Team LBAC: Add teamHeaders for datasource proxy requests (#76339)

* Add teamHeaders for datasource proxy requests * adds validation for the teamHeaders * added tests for applying teamHeaders * remove previous implementation * validation for header values being set to authproxy * removed unnecessary checks * newline * Add middleware for injecting headers on the data source backend * renamed feature toggle * Get user teams from context * Fix feature toggle name * added test for validation of the auth headers and fixed evaluation to cover headers * renaming of teamHeaders to teamHTTPHeaders * use of header set for non-existing header and add for existing headers * moves types into datasources * fixed unchecked errors * Refactor * Add tests for data model * Update pkg/api/datasources.go Co-authored-by: Victor Cinaglia <victor@grafana.com> * Update pkg/api/datasources.go Co-authored-by: Victor Cinaglia <victor@grafana.com> --------- Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com> Co-authored-by: Victor Cinaglia <victor@grafana.com>
2025-02-25 18:55:37 -06:00 · 2023-10-17 11:23:54 +01:00
parent 7d9b2c73c7
commit be5ba68132
14 changed files with 425 additions and 4 deletions
--- a/pkg/util/proxyutil/proxyutil_test.go
+++ b/pkg/util/proxyutil/proxyutil_test.go
@@ -6,6 +6,8 @@ import (

 	"github.com/stretchr/testify/require"

+	"github.com/grafana/grafana/pkg/components/simplejson"
+	"github.com/grafana/grafana/pkg/services/datasources"
 	"github.com/grafana/grafana/pkg/services/user"
 )

@@ -203,3 +205,67 @@ func TestApplyUserHeader(t *testing.T) {
 		require.Equal(t, "admin", req.Header.Get("X-Grafana-User"))
 	})
 }
+
+func TestApplyteamHTTPHeaders(t *testing.T) {
+	t.Run("Should not apply team headers for users that are not part of the teams", func(t *testing.T) {
+		req, err := http.NewRequest(http.MethodGet, "/", nil)
+		require.NoError(t, err)
+		ds := &datasources.DataSource{
+			JsonData: simplejson.New(),
+		}
+		// add team headers
+		ds.JsonData.Set("teamHTTPHeaders", map[string]interface{}{
+			"1": []map[string]interface{}{
+				{
+					"header": "X-Team-Header",
+					"value":  "1",
+				},
+			},
+			"2": []map[string]interface{}{
+				{
+					"header": "X-Prom-Label-Policy",
+					"value":  "2",
+				},
+			},
+			// user is not part of this team
+			"3": []map[string]interface{}{
+				{
+					"header": "X-Custom-Label-Policy",
+					"value":  "3",
+				},
+			},
+		})
+
+		err = ApplyTeamHTTPHeaders(req, ds, []int64{1, 2})
+		require.NoError(t, err)
+		require.Contains(t, req.Header, "X-Team-Header")
+		require.Contains(t, req.Header, "X-Prom-Label-Policy")
+		require.NotContains(t, req.Header, "X-Custom-Label-Policy")
+	})
+	t.Run("Should apply team headers", func(t *testing.T) {
+		req, err := http.NewRequest(http.MethodGet, "/", nil)
+		require.NoError(t, err)
+		ds := &datasources.DataSource{
+			JsonData: simplejson.New(),
+		}
+		ds.JsonData.Set("teamHTTPHeaders", map[string]interface{}{
+			"1": []map[string]interface{}{
+				{
+					"header": "X-Team-Header",
+					"value":  "1",
+				},
+			},
+			"2": []map[string]interface{}{
+				{
+					"header": "X-Prom-Label-Policy",
+					"value":  "2",
+				},
+			},
+		})
+
+		err = ApplyTeamHTTPHeaders(req, ds, []int64{1, 2})
+		require.NoError(t, err)
+		require.Contains(t, req.Header, "X-Team-Header")
+		require.Contains(t, req.Header, "X-Prom-Label-Policy")
+	})
+}