Plugins: Add support for signature manifest V2 (#29240)

* add support for signing manifest v2 * add log and fix var name * shorten comment * improve comment * remove unnecessary param * improve naming * reformat * rename var * refactor test * remove unnecessary assert * simplify test requirements * add more test cases * address feedback * revert naming * flip tracking missing * fix check * Trigger Build
2025-07-29 12:42:15 +08:00 · 2020-12-11 12:57:57 +01:00
parent e2351f7951
commit a515c54404
18 changed files with 557 additions and 58 deletions
--- a/pkg/plugins/plugins_test.go
+++ b/pkg/plugins/plugins_test.go
@ -89,12 +89,12 @@ func TestPluginManager_Init(t *testing.T) {
 		assert.Empty(t, pm.scanningErrors)
 	})

-	t.Run("With external back-end plugin with invalid signature", func(t *testing.T) {
+	t.Run("With external back-end plugin with invalid v1 signature", func(t *testing.T) {
 		origPluginsPath := setting.PluginsPath
 		t.Cleanup(func() {
 			setting.PluginsPath = origPluginsPath
 		})
-		setting.PluginsPath = "testdata/invalid-signature"
+		setting.PluginsPath = "testdata/invalid-v1-signature"

 		pm := &PluginManager{
 			Cfg: &setting.Cfg{},
@ -158,6 +158,123 @@ func TestPluginManager_Init(t *testing.T) {
 		assert.Len(t, pm.scanningErrors, 1)
 		assert.True(t, errors.Is(pm.scanningErrors[0], duplicatePluginError{}))
 	})
+
+	t.Run("With external back-end plugin with valid v2 signature", func(t *testing.T) {
+		origPluginsPath := setting.PluginsPath
+		t.Cleanup(func() {
+			setting.PluginsPath = origPluginsPath
+		})
+		setting.PluginsPath = "testdata/valid-v2-signature"
+
+		pm := &PluginManager{
+			Cfg:                  &setting.Cfg{},
+			BackendPluginManager: &fakeBackendPluginManager{},
+		}
+		err := pm.Init()
+		require.NoError(t, err)
+		require.Empty(t, pm.scanningErrors)
+
+		pluginId := "test"
+		assert.NotNil(t, Plugins[pluginId])
+		assert.Equal(t, "datasource", Plugins[pluginId].Type)
+		assert.Equal(t, "Test", Plugins[pluginId].Name)
+		assert.Equal(t, pluginId, Plugins[pluginId].Id)
+		assert.Equal(t, "1.0.0", Plugins[pluginId].Info.Version)
+		assert.Equal(t, pluginSignatureValid, Plugins[pluginId].Signature)
+		assert.Equal(t, grafanaType, Plugins[pluginId].SignatureType)
+		assert.Equal(t, "Grafana Labs", Plugins[pluginId].SignatureOrg)
+		assert.False(t, Plugins[pluginId].IsCorePlugin)
+	})
+
+	t.Run("With back-end plugin with invalid v2 private signature (mismatched root URL)", func(t *testing.T) {
+		origAppURL := setting.AppUrl
+		origPluginsPath := setting.PluginsPath
+		t.Cleanup(func() {
+			setting.AppUrl = origAppURL
+			setting.PluginsPath = origPluginsPath
+		})
+		setting.AppUrl = "http://localhost:1234"
+		setting.PluginsPath = "testdata/valid-v2-pvt-signature"
+
+		pm := &PluginManager{
+			Cfg: &setting.Cfg{},
+		}
+		err := pm.Init()
+		require.NoError(t, err)
+
+		assert.Equal(t, []error{fmt.Errorf(`plugin "test" has an invalid signature`)}, pm.scanningErrors)
+		assert.Nil(t, Plugins[("test")])
+	})
+
+	t.Run("With back-end plugin with valid v2 private signature", func(t *testing.T) {
+		origAppURL := setting.AppUrl
+		origPluginsPath := setting.PluginsPath
+		t.Cleanup(func() {
+			setting.AppUrl = origAppURL
+			setting.PluginsPath = origPluginsPath
+		})
+		setting.AppUrl = "http://localhost:3000/"
+		setting.PluginsPath = "testdata/valid-v2-pvt-signature"
+
+		pm := &PluginManager{
+			Cfg:                  &setting.Cfg{},
+			BackendPluginManager: &fakeBackendPluginManager{},
+		}
+		err := pm.Init()
+		require.NoError(t, err)
+		require.Empty(t, pm.scanningErrors)
+
+		pluginId := "test"
+		assert.NotNil(t, Plugins[pluginId])
+		assert.Equal(t, "datasource", Plugins[pluginId].Type)
+		assert.Equal(t, "Test", Plugins[pluginId].Name)
+		assert.Equal(t, pluginId, Plugins[pluginId].Id)
+		assert.Equal(t, "1.0.0", Plugins[pluginId].Info.Version)
+		assert.Equal(t, pluginSignatureValid, Plugins[pluginId].Signature)
+		assert.Equal(t, privateType, Plugins[pluginId].SignatureType)
+		assert.Equal(t, "Will Browne", Plugins[pluginId].SignatureOrg)
+		assert.False(t, Plugins[pluginId].IsCorePlugin)
+	})
+
+	t.Run("With back-end plugin with modified v2 signature (missing file from plugin dir)", func(t *testing.T) {
+		origAppURL := setting.AppUrl
+		origPluginsPath := setting.PluginsPath
+		t.Cleanup(func() {
+			setting.AppUrl = origAppURL
+			setting.PluginsPath = origPluginsPath
+		})
+		setting.AppUrl = "http://localhost:3000/"
+		setting.PluginsPath = "testdata/invalid-v2-signature"
+
+		pm := &PluginManager{
+			Cfg:                  &setting.Cfg{},
+			BackendPluginManager: &fakeBackendPluginManager{},
+		}
+		err := pm.Init()
+		require.NoError(t, err)
+		assert.Equal(t, []error{fmt.Errorf(`plugin "test"'s signature has been modified`)}, pm.scanningErrors)
+		assert.Nil(t, Plugins[("test")])
+	})
+
+	t.Run("With back-end plugin with modified v2 signature (unaccounted file in plugin dir)", func(t *testing.T) {
+		origAppURL := setting.AppUrl
+		origPluginsPath := setting.PluginsPath
+		t.Cleanup(func() {
+			setting.AppUrl = origAppURL
+			setting.PluginsPath = origPluginsPath
+		})
+		setting.AppUrl = "http://localhost:3000/"
+		setting.PluginsPath = "testdata/invalid-v2-signature-2"
+
+		pm := &PluginManager{
+			Cfg:                  &setting.Cfg{},
+			BackendPluginManager: &fakeBackendPluginManager{},
+		}
+		err := pm.Init()
+		require.NoError(t, err)
+		assert.Equal(t, []error{fmt.Errorf(`plugin "test"'s signature has been modified`)}, pm.scanningErrors)
+		assert.Nil(t, Plugins[("test")])
+	})
 }

 func TestPluginManager_IsBackendOnlyPlugin(t *testing.T) {