public/grafana
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Plugins: Handle app plugin proxy routes per request (#51835)

Browse Source 
Fixes #47530
This commit is contained in:
Marcus Efraimsson
2022-08-23 13:05:31 +02:00
committed by GitHub
parent 5f80bf5297
commit e6857bf17d
7 changed files with 443 additions and 236 deletions
Download Patch File Download Diff File Expand all files Collapse all files
pkg/api/pluginproxy/pluginproxy.go
+152 -79
View File
@@ -5,9 +5,9 @@ import (
"encoding/json"
"io"
"net/http"
"net/http/httputil"
"net/url"
"github.com/grafana/grafana/pkg/infra/tracing"
"github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/plugins"
"github.com/grafana/grafana/pkg/services/pluginsettings"
@@ -15,111 +15,184 @@ import (
"github.com/grafana/grafana/pkg/setting"
"github.com/grafana/grafana/pkg/util"
"github.com/grafana/grafana/pkg/util/proxyutil"
"github.com/grafana/grafana/pkg/web"
"go.opentelemetry.io/otel/attribute"
)
type templateData struct {
JsonData map[string]interface{}
SecureJsonData map[string]string
type PluginProxy struct {
ps *pluginsettings.DTO
pluginRoutes []*plugins.Route
ctx *models.ReqContext
proxyPath string
matchedRoute *plugins.Route
cfg *setting.Cfg
secretsService secrets.Service
tracer tracing.Tracer
transport *http.Transport
}
// NewApiPluginProxy create a plugin proxy
func NewApiPluginProxy(ctx *models.ReqContext, proxyPath string, route *plugins.Route,
appID string, cfg *setting.Cfg, pluginSettingsService pluginsettings.Service,
secretsService secrets.Service) *httputil.ReverseProxy {
appProxyLogger := logger.New(
"userId", ctx.UserID,
"orgId", ctx.OrgID,
"uname", ctx.Login,
"app", appID,
"path", ctx.Req.URL.Path,
"remote_addr", ctx.RemoteAddr(),
"referer", ctx.Req.Referer(),
)
// NewPluginProxy creates a plugin proxy.
func NewPluginProxy(ps *pluginsettings.DTO, routes []*plugins.Route, ctx *models.ReqContext,
proxyPath string, cfg *setting.Cfg, secretsService secrets.Service, tracer tracing.Tracer,
transport *http.Transport) (*PluginProxy, error) {
return &PluginProxy{
ps: ps,
pluginRoutes: routes,
ctx: ctx,
proxyPath: proxyPath,
cfg: cfg,
secretsService: secretsService,
tracer: tracer,
transport: transport,
}, nil
}
director := func(req *http.Request) {
query := pluginsettings.GetByPluginIDArgs{OrgID: ctx.OrgID, PluginID: appID}
ps, err := pluginSettingsService.GetPluginSettingByPluginID(ctx.Req.Context(), &query)
if err != nil {
ctx.JsonApiErr(500, "Failed to fetch plugin settings", err)
return
func (proxy *PluginProxy) HandleRequest() {
// found route if there are any
for _, route := range proxy.pluginRoutes {
// method match
if route.Method != "" && route.Method != "*" && route.Method != proxy.ctx.Req.Method {
continue
}
secureJsonData, err := secretsService.DecryptJsonData(ctx.Req.Context(), ps.SecureJSONData)
if err != nil {
ctx.JsonApiErr(500, "Failed to decrypt plugin settings", err)
return
t := web.NewTree()
t.Add(route.Path, nil)
_, params, isMatch := t.Match(proxy.proxyPath)
if !isMatch {
continue
}
data := templateData{
JsonData: ps.JSONData,
SecureJsonData: secureJsonData,
if route.ReqRole.IsValid() {
if !proxy.ctx.HasUserRole(route.ReqRole) {
proxy.ctx.JsonApiErr(http.StatusForbidden, "plugin proxy route access denied", nil)
return
}
}
interpolatedURL, err := interpolateString(route.URL, data)
if err != nil {
ctx.JsonApiErr(500, "Could not interpolate plugin route url", err)
return
}
targetURL, err := url.Parse(interpolatedURL)
if err != nil {
ctx.JsonApiErr(500, "Could not parse url", err)
return
}
req.URL.Scheme = targetURL.Scheme
req.URL.Host = targetURL.Host
req.Host = targetURL.Host
req.URL.Path = util.JoinURLFragments(targetURL.Path, proxyPath)
// clear cookie headers
req.Header.Del("Cookie")
req.Header.Del("Set-Cookie")
// Create a HTTP header with the context in it.
