Plugins: Forward user header (X-Grafana-User) in backend plugin requests (#58646)

Grafana would forward the X-Grafana-User header to backend plugin request when dataproxy.send_user_header is enabled. In addition, X-Grafana-User will be automatically forwarded in outgoing HTTP requests for core/builtin HTTP datasources. Use grafana-plugin-sdk-go v0.147.0. Fixes #47734 Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
2025-08-02 00:55:16 +08:00 · 2022-12-15 15:28:25 +01:00
parent ecf83a6df9
commit 6478d0a5ef
12 changed files with 459 additions and 27 deletions
--- a/pkg/services/pluginsintegration/clientmiddleware/user_header_middleware_test.go
+++ b/pkg/services/pluginsintegration/clientmiddleware/user_header_middleware_test.go
@ -0,0 +1,254 @@
+package clientmiddleware
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/grafana/grafana-plugin-sdk-go/backend"
+	"github.com/grafana/grafana-plugin-sdk-go/backend/httpclient"
+	"github.com/grafana/grafana/pkg/infra/httpclient/httpclientprovider"
+	"github.com/grafana/grafana/pkg/plugins/manager/client/clienttest"
+	"github.com/grafana/grafana/pkg/services/user"
+	"github.com/grafana/grafana/pkg/util/proxyutil"
+	"github.com/stretchr/testify/require"
+)
+
+func TestUserHeaderMiddleware(t *testing.T) {
+	t.Run("When anononymous user in reqContext", func(t *testing.T) {
+		req, err := http.NewRequest(http.MethodGet, "/some/thing", nil)
+		require.NoError(t, err)
+
+		t.Run("And requests are for a datasource", func(t *testing.T) {
+			cdt := clienttest.NewClientDecoratorTest(t,
+				clienttest.WithReqContext(req, &user.SignedInUser{
+					IsAnonymous: true,
+					Login:       "anonymous"},
+				),
+				clienttest.WithMiddlewares(NewUserHeaderMiddleware()),
+			)
+
+			pluginCtx := backend.PluginContext{
+				DataSourceInstanceSettings: &backend.DataSourceInstanceSettings{},
+			}
+
+			t.Run("Should not forward user header when calling QueryData", func(t *testing.T) {
+				_, err = cdt.Decorator.QueryData(req.Context(), &backend.QueryDataRequest{
+					PluginContext: pluginCtx,
+					Headers:       map[string]string{},
+				})
+				require.NoError(t, err)
+				require.NotNil(t, cdt.QueryDataReq)
+				require.Empty(t, cdt.QueryDataReq.Headers)
+
+				middlewares := httpclient.ContextualMiddlewareFromContext(cdt.QueryDataCtx)
+				require.Len(t, middlewares, 1)
+				require.Equal(t, httpclientprovider.DeleteHeadersMiddlewareName, middlewares[0].(httpclient.MiddlewareName).MiddlewareName())
+			})
+
+			t.Run("Should not forward user header when calling CallResource", func(t *testing.T) {
+				err = cdt.Decorator.CallResource(req.Context(), &backend.CallResourceRequest{
+					PluginContext: pluginCtx,
+					Headers:       map[string][]string{},
+				}, nopCallResourceSender)
+				require.NoError(t, err)
+				require.NotNil(t, cdt.CallResourceReq)
+				require.Empty(t, cdt.CallResourceReq.Headers)
+
+				middlewares := httpclient.ContextualMiddlewareFromContext(cdt.CallResourceCtx)
+				require.Len(t, middlewares, 1)
+				require.Equal(t, httpclientprovider.DeleteHeadersMiddlewareName, middlewares[0].(httpclient.MiddlewareName).MiddlewareName())
+			})
+
+			t.Run("Should not forward user header when calling CheckHealth", func(t *testing.T) {
+				_, err = cdt.Decorator.CheckHealth(req.Context(), &backend.CheckHealthRequest{
+					PluginContext: pluginCtx,
+					Headers:       map[string]string{},
+				})
+				require.NoError(t, err)
+				require.NotNil(t, cdt.CheckHealthReq)
+				require.Empty(t, cdt.CheckHealthReq.Headers)
+
+				middlewares := httpclient.ContextualMiddlewareFromContext(cdt.CheckHealthCtx)
+				require.Len(t, middlewares, 1)
+				require.Equal(t, httpclientprovider.DeleteHeadersMiddlewareName, middlewares[0].(httpclient.MiddlewareName).MiddlewareName())
+			})
+		})
+
