grafana/pkg/api/pluginproxy/ds_proxy.go

package pluginproxy

import (
	"bytes"
	"errors"
	"fmt"
	"io/ioutil"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strconv"
	"strings"
	"time"

	"github.com/opentracing/opentracing-go"
	"golang.org/x/oauth2"

	"github.com/grafana/grafana/pkg/bus"
	"github.com/grafana/grafana/pkg/log"
	m "github.com/grafana/grafana/pkg/models"
	"github.com/grafana/grafana/pkg/plugins"
	"github.com/grafana/grafana/pkg/setting"
	"github.com/grafana/grafana/pkg/social"
	"github.com/grafana/grafana/pkg/util"
)

var (
	logger = log.New("data-proxy-log")
	client = newHTTPClient()
)

type DataSourceProxy struct {
	ds        *m.DataSource
	ctx       *m.ReqContext
	targetUrl *url.URL
	proxyPath string
	route     *plugins.AppPluginRoute
	plugin    *plugins.DataSourcePlugin
}

type httpClient interface {
	Do(req *http.Request) (*http.Response, error)
}

func NewDataSourceProxy(ds *m.DataSource, plugin *plugins.DataSourcePlugin, ctx *m.ReqContext, proxyPath string) *DataSourceProxy {
	targetURL, _ := url.Parse(ds.Url)

	return &DataSourceProxy{
		ds:        ds,
		plugin:    plugin,
		ctx:       ctx,
		proxyPath: proxyPath,
		targetUrl: targetURL,
	}
}

func newHTTPClient() httpClient {
	return &http.Client{
		Timeout:   time.Duration(setting.DataProxyTimeout) * time.Second,
		Transport: &http.Transport{Proxy: http.ProxyFromEnvironment},
	}
}

func (proxy *DataSourceProxy) HandleRequest() {
	if err := proxy.validateRequest(); err != nil {
		proxy.ctx.JsonApiErr(403, err.Error(), nil)
		return
	}

	reverseProxy := &httputil.ReverseProxy{
		Director:      proxy.getDirector(),
		FlushInterval: time.Millisecond * 200,
	}

	var err error
	reverseProxy.Transport, err = proxy.ds.GetHttpTransport()
	if err != nil {
		proxy.ctx.JsonApiErr(400, "Unable to load TLS certificate", err)
		return
	}

	proxy.logRequest()

	span, ctx := opentracing.StartSpanFromContext(proxy.ctx.Req.Context(), "datasource reverse proxy")
	proxy.ctx.Req.Request = proxy.ctx.Req.WithContext(ctx)

	defer span.Finish()
	span.SetTag("datasource_id", proxy.ds.Id)
	span.SetTag("datasource_type", proxy.ds.Type)
	span.SetTag("user_id", proxy.ctx.SignedInUser.UserId)
	span.SetTag("org_id", proxy.ctx.SignedInUser.OrgId)

	proxy.addTraceFromHeaderValue(span, "X-Panel-Id", "panel_id")
	proxy.addTraceFromHeaderValue(span, "X-Dashboard-Id", "dashboard_id")

	opentracing.GlobalTracer().Inject(
		span.Context(),
		opentracing.HTTPHeaders,
		opentracing.HTTPHeadersCarrier(proxy.ctx.Req.Request.Header))

	reverseProxy.ServeHTTP(proxy.ctx.Resp, proxy.ctx.Req.Request)
	proxy.ctx.Resp.Header().Del("Set-Cookie")
}

func (proxy *DataSourceProxy) addTraceFromHeaderValue(span opentracing.Span, headerName string, tagName string) {
	panelId := proxy.ctx.Req.Header.Get(headerName)
	dashId, err := strconv.Atoi(panelId)
	if err == nil {
		span.SetTag(tagName, dashId)
	}
}

func (proxy *DataSourceProxy) useCustomHeaders(req *http.Request) {
	decryptSdj := proxy.ds.SecureJsonData.Decrypt()
	index := 1
	for {
		headerNameSuffix := fmt.Sprintf("httpHeaderName%d", index)
		headerValueSuffix := fmt.Sprintf("httpHeaderValue%d", index)
		if key := proxy.ds.JsonData.Get(headerNameSuffix).MustString(); key != "" {
			if val, ok := decryptSdj[headerValueSuffix]; ok {
				// remove if exists
				if req.Header.Get(key) != "" {
					req.Header.Del(key)
				}
				req.Header.Add(key, val)
				logger.Debug("Using custom header ", "CustomHeaders", key)
			}
		} else {
			break
		}
		index += 1
	}
}

