Plugins: Refactor forward of cookies, OAuth token and header modifications by introducing client middlewares (#58132)

Adding support for backend plugin client middlewares. This allows headers in outgoing 
backend plugin and HTTP requests to be modified using client middlewares.

The following client middlewares added:
Forward cookies: Will forward incoming HTTP request Cookies to outgoing plugins.Client 
and HTTP requests if the datasource has enabled forwarding of cookies (keepCookies).
Forward OAuth token: Will set OAuth token headers on outgoing plugins.Client and HTTP 
requests if the datasource has enabled Forward OAuth Identity (oauthPassThru).
Clear auth headers: Will clear any outgoing HTTP headers that was part of the incoming 
HTTP request and used when authenticating to Grafana.
The current suggested way to register client middlewares is to have a separate package, 
pluginsintegration, responsible for bootstrap/instantiate the backend plugin client with 
middlewares and/or longer term bootstrap/instantiate plugin management. 

Fixes #54135
Related to #47734
Related to #57870
Related to #41623
Related to #57065

pkg/infra/httpclient/httpclientprovider/delete_headers_middleware.go

@@ -0,0 +1,27 @@
+package httpclientprovider
+
+import (
+	"net/http"
+
+	"github.com/grafana/grafana-plugin-sdk-go/backend/httpclient"
+)
+
+const DeleteHeadersMiddlewareName = "delete-headers"
+
+// DeleteHeadersMiddleware middleware that delete headers on the outgoing
+// request if header names provided.
+func DeleteHeadersMiddleware(headerNames ...string) httpclient.Middleware {
+	return httpclient.NamedMiddlewareFunc(DeleteHeadersMiddlewareName, func(opts httpclient.Options, next http.RoundTripper) http.RoundTripper {
+		if len(headerNames) == 0 {
+			return next
+		}
+
+		return httpclient.RoundTripperFunc(func(req *http.Request) (*http.Response, error) {
+			for _, k := range headerNames {
+				req.Header.Del(k)
+			}
+
+			return next.RoundTrip(req)
+		})
+	})
+}

pkg/infra/httpclient/httpclientprovider/delete_headers_middleware_test.go

@@ -0,0 +1,66 @@
+package httpclientprovider
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/grafana/grafana-plugin-sdk-go/backend/httpclient"
+	"github.com/stretchr/testify/require"
+)
+
+func TestDeleteHeadersMiddleware(t *testing.T) {
+	t.Run("Without headerNames should return next http.RoundTripper", func(t *testing.T) {
+		ctx := &testContext{}
+		finalRoundTripper := ctx.createRoundTripper("finalrt")
+		var headerNames []string
+		mw := DeleteHeadersMiddleware(headerNames...)
+		rt := mw.CreateMiddleware(httpclient.Options{}, finalRoundTripper)
+		require.NotNil(t, rt)
+		middlewareName, ok := mw.(httpclient.MiddlewareName)
+		require.True(t, ok)
+		require.Equal(t, DeleteHeadersMiddlewareName, middlewareName.MiddlewareName())
+
+		req, err := http.NewRequest(http.MethodGet, "http://", nil)
+		require.NoError(t, err)
+		res, err := rt.RoundTrip(req)
+		require.NoError(t, err)
+		require.NotNil(t, res)
+		if res.Body != nil {
+			require.NoError(t, res.Body.Close())
+		}
+		require.Len(t, ctx.callChain, 1)
+		require.ElementsMatch(t, []string{"finalrt"}, ctx.callChain)
+	})
+
+	t.Run("With headers set should apply HTTP headers to the request", func(t *testing.T) {
+		ctx := &testContext{}
+		finalRoundTripper := ctx.createRoundTripper("final")
+		headerNames := []string{"X-Header-B", "X-Header-C"}
+		mw := DeleteHeadersMiddleware(headerNames...)
+		rt := mw.CreateMiddleware(httpclient.Options{}, finalRoundTripper)
+		require.NotNil(t, rt)
+		middlewareName, ok := mw.(httpclient.MiddlewareName)
+		require.True(t, ok)
+		require.Equal(t, DeleteHeadersMiddlewareName, middlewareName.MiddlewareName())
+
+		req, err := http.NewRequest(http.MethodGet, "http://", nil)
+		require.NoError(t, err)
+		req.Header.Set("X-Header-A", "a")
+		req.Header.Set("X-Header-B", "b")
+		req.Header.Set("X-Header-C", "c")
+		req.Header.Set("X-Header-D", "d")
+		res, err := rt.RoundTrip(req)
+		require.NoError(t, err)
+		require.NotNil(t, res)
+		if res.Body != nil {
+			require.NoError(t, res.Body.Close())
+		}
+		require.Len(t, ctx.callChain, 1)
+		require.ElementsMatch(t, []string{"final"}, ctx.callChain)
+
+		require.Equal(t, "a", req.Header.Get("X-Header-A"))
+		require.Empty(t, req.Header.Get("X-Header-B"))
+		require.Empty(t, req.Header.Get("X-Header-C"))
+		require.Equal(t, "d", req.Header.Get("X-Header-D"))
+	})
+}

