mirror of
https://github.com/grafana/grafana.git
synced 2026-06-10 09:01:30 -04:00
463 lines
14 KiB
Go
463 lines
14 KiB
Go
package pluginproxy
|
|
|
|
import (
|
|
"bytes"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"net/http"
|
|
"net/url"
|
|
"strconv"
|
|
"strings"
|
|
"time"
|
|
|
|
"go.opentelemetry.io/otel/attribute"
|
|
"go.opentelemetry.io/otel/trace"
|
|
|
|
"github.com/grafana/grafana/pkg/api/datasource/validation"
|
|
"github.com/grafana/grafana/pkg/apimachinery/identity"
|
|
"github.com/grafana/grafana/pkg/apimachinery/utils"
|
|
datasourcesV0 "github.com/grafana/grafana/pkg/apis/datasource/v0alpha1"
|
|
"github.com/grafana/grafana/pkg/infra/httpclient"
|
|
glog "github.com/grafana/grafana/pkg/infra/log"
|
|
"github.com/grafana/grafana/pkg/infra/tracing"
|
|
"github.com/grafana/grafana/pkg/models/usertoken"
|
|
"github.com/grafana/grafana/pkg/plugins"
|
|
"github.com/grafana/grafana/pkg/services/datasources"
|
|
"github.com/grafana/grafana/pkg/services/featuremgmt"
|
|
"github.com/grafana/grafana/pkg/services/oauthtoken"
|
|
pluginac "github.com/grafana/grafana/pkg/services/pluginsintegration/pluginaccesscontrol"
|
|
"github.com/grafana/grafana/pkg/util"
|
|
"github.com/grafana/grafana/pkg/util/proxyutil"
|
|
)
|
|
|
|
var (
|
|
logger = glog.New("data-proxy-log")
|
|
client = newHTTPClient()
|
|
|
|
errPluginProxyRouteAccessDenied = errors.New("plugin proxy route access denied")
|
|
)
|
|
|
|
// maxForwardedUserAgentLen is the maximum byte length of the client User-Agent
|
|
// appended to the data proxy User-Agent when forward_user_agent is enabled.
|
|
const maxForwardedUserAgentLen = 255
|
|
|
|
type HTTPContext struct {
|
|
Req *http.Request
|
|
Resp http.ResponseWriter
|
|
|
|
// TODO? eventually this should come from the user in the request context
|
|
UserToken *usertoken.UserToken
|
|
}
|
|
|
|
type DataSourceProxy struct {
|
|
ds *datasourcesV0.DataSource
|
|
requester identity.Requester
|
|
dataSource DataSourceLoader
|
|
ctx HTTPContext
|
|
targetUrl *url.URL
|
|
proxyPath string
|
|
matchedRoute *plugins.Route
|
|
pluginRoutes []*plugins.Route
|
|
settings *DataSourceProxySettings
|
|
clientProvider httpclient.Provider
|
|
oAuthTokenService oauthtoken.OAuthTokenService
|
|
tracer tracing.Tracer
|
|
features featuremgmt.FeatureToggles
|
|
}
|
|
|
|
type httpClient interface {
|
|
Do(req *http.Request) (*http.Response, error)
|
|
}
|
|
|
|
// NewDataSourceProxy creates a new Datasource proxy
|
|
func NewDataSourceProxy(dataSource DataSourceLoader,
|
|
pluginRoutes []*plugins.Route, ctx HTTPContext,
|
|
proxyPath string, settings *DataSourceProxySettings, clientProvider httpclient.Provider,
|
|
oAuthTokenService oauthtoken.OAuthTokenService,
|
|
tracer tracing.Tracer, features featuremgmt.FeatureToggles,
|
|
) (*DataSourceProxy, error) {
|
|
ds, err := dataSource.DataSource(ctx.Req.Context())
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to load datasource: %w", err)
|
|
}
|
|
|
|
targetURL, err := validation.ValidateURL(dataSource.PluginType(), ds.Spec.URL())
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
