery`, doing `GetUserByLoginQuery` only i.e. looking user in DB only, things changed when this function started to check LDAP provider via `LoginUserQuery` (#6940), however, this request was placed after `GetUserByLoginQuery`, so we first looking in DB then in the LDAP - if LDAP user hasn't logged in we will not find it in DB, so `LoginUserQuery` will never be reached. `LoginUserQuery` request already performs `GetUserByLoginQuery` request in correct sequence. So we can just remove redundant request. * Correct sequence execution during authentification & introduce tests for it * Move basic auth tests to separate test file, since main test file already pretty large * Introduce `testing.go` for the middleware module * Remove redundant test helper function * Make handler names more explicit Ref 5777f65d05a8dc141c34e470ef1d5fe956f8173c Fixes #18329 * Auth: address review comment
This commit is contained in:

committed by
Torkel Ödegaard

parent
d8f86834d9
commit
d88fdc86fc
143
pkg/middleware/middleware_basic_auth_test.go
Normal file
143
pkg/middleware/middleware_basic_auth_test.go
Normal file
@ -0,0 +1,143 @@
|
||||
package middleware
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"testing"
|
||||
|
||||
. "github.com/smartystreets/goconvey/convey"
|
||||
|
||||
"github.com/grafana/grafana/pkg/bus"
|
||||
authLogin "github.com/grafana/grafana/pkg/login"
|
||||
"github.com/grafana/grafana/pkg/models"
|
||||
"github.com/grafana/grafana/pkg/setting"
|
||||
"github.com/grafana/grafana/pkg/util"
|
||||
)
|
||||
|
||||
func TestMiddlewareBasicAuth(t *testing.T) {
|
||||
Convey("Given the basic auth", t, func() {
|
||||
var oldBasicAuthEnabled = setting.BasicAuthEnabled
|
||||
var oldDisableBruteForceLoginProtection = setting.DisableBruteForceLoginProtection
|
||||
var id int64 = 12
|
||||
|
||||
Convey("Setup", func() {
|
||||
setting.BasicAuthEnabled = true
|
||||
setting.DisableBruteForceLoginProtection = true
|
||||
bus.ClearBusHandlers()
|
||||
})
|
||||
|
||||
middlewareScenario(t, "Valid API key", func(sc *scenarioContext) {
|
||||
var orgID int64 = 2
|
||||
keyhash := util.EncodePassword("v5nAwpMafFP6znaS4urhdWDLS5511M42", "asd")
|
||||
|
||||
bus.AddHandler("test", func(query *models.GetApiKeyByNameQuery) error {
|
||||
query.Result = &models.ApiKey{OrgId: orgID, Role: models.ROLE_EDITOR, Key: keyhash}
|
||||
return nil
|
||||
})
|
||||
|
||||
authHeader := util.GetBasicAuthHeader("api_key", "eyJrIjoidjVuQXdwTWFmRlA2em5hUzR1cmhkV0RMUzU1MTFNNDIiLCJuIjoiYXNkIiwiaWQiOjF9")
|
||||
sc.fakeReq("GET", "/").withAuthorizationHeader(authHeader).exec()
|
||||
|
||||
Convey("Should return 200", func() {
|
||||
So(sc.resp.Code, ShouldEqual, 200)
|
||||
})
|
||||
|
||||
Convey("Should init middleware context", func() {
|
||||
So(sc.context.IsSignedIn, ShouldEqual, true)
|
||||
So(sc.context.OrgId, ShouldEqual, orgID)
|
||||
So(sc.context.OrgRole, ShouldEqual, models.ROLE_EDITOR)
|
||||
})
|
||||
})
|
||||
|
||||
middlewareScenario(t, "Handle auth", func(sc *scenarioContext) {
|
||||
var password = "MyPass"
|
||||
var salt = "Salt"
|
||||