pkg/infra/httpclient/httpclientprovider/forwarded_cookie_middleware_test.go

@@ -70,3 +70,16 @@ func TestForwardedCookiesMiddleware(t *testing.T) {
 		})
 	}
 }
+
+type testContext struct {
+	callChain []string
+	req       *http.Request
+}
+
+func (c *testContext) createRoundTripper() http.RoundTripper {
+	return httpclient.RoundTripperFunc(func(req *http.Request) (*http.Response, error) {
+		c.callChain = append(c.callChain, "final")
+		c.req = req
+		return &http.Response{StatusCode: http.StatusOK}, nil
+	})
+}

pkg/infra/httpclient/httpclientprovider/forwarded_oauth_identity_middleware.go

@@ -1,31 +0,0 @@
-package httpclientprovider
-
-import (
-	"fmt"
-	"net/http"
-
-	"github.com/grafana/grafana-plugin-sdk-go/backend/httpclient"
-	"golang.org/x/oauth2"
-)
-
-const ForwardedOAuthIdentityMiddlewareName = "forwarded-oauth-identity"
-
-// ForwardedOAuthIdentityMiddleware middleware that sets Authorization/X-ID-Token
-// headers on the outgoing request if an OAuth Token is provided
-func ForwardedOAuthIdentityMiddleware(token *oauth2.Token) httpclient.Middleware {
-	return httpclient.NamedMiddlewareFunc(ForwardedOAuthIdentityMiddlewareName, func(opts httpclient.Options, next http.RoundTripper) http.RoundTripper {
-		if token == nil {
-			return next
-		}
-		return httpclient.RoundTripperFunc(func(req *http.Request) (*http.Response, error) {
-			req.Header.Set("Authorization", fmt.Sprintf("%s %s", token.Type(), token.AccessToken))
-
-			idToken, ok := token.Extra("id_token").(string)
-			if ok && idToken != "" {
-				req.Header.Set("X-ID-Token", idToken)
-			}
-
-			return next.RoundTrip(req)
-		})
-	})
-}

pkg/infra/httpclient/httpclientprovider/forwarded_oauth_identity_middleware_test.go

@@ -1,82 +0,0 @@
-package httpclientprovider_test
-
-import (
-	"net/http"
-	"testing"
-
-	"github.com/grafana/grafana-plugin-sdk-go/backend/httpclient"
-	"github.com/grafana/grafana/pkg/infra/httpclient/httpclientprovider"
-	"github.com/stretchr/testify/require"
-	"golang.org/x/oauth2"
-)
-
-func TestForwardedOAuthIdentityMiddleware(t *testing.T) {
-	at := &oauth2.Token{
-		AccessToken: "access-token",
-	}
-	tcs := []struct {
-		desc                        string
-		token                       *oauth2.Token
-		expectedAuthorizationHeader string
-		expectedIDTokenHeader       string
-	}{
-		{
-			desc:                        "With nil token should not populate Cookie headers",
-			token:                       nil,
-			expectedAuthorizationHeader: "",
-			expectedIDTokenHeader:       "",
-		},
-		{
-			desc:                        "With access token set should populate Authorization header",
-			token:                       at,
-			expectedAuthorizationHeader: "Bearer access-token",
-			expectedIDTokenHeader:       "",
-		},
-		{
-			desc:                        "With Authorization and X-ID-Token header set should populate Authorization and X-Id-Token header",
-			token:                       at.WithExtra(map[string]interface{}{"id_token": "id-token"}),
-			expectedAuthorizationHeader: "Bearer access-token",
-			expectedIDTokenHeader:       "id-token",
-		},
-	}
-
-	for _, tc := range tcs {
-		t.Run(tc.desc, func(t *testing.T) {
-			ctx := &testContext{}
-			finalRoundTripper := ctx.createRoundTripper()
-			mw := httpclientprovider.ForwardedOAuthIdentityMiddleware(tc.token)
-			opts := httpclient.Options{}
-			rt := mw.CreateMiddleware(opts, finalRoundTripper)
-			require.NotNil(t, rt)
-			middlewareName, ok := mw.(httpclient.MiddlewareName)
-			require.True(t, ok)
-			require.Equal(t, "forwarded-oauth-identity", middlewareName.MiddlewareName())
-
-			req, err := http.NewRequest(http.MethodGet, "http://", nil)
-			require.NoError(t, err)
-			res, err := rt.RoundTrip(req)
-			require.NoError(t, err)
-			require.NotNil(t, res)
-			if res.Body != nil {
-				require.NoError(t, res.Body.Close())
-			}
-			require.Len(t, ctx.callChain, 1)
-			require.ElementsMatch(t, []string{"final"}, ctx.callChain)
-			require.Equal(t, tc.expectedAuthorizationHeader, ctx.req.Header.Get("Authorization"))
-			require.Equal(t, tc.expectedIDTokenHeader, ctx.req.Header.Get("X-ID-Token"))
-		})
-	}
-}
-
-type testContext struct {
-	callChain []string
-	req       *http.Request
-}
-
-func (c *testContext) createRoundTripper() http.RoundTripper {
-	return httpclient.RoundTripperFunc(func(req *http.Request) (*http.Response, error) {
-		c.callChain = append(c.callChain, "final")
-		c.req = req
-		return &http.Response{StatusCode: http.StatusOK}, nil
-	})
-}

