opensource/grafana
1
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-07-29 00:42:23 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
grafana/pkg/api/pluginproxy/pluginproxy_test.go
Dimitris Sotirakis 605d056136 Security: Sync security changes on main (#45083) 
* * Teams: Appropriately apply user id filter in /api/teams/:id and /api/teams/search
* Teams: Ensure that users searching for teams are only able see teams they have access to
* Teams: Require teamGuardian admin privileges to list team members
* Teams: Prevent org viewers from administering teams
* Teams: Add org_id condition to team count query
* Teams: clarify permission requirements in teams api docs
* Teams: expand scenarios for team search tests
* Teams: mock teamGuardian in tests

Co-authored-by: Dan Cech <dcech@grafana.com>

* remove duplicate WHERE statement

* Fix for CVE-2022-21702

(cherry picked from commit 202d7c190082c094bc1dc13f7fe9464746c37f9e)

* Lint and test fixes

(cherry picked from commit 3e6b67d5504abf4a1d7b8d621f04d062c048e981)

* check content type properly

(cherry picked from commit 70b4458892bf2f776302720c10d24c9ff34edd98)

* basic csrf origin check

(cherry picked from commit 3adaa5ff39832364f6390881fb5b42ad47df92e1)

* compare origin to host

(cherry picked from commit 5443892699e8ed42836bb2b9a44744ff3e970f42)

* simplify url parsing

(cherry picked from commit b2ffbc9513fed75468628370a48b929d30af2b1d)

* check csrf for GET requests, only compare origin

(cherry picked from commit 8b81dc12d8f8a1f07852809c5b4d44f0f0b1d709)

* parse content type properly

(cherry picked from commit 16f76f4902e6f2188bea9606c68b551af186bdc0)

* mentioned get in the comment

(cherry picked from commit a7e61811ef8ae558ce721e2e3fed04ce7a5a5345)

* add content-type: application/json to test HTTP requests

* fix pluginproxy test

* Fix linter when comparing errors

Co-authored-by: Kevin Minehart <kmineh0151@gmail.com>
Co-authored-by: Dan Cech <dcech@grafana.com>
Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
Co-authored-by: Serge Zaitsev <serge.zaitsev@grafana.com>
Co-authored-by: Vardan Torosyan <vardants@gmail.com>
2022-02-09 13:44:38 +01:00

