upstream/grafana
1
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2026-06-10 09:01:30 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 165
grafana/pkg/api/pluginproxy/ds_proxy_test.go
Ryan McKinley 538d9be70c
Some checks failed
Backend Code Checks / Detect whether code changed (push) Has been cancelled
Details
Backend Unit Tests / Detect whether code changed (push) Has been cancelled
Details
Build Go (matrix) / darwin/amd64 (push) Has been cancelled
Details
Build Go (matrix) / linux/amd64 (push) Has been cancelled
Details
Build Go (matrix) / linux/armv6 (push) Has been cancelled
Details
Build Go (matrix) / linux/armv7 (push) Has been cancelled
Details
Build Go (matrix) / darwin/arm64 (push) Has been cancelled
Details
Build Go (matrix) / linux/arm64 (push) Has been cancelled
Details
Build Go (matrix) / windows/arm64 (push) Has been cancelled
Details
Build Go (matrix) / linux/s390x (push) Has been cancelled
Details
Build Go (matrix) / darwin/amd64 (enterprise) (push) Has been cancelled
Details
Build Go (matrix) / linux/amd64 (enterprise) (push) Has been cancelled
Details
Build Go (matrix) / linux/armv6 (enterprise) (push) Has been cancelled
Details
Build Go (matrix) / linux/armv7 (enterprise) (push) Has been cancelled
Details
Build Go (matrix) / darwin/arm64 (enterprise) (push) Has been cancelled
Details
Build Go (matrix) / linux/arm64 (enterprise) (push) Has been cancelled
Details
Build Go (matrix) / windows/arm64 (enterprise) (push) Has been cancelled
Details
Build Go (matrix) / linux/s390x (enterprise) (push) Has been cancelled
Details
Build Go (matrix) / verify rpm stig (linux/amd64) (push) Has been cancelled
Details
Lint Frontend / Detect whether code changed (push) Has been cancelled
Details
Lint Frontend / Verify API clients (push) Has been cancelled
Details
Lint Frontend / Verify OpenAPI specs (push) Has been cancelled
Details
Lint Frontend / Verify API clients (enterprise) (push) Has been cancelled
Details
golangci-lint / Detect whether code changed (push) Has been cancelled
Details
govulncheck / govulncheck (push) Has been cancelled
Details
Verify i18n / verify-i18n (push) Has been cancelled
Details
End-to-end tests / Detect whether code changed (push) Has been cancelled
Details
End-to-end tests / Publish metrics (push) Has been cancelled
Details
Frontend tests / Detect whether code changed (push) Has been cancelled
Details
Integration Tests (pgvector) / pgvector (push) Has been cancelled
Details
Integration Tests / Detect whether code changed (push) Has been cancelled
Details
Integration Tests / Sqlite (1/4) (push) Has been cancelled
Details
Integration Tests / Sqlite (2/4) (push) Has been cancelled
Details
Integration Tests / Sqlite (3/4) (push) Has been cancelled
Details
Integration Tests / Sqlite (4/4) (push) Has been cancelled
Details
Integration Tests / MySQL (1/16) (push) Has been cancelled
Details
Integration Tests / MySQL (10/16) (push) Has been cancelled
Details
Integration Tests / MySQL (11/16) (push) Has been cancelled
Details
Integration Tests / MySQL (12/16) (push) Has been cancelled
Details
Integration Tests / MySQL (13/16) (push) Has been cancelled
Details
Integration Tests / MySQL (14/16) (push) Has been cancelled
Details
Integration Tests / MySQL (15/16) (push) Has been cancelled
Details
Integration Tests / MySQL (16/16) (push) Has been cancelled
Details
Integration Tests / MySQL (2/16) (push) Has been cancelled
Details
Integration Tests / MySQL (3/16) (push) Has been cancelled
Details
Integration Tests / MySQL (4/16) (push) Has been cancelled
Details
Integration Tests / MySQL (5/16) (push) Has been cancelled
Details
Integration Tests / MySQL (6/16) (push) Has been cancelled
Details
Integration Tests / MySQL (7/16) (push) Has been cancelled
Details
Integration Tests / MySQL (8/16) (push) Has been cancelled
Details
Integration Tests / MySQL (9/16) (push) Has been cancelled
Details
Integration Tests / Postgres (1/16) (push) Has been cancelled
Details
Integration Tests / Postgres (10/16) (push) Has been cancelled
Details
Integration Tests / Postgres (11/16) (push) Has been cancelled
Details
Integration Tests / Postgres (12/16) (push) Has been cancelled
Details
Integration Tests / Postgres (13/16) (push) Has been cancelled
Details
Integration Tests / Postgres (14/16) (push) Has been cancelled
Details
Integration Tests / Postgres (15/16) (push) Has been cancelled
Details
Integration Tests / Postgres (16/16) (push) Has been cancelled
Details
Integration Tests / Postgres (2/16) (push) Has been cancelled
Details
Integration Tests / Postgres (3/16) (push) Has been cancelled
Details
Integration Tests / Postgres (4/16) (push) Has been cancelled
Details
Integration Tests / Postgres (5/16) (push) Has been cancelled
Details
Integration Tests / Postgres (6/16) (push) Has been cancelled
Details
Integration Tests / Postgres (7/16) (push) Has been cancelled
Details
Integration Tests / Postgres (8/16) (push) Has been cancelled
Details
Integration Tests / Postgres (9/16) (push) Has been cancelled
Details
Integration Tests / Sqlite Enterprise (1/16) (push) Has been cancelled
Details
Integration Tests / Sqlite Enterprise (10/16) (push) Has been cancelled
Details
Integration Tests / Sqlite Enterprise (11/16) (push) Has been cancelled
Details
Integration Tests / Sqlite Enterprise (12/16) (push) Has been cancelled
Details
Integration Tests / Sqlite Enterprise (13/16) (push) Has been cancelled
Details
Integration Tests / Sqlite Enterprise (14/16) (push) Has been cancelled
Details
Integration Tests / Sqlite Enterprise (15/16) (push) Has been cancelled
Details
Integration Tests / Sqlite Enterprise (16/16) (push) Has been cancelled
Details
Integration Tests / Sqlite Enterprise (2/16) (push) Has been cancelled
Details
Integration Tests / Sqlite Enterprise (3/16) (push) Has been cancelled
Details
Integration Tests / Sqlite Enterprise (4/16) (push) Has been cancelled
Details
Integration Tests / Sqlite Enterprise (5/16) (push) Has been cancelled
Details
Integration Tests / Sqlite Enterprise (6/16) (push) Has been cancelled
Details
Integration Tests / Sqlite Enterprise (7/16) (push) Has been cancelled
Details
Integration Tests / Sqlite Enterprise (8/16) (push) Has been cancelled
Details
Integration Tests / Sqlite Enterprise (9/16) (push) Has been cancelled
Details
Integration Tests / MySQL Enterprise (1/16) (push) Has been cancelled
Details
Integration Tests / MySQL Enterprise (10/16) (push) Has been cancelled
Details
Integration Tests / MySQL Enterprise (11/16) (push) Has been cancelled
Details
Integration Tests / MySQL Enterprise (12/16) (push) Has been cancelled
Details
Integration Tests / MySQL Enterprise (13/16) (push) Has been cancelled
Details
Integration Tests / MySQL Enterprise (14/16) (push) Has been cancelled
Details
Integration Tests / MySQL Enterprise (15/16) (push) Has been cancelled
Details
Integration Tests / MySQL Enterprise (16/16) (push) Has been cancelled
Details
Integration Tests / MySQL Enterprise (2/16) (push) Has been cancelled
Details
Integration Tests / MySQL Enterprise (3/16) (push) Has been cancelled
Details
Integration Tests / MySQL Enterprise (4/16) (push) Has been cancelled
Details
Integration Tests / MySQL Enterprise (5/16) (push) Has been cancelled
Details
Integration Tests / MySQL Enterprise (6/16) (push) Has been cancelled
Details
Integration Tests / MySQL Enterprise (7/16) (push) Has been cancelled
Details
Integration Tests / MySQL Enterprise (8/16) (push) Has been cancelled
Details
Integration Tests / MySQL Enterprise (9/16) (push) Has been cancelled
Details
Integration Tests / Postgres Enterprise (1/16) (push) Has been cancelled
Details
Integration Tests / Postgres Enterprise (10/16) (push) Has been cancelled
Details
Integration Tests / Postgres Enterprise (11/16) (push) Has been cancelled
Details
Integration Tests / Postgres Enterprise (12/16) (push) Has been cancelled
Details
Integration Tests / Postgres Enterprise (13/16) (push) Has been cancelled
Details
Integration Tests / Postgres Enterprise (14/16) (push) Has been cancelled
Details
Integration Tests / Postgres Enterprise (15/16) (push) Has been cancelled
Details
Integration Tests / Postgres Enterprise (16/16) (push) Has been cancelled
Details
Integration Tests / Postgres Enterprise (2/16) (push) Has been cancelled
Details
Integration Tests / Postgres Enterprise (3/16) (push) Has been cancelled
Details
Integration Tests / Postgres Enterprise (4/16) (push) Has been cancelled
Details
