mirror of
https://github.com/grafana/grafana.git
synced 2025-07-29 05:42:28 +08:00
730bedf36f
* LDAP Debug: No longer shows incorrectly matching groups based on role Org Role was used as a shortcut to figure out what groups were matching and which weren't. That lead to too all groups matching a specific role to show up for a user if that user got that role. * LDAP Debug: Fixes ordering of matches The order of groups in the ldap.toml file is important, only the first match for an organisation will be used. This means we have to iterate based on the config and stop matching when a match is found. We might want to think about showing further matches as potential matches that are shadowed by the first match. That would possibly make it easier to understand why one match is used instead of another one. * LDAP Debug: never display more than one match for the same LDAP group/mapping. * LDAP Debug: show all matches, even if they aren't used * Update public/app/features/admin/ldap/LdapUserGroups.tsx Co-Authored-By: gotjosh <josue.abreu@gmail.com> * Update public/app/features/admin/ldap/LdapUserGroups.tsx Co-Authored-By: gotjosh <josue.abreu@gmail.com>
347 lines
9.7 KiB
Go
347 lines
9.7 KiB
Go
package api
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"net/http"
|
|
|
|
"github.com/grafana/grafana/pkg/bus"
|
|
"github.com/grafana/grafana/pkg/infra/log"
|
|
"github.com/grafana/grafana/pkg/login"
|
|
"github.com/grafana/grafana/pkg/models"
|
|
"github.com/grafana/grafana/pkg/services/ldap"
|
|
"github.com/grafana/grafana/pkg/services/multildap"
|
|
"github.com/grafana/grafana/pkg/setting"
|
|
"github.com/grafana/grafana/pkg/util"
|
|
)
|
|
|
|
var (
|
|
getLDAPConfig = multildap.GetConfig
|
|
newLDAP = multildap.New
|
|
tokenService = AuthToken{}.TokenService
|
|
|
|
logger = log.New("LDAP.debug")
|
|
|
|
errOrganizationNotFound = func(orgId int64) error {
|
|
return fmt.Errorf("Unable to find organization with ID '%d'", orgId)
|
|
}
|
|
)
|
|
|
|
// LDAPAttribute is a serializer for user attributes mapped from LDAP. Is meant to display both the serialized value and the LDAP key we received it from.
|
|
type LDAPAttribute struct {
|
|
ConfigAttributeValue string `json:"cfgAttrValue"`
|
|
LDAPAttributeValue string `json:"ldapValue"`
|
|
}
|
|
|
|
// RoleDTO is a serializer for mapped roles from LDAP
|
|
type LDAPRoleDTO struct {
|
|
OrgId int64 `json:"orgId"`
|
|
OrgName string `json:"orgName"`
|
|
OrgRole models.RoleType `json:"orgRole"`
|
|
GroupDN string `json:"groupDN"`
|
|
}
|
|
|
|
// LDAPUserDTO is a serializer for users mapped from LDAP
|
|
type LDAPUserDTO struct {
|
|
Name *LDAPAttribute `json:"name"`
|
|
Surname *LDAPAttribute `json:"surname"`
|
|
Email *LDAPAttribute `json:"email"`
|
|
Username *LDAPAttribute `json:"login"`
|
|
IsGrafanaAdmin *bool `json:"isGrafanaAdmin"`
|
|
IsDisabled bool `json:"isDisabled"`
|
|
OrgRoles []LDAPRoleDTO `json:"roles"`
|
|
Teams []models.TeamOrgGroupDTO `json:"teams"`
|
|
}
|
|
|
|
// LDAPServerDTO is a serializer for LDAP server statuses
|
|
type LDAPServerDTO struct {
|
|
Host string `json:"host"`
|
|
Port int `json:"port"`
|
|
Available bool `json:"available"`
|
|
Error string `json:"error"`
|
|
}
|
|
|
|
type AuthToken struct {
|
|
TokenService TokenRevoker `inject:""`
|
|
}
|
|
|
|
type TokenRevoker interface {
|
|
RevokeAllUserTokens(context.Context, int64) error
|
|
}
|
|
|
|
// FetchOrgs fetches the organization(s) information by executing a single query to the database. Then, populating the DTO with the information retrieved.