func (proxy *DataSourceProxy) getDirector() func(req *http.Request) {
	return func(req *http.Request) {
		req.URL.Scheme = proxy.targetUrl.Scheme
		req.URL.Host = proxy.targetUrl.Host
		req.Host = proxy.targetUrl.Host

		reqQueryVals := req.URL.Query()

		if proxy.ds.Type == m.DS_INFLUXDB_08 {
			req.URL.Path = util.JoinURLFragments(proxy.targetUrl.Path, "db/"+proxy.ds.Database+"/"+proxy.proxyPath)
			reqQueryVals.Add("u", proxy.ds.User)
			reqQueryVals.Add("p", proxy.ds.Password)
			req.URL.RawQuery = reqQueryVals.Encode()
		} else if proxy.ds.Type == m.DS_INFLUXDB {
			req.URL.Path = util.JoinURLFragments(proxy.targetUrl.Path, proxy.proxyPath)
			req.URL.RawQuery = reqQueryVals.Encode()
			if !proxy.ds.BasicAuth {
				req.Header.Del("Authorization")
				req.Header.Add("Authorization", util.GetBasicAuthHeader(proxy.ds.User, proxy.ds.Password))
			}
		} else {
			req.URL.Path = util.JoinURLFragments(proxy.targetUrl.Path, proxy.proxyPath)
		}
		if proxy.ds.BasicAuth {
			req.Header.Del("Authorization")
			req.Header.Add("Authorization", util.GetBasicAuthHeader(proxy.ds.BasicAuthUser, proxy.ds.BasicAuthPassword))
		}

		// Lookup and use custom headers
		if proxy.ds.SecureJsonData != nil {
			proxy.useCustomHeaders(req)
		}

		dsAuth := req.Header.Get("X-DS-Authorization")
		if len(dsAuth) > 0 {
			req.Header.Del("X-DS-Authorization")
			req.Header.Del("Authorization")
			req.Header.Add("Authorization", dsAuth)
		}

		// clear cookie header, except for whitelisted cookies
		var keptCookies []*http.Cookie
		if proxy.ds.JsonData != nil {
			if keepCookies := proxy.ds.JsonData.Get("keepCookies"); keepCookies != nil {
				keepCookieNames := keepCookies.MustStringArray()
				for _, c := range req.Cookies() {
					for _, v := range keepCookieNames {
						if c.Name == v {
							keptCookies = append(keptCookies, c)
						}
					}
				}
			}
		}
		req.Header.Del("Cookie")
		for _, c := range keptCookies {
			req.AddCookie(c)
		}

		// clear X-Forwarded Host/Port/Proto headers
		req.Header.Del("X-Forwarded-Host")
		req.Header.Del("X-Forwarded-Port")
		req.Header.Del("X-Forwarded-Proto")
		req.Header.Set("User-Agent", fmt.Sprintf("Grafana/%s", setting.BuildVersion))

		// Clear Origin and Referer to avoir CORS issues
		req.Header.Del("Origin")
		req.Header.Del("Referer")

		// set X-Forwarded-For header
		if req.RemoteAddr != "" {
			remoteAddr, _, err := net.SplitHostPort(req.RemoteAddr)
			if err != nil {
				remoteAddr = req.RemoteAddr
			}
			if req.Header.Get("X-Forwarded-For") != "" {
				req.Header.Set("X-Forwarded-For", req.Header.Get("X-Forwarded-For")+", "+remoteAddr)
			} else {
				req.Header.Set("X-Forwarded-For", remoteAddr)
			}
		}

		if proxy.route != nil {
			ApplyRoute(proxy.ctx.Req.Context(), req, proxy.proxyPath, proxy.route, proxy.ds)
		}

		if proxy.ds.JsonData != nil && proxy.ds.JsonData.Get("oauthPassThru").MustBool() {
			cmd := &m.GetAuthInfoQuery{UserId: proxy.ctx.UserId}
			if err := bus.Dispatch(cmd); err != nil {
				logger.Error("Error feching oauth information for user", "error", err)
			}

			provider := cmd.Result.AuthModule
			connect, ok := social.SocialMap[strings.TrimPrefix(provider, "oauth_")] // The socialMap keys don't have "oauth_" prefix, but everywhere else in the system does
			if !ok {
				logger.Error("Failed to find oauth provider with given name", "provider", provider)
			}

			// TokenSource handles refreshing the token if it has expired
			token, err := connect.TokenSource(proxy.ctx.Req.Context(), &oauth2.Token{
				AccessToken:  cmd.Result.OAuthAccessToken,
				Expiry:       cmd.Result.OAuthExpiry,
				RefreshToken: cmd.Result.OAuthRefreshToken,
				TokenType:    cmd.Result.OAuthTokenType,
			}).Token()
			if err != nil {
				logger.Error("Failed to retrieve access token from oauth provider", "provider", cmd.Result.AuthModule)
			}

