grafana/pkg/api/app_routes.go

package api

import (
	"crypto/tls"
	"net"
	"net/http"
	"strings"
	"time"

	"github.com/grafana/grafana/pkg/api/pluginproxy"
	"github.com/grafana/grafana/pkg/infra/log"
	"github.com/grafana/grafana/pkg/middleware"
	"github.com/grafana/grafana/pkg/models"
	"github.com/grafana/grafana/pkg/plugins"
	"github.com/grafana/grafana/pkg/util"
	"github.com/grafana/grafana/pkg/web"
)

var pluginProxyTransport *http.Transport

func (hs *HTTPServer) initAppPluginRoutes(r *web.Mux) {
	pluginProxyTransport = &http.Transport{
		TLSClientConfig: &tls.Config{
			InsecureSkipVerify: hs.Cfg.PluginsAppsSkipVerifyTLS,
			Renegotiation:      tls.RenegotiateFreelyAsClient,
		},
		Proxy: http.ProxyFromEnvironment,
		Dial: (&net.Dialer{
			Timeout:   30 * time.Second,
			KeepAlive: 30 * time.Second,
		}).Dial,
		TLSHandshakeTimeout: 10 * time.Second,
	}

	for _, plugin := range hs.PluginManager.Apps() {
		for _, route := range plugin.Routes {
			url := util.JoinURLFragments("/api/plugin-proxy/"+plugin.Id, route.Path)
			handlers := make([]web.Handler, 0)
			handlers = append(handlers, middleware.Auth(&middleware.AuthOptions{
				ReqSignedIn: true,
			}))

			if route.ReqRole != "" {
				if route.ReqRole == models.ROLE_ADMIN {
					handlers = append(handlers, middleware.RoleAuth(models.ROLE_ADMIN))
				} else if route.ReqRole == models.ROLE_EDITOR {
					handlers = append(handlers, middleware.RoleAuth(models.ROLE_EDITOR, models.ROLE_ADMIN))
				}
			}
			handlers = append(handlers, AppPluginRoute(route, plugin.Id, hs))
			for _, method := range strings.Split(route.Method, ",") {
				r.Handle(strings.TrimSpace(method), url, handlers)
			}
			log.Debug("Plugins: Adding proxy route", "url", url)
		}
	}
}

func AppPluginRoute(route *plugins.AppPluginRoute, appID string, hs *HTTPServer) web.Handler {
	return func(c *models.ReqContext) {
		path := web.Params(c.Req)["*"]

		proxy := pluginproxy.NewApiPluginProxy(c, path, route, appID, hs.Cfg, hs.EncryptionService)
		proxy.Transport = pluginProxyTransport
		proxy.ServeHTTP(c.Resp, c.Req)
	}
}
initial import of thirdParty route support 2015-10-06 17:20:50 +08:00			`package api`

			`import (`
Added support for TLS client auth for datasource proxies (#5801) 2016-08-25 11:43:25 +08:00			`"crypto/tls"`
			`"net"`
			`"net/http"`
Plugins: Support multiple HTTP methods in plugin.json routes (#39069) * Fix: support comma-separated methods in plugin.json * update docs about multiple methods per route 2021-09-13 19:32:11 +08:00			`"strings"`
Added support for TLS client auth for datasource proxies (#5801) 2016-08-25 11:43:25 +08:00			`"time"`

feat(app routes): worked on app routes, added unit test, changed Grafana-Context header to start with X to be standard compliant, got cloud saas queries to work via app route feature and header template 2016-02-10 23:43:35 +08:00			`"github.com/grafana/grafana/pkg/api/pluginproxy"`
move log package to /infra (#17023) ref #14679 Signed-off-by: zhulongcheng <zhulongcheng.me@gmail.com> 2019-05-13 14:45:54 +08:00			`"github.com/grafana/grafana/pkg/infra/log"`
initial import of thirdParty route support 2015-10-06 17:20:50 +08:00			`"github.com/grafana/grafana/pkg/middleware"`
Chore: Avoid aliasing importing models in api package (#22492) 2020-03-04 19:57:20 +08:00			`"github.com/grafana/grafana/pkg/models"`
initial import of thirdParty route support 2015-10-06 17:20:50 +08:00			`"github.com/grafana/grafana/pkg/plugins"`
			`"github.com/grafana/grafana/pkg/util"`
Chore: replace macaron with web package (#40136) * replace macaron with web package * add web.go 2021-10-11 20:30:59 +08:00			`"github.com/grafana/grafana/pkg/web"`
initial import of thirdParty route support 2015-10-06 17:20:50 +08:00			`)`

