mirror of
https://github.com/grafana/grafana.git
synced 2024-11-24 09:50:29 -06:00
11d8bcbea9
* Guardian: Use dashboard UID instead of ID * Apply suggestions from code review Introduce several guardian constructors and each time use the most appropriate one.
488 lines
14 KiB
Go
488 lines
14 KiB
Go
package api
|
||
|
||
import (
|
||
"bytes"
|
||
"encoding/json"
|
||
"errors"
|
||
"fmt"
|
||
"net/http"
|
||
"time"
|
||
|
||
"github.com/grafana/grafana/pkg/api/dtos"
|
||
"github.com/grafana/grafana/pkg/api/response"
|
||
"github.com/grafana/grafana/pkg/components/simplejson"
|
||
"github.com/grafana/grafana/pkg/infra/metrics"
|
||
"github.com/grafana/grafana/pkg/models"
|
||
"github.com/grafana/grafana/pkg/services/dashboards"
|
||
"github.com/grafana/grafana/pkg/services/dashboardsnapshots"
|
||
"github.com/grafana/grafana/pkg/services/guardian"
|
||
"github.com/grafana/grafana/pkg/setting"
|
||
"github.com/grafana/grafana/pkg/util"
|
||
"github.com/grafana/grafana/pkg/web"
|
||
)
|
||
|
||
var client = &http.Client{
|
||
Timeout: time.Second * 5,
|
||
Transport: &http.Transport{Proxy: http.ProxyFromEnvironment},
|
||
}
|
||
|
||
// swagger:route GET /snapshot/shared-options snapshots getSharingOptions
|
||
//
|
||
// Get snapshot sharing settings.
|
||
//
|
||
// Responses:
|
||
// 200: getSharingOptionsResponse
|
||
// 401: unauthorisedError
|
||
func GetSharingOptions(c *models.ReqContext) {
|
||
c.JSON(http.StatusOK, util.DynMap{
|
||
"externalSnapshotURL": setting.ExternalSnapshotUrl,
|
||
"externalSnapshotName": setting.ExternalSnapshotName,
|
||
"externalEnabled": setting.ExternalEnabled,
|
||
})
|
||
}
|
||
|
||
type CreateExternalSnapshotResponse struct {
|
||
Key string `json:"key"`
|
||
DeleteKey string `json:"deleteKey"`
|
||
Url string `json:"url"`
|
||
DeleteUrl string `json:"deleteUrl"`
|
||
}
|
||
|
||
func createExternalDashboardSnapshot(cmd dashboardsnapshots.CreateDashboardSnapshotCommand) (*CreateExternalSnapshotResponse, error) {
|
||
var createSnapshotResponse CreateExternalSnapshotResponse
|
||
message := map[string]interface{}{
|
||
"name": cmd.Name,
|
||
"expires": cmd.Expires,
|
||
"dashboard": cmd.Dashboard,
|
||
"key": cmd.Key,
|
||
"deleteKey": cmd.DeleteKey,
|
||
}
|
||
|
||
messageBytes, err := simplejson.NewFromAny(message).Encode()
|
||
if err != nil {
|
||
return nil, err
|
||
}
|
||
|
||
response, err := client.Post(setting.ExternalSnapshotUrl+"/api/snapshots", "application/json", bytes.NewBuffer(messageBytes))
|
||
if err != nil {
|
||
return nil, err
|
||
}
|
||
defer func() {
|
||
if err := response.Body.Close(); err != nil {
|
||
plog.Warn("Failed to close response body", "err", err)
|
||
}
|
||
}()
|
||
|
||
if response.StatusCode != 200 {
|
||
return nil, fmt.Errorf("create external snapshot response status code %d", response.StatusCode)
|
||
}
|
||
|
||
if err := json.NewDecoder(response.Body).Decode(&createSnapshotResponse); err != nil {
|
||
return nil, err
|
||
}
|
||
|
||
return &createSnapshotResponse, nil
|
||
}
|
||
|
||
func createOriginalDashboardURL(appURL string, cmd *dashboardsnapshots.CreateDashboardSnapshotCommand) (string, error) {
|
||
dashUID := cmd.Dashboard.Get("uid").MustString("")
|
||
if ok := util.IsValidShortUID(dashUID); !ok {
|
||
return "", fmt.Errorf("invalid dashboard UID")
|
||
}
|
||
|
||
return fmt.Sprintf("/d/%v", dashUID), nil
|
||
}
|
||
|
||
// swagger:route POST /snapshots snapshots createDashboardSnapshot
|
||
//
|
||
// When creating a snapshot using the API, you have to provide the full dashboard payload including the snapshot data. This endpoint is designed for the Grafana UI.
