7 anni fa · 391868c5d6
--- a/pkg/middleware/auth_proxy.go
+++ b/pkg/middleware/auth_proxy.go
@@ -1,8 +1,8 @@
 
				 package middleware
			
 
				 
			
 
				 import (
			
 
				-	"errors"
			
 
				 	"fmt"
			
 
				+	"net"
			
 
				 	"strings"
			
 
				 	"time"
			
 
				 
			
@@ -25,7 +25,7 @@ func initContextWithAuthProxy(ctx *m.ReqContext, orgID int64) bool {
 
				 	}
			
 
				 
			
 
				 	// if auth proxy ip(s) defined, check if request comes from one of those
			
 
				-	if err := checkAuthenticationProxy(ctx, proxyHeaderValue); err != nil {
			
 
				+	if err := checkAuthenticationProxy(ctx.Req.RemoteAddr, proxyHeaderValue); err != nil {
			
 
				 		ctx.Handle(407, "Proxy authentication required", err)
			
 
				 		return true
			
 
				 	}
			
@@ -123,29 +123,25 @@ var syncGrafanaUserWithLdapUser = func(ctx *m.ReqContext, query *m.GetSignedInUs
 
				 	return nil
			
 
				 }
			
 
				 
			
 
				-func checkAuthenticationProxy(ctx *m.ReqContext, proxyHeaderValue string) error {
			
 
				+func checkAuthenticationProxy(remoteAddr string, proxyHeaderValue string) error {
			
 
				 	if len(strings.TrimSpace(setting.AuthProxyWhitelist)) == 0 {
			
 
				 		return nil
			
 
				 	}
			
 
				+
			
 
				 	proxies := strings.Split(setting.AuthProxyWhitelist, ",")
			
 
				-	remoteAddrSplit := strings.Split(ctx.Req.RemoteAddr, ":")
			
 
				-	sourceIP := remoteAddrSplit[0]
			
 
				+	sourceIP, _, err := net.SplitHostPort(remoteAddr)
			
 
				+	if err != nil {
			
 
				+		return err
			
 
				+	}
			
 
				 
			
 
				-	found := false
			
 
				+	// Compare allowed IP addresses to actual address
			
 
				 	for _, proxyIP := range proxies {
			
 
				 		if sourceIP == strings.TrimSpace(proxyIP) {
			
 
				-			found = true
			
 
				-			break
			
 
				+			return nil
			
 
				 		}
			
 
				 	}
			
 
				 
			
 
				-	if !found {
			
 
				-		msg := fmt.Sprintf("Request for user (%s) is not from the authentication proxy", proxyHeaderValue)
			
 
				-		err := errors.New(msg)
			
 
				-		return err
			
 
				-	}
			
 
				-
			
 
				-	return nil
			
 
				+	return fmt.Errorf("Request for user (%s) from %s is not from the authentication proxy", proxyHeaderValue, sourceIP)
			
 
				 }
			
 
				 
			
 
				 func getSignedInUserQueryForProxyAuth(headerVal string) *m.GetSignedInUserQuery {
			
--- a/pkg/middleware/middleware_test.go
+++ b/pkg/middleware/middleware_test.go
@@ -226,11 +226,11 @@ func TestMiddlewareContext(t *testing.T) {
 
				 			})
			
 
				 		})
			
 
				 
			
 
				-		middlewareScenario("When auth_proxy is enabled and request RemoteAddr is not trusted", func(sc *scenarioContext) {
			
 
				+		middlewareScenario("When auth_proxy is enabled and IPv4 request RemoteAddr is not trusted", func(sc *scenarioContext) {
			
 
				 			setting.AuthProxyEnabled = true
			
 
				 			setting.AuthProxyHeaderName = "X-WEBAUTH-USER"
			
 
				 			setting.AuthProxyHeaderProperty = "username"
			
 
				-			setting.AuthProxyWhitelist = "192.168.1.1, 192.168.2.1"
			
 
				+			setting.AuthProxyWhitelist = "192.168.1.1, 2001::23"
			
 
				 
			
 
				 			sc.fakeReq("GET", "/")
			
 
				 			sc.req.Header.Add("X-WEBAUTH-USER", "torkelo")
			
@@ -239,6 +239,24 @@ func TestMiddlewareContext(t *testing.T) {
 
				 
			
 
				 			Convey("should return 407 status code", func() {
			
 
				 				So(sc.resp.Code, ShouldEqual, 407)
			
 
				+				So(sc.resp.Body.String(), ShouldContainSubstring, "Request for user (torkelo) from 192.168.3.1 is not from the authentication proxy")
			
 
				+			})
			
 
				+		})
			
 
				+
			
 
				+		middlewareScenario("When auth_proxy is enabled and IPv6 request RemoteAddr is not trusted", func(sc *scenarioContext) {
			
 
				+			setting.AuthProxyEnabled = true
			
 
				+			setting.AuthProxyHeaderName = "X-WEBAUTH-USER"
			
 
				+			setting.AuthProxyHeaderProperty = "username"
			
 
				+			setting.AuthProxyWhitelist = "192.168.1.1, 2001::23"
			
 
				+
			
 
				+			sc.fakeReq("GET", "/")
			
 
				+			sc.req.Header.Add("X-WEBAUTH-USER", "torkelo")
			
 
				+			sc.req.RemoteAddr = "[2001:23]:12345"
			
 
				+			sc.exec()
			
 
				+
			
 
				+			Convey("should return 407 status code", func() {
			
 
				+				So(sc.resp.Code, ShouldEqual, 407)
			
 
				+				So(sc.resp.Body.String(), ShouldContainSubstring, "Request for user (torkelo) from 2001:23 is not from the authentication proxy")
			
 
				 			})
			
 
				 		})
			
 
				 
			
@@ -246,7 +264,7 @@ func TestMiddlewareContext(t *testing.T) {
 
				 			setting.AuthProxyEnabled = true
			
 
				 			setting.AuthProxyHeaderName = "X-WEBAUTH-USER"
			
 
				 			setting.AuthProxyHeaderProperty = "username"
			
 
				-			setting.AuthProxyWhitelist = "192.168.1.1, 192.168.2.1"
			
 
				+			setting.AuthProxyWhitelist = "192.168.1.1, 2001::23"
			
 
				 
			
 
				 			bus.AddHandler("test", func(query *m.GetSignedInUserQuery) error {
			
 
				 				query.Result = &m.SignedInUser{OrgId: 4, UserId: 33}
			
@@ -255,7 +273,7 @@ func TestMiddlewareContext(t *testing.T) {
 
				 
			
 
				 			sc.fakeReq("GET", "/")
			
 
				 			sc.req.Header.Add("X-WEBAUTH-USER", "torkelo")
			
 
				-			sc.req.RemoteAddr = "192.168.2.1:12345"
			
 
				+			sc.req.RemoteAddr = "[2001::23]:12345"
			
 
				 			sc.exec()
			
 
				 
			
 
				 			Convey("Should init context with user info", func() {