|
|
func (user *LDAPUserDTO) FetchOrgs() error {
|
|
orgIds := []int64{}
|
|
|
|
for _, or := range user.OrgRoles {
|
|
orgIds = append(orgIds, or.OrgId)
|
|
}
|
|
|
|
q := &models.SearchOrgsQuery{}
|
|
q.Ids = orgIds
|
|
|
|
if err := bus.Dispatch(q); err != nil {
|
|
return err
|
|
}
|
|
|
|
orgNamesById := map[int64]string{}
|
|
for _, org := range q.Result {
|
|
orgNamesById[org.Id] = org.Name
|
|
}
|
|
|
|
for i, orgDTO := range user.OrgRoles {
|
|
if orgDTO.OrgId < 1 {
|
|
continue
|
|
}
|
|
|
|
orgName := orgNamesById[orgDTO.OrgId]
|
|
|
|
if orgName != "" {
|
|
user.OrgRoles[i].OrgName = orgName
|
|
} else {
|
|
return errOrganizationNotFound(orgDTO.OrgId)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// ReloadLDAPCfg reloads the LDAP configuration
|
|
func (server *HTTPServer) ReloadLDAPCfg() Response {
|
|
if !ldap.IsEnabled() {
|
|
return Error(http.StatusBadRequest, "LDAP is not enabled", nil)
|
|
}
|
|
|
|
err := ldap.ReloadConfig()
|
|
if err != nil {
|
|
return Error(http.StatusInternalServerError, "Failed to reload LDAP config", err)
|
|
}
|
|
return Success("LDAP config reloaded")
|
|
}
|
|
|
|
// GetLDAPStatus attempts to connect to all the configured LDAP servers and returns information on whenever they're availabe or not.
|
|
func (server *HTTPServer) GetLDAPStatus(c *models.ReqContext) Response {
|
|
if !ldap.IsEnabled() {
|
|
return Error(http.StatusBadRequest, "LDAP is not enabled", nil)
|
|
}
|
|
|
|
ldapConfig, err := getLDAPConfig()
|
|
|
|
if err != nil {
|
|
return Error(http.StatusBadRequest, "Failed to obtain the LDAP configuration. Please verify the configuration and try again", err)
|
|
}
|
|
|
|
ldap := newLDAP(ldapConfig.Servers)
|
|
|
|
if ldap == nil {
|
|
return Error(http.StatusInternalServerError, "Failed to find the LDAP server", nil)
|
|
}
|
|
|
|
statuses, err := ldap.Ping()
|
|
|
|
if err != nil {
|
|
return Error(http.StatusBadRequest, "Failed to connect to the LDAP server(s)", err)
|
|
}
|
|
|
|
serverDTOs := []*LDAPServerDTO{}
|
|
for _, status := range statuses {
|
|
s := &LDAPServerDTO{
|
|
Host: status.Host,
|
|
Available: status.Available,
|
|
Port: status.Port,
|
|
}
|
|
|
|
if status.Error != nil {
|
|
s.Error = status.Error.Error()
|
|
}
|
|
|
|
serverDTOs = append(serverDTOs, s)
|
|
}
|
|
|
|
return JSON(http.StatusOK, serverDTOs)
|
|
}
|
|
|
|
// PostSyncUserWithLDAP enables a single Grafana user to be synchronized against LDAP
|
|
func (server *HTTPServer) PostSyncUserWithLDAP(c *models.ReqContext) Response {
|
|
if !ldap.IsEnabled() {
|
|
return Error(http.StatusBadRequest, "LDAP is not enabled", nil)
|
|
}
|
|
|
|
ldapConfig, err := getLDAPConfig()
|
|
|
|
if err != nil {
|
|
return Error(http.StatusBadRequest, "Failed to obtain the LDAP configuration. Please verify the configuration and try again", err)
|
|
}
|
|
|
|
userId := c.ParamsInt64(":id")
|
|
|
|
query := models.GetUserByIdQuery{Id: userId}
|
|
|
|
if err := bus.Dispatch(&query); err != nil { // validate the userId exists
|
|
if err == models.ErrUserNotFound {
|
|
return Error(404, models.ErrUserNotFound.Error(), nil)
|
|
}
|
|
|
|
return Error(500, "Failed to get user", err)
|
|
}
|
|
|
|
authModuleQuery := &models.GetAuthInfoQuery{UserId: query.Result.Id, AuthModule: models.AuthModuleLDAP}
|
|
|
|
if err := bus.Dispatch(authModuleQuery); err != nil { // validate the userId comes from LDAP
|
|
if err == models.ErrUserNotFound {
|
|
return Error(404, models.ErrUserNotFound.Error(), nil)
|
|
}
|
|
|
|
return Error(500, "Failed to get user", err)
|
|
}
|
|
|
|
ldapServer := newLDAP(ldapConfig.Servers)
|
|
user, _, err := ldapServer.User(query.Result.Login)
|
|
|
|
if err != nil {
|
|
if err == ldap.ErrCouldNotFindUser { // User was not in the LDAP server - we need to take action:
|
|
|
|
if setting.AdminUser == query.Result.Login { // User is *the* Grafana Admin. We cannot disable it.
|
|
errMsg := fmt.Sprintf(`Refusing to sync grafana super admin "%s" - it would be disabled`, query.Result.Login)
|
|
logger.Error(errMsg)
|
|
return Error(http.StatusBadRequest, errMsg, err)
|
|
}
|
|
|
|
// Since the user was not in the LDAP server. Let's disable it.
|
|
err := login.DisableExternalUser(query.Result.Login)
|
|
|
|
if err != nil {
|
|
return Error(http.StatusInternalServerError, "Failed to disable the user", err)
|
|
}
|
|
|
|
err = tokenService.RevokeAllUserTokens(context.TODO(), userId)
|
|
if err != nil {
|
|
return Error(http.StatusInternalServerError, "Failed to remove session tokens for the user", err)
|
|
}
|
|
|
|
return Success("User disabled without any updates in the information") // should this be a success?