Integration Tests / Postgres Enterprise (5/16) (push) Has been cancelled
Details
Integration Tests / Postgres Enterprise (6/16) (push) Has been cancelled
Details
Integration Tests / Postgres Enterprise (7/16) (push) Has been cancelled
Details
Integration Tests / Postgres Enterprise (8/16) (push) Has been cancelled
Details
Integration Tests / Postgres Enterprise (9/16) (push) Has been cancelled
Details
Reject GitHub secrets / reject-gh-secrets (push) Has been cancelled
Details
Build Release Packages / setup (push) Has been cancelled
Details
Run dashboard schema v2 e2e / dashboard-schema-v2-e2e (push) Has been cancelled
Details
Shellcheck / Shellcheck scripts (push) Has been cancelled
Details
Run Storybook a11y tests / Detect whether code changed (push) Has been cancelled
Details
Swagger generated code / Detect whether code changed (push) Has been cancelled
Details
Dispatch sync to mirror / dispatch-job (push) Has been cancelled
Details
Backend Code Checks / Validate Backend Configs (push) Has been cancelled
Details
Backend Unit Tests / Grafana (1/8) (push) Has been cancelled
Details
Backend Unit Tests / Grafana (2/8) (push) Has been cancelled
Details
Backend Unit Tests / Grafana (3/8) (push) Has been cancelled
Details
Backend Unit Tests / Grafana (4/8) (push) Has been cancelled
Details
Backend Unit Tests / Grafana (5/8) (push) Has been cancelled
Details
Backend Unit Tests / Grafana (6/8) (push) Has been cancelled
Details
Backend Unit Tests / Grafana (7/8) (push) Has been cancelled
Details
Backend Unit Tests / Grafana (8/8) (push) Has been cancelled
Details
Backend Unit Tests / Grafana Enterprise (1/8) (push) Has been cancelled
Details
Backend Unit Tests / Grafana Enterprise (2/8) (push) Has been cancelled
Details
Backend Unit Tests / Grafana Enterprise (3/8) (push) Has been cancelled
Details
Backend Unit Tests / Grafana Enterprise (4/8) (push) Has been cancelled
Details
Backend Unit Tests / Grafana Enterprise (5/8) (push) Has been cancelled
Details
Backend Unit Tests / Grafana Enterprise (6/8) (push) Has been cancelled
Details
Backend Unit Tests / Grafana Enterprise (7/8) (push) Has been cancelled
Details
Backend Unit Tests / Grafana Enterprise (8/8) (push) Has been cancelled
Details
Backend Unit Tests / All backend unit tests complete (push) Has been cancelled
Details
Lint Frontend / Lint (push) Has been cancelled
Details
Lint Frontend / Typecheck (push) Has been cancelled
Details
Lint Frontend / Typecheck (TSGO/TS7) (push) Has been cancelled
Details
Lint Frontend / Verify packed frontend packages (push) Has been cancelled
Details
Lint Frontend / Check circular dependencies (push) Has been cancelled
Details
Lint Frontend / Validate yarn install (push) Has been cancelled
Details
golangci-lint / go-fmt (push) Has been cancelled
Details
golangci-lint / lint-go (push) Has been cancelled
Details
End-to-end tests / Build backend (push) Has been cancelled
Details
End-to-end tests / Build frontend (push) Has been cancelled
Details
End-to-end tests / Verify Storybook (Playwright) (push) Has been cancelled
Details
End-to-end tests / Playwright E2E tests (1/8) (push) Has been cancelled
Details
End-to-end tests / Playwright E2E tests (2/8) (push) Has been cancelled
Details
End-to-end tests / Playwright E2E tests (3/8) (push) Has been cancelled
Details
End-to-end tests / Playwright E2E tests (4/8) (push) Has been cancelled
Details
End-to-end tests / Playwright E2E tests (5/8) (push) Has been cancelled
Details
End-to-end tests / Playwright E2E tests (6/8) (push) Has been cancelled
Details
End-to-end tests / Playwright E2E tests (7/8) (push) Has been cancelled
Details
End-to-end tests / Playwright E2E tests (8/8) (push) Has been cancelled
Details
End-to-end tests / All Playwright tests complete (push) Has been cancelled
Details
End-to-end tests / Report Playwright benchmarks (push) Has been cancelled
Details
End-to-end tests / All E2E tests complete (push) Has been cancelled
Details
Frontend tests / Generate golden files (push) Has been cancelled
Details
Frontend tests / Unit tests (1 / 16) (push) Has been cancelled
Details
Frontend tests / Unit tests (10 / 16) (push) Has been cancelled
Details
Frontend tests / Unit tests (11 / 16) (push) Has been cancelled
Details
Frontend tests / Unit tests (12 / 16) (push) Has been cancelled
Details
Frontend tests / Unit tests (13 / 16) (push) Has been cancelled
Details
Frontend tests / Unit tests (14 / 16) (push) Has been cancelled
Details
Frontend tests / Unit tests (15 / 16) (push) Has been cancelled
Details
Frontend tests / Unit tests (16 / 16) (push) Has been cancelled
Details
Frontend tests / Unit tests (2 / 16) (push) Has been cancelled
Details
Frontend tests / Unit tests (3 / 16) (push) Has been cancelled
Details
Frontend tests / Unit tests (4 / 16) (push) Has been cancelled
Details
Frontend tests / Unit tests (5 / 16) (push) Has been cancelled
Details
Frontend tests / Unit tests (6 / 16) (push) Has been cancelled
Details
Frontend tests / Unit tests (7 / 16) (push) Has been cancelled
Details
Frontend tests / Unit tests (8 / 16) (push) Has been cancelled
Details
Frontend tests / Unit tests (9 / 16) (push) Has been cancelled
Details
Frontend tests / Decoupled plugin tests (push) Has been cancelled
Details
Frontend tests / Packages unit tests (push) Has been cancelled
Details
Frontend tests / All frontend unit tests complete (push) Has been cancelled
Details
Frontend tests / Devenv frontend-service build (push) Has been cancelled
Details
Build Release Packages / Dispatch grafana-enterprise build (push) Has been cancelled
Details
Build Release Packages / build frontend (push) Has been cancelled
Details
Build Release Packages / build backend / darwin-amd64 (push) Has been cancelled
Details
Build Release Packages / build backend / linux-amd64 (push) Has been cancelled
Details
Build Release Packages / build backend / windows-amd64 (push) Has been cancelled
Details
Build Release Packages / build backend / linux-armv6 (push) Has been cancelled
Details
Build Release Packages / build backend / linux-armv7 (push) Has been cancelled
Details
Build Release Packages / build backend / darwin-arm64 (push) Has been cancelled
Details
Build Release Packages / build backend / linux-arm64 (push) Has been cancelled
Details
Build Release Packages / build backend / windows-arm64 (push) Has been cancelled
Details
Build Release Packages / build backend / linux-s390x (push) Has been cancelled
Details
Build Release Packages / build backend / linux-riscv64 (push) Has been cancelled
Details
Build Release Packages / targz / darwin-amd64 (push) Has been cancelled
Details
Build Release Packages / targz / linux-amd64 (push) Has been cancelled
Details
Build Release Packages / targz / windows-amd64 (push) Has been cancelled
Details
Build Release Packages / targz / linux-armv6 (push) Has been cancelled
Details
Build Release Packages / targz / linux-armv7 (push) Has been cancelled
Details
Build Release Packages / targz / darwin-arm64 (push) Has been cancelled
Details
Build Release Packages / targz / linux-arm64 (push) Has been cancelled
Details
Build Release Packages / targz / windows-arm64 (push) Has been cancelled
Details
Build Release Packages / targz / linux-s390x (push) Has been cancelled
Details
Build Release Packages / targz / linux-riscv64 (push) Has been cancelled
Details
Build Release Packages / deb / rpm / linux-amd64 (push) Has been cancelled
Details
Build Release Packages / deb / rpm / linux-armv6 (push) Has been cancelled
Details
Build Release Packages / deb / rpm / linux-armv7 (push) Has been cancelled
Details
Build Release Packages / deb / rpm / linux-arm64 (push) Has been cancelled
Details
Build Release Packages / deb / rpm / linux-s390x (push) Has been cancelled
Details
Build Release Packages / deb / rpm / linux-riscv64 (push) Has been cancelled
Details
Build Release Packages / verify rpm stig (linux-amd64) (push) Has been cancelled
Details
Build Release Packages / docker / linux-amd64 (push) Has been cancelled
Details
Build Release Packages / docker / linux-arm64 (push) Has been cancelled
Details
Build Release Packages / docker / linux-s390x (push) Has been cancelled
Details
Build Release Packages / docker / linux-armv7 (push) Has been cancelled
Details
Build Release Packages / verify targz (linux-amd64) (push) Has been cancelled
Details
Build Release Packages / verify packages (linux-amd64) (push) Has been cancelled
Details
Build Release Packages / / windows / windows-amd64 (push) Has been cancelled
