Team LBAC: Move middleware to enterprise (#76969)

* Team LBAC: Move middleware to enterprise * Remove ds proxy part * Move utils to enterprise
2025-07-30 05:02:12 +08:00 · 2023-10-24 13:06:18 +02:00
parent 575981201c
commit cad3c43bb1
5 changed files with 2 additions and 303 deletions
--- a/pkg/api/pluginproxy/ds_proxy.go
+++ b/pkg/api/pluginproxy/ds_proxy.go
@ -272,15 +272,6 @@ func (proxy *DataSourceProxy) director(req *http.Request) {
 	if proxy.features.IsEnabled(featuremgmt.FlagIdForwarding) {
 		proxyutil.ApplyForwardIDHeader(req, proxy.ctx.SignedInUser)
 	}
 	if proxy.features.IsEnabled(featuremgmt.FlagTeamHttpHeaders) {
 		err := proxyutil.ApplyTeamHTTPHeaders(req, proxy.ds, proxy.ctx.Teams)
 		if err != nil {
 			// NOTE: could downgrade the errors to warnings
 			ctxLogger.Error("Error applying teamHTTPHeaders", "error", err)
 			return
 		}
 	}
 }
 func (proxy *DataSourceProxy) validateRequest() error {
--- a/pkg/services/pluginsintegration/clientmiddleware/team_headers_middleware.go
+++ b/pkg/services/pluginsintegration/clientmiddleware/team_headers_middleware.go
@ -1,131 +0,0 @@
 package clientmiddleware
 import (
 	"context"
 	"github.com/grafana/grafana-plugin-sdk-go/backend"
 	"github.com/grafana/grafana/pkg/components/simplejson"
 	"github.com/grafana/grafana/pkg/infra/appcontext"
 	"github.com/grafana/grafana/pkg/plugins"
 	"github.com/grafana/grafana/pkg/services/contexthandler"
 	"github.com/grafana/grafana/pkg/services/datasources"
 	"github.com/grafana/grafana/pkg/util/proxyutil"
 )
 // NewTeamHTTPHeaderMiddleware creates a new plugins.ClientMiddleware that will
 // set headers based on teams user is member of.
 func NewTeamHTTPHeadersMiddleware() plugins.ClientMiddleware {
 	return plugins.ClientMiddlewareFunc(func(next plugins.Client) plugins.Client {
 		return &TeamHTTPHeadersMiddleware{
 			next: next,
 		}
 	})
 }
 type TeamHTTPHeadersMiddleware struct {
 	next plugins.Client
 }
 func (m *TeamHTTPHeadersMiddleware) QueryData(ctx context.Context, req *backend.QueryDataRequest) (*backend.QueryDataResponse, error) {
 	if req == nil {
 		return m.next.QueryData(ctx, req)
 	}
 	err := m.setHeaders(ctx, req.PluginContext, req)
 	if err != nil {
 		return nil, err
 	}
 	return m.next.QueryData(ctx, req)
 }
 func (m *TeamHTTPHeadersMiddleware) CallResource(ctx context.Context, req *backend.CallResourceRequest, sender backend.CallResourceResponseSender) error {
 	if req == nil {
 		return m.next.CallResource(ctx, req, sender)
 	}
 	err := m.setHeaders(ctx, req.PluginContext, req)
 	if err != nil {
 		return err
 	}
 	return m.next.CallResource(ctx, req, sender)
 }
 func (m *TeamHTTPHeadersMiddleware) CheckHealth(ctx context.Context, req *backend.CheckHealthRequest) (*backend.CheckHealthResult, error) {
 	if req == nil {
 		return m.next.CheckHealth(ctx, req)
 	}
 	// NOTE: might not be needed to set headers. we want to for now set these headers
 	err := m.setHeaders(ctx, req.PluginContext, req)
 	if err != nil {
 		return nil, err
 	}
 	return m.next.CheckHealth(ctx, req)
 }
 func (m *TeamHTTPHeadersMiddleware) CollectMetrics(ctx context.Context, req *backend.CollectMetricsRequest) (*backend.CollectMetricsResult, error) {
 	return m.next.CollectMetrics(ctx, req)
 }
 func (m *TeamHTTPHeadersMiddleware) SubscribeStream(ctx context.Context, req *backend.SubscribeStreamRequest) (*backend.SubscribeStreamResponse, error) {
 	return m.next.SubscribeStream(ctx, req)
 }
 func (m *TeamHTTPHeadersMiddleware) PublishStream(ctx context.Context, req *backend.PublishStreamRequest) (*backend.PublishStreamResponse, error) {
 	return m.next.PublishStream(ctx, req)
 }
 func (m *TeamHTTPHeadersMiddleware) RunStream(ctx context.Context, req *backend.RunStreamRequest, sender *backend.StreamSender) error {
 	return m.next.RunStream(ctx, req, sender)
 }
 func (m *TeamHTTPHeadersMiddleware) setHeaders(ctx context.Context, pCtx backend.PluginContext, req interface{}) error {