Always verify TLS unless explicitly told otherwise TLS was not being verified in a number of places: - connections to grafana.com - connections to OAuth providers when TLS client authentication was enabled - connections to self-hosted Grafana installations when using the CLI tool TLS should always be verified unless the user explicitly enables an option to skip verification. Removes some instances where `InsecureSkipVerify` is explicitly set to `false`, the default, to help avoid confusion and make it more difficult to regress on this fix by accident. Adds a `--insecure` flag to `grafana-cli` to skip TLS verification. Adds a `tls_skip_verify_insecure` setting for OAuth. Adds a `app_tls_skip_verify_insecure` setting under a new `[plugins]` section. I'm not super happy with the way the global setting is used by `pkg/api/app_routes.go` but that seems to be the existing pattern used. 2017-09-28 18:10:59 +08:00			`var pluginProxyTransport *http.Transport`
Added support for TLS client auth for datasource proxies (#5801) 2016-08-25 11:43:25 +08:00
Chore: replace macaron with web package (#40136) * replace macaron with web package * add web.go 2021-10-11 20:30:59 +08:00			`func (hs HTTPServer) initAppPluginRoutes(r web.Mux) {`
Always verify TLS unless explicitly told otherwise TLS was not being verified in a number of places: - connections to grafana.com - connections to OAuth providers when TLS client authentication was enabled - connections to self-hosted Grafana installations when using the CLI tool TLS should always be verified unless the user explicitly enables an option to skip verification. Removes some instances where `InsecureSkipVerify` is explicitly set to `false`, the default, to help avoid confusion and make it more difficult to regress on this fix by accident. Adds a `--insecure` flag to `grafana-cli` to skip TLS verification. Adds a `tls_skip_verify_insecure` setting for OAuth. Adds a `app_tls_skip_verify_insecure` setting under a new `[plugins]` section. I'm not super happy with the way the global setting is used by `pkg/api/app_routes.go` but that seems to be the existing pattern used. 2017-09-28 18:10:59 +08:00			`pluginProxyTransport = &http.Transport{`
			`TLSClientConfig: &tls.Config{`
Plugins: Unifying alpha state & options for all plugins (#16530) * app pages * app pages * workign example * started alpha support * remove app stuff * show warning on alpha/beta panels * put app back on plugin file * fix go * add enum for PluginType and PluginIncludeType * Refactoring and moving settings to plugins section fixes #16529 2019-04-12 19:46:42 +08:00			`InsecureSkipVerify: hs.Cfg.PluginsAppsSkipVerifyTLS,`
Always verify TLS unless explicitly told otherwise TLS was not being verified in a number of places: - connections to grafana.com - connections to OAuth providers when TLS client authentication was enabled - connections to self-hosted Grafana installations when using the CLI tool TLS should always be verified unless the user explicitly enables an option to skip verification. Removes some instances where `InsecureSkipVerify` is explicitly set to `false`, the default, to help avoid confusion and make it more difficult to regress on this fix by accident. Adds a `--insecure` flag to `grafana-cli` to skip TLS verification. Adds a `tls_skip_verify_insecure` setting for OAuth. Adds a `app_tls_skip_verify_insecure` setting under a new `[plugins]` section. I'm not super happy with the way the global setting is used by `pkg/api/app_routes.go` but that seems to be the existing pattern used. 2017-09-28 18:10:59 +08:00			`Renegotiation: tls.RenegotiateFreelyAsClient,`
			`},`
			`Proxy: http.ProxyFromEnvironment,`
			`Dial: (&net.Dialer{`
			`Timeout: 30 * time.Second,`
			`KeepAlive: 30 * time.Second,`
			`}).Dial,`
			`TLSHandshakeTimeout: 10 * time.Second,`
			`}`

PluginManager: Make remaining plugin state non-global (#32094) * PluginDashboards: Use plugin manager interface Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * PluginManager: Make panels non-global Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * PluginManager: Make apps non-global Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * PluginManager: Make static routes non-global Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * PluginManager: Make pluginTypes non-global Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> 2021-03-18 20:53:01 +08:00			`for _, plugin := range hs.PluginManager.Apps() {`
feat(external plugins): worked on supporting external plugins better 2015-11-20 01:44:07 +08:00			`for _, route := range plugin.Routes {`
pkg/util/{ip.go,url.go}: Fix some golint issues See, $ gometalinter --vendor --deadline 10m --disable-all --enable=golint ./... ip.go:8:6:warning: func SplitIpPort should be SplitIPPort (golint) url.go:14:6:warning: func NewUrlQueryReader should be NewURLQueryReader (golint) url.go:9:6:warning: type UrlQueryReader should be URLQueryReader (golint) url.go:37:6:warning: func JoinUrlFragments should be JoinURLFragments (golint) 2019-01-29 05:18:48 +08:00			`url := util.JoinURLFragments("/api/plugin-proxy/"+plugin.Id, route.Path)`
Chore: replace macaron with web package (#40136) * replace macaron with web package * add web.go 2021-10-11 20:30:59 +08:00			`handlers := make([]web.Handler, 0)`
feat(app routes): worked on app routes, added unit test, changed Grafana-Context header to start with X to be standard compliant, got cloud saas queries to work via app route feature and header template 2016-02-10 23:43:35 +08:00			`handlers = append(handlers, middleware.Auth(&middleware.AuthOptions{`
dataproxy: refactoring data source proxy to support route templates and wrote more tests for data proxy code, #9078 2017-08-23 16:52:31 +08:00			`ReqSignedIn: true,`
feat(app routes): worked on app routes, added unit test, changed Grafana-Context header to start with X to be standard compliant, got cloud saas queries to work via app route feature and header template 2016-02-10 23:43:35 +08:00			`}))`

