root
/
grafana
mirror of https://github.com/grafana/grafana.git
1
0
Fork 0
Code Issues Actions 83 Packages Projects Releases Wiki Activity
grafana/pkg/api/pluginproxy/pluginproxy.go

230 lines
6.5 KiB
Go
Raw Normal View History

feat(app routes): worked on app routes, added unit test, changed Grafana-Context header to start with X to be standard compliant, got cloud saas queries to work via app route feature and header template
2016-02-10 23:43:35 +08:00
package pluginproxy
import (
Instrumentation: Proxy status code correction and various improvements (#47473) For a proxied request, e.g. Grafana's datasource or plugin proxy: If the request is cancelled, e.g. from the browser, the HTTP status code is now 499 Client closed request instead of 502 Bad gateway. If the request times out, e.g. takes longer time than allowed, the HTTP status code is now 504 Gateway timeout instead of 502 Bad gateway. This also means that request metrics and logs will get their status codes adjusted according to above. Fixes #46337 Fixes #46338
2022-04-11 19:17:08 +08:00
"bytes"
feat(app routes): worked on app routes, added unit test, changed Grafana-Context header to start with X to be standard compliant, got cloud saas queries to work via app route feature and header template
2016-02-10 23:43:35 +08:00
"encoding/json"
Handle ioutil deprecations (#53526) * replace ioutil.ReadFile -> os.ReadFile * replace ioutil.ReadAll -> io.ReadAll * replace ioutil.TempFile -> os.CreateTemp * replace ioutil.NopCloser -> io.NopCloser * replace ioutil.WriteFile -> os.WriteFile * replace ioutil.TempDir -> os.MkdirTemp * replace ioutil.Discard -> io.Discard
2022-08-10 21:37:51 +08:00
"io"
feat(app routes): worked on app routes, added unit test, changed Grafana-Context header to start with X to be standard compliant, got cloud saas queries to work via app route feature and header template
2016-02-10 23:43:35 +08:00
"net/http"
"net/url"
Plugins: Preserve trailing slash in plugin proxy (#86859) * Plugins: Preserve trailing slash in plugin proxy * enable toggle by default
2024-06-05 19:36:14 +08:00
"strings"
feat(app routes): worked on app routes, added unit test, changed Grafana-Context header to start with X to be standard compliant, got cloud saas queries to work via app route feature and header template
2016-02-10 23:43:35 +08:00
FeatureToggles: Add context and and an explicit global check (#78081)
2023-11-15 04:50:27 +08:00
"go.opentelemetry.io/otel/attribute"
Plugins: Handle app plugin proxy routes per request (#51835) Fixes #47530
2022-08-23 19:05:31 +08:00
"github.com/grafana/grafana/pkg/infra/tracing"
feat(app routes): worked on app routes, added unit test, changed Grafana-Context header to start with X to be standard compliant, got cloud saas queries to work via app route feature and header template
2016-02-10 23:43:35 +08:00
"github.com/grafana/grafana/pkg/plugins"
RBAC: Cover plugin routes (#80578) * RBAC: Cover plugin routes * Action instead of ReqAction * Fix test initializations * Fix NewPluginProxy call * Duplicate test to add RBAC checks * Cover legacy access control as well * Fix typo * action -> reqAction * Add example Co-authored-by: Andres Martinez Gotor <andres.martinez@grafana.com> --------- Co-authored-by: Andres Martinez Gotor <andres.martinez@grafana.com>
2024-01-17 23:32:23 +08:00
ac "github.com/grafana/grafana/pkg/services/accesscontrol"
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports
2023-01-27 15:50:36 +08:00
contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
IDforwarding: forward signed id to plugins (#75651) * Plugins: Add client middlware that forwards the signed grafana id token if present * DsProxy: Set grafana id header if id token exists * Add util function to apply id token to header * Only add id forwarding middleware if feature toggle is enabled * Add feature toggles to ds proxy and check if id forwarding is enabled * Clean up test setup * Change to use backend.ForwardHTTPHeaders interface * PluginProxy: Forward signed identity when feature toggle is enabled * PluginProxy: forrward signed id header
2023-10-02 15:14:10 +08:00
"github.com/grafana/grafana/pkg/services/featuremgmt"
RBAC: Allow plugins to use scoped actions (#90946) Co-authored-by: gamab <gabriel.mabille@grafana.com>
2024-07-25 22:22:42 +08:00
pluginac "github.com/grafana/grafana/pkg/services/pluginsintegration/pluginaccesscontrol"
Plugins: Migrate `plugincontext`, `adapters` and `pluginsettings` to pkg/services/pluginsintegration package (#64154) * migrate plugincontext, adapter and pluginsettings * add to CODEOWNERS * fix imports * fix CODEOWNERS * take pluginsettings * migrate wire stuff
2023-03-08 00:22:30 +08:00
"github.com/grafana/grafana/pkg/services/pluginsintegration/pluginsettings"