ctxJSON, err := json.Marshal(ctx.SignedInUser)
if err != nil {
ctx.JsonApiErr(500, "failed to marshal context to json.", err)
return
if path, exists := params["*"]; exists {
proxy.proxyPath = path
} else {
proxy.proxyPath = ""
}
req.Header.Set("X-Grafana-Context", string(ctxJSON))
applyUserHeader(cfg.SendUserHeader, req, ctx.SignedInUser)
if err := addHeaders(&req.Header, route, data); err != nil {
ctx.JsonApiErr(500, "Failed to render plugin headers", err)
return
}
if err := setBodyContent(req, route, data); err != nil {
appProxyLogger.Error("Failed to set plugin route body content", "error", err)
}
proxy.matchedRoute = route
break
}
logAppPluginProxyRequest(appID, cfg, ctx)
if proxy.matchedRoute == nil {
proxy.ctx.JsonApiErr(http.StatusNotFound, "plugin route match not found", nil)
return
}
return proxyutil.NewReverseProxy(appProxyLogger, director)
traceID := tracing.TraceIDFromContext(proxy.ctx.Req.Context(), false)
proxyErrorLogger := logger.New(
"userId", proxy.ctx.UserID,
"orgId", proxy.ctx.OrgID,
"uname", proxy.ctx.Login,
"path", proxy.ctx.Req.URL.Path,
"remote_addr", proxy.ctx.RemoteAddr(),
"referer", proxy.ctx.Req.Referer(),
"traceID", traceID,
)
reverseProxy := proxyutil.NewReverseProxy(
proxyErrorLogger,
proxy.director,
proxyutil.WithTransport(proxy.transport),
)
proxy.logRequest()
ctx, span := proxy.tracer.Start(proxy.ctx.Req.Context(), "plugin reverse proxy")
defer span.End()
proxy.ctx.Req = proxy.ctx.Req.WithContext(ctx)
span.SetAttributes("user", proxy.ctx.SignedInUser.Login, attribute.Key("user").String(proxy.ctx.SignedInUser.Login))
span.SetAttributes("org_id", proxy.ctx.SignedInUser.OrgID, attribute.Key("org_id").Int64(proxy.ctx.SignedInUser.OrgID))
proxy.tracer.Inject(ctx, proxy.ctx.Req.Header, span)
reverseProxy.ServeHTTP(proxy.ctx.Resp, proxy.ctx.Req)
}
func logAppPluginProxyRequest(appID string, cfg *setting.Cfg, c *models.ReqContext) {
if !cfg.DataProxyLogging {
func (proxy PluginProxy) director(req *http.Request) {
secureJsonData, err := proxy.secretsService.DecryptJsonData(proxy.ctx.Req.Context(), proxy.ps.SecureJSONData)
if err != nil {
proxy.ctx.JsonApiErr(500, "Failed to decrypt plugin settings", err)
return
}
data := templateData{
JsonData: proxy.ps.JSONData,
SecureJsonData: secureJsonData,
}
interpolatedURL, err := interpolateString(proxy.matchedRoute.URL, data)
if err != nil {
proxy.ctx.JsonApiErr(500, "Could not interpolate plugin route url", err)
return
}
targetURL, err := url.Parse(interpolatedURL)
if err != nil {
proxy.ctx.JsonApiErr(500, "Could not parse url", err)
return
}
req.URL.Scheme = targetURL.Scheme
req.URL.Host = targetURL.Host
req.Host = targetURL.Host
req.URL.Path = util.JoinURLFragments(targetURL.Path, proxy.proxyPath)
// clear cookie headers
req.Header.Del("Cookie")
req.Header.Del("Set-Cookie")
// Create a HTTP header with the context in it.
