Alerting: External AM fix parsing basic auth with escape characters (#84681)

pkg/services/ngalert/sender/router.go

@@ -275,17 +275,16 @@ func (d *AlertsRouter) buildExternalURL(ds *datasources.DataSource) (string, err
 		}
 	}
 
-	// if basic auth is enabled we need to build the url with basic auth baked in
+	// If basic auth is enabled we need to build the url with basic auth baked in.
-	if !ds.BasicAuth {
+	if ds.BasicAuth {
-		return parsed.String(), nil
+		password := d.secretService.GetDecryptedValue(context.Background(), ds.SecureJsonData, "basicAuthPassword", "")
+		if password == "" {
+			return "", fmt.Errorf("basic auth enabled but no password set")
+		}
+		parsed.User = url.UserPassword(ds.BasicAuthUser, password)
 	}
 
-	password := d.secretService.GetDecryptedValue(context.Background(), ds.SecureJsonData, "basicAuthPassword", "")
+	return parsed.String(), nil
-	if password == "" {
-		return "", fmt.Errorf("basic auth enabled but no password set")
-	}
-	return fmt.Sprintf("%s://%s:%s@%s%s%s", parsed.Scheme, ds.BasicAuthUser,
-		password, parsed.Host, parsed.Path, parsed.RawQuery), nil
 }
 
 func (d *AlertsRouter) Send(ctx context.Context, key models.AlertRuleKey, alerts definitions.PostableAlerts) {

pkg/services/ngalert/sender/router_test.go

@@ -461,6 +461,18 @@ func TestBuildExternalURL(t *testing.T) {
 			},
 			expectedURL: "https://johndoe:123@localhost:9000",
 		},
+		{
+			name: "datasource with auth that needs escaping",
+			ds: &datasources.DataSource{
+				URL:           "https://localhost:9000",
+				BasicAuth:     true,
+				BasicAuthUser: "johndoe",
+				SecureJsonData: map[string][]byte{
+					"basicAuthPassword": []byte("123#!"),
+				},
+			},
+			expectedURL: "https://johndoe:123%23%21@localhost:9000",
+		},
 		{
 			name: "datasource with auth and path",
 			ds: &datasources.DataSource{