Plugins: add option to proxy ds connections through a secure socks proxy (#59254)

* Plugins: add feature to proxy data source connections
2025-02-25 18:55:37 -06:00 · 2022-11-29 23:50:59 -06:00
parent 122f0d947e
commit 6805c951e9
10 changed files with 342 additions and 1 deletions
--- a/pkg/infra/httpclient/httpclientprovider/http_client_provider.go
+++ b/pkg/infra/httpclient/httpclientprovider/http_client_provider.go
@@ -10,6 +10,7 @@ import (
 	"github.com/grafana/grafana/pkg/infra/metrics/metricutil"
 	"github.com/grafana/grafana/pkg/infra/tracing"
 	"github.com/grafana/grafana/pkg/models"
+	"github.com/grafana/grafana/pkg/services/featuremgmt"
 	"github.com/grafana/grafana/pkg/setting"
 	"github.com/mwitkow/go-conntrack"
 )
@@ -50,10 +51,18 @@ func New(cfg *setting.Cfg, validator models.PluginRequestValidator, tracer traci
 				return
 			}
 			datasourceLabelName, err := metricutil.SanitizeLabelName(datasourceName)
-
 			if err != nil {
 				return
 			}
+
+			if cfg.IsFeatureToggleEnabled(featuremgmt.FlagSecureSocksDatasourceProxy) &&
+				cfg.SecureSocksDSProxy.Enabled && secureSocksProxyEnabledOnDS(opts) {
+				err = newSecureSocksProxy(&cfg.SecureSocksDSProxy, transport)
+				if err != nil {
+					logger.Error("Failed to enable secure socks proxy", "error", err.Error(), "datasource", datasourceName)
+				}
+			}
+
 			newConntrackRoundTripper(datasourceLabelName, transport)
 		},
 	})
--- a/pkg/infra/httpclient/httpclientprovider/secure_socks_proxy.go
+++ b/pkg/infra/httpclient/httpclientprovider/secure_socks_proxy.go
@@ -0,0 +1,72 @@
+package httpclientprovider
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"errors"
+	"net/http"
+	"os"
+	"strings"
+
+	"github.com/grafana/grafana-plugin-sdk-go/backend"
+	sdkhttpclient "github.com/grafana/grafana-plugin-sdk-go/backend/httpclient"
+	"github.com/grafana/grafana/pkg/setting"
+	"golang.org/x/net/proxy"
+)
+
+// newSecureSocksProxy takes a http.DefaultTransport and wraps it in a socks5 proxy with TLS
+func newSecureSocksProxy(cfg *setting.SecureSocksDSProxySettings, transport *http.Transport) error {
+	certPool := x509.NewCertPool()
+	for _, rootCAFile := range strings.Split(cfg.RootCA, " ") {
+		// nolint:gosec
+		// The gosec G304 warning can be ignored because `rootCAFile` comes from config ini.
+		pem, err := os.ReadFile(rootCAFile)
+		if err != nil {
+			return err
+		}
+		if !certPool.AppendCertsFromPEM(pem) {
+			return errors.New("failed to append CA certificate " + rootCAFile)
+		}
+	}
+
+	cert, err := tls.LoadX509KeyPair(cfg.ClientCert, cfg.ClientKey)
+	if err != nil {
+		return err
+	}
+
+	tlsDialer := &tls.Dialer{
+		Config: &tls.Config{
+			Certificates: []tls.Certificate{cert},
+			ServerName:   cfg.ServerName,
+			RootCAs:      certPool,
+		},
+	}
+	dialSocksProxy, err := proxy.SOCKS5("tcp", cfg.ProxyAddress, nil, tlsDialer)
+	if err != nil {
+		return err
+	}
+
+	contextDialer, ok := dialSocksProxy.(proxy.ContextDialer)
+	if !ok {
+		return errors.New("unable to cast socks proxy dialer to context proxy dialer")
+	}
+
+	transport.DialContext = contextDialer.DialContext
+
+	return nil
+}
+
+// secureSocksProxyEnabledOnDS checks the datasource json data to see if the secure socks proxy is enabled on it
+func secureSocksProxyEnabledOnDS(opts sdkhttpclient.Options) bool {
+	jsonData := backend.JSONDataFromHTTPClientOptions(opts)
+	res, enabled := jsonData["enableSecureSocksProxy"]
+	if !enabled {
+		return false
+	}
+
+	if val, ok := res.(bool); ok {
+		return val
+	}
+
+	return false
+}
--- a/pkg/infra/httpclient/httpclientprovider/secure_socks_proxy_test.go
+++ b/pkg/infra/httpclient/httpclientprovider/secure_socks_proxy_test.go
@@ -0,0 +1,177 @@
+package httpclientprovider
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"math/big"
+	"net/http"
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"github.com/grafana/grafana-plugin-sdk-go/backend"
+	"github.com/grafana/grafana/pkg/setting"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewSecureSocksProxy(t *testing.T) {
+	proxyAddress := "localhost:3000"
+	serverName := "localhost"
+	tempDir := t.TempDir()
+
+	// create empty file for testing invalid configs
+	tempEmptyFile := filepath.Join(tempDir, "emptyfile.txt")
+	// nolint:gosec
+	// The gosec G304 warning can be ignored because all values come from the test
+	_, err := os.Create(tempEmptyFile)
+	require.NoError(t, err)
+
+	// generate test rootCA
+	ca := &x509.Certificate{
+		SerialNumber: big.NewInt(2019),
