Plugins: Fix issue with propagating ID token downstream for RunStream requests (#104833)

fix issue
2025-07-31 03:42:39 +08:00 · 2025-05-06 11:41:32 +01:00
parent 5526443007
commit a5649b6e1d
3 changed files with 115 additions and 3 deletions
--- a/pkg/services/pluginsintegration/clientmiddleware/forward_id_middleware_test.go
+++ b/pkg/services/pluginsintegration/clientmiddleware/forward_id_middleware_test.go
@ -9,6 +9,7 @@ import (
 	"github.com/grafana/grafana-plugin-sdk-go/backend/handlertest"
 	"github.com/stretchr/testify/require"

+	"github.com/grafana/grafana/pkg/apimachinery/identity"
 	"github.com/grafana/grafana/pkg/services/contexthandler/ctxkey"
 	contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
 	"github.com/grafana/grafana/pkg/services/user"
@ -235,4 +236,94 @@ func TestForwardIDMiddleware(t *testing.T) {
 			})
 		})
 	})
+
+	t.Run("When signed in with Requester in context", func(t *testing.T) {
+		cdt := handlertest.NewHandlerMiddlewareTest(t, handlertest.WithMiddlewares(NewForwardIDMiddleware()))
+
+		ctx := context.Background()
+		requester := &identity.StaticRequester{
+			IDToken: "requester-token",
+		}
+		ctx = identity.WithRequester(ctx, requester)
+
+		t.Run("And requests are for a datasource", func(t *testing.T) {
+			pluginContext := backend.PluginContext{
+				DataSourceInstanceSettings: &backend.DataSourceInstanceSettings{},
+			}
+
+			t.Run("Should set forwarded id header from Requester for QueryData", func(t *testing.T) {
+				_, err := cdt.MiddlewareHandler.QueryData(ctx, &backend.QueryDataRequest{
+					PluginContext: pluginContext,
+				})
+				require.NoError(t, err)
+				require.Equal(t, "requester-token", cdt.QueryDataReq.GetHTTPHeader(forwardIDHeaderName))
+			})
+
+			t.Run("Should set forwarded id header from Requester for CallResource", func(t *testing.T) {
+				err := cdt.MiddlewareHandler.CallResource(ctx, &backend.CallResourceRequest{
+					PluginContext: pluginContext,
+				}, nopCallResourceSender)
+				require.NoError(t, err)
+				require.Equal(t, "requester-token", cdt.CallResourceReq.GetHTTPHeader(forwardIDHeaderName))
+			})
+
+			t.Run("Should set forwarded id header from Requester for CheckHealth", func(t *testing.T) {
+				_, err := cdt.MiddlewareHandler.CheckHealth(ctx, &backend.CheckHealthRequest{
+					PluginContext: pluginContext,
+				})
+				require.NoError(t, err)
+				require.Equal(t, "requester-token", cdt.CheckHealthReq.GetHTTPHeader(forwardIDHeaderName))
+			})
+
+			t.Run("Should set forwarded id header from Requester for SubscribeStream", func(t *testing.T) {
+				_, err := cdt.MiddlewareHandler.SubscribeStream(ctx, &backend.SubscribeStreamRequest{
+					PluginContext: pluginContext,
+				})
+				require.NoError(t, err)
+				require.Equal(t, "requester-token", cdt.SubscribeStreamReq.GetHTTPHeader(forwardIDHeaderName))
+			})
+
+			t.Run("Should set forwarded id header from Requester for PublishStream", func(t *testing.T) {
+				_, err := cdt.MiddlewareHandler.PublishStream(ctx, &backend.PublishStreamRequest{
+					PluginContext: pluginContext,
+				})
+				require.NoError(t, err)
+				require.Equal(t, "requester-token", cdt.PublishStreamReq.GetHTTPHeader(forwardIDHeaderName))
+			})
+
+			t.Run("Should set forwarded id header from Requester for RunStream", func(t *testing.T) {
+				err := cdt.MiddlewareHandler.RunStream(ctx, &backend.RunStreamRequest{
+					PluginContext: pluginContext,
+				}, &backend.StreamSender{})
+				require.NoError(t, err)
+				require.Equal(t, "requester-token", cdt.RunStreamReq.GetHTTPHeader(forwardIDHeaderName))
+			})
+		})
+	})
+
+	t.Run("When signed in with both Requester and SignedInUser", func(t *testing.T) {
+		cdt := handlertest.NewHandlerMiddlewareTest(t, handlertest.WithMiddlewares(NewForwardIDMiddleware()))
+
+		ctx := context.Background()
+		requester := &identity.StaticRequester{
+			IDToken: "requester-token",
+		}
+		ctx = identity.WithRequester(ctx, requester)
+		ctx = context.WithValue(ctx, ctxkey.Key{}, &contextmodel.ReqContext{
+			Context:      &web.Context{Req: &http.Request{}},
+			SignedInUser: &user.SignedInUser{IDToken: "signed-in-token"},
+		})
+
+		t.Run("Should prefer SignedInUser token over Requester token", func(t *testing.T) {
+			pluginContext := backend.PluginContext{
+				DataSourceInstanceSettings: &backend.DataSourceInstanceSettings{},
+			}
+
+			_, err := cdt.MiddlewareHandler.QueryData(ctx, &backend.QueryDataRequest{
+				PluginContext: pluginContext,
+			})
+			require.NoError(t, err)
+			require.Equal(t, "signed-in-token", cdt.QueryDataReq.GetHTTPHeader(forwardIDHeaderName))
+		})
+	})
 }