public/grafana
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b50737a76ceaa301d07deda42b8336e20b6d7953
grafana/apps/advisor/pkg/app/checks/plugincheck/unsigned_step.go
T
Andres Martinez Gotor e2e8de29ba Advisor: Check plugin signature (#106044)
2025-05-29 11:33:19 +02:00

95 lines
2.5 KiB
Go
Raw Blame History

package plugincheck
import (
"context"
"fmt"
"slices"
"github.com/grafana/grafana-app-sdk/logging"
advisor "github.com/grafana/grafana/apps/advisor/pkg/apis/advisor/v0alpha1"
"github.com/grafana/grafana/apps/advisor/pkg/app/checks"
"github.com/grafana/grafana/pkg/plugins"
"github.com/grafana/grafana/pkg/plugins/repo"
)
const (
UnsignedStepID = "unsigned"
)
type unsignedStep struct {
pluginIndex map[string]repo.PluginInfo
}
func (s *unsignedStep) Title() string {
return "Plugin signature check"
}
func (s *unsignedStep) Description() string {
return "Checks has a missing or invalid signature."
}
func (s *unsignedStep) Resolution() string {
return "For security, we recommend only installing plugins from the catalog. " +
"Review the plugin's status and verify your allowlist if appropriate."
}
func (s *unsignedStep) ID() string {
return UnsignedStepID
}
func (s *unsignedStep) Run(ctx context.Context, log logging.Logger, _ *advisor.CheckSpec, it any) ([]advisor.CheckReportFailure, error) {
pi, ok := it.(*pluginItem)
if !ok {
return nil, fmt.Errorf("invalid item type %T", it)
}
p := pi.Plugin
invalidSignatureTypes := []plugins.SignatureStatus{
plugins.SignatureStatusUnsigned,
plugins.SignatureStatusModified,
plugins.SignatureStatusInvalid,
}
if p != nil && slices.Contains(invalidSignatureTypes, p.Signature) {
// This will only happen in dev mode or if the plugin is in the unsigned allow list
links := []advisor.CheckErrorLink{}
if _, ok := s.pluginIndex[p.ID]; ok {
links = append(links, advisor.CheckErrorLink{
Message: "View plugin",
Url: fmt.Sprintf("/plugins/%s", p.ID),
})
}
return []advisor.CheckReportFailure{checks.NewCheckReportFailure(
advisor.CheckReportFailureSeverityLow,
s.ID(),
p.Name,
p.ID,
links,
)}, nil
}
pluginErr := pi.Err
invalidErrorCodeTypes := []plugins.ErrorCode{
plugins.ErrorCodeSignatureMissing,
plugins.ErrorCodeSignatureInvalid,
plugins.ErrorCodeSignatureModified,
}
if pluginErr != nil && slices.Contains(invalidErrorCodeTypes, pluginErr.ErrorCode) {
links := []advisor.CheckErrorLink{}
if _, ok := s.pluginIndex[pluginErr.PluginID]; ok {
links = append(links, advisor.CheckErrorLink{
Message: "View plugin",
Url: fmt.Sprintf("/plugins/%s", pluginErr.PluginID),
})
}
return []advisor.CheckReportFailure{checks.NewCheckReportFailure(
advisor.CheckReportFailureSeverityHigh,
s.ID(),
pluginErr.PluginID,
pluginErr.PluginID,
links,
)}, nil
}
return nil, nil
}
Reference in New Issue View Git Blame Copy Permalink