ctxJSON, err := json.Marshal(proxy.ctx.SignedInUser)
if err != nil {
proxy.ctx.JsonApiErr(500, "failed to marshal context to json.", err)
return
}
req.Header.Set("X-Grafana-Context", string(ctxJSON))
applyUserHeader(proxy.cfg.SendUserHeader, req, proxy.ctx.SignedInUser)
if err := addHeaders(&req.Header, proxy.matchedRoute, data); err != nil {
proxy.ctx.JsonApiErr(500, "Failed to render plugin headers", err)
return
}
if err := setBodyContent(req, proxy.matchedRoute, data); err != nil {
logger.Error("Failed to set plugin route body content", "error", err)
}
}
func (proxy PluginProxy) logRequest() {
if !proxy.cfg.DataProxyLogging {
return
}
var body string
if c.Req.Body != nil {
buffer, err := io.ReadAll(c.Req.Body)
if proxy.ctx.Req.Body != nil {
buffer, err := io.ReadAll(proxy.ctx.Req.Body)
if err == nil {
c.Req.Body = io.NopCloser(bytes.NewBuffer(buffer))
proxy.ctx.Req.Body = io.NopCloser(bytes.NewBuffer(buffer))
body = string(buffer)
}
}
logger.Info("Proxying incoming request",
"userid", c.UserID,
"orgid", c.OrgID,
"username", c.Login,
"app", appID,
"uri", c.Req.RequestURI,
"method", c.Req.Method,
"userid", proxy.ctx.UserID,
"orgid", proxy.ctx.OrgID,
"username", proxy.ctx.Login,
"app", proxy.ps.PluginID,
"uri", proxy.ctx.Req.RequestURI,
"method", proxy.ctx.Req.Method,
"body", body)
}
type templateData struct {
JsonData map[string]interface{}
SecureJsonData map[string]string
}
pkg/api/pluginproxy/pluginproxy_test.go
+185 -76
View File
@@ -2,11 +2,14 @@ package pluginproxy
import (
"context"
"fmt"
"io"
"net/http"
"net/http/httptest"
"net/url"
"testing"
"github.com/grafana/grafana/pkg/infra/tracing"
"github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/plugins"
"github.com/grafana/grafana/pkg/services/org"
@@ -32,19 +35,19 @@ func TestPluginProxy(t *testing.T) {
},
}
store := &mockPluginsSettingsService{}
key, _ := secretsService.Encrypt(context.Background(), []byte("123"), secrets.WithoutScope())
store.pluginSetting = &pluginsettings.DTO{
SecureJSONData: map[string][]byte{
"key": key,
},
}
key, err := secretsService.Encrypt(context.Background(), []byte("123"), secrets.WithoutScope())
require.NoError(t, err)
httpReq, err := http.NewRequest(http.MethodGet, "", nil)
require.NoError(t, err)
req := getPluginProxiedRequest(
t,
&pluginsettings.DTO{
SecureJSONData: map[string][]byte{
"key": key,
},
},
secretsService,
&models.ReqContext{
SignedInUser: &user.SignedInUser{
@@ -56,7 +59,6 @@ func TestPluginProxy(t *testing.T) {
},
&setting.Cfg{SendUserHeader: true},
route,
store,
)
assert.Equal(t, "my secret 123", req.Header.Get("x-header"))
@@ -66,11 +68,9 @@ func TestPluginProxy(t *testing.T) {
httpReq, err := http.NewRequest(http.MethodGet, "", nil)
require.NoError(t, err)
store := &mockPluginsSettingsService{}
store.pluginSetting = &pluginsettings.DTO{}
req := getPluginProxiedRequest(
t,
&pluginsettings.DTO{},
secretsService,
&models.ReqContext{
SignedInUser: &user.SignedInUser{
@@ -82,7 +82,6 @@ func TestPluginProxy(t *testing.T) {
},
&setting.Cfg{SendUserHeader: true},
nil,
store,
)
// Get will return empty string even if header is not set
@@ -93,11 +92,9 @@ func TestPluginProxy(t *testing.T) {
