opensource/grafana
1
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-07-30 16:43:07 +08:00
Code Issues Packages Projects Releases Wiki Activity

Plugins: Add validation stage to plugin loader pipeline (#73053)

Browse Source 
* first pass

* change validation signature

* err tracking

* fix

* undo golden

* 1 more

* fix

* adjust doc

* add test helper

* fix linter
This commit is contained in:
Will Browne
2023-08-09 18:25:28 +02:00
committed by GitHub
parent 69c8200fc9
commit 72da44db0e
23 changed files with 624 additions and 368 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
pkg/api/plugin_resource_test.go
View File

@ -11,7 +11,6 @@ import (
"github.com/grafana/grafana-azure-sdk-go/azsettings"
"github.com/grafana/grafana-plugin-sdk-go/backend"
"github.com/grafana/grafana/pkg/plugins/manager/loader/angular/angularinspector"
"github.com/stretchr/testify/require"
"github.com/grafana/grafana/pkg/infra/db"
@ -19,27 +18,14 @@ import (
"github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/infra/tracing"
"github.com/grafana/grafana/pkg/plugins/backendplugin/coreplugin"
"github.com/grafana/grafana/pkg/plugins/backendplugin/provider"
pluginClient "github.com/grafana/grafana/pkg/plugins/manager/client"
"github.com/grafana/grafana/pkg/plugins/manager/fakes"
"github.com/grafana/grafana/pkg/plugins/manager/loader"
"github.com/grafana/grafana/pkg/plugins/manager/loader/assetpath"
"github.com/grafana/grafana/pkg/plugins/manager/loader/finder"
"github.com/grafana/grafana/pkg/plugins/manager/process"
"github.com/grafana/grafana/pkg/plugins/manager/registry"
"github.com/grafana/grafana/pkg/plugins/manager/signature"
"github.com/grafana/grafana/pkg/plugins/manager/signature/statickey"
"github.com/grafana/grafana/pkg/plugins/manager/sources"
"github.com/grafana/grafana/pkg/plugins/manager/store"
"github.com/grafana/grafana/pkg/plugins/pluginscdn"
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/caching"
datasources "github.com/grafana/grafana/pkg/services/datasources/fakes"
"github.com/grafana/grafana/pkg/services/featuremgmt"
"github.com/grafana/grafana/pkg/services/oauthtoken/oauthtokentest"
"github.com/grafana/grafana/pkg/services/pluginsintegration"
"github.com/grafana/grafana/pkg/services/pluginsintegration/config"
"github.com/grafana/grafana/pkg/services/pluginsintegration/pipeline"
"github.com/grafana/grafana/pkg/services/pluginsintegration/pluginaccesscontrol"
"github.com/grafana/grafana/pkg/services/pluginsintegration/plugincontext"
pluginSettings "github.com/grafana/grafana/pkg/services/pluginsintegration/pluginsettings/service"
@ -66,36 +52,18 @@ func TestCallResource(t *testing.T) {
coreRegistry := coreplugin.ProvideCoreRegistry(nil, &cloudwatch.CloudWatchService{}, nil, nil, nil, nil,
nil, nil, nil, nil, testdatasource.ProvideService(), nil, nil, nil, nil, nil, nil)
pCfg, err := config.ProvideConfig(setting.ProvideProvider(cfg), cfg, featuremgmt.WithFeatures())
require.NoError(t, err)
reg := registry.ProvideService()
angularInspector, err := angularinspector.NewStaticInspector()
require.NoError(t, err)
proc := process.NewManager(reg)
discovery := pipeline.ProvideDiscoveryStage(pCfg, finder.NewLocalFinder(pCfg.DevMode), reg)
bootstrap := pipeline.ProvideBootstrapStage(pCfg, signature.ProvideService(pCfg, statickey.New()), assetpath.ProvideService(pluginscdn.ProvideService(pCfg)))
initialize := pipeline.ProvideInitializationStage(pCfg, reg, fakes.NewFakeLicensingService(), provider.ProvideService(coreRegistry), proc, &fakes.FakeOauthService{}, fakes.NewFakeRoleRegistry())
terminate, err := pipeline.ProvideTerminationStage(pCfg, reg, proc)
require.NoError(t, err)
textCtx := pluginsintegration.CreateIntegrationTestCtx(t, cfg, coreRegistry)
l := loader.ProvideService(pCfg, signature.NewUnsignedAuthorizer(pCfg),
reg, fakes.NewFakeRoleRegistry(),
assetpath.ProvideService(pluginscdn.ProvideService(pCfg)),
angularInspector, &fakes.FakeOauthService{}, discovery, bootstrap, initialize, terminate)
srcs := sources.ProvideService(cfg, pCfg)
ps, err := store.ProvideService(reg, srcs, l)
require.NoError(t, err)
pcp := plugincontext.ProvideService(localcache.ProvideService(), ps, &datasources.FakeDataSourceService{},
pcp := plugincontext.ProvideService(localcache.ProvideService(), textCtx.PluginStore, &datasources.FakeDataSourceService{},
pluginSettings.ProvideService(db.InitTestDB(t), fakeSecrets.NewFakeSecretsService()))
srv := SetupAPITestServer(t, func(hs *HTTPServer) {
hs.Cfg = cfg
hs.pluginContextProvider = pcp
hs.QuotaService = quotatest.New(false, nil)
hs.pluginStore = ps
hs.pluginClient = pluginClient.ProvideService(reg, pCfg)
hs.pluginStore = textCtx.PluginStore
hs.pluginClient = textCtx.PluginClient
hs.log = log.New("test")
})
@ -133,7 +101,7 @@ func TestCallResource(t *testing.T) {
hs.Cfg = cfg
hs.pluginContextProvider = pcp
hs.QuotaService = quotatest.New(false, nil)
hs.pluginStore = ps
hs.pluginStore = textCtx.PluginStore
hs.pluginClient = pc
hs.log = log.New("test")
})

11
pkg/plugins/manager/fakes/fakes.go
View File

@ -486,6 +486,17 @@ func (f *FakeBootstrapper) Bootstrap(ctx context.Context, src plugins.PluginSour
return []*plugins.Plugin{}, nil
}
type FakeValidator struct {
ValidateFunc func(ctx context.Context, ps []*plugins.Plugin) ([]*plugins.Plugin, error)
}
func (f *FakeValidator) Validate(ctx context.Context, ps []*plugins.Plugin) ([]*plugins.Plugin, error) {
if f.ValidateFunc != nil {
return f.ValidateFunc(ctx, ps)
}
return []*plugins.Plugin{}, nil
}
type FakeInitializer struct {
IntializeFunc func(ctx context.Context, ps []*plugins.Plugin) ([]*plugins.Plugin, error)
}

4
pkg/plugins/manager/loader/angular/angularinspector/angularinspector.go
View File

@ -73,6 +73,6 @@ func NewDefaultStaticDetectorsProvider() angulardetector.DetectorsProvider {
// NewStaticInspector returns the default Inspector, which is a PatternsListInspector that only uses the
// static (hardcoded) angular detection patterns.
func NewStaticInspector() (Inspector, error) {
return &PatternsListInspector{DetectorsProvider: NewDefaultStaticDetectorsProvider()}, nil
func NewStaticInspector() Inspector {
return &PatternsListInspector{DetectorsProvider: NewDefaultStaticDetectorsProvider()}
}