Encryption: Use secrets service (#40251) * Use secrets service in pluginproxy * Use secrets service in pluginxontext * Use secrets service in pluginsettings * Use secrets service in provisioning * Use secrets service in authinfoservice * Use secrets service in api * Use secrets service in sqlstore * Use secrets service in dashboardshapshots * Use secrets service in tsdb * Use secrets service in datasources * Use secrets service in alerting * Use secrets service in ngalert * Break cyclic dependancy * Refactor service * Break cyclic dependancy * Add FakeSecretsStore * Setup Secrets Service in sqlstore * Fix * Continue secrets service refactoring * Fix cyclic dependancy in sqlstore tests * Fix secrets service references * Fix linter errors * Add fake secrets service for tests * Refactor SetupTestSecretsService * Update setting up secret service in tests * Fix missing secrets service in multiorg_alertmanager_test * Use fake db in tests and sort imports * Use fake db in datasources tests * Fix more tests * Fix linter issues * Attempt to fix plugin proxy tests * Pass secrets service to getPluginProxiedRequest in pluginproxy tests * Fix pluginproxy tests * Revert using secrets service in alerting and provisioning * Update decryptFn in alerting migration * Rename defaultProvider to currentProvider * Use fake secrets service in alert channels tests * Refactor secrets service test helper * Update setting up secrets service in tests * Revert alerting changes in api * Add comments * Remove secrets service from background services * Convert global encryption functions into vars * Revert "Convert global encryption functions into vars" This reverts commit 498eb19859eba364a2400a6d7e73236b1c9a5b37. * Add feature toggle for envelope encryption * Rename toggle Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Joan López de la Franca Beltran <joanjan14@gmail.com>
2021-11-05 00:47:21 +08:00
"github.com/grafana/grafana/pkg/services/secrets"
Backend plugins: Prepare and clean request headers before resource calls (#22321) Moves common request proxy utilities to proxyutil package with support for removing X-Forwarded-Host, X-Forwarded-Port, X-Forwarded-Proto headers, setting X-Forwarded-For header and cleaning Cookie header. Using the proxyutil package to prepare and clean request headers before resource calls. Closes #21512
2020-03-03 18:45:16 +08:00
"github.com/grafana/grafana/pkg/setting"
feat(app routes): worked on app routes, added unit test, changed Grafana-Context header to start with X to be standard compliant, got cloud saas queries to work via app route feature and header template
2016-02-10 23:43:35 +08:00
"github.com/grafana/grafana/pkg/util"
Backend plugins: Prepare and clean request headers before resource calls (#22321) Moves common request proxy utilities to proxyutil package with support for removing X-Forwarded-Host, X-Forwarded-Port, X-Forwarded-Proto headers, setting X-Forwarded-For header and cleaning Cookie header. Using the proxyutil package to prepare and clean request headers before resource calls. Closes #21512
2020-03-03 18:45:16 +08:00
"github.com/grafana/grafana/pkg/util/proxyutil"
Plugins: Handle app plugin proxy routes per request (#51835) Fixes #47530
2022-08-23 19:05:31 +08:00
"github.com/grafana/grafana/pkg/web"
feat(app routes): worked on app routes, added unit test, changed Grafana-Context header to start with X to be standard compliant, got cloud saas queries to work via app route feature and header template
2016-02-10 23:43:35 +08:00
)
Plugins: Handle app plugin proxy routes per request (#51835) Fixes #47530
2022-08-23 19:05:31 +08:00
type PluginProxy struct {
RBAC: Cover plugin routes (#80578) * RBAC: Cover plugin routes * Action instead of ReqAction * Fix test initializations * Fix NewPluginProxy call * Duplicate test to add RBAC checks * Cover legacy access control as well * Fix typo * action -> reqAction * Add example Co-authored-by: Andres Martinez Gotor <andres.martinez@grafana.com> --------- Co-authored-by: Andres Martinez Gotor <andres.martinez@grafana.com>
2024-01-17 23:32:23 +08:00
accessControl ac.AccessControl
Plugins: Handle app plugin proxy routes per request (#51835) Fixes #47530
2022-08-23 19:05:31 +08:00
ps *pluginsettings.DTO
pluginRoutes []*plugins.Route
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports
2023-01-27 15:50:36 +08:00
ctx *contextmodel.ReqContext
Plugins: Handle app plugin proxy routes per request (#51835) Fixes #47530
2022-08-23 19:05:31 +08:00
proxyPath string
matchedRoute *plugins.Route
cfg *setting.Cfg
secretsService secrets.Service
tracer tracing.Tracer
transport *http.Transport
IDforwarding: forward signed id to plugins (#75651) * Plugins: Add client middlware that forwards the signed grafana id token if present * DsProxy: Set grafana id header if id token exists * Add util function to apply id token to header * Only add id forwarding middleware if feature toggle is enabled * Add feature toggles to ds proxy and check if id forwarding is enabled * Clean up test setup * Change to use backend.ForwardHTTPHeaders interface * PluginProxy: Forward signed identity when feature toggle is enabled * PluginProxy: forrward signed id header
2023-10-02 15:14:10 +08:00
features featuremgmt.FeatureToggles
feat(app routes): worked on app routes, added unit test, changed Grafana-Context header to start with X to be standard compliant, got cloud saas queries to work via app route feature and header template
2016-02-10 23:43:35 +08:00
}
Plugins: Handle app plugin proxy routes per request (#51835) Fixes #47530
2022-08-23 19:05:31 +08:00
// NewPluginProxy creates a plugin proxy.