			// If the tokens are not the same, update the entry in the DB
			if token.AccessToken != cmd.Result.OAuthAccessToken {
				cmd2 := &m.UpdateAuthInfoCommand{
					UserId:     cmd.Result.Id,
					AuthModule: cmd.Result.AuthModule,
					AuthId:     cmd.Result.AuthId,
					OAuthToken: token,
				}
				if err := bus.Dispatch(cmd2); err != nil {
					logger.Error("Failed to update access token during token refresh", "error", err)
				}
			}
			req.Header.Del("Authorization")
			req.Header.Add("Authorization", fmt.Sprintf("%s %s", token.Type(), token.AccessToken))
		}
	}
}

func (proxy *DataSourceProxy) validateRequest() error {
	if !checkWhiteList(proxy.ctx, proxy.targetUrl.Host) {
		return errors.New("Target url is not a valid target")
	}

	if proxy.ds.Type == m.DS_PROMETHEUS {
		if proxy.ctx.Req.Request.Method == "DELETE" {
			return errors.New("Deletes not allowed on proxied Prometheus datasource")
		}
		if proxy.ctx.Req.Request.Method == "PUT" {
			return errors.New("Puts not allowed on proxied Prometheus datasource")
		}
		if proxy.ctx.Req.Request.Method == "POST" && !(proxy.proxyPath == "api/v1/query" || proxy.proxyPath == "api/v1/query_range") {
			return errors.New("Posts not allowed on proxied Prometheus datasource except on /query and /query_range")
		}
	}

	if proxy.ds.Type == m.DS_ES {
		if proxy.ctx.Req.Request.Method == "DELETE" {
			return errors.New("Deletes not allowed on proxied Elasticsearch datasource")
		}
		if proxy.ctx.Req.Request.Method == "PUT" {
			return errors.New("Puts not allowed on proxied Elasticsearch datasource")
		}
		if proxy.ctx.Req.Request.Method == "POST" && proxy.proxyPath != "_msearch" {
			return errors.New("Posts not allowed on proxied Elasticsearch datasource except on /_msearch")
		}
	}

	// found route if there are any
	if len(proxy.plugin.Routes) > 0 {
		for _, route := range proxy.plugin.Routes {
			// method match
			if route.Method != "" && route.Method != "*" && route.Method != proxy.ctx.Req.Method {
				continue
			}

			if route.ReqRole.IsValid() {
				if !proxy.ctx.HasUserRole(route.ReqRole) {
					return errors.New("Plugin proxy route access denied")
				}
			}

			if strings.HasPrefix(proxy.proxyPath, route.Path) {
				proxy.route = route
				break
			}
		}
	}

	return nil
}

func (proxy *DataSourceProxy) logRequest() {
	if !setting.DataProxyLogging {
		return
	}

	var body string
	if proxy.ctx.Req.Request.Body != nil {
		buffer, err := ioutil.ReadAll(proxy.ctx.Req.Request.Body)
		if err == nil {
			proxy.ctx.Req.Request.Body = ioutil.NopCloser(bytes.NewBuffer(buffer))
			body = string(buffer)
		}
	}

	logger.Info("Proxying incoming request",
		"userid", proxy.ctx.UserId,
		"orgid", proxy.ctx.OrgId,
		"username", proxy.ctx.Login,
		"datasource", proxy.ds.Type,
		"uri", proxy.ctx.Req.RequestURI,
		"method", proxy.ctx.Req.Request.Method,
		"body", body)
}

func checkWhiteList(c *m.ReqContext, host string) bool {
	if host != "" && len(setting.DataProxyWhiteList) > 0 {
		if _, exists := setting.DataProxyWhiteList[host]; !exists {
			c.JsonApiErr(403, "Data proxy hostname and ip are not included in whitelist", nil)
			return false
		}
	}

	return true
}
feat: data source proxy refactoring and route handling, #9078 2017-08-22 23:14:15 +08:00			`package pluginproxy`