127
pkg/plugins/manager/loader/loader.go
View File

@ -2,154 +2,63 @@ package loader
import (
"context"
"errors"
"time"
"github.com/grafana/grafana/pkg/plugins"
"github.com/grafana/grafana/pkg/plugins/config"
"github.com/grafana/grafana/pkg/plugins/log"
"github.com/grafana/grafana/pkg/plugins/manager/loader/angular/angularinspector"
"github.com/grafana/grafana/pkg/plugins/manager/loader/assetpath"
"github.com/grafana/grafana/pkg/plugins/manager/pipeline/bootstrap"
"github.com/grafana/grafana/pkg/plugins/manager/pipeline/discovery"
"github.com/grafana/grafana/pkg/plugins/manager/pipeline/initialization"
"github.com/grafana/grafana/pkg/plugins/manager/pipeline/termination"
"github.com/grafana/grafana/pkg/plugins/manager/process"
"github.com/grafana/grafana/pkg/plugins/manager/registry"
"github.com/grafana/grafana/pkg/plugins/manager/signature"
"github.com/grafana/grafana/pkg/plugins/oauth"
"github.com/grafana/grafana/pkg/plugins/manager/pipeline/validation"
)
var _ plugins.ErrorResolver = (*Loader)(nil)
type Loader struct {
discovery discovery.Discoverer
bootstrap bootstrap.Bootstrapper
initializer initialization.Initializer
termination termination.Terminator
processManager process.Service
pluginRegistry registry.Service
roleRegistry plugins.RoleRegistry
signatureValidator signature.Validator
externalServiceRegistry oauth.ExternalServiceRegistry
assetPath *assetpath.Service
validation validation.Validator
log log.Logger
cfg *config.Cfg
angularInspector angularinspector.Inspector
errs map[string]*plugins.SignatureError
}
func ProvideService(cfg *config.Cfg, authorizer plugins.PluginLoaderAuthorizer,
pluginRegistry registry.Service, roleRegistry plugins.RoleRegistry, assetPath *assetpath.Service,
angularInspector angularinspector.Inspector, externalServiceRegistry oauth.ExternalServiceRegistry,
discovery discovery.Discoverer, bootstrap bootstrap.Bootstrapper, initializer initialization.Initializer,
termination termination.Terminator) *Loader {
return New(cfg, authorizer, pluginRegistry, process.NewManager(pluginRegistry), roleRegistry, assetPath,
angularInspector, externalServiceRegistry, discovery, bootstrap, initializer, termination)
func ProvideService(discovery discovery.Discoverer, bootstrap bootstrap.Bootstrapper, validation validation.Validator,
initializer initialization.Initializer, termination termination.Terminator) *Loader {
return New(discovery, bootstrap, validation, initializer, termination)
}
func New(cfg *config.Cfg, authorizer plugins.PluginLoaderAuthorizer, pluginRegistry registry.Service,
processManager process.Service, roleRegistry plugins.RoleRegistry, assetPath *assetpath.Service,
angularInspector angularinspector.Inspector, externalServiceRegistry oauth.ExternalServiceRegistry,
discovery discovery.Discoverer, bootstrap bootstrap.Bootstrapper, initializer initialization.Initializer,
termination termination.Terminator) *Loader {
func New(
discovery discovery.Discoverer, bootstrap bootstrap.Bootstrapper, validation validation.Validator,
initializer initialization.Initializer, termination termination.Terminator) *Loader {
return &Loader{
pluginRegistry: pluginRegistry,
signatureValidator: signature.NewValidator(authorizer),
processManager: processManager,
errs: make(map[string]*plugins.SignatureError),
log: log.New("plugin.loader"),
roleRegistry: roleRegistry,
cfg: cfg,
assetPath: assetPath,
angularInspector: angularInspector,
externalServiceRegistry: externalServiceRegistry,
discovery: discovery,
bootstrap: bootstrap,
validation: validation,
initializer: initializer,
termination: termination,
log: log.New("plugin.loader"),
}
}
func (l *Loader) Load(ctx context.Context, src plugins.PluginSource) ([]*plugins.Plugin, error) {
// <DISCOVERY STAGE>
discoveredPlugins, err := l.discovery.Discover(ctx, src)
if err != nil {
return nil, err
}
// </DISCOVERY STAGE>
// <BOOTSTRAP STAGE>
bootstrappedPlugins, err := l.bootstrap.Bootstrap(ctx, src, discoveredPlugins)
if err != nil {
return nil, err
}
// </BOOTSTRAP STAGE>
// <VERIFICATION STAGE>
verifiedPlugins := make([]*plugins.Plugin, 0, len(bootstrappedPlugins))
for _, plugin := range bootstrappedPlugins {
signingError := l.signatureValidator.Validate(plugin)
if signingError != nil {
l.log.Warn("Skipping loading plugin due to problem with signature",
"pluginID", plugin.ID, "status", signingError.SignatureStatus)
plugin.SignatureError = signingError
l.errs[plugin.ID] = signingError
// skip plugin so it will not be loaded any further
continue
}
// clear plugin error if a pre-existing error has since been resolved
delete(l.errs, plugin.ID)
// verify module.js exists for SystemJS to load.
// CDN plugins can be loaded with plugin.json only, so do not warn for those.
if !plugin.IsRenderer() && !plugin.IsCorePlugin() {
f, err := plugin.FS.Open("module.js")
verifiedPlugins, err := l.validation.Validate(ctx, bootstrappedPlugins)
if err != nil {
if errors.Is(err, plugins.ErrFileNotExist) {
l.log.Warn("Plugin missing module.js", "pluginID", plugin.ID,
"warning", "Missing module.js, If you loaded this plugin from git, make sure to compile it.")
}
} else if f != nil {
if err := f.Close(); err != nil {
l.log.Warn("Could not close module.js", "pluginID", plugin.ID, "err", err)
}
}
return nil, err
}
// detect angular for external plugins
if plugin.IsExternalPlugin() {
var err error
cctx, canc := context.WithTimeout(ctx, time.Second*10)
plugin.AngularDetected, err = l.angularInspector.Inspect(cctx, plugin)
canc()
if err != nil {
l.log.Warn("Could not inspect plugin for angular", "pluginID", plugin.ID, "err", err)
}
// Do not initialize plugins if they're using Angular and Angular support is disabled
if plugin.AngularDetected && !l.cfg.AngularSupportEnabled {
l.log.Error("Refusing to initialize plugin because it's using Angular, which has been disabled", "pluginID", plugin.ID)
continue
}
}
verifiedPlugins = append(verifiedPlugins, plugin)
}
// </VERIFICATION STAGE>
// <INITIALIZATION STAGE>
initializedPlugins, err := l.initializer.Initialize(ctx, verifiedPlugins)
if err != nil {
return nil, err
}
// </INITIALIZATION STAGE>
return initializedPlugins, nil
}
@ -157,15 +66,3 @@ func (l *Loader) Load(ctx context.Context, src plugins.PluginSource) ([]*plugins
func (l *Loader) Unload(ctx context.Context, pluginID string) error {
return l.termination.Terminate(ctx, pluginID)
}
func (l *Loader) PluginErrors() []*plugins.Error {
errs := make([]*plugins.Error, 0, len(l.errs))
for _, err := range l.errs {
errs = append(errs, &plugins.Error{
PluginID: err.PluginID,
ErrorCode: err.AsErrorCode(),
})
}
return errs
}