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports
2023-01-27 15:50:36 +08:00
func NewPluginProxy(ps *pluginsettings.DTO, routes []*plugins.Route, ctx *contextmodel.ReqContext,
Plugins: Handle app plugin proxy routes per request (#51835) Fixes #47530
2022-08-23 19:05:31 +08:00
proxyPath string, cfg *setting.Cfg, secretsService secrets.Service, tracer tracing.Tracer,
RBAC: Cover plugin routes (#80578) * RBAC: Cover plugin routes * Action instead of ReqAction * Fix test initializations * Fix NewPluginProxy call * Duplicate test to add RBAC checks * Cover legacy access control as well * Fix typo * action -> reqAction * Add example Co-authored-by: Andres Martinez Gotor <andres.martinez@grafana.com> --------- Co-authored-by: Andres Martinez Gotor <andres.martinez@grafana.com>
2024-01-17 23:32:23 +08:00
transport *http.Transport, accessControl ac.AccessControl, features featuremgmt.FeatureToggles) (*PluginProxy, error) {
Plugins: Handle app plugin proxy routes per request (#51835) Fixes #47530
2022-08-23 19:05:31 +08:00
return &PluginProxy{
RBAC: Cover plugin routes (#80578) * RBAC: Cover plugin routes * Action instead of ReqAction * Fix test initializations * Fix NewPluginProxy call * Duplicate test to add RBAC checks * Cover legacy access control as well * Fix typo * action -> reqAction * Add example Co-authored-by: Andres Martinez Gotor <andres.martinez@grafana.com> --------- Co-authored-by: Andres Martinez Gotor <andres.martinez@grafana.com>
2024-01-17 23:32:23 +08:00
accessControl: accessControl,
Plugins: Handle app plugin proxy routes per request (#51835) Fixes #47530
2022-08-23 19:05:31 +08:00
ps: ps,
pluginRoutes: routes,
ctx: ctx,
proxyPath: proxyPath,
cfg: cfg,
secretsService: secretsService,
tracer: tracer,
transport: transport,
IDforwarding: forward signed id to plugins (#75651) * Plugins: Add client middlware that forwards the signed grafana id token if present * DsProxy: Set grafana id header if id token exists * Add util function to apply id token to header * Only add id forwarding middleware if feature toggle is enabled * Add feature toggles to ds proxy and check if id forwarding is enabled * Clean up test setup * Change to use backend.ForwardHTTPHeaders interface * PluginProxy: Forward signed identity when feature toggle is enabled * PluginProxy: forrward signed id header
2023-10-02 15:14:10 +08:00
features: features,
Plugins: Handle app plugin proxy routes per request (#51835) Fixes #47530
2022-08-23 19:05:31 +08:00
}, nil
}
Instrumentation: Proxy status code correction and various improvements (#47473) For a proxied request, e.g. Grafana's datasource or plugin proxy: If the request is cancelled, e.g. from the browser, the HTTP status code is now 499 Client closed request instead of 502 Bad gateway. If the request times out, e.g. takes longer time than allowed, the HTTP status code is now 504 Gateway timeout instead of 502 Bad gateway. This also means that request metrics and logs will get their status codes adjusted according to above. Fixes #46337 Fixes #46338
2022-04-11 19:17:08 +08:00
Plugins: Handle app plugin proxy routes per request (#51835) Fixes #47530
2022-08-23 19:05:31 +08:00
func (proxy *PluginProxy) HandleRequest() {
// found route if there are any
for _, route := range proxy.pluginRoutes {
// method match
if route.Method != "" && route.Method != "*" && route.Method != proxy.ctx.Req.Method {
continue
Fix panic when using complex dynamic URLs in app plugin routes (#27977) * remove unused function to interpolate URLs * share function to add headers between ds/plugin proxies * stop performing unnecessary plugin setting lookup * fix bug causing runtime errors when using complex templated URLs * lower case util functions not used outside of pluginproxy package * change test URL to a (valid) dummy URL to make intent clearer Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
2020-11-17 17:56:42 +08:00
}
Plugins: Handle app plugin proxy routes per request (#51835) Fixes #47530
2022-08-23 19:05:31 +08:00
t := web.NewTree()
t.Add(route.Path, nil)
_, params, isMatch := t.Match(proxy.proxyPath)
