2018-09-10 22:59:29 +08:00
|
|
|
package pluginproxy
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
|
|
|
|
"fmt"
|
|
|
|
|
"net/http"
|
|
|
|
|
"net/url"
|
|
|
|
|
"strings"
|
|
|
|
|
|
2020-03-04 19:57:20 +08:00
|
|
|
"github.com/grafana/grafana/pkg/models"
|
2018-09-10 22:59:29 +08:00
|
|
|
"github.com/grafana/grafana/pkg/plugins"
|
2021-10-07 22:33:50 +08:00
|
|
|
"github.com/grafana/grafana/pkg/services/encryption"
|
2021-05-14 19:59:07 +08:00
|
|
|
"github.com/grafana/grafana/pkg/setting"
|
2018-09-10 22:59:29 +08:00
|
|
|
"github.com/grafana/grafana/pkg/util"
|
|
|
|
|
)
|
|
|
|
|
|
2020-11-13 16:52:38 +08:00
|
|
|
// ApplyRoute should use the plugin route data to set auth headers and custom headers.
|
2021-03-08 14:02:49 +08:00
|
|
|
func ApplyRoute(ctx context.Context, req *http.Request, proxyPath string, route *plugins.AppPluginRoute,
|
2021-10-07 22:33:50 +08:00
|
|
|
ds *models.DataSource, cfg *setting.Cfg, encryptionService encryption.Service) {
|
2018-09-10 22:59:29 +08:00
|
|
|
proxyPath = strings.TrimPrefix(proxyPath, route.Path)
|
|
|
|
|
|
2021-10-07 22:33:50 +08:00
|
|
|
secureJsonData, err := encryptionService.DecryptJsonData(ctx, ds.SecureJsonData, setting.SecretKey)
|
|
|
|
|
if err != nil {
|
|
|
|
|
logger.Error("Error interpolating proxy url", "error", err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-09-10 22:59:29 +08:00
|
|
|
data := templateData{
|
|
|
|
|
JsonData: ds.JsonData.Interface().(map[string]interface{}),
|
2021-10-07 22:33:50 +08:00
|
|
|
SecureJsonData: secureJsonData,
|
2018-09-10 22:59:29 +08:00
|
|
|
}
|
|
|
|
|
|
2020-09-18 19:22:07 +08:00
|
|
|
if len(route.URL) > 0 {
|
2020-11-17 17:56:42 +08:00
|
|
|
interpolatedURL, err := interpolateString(route.URL, data)
|
2020-09-18 19:22:07 +08:00
|
|
|
if err != nil {
|
|
|
|
|
logger.Error("Error interpolating proxy url", "error", err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
routeURL, err := url.Parse(interpolatedURL)
|
|
|
|
|
if err != nil {
|
|
|
|
|
logger.Error("Error parsing plugin route url", "error", err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
req.URL.Scheme = routeURL.Scheme
|
|
|
|
|
req.URL.Host = routeURL.Host
|
|
|
|
|
req.Host = routeURL.Host
|
|
|
|
|
req.URL.Path = util.JoinURLFragments(routeURL.Path, proxyPath)
|
2018-09-10 22:59:29 +08:00
|
|
|
}
|
|
|
|
|
|
2020-04-24 16:32:13 +08:00
|
|
|
if err := addQueryString(req, route, data); err != nil {
|
|
|
|
|
logger.Error("Failed to render plugin URL query string", "error", err)
|
|
|
|
|
}
|
|
|
|
|
|
2018-09-10 22:59:29 +08:00
|
|
|
if err := addHeaders(&req.Header, route, data); err != nil {
|
|
|
|
|
logger.Error("Failed to render plugin headers", "error", err)
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-31 22:38:35 +08:00
|
|
|
if err := setBodyContent(req, route, data); err != nil {
|
|
|
|
|
logger.Error("Failed to set plugin route body content", "error", err)
|
|
|
|
|
}
|
|
|
|
|
|
2021-05-14 19:59:07 +08:00
|
|
|
if tokenProvider, err := getTokenProvider(ctx, cfg, ds, route, data); err != nil {
|
2021-05-07 04:05:23 +08:00
|
|
|
logger.Error("Failed to resolve auth token provider", "error", err)
|
|
|
|
|
} else if tokenProvider != nil {
|
2021-06-11 23:02:24 +08:00
|
|
|
if token, err := tokenProvider.GetAccessToken(); err != nil {
|
2018-09-10 22:59:29 +08:00
|
|
|
logger.Error("Failed to get access token", "error", err)
|
|
|
|
|
} else {
|
2018-12-01 03:12:55 +08:00
|
|
|
req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
|
2018-09-10 22:59:29 +08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2021-07-15 20:30:06 +08:00
|
|
|
if cfg.DataProxyLogging {
|
2021-06-15 21:03:24 +08:00
|
|
|
logger.Debug("Requesting", "url", req.URL.String())
|
|
|
|
|
}
|