pkg/infra/httpclient/httpclientprovider/http_client_provider.go

@@ -25,10 +25,10 @@ func New(cfg *setting.Cfg, validator models.PluginRequestValidator, tracer traci
 	middlewares := []sdkhttpclient.Middleware{
 		TracingMiddleware(logger, tracer),
 		DataSourceMetricsMiddleware(),
+		sdkhttpclient.ContextualMiddleware(),
 		SetUserAgentMiddleware(userAgent),
 		sdkhttpclient.BasicAuthenticationMiddleware(),
 		sdkhttpclient.CustomHeadersMiddleware(),
-		sdkhttpclient.ContextualMiddleware(),
 		ResponseLimitMiddleware(cfg.ResponseLimit),
 		RedirectLimitMiddleware(validator),
 	}

pkg/infra/httpclient/httpclientprovider/http_client_provider_test.go

@@ -29,10 +29,10 @@ func TestHTTPClientProvider(t *testing.T) {
 		require.Len(t, o.Middlewares, 8)
 		require.Equal(t, TracingMiddlewareName, o.Middlewares[0].(sdkhttpclient.MiddlewareName).MiddlewareName())
 		require.Equal(t, DataSourceMetricsMiddlewareName, o.Middlewares[1].(sdkhttpclient.MiddlewareName).MiddlewareName())
-		require.Equal(t, SetUserAgentMiddlewareName, o.Middlewares[2].(sdkhttpclient.MiddlewareName).MiddlewareName())
-		require.Equal(t, sdkhttpclient.BasicAuthenticationMiddlewareName, o.Middlewares[3].(sdkhttpclient.MiddlewareName).MiddlewareName())
-		require.Equal(t, sdkhttpclient.CustomHeadersMiddlewareName, o.Middlewares[4].(sdkhttpclient.MiddlewareName).MiddlewareName())
-		require.Equal(t, sdkhttpclient.ContextualMiddlewareName, o.Middlewares[5].(sdkhttpclient.MiddlewareName).MiddlewareName())
+		require.Equal(t, sdkhttpclient.ContextualMiddlewareName, o.Middlewares[2].(sdkhttpclient.MiddlewareName).MiddlewareName())
+		require.Equal(t, SetUserAgentMiddlewareName, o.Middlewares[3].(sdkhttpclient.MiddlewareName).MiddlewareName())
+		require.Equal(t, sdkhttpclient.BasicAuthenticationMiddlewareName, o.Middlewares[4].(sdkhttpclient.MiddlewareName).MiddlewareName())
+		require.Equal(t, sdkhttpclient.CustomHeadersMiddlewareName, o.Middlewares[5].(sdkhttpclient.MiddlewareName).MiddlewareName())
 		require.Equal(t, ResponseLimitMiddlewareName, o.Middlewares[6].(sdkhttpclient.MiddlewareName).MiddlewareName())
 	})
 