|
||
//
|
||
// Snapshot public mode should be enabled or authentication is required.
|
||
//
|
||
// Responses:
|
||
// 200: createDashboardSnapshotResponse
|
||
// 401: unauthorisedError
|
||
// 403: forbiddenError
|
||
// 500: internalServerError
|
||
func (hs *HTTPServer) CreateDashboardSnapshot(c *models.ReqContext) response.Response {
|
||
cmd := dashboardsnapshots.CreateDashboardSnapshotCommand{}
|
||
if err := web.Bind(c.Req, &cmd); err != nil {
|
||
return response.Error(http.StatusBadRequest, "bad request data", err)
|
||
}
|
||
if cmd.Name == "" {
|
||
cmd.Name = "Unnamed snapshot"
|
||
}
|
||
|
||
var snapshotUrl string
|
||
cmd.ExternalUrl = ""
|
||
cmd.OrgId = c.OrgID
|
||
cmd.UserId = c.UserID
|
||
originalDashboardURL, err := createOriginalDashboardURL(hs.Cfg.AppURL, &cmd)
|
||
if err != nil {
|
||
return response.Error(http.StatusInternalServerError, "Invalid app URL", err)
|
||
}
|
||
|
||
if cmd.External {
|
||
if !setting.ExternalEnabled {
|
||
c.JsonApiErr(http.StatusForbidden, "External dashboard creation is disabled", nil)
|
||
return nil
|
||
}
|
||
|
||
response, err := createExternalDashboardSnapshot(cmd)
|
||
if err != nil {
|
||
c.JsonApiErr(http.StatusInternalServerError, "Failed to create external snapshot", err)
|
||
return nil
|
||
}
|
||
|
||
snapshotUrl = response.Url
|
||
cmd.Key = response.Key
|
||
cmd.DeleteKey = response.DeleteKey
|
||
cmd.ExternalUrl = response.Url
|
||
cmd.ExternalDeleteUrl = response.DeleteUrl
|
||
cmd.Dashboard = simplejson.New()
|
||
|
||
metrics.MApiDashboardSnapshotExternal.Inc()
|
||
} else {
|
||
cmd.Dashboard.SetPath([]string{"snapshot", "originalUrl"}, originalDashboardURL)
|
||
|
||
if cmd.Key == "" {
|
||
var err error
|
||
cmd.Key, err = util.GetRandomString(32)
|
||
if err != nil {
|
||
c.JsonApiErr(http.StatusInternalServerError, "Could not generate random string", err)
|
||
return nil
|
||
}
|
||
}
|
||
|
||
if cmd.DeleteKey == "" {
|
||
var err error
|
||
cmd.DeleteKey, err = util.GetRandomString(32)
|
||
if err != nil {
|
||
c.JsonApiErr(http.StatusInternalServerError, "Could not generate random string", err)
|
||
return nil
|
||
}
|
||
}
|
||
|
||
snapshotUrl = setting.ToAbsUrl("dashboard/snapshot/" + cmd.Key)
|
||
|
||
metrics.MApiDashboardSnapshotCreate.Inc()
|
||
}
|
||
|
||
if err := hs.dashboardsnapshotsService.CreateDashboardSnapshot(c.Req.Context(), &cmd); err != nil {
|
||
c.JsonApiErr(http.StatusInternalServerError, "Failed to create snapshot", err)
|
||
return nil
|
||
}
|
||
|
||
c.JSON(http.StatusOK, util.DynMap{
|
||
"key": cmd.Key,
|
||
"deleteKey": cmd.DeleteKey,
|
||
"url": snapshotUrl,
|
||
"deleteUrl": setting.ToAbsUrl("api/snapshots-delete/" + cmd.DeleteKey),
|
||
"id": cmd.Result.Id,
|
||
})
|
||
return nil
|
||
}
|
||
|
||
// GET /api/snapshots/:key
|
||
// swagger:route GET /snapshots/{key} snapshots getDashboardSnapshot
|
||
//
|
||
// Get Snapshot by Key.