			`import (`
			`"bytes"`
			`"errors"`
			`"fmt"`
			`"io/ioutil"`
			`"net"`
			`"net/http"`
			`"net/http/httputil"`
			`"net/url"`
datasource-proxy: token exchange 2017-08-23 23:18:43 +08:00			`"strconv"`
feat: data source proxy refactoring and route handling, #9078 2017-08-22 23:14:15 +08:00			`"strings"`
			`"time"`

add traces for datasource reverse proxy requests 2017-09-12 16:25:40 +08:00			`"github.com/opentracing/opentracing-go"`
Add oauth pass-thru option for datasources 2019-02-02 08:40:57 +08:00			`"golang.org/x/oauth2"`
add traces for datasource reverse proxy requests 2017-09-12 16:25:40 +08:00
Add oauth pass-thru option for datasources 2019-02-02 08:40:57 +08:00			`"github.com/grafana/grafana/pkg/bus"`
feat: data source proxy refactoring and route handling, #9078 2017-08-22 23:14:15 +08:00			`"github.com/grafana/grafana/pkg/log"`
			`m "github.com/grafana/grafana/pkg/models"`
			`"github.com/grafana/grafana/pkg/plugins"`
			`"github.com/grafana/grafana/pkg/setting"`
Add oauth pass-thru option for datasources 2019-02-02 08:40:57 +08:00			`"github.com/grafana/grafana/pkg/social"`
feat: data source proxy refactoring and route handling, #9078 2017-08-22 23:14:15 +08:00			`"github.com/grafana/grafana/pkg/util"`
			`)`

			`var (`
dsproxy: implements support for plugin routes with jwt file Google Cloud service accounts use a JWT token to get an oauth access token. This adds support for that. 2018-09-06 21:50:16 +08:00			`logger = log.New("data-proxy-log")`
			`client = newHTTPClient()`
feat: data source proxy refactoring and route handling, #9078 2017-08-22 23:14:15 +08:00			`)`

			`type DataSourceProxy struct {`
dsproxy: move http client variable back After refactoring to be able to mock the client in a test, the client wasn't a global variable anymore. This change moves the client back to being a package- level variable. 2018-06-14 19:39:46 +08:00			`ds *m.DataSource`
			`ctx *m.ReqContext`
			`targetUrl *url.URL`
			`proxyPath string`
			`route *plugins.AppPluginRoute`
			`plugin *plugins.DataSourcePlugin`
dsproxy: allow multiple access tokens per datasource Changes the cache key for tokens to cache on datasource id + route path + http method instead of just datasource id. 2018-06-12 23:39:38 +08:00			`}`

dsproxy: move http client variable back After refactoring to be able to mock the client in a test, the client wasn't a global variable anymore. This change moves the client back to being a package- level variable. 2018-06-14 19:39:46 +08:00			`type httpClient interface {`
dsproxy: allow multiple access tokens per datasource Changes the cache key for tokens to cache on datasource id + route path + http method instead of just datasource id. 2018-06-12 23:39:38 +08:00			`Do(req http.Request) (http.Response, error)`
feat: data source proxy refactoring and route handling, #9078 2017-08-22 23:14:15 +08:00			`}`

rename Context to ReqContext 2018-03-08 00:54:50 +08:00			`func NewDataSourceProxy(ds m.DataSource, plugin plugins.DataSourcePlugin, ctx m.ReqContext, proxyPath string) DataSourceProxy {`
Make golint happier 2018-03-23 05:13:46 +08:00			`targetURL, _ := url.Parse(ds.Url)`
dataproxy: refactoring data source proxy to support route templates and wrote more tests for data proxy code, #9078 2017-08-23 16:52:31 +08:00
feat: data source proxy refactoring and route handling, #9078 2017-08-22 23:14:15 +08:00			`return &DataSourceProxy{`
			`ds: ds,`
dataproxy: refactoring data source proxy to support route templates and wrote more tests for data proxy code, #9078 2017-08-23 16:52:31 +08:00			`plugin: plugin,`
feat: data source proxy refactoring and route handling, #9078 2017-08-22 23:14:15 +08:00			`ctx: ctx,`
			`proxyPath: proxyPath,`
Make golint happier 2018-03-23 05:13:46 +08:00			`targetUrl: targetURL,`
dsproxy: move http client variable back After refactoring to be able to mock the client in a test, the client wasn't a global variable anymore. This change moves the client back to being a package- level variable. 2018-06-14 19:39:46 +08:00			`}`
			`}`

			`func newHTTPClient() httpClient {`
			`return &http.Client{`
add global datasource proxy timeout setting closes grafana#5699 2019-01-25 03:04:21 +08:00			`Timeout: time.Duration(setting.DataProxyTimeout) * time.Second,`
dsproxy: move http client variable back After refactoring to be able to mock the client in a test, the client wasn't a global variable anymore. This change moves the client back to being a package- level variable. 2018-06-14 19:39:46 +08:00			`Transport: &http.Transport{Proxy: http.ProxyFromEnvironment},`
feat: data source proxy refactoring and route handling, #9078 2017-08-22 23:14:15 +08:00			`}`
			`}`