Encryption: Refactor securejsondata.SecureJsonData to stop relying on global functions (#38865) * Encryption: Add support to encrypt/decrypt sjd * Add datasources.Service as a proxy to datasources db operations * Encrypt ds.SecureJsonData before calling SQLStore * Move ds cache code into ds service * Fix tlsmanager tests * Fix pluginproxy tests * Remove some securejsondata.GetEncryptedJsonData usages * Add pluginsettings.Service as a proxy for plugin settings db operations * Add AlertNotificationService as a proxy for alert notification db operations * Remove some securejsondata.GetEncryptedJsonData usages * Remove more securejsondata.GetEncryptedJsonData usages * Fix lint errors * Minor fixes * Remove encryption global functions usages from ngalert * Fix lint errors * Minor fixes * Minor fixes * Remove securejsondata.DecryptedValue usage * Refactor the refactor * Remove securejsondata.DecryptedValue usage * Move securejsondata to migrations package * Move securejsondata to migrations package * Minor fix * Fix integration test * Fix integration tests * Undo undesired changes * Fix tests * Add context.Context into encryption methods * Fix tests * Fix tests * Fix tests * Trigger CI * Fix test * Add names to params of encryption service interface * Remove bus from CacheServiceImpl * Add logging * Add keys to logger Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Add missing key to logger Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Undo changes in markdown files * Fix formatting * Add context to secrets service * Rename decryptSecureJsonData to decryptSecureJsonDataFn * Name args in GetDecryptedValueFn * Add template back to NewAlertmanagerNotifier * Copy GetDecryptedValueFn to ngalert * Add logging to pluginsettings * Fix pluginsettings test Co-authored-by: Tania B <yalyna.ts@gmail.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-10-07 22:33:50 +08:00
Plugins: Handle app plugin proxy routes per request (#51835) Fixes #47530
2022-08-23 19:05:31 +08:00
if !isMatch {
continue
Fix panic when using complex dynamic URLs in app plugin routes (#27977) * remove unused function to interpolate URLs * share function to add headers between ds/plugin proxies * stop performing unnecessary plugin setting lookup * fix bug causing runtime errors when using complex templated URLs * lower case util functions not used outside of pluginproxy package * change test URL to a (valid) dummy URL to make intent clearer Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
2020-11-17 17:56:42 +08:00
}
RBAC: Cover plugin routes (#80578) * RBAC: Cover plugin routes * Action instead of ReqAction * Fix test initializations * Fix NewPluginProxy call * Duplicate test to add RBAC checks * Cover legacy access control as well * Fix typo * action -> reqAction * Add example Co-authored-by: Andres Martinez Gotor <andres.martinez@grafana.com> --------- Co-authored-by: Andres Martinez Gotor <andres.martinez@grafana.com>
2024-01-17 23:32:23 +08:00
if !proxy.hasAccessToRoute(route) {
proxy.ctx.JsonApiErr(http.StatusForbidden, "plugin proxy route access denied", nil)
return
Fix panic when using complex dynamic URLs in app plugin routes (#27977) * remove unused function to interpolate URLs * share function to add headers between ds/plugin proxies * stop performing unnecessary plugin setting lookup * fix bug causing runtime errors when using complex templated URLs * lower case util functions not used outside of pluginproxy package * change test URL to a (valid) dummy URL to make intent clearer Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
2020-11-17 17:56:42 +08:00
}
Plugins: Handle app plugin proxy routes per request (#51835) Fixes #47530
2022-08-23 19:05:31 +08:00
if path, exists := params["*"]; exists {
Plugins: Preserve trailing slash in plugin proxy (#86859) * Plugins: Preserve trailing slash in plugin proxy * enable toggle by default
2024-06-05 19:36:14 +08:00
hasSlash := strings.HasSuffix(proxy.proxyPath, "/")
Plugins: Handle app plugin proxy routes per request (#51835) Fixes #47530
2022-08-23 19:05:31 +08:00
proxy.proxyPath = path
Plugins: Preserve trailing slash in plugin proxy (#86859) * Plugins: Preserve trailing slash in plugin proxy * enable toggle by default
2024-06-05 19:36:14 +08:00
if hasSlash && !strings.HasSuffix(path, "/") && proxy.features.IsEnabled(proxy.ctx.Req.Context(), featuremgmt.FlagPluginProxyPreserveTrailingSlash) {
proxy.proxyPath += "/"
}
Plugins: Handle app plugin proxy routes per request (#51835) Fixes #47530
2022-08-23 19:05:31 +08:00
