Infra: Azure authentication in HttpClientProvider (#36932)

* Azure middleware in HttpClientProxy * Azure authentication under feature flag * Minor fixes * Add prefixes to not clash with JsonData * Return error if JsonData cannot be parsed * Return original string if URL invalid * Tests for datasource_cache
2025-02-25 18:55:37 -06:00 · 2021-07-22 13:43:10 -07:00
parent 4664cba935
commit c1963024ec
6 changed files with 344 additions and 14 deletions
--- a/pkg/models/datasource_cache.go
+++ b/pkg/models/datasource_cache.go
@@ -11,6 +11,7 @@ import (
 	sdkhttpclient "github.com/grafana/grafana-plugin-sdk-go/backend/httpclient"
 	"github.com/grafana/grafana/pkg/components/simplejson"
 	"github.com/grafana/grafana/pkg/infra/httpclient"
+	"github.com/grafana/grafana/pkg/tsdb/azuremonitor/azcredentials"
 )

 func (ds *DataSource) getTimeout() time.Duration {
@@ -66,10 +67,14 @@ func (ds *DataSource) GetHTTPTransport(provider httpclient.Provider, customMiddl
 		return t.roundTripper, nil
 	}

-	opts := ds.HTTPClientOptions()
+	opts, err := ds.HTTPClientOptions()
+	if err != nil {
+		return nil, err
+	}
+
 	opts.Middlewares = customMiddlewares

-	rt, err := provider.GetTransport(opts)
+	rt, err := provider.GetTransport(*opts)
 	if err != nil {
 		return nil, err
 	}
@@ -82,7 +87,7 @@ func (ds *DataSource) GetHTTPTransport(provider httpclient.Provider, customMiddl
 	return rt, nil
 }

-func (ds *DataSource) HTTPClientOptions() sdkhttpclient.Options {
+func (ds *DataSource) HTTPClientOptions() (*sdkhttpclient.Options, error) {
 	tlsOptions := ds.TLSOptions()
 	timeouts := &sdkhttpclient.TimeoutOptions{
 		Timeout:               ds.getTimeout(),
@@ -95,7 +100,7 @@ func (ds *DataSource) HTTPClientOptions() sdkhttpclient.Options {
 		MaxIdleConnsPerHost:   sdkhttpclient.DefaultTimeoutOptions.MaxIdleConnsPerHost,
 		IdleConnTimeout:       sdkhttpclient.DefaultTimeoutOptions.IdleConnTimeout,
 	}
-	opts := sdkhttpclient.Options{
+	opts := &sdkhttpclient.Options{
 		Timeouts: timeouts,
 		Headers:  getCustomHeaders(ds.JsonData, ds.DecryptedValues()),
 		Labels: map[string]string{
@@ -121,6 +126,19 @@ func (ds *DataSource) HTTPClientOptions() sdkhttpclient.Options {
 		}
 	}

+	if ds.JsonData != nil && ds.JsonData.Get("azureAuth").MustBool() {
+		credentials, err := azcredentials.FromDatasourceData(ds.JsonData.MustMap(), ds.DecryptedValues())
+		if err != nil {
+			err = fmt.Errorf("invalid Azure credentials: %s", err)
+			return nil, err
+		}
+
+		opts.CustomOptions["_azureAuth"] = true
+		if credentials != nil {
+			opts.CustomOptions["_azureCredentials"] = credentials
+		}
+	}
+
 	if ds.JsonData != nil && ds.JsonData.Get("sigV4Auth").MustBool(false) {
 		opts.SigV4 = &sdkhttpclient.SigV4Config{
 			Service:       awsServiceNamespace(ds.Type),
@@ -140,7 +158,7 @@ func (ds *DataSource) HTTPClientOptions() sdkhttpclient.Options {
 		}
 	}

-	return opts
+	return opts, nil
 }

 func (ds *DataSource) TLSOptions() sdkhttpclient.TLSOptions {
@@ -180,7 +198,11 @@ func (ds *DataSource) TLSOptions() sdkhttpclient.TLSOptions {
 }

 func (ds *DataSource) GetTLSConfig(httpClientProvider httpclient.Provider) (*tls.Config, error) {
-	return httpClientProvider.GetTLSConfig(ds.HTTPClientOptions())
+	opts, err := ds.HTTPClientOptions()
+	if err != nil {
+		return nil, err
+	}
+	return httpClientProvider.GetTLSConfig(*opts)
 }

 // getCustomHeaders returns a map with all the to be set headers
--- a/pkg/models/datasource_cache_test.go
+++ b/pkg/models/datasource_cache_test.go
@@ -13,6 +13,7 @@ import (
 	"github.com/grafana/grafana/pkg/components/simplejson"
 	"github.com/grafana/grafana/pkg/infra/httpclient"
 	"github.com/grafana/grafana/pkg/setting"
+	"github.com/grafana/grafana/pkg/tsdb/azuremonitor/azcredentials"
 	"github.com/grafana/grafana/pkg/util"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -394,6 +395,109 @@ func TestDataSource_DecryptedValue(t *testing.T) {
 	})
 }