			`func (proxy *DataSourceProxy) HandleRequest() {`
			`if err := proxy.validateRequest(); err != nil {`
			`proxy.ctx.JsonApiErr(403, err.Error(), nil)`
			`return`
			`}`

			`reverseProxy := &httputil.ReverseProxy{`
			`Director: proxy.getDirector(),`
			`FlushInterval: time.Millisecond * 200,`
			`}`

			`var err error`
			`reverseProxy.Transport, err = proxy.ds.GetHttpTransport()`
			`if err != nil {`
			`proxy.ctx.JsonApiErr(400, "Unable to load TLS certificate", err)`
			`return`
			`}`

			`proxy.logRequest()`

add traces for datasource reverse proxy requests 2017-09-12 16:25:40 +08:00			`span, ctx := opentracing.StartSpanFromContext(proxy.ctx.Req.Context(), "datasource reverse proxy")`
			`proxy.ctx.Req.Request = proxy.ctx.Req.WithContext(ctx)`

			`defer span.Finish()`
			`span.SetTag("datasource_id", proxy.ds.Id)`
			`span.SetTag("datasource_type", proxy.ds.Type)`
			`span.SetTag("user_id", proxy.ctx.SignedInUser.UserId)`
			`span.SetTag("org_id", proxy.ctx.SignedInUser.OrgId)`

dataproxy: adds dashboardid and panelid as tags closes #11315 2018-03-21 05:21:24 +08:00			`proxy.addTraceFromHeaderValue(span, "X-Panel-Id", "panel_id")`
			`proxy.addTraceFromHeaderValue(span, "X-Dashboard-Id", "dashboard_id")`

add trace headers for outgoing requests 2017-09-12 17:06:37 +08:00			`opentracing.GlobalTracer().Inject(`
			`span.Context(),`
			`opentracing.HTTPHeaders,`
			`opentracing.HTTPHeadersCarrier(proxy.ctx.Req.Request.Header))`

feat: data source proxy refactoring and route handling, #9078 2017-08-22 23:14:15 +08:00			`reverseProxy.ServeHTTP(proxy.ctx.Resp, proxy.ctx.Req.Request)`
			`proxy.ctx.Resp.Header().Del("Set-Cookie")`
			`}`

dataproxy: adds dashboardid and panelid as tags closes #11315 2018-03-21 05:21:24 +08:00			`func (proxy *DataSourceProxy) addTraceFromHeaderValue(span opentracing.Span, headerName string, tagName string) {`
			`panelId := proxy.ctx.Req.Header.Get(headerName)`
			`dashId, err := strconv.Atoi(panelId)`
			`if err == nil {`
			`span.SetTag(tagName, dashId)`
			`}`
			`}`

Pass configured/auth headers to a Datasource. In some setups (ex openshift), the Datasource will require Grafana to pass oauth token as header when sending queries. Also, this PR allow to send any header which is something Grafana currently does not support. 2018-04-16 22:28:20 +08:00			`func (proxy DataSourceProxy) useCustomHeaders(req http.Request) {`
			`decryptSdj := proxy.ds.SecureJsonData.Decrypt()`
			`index := 1`
			`for {`
			`headerNameSuffix := fmt.Sprintf("httpHeaderName%d", index)`
			`headerValueSuffix := fmt.Sprintf("httpHeaderValue%d", index)`
			`if key := proxy.ds.JsonData.Get(headerNameSuffix).MustString(); key != "" {`
			`if val, ok := decryptSdj[headerValueSuffix]; ok {`
			`// remove if exists`
			`if req.Header.Get(key) != "" {`
			`req.Header.Del(key)`
			`}`
			`req.Header.Add(key, val)`
			`logger.Debug("Using custom header ", "CustomHeaders", key)`
			`}`
			`} else {`
			`break`
			`}`
			`index += 1`
			`}`
			`}`

feat: data source proxy refactoring and route handling, #9078 2017-08-22 23:14:15 +08:00			`func (proxy DataSourceProxy) getDirector() func(req http.Request) {`
			`return func(req *http.Request) {`
			`req.URL.Scheme = proxy.targetUrl.Scheme`
			`req.URL.Host = proxy.targetUrl.Host`
			`req.Host = proxy.targetUrl.Host`