} else {
proxy.proxyPath = ""
feat(app routes): worked on app routes, added unit test, changed Grafana-Context header to start with X to be standard compliant, got cloud saas queries to work via app route feature and header template
2016-02-10 23:43:35 +08:00
}
Plugins: Handle app plugin proxy routes per request (#51835) Fixes #47530
2022-08-23 19:05:31 +08:00
proxy.matchedRoute = route
break
}
feat(app routes): worked on app routes, added unit test, changed Grafana-Context header to start with X to be standard compliant, got cloud saas queries to work via app route feature and header template
2016-02-10 23:43:35 +08:00
Plugins: Handle app plugin proxy routes per request (#51835) Fixes #47530
2022-08-23 19:05:31 +08:00
if proxy.matchedRoute == nil {
proxy.ctx.JsonApiErr(http.StatusNotFound, "plugin route match not found", nil)
return
}
Add custom header with grafana user and a config switch for it
2019-03-14 20:04:47 +08:00
Plugins: Handle app plugin proxy routes per request (#51835) Fixes #47530
2022-08-23 19:05:31 +08:00
proxyErrorLogger := logger.New(
"userId", proxy.ctx.UserID,
"orgId", proxy.ctx.OrgID,
"uname", proxy.ctx.Login,
"path", proxy.ctx.Req.URL.Path,
"remote_addr", proxy.ctx.RemoteAddr(),
"referer", proxy.ctx.Req.Referer(),
)
Plugins: Support set body content in plugin routes (#32551) Adds support for overriding the body and length in plugin routes.
2021-03-31 22:38:35 +08:00
Plugins: Handle app plugin proxy routes per request (#51835) Fixes #47530
2022-08-23 19:05:31 +08:00
reverseProxy := proxyutil.NewReverseProxy(
proxyErrorLogger,
proxy.director,
proxyutil.WithTransport(proxy.transport),
)
proxy.logRequest()
ctx, span := proxy.tracer.Start(proxy.ctx.Req.Context(), "plugin reverse proxy")
defer span.End()
proxy.ctx.Req = proxy.ctx.Req.WithContext(ctx)
Tracing: Standardize on otel tracing (#75528)
2023-10-03 20:54:20 +08:00
span.SetAttributes(
attribute.String("user", proxy.ctx.SignedInUser.Login),
attribute.Int64("org_id", proxy.ctx.SignedInUser.OrgID),
)
Plugins: Handle app plugin proxy routes per request (#51835) Fixes #47530
2022-08-23 19:05:31 +08:00
proxy.tracer.Inject(ctx, proxy.ctx.Req.Header, span)
reverseProxy.ServeHTTP(proxy.ctx.Resp, proxy.ctx.Req)
}
RBAC: Cover plugin routes (#80578) * RBAC: Cover plugin routes * Action instead of ReqAction * Fix test initializations * Fix NewPluginProxy call * Duplicate test to add RBAC checks * Cover legacy access control as well * Fix typo * action -> reqAction * Add example Co-authored-by: Andres Martinez Gotor <andres.martinez@grafana.com> --------- Co-authored-by: Andres Martinez Gotor <andres.martinez@grafana.com>
2024-01-17 23:32:23 +08:00
func (proxy *PluginProxy) hasAccessToRoute(route *plugins.Route) bool {
Update DS Proxy to use RBAC action (#87517) iam-team: Update DS Proxy to use RBAC action
2024-05-21 21:05:16 +08:00
useRBAC := proxy.features.IsEnabled(proxy.ctx.Req.Context(), featuremgmt.FlagAccessControlOnCall) && route.ReqAction != ""
RBAC: Cover plugin routes (#80578) * RBAC: Cover plugin routes * Action instead of ReqAction * Fix test initializations * Fix NewPluginProxy call * Duplicate test to add RBAC checks * Cover legacy access control as well * Fix typo * action -> reqAction * Add example Co-authored-by: Andres Martinez Gotor <andres.martinez@grafana.com> --------- Co-authored-by: Andres Martinez Gotor <andres.martinez@grafana.com>
2024-01-17 23:32:23 +08:00
if useRBAC {
RBAC: Allow plugins to use scoped actions (#90946) Co-authored-by: gamab <gabriel.mabille@grafana.com>
2024-07-25 22:22:42 +08:00
routeEval := pluginac.GetPluginRouteEvaluator(proxy.ps.PluginID, route.ReqAction)
hasAccess := ac.HasAccess(proxy.accessControl, proxy.ctx)(routeEval)
RBAC: Cover plugin routes (#80578) * RBAC: Cover plugin routes * Action instead of ReqAction * Fix test initializations * Fix NewPluginProxy call * Duplicate test to add RBAC checks * Cover legacy access control as well * Fix typo * action -> reqAction * Add example Co-authored-by: Andres Martinez Gotor <andres.martinez@grafana.com> --------- Co-authored-by: Andres Martinez Gotor <andres.martinez@grafana.com>
2024-01-17 23:32:23 +08:00
if !hasAccess {
proxy.ctx.Logger.Debug("plugin route is covered by RBAC, user doesn't have access", "route", proxy.ctx.Req.URL.Path)
}
return hasAccess
}
if route.ReqRole.IsValid() {