+		Subject: pkix.Name{
+			Organization: []string{"Grafana Labs"},
+			CommonName:   "Grafana",
+		},
+		NotBefore:             time.Now(),
+		NotAfter:              time.Now().AddDate(10, 0, 0),
+		IsCA:                  true,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
+		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		BasicConstraintsValid: true,
+	}
+	caPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
+	require.NoError(t, err)
+	caBytes, err := x509.CreateCertificate(rand.Reader, ca, ca, &caPrivKey.PublicKey, caPrivKey)
+	require.NoError(t, err)
+	rootCACert := filepath.Join(tempDir, "ca.cert")
+	// nolint:gosec
+	// The gosec G304 warning can be ignored because all values come from the test
+	caCertFile, err := os.Create(rootCACert)
+	require.NoError(t, err)
+	err = pem.Encode(caCertFile, &pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: caBytes,
+	})
+	require.NoError(t, err)
+
+	// generate test client cert & key
+	cert := &x509.Certificate{
+		SerialNumber: big.NewInt(2019),
+		Subject: pkix.Name{
+			Organization: []string{"Grafana Labs"},
+			CommonName:   "Grafana",
+		},
+		NotBefore:    time.Now(),
+		NotAfter:     time.Now().AddDate(10, 0, 0),
+		SubjectKeyId: []byte{1, 2, 3, 4, 6},
+		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
+		KeyUsage:     x509.KeyUsageDigitalSignature,
+	}
+	certPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
+	require.NoError(t, err)
+	certBytes, err := x509.CreateCertificate(rand.Reader, cert, ca, &certPrivKey.PublicKey, caPrivKey)
+	require.NoError(t, err)
+	clientCert := filepath.Join(tempDir, "client.cert")
+	// nolint:gosec
+	// The gosec G304 warning can be ignored because all values come from the test
+	certFile, err := os.Create(clientCert)
+	require.NoError(t, err)
+	err = pem.Encode(certFile, &pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: certBytes,
+	})
+	require.NoError(t, err)
+	clientKey := filepath.Join(tempDir, "client.key")
+	// nolint:gosec
+	// The gosec G304 warning can be ignored because all values come from the test
+	keyFile, err := os.Create(clientKey)
+	require.NoError(t, err)
+	err = pem.Encode(keyFile, &pem.Block{
+		Type:  "RSA PRIVATE KEY",
+		Bytes: x509.MarshalPKCS1PrivateKey(certPrivKey),
+	})
+	require.NoError(t, err)
+
+	settings := &setting.SecureSocksDSProxySettings{
+		ClientCert:   clientCert,
+		ClientKey:    clientKey,
+		RootCA:       rootCACert,
+		ServerName:   serverName,
+		ProxyAddress: proxyAddress,
+	}
+
+	t.Run("New socks proxy should be properly configured when all settings are valid", func(t *testing.T) {
+		require.NoError(t, newSecureSocksProxy(settings, &http.Transport{}))
+	})
+
+	t.Run("Client cert must be valid", func(t *testing.T) {
+		settings.ClientCert = tempEmptyFile
+		t.Cleanup(func() {
+			settings.ClientCert = clientCert
+		})
+		require.Error(t, newSecureSocksProxy(settings, &http.Transport{}))
+	})
+
+	t.Run("Client key must be valid", func(t *testing.T) {
+		settings.ClientKey = tempEmptyFile
+		t.Cleanup(func() {
+			settings.ClientKey = clientKey
+		})
+		require.Error(t, newSecureSocksProxy(settings, &http.Transport{}))
+	})
+
+	t.Run("Root CA must be valid", func(t *testing.T) {
+		settings.RootCA = tempEmptyFile
+		t.Cleanup(func() {
+			settings.RootCA = rootCACert
+		})
+		require.Error(t, newSecureSocksProxy(settings, &http.Transport{}))
+	})
+}
+
+func TestSecureSocksProxyEnabledOnDS(t *testing.T) {
+	t.Run("Secure socks proxy should only be enabled when the json data contains enableSecureSocksProxy=true", func(t *testing.T) {
+		tests := []struct {
+			instanceSettings *backend.AppInstanceSettings
+			enabled          bool
+		}{
+			{
+				instanceSettings: &backend.AppInstanceSettings{
+					JSONData: []byte("{}"),
+				},
+				enabled: false,
+			},
+			{
+				instanceSettings: &backend.AppInstanceSettings{
+					JSONData: []byte("{ \"enableSecureSocksProxy\": \"nonbool\" }"),
+				},
+				enabled: false,
+			},
+			{
+				instanceSettings: &backend.AppInstanceSettings{
+					JSONData: []byte("{ \"enableSecureSocksProxy\": false }"),
+				},
+				enabled: false,
+			},
+			{
+				instanceSettings: &backend.AppInstanceSettings{
+					JSONData: []byte("{ \"enableSecureSocksProxy\": true }"),
+				},
+				enabled: true,
+			},
+		}
+
+		for _, tt := range tests {
+			opts, err := tt.instanceSettings.HTTPClientOptions()
+			assert.NoError(t, err)
+
+			assert.Equal(t, tt.enabled, secureSocksProxyEnabledOnDS(opts))
+		}
+	})
+}