			`reqQueryVals := req.URL.Query()`

			`if proxy.ds.Type == m.DS_INFLUXDB_08 {`
pkg/util/{ip.go,url.go}: Fix some golint issues See, $ gometalinter --vendor --deadline 10m --disable-all --enable=golint ./... ip.go:8:6:warning: func SplitIpPort should be SplitIPPort (golint) url.go:14:6:warning: func NewUrlQueryReader should be NewURLQueryReader (golint) url.go:9:6:warning: type UrlQueryReader should be URLQueryReader (golint) url.go:37:6:warning: func JoinUrlFragments should be JoinURLFragments (golint) 2019-01-29 05:18:48 +08:00			`req.URL.Path = util.JoinURLFragments(proxy.targetUrl.Path, "db/"+proxy.ds.Database+"/"+proxy.proxyPath)`
feat: data source proxy refactoring and route handling, #9078 2017-08-22 23:14:15 +08:00			`reqQueryVals.Add("u", proxy.ds.User)`
			`reqQueryVals.Add("p", proxy.ds.Password)`
			`req.URL.RawQuery = reqQueryVals.Encode()`
			`} else if proxy.ds.Type == m.DS_INFLUXDB {`
pkg/util/{ip.go,url.go}: Fix some golint issues See, $ gometalinter --vendor --deadline 10m --disable-all --enable=golint ./... ip.go:8:6:warning: func SplitIpPort should be SplitIPPort (golint) url.go:14:6:warning: func NewUrlQueryReader should be NewURLQueryReader (golint) url.go:9:6:warning: type UrlQueryReader should be URLQueryReader (golint) url.go:37:6:warning: func JoinUrlFragments should be JoinURLFragments (golint) 2019-01-29 05:18:48 +08:00			`req.URL.Path = util.JoinURLFragments(proxy.targetUrl.Path, proxy.proxyPath)`
feat: data source proxy refactoring and route handling, #9078 2017-08-22 23:14:15 +08:00			`req.URL.RawQuery = reqQueryVals.Encode()`
			`if !proxy.ds.BasicAuth {`
			`req.Header.Del("Authorization")`
			`req.Header.Add("Authorization", util.GetBasicAuthHeader(proxy.ds.User, proxy.ds.Password))`
			`}`
			`} else {`
pkg/util/{ip.go,url.go}: Fix some golint issues See, $ gometalinter --vendor --deadline 10m --disable-all --enable=golint ./... ip.go:8:6:warning: func SplitIpPort should be SplitIPPort (golint) url.go:14:6:warning: func NewUrlQueryReader should be NewURLQueryReader (golint) url.go:9:6:warning: type UrlQueryReader should be URLQueryReader (golint) url.go:37:6:warning: func JoinUrlFragments should be JoinURLFragments (golint) 2019-01-29 05:18:48 +08:00			`req.URL.Path = util.JoinURLFragments(proxy.targetUrl.Path, proxy.proxyPath)`
feat: data source proxy refactoring and route handling, #9078 2017-08-22 23:14:15 +08:00			`}`
			`if proxy.ds.BasicAuth {`
			`req.Header.Del("Authorization")`
			`req.Header.Add("Authorization", util.GetBasicAuthHeader(proxy.ds.BasicAuthUser, proxy.ds.BasicAuthPassword))`
			`}`

Pass configured/auth headers to a Datasource. In some setups (ex openshift), the Datasource will require Grafana to pass oauth token as header when sending queries. Also, this PR allow to send any header which is something Grafana currently does not support. 2018-04-16 22:28:20 +08:00			`// Lookup and use custom headers`
			`if proxy.ds.SecureJsonData != nil {`
			`proxy.useCustomHeaders(req)`
			`}`

feat: data source proxy refactoring and route handling, #9078 2017-08-22 23:14:15 +08:00			`dsAuth := req.Header.Get("X-DS-Authorization")`
			`if len(dsAuth) > 0 {`
			`req.Header.Del("X-DS-Authorization")`
			`req.Header.Del("Authorization")`
			`req.Header.Add("Authorization", dsAuth)`
			`}`

proxyds: delete cookies except those listed in keepCookies 2017-10-18 06:47:15 +08:00			`// clear cookie header, except for whitelisted cookies`
			`var keptCookies []*http.Cookie`
			`if proxy.ds.JsonData != nil {`
			`if keepCookies := proxy.ds.JsonData.Get("keepCookies"); keepCookies != nil {`
			`keepCookieNames := keepCookies.MustStringArray()`
			`for _, c := range req.Cookies() {`
			`for _, v := range keepCookieNames {`
			`if c.Name == v {`
			`keptCookies = append(keptCookies, c)`
			`}`
			`}`
			`}`
			`}`
			`}`
feat: data source proxy refactoring and route handling, #9078 2017-08-22 23:14:15 +08:00			`req.Header.Del("Cookie")`
proxyds: delete cookies except those listed in keepCookies 2017-10-18 06:47:15 +08:00			`for _, c := range keptCookies {`
			`req.AddCookie(c)`
			`}`
feat: data source proxy refactoring and route handling, #9078 2017-08-22 23:14:15 +08:00
			`// clear X-Forwarded Host/Port/Proto headers`
			`req.Header.Del("X-Forwarded-Host")`
			`req.Header.Del("X-Forwarded-Port")`
			`req.Header.Del("X-Forwarded-Proto")`
Set User-Agent header in all proxied datasource requests Header value will be Grafana/%version%, i.e. Grafana/5.3.0 2018-08-15 15:46:59 +08:00			`req.Header.Set("User-Agent", fmt.Sprintf("Grafana/%s", setting.BuildVersion))`
feat: data source proxy refactoring and route handling, #9078 2017-08-22 23:14:15 +08:00
Remove Origin and Referer headers while proxying requests Fix #13949 Fix #13328 Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu> 2018-11-08 19:30:10 +08:00			`// Clear Origin and Referer to avoir CORS issues`
			`req.Header.Del("Origin")`
			`req.Header.Del("Referer")`

