grafana/pkg/api
Kristian Bremberg 35407142d0
Feature: Trusted Types support (#64975)
* Draft: Feature: Trusted Types support

* remove trusted-types package

* Create policy before jQuery and Angular are loaded and add feature flag

* Add trustedTypePolicies

* Sanitize scriptURL

* Add TT meta tag for test env

* Move trusted types into core

* Add DOMParser support for TrustedHTML

* Separate RSS sanitization and add better TrustedHTML support

* Get test CSP header from config

* Remove dompurify dep from core

* Add documentation for trusted types

* Apply suggestions from code review

Co-authored-by: Kristian Bremberg <114284895+KristianGrafana@users.noreply.github.com>

* Add comment about GitHub discussion thread and things breaking

* Remove changes from News panel

* Remove TT feature toggle

* Expose TT and CSPReportOnly to frontend

* Log errors in console when CSP report only is enabled

* Log error for reporting and remove test mode

* Only insert CSP header in HTML for dev env

* Update docs

---------

Co-authored-by: Tobias Skarhed <tobias.skarhed@gmail.com>
Co-authored-by: Tobias Skarhed <1438972+tskarhed@users.noreply.github.com>
2023-04-27 18:20:37 +02:00
apierrors Chore: Fix status codes for nested folders (#59087) 2022-11-22 16:06:39 +02:00
avatar Chore: Fix goimports grouping in pkg/api (#62419) 2023-01-30 08:18:26 +00:00
datasource backend/datasources: move datasources models into the datasources service package (#51267) 2022-06-27 12:23:15 -04:00
dtos Feature: Trusted Types support (#64975) 2023-04-27 18:20:37 +02:00
frontendlogging Chore: Fix goimports grouping in pkg/api (#62419) 2023-01-30 08:18:26 +00:00
pluginproxy Plugins: Migrate plugincontext, adapters and pluginsettings to pkg/services/pluginsintegration package (#64154) 2023-03-07 11:22:30 -05:00
response Logger: Add feature toggle for errors in HTTP request logs (#64425) 2023-03-31 15:38:09 +02:00
routing Chore: Move ReqContext to contexthandler service (#62102) 2023-01-27 08:50:36 +01:00
static API: Extract OpenAPI specification from source code using go-swagger (#40528) 2022-02-08 13:38:43 +01:00
accesscontrol.go Plugins: Migrate licensing and access control to pkg/services/pluginsintegration package (#65258) 2023-03-27 11:15:37 +02:00
admin_encryption.go Chore: Move ReqContext to contexthandler service (#62102) 2023-01-27 08:50:36 +01:00
admin_provisioning_test.go RBAC: Rewrite provisioning rbac tests (#61752) 2023-01-19 13:49:57 +01:00
admin_provisioning.go Chore: Move ReqContext to contexthandler service (#62102) 2023-01-27 08:50:36 +01:00
admin_test.go Chore: Fix goimports grouping in pkg/api (#62419) 2023-01-30 08:18:26 +00:00
admin_users_test.go Chore: Differentiate the ErrOrgNotFound error messages (#64131) 2023-03-06 09:57:46 +02:00
admin_users.go Chore: Remove result fields from login (#65136) 2023-03-28 20:32:21 +02:00
admin.go Add verbose settings (#65469) 2023-04-20 04:43:28 -04:00
alerting.go Chore: Remove result field from search (#65583) 2023-03-30 11:28:12 +02:00
annotations_test.go Cfg: Move ViewersCanEdit into cfg (#64876) 2023-03-16 10:54:01 +01:00
annotations.go Chore: remove dashboardsFromStorage (#65058) 2023-03-20 18:36:49 +02:00
api.go Nested folders: Provide count of all descendant dashboards and folders (#67184) 2023-04-27 17:00:09 +02:00
apikey.go Revert "APIkeys: Add metrics for apikey endpoints (#66732)" (#66754) 2023-04-18 13:05:52 +01:00
basic_auth_test.go Macaron: remove custom Request type (#37874) 2021-09-01 11:18:30 +02:00
basic_auth.go Macaron: remove custom Request type (#37874) 2021-09-01 11:18:30 +02:00
common_test.go Chore: Remove result field from search (#65583) 2023-03-30 11:28:12 +02:00
dashboard_permission_test.go NestedFolders: Add folder service registry with dashboard service implementation (#65033) 2023-04-14 11:17:23 +02:00
dashboard_permission.go Chore: Move ReqContext to contexthandler service (#62102) 2023-01-27 08:50:36 +01:00
dashboard_snapshot_test.go Cfg: Move ViewersCanEdit into cfg (#64876) 2023-03-16 10:54:01 +01:00
dashboard_snapshot.go Snapshots: Fix deleting snapshot with non existent dashboard ID (#64345) 2023-03-08 10:12:02 +02:00
dashboard_test.go Chore: Remove deprecated dashboardId from panel query runner (#64786) 2023-04-14 16:50:10 -07:00
dashboard.go API: Fix "Updated by" Column in dashboard versions table (#65351) 2023-03-30 17:31:53 +03:00
dataproxy.go Chore: Move ReqContext to contexthandler service (#62102) 2023-01-27 08:50:36 +01:00
datasources_test.go Chore: Remove Result field from datasources (#63048) 2023-02-09 15:49:44 +01:00
datasources.go Datasources: provide generic function to extract custom headers (#66738) 2023-04-19 17:04:30 +02:00
fakes.go NavTree: Make it possible to configure where in nav tree plugins live (#55484) 2022-09-28 08:29:35 +02:00
folder_permission_test.go NestedFolders: Add folder service registry with dashboard service implementation (#65033) 2023-04-14 11:17:23 +02:00
folder_permission.go Chore: Move ReqContext to contexthandler service (#62102) 2023-01-27 08:50:36 +01:00
folder_test.go NestedFolders: Return full folder hierarchy in Folder response (#66835) 2023-04-25 11:22:20 +03:00
folder.go Nested folders: Provide count of all descendant dashboards and folders (#67184) 2023-04-27 17:00:09 +02:00
frontend_logging_test.go Chore: Fix goimports grouping in pkg/api (#62419) 2023-01-30 08:18:26 +00:00
frontend_logging.go Chore: Add deprecation warnings for Sentry (#60165) 2022-12-13 16:41:42 +02:00
frontend_metrics.go Chore: Move ReqContext to contexthandler service (#62102) 2023-01-27 08:50:36 +01:00
frontendsettings_test.go SupportBundles: Add OAuth bundle collectors (#64810) 2023-03-16 09:46:25 +02:00
frontendsettings.go Feature: Trusted Types support (#64975) 2023-04-27 18:20:37 +02:00
grafana_com_proxy.go API: don't re-add /api suffix to grafana.com API URL (#62280) 2023-01-27 10:20:55 +01:00
health_test.go Chore: Fix goimports grouping in pkg/api (#62419) 2023-01-30 08:18:26 +00:00
health.go Chore: Remove Store interface and use db.DB instead (#60160) 2022-12-13 11:03:36 +01:00
http_server_test.go Chore: Fix goimports grouping in pkg/api (#62419) 2023-01-30 08:18:26 +00:00
http_server.go ServeFromSubPath: Redirect to URL with subpath when subpath missing (#66724) 2023-04-24 09:55:55 +02:00
index.go Feature: Trusted Types support (#64975) 2023-04-27 18:20:37 +02:00
login_oauth_test.go SupportBundles: Add OAuth bundle collectors (#64810) 2023-03-16 09:46:25 +02:00
login_oauth.go Chore: Remove result fields from login (#65136) 2023-03-28 20:32:21 +02:00
login_test.go Auth: Add feature flag to move token rotation to client (#65060) 2023-03-23 14:39:04 +01:00
login.go Chore: Remove result fields from login (#65136) 2023-03-28 20:32:21 +02:00
metrics_test.go Chore: Change fmt.Errorf to errors.New when there is no formatting required (#58600) 2022-12-01 20:51:12 +01:00
metrics.go Caching: Refactor enterprise query caching middleware to a wire service (#65616) 2023-04-12 12:30:33 -04:00
openapi3.go Chore: Move ReqContext to contexthandler service (#62102) 2023-01-27 08:50:36 +01:00
org_invite_test.go Chore: Fix goimports grouping in pkg/api (#62419) 2023-01-30 08:18:26 +00:00
org_invite.go Settings: Remove global variables for auth settings (#63795) 2023-02-27 15:28:49 +01:00
org_test.go RBAC: remove access control mock from org quota tests (#61574) 2023-01-17 10:33:01 +00:00
org_users_test.go Auth: Fix orgrole picker disabled if isSynced user (#64033) 2023-03-22 17:41:59 +00:00
org_users.go Chore: Fix authinfo api after result field removal (#65487) 2023-03-28 23:12:57 +03:00
org.go Chore: Move ReqContext to contexthandler service (#62102) 2023-01-27 08:50:36 +01:00
password.go Chore: Remove result fields from login (#65136) 2023-03-28 20:32:21 +02:00
playlist_play.go Chore: Remove result field from search (#65583) 2023-03-30 11:28:12 +02:00
playlist.go Chore: Move ReqContext to contexthandler service (#62102) 2023-01-27 08:50:36 +01:00
plugin_dashboards_test.go Chore: Fix goimports grouping in pkg/api (#62419) 2023-01-30 08:18:26 +00:00
plugin_dashboards.go Chore: Move ReqContext to contexthandler service (#62102) 2023-01-27 08:50:36 +01:00
plugin_metrics_test.go Chore: Fix goimports grouping in pkg/api (#62419) 2023-01-30 08:18:26 +00:00
plugin_metrics.go Chore: Fix goimports grouping in pkg/api (#62419) 2023-01-30 08:18:26 +00:00
plugin_proxy_test.go Plugins: Handle app plugin proxy routes per request (#51835) 2022-08-23 13:05:31 +02:00
plugin_proxy.go Plugins: Migrate plugincontext, adapters and pluginsettings to pkg/services/pluginsintegration package (#64154) 2023-03-07 11:22:30 -05:00
plugin_resource_test.go Chore: Refactor manifest verifier (#67218) 2023-04-27 17:54:28 +02:00
plugin_resource.go Plugins: Refactor cleaning of call resource response headers (#67145) 2023-04-25 19:44:32 +02:00
plugins_test.go Plugins: Fs: Add option to access unallowed files in dev mode (#66492) 2023-04-27 10:26:15 +02:00
plugins.go Plugins: Simplify plugin file removal (#66115) 2023-04-20 11:52:59 +02:00
preferences_test.go Chore: Remove Result from dashboard models (#61997) 2023-01-25 10:36:26 +01:00
preferences.go Cookies: Provide a mechanism for per user control over cookies (#61566) 2023-02-21 11:19:07 +01:00
quota_test.go Chore: Upgrade golangci-lint to v1.51.2 (#63630) 2023-02-23 15:10:03 +01:00
quota.go Chore: Move ReqContext to contexthandler service (#62102) 2023-01-27 08:50:36 +01:00
README.md API: Enable serving Swagger UI by default and add docs and guidelines (#63489) 2023-03-01 16:36:37 +02:00
render.go Chore: Move ReqContext to contexthandler service (#62102) 2023-01-27 08:50:36 +01:00
search.go RBAC: Make access control metadata for folders work with nested folders (#66464) 2023-04-21 15:05:11 +01:00
short_url_test.go Chore: Fix goimports grouping in pkg/api (#62419) 2023-01-30 08:18:26 +00:00
short_url.go Chore: Move ReqContext to contexthandler service (#62102) 2023-01-27 08:50:36 +01:00
signup.go Orgs: Remove auto assign globals (#63754) 2023-02-27 10:23:38 +01:00
swagger_responses.go Chore: Move swagger definitions to the handlers (#52643) 2022-07-27 09:54:37 -04:00
swagger_tags.json Chore: Move swagger definitions to the handlers (#52643) 2022-07-27 09:54:37 -04:00
swagger.go Chore: Move ReqContext to contexthandler service (#62102) 2023-01-27 08:50:36 +01:00
team_members_test.go Chore: Remove CreateUserForTests() (#64125) 2023-03-03 11:01:23 -05:00
team_members.go Chore: Move ReqContext to contexthandler service (#62102) 2023-01-27 08:50:36 +01:00
team_test.go Chore: Move ReqContext to contexthandler service (#62102) 2023-01-27 08:50:36 +01:00
team.go Chore: Move ReqContext to contexthandler service (#62102) 2023-01-27 08:50:36 +01:00
user_test.go Chore: Remove CreateUserForTests() (#64125) 2023-03-03 11:01:23 -05:00
user_token_test.go AuthToken: client token rotation fix (#65709) 2023-03-31 16:44:08 +02:00
user_token.go AuthToken: client token rotation fix (#65709) 2023-03-31 16:44:08 +02:00
user.go Chore: Fix authinfo api after result field removal (#65487) 2023-03-28 23:12:57 +03:00
utils.go Auth: Add feature flag to move token rotation to client (#65060) 2023-03-23 14:39:04 +01:00

OpenAPI specifications

Since version 8.4, HTTP API details are specified using OpenAPI v2. Starting from version 9.1, there is also an OpenAPI v3 specification, generated from the v2 one using this script.

OpenAPI annotations

The OpenAPI v2 specification is generated automatically from the annotated Go code using go-swagger, which scans the source code for annotation rules. Refer to the go-swagger getting started guide to get familiar with the toolkit.

Developers modifying the HTTP API endpoints must add the necessary annotations so that their changes are reflected in the generated specifications.

Example of endpoint annotation

The following route defines a PATCH endpoint under the /serviceaccounts/{serviceAccountId} path with tag service_accounts (used for grouping several routes together) and operation ID updateServiceAccount (used to uniquely identify the route and to associate its parameters and responses with it).


// swagger:route PATCH /serviceaccounts/{serviceAccountId} service_accounts updateServiceAccount
//
// # Update service account
//
// Required permissions (See note in the [introduction](https://grafana.com/docs/grafana/latest/developers/http_api/serviceaccount/#service-account-api) for an explanation):
// action: `serviceaccounts:write` scope: `serviceaccounts:id:1` (single service account)
//
// Responses:
// 200: updateServiceAccountResponse
// 400: badRequestError
// 401: unauthorisedError
// 403: forbiddenError
// 404: notFoundError
// 500: internalServerError

go-swagger discovers such annotations in any code imported by pkg/server, but by convention the endpoint annotations are placed directly above the handler that implements the endpoint. Note that the permissions listed in the annotation are documentation only: go-swagger reads comments and cannot enforce them, so the access-control check applied to the route must be kept in sync with what the annotation states.

Example of endpoint parameters

The following struct defines the route parameters for the updateServiceAccount endpoint. The route expects:

  • a path parameter denoting the service account identifier and
  • a body parameter with the new values for the specific service account

// swagger:parameters updateServiceAccount
type UpdateServiceAccountParams struct {
	// in:path
	ServiceAccountId int64 `json:"serviceAccountId"`
	// in:body
	Body serviceaccounts.UpdateServiceAccountForm
}

Example of endpoint response

The following struct defines the response for the updateServiceAccount endpoint in case of a successful 200 response.


// swagger:response updateServiceAccountResponse
type UpdateServiceAccountResponse struct {
	// in:body
	Body struct {
		Message        string                                    `json:"message"`
		ID             int64                                     `json:"id"`
		Name           string                                    `json:"name"`
		ServiceAccount *serviceaccounts.ServiceAccountProfileDTO `json:"serviceaccount"`
	}
}
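The three annotation kinds above (swagger:route, swagger:parameters, swagger:response) only line up if the operation ID and response names are spelled consistently across them; go-swagger does not check that a route's Responses: entries refer to a declared swagger:response, or that a route with path parameters has a parameters struct. The following is an added example, not Grafana's own tooling, of a small Go program that cross-checks those annotations in source text. The regular expressions encode the annotation shapes shown in this README; the sample source is constructed here from the updateServiceAccount annotations (trimmed) plus a hypothetical deleteServiceAccount route that is deliberately inconsistent.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Annotation lines shown in this README; respLineRe matches "// 200: name" under "Responses:".
var (
	routeRe     = regexp.MustCompile(`^//\s*swagger:route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$`)
	paramsRe    = regexp.MustCompile(`^//\s*swagger:parameters\s+(.+?)\s*$`)
	responseRe  = regexp.MustCompile(`^//\s*swagger:response\s+(\S+)\s*$`)
	respLineRe  = regexp.MustCompile(`^//\s*(\d{3}|default):\s*(\S+)\s*$`)
	pathParamRe = regexp.MustCompile(`\{[^}]+\}`)
)

type Route struct {
	Method, Path, Tag, OperationID string
	Responses                      map[string]string // status code -> response name
}

// Lint cross-checks every swagger:route in src (files may be concatenated) against
// the swagger:parameters and swagger:response declarations found in the same text.
func Lint(src string) (routes []Route, problems []string) {
	hasParams := map[string]bool{} // operation IDs named by some swagger:parameters
	declared := map[string]bool{}  // names declared by swagger:response
	var cur *Route                 // route whose comment block we are inside
	for _, raw := range strings.Split(src, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case routeRe.MatchString(line):
			m := routeRe.FindStringSubmatch(line)
			routes = append(routes, Route{Method: m[1], Path: m[2], Tag: m[3], OperationID: m[4], Responses: map[string]string{}})
			cur = &routes[len(routes)-1]
		case paramsRe.MatchString(line): // one struct may serve several operations
			for _, op := range strings.Fields(paramsRe.FindStringSubmatch(line)[1]) {
				hasParams[op] = true
			}
		case responseRe.MatchString(line):
			declared[responseRe.FindStringSubmatch(line)[1]] = true
		case cur != nil && respLineRe.MatchString(line):
			m := respLineRe.FindStringSubmatch(line)
			cur.Responses[m[1]] = m[2]
		case line != "" && !strings.HasPrefix(line, "//"):
			cur = nil // the first code line ends the route's comment block
		}
	}
	for _, r := range routes {
		codes := make([]string, 0, len(r.Responses))
		for c := range r.Responses {
			codes = append(codes, c)
		}
		sort.Strings(codes) // deterministic report order
		for _, c := range codes {
			if !declared[r.Responses[c]] {
				problems = append(problems, fmt.Sprintf("%s: %s refers to undeclared response %q", r.OperationID, c, r.Responses[c]))
			}
		}
		if pathParamRe.MatchString(r.Path) && !hasParams[r.OperationID] {
			problems = append(problems, fmt.Sprintf("%s: path %s has parameters but no swagger:parameters struct", r.OperationID, r.Path))
		}
	}
	return routes, problems
}

// sample is constructed for this example: the README's updateServiceAccount annotations
// (trimmed) plus a hypothetical deleteServiceAccount route that is broken on purpose.
const sample = `
// swagger:route PATCH /serviceaccounts/{serviceAccountId} service_accounts updateServiceAccount
// Responses:
// 200: updateServiceAccountResponse
// 400: badRequestError
// 404: notFoundError
func (hs *HTTPServer) updateServiceAccount(c *contextmodel.ReqContext) response.Response { return nil }
// swagger:parameters updateServiceAccount
type UpdateServiceAccountParams struct{ ServiceAccountId int64 }
// swagger:response updateServiceAccountResponse
type UpdateServiceAccountResponse struct{}
// swagger:response badRequestError
type BadRequestError struct{}
// swagger:response notFoundError
type NotFoundError struct{}
// Broken on purpose: no swagger:parameters struct, and okResponse is never declared.
// swagger:route DELETE /serviceaccounts/{serviceAccountId} service_accounts deleteServiceAccount
// Responses:
// 200: okResponse
// 404: notFoundError
func (hs *HTTPServer) deleteServiceAccount(c *contextmodel.ReqContext) response.Response { return nil }
`

func main() {
	routes, problems := Lint(sample)
	fmt.Printf("%d routes scanned, %d problems\n", len(routes), len(problems))
	for _, p := range problems {
		fmt.Println("PROBLEM:", p)
	}
}
```

Run against real sources, concatenate every file under pkg/api (and the other packages pkg/server imports) before calling Lint, since shared responses such as badRequestError live in swagger_responses.go rather than next to the route that references them.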

OpenAPI generation

Developers can re-create the OpenAPI v2 and v3 specifications using the following command:


make clean-api-spec && make openapi3-gen

The generated specifications are written to the public/api-merged.json and public/openapi3.json files.

Finally, both the OpenAPI v2 and v3 specifications can be browsed and tried out via the Swagger UI (served by the Grafana server) by navigating to /swagger-ui and /openapi3 respectively.
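Because the v3 document is derived from the v2 one, the two files above should describe the same set of operations; an operation that is present in public/api-merged.json but absent or renamed in public/openapi3.json means the conversion step was skipped or ran against a stale input. The following is an added example, not a script from the Grafana repository, of a Go program that compares the operations of the two documents. Both OpenAPI versions keep operations under paths.<path>.<method>, so one parser serves both. The two mini-specs are constructed inline for this example (deleteServiceAccount, getHealth and healthCheck are hypothetical names); a real run would read the two generated files instead.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

var httpMethods = map[string]bool{"get": true, "put": true, "post": true, "delete": true, "options": true, "head": true, "patch": true}

// operations returns "METHOD path" -> operationId for every operation in an OpenAPI
// v2 or v3 document; both keep operations under paths.<path>.<method>.
func operations(spec []byte) (map[string]string, error) {
	var doc struct {
		Paths map[string]map[string]json.RawMessage `json:"paths"`
	}
	if err := json.Unmarshal(spec, &doc); err != nil {
		return nil, err
	}
	ops := map[string]string{}
	for path, item := range doc.Paths {
		for method, raw := range item {
			if !httpMethods[method] {
				continue // path-level "parameters" or vendor extensions are not operations
			}
			var op struct {
				OperationID string `json:"operationId"`
			}
			if err := json.Unmarshal(raw, &op); err != nil {
				return nil, fmt.Errorf("%s %s: %w", method, path, err)
			}
			ops[strings.ToUpper(method)+" "+path] = op.OperationID
		}
	}
	return ops, nil
}

// Drift reports operations present in the v2 spec but missing from the v3 spec, and
// operations whose operationId differs between the two. The result is sorted.
func Drift(v2, v3 []byte) ([]string, error) {
	from, err := operations(v2)
	if err != nil {
		return nil, fmt.Errorf("v2: %w", err)
	}
	to, err := operations(v3)
	if err != nil {
		return nil, fmt.Errorf("v3: %w", err)
	}
	var out []string
	for key, id := range from {
		id3, ok := to[key]
		switch {
		case !ok:
			out = append(out, key+": missing from v3")
		case id3 != id:
			out = append(out, fmt.Sprintf("%s: operationId %q in v2 but %q in v3", key, id, id3))
		}
	}
	sort.Strings(out)
	return out, nil
}

// Constructed mini-specs for this example; a real run would read public/api-merged.json
// and public/openapi3.json after `make clean-api-spec && make openapi3-gen`.
const specV2 = `{"swagger":"2.0","paths":{
  "/serviceaccounts/{serviceAccountId}":{
    "patch":{"operationId":"updateServiceAccount","tags":["service_accounts"]},
    "delete":{"operationId":"deleteServiceAccount","tags":["service_accounts"]}},
  "/health":{"get":{"operationId":"getHealth"}}}}`

const specV3 = `{"openapi":"3.0.0","paths":{
  "/serviceaccounts/{serviceAccountId}":{
    "parameters":[{"name":"serviceAccountId","in":"path","required":true}],
    "patch":{"operationId":"updateServiceAccount"}},
  "/health":{"get":{"operationId":"healthCheck"}}}}`

func main() {
	drift, err := Drift([]byte(specV2), []byte(specV3))
	if err != nil {
		panic(err)
	}
	for _, d := range drift {
		fmt.Println("DRIFT:", d)
	}
}
```

A non-empty Drift result in CI is a cheap way to catch a forgotten regeneration before the stale v3 document is served at /openapi3.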