return proxy.ctx.HasUserRole(route.ReqRole)
}
return true
}
Plugins: Handle app plugin proxy routes per request (#51835) Fixes #47530
2022-08-23 19:05:31 +08:00
func (proxy PluginProxy) director(req *http.Request) {
secureJsonData, err := proxy.secretsService.DecryptJsonData(proxy.ctx.Req.Context(), proxy.ps.SecureJSONData)
if err != nil {
proxy.ctx.JsonApiErr(500, "Failed to decrypt plugin settings", err)
return
}
data := templateData{
JsonData: proxy.ps.JSONData,
SecureJsonData: secureJsonData,
}
interpolatedURL, err := interpolateString(proxy.matchedRoute.URL, data)
if err != nil {
proxy.ctx.JsonApiErr(500, "Could not interpolate plugin route url", err)
return
}
targetURL, err := url.Parse(interpolatedURL)
if err != nil {
proxy.ctx.JsonApiErr(500, "Could not parse url", err)
return
}
req.URL.Scheme = targetURL.Scheme
req.URL.Host = targetURL.Host
req.Host = targetURL.Host
req.URL.Path = util.JoinURLFragments(targetURL.Path, proxy.proxyPath)
// clear cookie headers
req.Header.Del("Cookie")
req.Header.Del("Set-Cookie")
// Create a HTTP header with the context in it.
ctxJSON, err := json.Marshal(proxy.ctx.SignedInUser)
if err != nil {
proxy.ctx.JsonApiErr(500, "failed to marshal context to json.", err)
return
feat(app routes): worked on app routes, added unit test, changed Grafana-Context header to start with X to be standard compliant, got cloud saas queries to work via app route feature and header template
2016-02-10 23:43:35 +08:00
}
Plugins: Handle app plugin proxy routes per request (#51835) Fixes #47530
2022-08-23 19:05:31 +08:00
req.Header.Set("X-Grafana-Context", string(ctxJSON))
Instrumentation: Proxy status code correction and various improvements (#47473) For a proxied request, e.g. Grafana's datasource or plugin proxy: If the request is cancelled, e.g. from the browser, the HTTP status code is now 499 Client closed request instead of 502 Bad gateway. If the request times out, e.g. takes longer time than allowed, the HTTP status code is now 504 Gateway timeout instead of 502 Bad gateway. This also means that request metrics and logs will get their status codes adjusted according to above. Fixes #46337 Fixes #46338
2022-04-11 19:17:08 +08:00
Plugins: Forward user header (X-Grafana-User) in backend plugin requests (#58646) Grafana would forward the X-Grafana-User header to backend plugin request when dataproxy.send_user_header is enabled. In addition, X-Grafana-User will be automatically forwarded in outgoing HTTP requests for core/builtin HTTP datasources. Use grafana-plugin-sdk-go v0.147.0. Fixes #47734 Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
2022-12-15 22:28:25 +08:00
proxyutil.ApplyUserHeader(proxy.cfg.SendUserHeader, req, proxy.ctx.SignedInUser)
Auth: remove id token flag (#92209)
2024-08-21 21:30:17 +08:00
proxyutil.ApplyForwardIDHeader(req, proxy.ctx.SignedInUser)
IDforwarding: forward signed id to plugins (#75651) * Plugins: Add client middlware that forwards the signed grafana id token if present * DsProxy: Set grafana id header if id token exists * Add util function to apply id token to header * Only add id forwarding middleware if feature toggle is enabled * Add feature toggles to ds proxy and check if id forwarding is enabled * Clean up test setup * Change to use backend.ForwardHTTPHeaders interface * PluginProxy: Forward signed identity when feature toggle is enabled * PluginProxy: forrward signed id header
2023-10-02 15:14:10 +08:00
Plugins: Handle app plugin proxy routes per request (#51835) Fixes #47530
2022-08-23 19:05:31 +08:00
if err := addHeaders(&req.Header, proxy.matchedRoute, data); err != nil {
proxy.ctx.JsonApiErr(500, "Failed to render plugin headers", err)
return
}
if err := setBodyContent(req, proxy.matchedRoute, data); err != nil {
Logging: Introduce API for contextual logging (#55198) Introduces a FromContext method on the log.Logger interface that allows contextual key/value pairs to be attached, e.g. per request, so that any logger using this API will automatically get the per request context attached. The proposal makes the traceID available for contextual logger , if available, and would allow logs originating from a certain HTTP request to be correlated with traceID. In addition, when tracing not enabled, skip adding traceID=00000000000000000000000000000000 to logs.
