grafana · torkelo · Nov 7, 2019 · Nov 5, 2019 · Nov 5, 2019 · Nov 7, 2019
@@ -436,6 +436,7 @@ auto_sign_up = true
 ldap_sync_ttl = 60
 whitelist =
 headers =
+grant_login_token = false
 
 #################################### Auth LDAP ###########################
 [auth.ldap]

@@ -398,6 +398,9 @@
 ;ldap_sync_ttl = 60
 ;whitelist = 192.168.1.1, 192.168.2.1
 ;headers = Email:X-User-Email, Name:X-User-Name
+# If you want to combine auth proxy with the normal login session token & cookie enable setting defined below.
+# It will grant a login token if you supply auth proxy headers on /login request
+;grant_login_token = false
 
 #################################### Basic Auth ##########################
 [auth.basic]

diff --git a/devenv/docker/blocks/nginx_proxy/nginx_login_only.conf b/devenv/docker/blocks/nginx_proxy/nginx_login_only.conf
@@ -0,0 +1,42 @@
+events { worker_connections 1024; }
+
+http {
+  sendfile on;
+
+  proxy_redirect     off;
+  proxy_set_header   Host $host;
+  proxy_set_header   X-Real-IP $remote_addr;
+  proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+  proxy_set_header   X-Forwarded-Host $server_name;
+
+  server {
+    listen 10080;
+
+    location /grafana/ {
+      ################################################################
+      # Enable these settings to test with basic auth and an auth proxy header
+      # the htpasswd file contains an admin user with password admin and
+      # user1: grafana and user2: grafana
+      ################################################################
+
+
+      ################################################################
+      # To use the auth proxy header, set the following in custom.ini:
+      # [auth.proxy]
+      # enabled = true
+      # header_name = X-WEBAUTH-USER
+      # header_property = username
+      ################################################################
+
+      location /grafana/login {
+        auth_basic "Restricted Content";
+        auth_basic_user_file /etc/nginx/htpasswd;
+        proxy_set_header X-WEBAUTH-USER $remote_user;
+        proxy_pass http://localhost:3000/login;
+      }
+
+      proxy_set_header Authorization "";
+      proxy_pass http://localhost:3000/;
+    }
+  }
+}
@@ -36,6 +36,9 @@ whitelist =
 # Optionally define more headers to sync other user attributes
 # Example `headers = Name:X-WEBAUTH-NAME Email:X-WEBAUTH-EMAIL Groups:X-WEBAUTH-GROUPS`
 headers =
+# If you want to combine auth proxy with the normal login session token & cookie enable setting defined below.
+# It will grant a login token if you supply auth proxy headers on /login request
+grant_login_token = false
 ```
 
 ## Interacting with Grafana’s AuthProxy via curl
@@ -294,3 +297,12 @@ curl -H "X-WEBAUTH-USER: leonard" -H "X-WEBAUTH-GROUPS: lokiteamOnExternalSystem
 With this, the user `leonard` will be automatically placed into the Loki team as part of Grafana authentication.
 
 [Learn more about Team Sync]({{< relref "auth/team-sync.md" >}})
+
+
+## Login token & session cookie
+
+If you want to combine auth proxy with the normal login session token & cookie enable the setting `grant_login_token`.
+With that option enabled requests to `/login` that have auth proxy headers added will create a new session token for the
+user (and redirect user). This means that only /login route needs to go through auth proxy. Use settings `login_maximum_inactive_lifetime_days`
+and `login_maximum_lifetime_days` under `[auth]` to control session lifetime.
+
@@ -57,18 +57,31 @@ func (hs *HTTPServer) LoginView(c *models.ReqContext) {
 		return
 	}
 
-	if !c.IsSignedIn {
-		c.HTML(200, ViewIndex, viewData)
-		return
-	}
+	if c.IsSignedIn {
+		// Assign login token to auth proxy users if grant_login_token = true
+		if setting.AuthProxyEnabled && setting.AuthProxyGrantLoginToken {
+			hs.loginAuthProxyUser(c)
+		}
 
-	if redirectTo, _ := url.QueryUnescape(c.GetCookie("redirect_to")); len(redirectTo) > 0 {
-		c.SetCookie("redirect_to", "", -1, setting.AppSubUrl+"/")
-		c.Redirect(redirectTo)