|
||
//
|
||
// Responses:
|
||
// 200: getDashboardSnapshotResponse
|
||
// 400: badRequestError
|
||
// 404: notFoundError
|
||
// 500: internalServerError
|
||
func (hs *HTTPServer) GetDashboardSnapshot(c *models.ReqContext) response.Response {
|
||
key := web.Params(c.Req)[":key"]
|
||
if len(key) == 0 {
|
||
return response.Error(http.StatusBadRequest, "Empty snapshot key", nil)
|
||
}
|
||
|
||
query := &dashboardsnapshots.GetDashboardSnapshotQuery{Key: key}
|
||
|
||
err := hs.dashboardsnapshotsService.GetDashboardSnapshot(c.Req.Context(), query)
|
||
if err != nil {
|
||
return response.Err(err)
|
||
}
|
||
|
||
snapshot := query.Result
|
||
|
||
// expired snapshots should also be removed from db
|
||
if snapshot.Expires.Before(time.Now()) {
|
||
return response.Error(404, "Dashboard snapshot not found", err)
|
||
}
|
||
|
||
dto := dtos.DashboardFullWithMeta{
|
||
Dashboard: snapshot.Dashboard,
|
||
Meta: dtos.DashboardMeta{
|
||
Type: models.DashTypeSnapshot,
|
||
IsSnapshot: true,
|
||
Created: snapshot.Created,
|
||
Expires: snapshot.Expires,
|
||
},
|
||
}
|
||
|
||
metrics.MApiDashboardSnapshotGet.Inc()
|
||
|
||
return response.JSON(http.StatusOK, dto).SetHeader("Cache-Control", "public, max-age=3600")
|
||
}
|
||
|
||
func deleteExternalDashboardSnapshot(externalUrl string) error {
|
||
response, err := client.Get(externalUrl)
|
||
if err != nil {
|
||
return err
|
||
}
|
||
|
||
defer func() {
|
||
if err := response.Body.Close(); err != nil {
|
||
plog.Warn("Failed to close response body", "err", err)
|
||
}
|
||
}()
|
||
|
||
if response.StatusCode == 200 {
|
||
return nil
|
||
}
|
||
|
||
// Gracefully ignore "snapshot not found" errors as they could have already
|
||
// been removed either via the cleanup script or by request.
|
||
if response.StatusCode == 500 {
|
||
var respJson map[string]interface{}
|
||
if err := json.NewDecoder(response.Body).Decode(&respJson); err != nil {
|
||
return err
|
||
}
|
||
|
||
if respJson["message"] == "Failed to get dashboard snapshot" {
|
||
return nil
|
||
}
|
||
}
|
||
|
||
return fmt.Errorf("unexpected response when deleting external snapshot, status code: %d", response.StatusCode)
|
||
}
|
||
|
||
// swagger:route GET /snapshots-delete/{deleteKey} snapshots deleteDashboardSnapshotByDeleteKey
|
||
//
|
||
// Delete Snapshot by deleteKey.
|
||
//
|
||
// Snapshot public mode should be enabled or authentication is required.
|
||
//
|
||
// Responses:
|
||
// 200: okResponse
|
||
// 401: unauthorisedError
|
||
// 403: forbiddenError
|
||
// 404: notFoundError
|
||
// 500: internalServerError
|
||
func (hs *HTTPServer) DeleteDashboardSnapshotByDeleteKey(c *models.ReqContext) response.Response {
|
||
key := web.Params(c.Req)[":deleteKey"]
|
||
if len(key) == 0 {
|
||
return response.Error(404, "Snapshot not found", nil)
|
||
}
|
||
|
||
query := &dashboardsnapshots.GetDashboardSnapshotQuery{DeleteKey: key}
|
||
err := hs.dashboardsnapshotsService.GetDashboardSnapshot(c.Req.Context(), query)
|
||
if err != nil {
|
||
return response.Err(err)
|
||
}
|
||
|
||
if query.Result.External {
|
||
err := deleteExternalDashboardSnapshot(query.Result.ExternalDeleteUrl)
|
||
if err != nil {
|
||
return response.Error(500, "Failed to delete external dashboard", err)
|
||
}
|
||
}
|
||
|
||
cmd := &dashboardsnapshots.DeleteDashboardSnapshotCommand{DeleteKey: query.Result.DeleteKey}
|
||
|
||
if err := hs.dashboardsnapshotsService.DeleteDashboardSnapshot(c.Req.Context(), cmd); err != nil {
|
||
return response.Error(500, "Failed to delete dashboard snapshot", err)
|
||
}
|
||
|
||
return response.JSON(http.StatusOK, util.DynMap{
|
||
"message": "Snapshot deleted. It might take an hour before it's cleared from any CDN caches.",
|
||
"id": query.Result.Id,
|
||
})
|
||
}
|
||
|
||
// swagger:route DELETE /snapshots/{key} snapshots deleteDashboardSnapshot
|
||
//
|
||
// Delete Snapshot by Key.