Details
Build Release Packages / / windows / windows-arm64 (push) Has been cancelled
Details
Build Release Packages / Upload targz / darwin-amd64 (push) Has been cancelled
Details
Build Release Packages / Upload targz / darwin-arm64 (push) Has been cancelled
Details
Build Release Packages / Upload targz / linux-amd64 (push) Has been cancelled
Details
Build Release Packages / Upload targz / linux-arm64 (push) Has been cancelled
Details
Build Release Packages / Upload targz / linux-armv6 (push) Has been cancelled
Details
Build Release Packages / Upload targz / linux-armv7 (push) Has been cancelled
Details
Build Release Packages / Upload targz / linux-s390x (push) Has been cancelled
Details
Build Release Packages / Upload targz / linux-riscv64 (push) Has been cancelled
Details
Build Release Packages / Upload targz / windows-amd64 (push) Has been cancelled
Details
Build Release Packages / Upload targz / windows-arm64 (push) Has been cancelled
Details
Build Release Packages / Upload deb/rpm / linux-amd64 (push) Has been cancelled
Details
Build Release Packages / Upload deb/rpm / linux-arm64 (push) Has been cancelled
Details
Build Release Packages / Upload deb/rpm / linux-armv6 (push) Has been cancelled
Details
Build Release Packages / Upload deb/rpm / linux-armv7 (push) Has been cancelled
Details
Build Release Packages / Upload deb/rpm / linux-s390x (push) Has been cancelled
Details
Build Release Packages / Upload deb/rpm / linux-riscv64 (push) Has been cancelled
Details
Build Release Packages / Upload docker (alpine) / linux-amd64 (push) Has been cancelled
Details
Build Release Packages / Upload docker (alpine) / linux-arm64 (push) Has been cancelled
Details
Build Release Packages / Upload docker (alpine) / linux-armv7 (push) Has been cancelled
Details
Build Release Packages / Upload docker (alpine) / linux-s390x (push) Has been cancelled
Details
Build Release Packages / Upload docker (alpine-slim) / linux-amd64 (push) Has been cancelled
Details
Build Release Packages / Upload docker (alpine-slim) / linux-arm64 (push) Has been cancelled
Details
Build Release Packages / Upload docker (alpine-slim) / linux-armv7 (push) Has been cancelled
Details
Build Release Packages / Upload docker (alpine-slim) / linux-s390x (push) Has been cancelled
Details
Build Release Packages / Upload docker (ubuntu) / linux-amd64 (push) Has been cancelled
Details
Build Release Packages / Upload docker (ubuntu) / linux-arm64 (push) Has been cancelled
Details
Build Release Packages / Upload docker (ubuntu) / linux-armv7 (push) Has been cancelled
Details
Build Release Packages / Upload docker (ubuntu) / linux-s390x (push) Has been cancelled
Details
Build Release Packages / Upload docker (ubuntu-slim) / linux-amd64 (push) Has been cancelled
Details
Build Release Packages / Upload docker (ubuntu-slim) / linux-arm64 (push) Has been cancelled
Details
Build Release Packages / Upload docker (ubuntu-slim) / linux-armv7 (push) Has been cancelled
Details
Build Release Packages / Upload docker (ubuntu-slim) / linux-s390x (push) Has been cancelled
Details
Build Release Packages / Upload docker (distroless) / linux-amd64 (push) Has been cancelled
Details
Build Release Packages / Upload docker (distroless) / linux-arm64 (push) Has been cancelled
Details
Build Release Packages / Upload docker (distroless) / linux-armv7 (push) Has been cancelled
Details
Build Release Packages / Upload docker (distroless) / linux-s390x (push) Has been cancelled
Details
Build Release Packages / Upload docker (distroless-slim) / linux-amd64 (push) Has been cancelled
Details
Build Release Packages / Upload docker (distroless-slim) / linux-arm64 (push) Has been cancelled
Details
Build Release Packages / Upload docker (distroless-slim) / linux-armv7 (push) Has been cancelled
Details
Build Release Packages / Upload docker (distroless-slim) / linux-s390x (push) Has been cancelled
Details
Build Release Packages / Upload windows / windows-amd64 (push) Has been cancelled
Details
Build Release Packages / Upload windows / windows-arm64 (push) Has been cancelled
Details
Build Release Packages / publish-dockerhub (artifacts-docker, , artifacts-docker-alpine-slim, -slim, alpine) (push) Has been cancelled
Details
Build Release Packages / publish-dockerhub (artifacts-docker-distroless, -distroless, artifacts-docker-distroless-slim, -distroless-slim, distroless) (push) Has been cancelled
Details
Build Release Packages / publish-dockerhub (artifacts-docker-ubuntu, -ubuntu, artifacts-docker-ubuntu-slim, -ubuntu-slim, ubuntu) (push) Has been cancelled
Details
Build Release Packages / Run Meticulous tests (push) Has been cancelled
Details
Build Release Packages / Dispatch publish NPM canaries (push) Has been cancelled
Details
Build Release Packages / notify-pr (push) Has been cancelled
Details
Run Storybook a11y tests / Run Storybook a11y tests (dark theme) (push) Has been cancelled
Details
Run Storybook a11y tests / Run Storybook a11y tests (deut_prot_dark theme) (push) Has been cancelled
Details
Run Storybook a11y tests / Run Storybook a11y tests (deut_prot_light theme) (push) Has been cancelled
Details
Run Storybook a11y tests / Run Storybook a11y tests (light theme) (push) Has been cancelled
Details
Run Storybook a11y tests / Run Storybook a11y tests (tritanopia_dark theme) (push) Has been cancelled
Details
Run Storybook a11y tests / Run Storybook a11y tests (tritanopia_light theme) (push) Has been cancelled
Details
Run Storybook a11y tests / Storybook a11y tests (push) Has been cancelled
Details
Swagger generated code / Verify committed API specs match (push) Has been cancelled
Details
DataSource/Proxy: Move OAuthPassThru settings to the datasource package (#125325)
2026-05-23 13:36:49 +03:00

1361 lines
45 KiB
Go
Raw Blame History

package pluginproxy
import (
"bytes"
"context"
"encoding/json"
"errors"
"fmt"
"io"
"net/http"
"net/http/httptest"
"net/url"
"os"
"strings"
"testing"
"time"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"golang.org/x/oauth2"
claims "github.com/grafana/authlib/types"
"github.com/grafana/grafana/pkg/api/datasource"
"github.com/grafana/grafana/pkg/apimachinery/identity"
"github.com/grafana/grafana/pkg/components/simplejson"
"github.com/grafana/grafana/pkg/infra/db"
"github.com/grafana/grafana/pkg/infra/db/dbtest"
"github.com/grafana/grafana/pkg/infra/httpclient"
"github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/infra/tracing"
"github.com/grafana/grafana/pkg/plugins"
"github.com/grafana/grafana/pkg/plugins/manager/pluginfakes"
"github.com/grafana/grafana/pkg/services/accesscontrol/acimpl"
"github.com/grafana/grafana/pkg/services/accesscontrol/actest"
"github.com/grafana/grafana/pkg/services/auth"
"github.com/grafana/grafana/pkg/services/contexthandler/ctxkey"
contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
"github.com/grafana/grafana/pkg/services/datasources"
datasourceservice "github.com/grafana/grafana/pkg/services/datasources/service"
"github.com/grafana/grafana/pkg/services/featuremgmt"
"github.com/grafana/grafana/pkg/services/oauthtoken"
"github.com/grafana/grafana/pkg/services/oauthtoken/oauthtokentest"
"github.com/grafana/grafana/pkg/services/org"
"github.com/grafana/grafana/pkg/services/pluginsintegration/pluginconfig"
"github.com/grafana/grafana/pkg/services/pluginsintegration/plugincontext"
"github.com/grafana/grafana/pkg/services/pluginsintegration/pluginstore"
"github.com/grafana/grafana/pkg/services/quota/quotatest"
"github.com/grafana/grafana/pkg/services/secrets"
"github.com/grafana/grafana/pkg/services/secrets/fakes"
secretskvs "github.com/grafana/grafana/pkg/services/secrets/kvstore"
secretsmng "github.com/grafana/grafana/pkg/services/secrets/manager"
"github.com/grafana/grafana/pkg/services/user"
"github.com/grafana/grafana/pkg/setting"
"github.com/grafana/grafana/pkg/tests/testsuite"
"github.com/grafana/grafana/pkg/util/testutil"
"github.com/grafana/grafana/pkg/web"
)
func TestMain(m *testing.M) {
testsuite.Run(m)
}
func TestIntegrationDataSourceProxy_routeRule(t *testing.T) {
testutil.SkipIntegrationTestInShortMode(t)
cfg := &setting.Cfg{}
t.Run("Plugin with routes", func(t *testing.T) {
routes := []*plugins.Route{
{
Path: "api/v4/",
URL: "https://www.google.com",
ReqRole: org.RoleEditor,
Headers: []plugins.Header{
{Name: "x-header", Content: "my secret {{.SecureJsonData.key}}"},
},
},
{
Path: "api/admin",
URL: "https://www.google.com",
ReqRole: org.RoleAdmin,
Headers: []plugins.Header{