+		t.Run("And requests are for an app", func(t *testing.T) {
+			cdt := clienttest.NewClientDecoratorTest(t,
+				clienttest.WithReqContext(req, &user.SignedInUser{
+					IsAnonymous: true,
+					Login:       "anonymous"},
+				),
+				clienttest.WithMiddlewares(NewUserHeaderMiddleware()),
+			)
+
+			pluginCtx := backend.PluginContext{
+				AppInstanceSettings: &backend.AppInstanceSettings{},
+			}
+
+			t.Run("Should not forward user header when calling QueryData", func(t *testing.T) {
+				_, err = cdt.Decorator.QueryData(req.Context(), &backend.QueryDataRequest{
+					PluginContext: pluginCtx,
+					Headers:       map[string]string{},
+				})
+				require.NoError(t, err)
+				require.NotNil(t, cdt.QueryDataReq)
+				require.Empty(t, cdt.QueryDataReq.Headers)
+
+				middlewares := httpclient.ContextualMiddlewareFromContext(cdt.QueryDataCtx)
+				require.Len(t, middlewares, 1)
+				require.Equal(t, httpclientprovider.DeleteHeadersMiddlewareName, middlewares[0].(httpclient.MiddlewareName).MiddlewareName())
+			})
+
+			t.Run("Should not forward user header when calling CallResource", func(t *testing.T) {
+				err = cdt.Decorator.CallResource(req.Context(), &backend.CallResourceRequest{
+					PluginContext: pluginCtx,
+					Headers:       map[string][]string{},
+				}, nopCallResourceSender)
+				require.NoError(t, err)
+				require.NotNil(t, cdt.CallResourceReq)
+				require.Empty(t, cdt.CallResourceReq.Headers)
+
+				middlewares := httpclient.ContextualMiddlewareFromContext(cdt.CallResourceCtx)
+				require.Len(t, middlewares, 1)
+				require.Equal(t, httpclientprovider.DeleteHeadersMiddlewareName, middlewares[0].(httpclient.MiddlewareName).MiddlewareName())
+			})
+
+			t.Run("Should not forward user header when calling CheckHealth", func(t *testing.T) {
+				_, err = cdt.Decorator.CheckHealth(req.Context(), &backend.CheckHealthRequest{
+					PluginContext: pluginCtx,
+					Headers:       map[string]string{},
+				})
+				require.NoError(t, err)
+				require.NotNil(t, cdt.CheckHealthReq)
+				require.Empty(t, cdt.CheckHealthReq.Headers)
+
+				middlewares := httpclient.ContextualMiddlewareFromContext(cdt.CheckHealthCtx)
+				require.Len(t, middlewares, 1)
+				require.Equal(t, httpclientprovider.DeleteHeadersMiddlewareName, middlewares[0].(httpclient.MiddlewareName).MiddlewareName())
+			})
+		})
+	})
+
+	t.Run("When real user in reqContext", func(t *testing.T) {
+		req, err := http.NewRequest(http.MethodGet, "/some/thing", nil)
+		require.NoError(t, err)
+
+		t.Run("And requests are for a datasource", func(t *testing.T) {
+			cdt := clienttest.NewClientDecoratorTest(t,
+				clienttest.WithReqContext(req, &user.SignedInUser{
+					Login: "admin",
+				}),
+				clienttest.WithMiddlewares(NewUserHeaderMiddleware()),
+			)
+
+			pluginCtx := backend.PluginContext{
+				DataSourceInstanceSettings: &backend.DataSourceInstanceSettings{},
+			}
+
+			t.Run("Should forward user header when calling QueryData", func(t *testing.T) {
+				_, err = cdt.Decorator.QueryData(req.Context(), &backend.QueryDataRequest{
+					PluginContext: pluginCtx,
+					Headers:       map[string]string{},
+				})
+				require.NoError(t, err)
+				require.NotNil(t, cdt.QueryDataReq)
+				require.Len(t, cdt.QueryDataReq.Headers, 1)
+				require.Equal(t, "admin", cdt.QueryDataReq.GetHTTPHeader(proxyutil.UserHeaderName))
+
+				middlewares := httpclient.ContextualMiddlewareFromContext(cdt.QueryDataCtx)
+				require.Len(t, middlewares, 1)
+				require.Equal(t, httpclientprovider.SetHeadersMiddlewareName, middlewares[0].(httpclient.MiddlewareName).MiddlewareName())
+			})
+
+			t.Run("Should forward user header when calling CallResource", func(t *testing.T) {
+				err = cdt.Decorator.CallResource(req.Context(), &backend.CallResourceRequest{
+					PluginContext: pluginCtx,
+					Headers:       map[string][]string{},
