Plugins: Unsigned chromium file should not invalidate signature for Renderer plugin (#59104)

* Plugins: Unsigned chromium file should not invalidate signature for Renderer plugin * fix test * re-work solution
2025-02-25 18:55:37 -06:00 · 2022-12-19 11:46:27 +00:00 · 2022-12-19 11:46:27 +00:00 · 48b33ab521
commit 48b33ab521
parent 02fbb1cd8f
7 changed files with 77 additions and 11 deletions
--- a/pkg/plugins/manager/signature/manifest.go
+++ b/pkg/plugins/manager/signature/manifest.go
@ -12,6 +12,7 @@ import (
 	"os"
 	"path"
 	"path/filepath"
+	"runtime"
 	"strings"

 	"github.com/gobwas/glob"
@ -54,6 +55,8 @@ N1c5v9v/4h6qeA==
 -----END PGP PUBLIC KEY BLOCK-----
 `

+var runningWindows = runtime.GOOS == "windows"
+
 // pluginManifest holds details for the file manifest
 type pluginManifest struct {
 	Plugin  string            `json:"plugin"`
@ -259,6 +262,11 @@ func pluginFilesRequiringVerification(plugin *plugins.Plugin) ([]string, error)
 			return nil
 		}

+		// Ignoring unsigned Chromium debug.log so it doesn't invalidate the signature for Renderer plugin running on Windows
+		if runningWindows && plugin.IsRenderer() && strings.HasSuffix(path, filepath.Join("chrome-win", "debug.log")) {
+			return nil
+		}
+
 		// verify that file is within plugin directory
 		file, err := filepath.Rel(plugin.PluginDir, path)
 		if err != nil {
--- a/pkg/plugins/manager/signature/manifest_test.go
+++ b/pkg/plugins/manager/signature/manifest_test.go
@ -165,6 +165,31 @@ func TestCalculate(t *testing.T) {
 			require.Equal(t, tc.expectedSignature, sig)
 		}
 	})
+
+	t.Run("Unsigned Chromium file should not invalidate signature for Renderer plugin running on Windows", func(t *testing.T) {
+		backup := runningWindows
+		t.Cleanup(func() {
+			runningWindows = backup
+		})
+
+		runningWindows = true
+		sig, err := Calculate(log.NewNopLogger(), &plugins.Plugin{
+			JSONData: plugins.JSONData{
+				ID:   "test-renderer",
+				Type: plugins.Renderer,
+				Info: plugins.Info{
+					Version: "1.0.0",
+				},
+			},
+			PluginDir: "../testdata/renderer-added-file/plugin",
+		})
+		require.NoError(t, err)
+		require.Equal(t, plugins.Signature{
+			Status:     plugins.SignatureValid,
+			Type:       plugins.GrafanaSignature,
+			SigningOrg: "Grafana Labs",
+		}, sig)
+	})
 }

 func fileList(manifest *pluginManifest) []string {
--- a/pkg/plugins/manager/testdata/renderer-added-file/plugin/MANIFEST.txt
+++ b/pkg/plugins/manager/testdata/renderer-added-file/plugin/MANIFEST.txt
@ -0,0 +1,28 @@
+
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+{
+  "manifestVersion": "2.0.0",
+  "signatureType": "grafana",
+  "signedByOrg": "grafana",
+  "signedByOrgName": "Grafana Labs",
+  "plugin": "test-renderer",
+  "version": "1.0.0",
+  "time": 1669116992691,
+  "keyId": "7e4d0c6a708866e7",
+  "files": {
+    "plugin.json": "2f8fc554d0a080b9719ba43c0a8df366a88500eb129dfd4aedd9e3d147178273"
+  }
+}
+-----BEGIN PGP SIGNATURE-----
+Version: OpenPGP.js v4.10.10
+Comment: https://openpgpjs.org
+
+wrgEARMKAAYFAmN8tEAAIQkQfk0ManCIZucWIQTzOyW2kQdOhGNlcPN+TQxq
+cIhm576UAgiedgIhpOgTi/ypYgg8AtGQqKAwnDuDRDrYOc6LUDuskbSsR+J7
+f2QjcPGpPk3alaqiTYMxixkTgmD01hltaTJ0AwIJAS9XkKHKxC9/ZhSHYemw
+7wUeKs6AEvKR6amYZ+TF2pVyiJ9cEnl9J55MmDikqKFrIqC9J0V9r9wFkPAF
+kOKVOY+y
+=gqF+
+-----END PGP SIGNATURE-----
--- a/pkg/plugins/manager/testdata/renderer-added-file/plugin/chrome-win/debug.log
+++ b/pkg/plugins/manager/testdata/renderer-added-file/plugin/chrome-win/debug.log
@ -0,0 +1 @@
+TEST LOG LINE
--- a/pkg/plugins/manager/testdata/renderer-added-file/plugin/plugin.json
+++ b/pkg/plugins/manager/testdata/renderer-added-file/plugin/plugin.json
@ -0,0 +1,11 @@
+{
+  "type": "renderer",
+  "name": "Test",
+  "id": "test-renderer",
+  "backend": true,
+  "executable": "test",
+  "info": {
+    "version": "1.0.0",
+    "description": "Test"
+  }
+}
--- a/pkg/plugins/pfs/pfs_test.go
+++ b/pkg/plugins/pfs/pfs_test.go
@ -69,6 +69,10 @@ func TestParseTreeTestdata(t *testing.T) {
 			rootid:  "test-datasource",
 			subpath: "plugin",
 		},
+		"renderer-added-file": {
+			rootid:  "test-renderer",
+			subpath: "plugin",
+		},
 		"symbolic-plugin-dirs": {
 			skip: "io/fs-based scanner will not traverse symlinks; caller of ParsePluginFS() must do it",
 		},
--- a/pkg/services/rendering/rendering.go
+++ b/pkg/services/rendering/rendering.go
@ -7,7 +7,6 @@ import (
 	"math"
 	"net/url"
 	"os"
-	"path"
 	"path/filepath"
 	"strings"
 	"sync"
@ -170,16 +169,6 @@ func (rs *RenderingService) Run(ctx context.Context) error {
 		rs.sanitizeSVGAction = rs.sanitizeSVGViaPlugin
 		<-ctx.Done()

-		// On Windows, Chromium is generating a debug.log file that breaks signature check on next restart
-		debugFilePath := path.Join(rs.pluginInfo.PluginDir, "chrome-win/debug.log")
-		if _, err := os.Stat(debugFilePath); err == nil {
-			err = os.Remove(debugFilePath)
-			if err != nil {
-				rs.log.Warn("Couldn't remove debug.log file, the renderer plugin will not be able to pass the signature check until this file is deleted",
-					"err", err)
-			}
-		}
-
 		return nil
 	}