{Name: "x-header", Content: "my secret {{.SecureJsonData.key}}"},
},
},
{
Path: "api/anon",
URL: "https://www.google.com",
Headers: []plugins.Header{
{Name: "x-header", Content: "my secret {{.SecureJsonData.key}}"},
},
},
{
Path: "api/common",
URL: "{{.JsonData.dynamicUrl}}",
URLParams: []plugins.URLParam{
{Name: "{{.JsonData.queryParam}}", Content: "{{.SecureJsonData.key}}"},
},
Headers: []plugins.Header{
{Name: "x-header", Content: "my secret {{.SecureJsonData.key}}"},
},
},
{
Path: "api/restricted",
ReqRole: org.RoleAdmin,
},
{
Path: "api/body",
URL: "http://www.test.com",
Body: []byte(`{ "url": "{{.JsonData.dynamicUrl}}", "secret": "{{.SecureJsonData.key}}" }`),
},
{
Path: "mypath",
URL: "https://example.com/api/v1/",
},
{
Path: "api/rbac-home",
ReqAction: "datasources:read",
},
{
Path: "api/rbac-restricted",
ReqAction: "test-app.settings:read",
},
{
Path: "encodedPath",
URL: "http://encoded.com",
},
}
ds := &datasources.DataSource{
UID: "dsUID",
JsonData: simplejson.NewFromAny(map[string]any{
"clientId": "asd",
"dynamicUrl": "https://dynamic.grafana.com",
"queryParam": "apiKey",
}),
}
jd, err := ds.JsonData.Map()
require.NoError(t, err)
dsInfo := DSInfo{
ID: ds.ID,
Updated: ds.Updated,
JSONData: jd,
DecryptedSecureJSONData: map[string]string{
"key": "123",
},
}
setUp := func() (*contextmodel.ReqContext, *http.Request) {
req, err := http.NewRequest("GET", "http://localhost/asd", nil)
require.NoError(t, err)
ctx := &contextmodel.ReqContext{
Context: &web.Context{Req: req},
SignedInUser: &user.SignedInUser{OrgRole: org.RoleEditor},
}
return ctx, req
}
t.Run("When matching route path", func(t *testing.T) {
ctx, req := setUp()
proxy, err := setupDSProxyTest(t, ctx, ds, routes, "api/v4/some/method")
require.NoError(t, err)
proxy.matchedRoute = routes[0]
ApplyRoute(proxy.ctx.Req.Context(), req, proxy.proxyPath, proxy.matchedRoute, dsInfo, proxy.settings)
assert.Equal(t, "https://www.google.com/some/method", req.URL.String())
assert.Equal(t, "my secret 123", req.Header.Get("x-header"))
})
t.Run("When matching route path and has dynamic url", func(t *testing.T) {
ctx, req := setUp()
proxy, err := setupDSProxyTest(t, ctx, ds, routes, "api/common/some/method")
require.NoError(t, err)
proxy.matchedRoute = routes[3]
ApplyRoute(proxy.ctx.Req.Context(), req, proxy.proxyPath, proxy.matchedRoute, dsInfo, proxy.settings)
assert.Equal(t, "https://dynamic.grafana.com/some/method?apiKey=123", req.URL.String())
assert.Equal(t, "my secret 123", req.Header.Get("x-header"))
})
t.Run("When matching route path with no url", func(t *testing.T) {
ctx, req := setUp()
proxy, err := setupDSProxyTest(t, ctx, ds, routes, "")
require.NoError(t, err)
proxy.matchedRoute = routes[4]
ApplyRoute(proxy.ctx.Req.Context(), req, proxy.proxyPath, proxy.matchedRoute, dsInfo, proxy.settings)
assert.Equal(t, "http://localhost/asd", req.URL.String())
})
t.Run("When matching route path and has setting url", func(t *testing.T) {
ctx, req := setUp()
proxy, err := setupDSProxyTest(t, ctx, ds, routes, "api/common/some/method")
require.NoError(t, err)
proxy.matchedRoute = &plugins.Route{
Path: "api/common",
URL: "{{.URL}}",
Headers: []plugins.Header{
{Name: "x-header", Content: "my secret {{.SecureJsonData.key}}"},
},
URLParams: []plugins.URLParam{
{Name: "{{.JsonData.queryParam}}", Content: "{{.SecureJsonData.key}}"},
},
}
dsInfo := DSInfo{
ID: ds.ID,
Updated: ds.Updated,
JSONData: jd,
DecryptedSecureJSONData: map[string]string{
"key": "123",
},
URL: "https://dynamic.grafana.com",
}
ApplyRoute(proxy.ctx.Req.Context(), req, proxy.proxyPath, proxy.matchedRoute, dsInfo, proxy.settings)
assert.Equal(t, "https://dynamic.grafana.com/some/method?apiKey=123", req.URL.String())
assert.Equal(t, "my secret 123", req.Header.Get("x-header"))
})
t.Run("When matching route path and has dynamic body", func(t *testing.T) {
ctx, req := setUp()
proxy, err := setupDSProxyTest(t, ctx, ds, routes, "api/body")
require.NoError(t, err)
proxy.matchedRoute = routes[5]
ApplyRoute(proxy.ctx.Req.Context(), req, proxy.proxyPath, proxy.matchedRoute, dsInfo, proxy.settings)
content, err := io.ReadAll(req.Body)
require.NoError(t, err)
require.Equal(t, `{ "url": "https://dynamic.grafana.com", "secret": "123" }`, string(content))
})
t.Run("When matching route path ending with a slash", func(t *testing.T) {
ctx, req := setUp()
proxy, err := setupDSProxyTest(t, ctx, ds, routes, "mypath/some-route/")
require.NoError(t, err)
proxy.matchedRoute = routes[6]
ApplyRoute(proxy.ctx.Req.Context(), req, proxy.proxyPath, proxy.matchedRoute, dsInfo, proxy.settings)
assert.Equal(t, "https://example.com/api/v1/some-route/", req.URL.String())
})
t.Run("When matching proxy path is already encoded", func(t *testing.T) {
ctx, req := setUp()
proxy, err := setupDSProxyTest(t, ctx, ds, routes, "/our%20devices")
require.NoError(t, err)
proxy.matchedRoute = routes[9]
ApplyRoute(proxy.ctx.Req.Context(), req, proxy.proxyPath, proxy.matchedRoute, dsInfo, proxy.settings)
assert.Equal(t, "http://encoded.com/our%20devices", req.URL.String())
})
t.Run("Validating request", func(t *testing.T) {
t.Run("plugin route with valid role", func(t *testing.T) {
ctx, _ := setUp()
proxy, err := setupDSProxyTest(t, ctx, ds, routes, "api/v4/some/method")
require.NoError(t, err)
err = proxy.validateRequest()
require.NoError(t, err)
})
t.Run("plugin route with admin role and user is editor", func(t *testing.T) {
ctx, _ := setUp()
proxy, err := setupDSProxyTest(t, ctx, ds, routes, "api/admin")
require.NoError(t, err)
err = proxy.validateRequest()
require.Error(t, err)
})
t.Run("plugin route with admin role and user is admin", func(t *testing.T) {
ctx, _ := setUp()
ctx.OrgRole = org.RoleAdmin
proxy, err := setupDSProxyTest(t, ctx, ds, routes, "api/admin")
require.NoError(t, err)
err = proxy.validateRequest()
require.NoError(t, err)
})
t.Run("path with slashes and user is editor", func(t *testing.T) {
ctx, _ := setUp()
proxy, err := setupDSProxyTest(t, ctx, ds, routes, "//api//admin")
require.NoError(t, err)
err = proxy.validateRequest()
require.Error(t, err)
})
})
t.Run("plugin route with RBAC protection user is allowed", func(t *testing.T) {
ctx, _ := setUp()
ctx.OrgID = int64(1)
ctx.OrgRole = identity.RoleNone
ctx.Permissions = map[int64]map[string][]string{1: {"test-app.settings:read": nil}}
proxy, err := setupDSProxyTest(t, ctx, ds, routes, "api/rbac-restricted")
require.NoError(t, err)
err = proxy.validateRequest()
require.NoError(t, err)
})
t.Run("plugin route with RBAC protection user is not allowed", func(t *testing.T) {
ctx, _ := setUp()
ctx.OrgID = int64(1)
ctx.OrgRole = identity.RoleNone
ctx.Permissions = map[int64]map[string][]string{1: {"test-app:read": nil}}
proxy, err := setupDSProxyTest(t, ctx, ds, routes, "api/rbac-restricted")
require.NoError(t, err)
err = proxy.validateRequest()
require.Error(t, err)
})
t.Run("plugin route with dynamic RBAC protection user is allowed", func(t *testing.T) {
ctx, _ := setUp()
ctx.OrgID = int64(1)
ctx.OrgRole = identity.RoleNone
ctx.Permissions = map[int64]map[string][]string{1: {"datasources:read": {"datasources:uid:dsUID"}}}
proxy, err := setupDSProxyTest(t, ctx, ds, routes, "api/rbac-home")
require.NoError(t, err)
err = proxy.validateRequest()
require.NoError(t, err)
})
t.Run("plugin route with dynamic RBAC protection user is not allowed", func(t *testing.T) {
ctx, _ := setUp()
ctx.OrgID = int64(1)
ctx.OrgRole = identity.RoleNone
// Has access but to another app
ctx.Permissions = map[int64]map[string][]string{1: {"datasources:read": {"datasources:uid:notTheDsUID"}}}
proxy, err := setupDSProxyTest(t, ctx, ds, routes, "api/rbac-home")
require.NoError(t, err)
err = proxy.validateRequest()
require.Error(t, err)
})
})
t.Run("Plugin with multiple routes for token auth", func(t *testing.T) {
routes := []*plugins.Route{
{
Path: "pathwithtoken1",
URL: "https://api.nr1.io/some/path",
TokenAuth: &plugins.JWTTokenAuth{
Url: "https://login.server.com/{{.JsonData.tenantId}}/oauth2/token",
Params: map[string]string{
"grant_type": "client_credentials",
"client_id": "{{.JsonData.clientId}}",
"client_secret": "{{.SecureJsonData.clientSecret}}",
"resource": "https://api.nr1.io",
},
},
},
{
Path: "pathwithtoken2",
URL: "https://api.nr2.io/some/path",
TokenAuth: &plugins.JWTTokenAuth{
Url: "https://login.server.com/{{.JsonData.tenantId}}/oauth2/token",
Params: map[string]string{
"grant_type": "client_credentials",
"client_id": "{{.JsonData.clientId}}",
"client_secret": "{{.SecureJsonData.clientSecret}}",