feat: data source proxy refactoring and route handling, #9078 2017-08-22 23:14:15 +08:00			`// set X-Forwarded-For header`
			`if req.RemoteAddr != "" {`
			`remoteAddr, _, err := net.SplitHostPort(req.RemoteAddr)`
			`if err != nil {`
			`remoteAddr = req.RemoteAddr`
			`}`
			`if req.Header.Get("X-Forwarded-For") != "" {`
			`req.Header.Set("X-Forwarded-For", req.Header.Get("X-Forwarded-For")+", "+remoteAddr)`
			`} else {`
			`req.Header.Set("X-Forwarded-For", remoteAddr)`
			`}`
			`}`

			`if proxy.route != nil {`
Stackdriver: Use ds_auth_provider in stackdriver. This will make sure the token is renewed when it has exporired 2018-09-10 23:49:13 +08:00			`ApplyRoute(proxy.ctx.Req.Context(), req, proxy.proxyPath, proxy.route, proxy.ds)`
feat: data source proxy refactoring and route handling, #9078 2017-08-22 23:14:15 +08:00			`}`
Add oauth pass-thru option for datasources 2019-02-02 08:40:57 +08:00
			`if proxy.ds.JsonData != nil && proxy.ds.JsonData.Get("oauthPassThru").MustBool() {`
Get most recent oauth token from db, rather than lookup by auth_module 2019-03-14 01:22:22 +08:00			`cmd := &m.GetAuthInfoQuery{UserId: proxy.ctx.UserId}`
			`if err := bus.Dispatch(cmd); err != nil {`
			`logger.Error("Error feching oauth information for user", "error", err)`
			`}`

			`provider := cmd.Result.AuthModule`
Add oauth pass-thru option for datasources 2019-02-02 08:40:57 +08:00			`connect, ok := social.SocialMap[strings.TrimPrefix(provider, "oauth_")] // The socialMap keys don't have "oauth_" prefix, but everywhere else in the system does`
			`if !ok {`
			`logger.Error("Failed to find oauth provider with given name", "provider", provider)`
			`}`

			`// TokenSource handles refreshing the token if it has expired`
			`token, err := connect.TokenSource(proxy.ctx.Req.Context(), &oauth2.Token{`
			`AccessToken: cmd.Result.OAuthAccessToken,`
			`Expiry: cmd.Result.OAuthExpiry,`
			`RefreshToken: cmd.Result.OAuthRefreshToken,`
			`TokenType: cmd.Result.OAuthTokenType,`
			`}).Token()`
			`if err != nil {`
			`logger.Error("Failed to retrieve access token from oauth provider", "provider", cmd.Result.AuthModule)`
			`}`

			`// If the tokens are not the same, update the entry in the DB`
			`if token.AccessToken != cmd.Result.OAuthAccessToken {`
			`cmd2 := &m.UpdateAuthInfoCommand{`
			`UserId: cmd.Result.Id,`
			`AuthModule: cmd.Result.AuthModule,`
			`AuthId: cmd.Result.AuthId,`
			`OAuthToken: token,`
			`}`
			`if err := bus.Dispatch(cmd2); err != nil {`
			`logger.Error("Failed to update access token during token refresh", "error", err)`
			`}`
			`}`
			`req.Header.Del("Authorization")`
			`req.Header.Add("Authorization", fmt.Sprintf("%s %s", token.Type(), token.AccessToken))`
			`}`
feat: data source proxy refactoring and route handling, #9078 2017-08-22 23:14:15 +08:00			`}`
			`}`