105
pkg/plugins/manager/loader/loader_test.go
View File

@ -14,15 +14,12 @@ import (
"github.com/grafana/grafana/pkg/plugins"
"github.com/grafana/grafana/pkg/plugins/config"
"github.com/grafana/grafana/pkg/plugins/manager/fakes"
"github.com/grafana/grafana/pkg/plugins/manager/loader/angular/angularinspector"
"github.com/grafana/grafana/pkg/plugins/manager/loader/assetpath"
"github.com/grafana/grafana/pkg/plugins/manager/pipeline/bootstrap"
"github.com/grafana/grafana/pkg/plugins/manager/pipeline/discovery"
"github.com/grafana/grafana/pkg/plugins/manager/pipeline/initialization"
"github.com/grafana/grafana/pkg/plugins/manager/pipeline/termination"
"github.com/grafana/grafana/pkg/plugins/manager/signature"
"github.com/grafana/grafana/pkg/plugins/manager/pipeline/validation"
"github.com/grafana/grafana/pkg/plugins/manager/sources"
"github.com/grafana/grafana/pkg/plugins/pluginscdn"
"github.com/grafana/grafana/pkg/services/org"
)
@ -66,7 +63,6 @@ func TestLoader_Load(t *testing.T) {
cfg *config.Cfg
pluginPaths []string
want []*plugins.Plugin
pluginErrors map[string]*plugins.Error
}{
{
name: "Load a Core plugin",
@ -272,18 +268,13 @@ func TestLoader_Load(t *testing.T) {
Signature: "unsigned",
},
},
}, {
},
{
name: "Load an unsigned plugin (production)",
class: plugins.ClassExternal,
cfg: &config.Cfg{},
pluginPaths: []string{"../testdata/unsigned-datasource"},
want: []*plugins.Plugin{},
pluginErrors: map[string]*plugins.Error{
"test-datasource": {
PluginID: "test-datasource",
ErrorCode: "signatureMissing",
},
},
},
{
name: "Load an unsigned plugin using PluginsAllowUnsigned config (production)",
@ -330,12 +321,6 @@ func TestLoader_Load(t *testing.T) {
cfg: &config.Cfg{},
pluginPaths: []string{"../testdata/lacking-files"},
want: []*plugins.Plugin{},
pluginErrors: map[string]*plugins.Error{
"test-datasource": {
PluginID: "test-datasource",
ErrorCode: "signatureInvalid",
},
},
},
{
name: "Load a plugin with v1 manifest using PluginsAllowUnsigned config (production) should return signatureInvali",
@ -345,12 +330,6 @@ func TestLoader_Load(t *testing.T) {
},
pluginPaths: []string{"../testdata/lacking-files"},
want: []*plugins.Plugin{},
pluginErrors: map[string]*plugins.Error{
"test-datasource": {
PluginID: "test-datasource",
ErrorCode: "signatureInvalid",
},
},
},
{
name: "Load a plugin with manifest which has a file not found in plugin folder",
@ -360,12 +339,6 @@ func TestLoader_Load(t *testing.T) {
},
pluginPaths: []string{"../testdata/invalid-v2-missing-file"},
want: []*plugins.Plugin{},
pluginErrors: map[string]*plugins.Error{
"test-datasource": {
PluginID: "test-datasource",
ErrorCode: "signatureModified",
},
},
},
{
name: "Load a plugin with file which is missing from the manifest",
@ -375,12 +348,6 @@ func TestLoader_Load(t *testing.T) {
},
pluginPaths: []string{"../testdata/invalid-v2-extra-file"},
want: []*plugins.Plugin{},
pluginErrors: map[string]*plugins.Error{
"test-datasource": {
PluginID: "test-datasource",
ErrorCode: "signatureModified",
},
},
},
{
name: "Load an app with includes",
@ -434,31 +401,19 @@ func TestLoader_Load(t *testing.T) {
},
}
for _, tt := range tests {
angularInspector, err := angularinspector.NewStaticInspector()
require.NoError(t, err)
t.Run(tt.name, func(t *testing.T) {
terminationStage, err := termination.New(tt.cfg, termination.Opts{})
require.NoError(t, err)
l := New(tt.cfg, signature.NewUnsignedAuthorizer(tt.cfg), fakes.NewFakePluginRegistry(),
fakes.NewFakeProcessManager(), fakes.NewFakeRoleRegistry(),
assetpath.ProvideService(pluginscdn.ProvideService(tt.cfg)), angularInspector, &fakes.FakeOauthService{},
discovery.New(tt.cfg, discovery.Opts{}), bootstrap.New(tt.cfg, bootstrap.Opts{}),
initialization.New(tt.cfg, initialization.Opts{}),
l := New(discovery.New(tt.cfg, discovery.Opts{}), bootstrap.New(tt.cfg, bootstrap.Opts{}),
validation.New(tt.cfg, validation.Opts{}), initialization.New(tt.cfg, initialization.Opts{}),
terminationStage)
t.Run(tt.name, func(t *testing.T) {
got, err := l.Load(context.Background(), sources.NewLocalSource(tt.class, tt.pluginPaths))
require.NoError(t, err)
if !cmp.Equal(got, tt.want, compareOpts...) {
t.Fatalf("Result mismatch (-want +got):\n%s", cmp.Diff(got, tt.want, compareOpts...))
}
pluginErrs := l.PluginErrors()
require.Equal(t, len(tt.pluginErrors), len(pluginErrs))
for _, pluginErr := range pluginErrs {
require.Equal(t, tt.pluginErrors[pluginErr.PluginID], pluginErr)
}
})
}
@ -474,41 +429,41 @@ func TestLoader_Load(t *testing.T) {
return plugins.Signature{}, false
},
}
pJSON := plugins.JSONData{ID: "test-datasource", Type: plugins.TypeDataSource, Info: plugins.Info{Version: "1.0.0"}}
p := &plugins.Plugin{
JSONData: pJSON,
pluginJSON := plugins.JSONData{ID: "test-datasource", Type: plugins.TypeDataSource, Info: plugins.Info{Version: "1.0.0"}}
plugin := &plugins.Plugin{
JSONData: pluginJSON,
Signature: plugins.SignatureStatusValid,
SignatureType: plugins.SignatureTypeCommunity,
FS: plugins.NewFakeFS(),
}
cfg := &config.Cfg{}
angularInspector, err := angularinspector.NewStaticInspector()
require.NoError(t, err)
var steps []string
l := New(cfg, signature.NewUnsignedAuthorizer(cfg), fakes.NewFakePluginRegistry(), fakes.NewFakeProcessManager(),
fakes.NewFakeRoleRegistry(), assetpath.ProvideService(pluginscdn.ProvideService(cfg)),
angularInspector, &fakes.FakeOauthService{},
l := New(
&fakes.FakeDiscoverer{
DiscoverFunc: func(ctx context.Context, s plugins.PluginSource) ([]*plugins.FoundBundle, error) {
require.Equal(t, src, s)
steps = append(steps, "discover")
return []*plugins.FoundBundle{{Primary: plugins.FoundPlugin{JSONData: pJSON}}}, nil
return []*plugins.FoundBundle{{Primary: plugins.FoundPlugin{JSONData: pluginJSON}}}, nil
},
}, &fakes.FakeBootstrapper{
BootstrapFunc: func(ctx context.Context, s plugins.PluginSource, b []*plugins.FoundBundle) ([]*plugins.Plugin, error) {
require.True(t, len(b) == 1)
require.Equal(t, b[0].Primary.JSONData, pJSON)
require.Equal(t, b[0].Primary.JSONData, pluginJSON)
require.Equal(t, src, s)
steps = append(steps, "bootstrap")
return []*plugins.Plugin{p}, nil
return []*plugins.Plugin{plugin}, nil
},
}, &fakes.FakeInitializer{
}, &fakes.FakeValidator{ValidateFunc: func(ctx context.Context, ps []*plugins.Plugin) ([]*plugins.Plugin, error) {
require.Equal(t, []*plugins.Plugin{plugin}, ps)
steps = append(steps, "validate")
return ps, nil
}},
&fakes.FakeInitializer{
IntializeFunc: func(ctx context.Context, ps []*plugins.Plugin) ([]*plugins.Plugin, error) {
require.True(t, len(ps) == 1)
require.Equal(t, ps[0].JSONData, pJSON)
require.Equal(t, ps[0].JSONData, pluginJSON)
steps = append(steps, "initialize")
return ps, nil
},
@ -516,19 +471,14 @@ func TestLoader_Load(t *testing.T) {
got, err := l.Load(context.Background(), src)
require.NoError(t, err)
require.Equal(t, []*plugins.Plugin{p}, got)
require.Equal(t, []string{"discover", "bootstrap", "initialize"}, steps)
require.Zero(t, len(l.PluginErrors()))
require.Equal(t, []*plugins.Plugin{plugin}, got)
require.Equal(t, []string{"discover", "bootstrap", "validate", "initialize"}, steps)
})
}
func TestLoader_Unload(t *testing.T) {
t.Run("Termination stage error is returned from Unload", func(t *testing.T) {
pluginID := "grafana-test-panel"
cfg := &config.Cfg{}
angularInspector, err := angularinspector.NewStaticInspector()
require.NoError(t, err)
tcs := []struct {
expectedErr error
}{
@ -541,9 +491,10 @@ func TestLoader_Unload(t *testing.T) {
}
for _, tc := range tcs {
l := New(cfg, signature.NewUnsignedAuthorizer(cfg), fakes.NewFakePluginRegistry(), fakes.NewFakeProcessManager(),
fakes.NewFakeRoleRegistry(), assetpath.ProvideService(pluginscdn.ProvideService(cfg)), angularInspector,
&fakes.FakeOauthService{}, &fakes.FakeDiscoverer{}, &fakes.FakeBootstrapper{}, &fakes.FakeInitializer{},
l := New(&fakes.FakeDiscoverer{},
&fakes.FakeBootstrapper{},
&fakes.FakeValidator{},
&fakes.FakeInitializer{},
&fakes.FakeTerminator{
TerminateFunc: func(ctx context.Context, pID string) error {
require.Equal(t, pluginID, pID)
@ -551,7 +502,7 @@ func TestLoader_Unload(t *testing.T) {
},
})
err = l.Unload(context.Background(), pluginID)
err := l.Unload(context.Background(), pluginID)
require.ErrorIs(t, err, tc.expectedErr)
}
})

1
pkg/plugins/manager/pipeline/bootstrap/doc.go
View File

@ -1,6 +1,5 @@
// Package bootstrap defines the Bootstrap stage of the plugin loader pipeline.
//
// The Bootstrap stage must implement the Bootstrapper interface.
// - Bootstrap(ctx context.Context, src plugins.PluginSource, bundles []*plugins.FoundBundle) ([]*plugins.Plugin, error)
package bootstrap

1
pkg/plugins/manager/pipeline/discovery/doc.go
View File

@ -1,6 +1,5 @@
// Package discovery defines the Discovery stage of the plugin loader pipeline.
// The Discovery stage must implement the Discoverer interface.
// - Discover(ctx context.Context, src plugins.PluginSource) ([]*plugins.FoundBundle, error)
package discovery

2
pkg/plugins/manager/pipeline/doc.go
View File

@ -4,7 +4,7 @@
// A plugin loader pipeline is defined by the following stages:
// Discovery: Find plugins (e.g. from disk, remote, etc.), and [optionally] filter the results based on some criteria.
// Bootstrap: Create the plugins found in the discovery stage and enrich them with metadata.
// Verification: Verify the plugins based on some criteria (e.g. signature validation, angular detection, etc.)
// Validation: Validate the plugins based on some criteria (e.g. signature, angular, etc.)
// Initialization: Initialize the plugin for use (e.g. register with Grafana, start the backend process, declare RBAC roles etc.)
// - Termination: Terminate the plugin (e.g. stop the backend process, cleanup, etc.)