2022-09-21 00:32:06 +08:00
logger.FromContext(req.Context()).Error("Failed to set plugin route body content", "error", err)
Plugins: Handle app plugin proxy routes per request (#51835) Fixes #47530
2022-08-23 19:05:31 +08:00
}
Security: Sync security changes on main (#45083) * * Teams: Appropriately apply user id filter in /api/teams/:id and /api/teams/search * Teams: Ensure that users searching for teams are only able see teams they have access to * Teams: Require teamGuardian admin privileges to list team members * Teams: Prevent org viewers from administering teams * Teams: Add org_id condition to team count query * Teams: clarify permission requirements in teams api docs * Teams: expand scenarios for team search tests * Teams: mock teamGuardian in tests Co-authored-by: Dan Cech <dcech@grafana.com> * remove duplicate WHERE statement * Fix for CVE-2022-21702 (cherry picked from commit 202d7c190082c094bc1dc13f7fe9464746c37f9e) * Lint and test fixes (cherry picked from commit 3e6b67d5504abf4a1d7b8d621f04d062c048e981) * check content type properly (cherry picked from commit 70b4458892bf2f776302720c10d24c9ff34edd98) * basic csrf origin check (cherry picked from commit 3adaa5ff39832364f6390881fb5b42ad47df92e1) * compare origin to host (cherry picked from commit 5443892699e8ed42836bb2b9a44744ff3e970f42) * simplify url parsing (cherry picked from commit b2ffbc9513fed75468628370a48b929d30af2b1d) * check csrf for GET requests, only compare origin (cherry picked from commit 8b81dc12d8f8a1f07852809c5b4d44f0f0b1d709) * parse content type properly (cherry picked from commit 16f76f4902e6f2188bea9606c68b551af186bdc0) * mentioned get in the comment (cherry picked from commit a7e61811ef8ae558ce721e2e3fed04ce7a5a5345) * add content-type: application/json to test HTTP requests * fix pluginproxy test * Fix linter when comparing errors Co-authored-by: Kevin Minehart <kmineh0151@gmail.com> Co-authored-by: Dan Cech <dcech@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> Co-authored-by: Serge Zaitsev <serge.zaitsev@grafana.com> Co-authored-by: Vardan Torosyan <vardants@gmail.com>
2022-02-09 20:44:38 +08:00
}
Plugins: Handle app plugin proxy routes per request (#51835) Fixes #47530
2022-08-23 19:05:31 +08:00
func (proxy PluginProxy) logRequest() {
if !proxy.cfg.DataProxyLogging {
Instrumentation: Proxy status code correction and various improvements (#47473) For a proxied request, e.g. Grafana's datasource or plugin proxy: If the request is cancelled, e.g. from the browser, the HTTP status code is now 499 Client closed request instead of 502 Bad gateway. If the request times out, e.g. takes longer time than allowed, the HTTP status code is now 504 Gateway timeout instead of 502 Bad gateway. This also means that request metrics and logs will get their status codes adjusted according to above. Fixes #46337 Fixes #46338
2022-04-11 19:17:08 +08:00
return
}
var body string
Plugins: Handle app plugin proxy routes per request (#51835) Fixes #47530
2022-08-23 19:05:31 +08:00
if proxy.ctx.Req.Body != nil {
buffer, err := io.ReadAll(proxy.ctx.Req.Body)
Instrumentation: Proxy status code correction and various improvements (#47473) For a proxied request, e.g. Grafana's datasource or plugin proxy: If the request is cancelled, e.g. from the browser, the HTTP status code is now 499 Client closed request instead of 502 Bad gateway. If the request times out, e.g. takes longer time than allowed, the HTTP status code is now 504 Gateway timeout instead of 502 Bad gateway. This also means that request metrics and logs will get their status codes adjusted according to above. Fixes #46337 Fixes #46338
2022-04-11 19:17:08 +08:00
if err == nil {
Plugins: Handle app plugin proxy routes per request (#51835) Fixes #47530
2022-08-23 19:05:31 +08:00
proxy.ctx.Req.Body = io.NopCloser(bytes.NewBuffer(buffer))
Instrumentation: Proxy status code correction and various improvements (#47473) For a proxied request, e.g. Grafana's datasource or plugin proxy: If the request is cancelled, e.g. from the browser, the HTTP status code is now 499 Client closed request instead of 502 Bad gateway. If the request times out, e.g. takes longer time than allowed, the HTTP status code is now 504 Gateway timeout instead of 502 Bad gateway. This also means that request metrics and logs will get their status codes adjusted according to above. Fixes #46337 Fixes #46338