|
||
//
|
||
// Responses:
|
||
// 200: okResponse
|
||
// 403: forbiddenError
|
||
// 404: notFoundError
|
||
// 500: internalServerError
|
||
func (hs *HTTPServer) DeleteDashboardSnapshot(c *models.ReqContext) response.Response {
|
||
key := web.Params(c.Req)[":key"]
|
||
if len(key) == 0 {
|
||
return response.Error(http.StatusNotFound, "Snapshot not found", nil)
|
||
}
|
||
|
||
query := &dashboardsnapshots.GetDashboardSnapshotQuery{Key: key}
|
||
|
||
err := hs.dashboardsnapshotsService.GetDashboardSnapshot(c.Req.Context(), query)
|
||
if err != nil {
|
||
return response.Err(err)
|
||
}
|
||
if query.Result == nil {
|
||
return response.Error(http.StatusNotFound, "Failed to get dashboard snapshot", nil)
|
||
}
|
||
|
||
if query.Result.External {
|
||
err := deleteExternalDashboardSnapshot(query.Result.ExternalDeleteUrl)
|
||
if err != nil {
|
||
return response.Error(http.StatusInternalServerError, "Failed to delete external dashboard", err)
|
||
}
|
||
}
|
||
|
||
// Dashboard can be empty (creation error or external snapshot). This means that the mustInt here returns a 0,
|
||
// which before RBAC would result in a dashboard which has no ACL. A dashboard without an ACL would fallback
|
||
// to the user’s org role, which for editors and admins would essentially always be allowed here. With RBAC,
|
||
// all permissions must be explicit, so the lack of a rule for dashboard 0 means the guardian will reject.
|
||
dashboardID := query.Result.Dashboard.Get("id").MustInt64()
|
||
|
||
if dashboardID != 0 {
|
||
guardian, err := guardian.New(c.Req.Context(), dashboardID, c.OrgID, c.SignedInUser)
|
||
if err != nil {
|
||
return response.Err(err)
|
||
}
|
||
|
||
canEdit, err := guardian.CanEdit()
|
||
// check for permissions only if the dashboard is found
|
||
if err != nil && !errors.Is(err, dashboards.ErrDashboardNotFound) {
|
||
return response.Error(http.StatusInternalServerError, "Error while checking permissions for snapshot", err)
|
||
}
|
||
|
||
if !canEdit && query.Result.UserId != c.SignedInUser.UserID && !errors.Is(err, dashboards.ErrDashboardNotFound) {
|
||
return response.Error(http.StatusForbidden, "Access denied to this snapshot", nil)
|
||
}
|
||
}
|
||
|
||
cmd := &dashboardsnapshots.DeleteDashboardSnapshotCommand{DeleteKey: query.Result.DeleteKey}
|
||
|
||
if err := hs.dashboardsnapshotsService.DeleteDashboardSnapshot(c.Req.Context(), cmd); err != nil {
|
||
return response.Error(http.StatusInternalServerError, "Failed to delete dashboard snapshot", err)
|
||
}
|
||
|
||
return response.JSON(http.StatusOK, util.DynMap{
|
||
"message": "Snapshot deleted. It might take an hour before it's cleared from any CDN caches.",
|
||
"id": query.Result.Id,
|
||
})
|
||
}
|
||
|
||
// swagger:route GET /dashboard/snapshots snapshots searchDashboardSnapshots
|
||
//
|
||
// List snapshots.
