grafana/pkg/api/dataproxy.go

package api

import (
	"net/http"
	"net/http/httputil"
	"net/url"
	"time"

	"github.com/grafana/grafana/pkg/api/cloudwatch"
	"github.com/grafana/grafana/pkg/bus"
	"github.com/grafana/grafana/pkg/metrics"
	"github.com/grafana/grafana/pkg/middleware"
	m "github.com/grafana/grafana/pkg/models"
	"github.com/grafana/grafana/pkg/setting"
	"github.com/grafana/grafana/pkg/util"
)

func NewReverseProxy(ds *m.DataSource, proxyPath string, targetUrl *url.URL) *httputil.ReverseProxy {
	director := func(req *http.Request) {
		req.URL.Scheme = targetUrl.Scheme
		req.URL.Host = targetUrl.Host
		req.Host = targetUrl.Host

		reqQueryVals := req.URL.Query()

		if ds.Type == m.DS_INFLUXDB_08 {
			req.URL.Path = util.JoinUrlFragments(targetUrl.Path, "db/"+ds.Database+"/"+proxyPath)
			reqQueryVals.Add("u", ds.User)
			reqQueryVals.Add("p", ds.Password)
			req.URL.RawQuery = reqQueryVals.Encode()
		} else if ds.Type == m.DS_INFLUXDB {
			req.URL.Path = util.JoinUrlFragments(targetUrl.Path, proxyPath)
			req.URL.RawQuery = reqQueryVals.Encode()
			if !ds.BasicAuth {
				req.Header.Del("Authorization")
				req.Header.Add("Authorization", util.GetBasicAuthHeader(ds.User, ds.Password))
			}
		} else {
			req.URL.Path = util.JoinUrlFragments(targetUrl.Path, proxyPath)
		}

		if ds.BasicAuth {
			req.Header.Del("Authorization")
			req.Header.Add("Authorization", util.GetBasicAuthHeader(ds.BasicAuthUser, ds.BasicAuthPassword))
		}

		dsAuth := req.Header.Get("X-DS-Authorization")
		if len(dsAuth) > 0 {
			req.Header.Del("X-DS-Authorization")
			req.Header.Del("Authorization")
			req.Header.Add("Authorization", dsAuth)
		}

		// clear cookie headers
		req.Header.Del("Cookie")
		req.Header.Del("Set-Cookie")
	}

	return &httputil.ReverseProxy{Director: director, FlushInterval: time.Millisecond * 200}
}

func getDatasource(id int64, orgId int64) (*m.DataSource, error) {
	query := m.GetDataSourceByIdQuery{Id: id, OrgId: orgId}
	if err := bus.Dispatch(&query); err != nil {
		return nil, err
	}

	return query.Result, nil
}

func ProxyDataSourceRequest(c *middleware.Context) {
	c.TimeRequest(metrics.M_DataSource_ProxyReq_Timer)

	ds, err := getDatasource(c.ParamsInt64(":id"), c.OrgId)

	if err != nil {
		c.JsonApiErr(500, "Unable to load datasource meta data", err)
		return
	}

	if ds.Type == m.DS_CLOUDWATCH {
		cloudwatch.HandleRequest(c, ds)
		return
	}

	if ds.Type == m.DS_INFLUXDB {
		if c.Query("db") != ds.Database {
			c.JsonApiErr(403, "Datasource is not configured to allow this database", nil)
			return
		}
	}

	targetUrl, _ := url.Parse(ds.Url)
	if len(setting.DataProxyWhiteList) > 0 {
		if _, exists := setting.DataProxyWhiteList[targetUrl.Host]; !exists {
			c.JsonApiErr(403, "Data proxy hostname and ip are not included in whitelist", nil)
			return
		}
	}

	proxyPath := c.Params("*")

