IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

Plugins: Unsigned chromium file should not invalidate signature for Renderer plugin (#59104)

Browse Source 
* Plugins: Unsigned chromium file should not invalidate signature for Renderer plugin

* fix test

* re-work solution
This commit is contained in:
Will Browne 2022-12-19 11:46:27 +00:00 committed by GitHub
parent 02fbb1cd8f
commit 48b33ab521
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 77 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
pkg/plugins/manager/signature/manifest.go
View File

@ -12,6 +12,7 @@ import (
"os" "os"
"path" "path"
"path/filepath" "path/filepath"
"runtime"
"strings" "strings"
"github.com/gobwas/glob" "github.com/gobwas/glob"
@ -54,6 +55,8 @@ N1c5v9v/4h6qeA==
-----END PGP PUBLIC KEY BLOCK----- -----END PGP PUBLIC KEY BLOCK-----
` `
var runningWindows = runtime.GOOS == "windows"
// pluginManifest holds details for the file manifest // pluginManifest holds details for the file manifest
type pluginManifest struct { type pluginManifest struct {
Plugin string `json:"plugin"` Plugin string `json:"plugin"`
@ -259,6 +262,11 @@ func pluginFilesRequiringVerification(plugin *plugins.Plugin) ([]string, error)
return nil return nil
} }
// Ignoring unsigned Chromium debug.log so it doesn't invalidate the signature for Renderer plugin running on Windows
if runningWindows && plugin.IsRenderer() && strings.HasSuffix(path, filepath.Join("chrome-win", "debug.log")) {
return nil
}
// verify that file is within plugin directory // verify that file is within plugin directory
file, err := filepath.Rel(plugin.PluginDir, path) file, err := filepath.Rel(plugin.PluginDir, path)
if err != nil { if err != nil {

25
pkg/plugins/manager/signature/manifest_test.go
View File

@ -165,6 +165,31 @@ func TestCalculate(t *testing.T) {
require.Equal(t, tc.expectedSignature, sig) require.Equal(t, tc.expectedSignature, sig)
} }
}) })
t.Run("Unsigned Chromium file should not invalidate signature for Renderer plugin running on Windows", func(t *testing.T) {
backup := runningWindows
t.Cleanup(func() {
runningWindows = backup
})
runningWindows = true
sig, err := Calculate(log.NewNopLogger(), &plugins.Plugin{
JSONData: plugins.JSONData{
ID: "test-renderer",
Type: plugins.Renderer,
Info: plugins.Info{
Version: "1.0.0",
},
},
PluginDir: "../testdata/renderer-added-file/plugin",
})
require.NoError(t, err)
require.Equal(t, plugins.Signature{
Status: plugins.SignatureValid,
Type: plugins.GrafanaSignature,
SigningOrg: "Grafana Labs",
}, sig)
})
} }
func fileList(manifest *pluginManifest) []string { func fileList(manifest *pluginManifest) []string {

28
pkg/plugins/manager/testdata/renderer-added-file/plugin/MANIFEST.txt vendored Normal file
View File

@ -0,0 +1,28 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
{
"manifestVersion": "2.0.0",
"signatureType": "grafana",
"signedByOrg": "grafana",
"signedByOrgName": "Grafana Labs",
"plugin": "test-renderer",
"version": "1.0.0",
"time": 1669116992691,
"keyId": "7e4d0c6a708866e7",
"files": {
"plugin.json": "2f8fc554d0a080b9719ba43c0a8df366a88500eb129dfd4aedd9e3d147178273"
}
}
-----BEGIN PGP SIGNATURE-----
Version: OpenPGP.js v4.10.10
Comment: https://openpgpjs.org
wrgEARMKAAYFAmN8tEAAIQkQfk0ManCIZucWIQTzOyW2kQdOhGNlcPN+TQxq
cIhm576UAgiedgIhpOgTi/ypYgg8AtGQqKAwnDuDRDrYOc6LUDuskbSsR+J7
f2QjcPGpPk3alaqiTYMxixkTgmD01hltaTJ0AwIJAS9XkKHKxC9/ZhSHYemw
7wUeKs6AEvKR6amYZ+TF2pVyiJ9cEnl9J55MmDikqKFrIqC9J0V9r9wFkPAF
kOKVOY+y
=gqF+
-----END PGP SIGNATURE-----

1
pkg/plugins/manager/testdata/renderer-added-file/plugin/chrome-win/debug.log vendored Normal file
View File

@ -0,0 +1 @@
TEST LOG LINE

11
pkg/plugins/manager/testdata/renderer-added-file/plugin/plugin.json vendored Normal file
View File

@ -0,0 +1,11 @@
{
"type": "renderer",
"name": "Test",
"id": "test-renderer",
"backend": true,
"executable": "test",
"info": {
"version": "1.0.0",
"description": "Test"
}
}

4
pkg/plugins/pfs/pfs_test.go
View File

@ -69,6 +69,10 @@ func TestParseTreeTestdata(t *testing.T) {
rootid: "test-datasource", rootid: "test-datasource",
subpath: "plugin", subpath: "plugin",
}, },
"renderer-added-file": {
rootid: "test-renderer",
subpath: "plugin",
},
"symbolic-plugin-dirs": { "symbolic-plugin-dirs": {
skip: "io/fs-based scanner will not traverse symlinks; caller of ParsePluginFS() must do it", skip: "io/fs-based scanner will not traverse symlinks; caller of ParsePluginFS() must do it",
}, },

11
pkg/services/rendering/rendering.go
View File

@ -7,7 +7,6 @@ import (
"math" "math"
"net/url" "net/url"
"os" "os"
"path"
"path/filepath" "path/filepath"
"strings" "strings"
"sync" "sync"
@ -170,16 +169,6 @@ func (rs *RenderingService) Run(ctx context.Context) error {
rs.sanitizeSVGAction = rs.sanitizeSVGViaPlugin rs.sanitizeSVGAction = rs.sanitizeSVGViaPlugin
<-ctx.Done() <-ctx.Done()
// On Windows, Chromium is generating a debug.log file that breaks signature check on next restart
debugFilePath := path.Join(rs.pluginInfo.PluginDir, "chrome-win/debug.log")
if _, err := os.Stat(debugFilePath); err == nil {
err = os.Remove(debugFilePath)
if err != nil {
rs.log.Warn("Couldn't remove debug.log file, the renderer plugin will not be able to pass the signature check until this file is deleted",
"err", err)
}
}
return nil return nil
} }