 	reqCtx := contexthandler.FromContext(ctx)
 	// if request not for a datasource or no HTTP request context skip middleware
 	if req == nil || pCtx.DataSourceInstanceSettings == nil || reqCtx == nil || reqCtx.Req == nil {
 		return nil
 	}
 	settings := pCtx.DataSourceInstanceSettings
 	jsonDataBytes, err := simplejson.NewJson(settings.JSONData)
 	if err != nil {
 		return err
 	}
 	ds := &datasources.DataSource{
 		ID:       settings.ID,
 		OrgID:    pCtx.OrgID,
 		JsonData: jsonDataBytes,
 		Updated:  settings.Updated,
 	}
 	signedInUser, err := appcontext.User(ctx)
 	if err != nil {
 		return nil // no user
 	}
 	teamHTTPHeaders, err := proxyutil.GetTeamHTTPHeaders(ds, signedInUser.GetTeams())
 	if err != nil {
 		return err
 	}
 	switch t := req.(type) {
 	case *backend.QueryDataRequest:
 		for key, value := range teamHTTPHeaders {
 			t.SetHTTPHeader(key, value)
 		}
 	case *backend.CheckHealthRequest:
 		for key, value := range teamHTTPHeaders {
 			t.SetHTTPHeader(key, value)
 		}
 	case *backend.CallResourceRequest:
 		for key, value := range teamHTTPHeaders {
 			t.SetHTTPHeader(key, value)
 		}
 	}
 	return nil
 }
--- a/pkg/services/pluginsintegration/pluginsintegration.go
+++ b/pkg/services/pluginsintegration/pluginsintegration.go
@ -60,8 +60,6 @@ var WireSet = wire.NewSet(
 	wire.Bind(new(plugins.RendererManager), new(*pluginstore.Service)),
 	wire.Bind(new(plugins.SecretsPluginManager), new(*pluginstore.Service)),
 	wire.Bind(new(plugins.StaticRouteResolver), new(*pluginstore.Service)),
 	ProvideClientDecorator,
 	wire.Bind(new(plugins.Client), new(*client.Decorator)),
 	process.ProvideService,
 	wire.Bind(new(process.Manager), new(*process.Service)),
 	coreplugin.ProvideCoreRegistry,
@ -127,6 +125,8 @@ var WireExtensionSet = wire.NewSet(
 	wire.Bind(new(plugins.PluginLoaderAuthorizer), new(*signature.UnsignedPluginAuthorizer)),
 	wire.Bind(new(finder.Finder), new(*finder.Local)),
 	finder.ProvideLocalFinder,
 	ProvideClientDecorator,
 	wire.Bind(new(plugins.Client), new(*client.Decorator)),
 )
 func ProvideClientDecorator(
@ -179,10 +179,6 @@ func CreateMiddlewares(cfg *setting.Cfg, oAuthTokenService oauthtoken.OAuthToken
 		middlewares = append(middlewares, clientmiddleware.NewUserHeaderMiddleware())
 	}
 	if features.IsEnabled(featuremgmt.FlagTeamHttpHeaders) {
 		middlewares = append(middlewares, clientmiddleware.NewTeamHTTPHeadersMiddleware())
 	}
 	middlewares = append(middlewares, clientmiddleware.NewHTTPClientMiddleware())
 	return middlewares
--- a/pkg/util/proxyutil/proxyutil.go
+++ b/pkg/util/proxyutil/proxyutil.go
@ -4,13 +4,10 @@ import (
 	"fmt"
 	"net"
 	"net/http"
 	"net/url"
 	"sort"
 	"strconv"
 	"strings"
 	"github.com/grafana/grafana/pkg/services/auth/identity"
 	"github.com/grafana/grafana/pkg/services/datasources"
 )
 const (
@ -133,63 +130,3 @@ func ApplyForwardIDHeader(req *http.Request, user identity.Requester) {
 		req.Header.Set(IDHeaderName, token)
 	}
 }
 func ApplyTeamHTTPHeaders(req *http.Request, ds *datasources.DataSource, teams []int64) error {
 	headers, err := GetTeamHTTPHeaders(ds, teams)
 	if err != nil {
 		return err
 	}
 	for header, value := range headers {
 		// check if headerv is already set in req.Header
 		if req.Header.Get(header) != "" {
 			req.Header.Add(header, value)
 		} else {
 			req.Header.Set(header, value)
 		}
 	}
 	return nil
 }
 func GetTeamHTTPHeaders(ds *datasources.DataSource, teams []int64) (map[string]string, error) {
 	teamHTTPHeadersMap := make(map[string]string)
 	teamHTTPHeaders, err := ds.TeamHTTPHeaders()
 	if err != nil {
 		return nil, err
 	}
 	for teamID, headers := range teamHTTPHeaders {
 		id, err := strconv.ParseInt(teamID, 10, 64)
 		if err != nil {
 			// FIXME: logging here
 			continue
 		}
 		if !contains(teams, id) {
 			continue
 		}
 		for _, header := range headers {
 			// Header values should be properly escaped.
