Plugins: Add validation stage to plugin loader pipeline (#73053)

* first pass

* change validation signature

* err tracking

* fix

* undo golden

* 1 more

* fix

* adjust doc

* add test helper

* fix linter

pkg/plugins/manager/pipeline/validation/doc.go

@@ -0,0 +1,5 @@
+// Package validation defines the Validation stage of the plugin loader pipeline.
+//
+// The Validation stage must implement the Validator interface.
+
+package validation

pkg/plugins/manager/pipeline/validation/steps.go

@@ -0,0 +1,113 @@
+package validation
+
+import (
+	"context"
+	"errors"
+	"time"
+
+	"github.com/grafana/grafana/pkg/plugins"
+	"github.com/grafana/grafana/pkg/plugins/config"
+	"github.com/grafana/grafana/pkg/plugins/log"
+	"github.com/grafana/grafana/pkg/plugins/manager/loader/angular/angularinspector"
+	"github.com/grafana/grafana/pkg/plugins/manager/signature"
+)
+
+// DefaultValidateFuncs are the default ValidateFunc used for the Validate step of the Validation stage.
+func DefaultValidateFuncs(cfg *config.Cfg) []ValidateFunc {
+	return []ValidateFunc{
+		SignatureValidationStep(signature.NewValidator(signature.NewUnsignedAuthorizer(cfg))),
+		ModuleJSValidationStep(),
+		AngularDetectionStep(cfg, angularinspector.NewStaticInspector()),
+	}
+}
+
+type PluginSignatureValidator struct {
+	signatureValidator signature.Validator
+	log                log.Logger
+}
+
+func SignatureValidationStep(signatureValidator signature.Validator) ValidateFunc {
+	return newPluginSignatureValidator(signatureValidator).Validate
+}
+
+func newPluginSignatureValidator(signatureValidator signature.Validator) *PluginSignatureValidator {
+	return &PluginSignatureValidator{
+		signatureValidator: signatureValidator,
+		log:                log.New("plugins.validator.signature"),
+	}
+}
+
+func (v *PluginSignatureValidator) Validate(_ context.Context, p *plugins.Plugin) error {
+	return v.signatureValidator.ValidateSignature(p)
+}
+
+type ModuleJSValidator struct {
+	log log.Logger
+}
+
+func ModuleJSValidationStep() ValidateFunc {
+	return newModuleJSValidator().Validate
+}
+
+func newModuleJSValidator() *ModuleJSValidator {
+	return &ModuleJSValidator{
+		log: log.New("plugins.validator.module"),
+	}
+}
+
+func (v *ModuleJSValidator) Validate(_ context.Context, p *plugins.Plugin) error {
+	if !p.IsRenderer() && !p.IsCorePlugin() {
+		f, err := p.FS.Open("module.js")
+		if err != nil {
+			if errors.Is(err, plugins.ErrFileNotExist) {
+				v.log.Warn("Plugin missing module.js", "pluginID", p.ID,
+					"warning", "Missing module.js, If you loaded this plugin from git, make sure to compile it.")
+			}
+		} else if f != nil {
+			if err = f.Close(); err != nil {
+				v.log.Warn("Could not close module.js", "pluginID", p.ID, "err", err)
+			}
+		}
+	}
+	return nil
+}
+
+type AngularDetector struct {
+	cfg              *config.Cfg
+	angularInspector angularinspector.Inspector
+	log              log.Logger
+}
+
+func AngularDetectionStep(cfg *config.Cfg, angularInspector angularinspector.Inspector) ValidateFunc {
+	return newAngularDetector(cfg, angularInspector).Validate
+}
+
+func newAngularDetector(cfg *config.Cfg, angularInspector angularinspector.Inspector) *AngularDetector {
+	return &AngularDetector{
+		cfg:              cfg,
+		angularInspector: angularInspector,
+		log:              log.New("plugins.validator.angular"),
+	}
+}
+
+func (a *AngularDetector) Validate(ctx context.Context, p *plugins.Plugin) error {
+	if p.IsExternalPlugin() {
+		var err error
+
+		cctx, canc := context.WithTimeout(ctx, time.Second*10)
+		p.AngularDetected, err = a.angularInspector.Inspect(cctx, p)
+		canc()
+
+		if err != nil {
+			a.log.Warn("Could not inspect plugin for angular", "pluginID", p.ID, "err", err)
+		}
+
+		// Do not initialize plugins if they're using Angular and Angular support is disabled
+		if p.AngularDetected && !a.cfg.AngularSupportEnabled {
+			a.log.Error("Refusing to initialize plugin because it's using Angular, which has been disabled", "pluginID", p.ID)
+			return errors.New("angular plugins are not supported")
+		}
+	}
+
+	return nil
+}

pkg/plugins/manager/pipeline/validation/validation.go

@@ -0,0 +1,67 @@
+package validation
+
+import (
+	"context"
+	"errors"
+
+	"github.com/grafana/grafana/pkg/plugins"
+	"github.com/grafana/grafana/pkg/plugins/config"
+	"github.com/grafana/grafana/pkg/plugins/log"
+)
+
+// Validator is responsible for the Validation stage of the plugin loader pipeline.
+type Validator interface {
+	Validate(ctx context.Context, ps []*plugins.Plugin) ([]*plugins.Plugin, error)
+}
+
+// ValidateFunc is the function used for the Validate step of the Validation stage.
+type ValidateFunc func(ctx context.Context, p *plugins.Plugin) error
+
+type Validate struct {
+	cfg           *config.Cfg
+	validateSteps []ValidateFunc
+	log           log.Logger
+}
+
+type Opts struct {
+	ValidateFuncs []ValidateFunc
+}
+
+// New returns a new Validation stage.
+func New(cfg *config.Cfg, opts Opts) *Validate {
+	if opts.ValidateFuncs == nil {
+		opts.ValidateFuncs = DefaultValidateFuncs(cfg)
+	}
+
+	return &Validate{
+		cfg:           cfg,
+		validateSteps: opts.ValidateFuncs,
+		log:           log.New("plugins.validation"),
+	}
+}
+
+// Validate will execute the Validate steps of the Validation stage.
+func (t *Validate) Validate(ctx context.Context, ps []*plugins.Plugin) ([]*plugins.Plugin, error) {
+	if len(t.validateSteps) == 0 {
+		return ps, nil
+	}
+
+	var err error
+	verifiedPlugins := make([]*plugins.Plugin, 0, len(ps))
+	for _, p := range ps {
+		stepFailed := false
+		for _, validate := range t.validateSteps {
+			err = validate(ctx, p)
+			if err != nil && !errors.Is(err, nil) {
+				stepFailed = true
+				t.log.Error("Plugin verification failed", "pluginID", p.ID, "err", err)
+				break
+			}
+		}
+		if !stepFailed {
+			verifiedPlugins = append(verifiedPlugins, p)
+		}
+	}
+
+	return verifiedPlugins, nil
+}