	if ds.Type == m.DS_ES {
		if c.Req.Request.Method == "DELETE" {
			c.JsonApiErr(403, "Deletes not allowed on proxied Elasticsearch datasource", nil)
			return
		}
		if c.Req.Request.Method == "PUT" {
			c.JsonApiErr(403, "Puts not allowed on proxied Elasticsearch datasource", nil)
			return
		}
		if c.Req.Request.Method == "POST" && proxyPath != "_msearch" {
			c.JsonApiErr(403, "Posts not allowed on proxied Elasticsearch datasource except on /_msearch", nil)
			return
		}
	}

	proxy := NewReverseProxy(ds, proxyPath, targetUrl)
	proxy.Transport, err = ds.GetHttpTransport()
	if err != nil {
		c.JsonApiErr(400, "Unable to load TLS certificate", err)
		return
	}
	proxy.ServeHTTP(c.Resp, c.Req.Request)
	c.Resp.Header().Del("Set-Cookie")
}
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 2014-12-29 20:36:08 +08:00			`package api`

			`import (`
			`"net/http"`
			`"net/http/httputil"`
			`"net/url"`
allow data source proxy to proxy requests over self signed https connections, Closes #2069 2015-06-01 17:00:05 +08:00			`"time"`
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 2014-12-29 20:36:08 +08:00
feat(cloudwatch): refactoring and cleanup of backend code, started moving hard coded stuff in the frontend to the backend, changed name of metricFind queries region() -> regions() , and namespace() -> namespaces() to be more consistent with the others, #684 2015-10-02 17:10:21 +08:00			`"github.com/grafana/grafana/pkg/api/cloudwatch"`
Changed go package path 2015-02-05 17:37:13 +08:00			`"github.com/grafana/grafana/pkg/bus"`
feat(timing): timing is now working with graphite and influxdb 2016-06-03 15:17:36 +08:00			`"github.com/grafana/grafana/pkg/metrics"`
Changed go package path 2015-02-05 17:37:13 +08:00			`"github.com/grafana/grafana/pkg/middleware"`
			`m "github.com/grafana/grafana/pkg/models"`
feat(dataproxy): added whitelist setting and feature for data proxies, closes #2626 2015-09-09 23:21:25 +08:00			`"github.com/grafana/grafana/pkg/setting"`
Changed go package path 2015-02-05 17:37:13 +08:00			`"github.com/grafana/grafana/pkg/util"`
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 2014-12-29 20:36:08 +08:00			`)`

feat(dataproxy): added whitelist setting and feature for data proxies, closes #2626 2015-09-09 23:21:25 +08:00			`func NewReverseProxy(ds m.DataSource, proxyPath string, targetUrl url.URL) *httputil.ReverseProxy {`
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 2014-12-29 20:36:08 +08:00			`director := func(req *http.Request) {`
feat(dataproxy): added whitelist setting and feature for data proxies, closes #2626 2015-09-09 23:21:25 +08:00			`req.URL.Scheme = targetUrl.Scheme`
			`req.URL.Host = targetUrl.Host`
			`req.Host = targetUrl.Host`
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 2014-12-29 20:36:08 +08:00
			`reqQueryVals := req.URL.Query()`