 			if value, ok := teamHTTPHeadersMap[header.Header]; ok {
 				// Add multiple header values as a comma-separated strings according to RFC 7230
 				// https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6
 				teamHTTPHeadersMap[header.Header] = fmt.Sprintf("%s,%s", value, url.PathEscape(header.Value))
 			} else {
 				teamHTTPHeadersMap[header.Header] = url.PathEscape(header.Value)
 			}
 		}
 	}
 	return teamHTTPHeadersMap, nil
 }
 func contains(slice []int64, value int64) bool {
 	for _, v := range slice {
 		if v == value {
 			return true
 		}
 	}
 	return false
 }
--- a/pkg/util/proxyutil/proxyutil_test.go
+++ b/pkg/util/proxyutil/proxyutil_test.go
@ -6,8 +6,6 @@ import (
 	"github.com/stretchr/testify/require"
 	"github.com/grafana/grafana/pkg/components/simplejson"
 	"github.com/grafana/grafana/pkg/services/datasources"
 	"github.com/grafana/grafana/pkg/services/user"
 )
@ -205,95 +203,3 @@ func TestApplyUserHeader(t *testing.T) {
 		require.Equal(t, "admin", req.Header.Get("X-Grafana-User"))
 	})
 }
 func TestApplyteamHTTPHeaders(t *testing.T) {
 	testCases := []struct {
 		desc      string
 		jsonData  any
 		userTeams []int64
 		want      map[string]string
 	}{
 		{
 			desc: "Should apply team headers for users teams",
 			jsonData: map[string]interface{}{
 				"1": []map[string]interface{}{
 					{
 						"header": "X-Team-Header",
 						"value":  "1",
 					},
 				},
 				"2": []map[string]interface{}{
 					{
 						"header": "X-Prom-Label-Policy",
 						"value":  "2",
 					},
 				},
 				// user is not part of this team
 				"3": []map[string]interface{}{
 					{
 						"header": "X-Custom-Label-Policy",
 						"value":  "3",
 					},
 				},
 			},
 			userTeams: []int64{1, 2},
 			want: map[string]string{
 				"X-Team-Header":       "1",
 				"X-Prom-Label-Policy": "2",
 			},
 		},
 		{
 			desc: "Should be able to parse header values with commas",
 			jsonData: map[string]interface{}{
 				"101": []map[string]interface{}{
 					{
 						"header": "X-Prom-Label-Policy",
 						"value":  `1234:{ foo="bar", bar="baz" }`,
 					},
 				},
 			},
 			userTeams: []int64{101},
 			want: map[string]string{
 				"X-Prom-Label-Policy": "1234:%7B%20foo=%22bar%22%2C%20bar=%22baz%22%20%7D",
 			},
 		}, {
 			desc: "Should be able to handle multiple header values",
 			jsonData: map[string]interface{}{
 				"101": []map[string]interface{}{
 					{
 						"header": "X-Prom-Label-Policy",
 						"value":  `1234:{ foo="bar" }`,
 					},
 					{
 						"header": "X-Prom-Label-Policy",
 						"value":  `1234:{ bar="baz" }`,
 					},
 				},
 			},
 			userTeams: []int64{101},
 			want: map[string]string{
 				"X-Prom-Label-Policy": "1234:%7B%20foo=%22bar%22%20%7D,1234:%7B%20bar=%22baz%22%20%7D",
 			},
 		},
 	}
 	for _, testCase := range testCases {
 		t.Run("Should apply team headers for users teams", func(t *testing.T) {
 			req, err := http.NewRequest(http.MethodGet, "/", nil)
 			require.NoError(t, err)
 			ds := &datasources.DataSource{
 				JsonData: simplejson.New(),
 			}
 			// add team headers
 			ds.JsonData.Set("teamHttpHeaders", testCase.jsonData)
 			err = ApplyTeamHTTPHeaders(req, ds, testCase.userTeams)
 			require.NoError(t, err)
 			for header, value := range testCase.want {
 				require.Contains(t, req.Header, header)
 				require.Equal(t, value, req.Header.Get(header))
 			}
 		})
 	}
 }