301 lines
7.9 KiB
Go
Raw Blame History

package pluginproxy
import (
"context"
"io/ioutil"
"net/http"
"net/http/httptest"
"testing"
"github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/plugins"
"github.com/grafana/grafana/pkg/services/secrets"
"github.com/grafana/grafana/pkg/services/secrets/fakes"
secretsManager "github.com/grafana/grafana/pkg/services/secrets/manager"
"github.com/grafana/grafana/pkg/services/sqlstore"
"github.com/grafana/grafana/pkg/services/sqlstore/mockstore"
"github.com/grafana/grafana/pkg/setting"
"github.com/grafana/grafana/pkg/web"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func TestPluginProxy(t *testing.T) {
setting.SecretKey = "password"
secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
t.Run("When getting proxy headers", func(t *testing.T) {
route := &plugins.Route{
Headers: []plugins.Header{
{Name: "x-header", Content: "my secret {{.SecureJsonData.key}}"},
},
}
store := mockstore.NewSQLStoreMock()
key, _ := secretsService.Encrypt(context.Background(), []byte("123"), secrets.WithoutScope())
store.ExpectedPluginSetting = &models.PluginSetting{
SecureJsonData: map[string][]byte{
"key": key,
},
}
httpReq, err := http.NewRequest(http.MethodGet, "", nil)
require.NoError(t, err)
req := getPluginProxiedRequest(
t,
secretsService,
&models.ReqContext{
SignedInUser: &models.SignedInUser{
Login: "test_user",
},
Context: &web.Context{
Req: httpReq,
},
},
&setting.Cfg{SendUserHeader: true},
route,
store,
)
assert.Equal(t, "my secret 123", req.Header.Get("x-header"))
})
t.Run("When SendUserHeader config is enabled", func(t *testing.T) {
httpReq, err := http.NewRequest(http.MethodGet, "", nil)
require.NoError(t, err)
store := mockstore.NewSQLStoreMock()
store.ExpectedPluginSetting = &models.PluginSetting{}
req := getPluginProxiedRequest(
t,
secretsService,
&models.ReqContext{
SignedInUser: &models.SignedInUser{
Login: "test_user",
},
Context: &web.Context{
Req: httpReq,
},
},
&setting.Cfg{SendUserHeader: true},
nil,
store,
)
// Get will return empty string even if header is not set
assert.Equal(t, "test_user", req.Header.Get("X-Grafana-User"))
})
t.Run("When SendUserHeader config is disabled", func(t *testing.T) {
httpReq, err := http.NewRequest(http.MethodGet, "", nil)
require.NoError(t, err)
store := mockstore.NewSQLStoreMock()
store.ExpectedPluginSetting = &models.PluginSetting{}
req := getPluginProxiedRequest(
t,
secretsService,
&models.ReqContext{
SignedInUser: &models.SignedInUser{
Login: "test_user",
},
Context: &web.Context{
Req: httpReq,
},
},
&setting.Cfg{SendUserHeader: false},
nil,
store,
)
// Get will return empty string even if header is not set
assert.Equal(t, "", req.Header.Get("X-Grafana-User"))
})
t.Run("When SendUserHeader config is enabled but user is anonymous", func(t *testing.T) {
httpReq, err := http.NewRequest(http.MethodGet, "", nil)
require.NoError(t, err)
store := mockstore.NewSQLStoreMock()
store.ExpectedPluginSetting = &models.PluginSetting{}
req := getPluginProxiedRequest(
t,
secretsService,
&models.ReqContext{
SignedInUser: &models.SignedInUser{IsAnonymous: true},
Context: &web.Context{
Req: httpReq,
},
},
&setting.Cfg{SendUserHeader: true},
nil,
store,
)
// Get will return empty string even if header is not set
assert.Equal(t, "", req.Header.Get("X-Grafana-User"))
})
t.Run("When getting templated url", func(t *testing.T) {
route := &plugins.Route{
URL: "{{.JsonData.dynamicUrl}}",
Method: "GET",
}
store := mockstore.NewSQLStoreMock()
store.ExpectedPluginSetting = &models.PluginSetting{
JsonData: map[string]interface{}{
"dynamicUrl": "https://dynamic.grafana.com",
},
}
httpReq, err := http.NewRequest(http.MethodGet, "", nil)
require.NoError(t, err)
req := getPluginProxiedRequest(
t,
secretsService,
&models.ReqContext{
SignedInUser: &models.SignedInUser{
Login: "test_user",
},
Context: &web.Context{
Req: httpReq,
},
},
&setting.Cfg{SendUserHeader: true},
route,
store,
)
assert.Equal(t, "https://dynamic.grafana.com", req.URL.String())
assert.Equal(t, "{{.JsonData.dynamicUrl}}", route.URL)
})
t.Run("When getting complex templated url", func(t *testing.T) {
route := &plugins.Route{
URL: "{{if .JsonData.apiHost}}{{.JsonData.apiHost}}{{else}}https://example.com{{end}}",
Method: "GET",
}
store := mockstore.NewSQLStoreMock()
store.ExpectedPluginSetting = &models.PluginSetting{}
httpReq, err := http.NewRequest(http.MethodGet, "", nil)
require.NoError(t, err)
req := getPluginProxiedRequest(
t,
secretsService,
&models.ReqContext{
SignedInUser: &models.SignedInUser{
Login: "test_user",
},
Context: &web.Context{
Req: httpReq,
},
},
&setting.Cfg{SendUserHeader: true},
route,
store,
)
assert.Equal(t, "https://example.com", req.URL.String())
})
t.Run("When getting templated body", func(t *testing.T) {
route := &plugins.Route{
Path: "api/body",
URL: "http://www.test.com",
Body: []byte(`{ "url": "{{.JsonData.dynamicUrl}}", "secret": "{{.SecureJsonData.key}}" }`),
}
store := mockstore.NewSQLStoreMock()
encryptedJsonData, _ := secretsService.EncryptJsonData(
context.Background(),
map[string]string{"key": "123"},
secrets.WithoutScope(),
)
store.ExpectedPluginSetting = &models.PluginSetting{
JsonData: map[string]interface{}{"dynamicUrl": "https://dynamic.grafana.com"},
SecureJsonData: encryptedJsonData,
}
httpReq, err := http.NewRequest(http.MethodGet, "", nil)
require.NoError(t, err)
req := getPluginProxiedRequest(
t,
secretsService,
&models.ReqContext{
SignedInUser: &models.SignedInUser{
Login: "test_user",
},
Context: &web.Context{
Req: httpReq,
},
},
&setting.Cfg{SendUserHeader: true},
route,
store,
)
content, err := ioutil.ReadAll(req.Body)
require.NoError(t, err)
require.Equal(t, `{ "url": "https://dynamic.grafana.com", "secret": "123" }`, string(content))
})
t.Run("When proxying a request should set expected response headers", func(t *testing.T) {
requestHandled := false
backendServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(200)
_, _ = w.Write([]byte("I am the backend"))
requestHandled = true
}))
t.Cleanup(backendServer.Close)
responseWriter := web.NewResponseWriter("GET", httptest.NewRecorder())
route := &plugins.Route{
Path: "/",
URL: backendServer.URL,
}
ctx := &models.ReqContext{
SignedInUser: &models.SignedInUser{},
Context: &web.Context{
Req: httptest.NewRequest("GET", "/", nil),
Resp: responseWriter,
},
}
store := mockstore.NewSQLStoreMock()
store.ExpectedPluginSetting = &models.PluginSetting{
SecureJsonData: map[string][]byte{},
}
proxy := NewApiPluginProxy(ctx, "", route, "", &setting.Cfg{}, store, secretsService)
proxy.ServeHTTP(ctx.Resp, ctx.Req)
for {
if requestHandled {
break
}
}
require.Equal(t, "sandbox", ctx.Resp.Header().Get("Content-Security-Policy"))
})
}
// getPluginProxiedRequest is a helper for easier setup of tests based on global config and ReqContext.
func getPluginProxiedRequest(t *testing.T, secretsService secrets.Service, ctx *models.ReqContext, cfg *setting.Cfg, route *plugins.Route, store sqlstore.Store) *http.Request {
// insert dummy route if none is specified
if route == nil {
route = &plugins.Route{
Path: "api/v4/",
URL: "https://www.google.com",
ReqRole: models.ROLE_EDITOR,
}
}
proxy := NewApiPluginProxy(ctx, "", route, "", cfg, store, secretsService)
req, err := http.NewRequest(http.MethodGet, "/api/plugin-proxy/grafana-simple-app/api/v4/alerts", nil)
require.NoError(t, err)
proxy.Director(req)
return req
}
Reference in New Issue View Git Blame Copy Permalink