Plugins: Add validation stage to plugin loader pipeline (#73053)

* first pass * change validation signature * err tracking * fix * undo golden * 1 more * fix * adjust doc * add test helper * fix linter
2025-07-31 15:42:55 +08:00 · 2023-08-09 18:25:28 +02:00
parent 69c8200fc9
commit 72da44db0e
23 changed files with 624 additions and 368 deletions
--- a/pkg/services/pluginsintegration/pipeline/steps.go
+++ b/pkg/services/pluginsintegration/pipeline/steps.go
@ -2,14 +2,18 @@ package pipeline

 import (
 	"context"
+	"errors"

 	"github.com/grafana/grafana/pkg/infra/metrics"
 	"github.com/grafana/grafana/pkg/plugins"
 	"github.com/grafana/grafana/pkg/plugins/config"
 	"github.com/grafana/grafana/pkg/plugins/log"
 	"github.com/grafana/grafana/pkg/plugins/manager/pipeline/initialization"
+	"github.com/grafana/grafana/pkg/plugins/manager/pipeline/validation"
+	"github.com/grafana/grafana/pkg/plugins/manager/signature"
 	"github.com/grafana/grafana/pkg/plugins/oauth"
 	"github.com/grafana/grafana/pkg/services/featuremgmt"
+	"github.com/grafana/grafana/pkg/services/pluginsintegration/pluginerrs"
 )

 // ExternalServiceRegistration implements an InitializeFunc for registering external services.
@ -78,3 +82,42 @@ func ReportBuildMetrics(_ context.Context, p *plugins.Plugin) (*plugins.Plugin,
 	}
 	return p, nil
 }
+
+// SignatureValidation implements a ValidateFunc for validating plugin signatures.
+type SignatureValidation struct {
+	signatureValidator signature.Validator
+	errs               pluginerrs.SignatureErrorTracker
+	log                log.Logger
+}
+
+// SignatureValidationStep returns a new ValidateFunc for validating plugin signatures.
+func SignatureValidationStep(signatureValidator signature.Validator,
+	sigErr pluginerrs.SignatureErrorTracker) validation.ValidateFunc {
+	sv := &SignatureValidation{
+		errs:               sigErr,
+		signatureValidator: signatureValidator,
+		log:                log.New("plugins.signature.validation"),
+	}
+	return sv.Validate
+}
+
+// Validate validates the plugin signature. If a signature error is encountered, the error is recorded with the
+// pluginerrs.SignatureErrorTracker.
+func (v *SignatureValidation) Validate(ctx context.Context, p *plugins.Plugin) error {
+	err := v.signatureValidator.ValidateSignature(p)
+	if err != nil {
+		var sigErr *plugins.SignatureError
+		if errors.As(err, &sigErr) {
+			v.log.Warn("Skipping loading plugin due to problem with signature",
+				"pluginID", p.ID, "status", sigErr.SignatureStatus)
+			p.SignatureError = sigErr
+			v.errs.Record(ctx, sigErr)
+		}
+		return err
+	}
+
+	// clear plugin error if a pre-existing error has since been resolved
+	v.errs.Clear(ctx, p.ID)
+
+	return nil
+}