httpReq, err := http.NewRequest(http.MethodGet, "", nil)
require.NoError(t, err)
store := &mockPluginsSettingsService{}
store.pluginSetting = &pluginsettings.DTO{}
req := getPluginProxiedRequest(
t,
&pluginsettings.DTO{},
secretsService,
&models.ReqContext{
SignedInUser: &user.SignedInUser{
@@ -109,7 +106,6 @@ func TestPluginProxy(t *testing.T) {
},
&setting.Cfg{SendUserHeader: false},
nil,
store,
)
// Get will return empty string even if header is not set
assert.Equal(t, "", req.Header.Get("X-Grafana-User"))
@@ -119,11 +115,9 @@ func TestPluginProxy(t *testing.T) {
httpReq, err := http.NewRequest(http.MethodGet, "", nil)
require.NoError(t, err)
store := &mockPluginsSettingsService{}
store.pluginSetting = &pluginsettings.DTO{}
req := getPluginProxiedRequest(
t,
&pluginsettings.DTO{},
secretsService,
&models.ReqContext{
SignedInUser: &user.SignedInUser{IsAnonymous: true},
@@ -133,7 +127,6 @@ func TestPluginProxy(t *testing.T) {
},
&setting.Cfg{SendUserHeader: true},
nil,
store,
)
// Get will return empty string even if header is not set
@@ -146,18 +139,16 @@ func TestPluginProxy(t *testing.T) {
Method: "GET",
}
store := &mockPluginsSettingsService{}
store.pluginSetting = &pluginsettings.DTO{
JSONData: map[string]interface{}{
"dynamicUrl": "https://dynamic.grafana.com",
},
}
httpReq, err := http.NewRequest(http.MethodGet, "", nil)
require.NoError(t, err)
req := getPluginProxiedRequest(
t,
&pluginsettings.DTO{
JSONData: map[string]interface{}{
"dynamicUrl": "https://dynamic.grafana.com",
},
},
secretsService,
&models.ReqContext{
SignedInUser: &user.SignedInUser{
@@ -169,7 +160,6 @@ func TestPluginProxy(t *testing.T) {
},
&setting.Cfg{SendUserHeader: true},
route,
store,
)
assert.Equal(t, "https://dynamic.grafana.com", req.URL.String())
assert.Equal(t, "{{.JsonData.dynamicUrl}}", route.URL)
@@ -181,14 +171,12 @@ func TestPluginProxy(t *testing.T) {
Method: "GET",
}
store := &mockPluginsSettingsService{}
store.pluginSetting = &pluginsettings.DTO{}
httpReq, err := http.NewRequest(http.MethodGet, "", nil)
require.NoError(t, err)
req := getPluginProxiedRequest(
t,
&pluginsettings.DTO{},
secretsService,
&models.ReqContext{
SignedInUser: &user.SignedInUser{
@@ -200,7 +188,6 @@ func TestPluginProxy(t *testing.T) {
},
&setting.Cfg{SendUserHeader: true},
route,
store,
)
assert.Equal(t, "https://example.com", req.URL.String())
})
@@ -212,22 +199,22 @@ func TestPluginProxy(t *testing.T) {
Body: []byte(`{ "url": "{{.JsonData.dynamicUrl}}", "secret": "{{.SecureJsonData.key}}" }`),
}
store := &mockPluginsSettingsService{}
encryptedJsonData, _ := secretsService.EncryptJsonData(
encryptedJsonData, err := secretsService.EncryptJsonData(
context.Background(),
map[string]string{"key": "123"},
secrets.WithoutScope(),
)
store.pluginSetting = &pluginsettings.DTO{
JSONData: map[string]interface{}{"dynamicUrl": "https://dynamic.grafana.com"},
SecureJSONData: encryptedJsonData,
}
require.NoError(t, err)
httpReq, err := http.NewRequest(http.MethodGet, "", nil)
require.NoError(t, err)
req := getPluginProxiedRequest(
t,
&pluginsettings.DTO{
JSONData: map[string]interface{}{"dynamicUrl": "https://dynamic.grafana.com"},