requester, err := identity.GetRequester(ctx.Req.Context())
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to get requester from context: %w", err)
|
|
}
|
|
|
|
return &DataSourceProxy{
|
|
ds: ds,
|
|
requester: requester,
|
|
dataSource: dataSource,
|
|
pluginRoutes: pluginRoutes,
|
|
ctx: ctx,
|
|
proxyPath: proxyPath,
|
|
targetUrl: targetURL,
|
|
settings: settings,
|
|
clientProvider: clientProvider,
|
|
oAuthTokenService: oAuthTokenService,
|
|
tracer: tracer,
|
|
features: features,
|
|
}, nil
|
|
}
|
|
|
|
func newHTTPClient() httpClient {
|
|
return &http.Client{
|
|
Timeout: 30 * time.Second,
|
|
Transport: &http.Transport{Proxy: http.ProxyFromEnvironment},
|
|
}
|
|
}
|
|
|
|
func (proxy *DataSourceProxy) HandleRequest() {
|
|
if err := proxy.validateRequest(); err != nil {
|
|
writeJSONErr(proxy.ctx.Resp, proxy.ctx.Req, 403, err.Error(), nil)
|
|
return
|
|
}
|
|
|
|
userid, _ := proxy.requester.GetInternalID()
|
|
proxyErrorLogger := logger.New(
|
|
"userId", userid,
|
|
"orgId", proxy.requester.GetOrgID(),
|
|
"uname", proxy.requester.GetLogin(),
|
|
"path", proxy.ctx.Req.URL.Path,
|
|
"remote_addr", proxy.ctx.Req.RemoteAddr,
|
|
"referer", proxy.ctx.Req.Referer(),
|
|
)
|
|
|
|
transport, err := proxy.dataSource.GetHTTPTransport(proxy.ctx.Req.Context(), proxy.clientProvider)
|
|
if err != nil {
|
|
writeJSONErr(proxy.ctx.Resp, proxy.ctx.Req, 400, "Unable to load TLS certificate", err)
|
|
return
|
|
}
|
|
|
|
modifyResponse := func(resp *http.Response) error {
|
|
if resp.StatusCode == 401 {
|
|
// The data source rejected the request as unauthorized, convert to 400 (bad request)
|
|
body, err := io.ReadAll(resp.Body)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to read data source response body: %w", err)
|
|
}
|
|
_ = resp.Body.Close()
|
|
|
|
ctxLogger := proxyErrorLogger.FromContext(resp.Request.Context())
|
|
ctxLogger.Info("Authentication to data source failed", "body", string(body), "statusCode",
|
|
resp.StatusCode)
|
|
msg := "Authentication to data source failed"
|
|
*resp = http.Response{
|
|
StatusCode: 400,
|
|
Status: "Bad Request",
|
|
Body: io.NopCloser(strings.NewReader(msg)),
|
|
ContentLength: int64(len(msg)),
|
|
Header: http.Header{},
|
|
Request: resp.Request,
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
reverseProxy := proxyutil.NewReverseProxy(
|
|
proxyErrorLogger,
|
|
proxy.director,
|
|
proxyutil.WithTransport(transport),
|
|
proxyutil.WithModifyResponse(modifyResponse),
|
|
)
|
|
|
|
proxy.logRequest()
|
|
ctx, span := proxy.tracer.Start(proxy.ctx.Req.Context(), "datasource reverse proxy")
|
|
defer span.End()
|
|
|
|
proxy.ctx.Req = proxy.ctx.Req.WithContext(ctx)
|
|
|
|
span.SetAttributes(
|
|
attribute.String("datasource_name", proxy.ds.Spec.Title()),
|
|
attribute.String("datasource_type", proxy.dataSource.PluginType()),
|
|
attribute.String("user", proxy.requester.GetLogin()),
|
|
attribute.Int64("org_id", proxy.requester.GetOrgID()),
|
|
)
|
|
|
|
proxy.addTraceFromHeaderValue(span, "X-Panel-Id", "panel_id")
|
|