@@ -53,10 +53,10 @@ func TestHTTPClientProvider(t *testing.T) {
 		require.Len(t, o.Middlewares, 9)
 		require.Equal(t, TracingMiddlewareName, o.Middlewares[0].(sdkhttpclient.MiddlewareName).MiddlewareName())
 		require.Equal(t, DataSourceMetricsMiddlewareName, o.Middlewares[1].(sdkhttpclient.MiddlewareName).MiddlewareName())
-		require.Equal(t, SetUserAgentMiddlewareName, o.Middlewares[2].(sdkhttpclient.MiddlewareName).MiddlewareName())
-		require.Equal(t, sdkhttpclient.BasicAuthenticationMiddlewareName, o.Middlewares[3].(sdkhttpclient.MiddlewareName).MiddlewareName())
-		require.Equal(t, sdkhttpclient.CustomHeadersMiddlewareName, o.Middlewares[4].(sdkhttpclient.MiddlewareName).MiddlewareName())
-		require.Equal(t, sdkhttpclient.ContextualMiddlewareName, o.Middlewares[5].(sdkhttpclient.MiddlewareName).MiddlewareName())
+		require.Equal(t, sdkhttpclient.ContextualMiddlewareName, o.Middlewares[2].(sdkhttpclient.MiddlewareName).MiddlewareName())
+		require.Equal(t, SetUserAgentMiddlewareName, o.Middlewares[3].(sdkhttpclient.MiddlewareName).MiddlewareName())
+		require.Equal(t, sdkhttpclient.BasicAuthenticationMiddlewareName, o.Middlewares[4].(sdkhttpclient.MiddlewareName).MiddlewareName())
+		require.Equal(t, sdkhttpclient.CustomHeadersMiddlewareName, o.Middlewares[5].(sdkhttpclient.MiddlewareName).MiddlewareName())
 		require.Equal(t, ResponseLimitMiddlewareName, o.Middlewares[6].(sdkhttpclient.MiddlewareName).MiddlewareName())
 		require.Equal(t, SigV4MiddlewareName, o.Middlewares[8].(sdkhttpclient.MiddlewareName).MiddlewareName())
 	})
@@ -78,10 +78,10 @@ func TestHTTPClientProvider(t *testing.T) {
 		require.Len(t, o.Middlewares, 9)
 		require.Equal(t, TracingMiddlewareName, o.Middlewares[0].(sdkhttpclient.MiddlewareName).MiddlewareName())
 		require.Equal(t, DataSourceMetricsMiddlewareName, o.Middlewares[1].(sdkhttpclient.MiddlewareName).MiddlewareName())
-		require.Equal(t, SetUserAgentMiddlewareName, o.Middlewares[2].(sdkhttpclient.MiddlewareName).MiddlewareName())
-		require.Equal(t, sdkhttpclient.BasicAuthenticationMiddlewareName, o.Middlewares[3].(sdkhttpclient.MiddlewareName).MiddlewareName())
-		require.Equal(t, sdkhttpclient.CustomHeadersMiddlewareName, o.Middlewares[4].(sdkhttpclient.MiddlewareName).MiddlewareName())
-		require.Equal(t, sdkhttpclient.ContextualMiddlewareName, o.Middlewares[5].(sdkhttpclient.MiddlewareName).MiddlewareName())
+		require.Equal(t, sdkhttpclient.ContextualMiddlewareName, o.Middlewares[2].(sdkhttpclient.MiddlewareName).MiddlewareName())
+		require.Equal(t, SetUserAgentMiddlewareName, o.Middlewares[3].(sdkhttpclient.MiddlewareName).MiddlewareName())
+		require.Equal(t, sdkhttpclient.BasicAuthenticationMiddlewareName, o.Middlewares[4].(sdkhttpclient.MiddlewareName).MiddlewareName())
+		require.Equal(t, sdkhttpclient.CustomHeadersMiddlewareName, o.Middlewares[5].(sdkhttpclient.MiddlewareName).MiddlewareName())
 		require.Equal(t, ResponseLimitMiddlewareName, o.Middlewares[6].(sdkhttpclient.MiddlewareName).MiddlewareName())
 		require.Equal(t, HostRedirectValidationMiddlewareName, o.Middlewares[7].(sdkhttpclient.MiddlewareName).MiddlewareName())
 		require.Equal(t, HTTPLoggerMiddlewareName, o.Middlewares[8].(sdkhttpclient.MiddlewareName).MiddlewareName())