SecureJSONData: encryptedJsonData,
},
secretsService,
&models.ReqContext{
SignedInUser: &user.SignedInUser{
@@ -239,7 +226,6 @@ func TestPluginProxy(t *testing.T) {
},
&setting.Cfg{SendUserHeader: true},
route,
store,
)
content, err := io.ReadAll(req.Body)
require.NoError(t, err)
@@ -257,9 +243,11 @@ func TestPluginProxy(t *testing.T) {
responseWriter := web.NewResponseWriter("GET", httptest.NewRecorder())
route := &plugins.Route{
Path: "/",
URL: backendServer.URL,
routes := []*plugins.Route{
{
Path: "/",
URL: backendServer.URL,
},
}
ctx := &models.ReqContext{
@@ -269,13 +257,12 @@ func TestPluginProxy(t *testing.T) {
Resp: responseWriter,
},
}
pluginSettingsService := &mockPluginsSettingsService{
pluginSetting: &pluginsettings.DTO{
SecureJSONData: map[string][]byte{},
},
ps := &pluginsettings.DTO{
SecureJSONData: map[string][]byte{},
}
proxy := NewApiPluginProxy(ctx, "", route, "", &setting.Cfg{}, pluginSettingsService, secretsService)
proxy.ServeHTTP(ctx.Resp, ctx.Req)
proxy, err := NewPluginProxy(ps, routes, ctx, "", &setting.Cfg{}, secretsService, tracing.InitializeTracerForTest(), &http.Transport{})
require.NoError(t, err)
proxy.HandleRequest()
for {
if requestHandled {
@@ -287,8 +274,153 @@ func TestPluginProxy(t *testing.T) {
})
}
func TestPluginProxyRoutes(t *testing.T) {
routes := []*plugins.Route{
{
Path: "",
Method: "GET",
URL: "http://localhost",
},
{
Path: "some-api",
Method: "GET",
URL: "http://localhost/api",
},
{
Path: "some-api/instances",
Method: "GET",
URL: "http://localhost/api/instances/",
},
{
Path: "some-api/*",
Method: "GET",
URL: "http://localhost/api",
},
{
Path: "some-api/instances/*",
Method: "GET",
URL: "http://localhost/api/instances",
},
{
Path: "some-other-api/*",
Method: "GET",
URL: "http://localhost/api/v2",
},
{
Path: "some-other-api/instances/*",
Method: "GET",
URL: "http://localhost/api/v2/instances",
},
}
tcs := []struct {
proxyPath string
expectedURLPath string
expectedStatus int
}{
{
proxyPath: "/notexists",
expectedStatus: http.StatusNotFound,
},
{
proxyPath: "/",
expectedURLPath: "/",
expectedStatus: http.StatusOK,
},
{
proxyPath: "/some-api",
expectedURLPath: "/api",
expectedStatus: http.StatusOK,
},
{
proxyPath: "/some-api/instances",
expectedURLPath: "/api/instances/",
expectedStatus: http.StatusOK,
},
{
proxyPath: "/some-api/some/thing",
expectedURLPath: "/api/some/thing",
expectedStatus: http.StatusOK,
},
{
proxyPath: "/some-api/instances/instance-one",
expectedURLPath: "/api/instances/instance-one",
expectedStatus: http.StatusOK,
},
{
proxyPath: "/some-other-api/some/thing",
expectedURLPath: "/api/v2/some/thing",
expectedStatus: http.StatusOK,
},
{
proxyPath: "/some-other-api/instances/instance-one",
expectedURLPath: "/api/v2/instances/instance-one",
expectedStatus: http.StatusOK,
},
}
for _, tc := range tcs {
t.Run(fmt.Sprintf("When proxying path %q should call expected URL", tc.proxyPath), func(t *testing.T) {
secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
requestHandled := false
requestURL := ""
backendServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
requestURL = r.URL.RequestURI()
