diff --git a/pkg/api/api.go b/pkg/api/api.go index 2b2c13c3bd0..e1ed7c0e303 100644 --- a/pkg/api/api.go +++ b/pkg/api/api.go @@ -365,6 +365,8 @@ func (hs *HTTPServer) registerRoutes() { apiRoute.Any("/plugins/:pluginId/resources", authorize(reqSignedIn, ac.EvalPermission(plugins.ActionAppAccess, pluginIDScope)), hs.CallResource) apiRoute.Any("/plugins/:pluginId/resources/*", authorize(reqSignedIn, ac.EvalPermission(plugins.ActionAppAccess, pluginIDScope)), hs.CallResource) apiRoute.Get("/plugins/errors", routing.Wrap(hs.GetPluginErrorsList)) + apiRoute.Any("/plugin-proxy/:pluginId/*", authorize(reqSignedIn, ac.EvalPermission(plugins.ActionAppAccess, pluginIDScope)), hs.ProxyPluginRequest) + apiRoute.Any("/plugin-proxy/:pluginId", authorize(reqSignedIn, ac.EvalPermission(plugins.ActionAppAccess, pluginIDScope)), hs.ProxyPluginRequest) if hs.Cfg.PluginAdminEnabled && !hs.Cfg.PluginAdminExternalManageEnabled { apiRoute.Group("/plugins", func(pluginRoute routing.RouteRegister) { diff --git a/pkg/api/app_routes.go b/pkg/api/app_routes.go deleted file mode 100644 index 5883a14d39c..00000000000 --- a/pkg/api/app_routes.go +++ /dev/null @@ -1,79 +0,0 @@ -package api - -import ( - "context" - "crypto/tls" - "net" - "net/http" - "strings" - "time" - - "github.com/grafana/grafana/pkg/api/pluginproxy" - "github.com/grafana/grafana/pkg/infra/log" - "github.com/grafana/grafana/pkg/middleware" - "github.com/grafana/grafana/pkg/models" - "github.com/grafana/grafana/pkg/plugins" - ac "github.com/grafana/grafana/pkg/services/accesscontrol" - "github.com/grafana/grafana/pkg/services/org" - "github.com/grafana/grafana/pkg/util" - "github.com/grafana/grafana/pkg/web" -) - -var pluginProxyTransport *http.Transport -var applog = log.New("app.routes") - -func (hs *HTTPServer) initAppPluginRoutes(r *web.Mux) { - pluginProxyTransport = &http.Transport{ - TLSClientConfig: &tls.Config{ - InsecureSkipVerify: hs.Cfg.PluginsAppsSkipVerifyTLS, - Renegotiation: tls.RenegotiateFreelyAsClient, - }, - Proxy: http.ProxyFromEnvironment, - DialContext: (&net.Dialer{ - Timeout: 30 * time.Second, - KeepAlive: 30 * time.Second, - }).DialContext, - TLSHandshakeTimeout: 10 * time.Second, - } - - for _, plugin := range hs.pluginStore.Plugins(context.Background(), plugins.App) { - for _, route := range plugin.Routes { - url := util.JoinURLFragments("/api/plugin-proxy/"+plugin.ID, route.Path) - handlers := make([]web.Handler, 0) - handlers = append(handlers, middleware.Auth(&middleware.AuthOptions{ - ReqSignedIn: true, - })) - - // Preventing access to plugin routes if the user has no right to access the plugin - authorize := ac.Middleware(hs.AccessControl) - handlers = append(handlers, authorize(middleware.ReqSignedIn, - ac.EvalPermission(plugins.ActionAppAccess, plugins.ScopeProvider.GetResourceScope(plugin.ID)))) - - if route.ReqRole != "" { - if route.ReqRole == org.RoleAdmin { - handlers = append(handlers, middleware.RoleAuth(org.RoleAdmin)) - } else if route.ReqRole == org.RoleEditor { - handlers = append(handlers, middleware.RoleAuth(org.RoleEditor, org.RoleAdmin)) - } - } - - handlers = append(handlers, AppPluginRoute(route, plugin.ID, hs)) - for _, method := range strings.Split(route.Method, ",") { - r.Handle(strings.TrimSpace(method), url, handlers) - } - - applog.Debug("Plugins: Adding proxy route", "url", url) - } - } -} - -func AppPluginRoute(route *plugins.Route, appID string, hs *HTTPServer) web.Handler { - return func(c *models.ReqContext) { - path := web.Params(c.Req)["*"] - - proxy := pluginproxy.NewApiPluginProxy(c, path, route, appID, hs.Cfg, hs.PluginSettings, hs.SecretsService) - proxy.Transport = pluginProxyTransport - - proxy.ServeHTTP(c.Resp, c.Req) - } -} diff --git a/pkg/api/http_server.go b/pkg/api/http_server.go index bf074091a4c..fd650d1375f 100644 --- a/pkg/api/http_server.go +++ b/pkg/api/http_server.go @@ -513,8 +513,6 @@ func (hs *HTTPServer) applyRoutes() { hs.addMiddlewaresAndStaticRoutes() // then add view routes & api routes hs.RouteRegister.Register(hs.web, hs.namedMiddlewares...) - // then custom app proxy routes - hs.initAppPluginRoutes(hs.web) // lastly not found route hs.web.NotFound(middleware.ReqSignedIn, hs.NotFoundHandler) } diff --git a/pkg/api/plugin_proxy.go b/pkg/api/plugin_proxy.go new file mode 100644 index 00000000000..509c1f784bf --- /dev/null +++ b/pkg/api/plugin_proxy.go @@ -0,0 +1,68 @@ +package api + +import ( + "crypto/tls" + "net" + "net/http" + "regexp" + "sync" + "time" + + "github.com/grafana/grafana/pkg/api/pluginproxy" + "github.com/grafana/grafana/pkg/models" + "github.com/grafana/grafana/pkg/services/pluginsettings" + "github.com/grafana/grafana/pkg/web" +) + +func (hs *HTTPServer) ProxyPluginRequest(c *models.ReqContext) { + var once sync.Once + var pluginProxyTransport *http.Transport + once.Do(func() { + pluginProxyTransport = &http.Transport{ + TLSClientConfig: &tls.Config{ + InsecureSkipVerify: hs.Cfg.PluginsAppsSkipVerifyTLS, + Renegotiation: tls.RenegotiateFreelyAsClient, + }, + Proxy: http.ProxyFromEnvironment, + DialContext: (&net.Dialer{ + Timeout: 30 * time.Second, + KeepAlive: 30 * time.Second, + }).DialContext, + TLSHandshakeTimeout: 10 * time.Second, + } + }) + + pluginID := web.Params(c.Req)[":pluginId"] + + plugin, exists := hs.pluginStore.Plugin(c.Req.Context(), pluginID) + if !exists { + c.JsonApiErr(http.StatusNotFound, "Plugin not found, no installed plugin with that id", nil) + return + } + + query := pluginsettings.GetByPluginIDArgs{OrgID: c.OrgID, PluginID: plugin.ID} + ps, err := hs.PluginSettings.GetPluginSettingByPluginID(c.Req.Context(), &query) + if err != nil { + c.JsonApiErr(http.StatusInternalServerError, "Failed to fetch plugin settings", err) + return + } + + proxyPath := getProxyPath(c) + p, err := pluginproxy.NewPluginProxy(ps, plugin.Routes, c, proxyPath, hs.Cfg, hs.SecretsService, hs.tracer, pluginProxyTransport) + if err != nil { + c.JsonApiErr(http.StatusInternalServerError, "Failed to create plugin proxy", err) + return + } + + p.HandleRequest() +} + +var pluginProxyPathRegexp = regexp.MustCompile(`^\/api\/plugin-proxy\/([\w\-]+)\/?`) + +func extractProxyPath(originalRawPath string) string { + return pluginProxyPathRegexp.ReplaceAllString(originalRawPath, "") +} + +func getProxyPath(c *models.ReqContext) string { + return extractProxyPath(c.Req.URL.EscapedPath()) +} diff --git a/pkg/api/plugin_proxy_test.go b/pkg/api/plugin_proxy_test.go new file mode 100644 index 00000000000..96cad24dd2b --- /dev/null +++ b/pkg/api/plugin_proxy_test.go @@ -0,0 +1,36 @@ +package api + +import ( + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestExtractPluginProxyPath(t *testing.T) { + testCases := []struct { + originalRawPath string + exp string + }{ + { + "/api/plugin-proxy/test", + "", + }, + { + "/api/plugin-proxy/test/some/thing", + "some/thing", + }, + { + "/api/plugin-proxy/test2/api/services/afsd%2Fafsd/operations", + "api/services/afsd%2Fafsd/operations", + }, + { + "/api/plugin-proxy/cloudflare-app/with-token/api/v4/accounts", + "with-token/api/v4/accounts", + }, + } + for _, tc := range testCases { + t.Run("Given raw path, should extract expected proxy path", func(t *testing.T) { + assert.Equal(t, tc.exp, extractProxyPath(tc.originalRawPath)) + }) + } +} diff --git a/pkg/api/pluginproxy/pluginproxy.go b/pkg/api/pluginproxy/pluginproxy.go index d5de967a095..ef8498c6097 100644 --- a/pkg/api/pluginproxy/pluginproxy.go +++ b/pkg/api/pluginproxy/pluginproxy.go @@ -5,9 +5,9 @@ import ( "encoding/json" "io" "net/http" - "net/http/httputil" "net/url" + "github.com/grafana/grafana/pkg/infra/tracing" "github.com/grafana/grafana/pkg/models" "github.com/grafana/grafana/pkg/plugins" "github.com/grafana/grafana/pkg/services/pluginsettings" @@ -15,111 +15,184 @@ import ( "github.com/grafana/grafana/pkg/setting" "github.com/grafana/grafana/pkg/util" "github.com/grafana/grafana/pkg/util/proxyutil" + "github.com/grafana/grafana/pkg/web" + "go.opentelemetry.io/otel/attribute" ) -type templateData struct { - JsonData map[string]interface{} - SecureJsonData map[string]string +type PluginProxy struct { + ps *pluginsettings.DTO + pluginRoutes []*plugins.Route + ctx *models.ReqContext + proxyPath string + matchedRoute *plugins.Route + cfg *setting.Cfg + secretsService secrets.Service + tracer tracing.Tracer + transport *http.Transport } -// NewApiPluginProxy create a plugin proxy -func NewApiPluginProxy(ctx *models.ReqContext, proxyPath string, route *plugins.Route, - appID string, cfg *setting.Cfg, pluginSettingsService pluginsettings.Service, - secretsService secrets.Service) *httputil.ReverseProxy { - appProxyLogger := logger.New( - "userId", ctx.UserID, - "orgId", ctx.OrgID, - "uname", ctx.Login, - "app", appID, - "path", ctx.Req.URL.Path, - "remote_addr", ctx.RemoteAddr(), - "referer", ctx.Req.Referer(), - ) +// NewPluginProxy creates a plugin proxy. +func NewPluginProxy(ps *pluginsettings.DTO, routes []*plugins.Route, ctx *models.ReqContext, + proxyPath string, cfg *setting.Cfg, secretsService secrets.Service, tracer tracing.Tracer, + transport *http.Transport) (*PluginProxy, error) { + return &PluginProxy{ + ps: ps, + pluginRoutes: routes, + ctx: ctx, + proxyPath: proxyPath, + cfg: cfg, + secretsService: secretsService, + tracer: tracer, + transport: transport, + }, nil +} - director := func(req *http.Request) { - query := pluginsettings.GetByPluginIDArgs{OrgID: ctx.OrgID, PluginID: appID} - ps, err := pluginSettingsService.GetPluginSettingByPluginID(ctx.Req.Context(), &query) - if err != nil { - ctx.JsonApiErr(500, "Failed to fetch plugin settings", err) - return +func (proxy *PluginProxy) HandleRequest() { + // found route if there are any + for _, route := range proxy.pluginRoutes { + // method match + if route.Method != "" && route.Method != "*" && route.Method != proxy.ctx.Req.Method { + continue } - secureJsonData, err := secretsService.DecryptJsonData(ctx.Req.Context(), ps.SecureJSONData) - if err != nil { - ctx.JsonApiErr(500, "Failed to decrypt plugin settings", err) - return + t := web.NewTree() + t.Add(route.Path, nil) + _, params, isMatch := t.Match(proxy.proxyPath) + + if !isMatch { + continue } - data := templateData{ - JsonData: ps.JSONData, - SecureJsonData: secureJsonData, + if route.ReqRole.IsValid() { + if !proxy.ctx.HasUserRole(route.ReqRole) { + proxy.ctx.JsonApiErr(http.StatusForbidden, "plugin proxy route access denied", nil) + return + } } - interpolatedURL, err := interpolateString(route.URL, data) - if err != nil { - ctx.JsonApiErr(500, "Could not interpolate plugin route url", err) - return - } - targetURL, err := url.Parse(interpolatedURL) - if err != nil { - ctx.JsonApiErr(500, "Could not parse url", err) - return - } - req.URL.Scheme = targetURL.Scheme - req.URL.Host = targetURL.Host - req.Host = targetURL.Host - req.URL.Path = util.JoinURLFragments(targetURL.Path, proxyPath) - - // clear cookie headers - req.Header.Del("Cookie") - req.Header.Del("Set-Cookie") - - // Create a HTTP header with the context in it. - ctxJSON, err := json.Marshal(ctx.SignedInUser) - if err != nil { - ctx.JsonApiErr(500, "failed to marshal context to json.", err) - return + if path, exists := params["*"]; exists { + proxy.proxyPath = path + } else { + proxy.proxyPath = "" } - req.Header.Set("X-Grafana-Context", string(ctxJSON)) - - applyUserHeader(cfg.SendUserHeader, req, ctx.SignedInUser) - - if err := addHeaders(&req.Header, route, data); err != nil { - ctx.JsonApiErr(500, "Failed to render plugin headers", err) - return - } - - if err := setBodyContent(req, route, data); err != nil { - appProxyLogger.Error("Failed to set plugin route body content", "error", err) - } + proxy.matchedRoute = route + break } - logAppPluginProxyRequest(appID, cfg, ctx) + if proxy.matchedRoute == nil { + proxy.ctx.JsonApiErr(http.StatusNotFound, "plugin route match not found", nil) + return + } - return proxyutil.NewReverseProxy(appProxyLogger, director) + traceID := tracing.TraceIDFromContext(proxy.ctx.Req.Context(), false) + proxyErrorLogger := logger.New( + "userId", proxy.ctx.UserID, + "orgId", proxy.ctx.OrgID, + "uname", proxy.ctx.Login, + "path", proxy.ctx.Req.URL.Path, + "remote_addr", proxy.ctx.RemoteAddr(), + "referer", proxy.ctx.Req.Referer(), + "traceID", traceID, + ) + + reverseProxy := proxyutil.NewReverseProxy( + proxyErrorLogger, + proxy.director, + proxyutil.WithTransport(proxy.transport), + ) + + proxy.logRequest() + ctx, span := proxy.tracer.Start(proxy.ctx.Req.Context(), "plugin reverse proxy") + defer span.End() + + proxy.ctx.Req = proxy.ctx.Req.WithContext(ctx) + + span.SetAttributes("user", proxy.ctx.SignedInUser.Login, attribute.Key("user").String(proxy.ctx.SignedInUser.Login)) + span.SetAttributes("org_id", proxy.ctx.SignedInUser.OrgID, attribute.Key("org_id").Int64(proxy.ctx.SignedInUser.OrgID)) + + proxy.tracer.Inject(ctx, proxy.ctx.Req.Header, span) + + reverseProxy.ServeHTTP(proxy.ctx.Resp, proxy.ctx.Req) } -func logAppPluginProxyRequest(appID string, cfg *setting.Cfg, c *models.ReqContext) { - if !cfg.DataProxyLogging { +func (proxy PluginProxy) director(req *http.Request) { + secureJsonData, err := proxy.secretsService.DecryptJsonData(proxy.ctx.Req.Context(), proxy.ps.SecureJSONData) + if err != nil { + proxy.ctx.JsonApiErr(500, "Failed to decrypt plugin settings", err) + return + } + + data := templateData{ + JsonData: proxy.ps.JSONData, + SecureJsonData: secureJsonData, + } + + interpolatedURL, err := interpolateString(proxy.matchedRoute.URL, data) + if err != nil { + proxy.ctx.JsonApiErr(500, "Could not interpolate plugin route url", err) + return + } + targetURL, err := url.Parse(interpolatedURL) + if err != nil { + proxy.ctx.JsonApiErr(500, "Could