proxy.addTraceFromHeaderValue(span, "X-Dashboard-Id", "dashboard_id")
|
|
|
|
proxy.tracer.Inject(ctx, proxy.ctx.Req.Header, span)
|
|
|
|
reverseProxy.ServeHTTP(proxy.ctx.Resp, proxy.ctx.Req)
|
|
}
|
|
|
|
func (proxy *DataSourceProxy) addTraceFromHeaderValue(span trace.Span, headerName string, tagName string) {
|
|
panelId := proxy.ctx.Req.Header.Get(headerName)
|
|
dashId, err := strconv.Atoi(panelId)
|
|
if err == nil {
|
|
span.SetAttributes(attribute.Int(tagName, dashId))
|
|
}
|
|
}
|
|
|
|
func (proxy *DataSourceProxy) director(req *http.Request) {
|
|
req.URL.Scheme = proxy.targetUrl.Scheme
|
|
req.URL.Host = proxy.targetUrl.Host
|
|
req.Host = proxy.targetUrl.Host
|
|
|
|
reqQueryVals := req.URL.Query()
|
|
|
|
ctxLogger := logger.FromContext(req.Context())
|
|
ds := proxy.ds
|
|
|
|
switch proxy.dataSource.PluginType() {
|
|
case datasources.DS_INFLUXDB_08:
|
|
password, err := proxy.dataSource.DecryptedPassword(req.Context())
|
|
if err != nil {
|
|
ctxLogger.Error("Error interpolating proxy url", "error", err)
|
|
return
|
|
}
|
|
|
|
req.URL.RawPath = util.JoinURLFragments(proxy.targetUrl.Path, "db/"+ds.Spec.Database()+"/"+proxy.proxyPath)
|
|
reqQueryVals.Add("u", ds.Spec.User())
|
|
reqQueryVals.Add("p", password)
|
|
req.URL.RawQuery = reqQueryVals.Encode()
|
|
case datasources.DS_INFLUXDB:
|
|
password, err := proxy.dataSource.DecryptedPassword(req.Context())
|
|
if err != nil {
|
|
ctxLogger.Error("Error interpolating proxy url", "error", err)
|
|
return
|
|
}
|
|
req.URL.RawPath = util.JoinURLFragments(proxy.targetUrl.Path, proxy.proxyPath)
|
|
req.URL.RawQuery = reqQueryVals.Encode()
|
|
if !ds.Spec.BasicAuth() {
|
|
req.Header.Set(
|
|
"Authorization",
|
|
util.GetBasicAuthHeader(ds.Spec.User(), password),
|
|
)
|
|
}
|
|
default:
|
|
req.URL.RawPath = util.JoinURLFragments(proxy.targetUrl.Path, proxy.proxyPath)
|
|
}
|
|
|
|
unescapedPath, err := url.PathUnescape(req.URL.RawPath)
|
|
if err != nil {
|
|
ctxLogger.Error("Failed to unescape raw path", "rawPath", req.URL.RawPath, "error", err)
|
|
return
|
|
}
|
|
|
|
req.URL.Path = unescapedPath
|
|
|
|
if ds.Spec.BasicAuth() {
|
|
password, err := proxy.dataSource.DecryptedBasicAuthPassword(req.Context())
|
|
if err != nil {
|
|
ctxLogger.Error("Error interpolating proxy url", "error", err)
|
|
return
|
|
}
|
|
req.Header.Set("Authorization", util.GetBasicAuthHeader(ds.Spec.BasicAuthUser(),
|
|
password))
|
|
}
|
|
|
|
dsAuth := req.Header.Get("X-DS-Authorization")
|
|
if len(dsAuth) > 0 {
|
|
req.Header.Del("X-DS-Authorization")
|
|
req.Header.Set("Authorization", dsAuth)
|
|
}
|
|
|
|
proxyutil.ApplyUserHeader(proxy.settings.SendUserHeader, req, proxy.requester)
|
|
|
|
proxyutil.ClearCookieHeader(req, ds.Spec.KeepCookies(), []string{proxy.settings.LoginCookieName})
|
|
ua := proxy.settings.DataProxyUserAgent
|
|
if proxy.settings.DataProxyForwardUserAgent {
|
|
if originalUA := req.Header.Get("User-Agent"); originalUA != "" {
|
|
if len(originalUA) > maxForwardedUserAgentLen {
|
|
originalUA = originalUA[:maxForwardedUserAgentLen]
|
|
}
|
|
if ua != "" {
|
|
ua = ua + " " + originalUA