1
pkg/plugins/manager/pipeline/initialization/doc.go
View File

@ -1,6 +1,5 @@
// Package initialization defines the Initialization stage of the plugin loader pipeline.
//
// The Initialization stage must implement the Initializer interface.
// - Initialize(ctx context.Context, ps []*plugins.Plugin) ([]*plugins.Plugin, error)
package initialization

1
pkg/plugins/manager/pipeline/termination/doc.go
View File

@ -1,5 +1,4 @@
// Package termination defines the Termination stage of the plugin loader pipeline.
//
// The Termination stage must implement the Terminator interface.
// - Terminate(ctx context.Context, pluginID string) error
package termination

5
pkg/plugins/manager/pipeline/validation/doc.go Normal file
View File

@ -0,0 +1,5 @@
// Package validation defines the Validation stage of the plugin loader pipeline.
//
// The Validation stage must implement the Validator interface.
package validation

113
pkg/plugins/manager/pipeline/validation/steps.go Normal file
View File

@ -0,0 +1,113 @@
package validation
import (
"context"
"errors"
"time"
"github.com/grafana/grafana/pkg/plugins"
"github.com/grafana/grafana/pkg/plugins/config"
"github.com/grafana/grafana/pkg/plugins/log"
"github.com/grafana/grafana/pkg/plugins/manager/loader/angular/angularinspector"
"github.com/grafana/grafana/pkg/plugins/manager/signature"
)
// DefaultValidateFuncs are the default ValidateFunc used for the Validate step of the Validation stage.
func DefaultValidateFuncs(cfg *config.Cfg) []ValidateFunc {
return []ValidateFunc{
SignatureValidationStep(signature.NewValidator(signature.NewUnsignedAuthorizer(cfg))),
ModuleJSValidationStep(),
AngularDetectionStep(cfg, angularinspector.NewStaticInspector()),
}
}
type PluginSignatureValidator struct {
signatureValidator signature.Validator
log log.Logger
}
func SignatureValidationStep(signatureValidator signature.Validator) ValidateFunc {
return newPluginSignatureValidator(signatureValidator).Validate
}
func newPluginSignatureValidator(signatureValidator signature.Validator) *PluginSignatureValidator {
return &PluginSignatureValidator{
signatureValidator: signatureValidator,
log: log.New("plugins.validator.signature"),
}
}
func (v *PluginSignatureValidator) Validate(_ context.Context, p *plugins.Plugin) error {
return v.signatureValidator.ValidateSignature(p)
}
type ModuleJSValidator struct {
log log.Logger
}
func ModuleJSValidationStep() ValidateFunc {
return newModuleJSValidator().Validate
}
func newModuleJSValidator() *ModuleJSValidator {
return &ModuleJSValidator{
log: log.New("plugins.validator.module"),
}
}
func (v *ModuleJSValidator) Validate(_ context.Context, p *plugins.Plugin) error {
if !p.IsRenderer() && !p.IsCorePlugin() {
f, err := p.FS.Open("module.js")
if err != nil {
if errors.Is(err, plugins.ErrFileNotExist) {
v.log.Warn("Plugin missing module.js", "pluginID", p.ID,
"warning", "Missing module.js, If you loaded this plugin from git, make sure to compile it.")
}
} else if f != nil {
if err = f.Close(); err != nil {
v.log.Warn("Could not close module.js", "pluginID", p.ID, "err", err)
}
}
}
return nil
}
type AngularDetector struct {
cfg *config.Cfg
angularInspector angularinspector.Inspector
log log.Logger
}
func AngularDetectionStep(cfg *config.Cfg, angularInspector angularinspector.Inspector) ValidateFunc {
return newAngularDetector(cfg, angularInspector).Validate
}
func newAngularDetector(cfg *config.Cfg, angularInspector angularinspector.Inspector) *AngularDetector {
return &AngularDetector{
cfg: cfg,
angularInspector: angularInspector,
log: log.New("plugins.validator.angular"),
}
}
func (a *AngularDetector) Validate(ctx context.Context, p *plugins.Plugin) error {
if p.IsExternalPlugin() {
var err error
cctx, canc := context.WithTimeout(ctx, time.Second*10)
p.AngularDetected, err = a.angularInspector.Inspect(cctx, p)
canc()
if err != nil {
a.log.Warn("Could not inspect plugin for angular", "pluginID", p.ID, "err", err)
}
// Do not initialize plugins if they're using Angular and Angular support is disabled
if p.AngularDetected && !a.cfg.AngularSupportEnabled {
a.log.Error("Refusing to initialize plugin because it's using Angular, which has been disabled", "pluginID", p.ID)
return errors.New("angular plugins are not supported")
}
}
return nil
}

67
pkg/plugins/manager/pipeline/validation/validation.go Normal file
View File

@ -0,0 +1,67 @@
package validation
import (
"context"
"errors"
"github.com/grafana/grafana/pkg/plugins"
"github.com/grafana/grafana/pkg/plugins/config"
"github.com/grafana/grafana/pkg/plugins/log"
)
// Validator is responsible for the Validation stage of the plugin loader pipeline.
type Validator interface {
Validate(ctx context.Context, ps []*plugins.Plugin) ([]*plugins.Plugin, error)
}
// ValidateFunc is the function used for the Validate step of the Validation stage.
type ValidateFunc func(ctx context.Context, p *plugins.Plugin) error
type Validate struct {
cfg *config.Cfg
validateSteps []ValidateFunc
log log.Logger
}
type Opts struct {
ValidateFuncs []ValidateFunc
}
// New returns a new Validation stage.
func New(cfg *config.Cfg, opts Opts) *Validate {
if opts.ValidateFuncs == nil {
opts.ValidateFuncs = DefaultValidateFuncs(cfg)
}
return &Validate{
cfg: cfg,
validateSteps: opts.ValidateFuncs,
log: log.New("plugins.validation"),
}
}
// Validate will execute the Validate steps of the Validation stage.
func (t *Validate) Validate(ctx context.Context, ps []*plugins.Plugin) ([]*plugins.Plugin, error) {
if len(t.validateSteps) == 0 {
return ps, nil
}
var err error
verifiedPlugins := make([]*plugins.Plugin, 0, len(ps))
for _, p := range ps {
stepFailed := false
for _, validate := range t.validateSteps {
err = validate(ctx, p)
if err != nil && !errors.Is(err, nil) {
stepFailed = true
t.log.Error("Plugin verification failed", "pluginID", p.ID, "err", err)
break
}
}
if !stepFailed {
verifiedPlugins = append(verifiedPlugins, p)
}
}
return verifiedPlugins, nil
}

16
pkg/plugins/manager/signature/signature.go
View File

@ -5,19 +5,27 @@ import (
"github.com/grafana/grafana/pkg/plugins/log"
)
type Validator struct {
type Validator interface {
ValidateSignature(plugin *plugins.Plugin) error
}
type Validation struct {
authorizer plugins.PluginLoaderAuthorizer
log log.Logger
}
func NewValidator(authorizer plugins.PluginLoaderAuthorizer) Validator {
return Validator{
func ProvideValidatorService(authorizer plugins.PluginLoaderAuthorizer) *Validation {
return NewValidator(authorizer)
}
func NewValidator(authorizer plugins.PluginLoaderAuthorizer) *Validation {
return &Validation{
authorizer: authorizer,
log: log.New("plugin.signature.validator"),
}
}
func (s *Validator) Validate(plugin *plugins.Plugin) *plugins.SignatureError {
func (s *Validation) ValidateSignature(plugin *plugins.Plugin) error {
if plugin.Signature.IsValid() {
s.log.Debug("Plugin has valid signature", "id", plugin.ID)
return nil

38
pkg/services/pluginsintegration/loader/fakes.go Normal file
View File

@ -0,0 +1,38 @@
package loader
import (
"context"
"github.com/grafana/grafana/pkg/plugins"
)
type fakeSignatureErrorTracker struct {
RecordFunc func(ctx context.Context, err *plugins.SignatureError)
ClearFunc func(ctx context.Context, pluginID string)
SignatureErrorsFunc func(ctx context.Context) []*plugins.SignatureError
}
func newFakeSignatureErrorTracker() *fakeSignatureErrorTracker {
return &fakeSignatureErrorTracker{}
}
func (t *fakeSignatureErrorTracker) Record(ctx context.Context, err *plugins.SignatureError) {
if t.RecordFunc != nil {
t.RecordFunc(ctx, err)
return
}
}
func (t *fakeSignatureErrorTracker) Clear(ctx context.Context, pluginID string) {
if t.ClearFunc != nil {
t.ClearFunc(ctx, pluginID)
return
}
}
func (t *fakeSignatureErrorTracker) SignatureErrors(ctx context.Context) []*plugins.SignatureError {
if t.SignatureErrorsFunc != nil {
return t.SignatureErrorsFunc(ctx)
}
return nil
}

22
pkg/services/pluginsintegration/loader/loader.go
View File

@ -4,35 +4,25 @@ import (
"context"
"github.com/grafana/grafana/pkg/plugins"
"github.com/grafana/grafana/pkg/plugins/config"
pluginsLoader "github.com/grafana/grafana/pkg/plugins/manager/loader"
"github.com/grafana/grafana/pkg/plugins/manager/loader/angular/angularinspector"
"github.com/grafana/grafana/pkg/plugins/manager/loader/assetpath"
"github.com/grafana/grafana/pkg/plugins/manager/pipeline/bootstrap"
"github.com/grafana/grafana/pkg/plugins/manager/pipeline/discovery"
"github.com/grafana/grafana/pkg/plugins/manager/pipeline/initialization"
"github.com/grafana/grafana/pkg/plugins/manager/pipeline/termination"
"github.com/grafana/grafana/pkg/plugins/manager/process"
"github.com/grafana/grafana/pkg/plugins/manager/registry"
"github.com/grafana/grafana/pkg/plugins/oauth"
"github.com/grafana/grafana/pkg/plugins/manager/pipeline/validation"
)
var _ plugins.ErrorResolver = (*Loader)(nil)
var _ pluginsLoader.Service = (*Loader)(nil)
type Loader struct {
loader *pluginsLoader.Loader
}
func ProvideService(cfg *config.Cfg, authorizer plugins.PluginLoaderAuthorizer, processManager process.Service,
pluginRegistry registry.Service, roleRegistry plugins.RoleRegistry, assetPath *assetpath.Service,
angularInspector angularinspector.Inspector, externalServiceRegistry oauth.ExternalServiceRegistry,
discovery discovery.Discoverer, bootstrap bootstrap.Bootstrapper, initializer initialization.Initializer,
termination termination.Terminator,
func ProvideService(discovery discovery.Discoverer, bootstrap bootstrap.Bootstrapper, validation validation.Validator,
initializer initialization.Initializer, termination termination.Terminator,
) *Loader {
return &Loader{
loader: pluginsLoader.New(cfg, authorizer, pluginRegistry, processManager, roleRegistry, assetPath,
angularInspector, externalServiceRegistry, discovery, bootstrap, initializer, termination),
loader: pluginsLoader.New(discovery, bootstrap, validation, initializer, termination),
}
}
@ -43,7 +33,3 @@ func (l *Loader) Load(ctx context.Context, src plugins.PluginSource) ([]*plugins
func (l *Loader) Unload(ctx context.Context, pluginID string) error {
return l.loader.Unload(ctx, pluginID)
}
func (l *Loader) PluginErrors() []*plugins.Error {
return l.loader.PluginErrors()
}