Work on new datasource plugin model, #1276 #1472 2015-02-28 15:25:13 +08:00			`if ds.Type == m.DS_INFLUXDB_08 {`
feat(dataproxy): added whitelist setting and feature for data proxies, closes #2626 2015-09-09 23:21:25 +08:00			`req.URL.Path = util.JoinUrlFragments(targetUrl.Path, "db/"+ds.Database+"/"+proxyPath)`
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 2014-12-29 20:36:08 +08:00			`reqQueryVals.Add("u", ds.User)`
			`reqQueryVals.Add("p", ds.Password)`
			`req.URL.RawQuery = reqQueryVals.Encode()`
Work on new datasource plugin model, #1276 #1472 2015-02-28 15:25:13 +08:00			`} else if ds.Type == m.DS_INFLUXDB {`
feat(dataproxy): added whitelist setting and feature for data proxies, closes #2626 2015-09-09 23:21:25 +08:00			`req.URL.Path = util.JoinUrlFragments(targetUrl.Path, proxyPath)`
Made a copy of influxdb datasource named influxdb_08 so the main influxdb data source can be modified to support InfluxDB 0.9, made some initial experiments to get queries to work, but a lot more work is needed, #1525 2015-02-26 01:43:44 +08:00			`req.URL.RawQuery = reqQueryVals.Encode()`
influxdb(auth): fixed issue with using basic auth and influxdb, fixes #2455 2015-08-07 17:01:59 +08:00			`if !ds.BasicAuth {`
fix(influxdb): clear existing Authorization header when proxying request to InfluxDB, fixes #2778 2015-09-19 18:32:35 +08:00			`req.Header.Del("Authorization")`
influxdb(auth): fixed issue with using basic auth and influxdb, fixes #2455 2015-08-07 17:01:59 +08:00			`req.Header.Add("Authorization", util.GetBasicAuthHeader(ds.User, ds.Password))`
			`}`
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 2014-12-29 20:36:08 +08:00			`} else {`
feat(dataproxy): added whitelist setting and feature for data proxies, closes #2626 2015-09-09 23:21:25 +08:00			`req.URL.Path = util.JoinUrlFragments(targetUrl.Path, proxyPath)`
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 2014-12-29 20:36:08 +08:00			`}`
Added basic auth to data source edit/create, add support for basic auth in data source proxy code, Closes #1510 2015-03-02 16:58:35 +08:00
			`if ds.BasicAuth {`
fix(influxdb): clear existing Authorization header when proxying request to InfluxDB, fixes #2778 2015-09-19 18:32:35 +08:00			`req.Header.Del("Authorization")`
Added basic auth to data source edit/create, add support for basic auth in data source proxy code, Closes #1510 2015-03-02 16:58:35 +08:00			`req.Header.Add("Authorization", util.GetBasicAuthHeader(ds.BasicAuthUser, ds.BasicAuthPassword))`
			`}`
fix(data source proxy): clear proxies request from cookies, fixes #2470 2015-08-10 18:11:18 +08:00
Allow for proxying Authorization header and automatically convert (#4832) Authorization header to X-DS-Authorization in backend_srv.js 2016-05-26 13:13:29 +08:00			`dsAuth := req.Header.Get("X-DS-Authorization")`
			`if len(dsAuth) > 0 {`
			`req.Header.Del("X-DS-Authorization")`
			`req.Header.Del("Authorization")`
			`req.Header.Add("Authorization", dsAuth)`
			`}`

fix(data source proxy): clear proxies request from cookies, fixes #2470 2015-08-10 18:11:18 +08:00			`// clear cookie headers`
			`req.Header.Del("Cookie")`
			`req.Header.Del("Set-Cookie")`
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 2014-12-29 20:36:08 +08:00			`}`

feat(dataproxy): set flush interval, need a setting for this 2016-03-19 18:09:26 +08:00			`return &httputil.ReverseProxy{Director: director, FlushInterval: time.Millisecond * 200}`
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 2014-12-29 20:36:08 +08:00			`}`

fixed gofmt issue 2015-10-08 23:30:13 +08:00			`func getDatasource(id int64, orgId int64) (*m.DataSource, error) {`
			`query := m.GetDataSourceByIdQuery{Id: id, OrgId: orgId}`
Fixed anonymous access mode, Closes #1586 2015-03-12 00:34:11 +08:00			`if err := bus.Dispatch(&query); err != nil {`
fixed gofmt issue 2015-10-08 23:30:13 +08:00			`return nil, err`
			`}`

feat(alerting): requests looks to be working again 2016-06-06 23:11:46 +08:00			`return query.Result, nil`
fixed gofmt issue 2015-10-08 23:30:13 +08:00			`}`