|
|
} else {
|
|
ua = originalUA
|
|
}
|
|
}
|
|
}
|
|
req.Header.Set("User-Agent", ua)
|
|
|
|
if proxy.matchedRoute != nil {
|
|
decryptedValues, err := proxy.dataSource.DecryptedValues(req.Context())
|
|
if err != nil {
|
|
ctxLogger.Error("Error interpolating proxy url", "error", err)
|
|
return
|
|
}
|
|
|
|
ApplyRoute(req.Context(), req, proxy.proxyPath, proxy.matchedRoute, dsInfo(ds, decryptedValues), proxy.settings)
|
|
}
|
|
|
|
if ds.Spec.IsOAuthPassThruEnabled() {
|
|
if token := proxy.oAuthTokenService.GetCurrentOAuthToken(req.Context(), proxy.requester, proxy.ctx.UserToken); token != nil {
|
|
req.Header.Set("Authorization", fmt.Sprintf("%s %s", token.Type(), token.AccessToken))
|
|
|
|
idToken, ok := token.Extra("id_token").(string)
|
|
if ok && idToken != "" {
|
|
req.Header.Set("X-ID-Token", idToken)
|
|
}
|
|
}
|
|
}
|
|
|
|
proxyutil.ApplyForwardIDHeader(req, proxy.requester)
|
|
}
|
|
|
|
// dsInfo builds the DSInfo that ApplyRoute needs from a v0 datasource.
|
|
func dsInfo(ds *datasourcesV0.DataSource, decryptedValues map[string]string) DSInfo {
|
|
// JSONData may be absent or stored as a non-map value; ApplyRoute requires a non-nil map, so fall back to empty.
|
|
jsonData, ok := ds.Spec.JSONData().(map[string]any)
|
|
if !ok {
|
|
jsonData = make(map[string]any)
|
|
}
|
|
|
|
meta, _ := utils.MetaAccessor(ds)
|
|
updated := ds.CreationTimestamp.Time
|
|
if ts, _ := meta.GetUpdatedTimestamp(); ts != nil {
|
|
updated = *ts
|
|
}
|
|
|
|
return DSInfo{
|
|
ID: meta.GetDeprecatedInternalID(), // nolint:staticcheck
|
|
|
|
URL: ds.Spec.URL(),
|
|
Updated: updated,
|
|
JSONData: jsonData,
|
|
DecryptedSecureJSONData: decryptedValues,
|
|
}
|
|
}
|
|
|
|
func (proxy *DataSourceProxy) validateRequest() error {
|
|
if !proxy.checkWhiteList() {
|
|
return errors.New("target URL is not a valid target")
|
|
}
|
|
|
|
if proxy.dataSource.PluginType() == datasources.DS_ES {
|
|
if proxy.ctx.Req.Method == "DELETE" {
|
|
return errors.New("deletes not allowed on proxied Elasticsearch datasource")
|
|
}
|
|
if proxy.ctx.Req.Method == "PUT" {
|
|
return errors.New("puts not allowed on proxied Elasticsearch datasource")
|
|
}
|
|
if proxy.ctx.Req.Method == "POST" && proxy.proxyPath != "_msearch" {
|
|
return errors.New("posts not allowed on proxied Elasticsearch datasource except on /_msearch")
|
|
}
|
|
}
|
|
|
|
// found route if there are any
|
|
for _, route := range proxy.pluginRoutes {
|
|
// method match
|
|
if route.Method != "" && route.Method != "*" && route.Method != proxy.ctx.Req.Method {
|
|
continue
|
|
}
|
|
|
|
// route match
|
|
r1, err := plugins.CleanRelativePath(proxy.proxyPath)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
r2, err := plugins.CleanRelativePath(route.Path)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
// issues/116273: When we have an empty input route (or input that becomes relative to "."), we do not want it
|
|
// to be ".". This is because the `CleanRelativePath` function will never return "./" prefixes, and as such,
|
|
// the common prefix we need is an empty string.