87
pkg/services/pluginsintegration/loader/loader_test.go
View File

@ -19,10 +19,6 @@ import (
"github.com/grafana/grafana/pkg/plugins/manager/loader/angular/angularinspector"
"github.com/grafana/grafana/pkg/plugins/manager/loader/assetpath"
"github.com/grafana/grafana/pkg/plugins/manager/loader/finder"
"github.com/grafana/grafana/pkg/plugins/manager/pipeline/bootstrap"
"github.com/grafana/grafana/pkg/plugins/manager/pipeline/discovery"
"github.com/grafana/grafana/pkg/plugins/manager/pipeline/initialization"
"github.com/grafana/grafana/pkg/plugins/manager/pipeline/termination"
"github.com/grafana/grafana/pkg/plugins/manager/process"
"github.com/grafana/grafana/pkg/plugins/manager/registry"
"github.com/grafana/grafana/pkg/plugins/manager/signature"
@ -30,6 +26,7 @@ import (
"github.com/grafana/grafana/pkg/plugins/pluginscdn"
"github.com/grafana/grafana/pkg/services/org"
"github.com/grafana/grafana/pkg/services/pluginsintegration/pipeline"
"github.com/grafana/grafana/pkg/services/pluginsintegration/pluginerrs"
"github.com/grafana/grafana/pkg/setting"
)
@ -63,7 +60,7 @@ func TestLoader_Load(t *testing.T) {
cfg *config.Cfg
pluginPaths []string
want []*plugins.Plugin
pluginErrors map[string]*plugins.Error
pluginErrors map[string]*plugins.SignatureError
}{
{
name: "Load a Core plugin",
@ -275,10 +272,10 @@ func TestLoader_Load(t *testing.T) {
cfg: &config.Cfg{},
pluginPaths: []string{filepath.Join(testDataDir(t), "unsigned-datasource")},
want: []*plugins.Plugin{},
pluginErrors: map[string]*plugins.Error{
pluginErrors: map[string]*plugins.SignatureError{
"test-datasource": {
PluginID: "test-datasource",
ErrorCode: "signatureMissing",
SignatureStatus: plugins.SignatureStatusUnsigned,
},
},
},
@ -327,10 +324,10 @@ func TestLoader_Load(t *testing.T) {
cfg: &config.Cfg{},
pluginPaths: []string{filepath.Join(testDataDir(t), "lacking-files")},
want: []*plugins.Plugin{},
pluginErrors: map[string]*plugins.Error{
pluginErrors: map[string]*plugins.SignatureError{
"test-datasource": {
PluginID: "test-datasource",
ErrorCode: "signatureInvalid",
SignatureStatus: plugins.SignatureStatusInvalid,
},
},
},
@ -342,10 +339,10 @@ func TestLoader_Load(t *testing.T) {
},
pluginPaths: []string{filepath.Join(testDataDir(t), "lacking-files")},
want: []*plugins.Plugin{},
pluginErrors: map[string]*plugins.Error{
pluginErrors: map[string]*plugins.SignatureError{
"test-datasource": {
PluginID: "test-datasource",
ErrorCode: "signatureInvalid",
SignatureStatus: plugins.SignatureStatusInvalid,
},
},
},
@ -357,10 +354,10 @@ func TestLoader_Load(t *testing.T) {
},
pluginPaths: []string{filepath.Join(testDataDir(t), "invalid-v2-missing-file")},
want: []*plugins.Plugin{},
pluginErrors: map[string]*plugins.Error{
pluginErrors: map[string]*plugins.SignatureError{
"test-datasource": {
PluginID: "test-datasource",
ErrorCode: "signatureModified",
SignatureStatus: plugins.SignatureStatusModified,
},
},
},
@ -372,10 +369,10 @@ func TestLoader_Load(t *testing.T) {
},
pluginPaths: []string{filepath.Join(testDataDir(t), "invalid-v2-extra-file")},
want: []*plugins.Plugin{},
pluginErrors: map[string]*plugins.Error{
pluginErrors: map[string]*plugins.SignatureError{
"test-datasource": {
PluginID: "test-datasource",
ErrorCode: "signatureModified",
SignatureStatus: plugins.SignatureStatusModified,
},
},
},
@ -433,7 +430,8 @@ func TestLoader_Load(t *testing.T) {
reg := fakes.NewFakePluginRegistry()
procPrvdr := fakes.NewFakeBackendProcessProvider()
procMgr := fakes.NewFakeProcessManager()
l := newLoader(t, tt.cfg, reg, procMgr, procPrvdr)
errTracker := pluginerrs.ProvideSignatureErrorTracker()
l := newLoader(t, tt.cfg, reg, procMgr, procPrvdr, errTracker)
t.Run(tt.name, func(t *testing.T) {
got, err := l.Load(context.Background(), sources.NewLocalSource(tt.class, tt.pluginPaths))
@ -442,7 +440,7 @@ func TestLoader_Load(t *testing.T) {
t.Fatalf("Result mismatch (-want +got):\n%s", cmp.Diff(got, tt.want, compareOpts...))
}
pluginErrs := l.PluginErrors()
pluginErrs := errTracker.SignatureErrors(context.Background())
require.Equal(t, len(tt.pluginErrors), len(pluginErrs))
for _, pluginErr := range pluginErrs {
require.Equal(t, tt.pluginErrors[pluginErr.PluginID], pluginErr)
@ -506,7 +504,7 @@ func TestLoader_Load_CustomSource(t *testing.T) {
Module: "plugin-cdn/grafana-worldmap-panel/0.3.3/public/plugins/grafana-worldmap-panel/module",
}}
l := newLoader(t, cfg, fakes.NewFakePluginRegistry(), fakes.NewFakeProcessManager(), fakes.NewFakeBackendProcessProvider())
l := newLoader(t, cfg, fakes.NewFakePluginRegistry(), fakes.NewFakeProcessManager(), fakes.NewFakeBackendProcessProvider(), newFakeSignatureErrorTracker())
got, err := l.Load(context.Background(), &fakes.FakePluginSource{
PluginClassFunc: func(ctx context.Context) plugins.Class {
return plugins.ClassBundled
@ -536,7 +534,7 @@ func TestLoader_Load_MultiplePlugins(t *testing.T) {
pluginPaths []string
existingPlugins map[string]struct{}
want []*plugins.Plugin
pluginErrors map[string]*plugins.Error
pluginErrors map[string]*plugins.SignatureError
}{
{
name: "Load multiple plugins (broken, valid, unsigned)",
@ -583,10 +581,10 @@ func TestLoader_Load_MultiplePlugins(t *testing.T) {
SignatureOrg: "Will Browne",
},
},
pluginErrors: map[string]*plugins.Error{
pluginErrors: map[string]*plugins.SignatureError{
"test-panel": {
PluginID: "test-panel",
ErrorCode: "signatureMissing",
SignatureStatus: plugins.SignatureStatusUnsigned,
},
},
},
@ -596,7 +594,9 @@ func TestLoader_Load_MultiplePlugins(t *testing.T) {
reg := fakes.NewFakePluginRegistry()
procPrvdr := fakes.NewFakeBackendProcessProvider()
procMgr := fakes.NewFakeProcessManager()
l := newLoader(t, tt.cfg, reg, procMgr, procPrvdr)
errTracker := pluginerrs.ProvideSignatureErrorTracker()
l := newLoader(t, tt.cfg, reg, procMgr, procPrvdr, errTracker)
t.Run(tt.name, func(t *testing.T) {
got, err := l.Load(context.Background(), &fakes.FakePluginSource{
PluginClassFunc: func(ctx context.Context) plugins.Class {
@ -613,7 +613,7 @@ func TestLoader_Load_MultiplePlugins(t *testing.T) {
if !cmp.Equal(got, tt.want, compareOpts...) {
t.Fatalf("Result mismatch (-want +got):\n%s", cmp.Diff(got, tt.want, compareOpts...))
}
pluginErrs := l.PluginErrors()
pluginErrs := errTracker.SignatureErrors(context.Background())
require.Equal(t, len(tt.pluginErrors), len(pluginErrs))
for _, pluginErr := range pluginErrs {
require.Equal(t, tt.pluginErrors[pluginErr.PluginID], pluginErr)
@ -696,7 +696,7 @@ func TestLoader_Load_RBACReady(t *testing.T) {
reg := fakes.NewFakePluginRegistry()
procPrvdr := fakes.NewFakeBackendProcessProvider()
procMgr := fakes.NewFakeProcessManager()
l := newLoader(t, tt.cfg, reg, procMgr, procPrvdr)
l := newLoader(t, tt.cfg, reg, procMgr, procPrvdr, newFakeSignatureErrorTracker())
got, err := l.Load(context.Background(), &fakes.FakePluginSource{
PluginClassFunc: func(ctx context.Context) plugins.Class {
@ -711,8 +711,6 @@ func TestLoader_Load_RBACReady(t *testing.T) {
if !cmp.Equal(got, tt.want, compareOpts...) {
t.Fatalf("Result mismatch (-want +got):\n%s", cmp.Diff(got, tt.want, compareOpts...))
}
pluginErrs := l.PluginErrors()
require.Len(t, pluginErrs, 0)
verifyState(t, tt.want, reg, procPrvdr, procMgr)
}
@ -756,7 +754,7 @@ func TestLoader_Load_Signature_RootURL(t *testing.T) {
procPrvdr := fakes.NewFakeBackendProcessProvider()
procMgr := fakes.NewFakeProcessManager()
cfg := &config.Cfg{GrafanaAppURL: defaultAppURL}
l := newLoader(t, cfg, reg, procMgr, procPrvdr)
l := newLoader(t, cfg, reg, procMgr, procPrvdr, newFakeSignatureErrorTracker())
got, err := l.Load(context.Background(), &fakes.FakePluginSource{
PluginClassFunc: func(ctx context.Context) plugins.Class {
return plugins.ClassExternal
@ -832,7 +830,7 @@ func TestLoader_Load_DuplicatePlugins(t *testing.T) {
procPrvdr := fakes.NewFakeBackendProcessProvider()
procMgr := fakes.NewFakeProcessManager()
cfg := &config.Cfg{}
l := newLoader(t, cfg, reg, procMgr, procPrvdr)
l := newLoader(t, cfg, reg, procMgr, procPrvdr, newFakeSignatureErrorTracker())
got, err := l.Load(context.Background(), &fakes.FakePluginSource{
PluginClassFunc: func(ctx context.Context) plugins.Class {
return plugins.ClassExternal
@ -921,7 +919,7 @@ func TestLoader_Load_SkipUninitializedPlugins(t *testing.T) {
}
procMgr := fakes.NewFakeProcessManager()
cfg := &config.Cfg{}
l := newLoader(t, cfg, reg, procMgr, procPrvdr)
l := newLoader(t, cfg, reg, procMgr, procPrvdr, newFakeSignatureErrorTracker())
got, err := l.Load(context.Background(), &fakes.FakePluginSource{
PluginClassFunc: func(ctx context.Context) plugins.Class {
return plugins.ClassExternal
@ -1114,7 +1112,7 @@ func TestLoader_Load_NestedPlugins(t *testing.T) {
procMgr := fakes.NewFakeProcessManager()
reg := fakes.NewFakePluginRegistry()
cfg := &config.Cfg{}
l := newLoader(t, cfg, reg, procMgr, procPrvdr)
l := newLoader(t, cfg, reg, procMgr, procPrvdr, newFakeSignatureErrorTracker())
got, err := l.Load(context.Background(), &fakes.FakePluginSource{
PluginClassFunc: func(ctx context.Context) plugins.Class {
@ -1289,7 +1287,7 @@ func TestLoader_Load_NestedPlugins(t *testing.T) {
procPrvdr := fakes.NewFakeBackendProcessProvider()
procMgr := fakes.NewFakeProcessManager()
cfg := &config.Cfg{}
l := newLoader(t, cfg, reg, procMgr, procPrvdr)
l := newLoader(t, cfg, reg, procMgr, procPrvdr, newFakeSignatureErrorTracker())
got, err := l.Load(context.Background(), &fakes.FakePluginSource{
PluginClassFunc: func(ctx context.Context) plugins.Class {
return plugins.ClassExternal
@ -1314,34 +1312,37 @@ func TestLoader_Load_NestedPlugins(t *testing.T) {
}
func newLoader(t *testing.T, cfg *config.Cfg, reg registry.Service, proc process.Service,
backendFactory plugins.BackendFactoryProvider) *Loader {
backendFactory plugins.BackendFactoryProvider, sigErrTracker pluginerrs.SignatureErrorTracker) *Loader {
assets := assetpath.ProvideService(pluginscdn.ProvideService(cfg))
lic := fakes.NewFakeLicensingService()
angularInspector, err := angularinspector.NewStaticInspector()
require.NoError(t, err)
angularInspector := angularinspector.NewStaticInspector()
terminate, err := pipeline.ProvideTerminationStage(cfg, reg, proc)
require.NoError(t, err)
return ProvideService(cfg, signature.NewUnsignedAuthorizer(cfg), proc, reg, fakes.NewFakeRoleRegistry(), assets,
angularInspector, &fakes.FakeOauthService{},
pipeline.ProvideDiscoveryStage(cfg, finder.NewLocalFinder(false), reg),
return ProvideService(pipeline.ProvideDiscoveryStage(cfg, finder.NewLocalFinder(false), reg),
pipeline.ProvideBootstrapStage(cfg, signature.DefaultCalculator(cfg), assets),
pipeline.ProvideValidationStage(cfg, signature.NewValidator(signature.NewUnsignedAuthorizer(cfg)), angularInspector, sigErrTracker),
pipeline.ProvideInitializationStage(cfg, reg, lic, backendFactory, proc, &fakes.FakeOauthService{}, fakes.NewFakeRoleRegistry()),
terminate)
}
func newLoaderWithAngularInspector(t *testing.T, cfg *config.Cfg, angularInspector angularinspector.Inspector) *Loader {
assets := assetpath.ProvideService(pluginscdn.ProvideService(cfg))
lic := fakes.NewFakeLicensingService()
reg := fakes.NewFakePluginRegistry()
backendFactory := fakes.NewFakeBackendProcessProvider()
proc := fakes.NewFakeProcessManager()
terminationStage, err := termination.New(cfg, termination.Opts{})
terminate, err := pipeline.ProvideTerminationStage(cfg, reg, proc)
require.NoError(t, err)
sigErrTracker := pluginerrs.ProvideSignatureErrorTracker()
return ProvideService(cfg, signature.NewUnsignedAuthorizer(cfg), process.ProvideService(reg), reg,
fakes.NewFakeRoleRegistry(), assetpath.ProvideService(pluginscdn.ProvideService(cfg)),
angularInspector, &fakes.FakeOauthService{},
discovery.New(cfg, discovery.Opts{}), bootstrap.New(cfg, bootstrap.Opts{}),
initialization.New(cfg, initialization.Opts{}), terminationStage)
return ProvideService(pipeline.ProvideDiscoveryStage(cfg, finder.NewLocalFinder(false), reg),
pipeline.ProvideBootstrapStage(cfg, signature.DefaultCalculator(cfg), assets),
pipeline.ProvideValidationStage(cfg, signature.NewValidator(signature.NewUnsignedAuthorizer(cfg)), angularInspector, sigErrTracker),
pipeline.ProvideInitializationStage(cfg, reg, lic, backendFactory, proc, &fakes.FakeOauthService{}, fakes.NewFakeRoleRegistry()),
terminate)
}
func verifyState(t *testing.T, ps []*plugins.Plugin, reg registry.Service,