"resource": "https://api.nr2.io",
},
},
},
}
ds := &datasources.DataSource{
JsonData: simplejson.NewFromAny(map[string]any{
"clientId": "asd",
"tenantId": "mytenantId",
}),
}
req, err := http.NewRequest("GET", "http://localhost/asd", nil)
require.NoError(t, err)
ctx := &contextmodel.ReqContext{
Context: &web.Context{Req: req},
SignedInUser: &user.SignedInUser{OrgRole: org.RoleEditor},
}
t.Run("When creating and caching access tokens", func(t *testing.T) {
var authorizationHeaderCall1 string
var authorizationHeaderCall2 string
t.Run("first call should add authorization header with access token", func(t *testing.T) {
json, err := os.ReadFile("./test-data/access-token-1.json")
require.NoError(t, err)
originalClient := client
client = newFakeHTTPClient(t, json)
defer func() { client = originalClient }()
jd, err := ds.JsonData.Map()
require.NoError(t, err)
dsInfo := DSInfo{
ID: ds.ID,
Updated: ds.Updated,
JSONData: jd,
DecryptedSecureJSONData: map[string]string{
"clientSecret": "123",
},
}
proxy, err := setupDSProxyTest(t, ctx, ds, routes, "pathwithtoken1")
require.NoError(t, err)
ApplyRoute(proxy.ctx.Req.Context(), req, proxy.proxyPath, routes[0], dsInfo, proxy.settings)
authorizationHeaderCall1 = req.Header.Get("Authorization")
assert.Equal(t, "https://api.nr1.io/some/path", req.URL.String())
assert.True(t, strings.HasPrefix(authorizationHeaderCall1, "Bearer eyJ0e"))
t.Run("second call to another route should add a different access token", func(t *testing.T) {
json2, err := os.ReadFile("./test-data/access-token-2.json")
require.NoError(t, err)
req, err := http.NewRequest("GET", "http://localhost/asd", nil)
require.NoError(t, err)
client = newFakeHTTPClient(t, json2)
proxy, err := setupDSProxyTest(t, ctx, ds, routes, "pathwithtoken2")
require.NoError(t, err)
ApplyRoute(proxy.ctx.Req.Context(), req, proxy.proxyPath, routes[1], dsInfo, proxy.settings)
authorizationHeaderCall2 = req.Header.Get("Authorization")
assert.Equal(t, "https://api.nr2.io/some/path", req.URL.String())
assert.True(t, strings.HasPrefix(authorizationHeaderCall1, "Bearer eyJ0e"))
assert.True(t, strings.HasPrefix(authorizationHeaderCall2, "Bearer eyJ0e"))
assert.NotEqual(t, authorizationHeaderCall1, authorizationHeaderCall2)
t.Run("third call to first route should add cached access token", func(t *testing.T) {
req, err := http.NewRequest("GET", "http://localhost/asd", nil)
require.NoError(t, err)
client = newFakeHTTPClient(t, []byte{})
proxy, err := setupDSProxyTest(t, ctx, ds, routes, "pathwithtoken1")
require.NoError(t, err)
ApplyRoute(proxy.ctx.Req.Context(), req, proxy.proxyPath, routes[0], dsInfo, proxy.settings)
authorizationHeaderCall3 := req.Header.Get("Authorization")
assert.Equal(t, "https://api.nr1.io/some/path", req.URL.String())
assert.True(t, strings.HasPrefix(authorizationHeaderCall1, "Bearer eyJ0e"))
assert.True(t, strings.HasPrefix(authorizationHeaderCall3, "Bearer eyJ0e"))
assert.Equal(t, authorizationHeaderCall1, authorizationHeaderCall3)
})
})
})
})
})
t.Run("When proxying graphite", func(t *testing.T) {
var routes []*plugins.Route
ds := &datasources.DataSource{URL: "htttp://graphite:8080", Type: datasources.DS_GRAPHITE}
ctx := &contextmodel.ReqContext{}
proxy, err := setupDSProxyTest(t, ctx, ds, routes, "/render", func(proxy *DataSourceProxy) {
proxy.settings = &DataSourceProxySettings{}
})
require.NoError(t, err)
req, err := http.NewRequest(http.MethodGet, "http://grafana.com/sub", nil)
require.NoError(t, err)
proxy.director(req)
t.Run("Can translate request URL and path", func(t *testing.T) {
assert.Equal(t, "graphite:8080", req.URL.Host)
assert.Equal(t, "/render", req.URL.Path)
})
})
t.Run("When proxying InfluxDB", func(t *testing.T) {
ds := &datasources.DataSource{
Type: datasources.DS_INFLUXDB_08,
URL: "http://influxdb:8083",
Database: "site",
User: "user",
}
ctx := &contextmodel.ReqContext{}
var routes []*plugins.Route
proxy, err := setupDSProxyTest(t, ctx, ds, routes, "")
require.NoError(t, err)
req, err := http.NewRequest(http.MethodGet, "http://grafana.com/sub", nil)
require.NoError(t, err)
proxy.director(req)
assert.Equal(t, "/db/site/", req.URL.Path)
})
t.Run("When proxying a data source with no keepCookies specified", func(t *testing.T) {
json, err := simplejson.NewJson([]byte(`{"keepCookies": []}`))
require.NoError(t, err)
ds := &datasources.DataSource{
Type: datasources.DS_GRAPHITE,
URL: "http://graphite:8086",
JsonData: json,
}
ctx := &contextmodel.ReqContext{}
var routes []*plugins.Route
proxy, err := setupDSProxyTest(t, ctx, ds, routes, "")
require.NoError(t, err)
requestURL, err := url.Parse("http://grafana.com/sub")
require.NoError(t, err)
req := http.Request{URL: requestURL, Header: make(http.Header)}
cookies := "grafana_user=admin; grafana_remember=99; grafana_sess=11; JSESSION_ID=test"
req.Header.Set("Cookie", cookies)
proxy.director(&req)
assert.Equal(t, "", req.Header.Get("Cookie"))
})
t.Run("When proxying a data source with keep cookies specified", func(t *testing.T) {
json, err := simplejson.NewJson([]byte(`{"keepCookies": ["JSESSION_ID"]}`))
require.NoError(t, err)
ds := &datasources.DataSource{
Type: datasources.DS_GRAPHITE,
URL: "http://graphite:8086",
JsonData: json,
}
ctx := &contextmodel.ReqContext{}
var routes []*plugins.Route
proxy, err := setupDSProxyTest(t, ctx, ds, routes, "")
require.NoError(t, err)
requestURL, err := url.Parse("http://grafana.com/sub")
require.NoError(t, err)
req := http.Request{URL: requestURL, Header: make(http.Header)}
cookies := "grafana_user=admin; grafana_remember=99; grafana_sess=11; JSESSION_ID=test"
req.Header.Set("Cookie", cookies)
proxy.director(&req)
assert.Equal(t, "JSESSION_ID=test", req.Header.Get("Cookie"))
})
t.Run("When proxying a custom datasource", func(t *testing.T) {
ds := &datasources.DataSource{
Type: "custom-datasource",
URL: "http://host/root/",
}
ctx := &contextmodel.ReqContext{}
var routes []*plugins.Route
proxy, err := setupDSProxyTest(t, ctx, ds, routes, "/path/to/folder/")
require.NoError(t, err)
req, err := http.NewRequest(http.MethodGet, "http://grafana.com/sub", nil)
req.Header.Set("Origin", "grafana.com")
req.Header.Set("Referer", "grafana.com")
req.Header.Set("X-Canary", "stillthere")
require.NoError(t, err)
proxy.director(req)
assert.Equal(t, "http://host/root/path/to/folder/", req.URL.String())
assert.Equal(t, "stillthere", req.Header.Get("X-Canary"))
})
t.Run("When proxying a datasource that has OAuth token pass-through enabled", func(t *testing.T) {
ds := &datasources.DataSource{
Type: "custom-datasource",
URL: "http://host/root/",
JsonData: simplejson.NewFromAny(map[string]any{
"oauthPassThru": true,
}),
}
req, err := http.NewRequest("GET", "http://localhost/asd", nil)
require.NoError(t, err)
ctx := &contextmodel.ReqContext{
SignedInUser: &user.SignedInUser{UserID: 1},
Context: &web.Context{Req: req},
}
var routes []*plugins.Route
proxy, err := setupDSProxyTest(t, ctx, ds, routes, "/path/to/folder/", func(proxy *DataSourceProxy) {
proxy.oAuthTokenService = &oauthtokentest.MockOauthTokenService{
GetCurrentOauthTokenFunc: func(_ context.Context, _ identity.Requester, _ *auth.UserToken) *oauth2.Token {
return (&oauth2.Token{
AccessToken: "testtoken",
RefreshToken: "testrefreshtoken",
TokenType: "Bearer",
Expiry: time.Now().AddDate(0, 0, 1),
}).WithExtra(map[string]any{"id_token": "testidtoken"})
},
}
})
require.NoError(t, err)
req, err = http.NewRequest(http.MethodGet, "http://grafana.com/sub", nil)
req = req.WithContext(context.WithValue(req.Context(), ctxkey.Key{}, &contextmodel.ReqContext{UserToken: nil}))
require.NoError(t, err)
proxy.director(req)
assert.Equal(t, "Bearer testtoken", req.Header.Get("Authorization"))
assert.Equal(t, "testidtoken", req.Header.Get("X-ID-Token"))
})
t.Run("When SendUserHeader config is enabled", func(t *testing.T) {
req := getDatasourceProxiedRequest(
t,
&contextmodel.ReqContext{
SignedInUser: &user.SignedInUser{
Login: "test_user",
FallbackType: claims.TypeUser,
UserID: 1,
},
},
&DataSourceProxySettings{SendUserHeader: true},
)
assert.Equal(t, "test_user", req.Header.Get("X-Grafana-User"))
})
t.Run("When SendUserHeader config is disabled", func(t *testing.T) {
req := getDatasourceProxiedRequest(
t,
&contextmodel.ReqContext{
SignedInUser: &user.SignedInUser{
Login: "test_user",
},
},
&DataSourceProxySettings{SendUserHeader: false},
)
// Get will return empty string even if header is not set
assert.Empty(t, req.Header.Get("X-Grafana-User"))
})