w.WriteHeader(200)
_, _ = w.Write([]byte("I am the backend"))
requestHandled = true
}))
t.Cleanup(backendServer.Close)
backendURL, err := url.Parse(backendServer.URL)
require.NoError(t, err)
testRoutes := make([]*plugins.Route, len(routes))
for i, r := range routes {
u, err := url.Parse(r.URL)
require.NoError(t, err)
u.Scheme = backendURL.Scheme
u.Host = backendURL.Host
testRoute := *r
testRoute.URL = u.String()
testRoutes[i] = &testRoute
}
responseWriter := web.NewResponseWriter("GET", httptest.NewRecorder())
ctx := &models.ReqContext{
SignedInUser: &user.SignedInUser{},
Context: &web.Context{
Req: httptest.NewRequest("GET", tc.proxyPath, nil),
Resp: responseWriter,
},
}
ps := &pluginsettings.DTO{
SecureJSONData: map[string][]byte{},
}
proxy, err := NewPluginProxy(ps, testRoutes, ctx, tc.proxyPath, &setting.Cfg{}, secretsService, tracing.InitializeTracerForTest(), &http.Transport{})
require.NoError(t, err)
proxy.HandleRequest()
for {
if requestHandled || ctx.Resp.Written() {
break
}
}
require.Equal(t, tc.expectedStatus, ctx.Resp.Status())
if tc.expectedStatus == http.StatusNotFound {
return
}
require.Equal(t, tc.expectedURLPath, requestURL)
})
}
}
// getPluginProxiedRequest is a helper for easier setup of tests based on global config and ReqContext.
func getPluginProxiedRequest(t *testing.T, secretsService secrets.Service, ctx *models.ReqContext, cfg *setting.Cfg, route *plugins.Route, pluginSettingsService pluginsettings.Service) *http.Request {
func getPluginProxiedRequest(t *testing.T, ps *pluginsettings.DTO, secretsService secrets.Service, ctx *models.ReqContext, cfg *setting.Cfg, route *plugins.Route) *http.Request {
// insert dummy route if none is specified
if route == nil {
route = &plugins.Route{
@@ -297,35 +429,12 @@ func getPluginProxiedRequest(t *testing.T, secretsService secrets.Service, ctx *
ReqRole: org.RoleEditor,
}
}
proxy := NewApiPluginProxy(ctx, "", route, "", cfg, pluginSettingsService, secretsService)
proxy, err := NewPluginProxy(ps, []*plugins.Route{}, ctx, "", cfg, secretsService, tracing.InitializeTracerForTest(), &http.Transport{})
require.NoError(t, err)
req, err := http.NewRequest(http.MethodGet, "/api/plugin-proxy/grafana-simple-app/api/v4/alerts", nil)
require.NoError(t, err)
proxy.Director(req)
proxy.matchedRoute = route
proxy.director(req)
return req
}
type mockPluginsSettingsService struct {
pluginSetting *pluginsettings.DTO
err error
}
func (s *mockPluginsSettingsService) GetPluginSettings(_ context.Context, _ *pluginsettings.GetArgs) ([]*pluginsettings.DTO, error) {
return nil, s.err
}
func (s *mockPluginsSettingsService) GetPluginSettingByPluginID(_ context.Context, _ *pluginsettings.GetByPluginIDArgs) (*pluginsettings.DTO, error) {
return s.pluginSetting, s.err
}
func (s *mockPluginsSettingsService) UpdatePluginSettingPluginVersion(_ context.Context, _ *pluginsettings.UpdatePluginVersionArgs) error {
return s.err
}
func (s *mockPluginsSettingsService) UpdatePluginSetting(_ context.Context, _ *pluginsettings.UpdateArgs) error {
return s.err
}
func (s *mockPluginsSettingsService) DecryptedValues(_ *pluginsettings.DTO) map[string]string {
return nil
}