+func TestDataSource_HTTPClientOptions(t *testing.T) {
+	emptyJsonData := simplejson.New()
+	emptySecureJsonData := map[string][]byte{}
+
+	ds := DataSource{
+		Id:   1,
+		Url:  "https://api.example.com",
+		Type: "prometheus",
+	}
+
+	t.Run("Azure authentication", func(t *testing.T) {
+		t.Run("should be disabled if not enabled in JsonData", func(t *testing.T) {
+			t.Cleanup(func() { ds.JsonData = emptyJsonData; ds.SecureJsonData = emptySecureJsonData })
+
+			opts, err := ds.HTTPClientOptions()
+			require.NoError(t, err)
+
+			assert.NotEqual(t, true, opts.CustomOptions["_azureAuth"])
+			assert.NotContains(t, opts.CustomOptions, "_azureCredentials")
+		})
+
+		t.Run("should be enabled if enabled in JsonData without credentials configured", func(t *testing.T) {
+			t.Cleanup(func() { ds.JsonData = emptyJsonData; ds.SecureJsonData = emptySecureJsonData })
+
+			ds.JsonData = simplejson.NewFromAny(map[string]interface{}{
+				"azureAuth": true,
+			})
+
+			opts, err := ds.HTTPClientOptions()
+			require.NoError(t, err)
+
+			assert.Equal(t, true, opts.CustomOptions["_azureAuth"])
+			assert.NotContains(t, opts.CustomOptions, "_azureCredentials")
+		})
+
+		t.Run("should be enabled if enabled in JsonData with credentials configured", func(t *testing.T) {
+			t.Cleanup(func() { ds.JsonData = emptyJsonData; ds.SecureJsonData = emptySecureJsonData })
+
+			ds.JsonData = simplejson.NewFromAny(map[string]interface{}{
+				"azureAuth": true,
+				"azureCredentials": map[string]interface{}{
+					"authType": "msi",
+				},
+			})
+
+			opts, err := ds.HTTPClientOptions()
+			require.NoError(t, err)
+
+			assert.Equal(t, true, opts.CustomOptions["_azureAuth"])
+
+			require.Contains(t, opts.CustomOptions, "_azureCredentials")
+			credentials := opts.CustomOptions["_azureCredentials"]
+
+			assert.IsType(t, &azcredentials.AzureManagedIdentityCredentials{}, credentials)
+		})
+
+		t.Run("should be disabled if disabled in JsonData even with credentials configured", func(t *testing.T) {
+			t.Cleanup(func() { ds.JsonData = emptyJsonData; ds.SecureJsonData = emptySecureJsonData })
+
+			ds.JsonData = simplejson.NewFromAny(map[string]interface{}{
+				"azureAuth": false,
+				"azureCredentials": map[string]interface{}{
+					"authType": "msi",
+				},
+			})
+
+			opts, err := ds.HTTPClientOptions()
+			require.NoError(t, err)
+
+			assert.NotEqual(t, true, opts.CustomOptions["_azureAuth"])
+			assert.NotContains(t, opts.CustomOptions, "_azureCredentials")
+		})
+
+		t.Run("should fail if credentials are invalid", func(t *testing.T) {
+			t.Cleanup(func() { ds.JsonData = emptyJsonData; ds.SecureJsonData = emptySecureJsonData })
+
+			ds.JsonData = simplejson.NewFromAny(map[string]interface{}{
+				"azureAuth":        true,
+				"azureCredentials": "invalid",
+			})
+
+			_, err := ds.HTTPClientOptions()
+			assert.Error(t, err)
+		})
+
+		t.Run("should pass resourceId from JsonData", func(t *testing.T) {
+			t.Cleanup(func() { ds.JsonData = emptyJsonData; ds.SecureJsonData = emptySecureJsonData })
+
+			ds.JsonData = simplejson.NewFromAny(map[string]interface{}{
+				"azureEndpointResourceId": "https://api.example.com/abd5c4ce-ca73-41e9-9cb2-bed39aa2adb5",
+			})
+
+			opts, err := ds.HTTPClientOptions()
+			require.NoError(t, err)
+
+			require.Contains(t, opts.CustomOptions, "azureEndpointResourceId")
+			azureEndpointResourceId := opts.CustomOptions["azureEndpointResourceId"]
+
+			assert.Equal(t, "https://api.example.com/abd5c4ce-ca73-41e9-9cb2-bed39aa2adb5", azureEndpointResourceId)
+		})
+	})
+}
+
 func clearDSProxyCache(t *testing.T) {
 	t.Helper()