15
pkg/services/pluginsintegration/pipeline/pipeline.go
View File

@ -6,15 +6,19 @@ import (
"github.com/grafana/grafana/pkg/plugins"
"github.com/grafana/grafana/pkg/plugins/config"
"github.com/grafana/grafana/pkg/plugins/envvars"
"github.com/grafana/grafana/pkg/plugins/manager/loader/angular/angularinspector"
"github.com/grafana/grafana/pkg/plugins/manager/loader/assetpath"
"github.com/grafana/grafana/pkg/plugins/manager/loader/finder"
"github.com/grafana/grafana/pkg/plugins/manager/pipeline/bootstrap"
"github.com/grafana/grafana/pkg/plugins/manager/pipeline/discovery"
"github.com/grafana/grafana/pkg/plugins/manager/pipeline/initialization"
"github.com/grafana/grafana/pkg/plugins/manager/pipeline/termination"
"github.com/grafana/grafana/pkg/plugins/manager/pipeline/validation"
"github.com/grafana/grafana/pkg/plugins/manager/process"
"github.com/grafana/grafana/pkg/plugins/manager/registry"
"github.com/grafana/grafana/pkg/plugins/manager/signature"
"github.com/grafana/grafana/pkg/plugins/oauth"
"github.com/grafana/grafana/pkg/services/pluginsintegration/pluginerrs"
)
func ProvideDiscoveryStage(cfg *config.Cfg, pf finder.Finder, pr registry.Service) *discovery.Discovery {
@ -37,6 +41,17 @@ func ProvideBootstrapStage(cfg *config.Cfg, sc plugins.SignatureCalculator, a *a
})
}
func ProvideValidationStage(cfg *config.Cfg, sv signature.Validator, ai angularinspector.Inspector,
et pluginerrs.SignatureErrorTracker) *validation.Validate {
return validation.New(cfg, validation.Opts{
ValidateFuncs: []validation.ValidateFunc{
SignatureValidationStep(sv, et),
validation.ModuleJSValidationStep(),
validation.AngularDetectionStep(cfg, ai),
},
})
}
func ProvideInitializationStage(cfg *config.Cfg, pr registry.Service, l plugins.Licensing,
bp plugins.BackendFactoryProvider, pm process.Service, externalServiceRegistry oauth.ExternalServiceRegistry,
roleRegistry plugins.RoleRegistry) *initialization.Initialize {