var orgID int64 = 2
|
||||
|
||||
bus.AddHandler("grafana-auth", func(query *models.LoginUserQuery) error {
|
||||
query.User = &models.User{
|
||||
Password: util.EncodePassword(password, salt),
|
||||
Salt: salt,
|
||||
}
|
||||
return nil
|
||||
})
|
||||
|
||||
bus.AddHandler("get-sign-user", func(query *models.GetSignedInUserQuery) error {
|
||||
query.Result = &models.SignedInUser{OrgId: orgID, UserId: id}
|
||||
return nil
|
||||
})
|
||||
|
||||
authHeader := util.GetBasicAuthHeader("myUser", password)
|
||||
sc.fakeReq("GET", "/").withAuthorizationHeader(authHeader).exec()
|
||||
|
||||
Convey("Should init middleware context with users", func() {
|
||||
So(sc.context.IsSignedIn, ShouldEqual, true)
|
||||
So(sc.context.OrgId, ShouldEqual, orgID)
|
||||
So(sc.context.UserId, ShouldEqual, id)
|
||||
})
|
||||
|
||||
bus.ClearBusHandlers()
|
||||
})
|
||||
|
||||
middlewareScenario(t, "Auth sequence", func(sc *scenarioContext) {
|
||||
var password = "MyPass"
|
||||
var salt = "Salt"
|
||||
|
||||
authLogin.Init()
|
||||
|
||||
bus.AddHandler("user-query", func(query *models.GetUserByLoginQuery) error {
|
||||
query.Result = &models.User{
|
||||
Password: util.EncodePassword(password, salt),
|
||||
Id: id,
|
||||
Salt: salt,
|
||||
}
|
||||
return nil
|
||||
})
|
||||
|
||||
bus.AddHandler("get-sign-user", func(query *models.GetSignedInUserQuery) error {
|
||||
query.Result = &models.SignedInUser{UserId: query.UserId}
|
||||
return nil
|
||||
})
|
||||
|
||||
authHeader := util.GetBasicAuthHeader("myUser", password)
|
||||
sc.fakeReq("GET", "/").withAuthorizationHeader(authHeader).exec()
|
||||
|
||||
Convey("Should init middleware context with user", func() {
|
||||
So(sc.context.IsSignedIn, ShouldEqual, true)
|
||||
So(sc.context.UserId, ShouldEqual, id)
|
||||
})
|
||||
})
|
||||
|
||||
middlewareScenario(t, "Should return error if user is not found", func(sc *scenarioContext) {
|
||||
sc.fakeReq("GET", "/")
|
||||
sc.req.SetBasicAuth("user", "password")
|
||||
sc.exec()
|
||||
|
||||
err := json.NewDecoder(sc.resp.Body).Decode(&sc.respJson)
|
||||
So(err, ShouldNotBeNil)
|
||||
|
||||
So(sc.resp.Code, ShouldEqual, 401)
|
||||
So(sc.respJson["message"], ShouldEqual, errStringInvalidUsernamePassword)
|
||||
})
|
||||
|
||||
middlewareScenario(t, "Should return error if user & password do not match", func(sc *scenarioContext) {
|
||||
bus.AddHandler("user-query", func(loginUserQuery *models.GetUserByLoginQuery) error {
|
||||
return nil
|
||||
})
|
||||
|
||||
sc.fakeReq("GET", "/")
|
||||
sc.req.SetBasicAuth("killa", "gorilla")
|
||||
sc.exec()
|
||||
|
||||
err := json.NewDecoder(sc.resp.Body).Decode(&sc.respJson)
|
||||
So(err, ShouldNotBeNil)
|
||||
|
||||
So(sc.resp.Code, ShouldEqual, 401)
|
||||
So(sc.respJson["message"], ShouldEqual, errStringInvalidUsernamePassword)
|
||||
})
|
||||
|
||||
Convey("Destroy", func() {
|
||||
setting.BasicAuthEnabled = oldBasicAuthEnabled
|
||||
setting.DisableBruteForceLoginProtection = oldDisableBruteForceLoginProtection
|
||||
})
|
||||
})
|
||||
}
|
Reference in New Issue
Block a user