			`func ProxyDataSourceRequest(c *middleware.Context) {`
feat(timing): timing is now working with graphite and influxdb 2016-06-03 15:17:36 +08:00			`c.TimeRequest(metrics.M_DataSource_ProxyReq_Timer)`

fixed gofmt issue 2015-10-08 23:30:13 +08:00			`ds, err := getDatasource(c.ParamsInt64(":id"), c.OrgId)`
feat(timing): timing is now working with graphite and influxdb 2016-06-03 15:17:36 +08:00
fixed gofmt issue 2015-10-08 23:30:13 +08:00			`if err != nil {`
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 2014-12-29 20:36:08 +08:00			`c.JsonApiErr(500, "Unable to load datasource meta data", err)`
Fixed anonymous access mode, Closes #1586 2015-03-12 00:34:11 +08:00			`return`
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 2014-12-29 20:36:08 +08:00			`}`

(cloudwatch) fix, don't block by white list (#5632) 2016-07-22 19:15:18 +08:00			`if ds.Type == m.DS_CLOUDWATCH {`
			`cloudwatch.HandleRequest(c, ds)`
			`return`
			`}`

fix(influxdb): enforce database restriction, fixes #6352 2016-10-22 16:03:02 +08:00			`if ds.Type == m.DS_INFLUXDB {`
			`if c.Query("db") != ds.Database {`
			`c.JsonApiErr(403, "Datasource is not configured to allow this database", nil)`
			`return`
			`}`
			`}`

feat(dataproxy): added whitelist setting and feature for data proxies, closes #2626 2015-09-09 23:21:25 +08:00			`targetUrl, _ := url.Parse(ds.Url)`
			`if len(setting.DataProxyWhiteList) > 0 {`
			`if _, exists := setting.DataProxyWhiteList[targetUrl.Host]; !exists {`
			`c.JsonApiErr(403, "Data proxy hostname and ip are not included in whitelist", nil)`
			`return`
			`}`
			`}`

(cloudwatch) fix, don't block by white list (#5632) 2016-07-22 19:15:18 +08:00			`proxyPath := c.Params("*")`
Secure Elasticsearch datasources a bit (#6031) Instead of allowing users to access the entire cluster, apply some sane restrictions. Change-Id: Ib2e93722bf2e39d700d4afa713ff49ec556f2fdf 2016-09-13 21:04:21 +08:00
			`if ds.Type == m.DS_ES {`
			`if c.Req.Request.Method == "DELETE" {`
			`c.JsonApiErr(403, "Deletes not allowed on proxied Elasticsearch datasource", nil)`
			`return`
			`}`
			`if c.Req.Request.Method == "PUT" {`
			`c.JsonApiErr(403, "Puts not allowed on proxied Elasticsearch datasource", nil)`
			`return`
			`}`
			`if c.Req.Request.Method == "POST" && proxyPath != "_msearch" {`
			`c.JsonApiErr(403, "Posts not allowed on proxied Elasticsearch datasource except on /_msearch", nil)`
			`return`
			`}`
			`}`

(cloudwatch) fix, don't block by white list (#5632) 2016-07-22 19:15:18 +08:00			`proxy := NewReverseProxy(ds, proxyPath, targetUrl)`
Use cache for http.client in tsdb package. (#6833) * datasource: move caching closer to datasource struct * tsdb: use cached version of datasource http transport closes #6825 2016-12-07 18:10:42 +08:00			`proxy.Transport, err = ds.GetHttpTransport()`
Added support for TLS client auth for datasource proxies (#5801) 2016-08-25 11:43:25 +08:00			`if err != nil {`
			`c.JsonApiErr(400, "Unable to load TLS certificate", err)`
			`return`
			`}`
(cloudwatch) fix, don't block by white list (#5632) 2016-07-22 19:15:18 +08:00			`proxy.ServeHTTP(c.Resp, c.Req.Request)`
			`c.Resp.Header().Del("Set-Cookie")`
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 2014-12-29 20:36:08 +08:00			`}`