From f087d5f61b89f7ba8ed45cf4117fc5cbda4c69f9 Mon Sep 17 00:00:00 2001
From: Ryan McKinley <ryantxu@gmail.com>
Date: Tue, 1 Apr 2025 17:49:08 +0300
Subject: [PATCH] Provisioning: validate files we read (#103197)

---
 .../apis/provisioning/resources/dualwriter.go       |  7 ++++---
 pkg/tests/apis/provisioning/provisioning_test.go    | 13 +++++++++++--
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/pkg/registry/apis/provisioning/resources/dualwriter.go b/pkg/registry/apis/provisioning/resources/dualwriter.go
index 2a841187080..f30920d4e8a 100644
--- a/pkg/registry/apis/provisioning/resources/dualwriter.go
+++ b/pkg/registry/apis/provisioning/resources/dualwriter.go
@@ -5,12 +5,13 @@ import (
 	"errors"
 	"fmt"
 
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
 	"github.com/grafana/grafana/pkg/apimachinery/apis/common/v0alpha1"
 	provisioning "github.com/grafana/grafana/pkg/apis/provisioning/v0alpha1"
 	"github.com/grafana/grafana/pkg/registry/apis/provisioning/repository"
 	"github.com/grafana/grafana/pkg/registry/apis/provisioning/safepath"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 // DualReadWriter is a wrapper around a repository that can read and write resources
@@ -36,7 +37,7 @@ func (r *DualReadWriter) Read(ctx context.Context, path string, ref string) (*Pa
 		return nil, err
 	}
 
-	parsed, err := r.parser.Parse(ctx, info, false)
+	parsed, err := r.parser.Parse(ctx, info, true)
 	if err != nil {
 		return nil, err
 	}
diff --git a/pkg/tests/apis/provisioning/provisioning_test.go b/pkg/tests/apis/provisioning/provisioning_test.go
index 42c830eaeda..2f1ca0c1ec4 100644
--- a/pkg/tests/apis/provisioning/provisioning_test.go
+++ b/pkg/tests/apis/provisioning/provisioning_test.go
@@ -260,10 +260,19 @@ func TestIntegrationProvisioning_ImportAllPanelsFromLocalRepository(t *testing.T
 	_, err := helper.Repositories.Resource.Create(ctx, localTmp, metav1.CreateOptions{})
 	require.NoError(t, err)
 
-	// Make sure the repo can see the file
-	_, err = helper.Repositories.Resource.Get(ctx, repo, metav1.GetOptions{}, "files", "all-panels.json")
+	// Make sure the repo can read and validate the file
+	obj, err := helper.Repositories.Resource.Get(ctx, repo, metav1.GetOptions{}, "files", "all-panels.json")
 	require.NoError(t, err, "valid path should be fine")
 
+	resource, _, err := unstructured.NestedMap(obj.Object, "resource")
+	require.NoError(t, err, "missing resource")
+	action, _, err := unstructured.NestedString(resource, "action")
+	require.NoError(t, err, "invalid action")
+
+	require.NotNil(t, resource["file"], "the raw file")
+	require.NotNil(t, resource["dryRun"], "dryRun result")
+	require.Equal(t, "create", action)
+
 	// But the dashboard shouldn't exist yet
 	const allPanels = "n1jR8vnnz"
 	_, err = helper.Dashboards.Resource.Get(ctx, allPanels, metav1.GetOptions{})