2022-04-11 19:17:08 +08:00
body = string(buffer)
}
}
Security: Sync security changes on main (#45083) * * Teams: Appropriately apply user id filter in /api/teams/:id and /api/teams/search * Teams: Ensure that users searching for teams are only able see teams they have access to * Teams: Require teamGuardian admin privileges to list team members * Teams: Prevent org viewers from administering teams * Teams: Add org_id condition to team count query * Teams: clarify permission requirements in teams api docs * Teams: expand scenarios for team search tests * Teams: mock teamGuardian in tests Co-authored-by: Dan Cech <dcech@grafana.com> * remove duplicate WHERE statement * Fix for CVE-2022-21702 (cherry picked from commit 202d7c190082c094bc1dc13f7fe9464746c37f9e) * Lint and test fixes (cherry picked from commit 3e6b67d5504abf4a1d7b8d621f04d062c048e981) * check content type properly (cherry picked from commit 70b4458892bf2f776302720c10d24c9ff34edd98) * basic csrf origin check (cherry picked from commit 3adaa5ff39832364f6390881fb5b42ad47df92e1) * compare origin to host (cherry picked from commit 5443892699e8ed42836bb2b9a44744ff3e970f42) * simplify url parsing (cherry picked from commit b2ffbc9513fed75468628370a48b929d30af2b1d) * check csrf for GET requests, only compare origin (cherry picked from commit 8b81dc12d8f8a1f07852809c5b4d44f0f0b1d709) * parse content type properly (cherry picked from commit 16f76f4902e6f2188bea9606c68b551af186bdc0) * mentioned get in the comment (cherry picked from commit a7e61811ef8ae558ce721e2e3fed04ce7a5a5345) * add content-type: application/json to test HTTP requests * fix pluginproxy test * Fix linter when comparing errors Co-authored-by: Kevin Minehart <kmineh0151@gmail.com> Co-authored-by: Dan Cech <dcech@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> Co-authored-by: Serge Zaitsev <serge.zaitsev@grafana.com> Co-authored-by: Vardan Torosyan <vardants@gmail.com>
2022-02-09 20:44:38 +08:00
Logging: Introduce API for contextual logging (#55198) Introduces a FromContext method on the log.Logger interface that allows contextual key/value pairs to be attached, e.g. per request, so that any logger using this API will automatically get the per request context attached. The proposal makes the traceID available for contextual logger , if available, and would allow logs originating from a certain HTTP request to be correlated with traceID. In addition, when tracing not enabled, skip adding traceID=00000000000000000000000000000000 to logs.
2022-09-21 00:32:06 +08:00
ctxLogger := logger.FromContext(proxy.ctx.Req.Context())
ctxLogger.Info("Proxying incoming request",
Plugins: Handle app plugin proxy routes per request (#51835) Fixes #47530
2022-08-23 19:05:31 +08:00
"userid", proxy.ctx.UserID,
"orgid", proxy.ctx.OrgID,
"username", proxy.ctx.Login,
"app", proxy.ps.PluginID,
"uri", proxy.ctx.Req.RequestURI,
"method", proxy.ctx.Req.Method,
Instrumentation: Proxy status code correction and various improvements (#47473) For a proxied request, e.g. Grafana's datasource or plugin proxy: If the request is cancelled, e.g. from the browser, the HTTP status code is now 499 Client closed request instead of 502 Bad gateway. If the request times out, e.g. takes longer time than allowed, the HTTP status code is now 504 Gateway timeout instead of 502 Bad gateway. This also means that request metrics and logs will get their status codes adjusted according to above. Fixes #46337 Fixes #46338
2022-04-11 19:17:08 +08:00
"body", body)
feat(app routes): worked on app routes, added unit test, changed Grafana-Context header to start with X to be standard compliant, got cloud saas queries to work via app route feature and header template
2016-02-10 23:43:35 +08:00
}
Plugins: Handle app plugin proxy routes per request (#51835) Fixes #47530
2022-08-23 19:05:31 +08:00
type templateData struct {
Plugins Proxy: Allow using {{ .URL }} inside "routes" section in plugin.json (#80858) Signed-off-by: Slach <bloodjazman@gmail.com> Co-authored-by: Andres Martinez Gotor <andres.mgotor@gmail.com>
2024-02-02 16:23:07 +08:00
URL string
Chore: use any rather than interface{} (#74066)
2023-08-30 23:46:47 +08:00
JsonData map[string]any
Plugins: Handle app plugin proxy routes per request (#51835) Fixes #47530
2022-08-23 19:05:31 +08:00
SecureJsonData map[string]string
}