|
|
}
|
|
}
|
|
|
|
upsertCmd := &models.UpsertUserCommand{
|
|
ExternalUser: user,
|
|
SignupAllowed: setting.LDAPAllowSignup,
|
|
}
|
|
|
|
err = bus.Dispatch(upsertCmd)
|
|
|
|
if err != nil {
|
|
return Error(http.StatusInternalServerError, "Failed to udpate the user", err)
|
|
}
|
|
|
|
return Success("User synced successfully")
|
|
}
|
|
|
|
// GetUserFromLDAP finds an user based on a username in LDAP. This helps illustrate how would the particular user be mapped in Grafana when synced.
|
|
func (server *HTTPServer) GetUserFromLDAP(c *models.ReqContext) Response {
|
|
if !ldap.IsEnabled() {
|
|
return Error(http.StatusBadRequest, "LDAP is not enabled", nil)
|
|
}
|
|
|
|
ldapConfig, err := getLDAPConfig()
|
|
|
|
if err != nil {
|
|
return Error(http.StatusBadRequest, "Failed to obtain the LDAP configuration", err)
|
|
}
|
|
|
|
ldap := newLDAP(ldapConfig.Servers)
|
|
|
|
username := c.Params(":username")
|
|
|
|
if len(username) == 0 {
|
|
return Error(http.StatusBadRequest, "Validation error. You must specify an username", nil)
|
|
}
|
|
|
|
user, serverConfig, err := ldap.User(username)
|
|
|
|
if user == nil {
|
|
return Error(http.StatusNotFound, "No user was found in the LDAP server(s) with that username", err)
|
|
}
|
|
|
|
logger.Debug("user found", "user", user)
|
|
|
|
name, surname := splitName(user.Name)
|
|
|
|
u := &LDAPUserDTO{
|
|
Name: &LDAPAttribute{serverConfig.Attr.Name, name},
|
|
Surname: &LDAPAttribute{serverConfig.Attr.Surname, surname},
|
|
Email: &LDAPAttribute{serverConfig.Attr.Email, user.Email},
|
|
Username: &LDAPAttribute{serverConfig.Attr.Username, user.Login},
|
|
IsGrafanaAdmin: user.IsGrafanaAdmin,
|
|
IsDisabled: user.IsDisabled,
|
|
}
|
|
|
|
orgRoles := []LDAPRoleDTO{}
|
|
|
|
// Need to iterate based on the config groups as only the first match for an org is used
|
|
// We are showing all matches as that should help in understanding why one match wins out
|
|
// over another.
|
|
for _, configGroup := range serverConfig.Groups {
|
|
for _, userGroup := range user.Groups {
|
|
if configGroup.GroupDN == userGroup {
|
|
r := &LDAPRoleDTO{GroupDN: configGroup.GroupDN, OrgId: configGroup.OrgId, OrgRole: configGroup.OrgRole}
|
|
orgRoles = append(orgRoles, *r)
|
|
break
|
|
}
|
|
}
|
|
//}
|
|
}
|
|
|
|
// Then, we find what we did not match by inspecting the list of groups returned from
|
|
// LDAP against what we have already matched above.
|
|
for _, userGroup := range user.Groups {
|
|
var matched bool
|
|
|
|
for _, orgRole := range orgRoles {
|
|
if orgRole.GroupDN == userGroup { // we already matched it
|
|
matched = true
|
|
break
|
|
}
|
|
}
|
|
|
|
if !matched {
|
|
r := &LDAPRoleDTO{GroupDN: userGroup}
|
|
orgRoles = append(orgRoles, *r)
|
|
}
|
|
}
|
|
|
|
u.OrgRoles = orgRoles
|
|
|
|
logger.Debug("mapping org roles", "orgsRoles", u.OrgRoles)
|
|
err = u.FetchOrgs()
|
|
|
|
if err != nil {
|
|
return Error(http.StatusBadRequest, "An oganization was not found - Please verify your LDAP configuration", err)
|
|
}
|
|
|
|
cmd := &models.GetTeamsForLDAPGroupCommand{Groups: user.Groups}
|
|
err = bus.Dispatch(cmd)
|
|
|
|
if err != bus.ErrHandlerNotFound && err != nil {
|
|
return Error(http.StatusBadRequest, "Unable to find the teams for this user", err)
|
|
}
|
|
|
|
u.Teams = cmd.Result
|
|
|
|
return JSON(200, u)
|
|
}
|
|
|
|
// splitName receives the full name of a user and splits it into two parts: A name and a surname.
|
|
func splitName(name string) (string, string) {
|
|
names := util.SplitString(name)
|
|
|
|
switch len(names) {
|
|
case 0:
|
|
return "", ""
|
|
case 1:
|
|
return names[0], ""
|
|
default:
|
|
return names[0], names[1]
|
|
}
|
|
}
|