|
||
//
|
||
// Responses:
|
||
// 200: searchDashboardSnapshotsResponse
|
||
// 500: internalServerError
|
||
func (hs *HTTPServer) SearchDashboardSnapshots(c *models.ReqContext) response.Response {
|
||
query := c.Query("query")
|
||
limit := c.QueryInt("limit")
|
||
|
||
if limit == 0 {
|
||
limit = 1000
|
||
}
|
||
|
||
searchQuery := dashboardsnapshots.GetDashboardSnapshotsQuery{
|
||
Name: query,
|
||
Limit: limit,
|
||
OrgId: c.OrgID,
|
||
SignedInUser: c.SignedInUser,
|
||
}
|
||
|
||
err := hs.dashboardsnapshotsService.SearchDashboardSnapshots(c.Req.Context(), &searchQuery)
|
||
if err != nil {
|
||
return response.Error(500, "Search failed", err)
|
||
}
|
||
|
||
dtos := make([]*dashboardsnapshots.DashboardSnapshotDTO, len(searchQuery.Result))
|
||
for i, snapshot := range searchQuery.Result {
|
||
dtos[i] = &dashboardsnapshots.DashboardSnapshotDTO{
|
||
Id: snapshot.Id,
|
||
Name: snapshot.Name,
|
||
Key: snapshot.Key,
|
||
OrgId: snapshot.OrgId,
|
||
UserId: snapshot.UserId,
|
||
External: snapshot.External,
|
||
ExternalUrl: snapshot.ExternalUrl,
|
||
Expires: snapshot.Expires,
|
||
Created: snapshot.Created,
|
||
Updated: snapshot.Updated,
|
||
}
|
||
}
|
||
|
||
return response.JSON(http.StatusOK, dtos)
|
||
}
|
||
|
||
// swagger:parameters createDashboardSnapshot
|
||
type CreateSnapshotParams struct {
|
||
// in:body
|
||
// required:true
|
||
Body dashboardsnapshots.CreateDashboardSnapshotCommand `json:"body"`
|
||
}
|
||
|
||
// swagger:parameters searchDashboardSnapshots
|
||
type GetSnapshotsParams struct {
|
||
// Search Query
|
||
// in:query
|
||
Query string `json:"query"`
|
||
// Limit the number of returned results
|
||
// in:query
|
||
// default:1000
|
||
Limit int64 `json:"limit"`
|
||
}
|
||
|
||
// swagger:parameters getDashboardSnapshot
|
||
type GetDashboardSnapshotParams struct {
|
||
// in:path
|
||
Key string `json:"key"`
|
||
}
|
||
|
||
// swagger:parameters deleteDashboardSnapshot
|
||
type DeleteDashboardSnapshotParams struct {
|
||
// in:path
|
||
Key string `json:"key"`
|
||
}
|
||
|
||
// swagger:parameters deleteDashboardSnapshotByDeleteKey
|
||
type DeleteSnapshotByDeleteKeyParams struct {
|
||
// in:path
|
||
DeleteKey string `json:"deleteKey"`
|
||
}
|
||
|
||
// swagger:response createDashboardSnapshotResponse
|
||
type CreateSnapshotResponse struct {
|
||
// in:body
|
||
Body struct {
|
||
// Unique key
|
||
Key string `json:"key"`
|
||
// Unique key used to delete the snapshot. It is different from the key so that only the creator can delete the snapshot.
|
||
DeleteKey string `json:"deleteKey"`
|
||
URL string `json:"url"`
|
||
DeleteUrl string `json:"deleteUrl"`
|
||
// Snapshot id
|
||
ID int64 `json:"id"`
|
||
} `json:"body"`
|
||
}
|
||
|
||
// swagger:response searchDashboardSnapshotsResponse
|
||
type SearchDashboardSnapshotsResponse struct {
|
||
// in:body
|
||
Body []*dashboardsnapshots.DashboardSnapshotDTO `json:"body"`
|
||
}
|
||
|
||
// swagger:response getDashboardSnapshotResponse
|
||
type GetDashboardSnapshotResponse DashboardResponse
|
||
|
||
// swagger:response getSharingOptionsResponse
|
||
type GetSharingOptionsResponse struct {
|
||
// in:body
|
||
Body struct {
|
||
ExternalSnapshotURL string `json:"externalSnapshotURL"`
|
||
ExternalSnapshotName string `json:"externalSnapshotName"`
|
||
ExternalEnabled bool `json:"externalEnabled"`
|
||
} `json:"body"`
|
||
}
|