opensource/grafana
1
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-07-31 14:32:22 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
grafana/pkg/services/pluginsintegration/clientmiddleware/oauthtoken_middleware.go
Marcus Efraimsson 6dbe3b555f Plugins: Refactor forward of cookies, OAuth token and header modifications by introducing client middlewares (#58132) 
Adding support for backend plugin client middlewares. This allows headers in outgoing 
backend plugin and HTTP requests to be modified using client middlewares.

The following client middlewares added:
Forward cookies: Will forward incoming HTTP request Cookies to outgoing plugins.Client 
and HTTP requests if the datasource has enabled forwarding of cookies (keepCookies).
Forward OAuth token: Will set OAuth token headers on outgoing plugins.Client and HTTP 
requests if the datasource has enabled Forward OAuth Identity (oauthPassThru).
Clear auth headers: Will clear any outgoing HTTP headers that was part of the incoming 
HTTP request and used when authenticating to Grafana.
The current suggested way to register client middlewares is to have a separate package, 
pluginsintegration, responsible for bootstrap/instantiate the backend plugin client with 
middlewares and/or longer term bootstrap/instantiate plugin management. 

Fixes #54135
Related to #47734
Related to #57870
Related to #41623
Related to #57065
2022-12-01 19:08:36 +01:00

156 lines
4.8 KiB
Go
Raw Blame History

package clientmiddleware
import (
"context"
"fmt"
"net/http"
"github.com/grafana/grafana-plugin-sdk-go/backend"
"github.com/grafana/grafana-plugin-sdk-go/backend/httpclient"
"github.com/grafana/grafana/pkg/components/simplejson"
"github.com/grafana/grafana/pkg/infra/httpclient/httpclientprovider"
"github.com/grafana/grafana/pkg/plugins"
"github.com/grafana/grafana/pkg/services/contexthandler"
"github.com/grafana/grafana/pkg/services/datasources"
"github.com/grafana/grafana/pkg/services/oauthtoken"
)
// NewOAuthTokenMiddleware creates a new plugins.ClientMiddleware that will
// set OAuth token headers on outgoing plugins.Client and HTTP requests if
// the datasource has enabled Forward OAuth Identity (oauthPassThru).
func NewOAuthTokenMiddleware(oAuthTokenService oauthtoken.OAuthTokenService) plugins.ClientMiddleware {
return plugins.ClientMiddlewareFunc(func(next plugins.Client) plugins.Client {
return &OAuthTokenMiddleware{
next: next,
oAuthTokenService: oAuthTokenService,
}
})
}
const (
tokenHeaderName = "Authorization"
idTokenHeaderName = "X-ID-Token"
)
type OAuthTokenMiddleware struct {
oAuthTokenService oauthtoken.OAuthTokenService
next plugins.Client
}
func (m *OAuthTokenMiddleware) applyToken(ctx context.Context, pCtx backend.PluginContext, req interface{}) (context.Context, error) {
reqCtx := contexthandler.FromContext(ctx)
// if request not for a datasource or no HTTP request context skip middleware
if req == nil || pCtx.DataSourceInstanceSettings == nil || reqCtx == nil || reqCtx.Req == nil {
return ctx, nil
}
settings := pCtx.DataSourceInstanceSettings
jsonDataBytes, err := simplejson.NewJson(settings.JSONData)
if err != nil {
return ctx, err
}
ds := &datasources.DataSource{
Id: settings.ID,
OrgId: pCtx.OrgID,
JsonData: jsonDataBytes,
Updated: settings.Updated,
}
if m.oAuthTokenService.IsOAuthPassThruEnabled(ds) {
if token := m.oAuthTokenService.GetCurrentOAuthToken(ctx, reqCtx.SignedInUser); token != nil {
authorizationHeader := fmt.Sprintf("%s %s", token.Type(), token.AccessToken)
idTokenHeader := ""
idToken, ok := token.Extra("id_token").(string)
if ok && idToken != "" {
idTokenHeader = idToken
}
switch t := req.(type) {
case *backend.QueryDataRequest:
t.Headers[tokenHeaderName] = authorizationHeader
if idTokenHeader != "" {
t.Headers[idTokenHeaderName] = idTokenHeader
}
case *backend.CheckHealthRequest:
t.Headers[tokenHeaderName] = authorizationHeader
if idTokenHeader != "" {
t.Headers[idTokenHeaderName] = idTokenHeader
}
case *backend.CallResourceRequest:
t.Headers[tokenHeaderName] = []string{authorizationHeader}
if idTokenHeader != "" {
t.Headers[idTokenHeaderName] = []string{idTokenHeader}
}
}
httpHeaders := http.Header{}
httpHeaders.Set(tokenHeaderName, authorizationHeader)
if idTokenHeader != "" {
httpHeaders.Set(idTokenHeaderName, idTokenHeader)
}
ctx = httpclient.WithContextualMiddleware(ctx, httpclientprovider.SetHeadersMiddleware(httpHeaders))
}
}
return ctx, nil
}
func (m *OAuthTokenMiddleware) QueryData(ctx context.Context, req *backend.QueryDataRequest) (*backend.QueryDataResponse, error) {
if req == nil {
return m.next.QueryData(ctx, req)
}
newCtx, err := m.applyToken(ctx, req.PluginContext, req)
if err != nil {
return nil, err
}
return m.next.QueryData(newCtx, req)
}
func (m *OAuthTokenMiddleware) CallResource(ctx context.Context, req *backend.CallResourceRequest, sender backend.CallResourceResponseSender) error {
if req == nil {
return m.next.CallResource(ctx, req, sender)
}
newCtx, err := m.applyToken(ctx, req.PluginContext, req)
if err != nil {
return err
}
return m.next.CallResource(newCtx, req, sender)
}
func (m *OAuthTokenMiddleware) CheckHealth(ctx context.Context, req *backend.CheckHealthRequest) (*backend.CheckHealthResult, error) {
if req == nil {
return m.next.CheckHealth(ctx, req)
}
newCtx, err := m.applyToken(ctx, req.PluginContext, req)
if err != nil {
return nil, err
}
return m.next.CheckHealth(newCtx, req)
}
func (m *OAuthTokenMiddleware) CollectMetrics(ctx context.Context, req *backend.CollectMetricsRequest) (*backend.CollectMetricsResult, error) {
return m.next.CollectMetrics(ctx, req)
}
func (m *OAuthTokenMiddleware) SubscribeStream(ctx context.Context, req *backend.SubscribeStreamRequest) (*backend.SubscribeStreamResponse, error) {
return m.next.SubscribeStream(ctx, req)
}
func (m *OAuthTokenMiddleware) PublishStream(ctx context.Context, req *backend.PublishStreamRequest) (*backend.PublishStreamResponse, error) {
return m.next.PublishStream(ctx, req)
}
func (m *OAuthTokenMiddleware) RunStream(ctx context.Context, req *backend.RunStreamRequest, sender *backend.StreamSender) error {
return m.next.RunStream(ctx, req, sender)
}
Reference in New Issue View Git Blame Copy Permalink