Plugins: Add sql support for the secure socks proxy (#64630)

2025-08-03 06:22:13 +08:00 · 2023-03-16 07:54:19 -05:00
parent 68e38aad6a
commit 10db808ea1
19 changed files with 651 additions and 104 deletions
--- a/pkg/tsdb/mysql/mysql.go
+++ b/pkg/tsdb/mysql/mysql.go
@ -21,6 +21,7 @@ import (

 	"github.com/grafana/grafana/pkg/infra/httpclient"
 	"github.com/grafana/grafana/pkg/infra/log"
+	"github.com/grafana/grafana/pkg/services/featuremgmt"
 	"github.com/grafana/grafana/pkg/setting"
 	"github.com/grafana/grafana/pkg/tsdb/sqleng"
 )
@ -54,6 +55,7 @@ func newInstanceSettings(cfg *setting.Cfg, httpClientProvider httpclient.Provide
 			MaxOpenConns:    0,
 			MaxIdleConns:    2,
 			ConnMaxLifetime: 14400,
+			SecureDSProxy:   false,
 		}

 		err := json.Unmarshal(settings.JSONData, &jsonData)
@ -82,6 +84,16 @@ func newInstanceSettings(cfg *setting.Cfg, httpClientProvider httpclient.Provide
 			protocol = "unix"
 		}

+		// register the secure socks proxy dialer context, if enabled
+		if cfg.IsFeatureToggleEnabled(featuremgmt.FlagSecureSocksDatasourceProxy) && cfg.SecureSocksDSProxy.Enabled && jsonData.SecureDSProxy {
+			// UID is only unique per org, the only way to ensure uniqueness is to do it by connection information
+			uniqueIdentifier := dsInfo.User + dsInfo.DecryptedSecureJSONData["password"] + dsInfo.URL + dsInfo.Database
+			protocol, err = registerProxyDialerContext(&cfg.SecureSocksDSProxy, protocol, uniqueIdentifier)
+			if err != nil {
+				return nil, err
+			}
+		}
+
 		cnnstr := fmt.Sprintf("%s:%s@%s(%s)/%s?collation=utf8mb4_unicode_ci&parseTime=true&loc=UTC&allowNativePasswords=true",
 			characterEscape(dsInfo.User, ":"),
 			dsInfo.DecryptedSecureJSONData["password"],
--- a/pkg/tsdb/mysql/proxy.go
+++ b/pkg/tsdb/mysql/proxy.go
@ -0,0 +1,57 @@
+package mysql
+
+import (
+	"context"
+	"net"
+
+	"github.com/go-sql-driver/mysql"
+	iproxy "github.com/grafana/grafana/pkg/infra/proxy"
+	"github.com/grafana/grafana/pkg/setting"
+	"github.com/grafana/grafana/pkg/util"
+	"golang.org/x/net/proxy"
+)
+
+// registerProxyDialerContext registers a new dialer context to be used by mysql when the proxy network is
+// specified in the connection string
+func registerProxyDialerContext(settings *setting.SecureSocksDSProxySettings, protocol, cnnstr string) (string, error) {
+	// the dialer contains the true network used behind the scenes
+	dialer, err := getProxyDialerContext(settings, protocol)
+	if err != nil {
+		return "", err
+	}
+
+	// the dialer context can be updated everytime the datasource is updated
+	// have a unique network per connection string
+	hash, err := util.Md5SumString(cnnstr)
+	if err != nil {
+		return "", err
+	}
+	network := "proxy-" + hash
+	mysql.RegisterDialContext(network, dialer.DialContext)
+
+	return network, nil
+}
+
+// mySQLContextDialer turns a golang proxy driver into a MySQL proxy driver
+type mySQLContextDialer struct {
+	dialer  proxy.ContextDialer
+	network string
+}
+
+// getProxyDialerContext returns a context dialer that will send the request through to the secure socks proxy
+func getProxyDialerContext(cfg *setting.SecureSocksDSProxySettings, actualNetwork string) (*mySQLContextDialer, error) {
+	dialer, err := iproxy.NewSecureSocksProxyContextDialer(cfg)
+	if err != nil {
+		return nil, err
+	}
+	contextDialer, ok := dialer.(proxy.ContextDialer)
+	if !ok {
+		return nil, err
+	}
+	return &mySQLContextDialer{dialer: contextDialer, network: actualNetwork}, nil
+}
+
+// DialContext implements the MySQL requirements for a proxy driver, and uses the underlying golang proxy driver with the assigned network
+func (d *mySQLContextDialer) DialContext(ctx context.Context, addr string) (net.Conn, error) {
+	return d.dialer.DialContext(ctx, d.network, addr)
+}
--- a/pkg/tsdb/mysql/proxy_test.go
+++ b/pkg/tsdb/mysql/proxy_test.go
@ -0,0 +1,51 @@
+package mysql
+
+import (
+	"context"
+	"fmt"
+	"testing"
+
+	"github.com/go-sql-driver/mysql"
+	"github.com/grafana/grafana/pkg/infra/proxy/proxyutil"
+	"github.com/stretchr/testify/require"
+)
+
+func TestMySQLProxyDialer(t *testing.T) {
+	settings := proxyutil.SetupTestSecureSocksProxySettings(t)
+
+	protocol := "tcp"
+	network, err := registerProxyDialerContext(settings, protocol, "1")
+	require.NoError(t, err)
+	driver := mysql.MySQLDriver{}
+	dbURL := "localhost:5432"
+	cnnstr := fmt.Sprintf("test:test@%s(%s)/db",
+		network,
+		dbURL,
+	)
+	t.Run("Network is available", func(t *testing.T) {
+		_, err = driver.OpenConnector(cnnstr)
+		require.NoError(t, err)
+	})
+
+	t.Run("Multiple networks can be created", func(t *testing.T) {
+		network, err := registerProxyDialerContext(settings, protocol, "2")
+		require.NoError(t, err)
+		cnnstr2 := fmt.Sprintf("test:test@%s(%s)/db",
+			network,
+			dbURL,
+		)
+		// both networks should exist
+		_, err = driver.OpenConnector(cnnstr)
+		require.NoError(t, err)
+		_, err = driver.OpenConnector(cnnstr2)
+		require.NoError(t, err)
+	})
+
+	t.Run("Connection should be routed through socks proxy to db", func(t *testing.T) {
+		conn, err := driver.OpenConnector(cnnstr)
+		require.NoError(t, err)
+		_, err = conn.Connect(context.Background())
+		require.Error(t, err)
+		require.Contains(t, err.Error(), fmt.Sprintf("socks connect %s %s->%s", protocol, settings.ProxyAddress, dbURL))
+	})
+}