+		if redirectTo, _ := url.QueryUnescape(c.GetCookie("redirect_to")); len(redirectTo) > 0 {
+			c.SetCookie("redirect_to", "", -1, setting.AppSubUrl+"/")
+			c.Redirect(redirectTo)
+			return
+		}
+
+		c.Redirect(setting.AppSubUrl + "/")
 		return
 	}
 
-	c.Redirect(setting.AppSubUrl + "/")
+	c.HTML(200, ViewIndex, viewData)
+}
+
+func (hs *HTTPServer) loginAuthProxyUser(c *models.ReqContext) {
+	hs.loginUserWithUser(&models.User{
+		Id:    c.SignedInUser.UserId,
+		Email: c.SignedInUser.Email,
+		Login: c.SignedInUser.Login,
+	}, c)
 }
 
 func tryOAuthAutoLogin(c *models.ReqContext) bool {

@@ -10,7 +10,9 @@ import (
 	"testing"
 
 	"github.com/grafana/grafana/pkg/api/dtos"
+	"github.com/grafana/grafana/pkg/infra/log"
 	"github.com/grafana/grafana/pkg/models"
+	"github.com/grafana/grafana/pkg/services/auth"
 	"github.com/grafana/grafana/pkg/setting"
 	"github.com/grafana/grafana/pkg/util"
 	"github.com/stretchr/testify/assert"
@@ -68,8 +70,6 @@ func TestLoginErrorCookieApiEndpoint(t *testing.T) {
 		hs.LoginView(c)
 	})
 
-	setting.OAuthService = &setting.OAuther{}
-	setting.OAuthService.OAuthInfos = make(map[string]*setting.OAuthInfo)
 	setting.LoginCookieName = "grafana_session"
 	setting.SecretKey = "login_testing"
 
@@ -136,3 +136,59 @@ func TestLoginOAuthRedirect(t *testing.T) {
 	assert.True(t, ok)
 	assert.Equal(t, location[0], "/login/github")
 }
+
+func TestAuthProxyLoginGrantLoginDisabled(t *testing.T) {
+	sc := setupAuthProxyLoginTest(false)
+
+	assert.Equal(t, sc.resp.Code, 302)
+	location, ok := sc.resp.Header()["Location"]
+	assert.True(t, ok)
+	assert.Equal(t, location[0], "/")
+
+	_, ok = sc.resp.Header()["Set-Cookie"]
+	assert.False(t, ok, "Set-Cookie does not exist")
+}
+
+func TestAuthProxyLoginWithGrantEnabled(t *testing.T) {
+	sc := setupAuthProxyLoginTest(true)
+
+	assert.Equal(t, sc.resp.Code, 302)
+	location, ok := sc.resp.Header()["Location"]
+	assert.True(t, ok)
+	assert.Equal(t, location[0], "/")
+
+	setCookie, ok := sc.resp.Header()["Set-Cookie"]
+	assert.True(t, ok, "Set-Cookie exists")
+	assert.Equal(t, "grafana_session=; Path=/; Max-Age=0; HttpOnly", setCookie[0])
+}
+
+func setupAuthProxyLoginTest(grantLoginToken bool) *scenarioContext {
+	mockSetIndexViewData()
+	defer resetSetIndexViewData()
+
+	sc := setupScenarioContext("/login")
+	hs := &HTTPServer{
+		Cfg:              setting.NewCfg(),
+		License:          models.OSSLicensingService{},
+		AuthTokenService: auth.NewFakeUserAuthTokenService(),
+		log:              log.New("hello"),
+	}
+
+	sc.defaultHandler = Wrap(func(c *models.ReqContext) {
+		c.IsSignedIn = true
+		c.SignedInUser = &models.SignedInUser{
+			UserId: 10,
+		}
+		hs.LoginView(c)
+	})
+
+	setting.OAuthService = &setting.OAuther{}
+	setting.OAuthService.OAuthInfos = make(map[string]*setting.OAuthInfo)
+	setting.AuthProxyEnabled = true
+	setting.AuthProxyGrantLoginToken = grantLoginToken
+
+	sc.m.Get(sc.url, sc.defaultHandler)
+	sc.fakeReqNoAssertions("GET", sc.url).exec()
+
+	return sc
+}
@@ -143,13 +143,14 @@ var (
 	AnonymousOrgRole string
 
 	// Auth proxy settings
-	AuthProxyEnabled        bool
-	AuthProxyHeaderName     string
-	AuthProxyHeaderProperty string
-	AuthProxyAutoSignUp     bool
-	AuthProxyLDAPSyncTtl    int
-	AuthProxyWhitelist      string
-	AuthProxyHeaders        map[string]string
+	AuthProxyEnabled         bool
+	AuthProxyHeaderName      string
+	AuthProxyHeaderProperty  string
+	AuthProxyAutoSignUp      bool
+	AuthProxyGrantLoginToken bool
+	AuthProxyLDAPSyncTtl     int
+	AuthProxyWhitelist       string
+	AuthProxyHeaders         map[string]string
 
 	// Basic Auth
 	BasicAuthEnabled bool
@@ -854,6 +855,7 @@ func (cfg *Cfg) Load(args *CommandLineArgs) error {
 		return err
 	}
 	AuthProxyAutoSignUp = authProxy.Key("auto_sign_up").MustBool(true)
+	AuthProxyGrantLoginToken = authProxy.Key("grant_login_token").MustBool(true)
 	AuthProxyLDAPSyncTtl = authProxy.Key("ldap_sync_ttl").MustInt()
 	AuthProxyWhitelist, err = valueAsString(authProxy, "whitelist", "")
 	if err != nil {