not parse url", err) + return + } + req.URL.Scheme = targetURL.Scheme + req.URL.Host = targetURL.Host + req.Host = targetURL.Host + req.URL.Path = util.JoinURLFragments(targetURL.Path, proxy.proxyPath) + + // clear cookie headers + req.Header.Del("Cookie") + req.Header.Del("Set-Cookie") + + // Create a HTTP header with the context in it. + ctxJSON, err := json.Marshal(proxy.ctx.SignedInUser) + if err != nil { + proxy.ctx.JsonApiErr(500, "failed to marshal context to json.", err) + return + } + + req.Header.Set("X-Grafana-Context", string(ctxJSON)) + + applyUserHeader(proxy.cfg.SendUserHeader, req, proxy.ctx.SignedInUser) + + if err := addHeaders(&req.Header, proxy.matchedRoute, data); err != nil { + proxy.ctx.JsonApiErr(500, "Failed to render plugin headers", err) + return + } + + if err := setBodyContent(req, proxy.matchedRoute, data); err != nil { + logger.Error("Failed to set plugin route body content", "error", err) + } +} + +func (proxy PluginProxy) logRequest() { + if !proxy.cfg.DataProxyLogging { return } var body string - if c.Req.Body != nil { - buffer, err := io.ReadAll(c.Req.Body) + if proxy.ctx.Req.Body != nil { + buffer, err := io.ReadAll(proxy.ctx.Req.Body) if err == nil { - c.Req.Body = io.NopCloser(bytes.NewBuffer(buffer)) + proxy.ctx.Req.Body = io.NopCloser(bytes.NewBuffer(buffer)) body = string(buffer) } } logger.Info("Proxying incoming request", - "userid", c.UserID, - "orgid", c.OrgID, - "username", c.Login, - "app", appID, - "uri", c.Req.RequestURI, - "method", c.Req.Method, + "userid", proxy.ctx.UserID, + "orgid", proxy.ctx.OrgID, + "username", proxy.ctx.Login, + "app", proxy.ps.PluginID, + "uri", proxy.ctx.Req.RequestURI, + "method", proxy.ctx.Req.Method, "body", body) } + +type templateData struct { + JsonData map[string]interface{} + SecureJsonData map[string]string +} diff --git a/pkg/api/pluginproxy/pluginproxy_test.go b/pkg/api/pluginproxy/pluginproxy_test.go index afdae53cc1d..d1e18072caa 100644 --- a/pkg/api/pluginproxy/pluginproxy_test.go +++ b/pkg/api/pluginproxy/pluginproxy_test.go @@ -2,11 +2,14 @@ package pluginproxy import ( "context" + "fmt" "io" "net/http" "net/http/httptest" + "net/url" "testing" + "github.com/grafana/grafana/pkg/infra/tracing" "github.com/grafana/grafana/pkg/models" "github.com/grafana/grafana/pkg/plugins" "github.com/grafana/grafana/pkg/services/org" @@ -32,19 +35,19 @@ func TestPluginProxy(t *testing.T) { }, } - store := &mockPluginsSettingsService{} - key, _ := secretsService.Encrypt(context.Background(), []byte("123"), secrets.WithoutScope()) - store.pluginSetting = &pluginsettings.DTO{ - SecureJSONData: map[string][]byte{ - "key": key, - }, - } + key, err := secretsService.Encrypt(context.Background(), []byte("123"), secrets.WithoutScope()) + require.NoError(t, err) httpReq, err := http.NewRequest(http.MethodGet, "", nil) require.NoError(t, err) req := getPluginProxiedRequest( t, + &pluginsettings.DTO{ + SecureJSONData: map[string][]byte{ + "key": key, + }, + }, secretsService, &models.ReqContext{ SignedInUser: &user.SignedInUser{ @@ -56,7 +59,6 @@ func TestPluginProxy(t *testing.T) { }, &setting.Cfg{SendUserHeader: true}, route, - store, ) assert.Equal(t, "my secret 123", req.Header.Get("x-header")) @@ -66,11 +68,9 @@ func TestPluginProxy(t *testing.T) { httpReq, err := http.NewRequest(http.MethodGet, "", nil) require.NoError(t, err) - store := &mockPluginsSettingsService{} - store.pluginSetting = &pluginsettings.DTO{} - req := getPluginProxiedRequest( t, + &pluginsettings.DTO{}, secretsService, &models.ReqContext{ SignedInUser: &user.SignedInUser{ @@ -82,7 +82,6 @@ func TestPluginProxy(t *testing.T) { }, &setting.Cfg{SendUserHeader: true}, nil, - store, ) // Get will return empty string even if header is not set @@ -93,11 +92,9 @@ func TestPluginProxy(t *testing.T) { httpReq, err := http.NewRequest(http.MethodGet, "", nil) require.NoError(t, err) - store := &mockPluginsSettingsService{} - store.pluginSetting = &pluginsettings.DTO{} - req := getPluginProxiedRequest( t, + &pluginsettings.DTO{}, secretsService, &models.ReqContext{ SignedInUser: &user.SignedInUser{ @@ -109,7 +106,6 @@ func TestPluginProxy(t *testing.T) { }, &setting.Cfg{SendUserHeader: false}, nil, - store, ) // Get will return empty string even if header is not set assert.Equal(t, "", req.Header.Get("X-Grafana-User")) @@ -119,11 +115,9 @@ func TestPluginProxy(t *testing.T) { httpReq, err := http.NewRequest(http.MethodGet, "", nil) require.NoError(t, err) - store := &mockPluginsSettingsService{} - store.pluginSetting = &pluginsettings.DTO{} - req := getPluginProxiedRequest( t, + &pluginsettings.DTO{}, secretsService, &models.ReqContext{ SignedInUser: &user.SignedInUser{IsAnonymous: true}, @@ -133,7 +127,6 @@ func TestPluginProxy(t *testing.T) { }, &setting.Cfg{SendUserHeader: true}, nil, - store, ) // Get will return empty string even if header is not set @@ -146,18 +139,16 @@ func TestPluginProxy(t *testing.T) { Method: "GET", } - store := &mockPluginsSettingsService{} - store.pluginSetting = &pluginsettings.DTO{ - JSONData: map[string]interface{}{ - "dynamicUrl": "https://dynamic.grafana.com", - }, - } - httpReq, err := http.NewRequest(http.MethodGet, "", nil) require.NoError(t, err) req := getPluginProxiedRequest( t, + &pluginsettings.DTO{ + JSONData: map[string]interface{}{ + "dynamicUrl": "https://dynamic.grafana.com", + }, + }, secretsService, &models.ReqContext{ SignedInUser: &user.SignedInUser{ @@ -169,7 +160,6 @@ func TestPluginProxy(t *testing.T) { }, &setting.Cfg{SendUserHeader: true}, route, - store, ) assert.Equal(t, "https://dynamic.grafana.com", req.URL.String()) assert.Equal(t, "{{.JsonData.dynamicUrl}}", route.URL) @@ -181,14 +171,12 @@ func TestPluginProxy(t *testing.T) { Method: "GET", } - store := &mockPluginsSettingsService{} - store.pluginSetting = &pluginsettings.DTO{} - httpReq, err := http.NewRequest(http.MethodGet, "", nil) require.NoError(t, err) req := getPluginProxiedRequest( t, + &pluginsettings.DTO{}, secretsService, &models.ReqContext{ SignedInUser: &user.SignedInUser{ @@ -200,7 +188,6 @@ func TestPluginProxy(t *testing.T) { }, &setting.Cfg{SendUserHeader: true}, route, - store, ) assert.Equal(t, "https://example.com", req.URL.String()) }) @@ -212,22 +199,22 @@ func TestPluginProxy(t *testing.T) { Body: []byte(`{ "url": "{{.JsonData.dynamicUrl}}", "secret": "{{.SecureJsonData.key}}" }`), } - store := &mockPluginsSettingsService{} - encryptedJsonData, _ := secretsService.EncryptJsonData( + encryptedJsonData, err := secretsService.EncryptJsonData( context.Background(), map[string]string{"key": "123"}, secrets.WithoutScope(), ) - store.pluginSetting = &pluginsettings.DTO{ - JSONData: map[string]interface{}{"dynamicUrl": "https://dynamic.grafana.com"}, - SecureJSONData: encryptedJsonData, - } + require.NoError(t, err) httpReq, err := http.NewRequest(http.MethodGet, "", nil) require.NoError(t, err) req := getPluginProxiedRequest( t, + &pluginsettings.DTO{ + JSONData: map[string]interface{}{"dynamicUrl": "https://dynamic.grafana.com"}, + SecureJSONData: encryptedJsonData, + }, secretsService, &models.ReqContext{ SignedInUser: &user.SignedInUser{ @@ -239,7 +226,6 @@ func TestPluginProxy(t *testing.T) { }, &setting.Cfg{SendUserHeader: true}, route, - store, ) content, err := io.ReadAll(req.Body) require.NoError(t, err) @@ -257,9 +243,11 @@ func TestPluginProxy(t *testing.T) { responseWriter := web.NewResponseWriter("GET", httptest.NewRecorder()) - route := &plugins.Route{ - Path: "/", - URL: backendServer.URL, + routes := []*plugins.Route{ + { + Path: "/", + URL: backendServer.URL, + }, } ctx := &models.ReqContext{ @@ -269,13 +257,12 @@ func TestPluginProxy(t *testing.T) { Resp: responseWriter, }, } - pluginSettingsService := &mockPluginsSettingsService{ - pluginSetting: &pluginsettings.DTO{ - SecureJSONData: map[string][]byte{}, - }, + ps := &pluginsettings.DTO{ + SecureJSONData: map[string][]byte{}, } - proxy := NewApiPluginProxy(ctx, "", route, "", &setting.Cfg{}, pluginSettingsService, secretsService) - proxy.ServeHTTP(ctx.Resp, ctx.Req) + proxy, err := NewPluginProxy(ps, routes, ctx, "", &setting.Cfg{}, secretsService, tracing.InitializeTracerForTest(), &http.Transport{}) + require.NoError(t, err) + proxy.HandleRequest() for { if requestHandled { @@ -287,8 +274,153 @@ func TestPluginProxy(t *testing.T) { }) } +func TestPluginProxyRoutes(t *testing.T) { + routes := []*plugins.Route{ + { + Path: "", + Method: "GET", + URL: "http://localhost", + }, + { + Path: "some-api", + Method: "GET", + URL: "http://localhost/api", + }, + { + Path: "some-api/instances", + Method: "GET", + URL: "http://localhost/api/instances/", + }, + { + Path: "some-api/*", + Method: "GET", + URL: "http://localhost/api", + }, + { + Path: "some-api/instances/*", + Method: "GET", + URL: "http://localhost/api/instances", + }, + { + Path: "some-other-api/*", + Method: "GET", + URL: "http://localhost/api/v2", + }, + { + Path: "some-other-api/instances/*", + Method: "GET", + URL: "http://localhost/api/v2/instances", + }, + } + + tcs := []struct { + proxyPath string + expectedURLPath string + expectedStatus int + }{ + { + proxyPath: "/notexists", + expectedStatus: http.StatusNotFound, + }, + { + proxyPath: "/", + expectedURLPath: "/", + expectedStatus: http.StatusOK, + }, + { + proxyPath: "/some-api", + expectedURLPath: "/api", + expectedStatus: http.StatusOK, + }, + { + proxyPath: "/some-api/instances", + expectedURLPath: "/api/instances/", + expectedStatus: http.StatusOK, + }, + { + proxyPath: "/some-api/some/thing", + expectedURLPath: "/api/some/thing", + expectedStatus: http.StatusOK, + }, + { + proxyPath: "/some-api/instances/instance-one", + expectedURLPath: "/api/instances/instance-one", + expectedStatus: http.StatusOK, + }, + { + proxyPath: "/some-other-api/some/thing", + expectedURLPath: "/api/v2/some/thing", + expectedStatus: http.StatusOK, + }, + { + proxyPath: "/some-other-api/instances/instance-one", + expectedURLPath: "/api/v2/instances/instance-one", + expectedStatus: http.StatusOK, + }, + } + + for _, tc := range tcs { + t.Run(fmt.Sprintf("When proxying path %q should call expected URL", tc.proxyPath), func(t *testing.T) { + secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore()) + requestHandled := false + requestURL := "" + backendServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + requestURL = r.URL.RequestURI() + w.WriteHeader(200) + _, _ = w.Write([]byte("I am the backend")) + requestHandled = true + })) + t.Cleanup(backendServer.Close) + + backendURL, err := url.Parse(backendServer.URL) + require.NoError(t, err) + + testRoutes := make([]*plugins.Route, len(routes)) + for i, r := range routes { + u, err := url.Parse(r.URL) + require.NoError(t, err) + u.Scheme = backendURL.Scheme + u.Host = backendURL.Host + testRoute := *r + testRoute.URL = u.String() + testRoutes[i] = &testRoute + } + + responseWriter := web.NewResponseWriter("GET", httptest.NewRecorder()) + + ctx := &models.ReqContext{ + SignedInUser: &user.SignedInUser{}, + Context: &web.Context{ + Req: httptest.NewRequest("GET", tc.proxyPath, nil), + Resp: responseWriter, + }, + } + ps := &pluginsettings.DTO{ + SecureJSONData: map[string][]byte{}, + } + proxy, err := NewPluginProxy(ps, testRoutes, ctx, tc.proxyPath, &setting.Cfg{}, secretsService, tracing.InitializeTracerForTest(), &http.Transport{}) + require.NoError(t, err) + proxy.HandleRequest() + + for { + if requestHandled || ctx.Resp.Written() { + break + } + } + + require.Equal(t, tc.expectedStatus, ctx.Resp.Status()) + + if tc.expectedStatus == http.StatusNotFound { + return + } + + require.Equal(t, tc.expectedURLPath, requestURL) + }) + } +} + // getPluginProxiedRequest is a helper for easier setup of tests based on global config and ReqContext. -func getPluginProxiedRequest(t *testing.T, secretsService secrets.Service, ctx *models.ReqContext, cfg *setting.Cfg, route *plugins.Route, pluginSettingsService pluginsettings.Service) *http.Request { +func getPluginProxiedRequest(t *testing.T, ps *pluginsettings.DTO, secretsService secrets.Service, ctx *models.ReqContext, cfg *setting.Cfg, route *plugins.Route) *http.Request { // insert dummy route if none is specified if route == nil { route = &plugins.Route{ @@ -297,35 +429,12 @@ func getPluginProxiedRequest(t *testing.T, secretsService secrets.Service, ctx * ReqRole: org.RoleEditor, } } - proxy := NewApiPluginProxy(ctx, "", route, "", cfg, pluginSettingsService, secretsService) + proxy, err := NewPluginProxy(ps, []*plugins.Route{}, ctx, "", cfg, secretsService, tracing.InitializeTracerForTest(), &http.Transport{}) + require.NoError(t, err) req, err := http.NewRequest(http.MethodGet, "/api/plugin-proxy/grafana-simple-app/api/v4/alerts", nil) require.NoError(t, err) - proxy.Director(req) + proxy.matchedRoute = route + proxy.director(req) return req } - -type mockPluginsSettingsService struct { - pluginSetting *pluginsettings.DTO - err error -} - -func (s *mockPluginsSettingsService) GetPluginSettings(_ context.Context, _ *pluginsettings.GetArgs) ([]*pluginsettings.DTO, error) { - return nil, s.err -} - -func (s *mockPluginsSettingsService) GetPluginSettingByPluginID(_ context.Context, _ *pluginsettings.GetByPluginIDArgs) (*pluginsettings.DTO, error) { - return s.pluginSetting, s.err -} - -func (s *mockPluginsSettingsService) UpdatePluginSettingPluginVersion(_ context.Context, _ *pluginsettings.UpdatePluginVersionArgs) error { - return s.err -} - -func (s *mockPluginsSettingsService) UpdatePluginSetting(_ context.Context, _ *pluginsettings.UpdateArgs) error { - return s.err -} - -func (s *mockPluginsSettingsService) DecryptedValues(_ *pluginsettings.DTO) map[string]string { - return nil -}