t.Run("When SendUserHeader config is enabled but user is anonymous", func(t *testing.T) {
req := getDatasourceProxiedRequest(
t,
&contextmodel.ReqContext{
SignedInUser: &user.SignedInUser{IsAnonymous: true},
},
&DataSourceProxySettings{SendUserHeader: true},
)
// Get will return empty string even if header is not set
assert.Empty(t, req.Header.Get("X-Grafana-User"))
})
t.Run("When proxying data source proxy should handle authentication", func(t *testing.T) {
sqlStore := db.InitTestDB(t)
secretsService := secretsmng.SetupTestService(t, fakes.NewFakeSecretsStore())
secretsStore := secretskvs.NewSQLSecretsKVStore(sqlStore, secretsService, log.New("test.logger"))
tests := []*testCase{
createAuthTest(t, secretsStore, datasources.DS_INFLUXDB_08, "http://localhost:9090", authTypePassword, authCheckQuery),
createAuthTest(t, secretsStore, datasources.DS_INFLUXDB_08, "http://localhost:9090", authTypePassword, authCheckQuery),
createAuthTest(t, secretsStore, datasources.DS_INFLUXDB, "http://localhost:9090", authTypePassword, authCheckHeader),
createAuthTest(t, secretsStore, datasources.DS_INFLUXDB, "http://localhost:9090", authTypePassword, authCheckHeader),
createAuthTest(t, secretsStore, datasources.DS_INFLUXDB, "http://localhost:9090", authTypeBasic, authCheckHeader),
createAuthTest(t, secretsStore, datasources.DS_INFLUXDB, "http://localhost:9090", authTypeBasic, authCheckHeader),
// These two should be enough for any other datasource at the moment. Proxy has special handling
// only for Influx, others have the same path and only BasicAuth. Non BasicAuth datasources
// do not go through proxy but through TSDB API which is not tested here.
createAuthTest(t, secretsStore, datasources.DS_ES, "http://localhost:9200", authTypeBasic, authCheckHeader),
createAuthTest(t, secretsStore, datasources.DS_ES, "http://localhost:9200", authTypeBasic, authCheckHeader),
}
for _, test := range tests {
runDatasourceAuthTest(t, secretsService, secretsStore, cfg, test)
}
})
t.Run("Regression of 116273: Fallback routes should apply fallback route roles", func(t *testing.T) {
for _, tc := range []struct {
InputPath string
ConfigurationPath string
ExpectError bool
}{
{
InputPath: "api/v2/leak-ur-secrets",
ConfigurationPath: "",
ExpectError: true,
},
{
InputPath: "",
ConfigurationPath: "",
ExpectError: true,
},
{
InputPath: ".",
ConfigurationPath: ".",
ExpectError: true,
},
{
InputPath: "",
ConfigurationPath: ".",
ExpectError: false,
},
{
InputPath: "api",
ConfigurationPath: ".",
ExpectError: false,
},
} {
orEmptyStr := func(s string) string {
if s == "" {
return "<empty>"
}
return s
}
t.Run(
fmt.Sprintf("with inputPath=%s, configurationPath=%s, expectError=%v",
orEmptyStr(tc.InputPath), orEmptyStr(tc.ConfigurationPath), tc.ExpectError),
func(t *testing.T) {
ds := &datasources.DataSource{
UID: "dsUID",
JsonData: simplejson.New(),
}
routes := []*plugins.Route{
{
Path: tc.ConfigurationPath,
ReqRole: org.RoleAdmin,
Method: "GET",
},
{
Path: tc.ConfigurationPath,
ReqRole: org.RoleAdmin,
Method: "POST",
},
{
Path: tc.ConfigurationPath,
ReqRole: org.RoleAdmin,
Method: "PUT",
},
{
Path: tc.ConfigurationPath,
ReqRole: org.RoleAdmin,
Method: "DELETE",
},
}
req, err := http.NewRequestWithContext(t.Context(), "GET", "http://localhost/"+tc.InputPath, nil)
require.NoError(t, err, "failed to create HTTP request")
ctx := &contextmodel.ReqContext{
Context: &web.Context{Req: req},
SignedInUser: &user.SignedInUser{OrgRole: org.RoleViewer},
}
proxy, err := setupDSProxyTest(t, ctx, ds, routes, tc.InputPath)
require.NoError(t, err, "failed to setup proxy test")
err = proxy.validateRequest()
if tc.ExpectError {
require.ErrorIs(t, err, errPluginProxyRouteAccessDenied, "request was not denied due to access denied?")
} else {
require.NoError(t, err, "request was unexpectedly denied access")
}
},
)
}
})
}
func TestDataSourceProxy_userAgentHeader(t *testing.T) {
ds := &datasources.DataSource{Type: datasources.DS_GRAPHITE, URL: "http://graphite:8080"}
var routes []*plugins.Route
t.Run("When DataProxyForwardUserAgent config is disabled", func(t *testing.T) {
ctx := &contextmodel.ReqContext{}
proxy, err := setupDSProxyTest(t, ctx, ds, routes, "/render", func(p *DataSourceProxy) {
p.settings = &DataSourceProxySettings{
DataProxyUserAgent: "Grafana/5.3.0",
DataProxyForwardUserAgent: false,
}
})
require.NoError(t, err)
req, err := http.NewRequest(http.MethodGet, "http://grafana.com/sub", nil)
require.NoError(t, err)
req.Header.Set("User-Agent", "original-client/1.0")
proxy.director(req)
assert.Equal(t, "Grafana/5.3.0", req.Header.Get("User-Agent"))
})
t.Run("When DataProxyForwardUserAgent config is enabled", func(t *testing.T) {
ctx := &contextmodel.ReqContext{}
proxy, err := setupDSProxyTest(t, ctx, ds, routes, "/render", func(p *DataSourceProxy) {
p.settings = &DataSourceProxySettings{
DataProxyUserAgent: "Grafana/5.3.0",
DataProxyForwardUserAgent: true,
}
})
require.NoError(t, err)
req, err := http.NewRequest(http.MethodGet, "http://grafana.com/sub", nil)
require.NoError(t, err)
req.Header.Set("User-Agent", "original-client/1.0")
proxy.director(req)
assert.Equal(t, "Grafana/5.3.0 original-client/1.0", req.Header.Get("User-Agent"))
})
t.Run("When DataProxyForwardUserAgent config is enabled but the client User-Agent is empty", func(t *testing.T) {
ctx := &contextmodel.ReqContext{}
proxy, err := setupDSProxyTest(t, ctx, ds, routes, "/render", func(p *DataSourceProxy) {
p.settings = &DataSourceProxySettings{
DataProxyUserAgent: "Grafana/5.3.0",
DataProxyForwardUserAgent: true,
}
})
require.NoError(t, err)
req, err := http.NewRequest(http.MethodGet, "http://grafana.com/sub", nil)
require.NoError(t, err)
// no User-Agent header set
proxy.director(req)
assert.Equal(t, "Grafana/5.3.0", req.Header.Get("User-Agent"))
})
t.Run("When DataProxyForwardUserAgent config is enabled with a custom DataProxyUserAgent", func(t *testing.T) {
ctx := &contextmodel.ReqContext{}
proxy, err := setupDSProxyTest(t, ctx, ds, routes, "/render", func(p *DataSourceProxy) {
p.settings = &DataSourceProxySettings{
DataProxyUserAgent: "MyCorp/1.0",
DataProxyForwardUserAgent: true,
}
})
require.NoError(t, err)
req, err := http.NewRequest(http.MethodGet, "http://grafana.com/sub", nil)
require.NoError(t, err)
req.Header.Set("User-Agent", "original-client/1.0")
proxy.director(req)
assert.Equal(t, "MyCorp/1.0 original-client/1.0", req.Header.Get("User-Agent"))
})
t.Run("When DataProxyForwardUserAgent config is enabled and DataProxyUserAgent is empty", func(t *testing.T) {
ctx := &contextmodel.ReqContext{}
proxy, err := setupDSProxyTest(t, ctx, ds, routes, "/render", func(p *DataSourceProxy) {
p.settings = &DataSourceProxySettings{
DataProxyUserAgent: "",
DataProxyForwardUserAgent: true,
}
})
require.NoError(t, err)
req, err := http.NewRequest(http.MethodGet, "http://grafana.com/sub", nil)
require.NoError(t, err)
req.Header.Set("User-Agent", "original-client/1.0")
proxy.director(req)
assert.Equal(t, "original-client/1.0", req.Header.Get("User-Agent"))
})
t.Run("When DataProxyForwardUserAgent is enabled and the client User-Agent exceeds the length cap, it is truncated", func(t *testing.T) {
ctx := &contextmodel.ReqContext{}
proxy, err := setupDSProxyTest(t, ctx, ds, routes, "/render", func(p *DataSourceProxy) {
p.settings = &DataSourceProxySettings{
DataProxyUserAgent: "Grafana/5.3.0",
DataProxyForwardUserAgent: true,
}
})
require.NoError(t, err)
oversized := strings.Repeat("a", maxForwardedUserAgentLen+100)
req, err := http.NewRequest(http.MethodGet, "http://grafana.com/sub", nil)
require.NoError(t, err)
req.Header.Set("User-Agent", oversized)
proxy.director(req)
expected := "Grafana/5.3.0 " + strings.Repeat("a", maxForwardedUserAgentLen)
assert.Equal(t, expected, req.Header.Get("User-Agent"))
})
t.Run("When DataProxyForwardUserAgent is enabled and the client User-Agent is exactly the cap, it is forwarded unchanged", func(t *testing.T) {
ctx := &contextmodel.ReqContext{}
proxy, err := setupDSProxyTest(t, ctx, ds, routes, "/render", func(p *DataSourceProxy) {
p.settings = &DataSourceProxySettings{
DataProxyUserAgent: "Grafana/5.3.0",
DataProxyForwardUserAgent: true,
}
})
require.NoError(t, err)
exact := strings.Repeat("b", maxForwardedUserAgentLen)
req, err := http.NewRequest(http.MethodGet, "http://grafana.com/sub", nil)
require.NoError(t, err)
req.Header.Set("User-Agent", exact)
proxy.director(req)
assert.Equal(t, "Grafana/5.3.0 "+exact, req.Header.Get("User-Agent"))
})
}
// test DataSourceProxy request handling.