pkg/infra/httpclient/httpclientprovider/set_headers_middleware.go

@@ -0,0 +1,31 @@
+package httpclientprovider
+
+import (
+	"net/http"
+	"net/textproto"
+
+	"github.com/grafana/grafana-plugin-sdk-go/backend/httpclient"
+)
+
+const SetHeadersMiddlewareName = "set-headers"
+
+// SetHeadersMiddleware middleware that sets headers on the outgoing
+// request if headers provided.
+// If the request already contains any of the headers provided, they
+// will be overwritten.
+func SetHeadersMiddleware(headers http.Header) httpclient.Middleware {
+	return httpclient.NamedMiddlewareFunc(SetHeadersMiddlewareName, func(opts httpclient.Options, next http.RoundTripper) http.RoundTripper {
+		if len(headers) == 0 {
+			return next
+		}
+
+		return httpclient.RoundTripperFunc(func(req *http.Request) (*http.Response, error) {
+			for k, v := range headers {
+				canonicalKey := textproto.CanonicalMIMEHeaderKey(k)
+				req.Header[canonicalKey] = v
+			}
+
+			return next.RoundTrip(req)
+		})
+	})
+}

pkg/infra/httpclient/httpclientprovider/set_headers_middleware_test.go

@@ -0,0 +1,66 @@
+package httpclientprovider
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/grafana/grafana-plugin-sdk-go/backend/httpclient"
+	"github.com/stretchr/testify/require"
+)
+
+func TestSetHeadersMiddleware(t *testing.T) {
+	t.Run("Without headers set should return next http.RoundTripper", func(t *testing.T) {
+		ctx := &testContext{}
+		finalRoundTripper := ctx.createRoundTripper("finalrt")
+		var headers http.Header
+		mw := SetHeadersMiddleware(headers)
+		rt := mw.CreateMiddleware(httpclient.Options{}, finalRoundTripper)
+		require.NotNil(t, rt)
+		middlewareName, ok := mw.(httpclient.MiddlewareName)
+		require.True(t, ok)
+		require.Equal(t, SetHeadersMiddlewareName, middlewareName.MiddlewareName())
+
+		req, err := http.NewRequest(http.MethodGet, "http://", nil)
+		require.NoError(t, err)
+		res, err := rt.RoundTrip(req)
+		require.NoError(t, err)
+		require.NotNil(t, res)
+		if res.Body != nil {
+			require.NoError(t, res.Body.Close())
+		}
+		require.Len(t, ctx.callChain, 1)
+		require.ElementsMatch(t, []string{"finalrt"}, ctx.callChain)
+	})
+
+	t.Run("With headers set should apply HTTP headers to the request", func(t *testing.T) {
+		ctx := &testContext{}
+		finalRoundTripper := ctx.createRoundTripper("final")
+		headers := http.Header{
+			"X-Header-A": []string{"value a"},
+			"X-Header-B": []string{"value b"},
+			"X-HEader-C": []string{"value c"},
+		}
+		mw := SetHeadersMiddleware(headers)
+		rt := mw.CreateMiddleware(httpclient.Options{}, finalRoundTripper)
+		require.NotNil(t, rt)
+		middlewareName, ok := mw.(httpclient.MiddlewareName)
+		require.True(t, ok)
+		require.Equal(t, SetHeadersMiddlewareName, middlewareName.MiddlewareName())
+
+		req, err := http.NewRequest(http.MethodGet, "http://", nil)
+		require.NoError(t, err)
+		req.Header.Set("X-Header-B", "d")
+		res, err := rt.RoundTrip(req)
+		require.NoError(t, err)
+		require.NotNil(t, res)
+		if res.Body != nil {
+			require.NoError(t, res.Body.Close())
+		}
+		require.Len(t, ctx.callChain, 1)
+		require.ElementsMatch(t, []string{"final"}, ctx.callChain)
+
+		require.Equal(t, "value a", req.Header.Get("X-Header-A"))
+		require.Equal(t, "value b", req.Header.Get("X-Header-B"))
+		require.Equal(t, "value c", req.Header.Get("X-Header-C"))
+	})
+}

pkg/infra/httpclient/httpclientprovider/user_agent_middleware_test.go

@@ -8,7 +8,7 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-func TestCustomHeadersMiddleware(t *testing.T) {
+func TestSetUserAgentMiddleware(t *testing.T) {
 	t.Run("Without user agent set should return next http.RoundTripper", func(t *testing.T) {
 		ctx := &testContext{}
 		finalRoundTripper := ctx.createRoundTripper("finalrt")