43
pkg/services/pluginsintegration/pipeline/steps.go
View File

@ -2,14 +2,18 @@ package pipeline
import (
"context"
"errors"
"github.com/grafana/grafana/pkg/infra/metrics"
"github.com/grafana/grafana/pkg/plugins"
"github.com/grafana/grafana/pkg/plugins/config"
"github.com/grafana/grafana/pkg/plugins/log"
"github.com/grafana/grafana/pkg/plugins/manager/pipeline/initialization"
"github.com/grafana/grafana/pkg/plugins/manager/pipeline/validation"
"github.com/grafana/grafana/pkg/plugins/manager/signature"
"github.com/grafana/grafana/pkg/plugins/oauth"
"github.com/grafana/grafana/pkg/services/featuremgmt"
"github.com/grafana/grafana/pkg/services/pluginsintegration/pluginerrs"
)
// ExternalServiceRegistration implements an InitializeFunc for registering external services.
@ -78,3 +82,42 @@ func ReportBuildMetrics(_ context.Context, p *plugins.Plugin) (*plugins.Plugin,
}
return p, nil
}
// SignatureValidation implements a ValidateFunc for validating plugin signatures.
type SignatureValidation struct {
signatureValidator signature.Validator
errs pluginerrs.SignatureErrorTracker
log log.Logger
}
// SignatureValidationStep returns a new ValidateFunc for validating plugin signatures.
func SignatureValidationStep(signatureValidator signature.Validator,
sigErr pluginerrs.SignatureErrorTracker) validation.ValidateFunc {
sv := &SignatureValidation{
errs: sigErr,
signatureValidator: signatureValidator,
log: log.New("plugins.signature.validation"),
}
return sv.Validate
}
// Validate validates the plugin signature. If a signature error is encountered, the error is recorded with the
// pluginerrs.SignatureErrorTracker.
func (v *SignatureValidation) Validate(ctx context.Context, p *plugins.Plugin) error {
err := v.signatureValidator.ValidateSignature(p)
if err != nil {
var sigErr *plugins.SignatureError
if errors.As(err, &sigErr) {
v.log.Warn("Skipping loading plugin due to problem with signature",
"pluginID", p.ID, "status", sigErr.SignatureStatus)
p.SignatureError = sigErr
v.errs.Record(ctx, sigErr)
}
return err
}
// clear plugin error if a pre-existing error has since been resolved
v.errs.Clear(ctx, p.ID)
return nil
}

71
pkg/services/pluginsintegration/pluginerrs/errors.go Normal file
View File

@ -0,0 +1,71 @@
package pluginerrs
import (
"context"
"github.com/grafana/grafana/pkg/plugins"
"github.com/grafana/grafana/pkg/plugins/log"
)
var _ plugins.ErrorResolver = (*Store)(nil)
type Store struct {
signatureErrs SignatureErrorTracker
}
func ProvideStore(signatureErrs SignatureErrorTracker) *Store {
return &Store{
signatureErrs: signatureErrs,
}
}
func (s *Store) PluginErrors() []*plugins.Error {
sigErrs := s.signatureErrs.SignatureErrors(context.Background())
errs := make([]*plugins.Error, 0, len(sigErrs))
for _, err := range sigErrs {
errs = append(errs, &plugins.Error{
PluginID: err.PluginID,
ErrorCode: err.AsErrorCode(),
})
}
return errs
}
type SignatureErrorRegistry struct {
errs map[string]*plugins.SignatureError
log log.Logger
}
type SignatureErrorTracker interface {
Record(ctx context.Context, err *plugins.SignatureError)
Clear(ctx context.Context, pluginID string)
SignatureErrors(ctx context.Context) []*plugins.SignatureError
}
func ProvideSignatureErrorTracker() *SignatureErrorRegistry {
return newSignatureErrorRegistry()
}
func newSignatureErrorRegistry() *SignatureErrorRegistry {
return &SignatureErrorRegistry{
errs: make(map[string]*plugins.SignatureError),
log: log.New("plugins.errors"),
}
}
func (r *SignatureErrorRegistry) Record(_ context.Context, signatureErr *plugins.SignatureError) {
r.errs[signatureErr.PluginID] = signatureErr
}
func (r *SignatureErrorRegistry) Clear(_ context.Context, pluginID string) {
delete(r.errs, pluginID)
}
func (r *SignatureErrorRegistry) SignatureErrors(_ context.Context) []*plugins.SignatureError {
errs := make([]*plugins.SignatureError, 0, len(r.errs))
for _, err := range r.errs {
errs = append(errs, err)
}
return errs
}

53
pkg/plugins/manager/manager_integration_test.go → pkg/services/pluginsintegration/plugins_integration_test.go
View File

@ -1,4 +1,4 @@
package manager
package pluginsintegration
import (
"context"
@ -17,26 +17,10 @@ import (
"github.com/grafana/grafana/pkg/infra/tracing"
"github.com/grafana/grafana/pkg/plugins"
"github.com/grafana/grafana/pkg/plugins/backendplugin/coreplugin"
"github.com/grafana/grafana/pkg/plugins/backendplugin/provider"
"github.com/grafana/grafana/pkg/plugins/manager/client"
"github.com/grafana/grafana/pkg/plugins/manager/fakes"
"github.com/grafana/grafana/pkg/plugins/manager/loader"
"github.com/grafana/grafana/pkg/plugins/manager/loader/angular/angularinspector"
"github.com/grafana/grafana/pkg/plugins/manager/loader/assetpath"
"github.com/grafana/grafana/pkg/plugins/manager/loader/finder"
"github.com/grafana/grafana/pkg/plugins/manager/process"
"github.com/grafana/grafana/pkg/plugins/manager/registry"
"github.com/grafana/grafana/pkg/plugins/manager/signature"
"github.com/grafana/grafana/pkg/plugins/manager/signature/statickey"
"github.com/grafana/grafana/pkg/plugins/manager/sources"
"github.com/grafana/grafana/pkg/plugins/manager/store"
"github.com/grafana/grafana/pkg/plugins/pluginscdn"
"github.com/grafana/grafana/pkg/services/accesscontrol/acimpl"
"github.com/grafana/grafana/pkg/services/featuremgmt"
"github.com/grafana/grafana/pkg/services/licensing"
"github.com/grafana/grafana/pkg/services/pluginsintegration/config"
plicensing "github.com/grafana/grafana/pkg/services/pluginsintegration/licensing"
"github.com/grafana/grafana/pkg/services/pluginsintegration/pipeline"
"github.com/grafana/grafana/pkg/services/searchV2"
"github.com/grafana/grafana/pkg/setting"
"github.com/grafana/grafana/pkg/tsdb/azuremonitor"
@ -75,7 +59,7 @@ func TestIntegrationPluginManager(t *testing.T) {
app_mode = production
[plugin.test-app]
path=testdata/test-app
path=../../plugins/manager/testdata/test-app
[plugin.test-panel]
not=included
@ -113,37 +97,16 @@ func TestIntegrationPluginManager(t *testing.T) {
graf := grafanads.ProvideService(sv2, nil)
phlare := pyroscope.ProvideService(hcp, acimpl.ProvideAccessControl(cfg))
parca := parca.ProvideService(hcp)
coreRegistry := coreplugin.ProvideCoreRegistry(am, cw, cm, es, grap, idb, lk, otsdb, pr, tmpo, td, pg, my, ms, graf, phlare, parca)
pCfg, err := config.ProvideConfig(setting.ProvideProvider(cfg), cfg, featuremgmt.WithFeatures())
require.NoError(t, err)
reg := registry.ProvideService()
lic := plicensing.ProvideLicensing(cfg, &licensing.OSSLicensingService{Cfg: cfg})
angularInspector, err := angularinspector.NewStaticInspector()
require.NoError(t, err)
proc := process.NewManager(reg)
discovery := pipeline.ProvideDiscoveryStage(pCfg, finder.NewLocalFinder(pCfg.DevMode), reg)
bootstrap := pipeline.ProvideBootstrapStage(pCfg, signature.ProvideService(pCfg, statickey.New()), assetpath.ProvideService(pluginscdn.ProvideService(pCfg)))
initialize := pipeline.ProvideInitializationStage(pCfg, reg, lic, provider.ProvideService(coreRegistry), proc, &fakes.FakeOauthService{}, fakes.NewFakeRoleRegistry())
terminate, err := pipeline.ProvideTerminationStage(pCfg, reg, proc)
require.NoError(t, err)
l := loader.ProvideService(pCfg, signature.NewUnsignedAuthorizer(pCfg),
reg, fakes.NewFakeRoleRegistry(),
assetpath.ProvideService(pluginscdn.ProvideService(pCfg)),
angularInspector, &fakes.FakeOauthService{}, discovery, bootstrap, initialize, terminate)
srcs := sources.ProvideService(cfg, pCfg)
ps, err := store.ProvideService(reg, srcs, l)
require.NoError(t, err)
testCtx := CreateIntegrationTestCtx(t, cfg, coreRegistry)
ctx := context.Background()
verifyCorePluginCatalogue(t, ctx, ps)
verifyBundledPlugins(t, ctx, ps)
verifyPluginStaticRoutes(t, ctx, ps, reg)
verifyBackendProcesses(t, reg.Plugins(ctx))
verifyPluginQuery(t, ctx, client.ProvideService(reg, pCfg))
verifyCorePluginCatalogue(t, ctx, testCtx.PluginStore)
verifyBundledPlugins(t, ctx, testCtx.PluginStore)
verifyPluginStaticRoutes(t, ctx, testCtx.PluginStore, testCtx.PluginRegistry)
verifyBackendProcesses(t, testCtx.PluginRegistry.Plugins(ctx))
verifyPluginQuery(t, ctx, testCtx.PluginClient)
}
func verifyPluginQuery(t *testing.T, ctx context.Context, c plugins.Client) {

