Merge remote-tracking branch 'private/master'

Author: joanlopez

default.json

@@ -15,6 +15,10 @@
         "json": true,
         "colorize": false
       }
+    },
+
+    "security": {
+      "authToken": "-"
     }
   },
   "rendering": {

plugin.json

@@ -20,10 +20,10 @@
       {"name": "Project site", "url": "https://github.com/grafana/grafana-image-renderer"},
       {"name": "Apache License", "url": "https://github.com/grafana/grafana-image-renderer/blob/master/LICENSE"}
     ],
-    "version": "3.5.0",
-    "updated": "2022-07-18"
+    "version": "3.6.0",
+    "updated": "2022-08-16"
   },
   "dependencies": {
-    "grafanaDependency": ">=7.0.0"
+    "grafanaDependency": ">=8.3.11"
   }
 }

proto/rendererv2.proto

@@ -18,6 +18,7 @@ message RenderRequest {
   int32 timeout = 8;
   string timezone = 9;
   map<string, StringList> headers = 10;
+  string authToken = 11;
 }
 
 message RenderResponse {
@@ -32,6 +33,7 @@ message RenderCSVRequest {
   int32 timeout = 5;
   string timezone = 6;
   map<string, StringList> headers = 7;
+  string authToken = 8;
 }
 
 message RenderCSVResponse {

proto/sanitizer.proto

@@ -8,6 +8,7 @@ message SanitizeRequest {
   bytes content = 2;
   string configType = 3; // DOMPurify, ...
   bytes config = 4;
+  string authToken = 5;
 }
 
 message SanitizeResponse {

src/app.ts

@@ -108,6 +108,10 @@ function populateServiceConfigFromEnv(config: ServiceConfig, env: NodeJS.Process
     config.service.port = parseInt(env['HTTP_PORT'] as string, 10);
   }
 
+  if (env['AUTH_TOKEN']) {
+    config.service.security.authToken = env['AUTH_TOKEN'];
+  }
+
   if (env['LOG_LEVEL']) {
     config.service.logging.level = env['LOG_LEVEL'] as string;
   }

src/config.ts

@@ -54,12 +54,17 @@ export interface LoggingConfig {
   console?: ConsoleLoggerConfig;
 }
 
+export interface SecurityConfig {
+  authToken: string;
+}
+
 export interface ServiceConfig {
   service: {
     host?: string;
     port: number;
     metrics: MetricsConfig;
     logging: LoggingConfig;
+    security: SecurityConfig;
   };
   rendering: RenderingConfig;
 }
@@ -70,6 +75,7 @@ export interface PluginConfig {
       host: string;
       port: number;
     };
+    security: SecurityConfig;
   };
   rendering: RenderingConfig;
 }
@@ -116,6 +122,9 @@ export const defaultServiceConfig: ServiceConfig = {
         colorize: false,
       },
     },
+    security: {
+      authToken: '-',
+    },
   },
   rendering: defaultRenderingConfig,
 };
@@ -126,6 +135,9 @@ export const defaultPluginConfig: PluginConfig = {
       host: '127.0.0.1',
       port: 0,
     },
+    security: {
+      authToken: '-',
+    },
   },
   rendering: defaultRenderingConfig,
 };

src/plugin/v2/grpc_plugin.ts

@@ -3,7 +3,7 @@ import * as protoLoader from '@grpc/proto-loader';
 import * as promClient from 'prom-client';
 import { GrpcPlugin } from '../../node-plugin';
 import { Logger } from '../../logger';
-import { PluginConfig } from '../../config';
+import { PluginConfig, SecurityConfig } from '../../config';
 import { createBrowser, Browser } from '../../browser';
 import { HTTPHeaders, ImageRenderOptions, RenderOptions } from '../../types';
 import {
@@ -21,6 +21,7 @@ import {
 } from './types';
 import { createSanitizer, Sanitizer } from '../../sanitizer/Sanitizer';
 import { SanitizeRequest } from '../../sanitizer/types';
+import { Status } from '@grpc/grpc-js/build/src/constants';
 
 const rendererV2PackageDef = protoLoader.loadSync(__dirname + '/../../../proto/rendererv2.proto', {
   keepCase: true,
@@ -58,7 +59,7 @@ export class RenderGRPCPluginV2 implements GrpcPlugin {
   async grpcServer(server: grpc.Server) {
     const metrics = setupMetrics();
     const browser = createBrowser(this.config.rendering, this.log, metrics);
-    const pluginService = new PluginGRPCServer(browser, this.log, createSanitizer());
+    const pluginService = new PluginGRPCServer(browser, this.log, createSanitizer(), this.config.plugin.security);
 
     const rendererServiceDef = rendererV2ProtoDescriptor['pluginextensionv2']['Renderer']['service'];
     server.addService(rendererServiceDef, pluginService as any);
@@ -92,7 +93,7 @@ export class RenderGRPCPluginV2 implements GrpcPlugin {
 class PluginGRPCServer {
   private browserVersion: string | undefined;
 