|
|
if r1 == "." && proxy.proxyPath != "." {
|
|
r1 = ""
|
|
}
|
|
if r2 == "." && route.Path != "." {
|
|
r2 = ""
|
|
}
|
|
if !strings.HasPrefix(r1, r2) {
|
|
continue
|
|
}
|
|
|
|
if !proxy.hasAccessToRoute(route) {
|
|
return errPluginProxyRouteAccessDenied
|
|
}
|
|
|
|
proxy.matchedRoute = route
|
|
return nil
|
|
}
|
|
|
|
// Trailing validation below this point for routes that were not matched
|
|
switch proxy.dataSource.PluginType() {
|
|
case datasources.DS_PROMETHEUS,
|
|
datasources.DS_AMAZON_PROMETHEUS,
|
|
datasources.DS_AZURE_PROMETHEUS,
|
|
datasources.DS_LOKI:
|
|
switch proxy.ctx.Req.Method {
|
|
case "DELETE", "PUT", "POST":
|
|
return fmt.Errorf("non allow-listed %ss not allowed on proxied %s datasource", proxy.ctx.Req.Method, proxy.dataSource.PluginType())
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (proxy *DataSourceProxy) hasAccessToRoute(route *plugins.Route) bool {
|
|
ctxLogger := logger.FromContext(proxy.ctx.Req.Context())
|
|
if route.ReqAction != "" {
|
|
routeEval := pluginac.GetDataSourceRouteEvaluator(proxy.ds.Name, route.ReqAction)
|
|
hasAccess := routeEval.Evaluate(proxy.requester.GetPermissions())
|
|
if !hasAccess {
|
|
ctxLogger.Debug("plugin route is covered by RBAC, user doesn't have access", "route", proxy.ctx.Req.URL.Path, "action", route.ReqAction, "path", route.Path, "method", route.Method)
|
|
}
|
|
return hasAccess
|
|
}
|
|
if route.ReqRole.IsValid() {
|
|
if hasUserRole := proxy.requester.GetOrgRole().Includes(route.ReqRole); !hasUserRole {
|
|
ctxLogger.Debug("plugin route is covered by org role, user doesn't have access", "route", proxy.ctx.Req.URL.Path, "role", route.ReqRole, "path", route.Path, "method", route.Method)
|
|
return false
|
|
}
|
|
}
|
|
return true
|
|
}
|
|
|
|
func (proxy *DataSourceProxy) logRequest() {
|
|
if !proxy.settings.DataProxyLogging {
|
|
return
|
|
}
|
|
|
|
var body string
|
|
if proxy.ctx.Req.Body != nil {
|
|
buffer, err := io.ReadAll(proxy.ctx.Req.Body)
|
|
if err == nil {
|
|
proxy.ctx.Req.Body = io.NopCloser(bytes.NewBuffer(buffer))
|
|
body = string(buffer)
|
|
}
|
|
}
|
|
|
|
ctxLogger := logger.FromContext(proxy.ctx.Req.Context())
|
|
panelPluginId := proxy.ctx.Req.Header.Get("X-Panel-Plugin-Id")
|
|
|
|
uri, err := util.SanitizeURI(proxy.ctx.Req.RequestURI)
|
|
if err != nil {
|
|
ctxLogger.Error("Could not sanitize RequestURI", "error", err)
|
|
}
|
|
|
|
userid, _ := proxy.requester.GetInternalID()
|
|
|
|
ctxLogger.Info("Proxying incoming request",
|
|
"userid", userid,
|
|
"orgid", proxy.requester.GetOrgID(),
|
|
"username", proxy.requester.GetLogin(),
|
|
"datasource", proxy.dataSource.PluginType(),
|
|
"uri", uri,
|
|
"method", proxy.ctx.Req.Method,
|
|
"panelPluginId", panelPluginId,
|
|
"body", body)
|
|
}
|
|
|
|
func (proxy *DataSourceProxy) checkWhiteList() bool {
|
|
if proxy.targetUrl.Host != "" && len(proxy.settings.DataProxyWhiteList) > 0 {
|
|
if _, exists := proxy.settings.DataProxyWhiteList[proxy.targetUrl.Host]; !exists {
|
|
writeJSONErr(proxy.ctx.Resp, proxy.ctx.Req, 403, "Data proxy hostname and ip are not included in whitelist", nil)
|
|
return false
|
|
}
|
|
}
|
|
|
|
return true
|
|
}
|