11
pkg/services/pluginsintegration/pluginsintegration.go
View File

@ -19,6 +19,7 @@ import (
"github.com/grafana/grafana/pkg/plugins/manager/pipeline/discovery"
"github.com/grafana/grafana/pkg/plugins/manager/pipeline/initialization"
"github.com/grafana/grafana/pkg/plugins/manager/pipeline/termination"
"github.com/grafana/grafana/pkg/plugins/manager/pipeline/validation"
"github.com/grafana/grafana/pkg/plugins/manager/process"
"github.com/grafana/grafana/pkg/plugins/manager/registry"
"github.com/grafana/grafana/pkg/plugins/manager/signature"
@ -42,6 +43,7 @@ import (
"github.com/grafana/grafana/pkg/services/pluginsintegration/loader"
"github.com/grafana/grafana/pkg/services/pluginsintegration/pipeline"
"github.com/grafana/grafana/pkg/services/pluginsintegration/plugincontext"
"github.com/grafana/grafana/pkg/services/pluginsintegration/pluginerrs"
"github.com/grafana/grafana/pkg/services/pluginsintegration/pluginsettings"
pluginSettings "github.com/grafana/grafana/pkg/services/pluginsintegration/pluginsettings/service"
"github.com/grafana/grafana/pkg/services/pluginsintegration/serviceregistration"
@ -72,15 +74,22 @@ var WireSet = wire.NewSet(
wire.Bind(new(initialization.Initializer), new(*initialization.Initialize)),
pipeline.ProvideTerminationStage,
wire.Bind(new(termination.Terminator), new(*termination.Terminate)),
pipeline.ProvideValidationStage,
wire.Bind(new(validation.Validator), new(*validation.Validate)),
angularpatternsstore.ProvideService,
angulardetectorsprovider.ProvideDynamic,
angularinspector.ProvideService,
wire.Bind(new(pAngularInspector.Inspector), new(*angularinspector.Service)),
signature.ProvideValidatorService,
wire.Bind(new(signature.Validator), new(*signature.Validation)),
loader.ProvideService,
wire.Bind(new(pluginLoader.Service), new(*loader.Loader)),
wire.Bind(new(plugins.ErrorResolver), new(*loader.Loader)),
pluginerrs.ProvideSignatureErrorTracker,
wire.Bind(new(pluginerrs.SignatureErrorTracker), new(*pluginerrs.SignatureErrorRegistry)),
pluginerrs.ProvideStore,
wire.Bind(new(plugins.ErrorResolver), new(*pluginerrs.Store)),
manager.ProvideInstaller,
wire.Bind(new(plugins.Installer), new(*manager.PluginInstaller)),
registry.ProvideService,

114
pkg/services/pluginsintegration/test_helper.go Normal file
View File

@ -0,0 +1,114 @@
package pluginsintegration
import (
"testing"
"github.com/stretchr/testify/require"
"github.com/grafana/grafana/pkg/plugins"
"github.com/grafana/grafana/pkg/plugins/backendplugin"
"github.com/grafana/grafana/pkg/plugins/backendplugin/coreplugin"
"github.com/grafana/grafana/pkg/plugins/backendplugin/provider"
pluginsCfg "github.com/grafana/grafana/pkg/plugins/config"
"github.com/grafana/grafana/pkg/plugins/manager/client"
"github.com/grafana/grafana/pkg/plugins/manager/fakes"
"github.com/grafana/grafana/pkg/plugins/manager/loader"
"github.com/grafana/grafana/pkg/plugins/manager/loader/angular/angularinspector"
"github.com/grafana/grafana/pkg/plugins/manager/loader/assetpath"
"github.com/grafana/grafana/pkg/plugins/manager/loader/finder"
"github.com/grafana/grafana/pkg/plugins/manager/pipeline/bootstrap"
"github.com/grafana/grafana/pkg/plugins/manager/pipeline/discovery"
"github.com/grafana/grafana/pkg/plugins/manager/pipeline/initialization"
"github.com/grafana/grafana/pkg/plugins/manager/pipeline/termination"
"github.com/grafana/grafana/pkg/plugins/manager/pipeline/validation"
"github.com/grafana/grafana/pkg/plugins/manager/process"
"github.com/grafana/grafana/pkg/plugins/manager/registry"
"github.com/grafana/grafana/pkg/plugins/manager/signature"
"github.com/grafana/grafana/pkg/plugins/manager/signature/statickey"
"github.com/grafana/grafana/pkg/plugins/manager/sources"
"github.com/grafana/grafana/pkg/plugins/manager/store"
"github.com/grafana/grafana/pkg/plugins/pluginscdn"
"github.com/grafana/grafana/pkg/services/featuremgmt"
"github.com/grafana/grafana/pkg/services/pluginsintegration/config"
"github.com/grafana/grafana/pkg/services/pluginsintegration/pipeline"
"github.com/grafana/grafana/pkg/services/pluginsintegration/pluginerrs"
"github.com/grafana/grafana/pkg/setting"
)
type IntegrationTestCtx struct {
PluginClient plugins.Client
PluginStore *store.Service
PluginRegistry registry.Service
}
func CreateIntegrationTestCtx(t *testing.T, cfg *setting.Cfg, coreRegistry *coreplugin.Registry) *IntegrationTestCtx {
pCfg, err := config.ProvideConfig(setting.ProvideProvider(cfg), cfg, featuremgmt.WithFeatures())
require.NoError(t, err)
cdn := pluginscdn.ProvideService(pCfg)
reg := registry.ProvideService()
angularInspector := angularinspector.NewStaticInspector()
proc := process.NewManager(reg)
errTracker := pluginerrs.ProvideSignatureErrorTracker()
disc := pipeline.ProvideDiscoveryStage(pCfg, finder.NewLocalFinder(true), reg)
boot := pipeline.ProvideBootstrapStage(pCfg, signature.ProvideService(pCfg, statickey.New()), assetpath.ProvideService(cdn))
valid := pipeline.ProvideValidationStage(pCfg, signature.NewValidator(signature.NewUnsignedAuthorizer(pCfg)), angularInspector, errTracker)
init := pipeline.ProvideInitializationStage(pCfg, reg, fakes.NewFakeLicensingService(), provider.ProvideService(coreRegistry), proc, &fakes.FakeOauthService{}, fakes.NewFakeRoleRegistry())
term, err := pipeline.ProvideTerminationStage(pCfg, reg, proc)
require.NoError(t, err)
l := CreateTestLoader(t, pCfg, LoaderOpts{
Discoverer: disc,
Bootstrapper: boot,
Validator: valid,
Initializer: init,
Terminator: term,
})
ps, err := store.ProvideService(reg, sources.ProvideService(cfg, pCfg), l)
require.NoError(t, err)
return &IntegrationTestCtx{
PluginClient: client.ProvideService(reg, pCfg),
PluginStore: ps,
PluginRegistry: reg,
}
}
type LoaderOpts struct {
Discoverer discovery.Discoverer
Bootstrapper bootstrap.Bootstrapper
Validator validation.Validator
Terminator termination.Terminator
Initializer initialization.Initializer
}
func CreateTestLoader(t *testing.T, cfg *pluginsCfg.Cfg, opts LoaderOpts) *loader.Loader {
if opts.Discoverer == nil {
opts.Discoverer = pipeline.ProvideDiscoveryStage(cfg, finder.NewLocalFinder(cfg.DevMode), registry.ProvideService())
}
if opts.Bootstrapper == nil {
opts.Bootstrapper = pipeline.ProvideBootstrapStage(cfg, signature.ProvideService(cfg, statickey.New()), assetpath.ProvideService(pluginscdn.ProvideService(cfg)))
}
if opts.Validator == nil {
opts.Validator = pipeline.ProvideValidationStage(cfg, signature.NewValidator(signature.NewUnsignedAuthorizer(cfg)), angularinspector.NewStaticInspector(), pluginerrs.ProvideSignatureErrorTracker())
}
if opts.Initializer == nil {
reg := registry.ProvideService()
coreRegistry := coreplugin.NewRegistry(make(map[string]backendplugin.PluginFactoryFunc))
opts.Initializer = pipeline.ProvideInitializationStage(cfg, reg, fakes.NewFakeLicensingService(), provider.ProvideService(coreRegistry), process.NewManager(reg), &fakes.FakeOauthService{}, fakes.NewFakeRoleRegistry())
}
if opts.Terminator == nil {
var err error
reg := registry.ProvideService()
opts.Terminator, err = pipeline.ProvideTerminationStage(cfg, reg, process.NewManager(reg))
require.NoError(t, err)
}
return loader.New(opts.Discoverer, opts.Bootstrapper, opts.Validator, opts.Initializer, opts.Terminator)
}