+				}, nopCallResourceSender)
+				require.NoError(t, err)
+				require.NotNil(t, cdt.CallResourceReq)
+				require.Len(t, cdt.CallResourceReq.Headers, 1)
+				require.Equal(t, "admin", cdt.CallResourceReq.GetHTTPHeader(proxyutil.UserHeaderName))
+
+				middlewares := httpclient.ContextualMiddlewareFromContext(cdt.CallResourceCtx)
+				require.Len(t, middlewares, 1)
+				require.Equal(t, httpclientprovider.SetHeadersMiddlewareName, middlewares[0].(httpclient.MiddlewareName).MiddlewareName())
+			})
+
+			t.Run("Should forward user header when calling CheckHealth", func(t *testing.T) {
+				_, err = cdt.Decorator.CheckHealth(req.Context(), &backend.CheckHealthRequest{
+					PluginContext: pluginCtx,
+					Headers:       map[string]string{},
+				})
+				require.NoError(t, err)
+				require.NotNil(t, cdt.CheckHealthReq)
+				require.Len(t, cdt.CheckHealthReq.Headers, 1)
+				require.Equal(t, "admin", cdt.CheckHealthReq.GetHTTPHeader(proxyutil.UserHeaderName))
+
+				middlewares := httpclient.ContextualMiddlewareFromContext(cdt.CheckHealthCtx)
+				require.Len(t, middlewares, 1)
+				require.Equal(t, httpclientprovider.SetHeadersMiddlewareName, middlewares[0].(httpclient.MiddlewareName).MiddlewareName())
+			})
+		})
+
+		t.Run("And requests are for an app", func(t *testing.T) {
+			cdt := clienttest.NewClientDecoratorTest(t,
+				clienttest.WithReqContext(req, &user.SignedInUser{
+					Login: "admin",
+				}),
+				clienttest.WithMiddlewares(NewUserHeaderMiddleware()),
+			)
+
+			pluginCtx := backend.PluginContext{
+				AppInstanceSettings: &backend.AppInstanceSettings{},
+			}
+
+			t.Run("Should forward user header when calling QueryData", func(t *testing.T) {
+				_, err = cdt.Decorator.QueryData(req.Context(), &backend.QueryDataRequest{
+					PluginContext: pluginCtx,
+					Headers:       map[string]string{},
+				})
+				require.NoError(t, err)
+				require.NotNil(t, cdt.QueryDataReq)
+				require.Len(t, cdt.QueryDataReq.Headers, 1)
+				require.Equal(t, "admin", cdt.QueryDataReq.GetHTTPHeader(proxyutil.UserHeaderName))
+
+				middlewares := httpclient.ContextualMiddlewareFromContext(cdt.QueryDataCtx)
+				require.Len(t, middlewares, 1)
+				require.Equal(t, httpclientprovider.SetHeadersMiddlewareName, middlewares[0].(httpclient.MiddlewareName).MiddlewareName())
+			})
+
+			t.Run("Should forward user header when calling CallResource", func(t *testing.T) {
+				err = cdt.Decorator.CallResource(req.Context(), &backend.CallResourceRequest{
+					PluginContext: pluginCtx,
+					Headers:       map[string][]string{},
+				}, nopCallResourceSender)
+				require.NoError(t, err)
+				require.NotNil(t, cdt.CallResourceReq)
+				require.Len(t, cdt.CallResourceReq.Headers, 1)
+				require.Equal(t, "admin", cdt.CallResourceReq.GetHTTPHeader(proxyutil.UserHeaderName))
+
+				middlewares := httpclient.ContextualMiddlewareFromContext(cdt.CallResourceCtx)
+				require.Len(t, middlewares, 1)
+				require.Equal(t, httpclientprovider.SetHeadersMiddlewareName, middlewares[0].(httpclient.MiddlewareName).MiddlewareName())
+			})
+
+			t.Run("Should forward user header when calling CheckHealth", func(t *testing.T) {
+				_, err = cdt.Decorator.CheckHealth(req.Context(), &backend.CheckHealthRequest{
+					PluginContext: pluginCtx,
+					Headers:       map[string]string{},
+				})
+				require.NoError(t, err)
+				require.NotNil(t, cdt.CheckHealthReq)
+				require.Len(t, cdt.CheckHealthReq.Headers, 1)
+				require.Equal(t, "admin", cdt.CheckHealthReq.GetHTTPHeader(proxyutil.UserHeaderName))
+
+				middlewares := httpclient.ContextualMiddlewareFromContext(cdt.CheckHealthCtx)
+				require.Len(t, middlewares, 1)
+				require.Equal(t, httpclientprovider.SetHeadersMiddlewareName, middlewares[0].(httpclient.MiddlewareName).MiddlewareName())
+			})
+		})
+	})
+}