Plugins: Improve API response for plugin assets (#36352)

* improve API response for plugin assets 403

* remove unnecessary newline

pkg/api/api.go

@@ -133,7 +133,7 @@ func (hs *HTTPServer) registerRoutes() {
 	r.Get("/api/login/ping", quota("session"), routing.Wrap(hs.LoginAPIPing))
 
 	// expose plugin file system assets
-	r.Get("/public/plugins/:pluginId/*", hs.GetPluginAssets)
+	r.Get("/public/plugins/:pluginId/*", routing.Wrap(hs.GetPluginAssets))
 
 	// authed api
 	r.Group("/api", func(apiRoute routing.RouteRegister) {

pkg/api/plugins.go

@@ -3,14 +3,13 @@ package api
 import (
 	"encoding/json"
 	"errors"
+	"fmt"
 	"net/http"
 	"os"
 	"path/filepath"
 	"sort"
 	"strings"
 
-	"gopkg.in/macaron.v1"
-
 	"github.com/grafana/grafana-plugin-sdk-go/backend"
 	"github.com/grafana/grafana/pkg/api/dtos"
 	"github.com/grafana/grafana/pkg/api/response"
@@ -258,12 +257,11 @@ func (hs *HTTPServer) CollectPluginMetrics(c *models.ReqContext) response.Respon
 // GetPluginAssets returns public plugin assets (images, JS, etc.)
 //
 // /public/plugins/:pluginId/*
-func (hs *HTTPServer) GetPluginAssets(c *models.ReqContext) {
+func (hs *HTTPServer) GetPluginAssets(c *models.ReqContext) response.Response {
 	pluginID := c.Params("pluginId")
 	plugin := hs.PluginManager.GetPlugin(pluginID)
 	if plugin == nil {
-		c.Handle(hs.Cfg, 404, "Plugin not found", nil)
+		return response.Error(404, "Plugin not found", nil)
-		return
 	}
 
 	requestedFile := filepath.Clean(c.Params("*"))
@@ -275,11 +273,9 @@ func (hs *HTTPServer) GetPluginAssets(c *models.ReqContext) {
 	f, err := os.Open(pluginFilePath)
 	if err != nil {
 		if os.IsNotExist(err) {
-			c.Handle(hs.Cfg, 404, "Could not find plugin file", err)
+			return response.Error(404, "Plugin file not found", err)
-			return
 		}
-		c.Handle(hs.Cfg, 500, "Could not open plugin file", err)
+		return response.Error(500, "Could not open plugin file", err)
-		return
 	}
 	defer func() {
 		if err := f.Close(); err != nil {
@@ -289,28 +285,28 @@ func (hs *HTTPServer) GetPluginAssets(c *models.ReqContext) {
 
 	fi, err := f.Stat()
 	if err != nil {
-		c.Handle(hs.Cfg, 500, "Plugin file exists but could not open", err)
+		return response.Error(500, "Plugin file exists but could not open", err)
-		return
 	}
 
 	if shouldExclude(fi) {
-		c.Handle(hs.Cfg, 404, "Plugin file not found", nil)
+		return response.Error(403, "Plugin file access forbidden",
-		return
+			fmt.Errorf("access is forbidden to executable plugin file %s", pluginFilePath))
 	}
 
-	headers := func(c *macaron.Context) {
+	resp := response.CreateNormalResponse(
-		c.Resp.Header().Set("Cache-Control", "public, max-age=3600")
+		http.Header{"Content-Type": []string{"text/plain", "charset=utf-8"}},
-	}
+		[]byte{},
+		200)
 
 	if hs.Cfg.Env == setting.Dev {
-		headers = func(c *macaron.Context) {
+		resp.SetHeader("Cache-Control", "max-age=0, must-revalidate, no-cache")
-			c.Resp.Header().Set("Cache-Control", "max-age=0, must-revalidate, no-cache")
+	} else {
-		}
+		resp.SetHeader("Cache-Control", "public, max-age=3600")
 	}
 
-	headers(c.Context)
+	http.ServeContent(resp, c.Req.Request, pluginFilePath, fi.ModTime(), f)
 
-	http.ServeContent(c.Resp, c.Req.Request, pluginFilePath, fi.ModTime(), f)
+	return resp
 }
 
 // CheckHealth returns the health of a plugin.