-  constructor(private browser: Browser, private log: Logger, private sanitizer: Sanitizer) {}
+  constructor(private browser: Browser, private log: Logger, private sanitizer: Sanitizer, private securityCfg: SecurityConfig) {}
 
   async start(browserVersion?: string) {
     this.browserVersion = browserVersion;
@@ -104,7 +105,16 @@ class PluginGRPCServer {
     const headers: HTTPHeaders = {};
 
     if (!req) {
-      throw new Error('Request cannot be null');
+      return callback({ code: Status.INVALID_ARGUMENT, details: 'Request cannot be null' });
+    }
+
+    const configToken = this.securityCfg.authToken || '';
+    if (!req.authToken || req.authToken !== configToken) {
+      return callback({ code: Status.UNAUTHENTICATED, details: 'Unauthorized request' });
+    }
+
+    if (req.url && !(req.url.startsWith('http://') || req.url.startsWith('https://'))) {
+      return callback({ code: Status.INVALID_ARGUMENT, details: 'Forbidden query url protocol' });
     }
 
     if (req.headers) {
@@ -145,7 +155,16 @@ class PluginGRPCServer {
     const headers: HTTPHeaders = {};
 
     if (!req) {
-      throw new Error('Request cannot be null');
+      return callback({ code: Status.INVALID_ARGUMENT, details: 'Request cannot be null' });
+    }
+
+    const configToken = this.securityCfg.authToken || '';
+    if (!req.authToken || req.authToken !== configToken) {
+      return callback({ code: Status.UNAUTHENTICATED, details: 'Unauthorized request' });
+    }
+
+    if (req.url && !(req.url.startsWith('http://') || req.url.startsWith('https://'))) {
+      return callback({ code: Status.INVALID_ARGUMENT, details: 'Forbidden query url protocol' });
     }
 
     if (req.headers) {
@@ -198,6 +217,11 @@ class PluginGRPCServer {
   async sanitize(call: grpc.ServerUnaryCall<GRPCSanitizeRequest, any>, callback: grpc.sendUnaryData<GRPCSanitizeResponse>) {
     const grpcReq = call.request;
 
+    const configToken = this.securityCfg.authToken || '';
+    if (!grpcReq.authToken || grpcReq.authToken !== configToken) {
+      return callback({ code: Status.UNAUTHENTICATED, details: 'Unauthorized request' });
+    }
+
     const req: SanitizeRequest = {
       content: grpcReq.content,
       config: JSON.parse(grpcReq.config.toString()),
@@ -294,6 +318,10 @@ const populateConfigFromEnv = (config: PluginConfig) => {
   if (env['GF_PLUGIN_RENDERING_DUMPIO']) {
     config.rendering.dumpio = env['GF_PLUGIN_RENDERING_DUMPIO'] === 'true';
   }
+
+  if (env['GF_PLUGIN_AUTH_TOKEN']) {
+    config.plugin.security.authToken = env['GF_PLUGIN_AUTH_TOKEN'];
+  }
 };
 
 interface PluginMetrics {

src/plugin/v2/types.ts

@@ -17,6 +17,7 @@ export interface RenderRequest {
   headers: {
     [header: string]: StringList;
   };
+  authToken: string;
 }
 
 export interface RenderResponse {
@@ -33,6 +34,7 @@ export interface RenderCSVRequest {
   headers: {
     [header: string]: StringList;
   };
+  authToken: string;
 }
 
 export interface RenderCSVResponse {
@@ -72,6 +74,7 @@ export interface GRPCSanitizeRequest {
   configType: ConfigType;
   config: Buffer;
   allowAllLinksInSvgUseTags: boolean;
+  authToken: string;
 }
 
 export interface GRPCSanitizeResponse {

src/service/http-server.ts

@@ -8,13 +8,14 @@ import * as promClient from 'prom-client';
 import { Logger } from '../logger';
 import { Browser, createBrowser } from '../browser';
 import { ServiceConfig } from '../config';
-import { setupHttpServerMetrics } from './metrics_middleware';
+import { setupHttpServerMetrics } from './metrics';
 import { HTTPHeaders, ImageRenderOptions, RenderOptions } from '../types';
 import { Sanitizer } from '../sanitizer/Sanitizer';
 import * as bodyParser from 'body-parser';
 import * as multer from 'multer';
 import { isSanitizeRequest } from '../sanitizer/types';
 import * as contentDisposition from 'content-disposition';
+import { asyncMiddleware, trustedUrlMiddleware, authTokenMiddleware } from './middlewares';
 
 const upload = multer({ storage: multer.memoryStorage() });
 
@@ -53,16 +54,26 @@ export class HttpServer {
     if (this.config.service.metrics.enabled) {
       setupHttpServerMetrics(this.app, this.config.service.metrics, this.log);
     }
+
     this.app.get('/', (req: express.Request, res: express.Response) => {
       res.send('Grafana Image Renderer');
     });
+
+    // Middlewares for /render endpoints
+    this.app.use('/render', authTokenMiddleware(this.config.service.security), trustedUrlMiddleware);
+
+    // Set up /render endpoints
+    this.app.get('/render', asyncMiddleware(this.render));
+    this.app.get('/render/csv', asyncMiddleware(this.renderCSV));
     this.app.get('/render/version', (req: express.Request, res: express.Response) => {
       const pluginInfo = require('../../plugin.json');
       res.send({ version: pluginInfo.info.version });
     });
 
-    this.app.get('/render', asyncMiddleware(this.render));
-    this.app.get('/render/csv', asyncMiddleware(this.renderCSV));
+    // Middlewares for /sanitize endpoints
+    this.app.use('/sanitize', authTokenMiddleware(this.config.service.security));
+
+    // Set up /sanitize endpoints
     this.app.post(
       '/sanitize',
       upload.fields([
@@ -71,6 +82,7 @@ export class HttpServer {
       ]),
       asyncMiddleware(this.sanitize)
     );
+
     this.app.use((err, req, res, next) => {
       if (err.stack) {
         this.log.error('Request failed', 'url', req.url, 'stack', err.stack);
@@ -254,14 +266,3 @@ export class HttpServer {
     });
   };
 }
-
-// wrapper for our async route handlers
-// probably you want to move it to a new file
-const asyncMiddleware = (fn) => (req, res, next) => {
-  Promise.resolve(fn(req, res, next)).catch((err) => {
-    if (!err.isBoom) {
-      return next(boom.badImplementation(err));
-    }
-    next(err);
-  });
-};