func TestDataSourceProxy_requestHandling(t *testing.T) {
var writeErr error
type setUpCfg struct {
headers map[string]string
writeCb func(w http.ResponseWriter, r *http.Request)
}
setUp := func(t *testing.T, cfgs ...setUpCfg) (*contextmodel.ReqContext, *datasources.DataSource) {
writeErr = nil
backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
http.SetCookie(w, &http.Cookie{Name: "flavor", Value: "chocolateChip"})
written := false
for _, cfg := range cfgs {
if cfg.writeCb != nil {
t.Log("Writing response via callback")
cfg.writeCb(w, r)
written = true
}
}
if !written {
t.Log("Writing default response")
w.WriteHeader(200)
_, writeErr = w.Write([]byte("I am the backend"))
}
}))
t.Cleanup(backend.Close)
ds := &datasources.DataSource{URL: backend.URL, Type: datasources.DS_GRAPHITE}
responseWriter := web.NewResponseWriter("GET", httptest.NewRecorder())
// XXX: Really unsure why, but setting headers within the HTTP handler function doesn't stick,
// so doing it here instead
for _, cfg := range cfgs {
for k, v := range cfg.headers {
responseWriter.Header().Set(k, v)
}
}
return &contextmodel.ReqContext{
SignedInUser: &user.SignedInUser{},
Context: &web.Context{
Req: httptest.NewRequest("GET", "/render", nil),
Resp: responseWriter,
},
}, ds
}
t.Run("When response header Set-Cookie is not set should remove proxied Set-Cookie header", func(t *testing.T) {
ctx, ds := setUp(t)
var routes []*plugins.Route
proxy, err := setupDSProxyTest(t, ctx, ds, routes, "/render")
require.NoError(t, err)
proxy.HandleRequest()
require.NoError(t, writeErr)
assert.Empty(t, proxy.ctx.Resp.Header().Get("Set-Cookie"))
})
t.Run("When response header Set-Cookie is set should remove proxied Set-Cookie header and restore the original Set-Cookie header", func(t *testing.T) {
ctx, ds := setUp(t, setUpCfg{
headers: map[string]string{
"Set-Cookie": "important_cookie=important_value",
},
})
var routes []*plugins.Route
proxy, err := setupDSProxyTest(t, ctx, ds, routes, "/render")
require.NoError(t, err)
proxy.HandleRequest()
require.NoError(t, writeErr)
assert.Equal(t, "important_cookie=important_value", proxy.ctx.Resp.Header().Get("Set-Cookie"))
})
t.Run("When response should set Content-Security-Policy header", func(t *testing.T) {
ctx, ds := setUp(t)
var routes []*plugins.Route
proxy, err := setupDSProxyTest(t, ctx, ds, routes, "/render")
require.NoError(t, err)
proxy.HandleRequest()
require.NoError(t, writeErr)
assert.Equal(t, "sandbox", proxy.ctx.Resp.Header().Get("Content-Security-Policy"))
})
t.Run("Data source returns status code 401", func(t *testing.T) {
ctx, ds := setUp(t, setUpCfg{
writeCb: func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(401)
w.Header().Set("www-authenticate", `Basic realm="Access to the server"`)
_, err := w.Write([]byte("Not authenticated"))
require.NoError(t, err)
t.Log("Wrote 401 response")
},
})
var routes []*plugins.Route
proxy, err := setupDSProxyTest(t, ctx, ds, routes, "/render")
require.NoError(t, err)
proxy.HandleRequest()
require.NoError(t, writeErr)
assert.Equal(t, 400, proxy.ctx.Resp.Status(), "Status code 401 should be converted to 400")
assert.Empty(t, proxy.ctx.Resp.Header().Get("www-authenticate"))
})
t.Run("Data source should handle proxy path url encoding correctly", func(t *testing.T) {
var req *http.Request
ctx, ds := setUp(t, setUpCfg{
writeCb: func(w http.ResponseWriter, r *http.Request) {
req = r
w.WriteHeader(200)
_, err := w.Write([]byte("OK"))
require.NoError(t, err)
},
})
ctx.Req = httptest.NewRequest("GET", "/api/datasources/proxy/1/path/%2Ftest%2Ftest%2F?query=%2Ftest%2Ftest%2F", nil)
var routes []*plugins.Route
proxy, err := setupDSProxyTest(t, ctx, ds, routes, "/path/%2Ftest%2Ftest%2F")
require.NoError(t, err)
proxy.HandleRequest()
require.NoError(t, writeErr)
require.NotNil(t, req)
require.Equal(t, "/path/%2Ftest%2Ftest%2F?query=%2Ftest%2Ftest%2F", req.RequestURI)
})
t.Run("Data source should handle proxy path url encoding correctly with opentelemetry", func(t *testing.T) {
var req *http.Request
ctx, ds := setUp(t, setUpCfg{
writeCb: func(w http.ResponseWriter, r *http.Request) {
req = r
w.WriteHeader(200)
_, err := w.Write([]byte("OK"))
require.NoError(t, err)
},
})
ctx.Req = httptest.NewRequest("GET", "/api/datasources/proxy/1/path/%2Ftest%2Ftest%2F?query=%2Ftest%2Ftest%2F", nil)
var routes []*plugins.Route
proxy, err := setupDSProxyTest(t, ctx, ds, routes, "/path/%2Ftest%2Ftest%2F")
require.NoError(t, err)
proxy.HandleRequest()
require.NoError(t, writeErr)
require.NotNil(t, req)
require.Equal(t, "/path/%2Ftest%2Ftest%2F?query=%2Ftest%2Ftest%2F", req.RequestURI)
})
}
func TestNewDataSourceProxy_InvalidURL(t *testing.T) {
ctx := contextmodel.ReqContext{
Context: &web.Context{},
SignedInUser: &user.SignedInUser{OrgRole: org.RoleEditor},
}
ds := datasources.DataSource{
Type: "test",
URL: "://host/root",
}
var routes []*plugins.Route
_, err := setupDSProxyTest(t, &ctx, &ds, routes, "api/mehtod")
require.Error(t, err)
assert.True(t, strings.HasPrefix(err.Error(), `validation of data source URL "://host/root" failed`))
}
func TestNewDataSourceProxy_ProtocolLessURL(t *testing.T) {
ctx := contextmodel.ReqContext{
Context: &web.Context{},
SignedInUser: &user.SignedInUser{OrgRole: org.RoleEditor},
}
ds := datasources.DataSource{
Type: "test",
URL: "127.0.01:5432",
}
var routes []*plugins.Route
_, err := setupDSProxyTest(t, &ctx, &ds, routes, "api/mehtod")
require.NoError(t, err)
}
// Test wth MSSQL type data sources.
