Team LBAC: Move middleware to enterprise (#76969)

* Team LBAC: Move middleware to enterprise * Remove ds proxy part * Move utils to enterprise
2025-02-25 18:55:37 -06:00 · 2023-10-24 13:06:18 +02:00 · 2023-10-24 13:06:18 +02:00 · cad3c43bb1
commit cad3c43bb1
parent 575981201c
5 changed files with 2 additions and 303 deletions
--- a/pkg/api/pluginproxy/ds_proxy.go
+++ b/pkg/api/pluginproxy/ds_proxy.go
@ -272,15 +272,6 @@ func (proxy *DataSourceProxy) director(req *http.Request) {
 	if proxy.features.IsEnabled(featuremgmt.FlagIdForwarding) {
 		proxyutil.ApplyForwardIDHeader(req, proxy.ctx.SignedInUser)
 	}
-
-	if proxy.features.IsEnabled(featuremgmt.FlagTeamHttpHeaders) {
-		err := proxyutil.ApplyTeamHTTPHeaders(req, proxy.ds, proxy.ctx.Teams)
-		if err != nil {
-			// NOTE: could downgrade the errors to warnings
-			ctxLogger.Error("Error applying teamHTTPHeaders", "error", err)
-			return
-		}
-	}
 }

 func (proxy *DataSourceProxy) validateRequest() error {
--- a/pkg/services/pluginsintegration/clientmiddleware/team_headers_middleware.go
+++ b/pkg/services/pluginsintegration/clientmiddleware/team_headers_middleware.go
@ -1,131 +0,0 @@
-package clientmiddleware
-
-import (
-	"context"
-
-	"github.com/grafana/grafana-plugin-sdk-go/backend"
-	"github.com/grafana/grafana/pkg/components/simplejson"
-	"github.com/grafana/grafana/pkg/infra/appcontext"
-	"github.com/grafana/grafana/pkg/plugins"
-	"github.com/grafana/grafana/pkg/services/contexthandler"
-	"github.com/grafana/grafana/pkg/services/datasources"
-	"github.com/grafana/grafana/pkg/util/proxyutil"
-)
-
-// NewTeamHTTPHeaderMiddleware creates a new plugins.ClientMiddleware that will
-// set headers based on teams user is member of.
-func NewTeamHTTPHeadersMiddleware() plugins.ClientMiddleware {
-	return plugins.ClientMiddlewareFunc(func(next plugins.Client) plugins.Client {
-		return &TeamHTTPHeadersMiddleware{
-			next: next,
-		}
-	})
-}
-
-type TeamHTTPHeadersMiddleware struct {
-	next plugins.Client
-}
-
-func (m *TeamHTTPHeadersMiddleware) QueryData(ctx context.Context, req *backend.QueryDataRequest) (*backend.QueryDataResponse, error) {
-	if req == nil {
-		return m.next.QueryData(ctx, req)
-	}
-
-	err := m.setHeaders(ctx, req.PluginContext, req)
-	if err != nil {
-		return nil, err
-	}
-
-	return m.next.QueryData(ctx, req)
-}
-
-func (m *TeamHTTPHeadersMiddleware) CallResource(ctx context.Context, req *backend.CallResourceRequest, sender backend.CallResourceResponseSender) error {
-	if req == nil {
-		return m.next.CallResource(ctx, req, sender)
-	}
-
-	err := m.setHeaders(ctx, req.PluginContext, req)
-	if err != nil {
-		return err
-	}
-
-	return m.next.CallResource(ctx, req, sender)
-}
-
-func (m *TeamHTTPHeadersMiddleware) CheckHealth(ctx context.Context, req *backend.CheckHealthRequest) (*backend.CheckHealthResult, error) {
-	if req == nil {
-		return m.next.CheckHealth(ctx, req)
-	}
-
-	// NOTE: might not be needed to set headers. we want to for now set these headers
-	err := m.setHeaders(ctx, req.PluginContext, req)