			`if route.ReqRole != "" {`
Chore: Avoid aliasing importing models in api package (#22492) 2020-03-04 19:57:20 +08:00			`if route.ReqRole == models.ROLE_ADMIN {`
			`handlers = append(handlers, middleware.RoleAuth(models.ROLE_ADMIN))`
			`} else if route.ReqRole == models.ROLE_EDITOR {`
			`handlers = append(handlers, middleware.RoleAuth(models.ROLE_EDITOR, models.ROLE_ADMIN))`
implement role access checks on external-plugin routes. 2015-11-27 16:26:30 +08:00			`}`
			`}`
Add custom header with grafana user and a config switch for it 2019-03-14 20:04:47 +08:00			`handlers = append(handlers, AppPluginRoute(route, plugin.Id, hs))`
Plugins: Support multiple HTTP methods in plugin.json routes (#39069) * Fix: support comma-separated methods in plugin.json * update docs about multiple methods per route 2021-09-13 19:32:11 +08:00			`for _, method := range strings.Split(route.Method, ",") {`
			`r.Handle(strings.TrimSpace(method), url, handlers)`
			`}`
remove crit and trace (#40320) 2021-10-26 23:36:24 +08:00			`log.Debug("Plugins: Adding proxy route", "url", url)`
initial import of thirdParty route support 2015-10-06 17:20:50 +08:00			`}`
			`}`
			`}`

Chore: replace macaron with web package (#40136) * replace macaron with web package * add web.go 2021-10-11 20:30:59 +08:00			`func AppPluginRoute(route plugins.AppPluginRoute, appID string, hs HTTPServer) web.Handler {`
Chore: Avoid aliasing importing models in api package (#22492) 2020-03-04 19:57:20 +08:00			`return func(c *models.ReqContext) {`
Chore: replace macaron with web package (#40136) * replace macaron with web package * add web.go 2021-10-11 20:30:59 +08:00			`path := web.Params(c.Req)["*"]`
initial import of thirdParty route support 2015-10-06 17:20:50 +08:00
Encryption: Refactor securejsondata.SecureJsonData to stop relying on global functions (#38865) * Encryption: Add support to encrypt/decrypt sjd * Add datasources.Service as a proxy to datasources db operations * Encrypt ds.SecureJsonData before calling SQLStore * Move ds cache code into ds service * Fix tlsmanager tests * Fix pluginproxy tests * Remove some securejsondata.GetEncryptedJsonData usages * Add pluginsettings.Service as a proxy for plugin settings db operations * Add AlertNotificationService as a proxy for alert notification db operations * Remove some securejsondata.GetEncryptedJsonData usages * Remove more securejsondata.GetEncryptedJsonData usages * Fix lint errors * Minor fixes * Remove encryption global functions usages from ngalert * Fix lint errors * Minor fixes * Minor fixes * Remove securejsondata.DecryptedValue usage * Refactor the refactor * Remove securejsondata.DecryptedValue usage * Move securejsondata to migrations package * Move securejsondata to migrations package * Minor fix * Fix integration test * Fix integration tests * Undo undesired changes * Fix tests * Add context.Context into encryption methods * Fix tests * Fix tests * Fix tests * Trigger CI * Fix test * Add names to params of encryption service interface * Remove bus from CacheServiceImpl * Add logging * Add keys to logger Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Add missing key to logger Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Undo changes in markdown files * Fix formatting * Add context to secrets service * Rename decryptSecureJsonData to decryptSecureJsonDataFn * Name args in GetDecryptedValueFn * Add template back to NewAlertmanagerNotifier * Copy GetDecryptedValueFn to ngalert * Add logging to pluginsettings * Fix pluginsettings test Co-authored-by: Tania B <yalyna.ts@gmail.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-10-07 22:33:50 +08:00			`proxy := pluginproxy.NewApiPluginProxy(c, path, route, appID, hs.Cfg, hs.EncryptionService)`
Added support for TLS client auth for datasource proxies (#5801) 2016-08-25 11:43:25 +08:00			`proxy.Transport = pluginProxyTransport`
Macaron: remove custom Request type (#37874) * remove macaron.Request, use http.Request instead * remove com dependency from bindings module * fix another c.Req.Request 2021-09-01 17:18:30 +08:00			`proxy.ServeHTTP(c.Resp, c.Req)`
initial import of thirdParty route support 2015-10-06 17:20:50 +08:00			`}`
			`}`