func TestNewDataSourceProxy_MSSQL(t *testing.T) {
ctx := contextmodel.ReqContext{
Context: &web.Context{},
SignedInUser: &user.SignedInUser{OrgRole: org.RoleEditor},
}
tcs := []struct {
description string
url string
err error
}{
{
description: "Valid ODBC URL",
url: `localhost\instance:1433`,
},
{
description: "Invalid ODBC URL",
url: `localhost\instance::1433`,
err: datasource.URLValidationError{
Err: errors.New(`unrecognized URL format: "localhost\\instance::1433"`),
URL: `localhost\instance::1433`,
},
},
}
for _, tc := range tcs {
t.Run(tc.description, func(t *testing.T) {
ds := datasources.DataSource{
Type: "mssql",
URL: tc.url,
}
var routes []*plugins.Route
p, err := setupDSProxyTest(t, &ctx, &ds, routes, "api/method")
if tc.err == nil {
require.NoError(t, err)
assert.Equal(t, &url.URL{
Scheme: "sqlserver",
Host: ds.URL,
}, p.targetUrl)
} else {
require.Error(t, err)
assert.Equal(t, tc.err, err)
}
})
}
}
// getDatasourceProxiedRequest is a helper for easier setup of tests based on global config and ReqContext.
func getDatasourceProxiedRequest(t *testing.T, ctx *contextmodel.ReqContext, proxyCfg *DataSourceProxySettings) *http.Request {
ds := &datasources.DataSource{
Type: "custom",
URL: "http://host/root/",
}
tracer := tracing.InitializeTracerForTest()
var routes []*plugins.Route
cfg := setting.NewCfg()
sqlStore := db.InitTestDB(t)
secretsService := secretsmng.SetupTestService(t, fakes.NewFakeSecretsStore())
secretsStore := secretskvs.NewSQLSecretsKVStore(sqlStore, secretsService, log.New("test.logger"))
features := featuremgmt.WithFeatures()
quotaService := quotatest.New(false, nil)
dsRetriever := datasourceservice.ProvideDataSourceRetriever(sqlStore, features)
dsService, err := datasourceservice.ProvideService(nil, secretsService, secretsStore, cfg, features, acimpl.ProvideAccessControl(features),
&actest.FakePermissionsService{}, quotaService, &pluginstore.FakePluginStore{}, &pluginfakes.FakePluginClient{},
plugincontext.ProvideBaseService(cfg, pluginconfig.NewFakePluginRequestConfigProvider()), dsRetriever)
require.NoError(t, err)
proxy, err := NewDataSourceProxy(ds, routes, ctx, "", proxyCfg, httpclient.NewProvider(), &oauthtoken.Service{}, dsService, tracer, features)
require.NoError(t, err)
req, err := http.NewRequest(http.MethodGet, "http://grafana.com/sub", nil)
require.NoError(t, err)
proxy.director(req)
return req
}
type httpClientStub struct {
t *testing.T
fakeBody []byte
}
func (c *httpClientStub) Do(req *http.Request) (*http.Response, error) {
bodyJSON, err := simplejson.NewJson(c.fakeBody)
require.NoError(c.t, err)
_, passedTokenCacheTest := bodyJSON.CheckGet("expires_on")
require.True(c.t, passedTokenCacheTest)
bodyJSON.Set("expires_on", fmt.Sprint(time.Now().Add(time.Second*60).Unix()))
body, err := bodyJSON.MarshalJSON()
require.NoError(c.t, err)
resp := &http.Response{
Body: io.NopCloser(bytes.NewReader(body)),
}
return resp, nil
}
func newFakeHTTPClient(t *testing.T, fakeBody []byte) httpClient {
return &httpClientStub{
t: t,
fakeBody: fakeBody,
}
}
type testCase struct {
datasource *datasources.DataSource
checkReq func(req *http.Request)
}
const (
authTypePassword = "password"
authTypeBasic = "basic"
)
const (
authCheckQuery = "query"
authCheckHeader = "header"
)
func createAuthTest(t *testing.T, secretsStore secretskvs.SecretsKVStore, dsType string, url string, authType string, authCheck string) *testCase {
// Basic user:password
base64AuthHeader := "Basic dXNlcjpwYXNzd29yZA=="
test := &testCase{
datasource: &datasources.DataSource{
ID: 1,
OrgID: 1,
Name: fmt.Sprintf("%s,%s,%s,%s", dsType, url, authType, authCheck),
Type: dsType,
JsonData: simplejson.New(),
URL: url,
},
}
var message string
var err error
if authType == authTypePassword {
message = fmt.Sprintf("%v should add username and password", dsType)
test.datasource.User = "user"
secureJsonData, err := json.Marshal(map[string]string{
"password": "password",
})
require.NoError(t, err)
err = secretsStore.Set(context.Background(), test.datasource.OrgID, test.datasource.Name, "datasource", string(secureJsonData))
require.NoError(t, err)
} else {
message = fmt.Sprintf("%v should add basic auth username and password", dsType)
test.datasource.BasicAuth = true
test.datasource.BasicAuthUser = "user"
secureJsonData, err := json.Marshal(map[string]string{
"basicAuthPassword": "password",
})
require.NoError(t, err)
err = secretsStore.Set(context.Background(), test.datasource.OrgID, test.datasource.Name, "datasource", string(secureJsonData))
require.NoError(t, err)
}
require.NoError(t, err)
message += " from securejsondata"
if authCheck == authCheckQuery {
message += " to query params"
test.checkReq = func(req *http.Request) {
queryVals := req.URL.Query()
assert.Equal(t, "user", queryVals["u"][0], message)
assert.Equal(t, "password", queryVals["p"][0], message)
}
} else {
message += " to auth header"
test.checkReq = func(req *http.Request) {
assert.Equal(t, base64AuthHeader, req.Header.Get("Authorization"), message)
}
}
return test
}
func runDatasourceAuthTest(t *testing.T,
secretsService secrets.Service, //nolint:staticcheck // SA1019: Legacy envelope encryption for single-tenant feature
secretsStore secretskvs.SecretsKVStore, cfg *setting.Cfg, test *testCase,
) {
ctx := &contextmodel.ReqContext{}
tracer := tracing.InitializeTracerForTest()
var routes []*plugins.Route
features := featuremgmt.WithFeatures()
quotaService := quotatest.New(false, nil)
var sqlStore db.DB = nil
dsRetriever := datasourceservice.ProvideDataSourceRetriever(sqlStore, features)
dsService, err := datasourceservice.ProvideService(sqlStore, secretsService, secretsStore, cfg, features, acimpl.ProvideAccessControl(features),
&actest.FakePermissionsService{}, quotaService, &pluginstore.FakePluginStore{}, &pluginfakes.FakePluginClient{},
plugincontext.ProvideBaseService(cfg, pluginconfig.NewFakePluginRequestConfigProvider()), dsRetriever)
require.NoError(t, err)
proxy, err := NewDataSourceProxy(test.datasource, routes, ctx, "", &DataSourceProxySettings{}, httpclient.NewProvider(), &oauthtoken.Service{}, dsService, tracer, features)
require.NoError(t, err)
req, err := http.NewRequest(http.MethodGet, "http://grafana.com/sub", nil)
require.NoError(t, err)
proxy.director(req)
test.checkReq(req)
}
func Test_PathCheck(t *testing.T) {
// Ensure that we test routes appropriately. This test reproduces a historical bug where two routes were defined with different role requirements but the same method and the more privileged route was tested first. Here we ensure auth checks are applied based on the correct route, not just the method.
routes := []*plugins.Route{
{
Path: "a",
URL: "https://www.google.com",
ReqRole: org.RoleEditor,
Method: http.MethodGet,
},
{
Path: "b",
URL: "https://www.google.com",
ReqRole: org.RoleViewer,
Method: http.MethodGet,
},
}
setUp := func() (*contextmodel.ReqContext, *http.Request) {
req, err := http.NewRequest("GET", "http://localhost/asd", nil)
require.NoError(t, err)
ctx := &contextmodel.ReqContext{
Context: &web.Context{Req: req},
SignedInUser: &user.SignedInUser{OrgRole: org.RoleViewer},
}
return ctx, req
}
ctx, _ := setUp()
proxy, err := setupDSProxyTest(t, ctx, &datasources.DataSource{}, routes, "b")
require.NoError(t, err)
require.Nil(t, proxy.validateRequest())
require.Equal(t, routes[1], proxy.matchedRoute)
}
func setupDSProxyTest(t *testing.T, ctx *contextmodel.ReqContext, ds *datasources.DataSource, routes []*plugins.Route, path string, opts ...func(proxy *DataSourceProxy)) (*DataSourceProxy, error) {
t.Helper()
cfg := setting.NewCfg()
secretsService := secretsmng.SetupTestService(t, fakes.NewFakeSecretsStore())
secretsStore := secretskvs.NewSQLSecretsKVStore(dbtest.NewFakeDB(), secretsService, log.NewNopLogger())
features := featuremgmt.WithFeatures()
var sqlStore db.DB = nil
dsRetriever := datasourceservice.ProvideDataSourceRetriever(sqlStore, features)
dsService, err := datasourceservice.ProvideService(sqlStore, secretsService, secretsStore, cfg, features, acimpl.ProvideAccessControl(features),
&actest.FakePermissionsService{}, quotatest.New(false, nil), &pluginstore.FakePluginStore{}, &pluginfakes.FakePluginClient{},
plugincontext.ProvideBaseService(cfg, pluginconfig.NewFakePluginRequestConfigProvider()), dsRetriever)
require.NoError(t, err)
tracer := tracing.InitializeTracerForTest()
proxy, err := NewDataSourceProxy(ds, routes, ctx, path, &DataSourceProxySettings{}, httpclient.NewProvider(), &oauthtoken.Service{}, dsService, tracer, features)
if err != nil {
return nil, err
}
for _, o := range opts {
o(proxy)
}
return proxy, nil
}
Reference in a new issue View git blame Copy permalink