-	if err != nil {
-		return nil, err
-	}
-
-	return m.next.CheckHealth(ctx, req)
-}
-
-func (m *TeamHTTPHeadersMiddleware) CollectMetrics(ctx context.Context, req *backend.CollectMetricsRequest) (*backend.CollectMetricsResult, error) {
-	return m.next.CollectMetrics(ctx, req)
-}
-
-func (m *TeamHTTPHeadersMiddleware) SubscribeStream(ctx context.Context, req *backend.SubscribeStreamRequest) (*backend.SubscribeStreamResponse, error) {
-	return m.next.SubscribeStream(ctx, req)
-}
-
-func (m *TeamHTTPHeadersMiddleware) PublishStream(ctx context.Context, req *backend.PublishStreamRequest) (*backend.PublishStreamResponse, error) {
-	return m.next.PublishStream(ctx, req)
-}
-
-func (m *TeamHTTPHeadersMiddleware) RunStream(ctx context.Context, req *backend.RunStreamRequest, sender *backend.StreamSender) error {
-	return m.next.RunStream(ctx, req, sender)
-}
-
-func (m *TeamHTTPHeadersMiddleware) setHeaders(ctx context.Context, pCtx backend.PluginContext, req interface{}) error {
-	reqCtx := contexthandler.FromContext(ctx)
-	// if request not for a datasource or no HTTP request context skip middleware
-	if req == nil || pCtx.DataSourceInstanceSettings == nil || reqCtx == nil || reqCtx.Req == nil {
-		return nil
-	}
-
-	settings := pCtx.DataSourceInstanceSettings
-	jsonDataBytes, err := simplejson.NewJson(settings.JSONData)
-	if err != nil {
-		return err
-	}
-
-	ds := &datasources.DataSource{
-		ID:       settings.ID,
-		OrgID:    pCtx.OrgID,
-		JsonData: jsonDataBytes,
-		Updated:  settings.Updated,
-	}
-
-	signedInUser, err := appcontext.User(ctx)
-	if err != nil {
-		return nil // no user
-	}
-
-	teamHTTPHeaders, err := proxyutil.GetTeamHTTPHeaders(ds, signedInUser.GetTeams())
-	if err != nil {
-		return err
-	}
-
-	switch t := req.(type) {
-	case *backend.QueryDataRequest:
-		for key, value := range teamHTTPHeaders {
-			t.SetHTTPHeader(key, value)
-		}
-	case *backend.CheckHealthRequest:
-		for key, value := range teamHTTPHeaders {
-			t.SetHTTPHeader(key, value)
-		}
-	case *backend.CallResourceRequest:
-		for key, value := range teamHTTPHeaders {
-			t.SetHTTPHeader(key, value)
-		}
-	}
-
-	return nil
-}
--- a/pkg/services/pluginsintegration/pluginsintegration.go
+++ b/pkg/services/pluginsintegration/pluginsintegration.go
@ -60,8 +60,6 @@ var WireSet = wire.NewSet(
 	wire.Bind(new(plugins.RendererManager), new(*pluginstore.Service)),
 	wire.Bind(new(plugins.SecretsPluginManager), new(*pluginstore.Service)),
 	wire.Bind(new(plugins.StaticRouteResolver), new(*pluginstore.Service)),
-	ProvideClientDecorator,
-	wire.Bind(new(plugins.Client), new(*client.Decorator)),
 	process.ProvideService,
 	wire.Bind(new(process.Manager), new(*process.Service)),
 	coreplugin.ProvideCoreRegistry,
@ -127,6 +125,8 @@ var WireExtensionSet = wire.NewSet(
 	wire.Bind(new(plugins.PluginLoaderAuthorizer), new(*signature.UnsignedPluginAuthorizer)),
 	wire.Bind(new(finder.Finder), new(*finder.Local)),
 	finder.ProvideLocalFinder,
+	ProvideClientDecorator,
+	wire.Bind(new(plugins.Client), new(*client.Decorator)),
 )