			`func (proxy *DataSourceProxy) validateRequest() error {`
dataproxy: refactoring data source proxy to support route templates and wrote more tests for data proxy code, #9078 2017-08-23 16:52:31 +08:00			`if !checkWhiteList(proxy.ctx, proxy.targetUrl.Host) {`
feat: data source proxy refactoring and route handling, #9078 2017-08-22 23:14:15 +08:00			`return errors.New("Target url is not a valid target")`
			`}`

			`if proxy.ds.Type == m.DS_PROMETHEUS {`
support POST for query and query_range 2017-11-12 15:38:10 +08:00			`if proxy.ctx.Req.Request.Method == "DELETE" {`
			`return errors.New("Deletes not allowed on proxied Prometheus datasource")`
			`}`
			`if proxy.ctx.Req.Request.Method == "PUT" {`
			`return errors.New("Puts not allowed on proxied Prometheus datasource")`
			`}`
			`if proxy.ctx.Req.Request.Method == "POST" && !(proxy.proxyPath == "api/v1/query" \|\| proxy.proxyPath == "api/v1/query_range") {`
			`return errors.New("Posts not allowed on proxied Prometheus datasource except on /query and /query_range")`
feat: data source proxy refactoring and route handling, #9078 2017-08-22 23:14:15 +08:00			`}`
			`}`

			`if proxy.ds.Type == m.DS_ES {`
			`if proxy.ctx.Req.Request.Method == "DELETE" {`
			`return errors.New("Deletes not allowed on proxied Elasticsearch datasource")`
			`}`
			`if proxy.ctx.Req.Request.Method == "PUT" {`
			`return errors.New("Puts not allowed on proxied Elasticsearch datasource")`
			`}`
			`if proxy.ctx.Req.Request.Method == "POST" && proxy.proxyPath != "_msearch" {`
			`return errors.New("Posts not allowed on proxied Elasticsearch datasource except on /_msearch")`
			`}`
			`}`

			`// found route if there are any`
dataproxy: refactoring data source proxy to support route templates and wrote more tests for data proxy code, #9078 2017-08-23 16:52:31 +08:00			`if len(proxy.plugin.Routes) > 0 {`
			`for _, route := range proxy.plugin.Routes {`
			`// method match`
			`if route.Method != "" && route.Method != "*" && route.Method != proxy.ctx.Req.Method {`
			`continue`
			`}`
feat: data source proxy refactoring and route handling, #9078 2017-08-22 23:14:15 +08:00
dataproxy: refactoring data source proxy to support route templates and wrote more tests for data proxy code, #9078 2017-08-23 16:52:31 +08:00			`if route.ReqRole.IsValid() {`
			`if !proxy.ctx.HasUserRole(route.ReqRole) {`
			`return errors.New("Plugin proxy route access denied")`
feat: data source proxy refactoring and route handling, #9078 2017-08-22 23:14:15 +08:00			`}`
			`}`
dataproxy: refactoring data source proxy to support route templates and wrote more tests for data proxy code, #9078 2017-08-23 16:52:31 +08:00
			`if strings.HasPrefix(proxy.proxyPath, route.Path) {`
			`proxy.route = route`
			`break`
			`}`
feat: data source proxy refactoring and route handling, #9078 2017-08-22 23:14:15 +08:00			`}`
			`}`

			`return nil`
			`}`

			`func (proxy *DataSourceProxy) logRequest() {`
			`if !setting.DataProxyLogging {`
			`return`
			`}`

			`var body string`
			`if proxy.ctx.Req.Request.Body != nil {`
			`buffer, err := ioutil.ReadAll(proxy.ctx.Req.Request.Body)`
			`if err == nil {`
			`proxy.ctx.Req.Request.Body = ioutil.NopCloser(bytes.NewBuffer(buffer))`
			`body = string(buffer)`
			`}`
			`}`

			`logger.Info("Proxying incoming request",`
			`"userid", proxy.ctx.UserId,`
			`"orgid", proxy.ctx.OrgId,`
			`"username", proxy.ctx.Login,`
			`"datasource", proxy.ds.Type,`
			`"uri", proxy.ctx.Req.RequestURI,`
			`"method", proxy.ctx.Req.Request.Method,`
			`"body", body)`
			`}`

rename Context to ReqContext 2018-03-08 00:54:50 +08:00			`func checkWhiteList(c *m.ReqContext, host string) bool {`
feat: data source proxy refactoring and route handling, #9078 2017-08-22 23:14:15 +08:00			`if host != "" && len(setting.DataProxyWhiteList) > 0 {`
			`if _, exists := setting.DataProxyWhiteList[host]; !exists {`
			`c.JsonApiErr(403, "Data proxy hostname and ip are not included in whitelist", nil)`
			`return false`
			`}`
			`}`

			`return true`
			`}`