2021-05-03 20:46:32 +08:00
|
|
|
}
|
2018-10-08 19:49:27 +08:00
|
|
|
|
2021-05-14 19:59:07 +08:00
|
|
|
func getTokenProvider(ctx context.Context, cfg *setting.Cfg, ds *models.DataSource, pluginRoute *plugins.AppPluginRoute,
|
2021-05-07 04:05:23 +08:00
|
|
|
data templateData) (accessTokenProvider, error) {
|
|
|
|
|
authType := pluginRoute.AuthType
|
2021-05-03 20:46:32 +08:00
|
|
|
|
2021-05-07 04:05:23 +08:00
|
|
|
// Plugin can override authentication type specified in route configuration
|
|
|
|
|
if authTypeOverride := ds.JsonData.Get("authenticationType").MustString(); authTypeOverride != "" {
|
|
|
|
|
authType = authTypeOverride
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
tokenAuth, err := interpolateAuthParams(pluginRoute.TokenAuth, data)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
jwtTokenAuth, err := interpolateAuthParams(pluginRoute.JwtTokenAuth, data)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
switch authType {
|
2021-05-14 19:59:07 +08:00
|
|
|
case "azure":
|
|
|
|
|
if tokenAuth == nil {
|
|
|
|
|
return nil, fmt.Errorf("'tokenAuth' not configured for authentication type '%s'", authType)
|
|
|
|
|
}
|
2021-07-05 18:20:12 +08:00
|
|
|
return newAzureAccessTokenProvider(ctx, cfg, tokenAuth)
|
2021-05-14 19:59:07 +08:00
|
|
|
|
2021-05-03 20:46:32 +08:00
|
|
|
case "gce":
|
2021-05-07 04:05:23 +08:00
|
|
|
if jwtTokenAuth == nil {
|
|
|
|
|
return nil, fmt.Errorf("'jwtTokenAuth' not configured for authentication type '%s'", authType)
|
|
|
|
|
}
|
|
|
|
|
provider := newGceAccessTokenProvider(ctx, ds, pluginRoute, jwtTokenAuth)
|
|
|
|
|
return provider, nil
|
|
|
|
|
|
2021-05-03 20:46:32 +08:00
|
|
|
case "jwt":
|
2021-05-07 04:05:23 +08:00
|
|
|
if jwtTokenAuth == nil {
|
|
|
|
|
return nil, fmt.Errorf("'jwtTokenAuth' not configured for authentication type '%s'", authType)
|
2021-05-03 20:46:32 +08:00
|
|
|
}
|
2021-05-07 04:05:23 +08:00
|
|
|
provider := newJwtAccessTokenProvider(ctx, ds, pluginRoute, jwtTokenAuth)
|
|
|
|
|
return provider, nil
|
|
|
|
|
|
|
|
|
|
case "":
|
|
|
|
|
// Fallback to authentication methods when authentication type isn't explicitly configured
|
|
|
|
|
if tokenAuth != nil {
|
|
|
|
|
provider := newGenericAccessTokenProvider(ds, pluginRoute, tokenAuth)
|
|
|
|
|
return provider, nil
|
2021-05-03 20:46:32 +08:00
|
|
|
}
|
2021-05-07 04:05:23 +08:00
|
|
|
if jwtTokenAuth != nil {
|
|
|
|
|
provider := newJwtAccessTokenProvider(ctx, ds, pluginRoute, jwtTokenAuth)
|
|
|
|
|
return provider, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// No authentication
|
|
|
|
|
return nil, nil
|
|
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
return nil, fmt.Errorf("authentication type '%s' not supported", authType)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func interpolateAuthParams(tokenAuth *plugins.JwtTokenAuth, data templateData) (*plugins.JwtTokenAuth, error) {
|
|
|
|
|
if tokenAuth == nil {
|
|
|
|
|
// Nothing to interpolate
|
|
|
|
|
return nil, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
interpolatedUrl, err := interpolateString(tokenAuth.Url, data)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
interpolatedParams := make(map[string]string)
|
|
|
|
|
for key, value := range tokenAuth.Params {
|
|
|
|
|
interpolatedParam, err := interpolateString(value, data)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
2018-10-03 23:08:13 +08:00
|
|
|
}
|
2021-05-07 04:05:23 +08:00
|
|
|
interpolatedParams[key] = interpolatedParam
|
2018-10-03 23:08:13 +08:00
|
|
|
}
|
|
|
|
|
|
2021-05-07 04:05:23 +08:00
|
|
|
return &plugins.JwtTokenAuth{
|
|
|
|
|
Url: interpolatedUrl,
|
|
|
|
|
Scopes: tokenAuth.Scopes,
|
|
|
|
|
Params: interpolatedParams,
|
|
|
|
|
}, nil
|
2018-09-10 22:59:29 +08:00
|
|
|
}
|