 func ProvideClientDecorator(
@ -179,10 +179,6 @@ func CreateMiddlewares(cfg *setting.Cfg, oAuthTokenService oauthtoken.OAuthToken
 		middlewares = append(middlewares, clientmiddleware.NewUserHeaderMiddleware())
 	}

-	if features.IsEnabled(featuremgmt.FlagTeamHttpHeaders) {
-		middlewares = append(middlewares, clientmiddleware.NewTeamHTTPHeadersMiddleware())
-	}
-
 	middlewares = append(middlewares, clientmiddleware.NewHTTPClientMiddleware())

 	return middlewares
--- a/pkg/util/proxyutil/proxyutil.go
+++ b/pkg/util/proxyutil/proxyutil.go
@ -4,13 +4,10 @@ import (
 	"fmt"
 	"net"
 	"net/http"
-	"net/url"
 	"sort"
-	"strconv"
 	"strings"

 	"github.com/grafana/grafana/pkg/services/auth/identity"
-	"github.com/grafana/grafana/pkg/services/datasources"
 )

 const (
@ -133,63 +130,3 @@ func ApplyForwardIDHeader(req *http.Request, user identity.Requester) {
 		req.Header.Set(IDHeaderName, token)
 	}
 }
-
-func ApplyTeamHTTPHeaders(req *http.Request, ds *datasources.DataSource, teams []int64) error {
-	headers, err := GetTeamHTTPHeaders(ds, teams)
-	if err != nil {
-		return err
-	}
-
-	for header, value := range headers {
-		// check if headerv is already set in req.Header
-		if req.Header.Get(header) != "" {
-			req.Header.Add(header, value)
-		} else {
-			req.Header.Set(header, value)
-		}
-	}
-
-	return nil
-}
-
-func GetTeamHTTPHeaders(ds *datasources.DataSource, teams []int64) (map[string]string, error) {
-	teamHTTPHeadersMap := make(map[string]string)
-	teamHTTPHeaders, err := ds.TeamHTTPHeaders()
-	if err != nil {
-		return nil, err
-	}
-
-	for teamID, headers := range teamHTTPHeaders {
-		id, err := strconv.ParseInt(teamID, 10, 64)
-		if err != nil {
-			// FIXME: logging here
-			continue
-		}
-
-		if !contains(teams, id) {
-			continue
-		}
-
-		for _, header := range headers {
-			// Header values should be properly escaped.
-			if value, ok := teamHTTPHeadersMap[header.Header]; ok {
-				// Add multiple header values as a comma-separated strings according to RFC 7230
-				// https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6
-				teamHTTPHeadersMap[header.Header] = fmt.Sprintf("%s,%s", value, url.PathEscape(header.Value))
-			} else {
-				teamHTTPHeadersMap[header.Header] = url.PathEscape(header.Value)
-			}
-		}
-	}
-
-	return teamHTTPHeadersMap, nil
-}
-
-func contains(slice []int64, value int64) bool {
-	for _, v := range slice {
-		if v == value {
-			return true
-		}
-	}
-	return false
-}
--- a/pkg/util/proxyutil/proxyutil_test.go
+++ b/pkg/util/proxyutil/proxyutil_test.go
@ -6,8 +6,6 @@ import (

 	"github.com/stretchr/testify/require"

-	"github.com/grafana/grafana/pkg/components/simplejson"
-	"github.com/grafana/grafana/pkg/services/datasources"
 	"github.com/grafana/grafana/pkg/services/user"
 )

@ -205,95 +203,3 @@ func TestApplyUserHeader(t *testing.T) {
 		require.Equal(t, "admin", req.Header.Get("X-Grafana-User"))
 	})
 }
-
-func TestApplyteamHTTPHeaders(t *testing.T) {
-	testCases := []struct {
-		desc      string
-		jsonData  any
-		userTeams []int64
-		want      map[string]string
-	}{
-		{
-			desc: "Should apply team headers for users teams",
-			jsonData: map[string]interface{}{
-				"1": []map[string]interface{}{
-					{
-						"header": "X-Team-Header",
-						"value":  "1",
-					},
-				},
-				"2": []map[string]interface{}{
-					{
-						"header": "X-Prom-Label-Policy",
-						"value":  "2",
-					},
-				},
-				// user is not part of this team
-				"3": []map[string]interface{}{
-					{
-						"header": "X-Custom-Label-Policy",
-						"value":  "3",
-					},
-				},
-			},
-			userTeams: []int64{1, 2},
-			want: map[string]string{
-				"X-Team-Header":       "1",
-				"X-Prom-Label-Policy": "2",
-			},
-		},
-		{
-			desc: "Should be able to parse header values with commas",
-			jsonData: map[string]interface{}{
-				"101": []map[string]interface{}{
-					{
-						"header": "X-Prom-Label-Policy",
-						"value":  `1234:{ foo="bar", bar="baz" }`,
-					},
-				},
-			},
-			userTeams: []int64{101},
-			want: map[string]string{
-				"X-Prom-Label-Policy": "1234:%7B%20foo=%22bar%22%2C%20bar=%22baz%22%20%7D",
-			},
-		}, {
-			desc: "Should be able to handle multiple header values",
-			jsonData: map[string]interface{}{
-				"101": []map[string]interface{}{
-					{
-						"header": "X-Prom-Label-Policy",
-						"value":  `1234:{ foo="bar" }`,
-					},
-					{
-						"header": "X-Prom-Label-Policy",
-						"value":  `1234:{ bar="baz" }`,
-					},
-				},
-			},
-			userTeams: []int64{101},
-			want: map[string]string{
-				"X-Prom-Label-Policy": "1234:%7B%20foo=%22bar%22%20%7D,1234:%7B%20bar=%22baz%22%20%7D",
-			},
-		},
-	}
-
-	for _, testCase := range testCases {
-		t.Run("Should apply team headers for users teams", func(t *testing.T) {
-			req, err := http.NewRequest(http.MethodGet, "/", nil)
-			require.NoError(t, err)
-			ds := &datasources.DataSource{
-				JsonData: simplejson.New(),
-			}
-
-			// add team headers
-			ds.JsonData.Set("teamHttpHeaders", testCase.jsonData)
-
-			err = ApplyTeamHTTPHeaders(req, ds, testCase.userTeams)
-			require.NoError(t, err)
-			for header, value := range testCase.want {
-				require.Contains(t, req.Header, header)
-				require.Equal(t, value, req.Header.Get(header))
-			}
-		})
-	}
-}