Add secure socks proxy to sdk (#667)

stephaniehingtgen · web-flow · commit 9e36be73cee6 · 2023-04-06T09:40:48.000-06:00
diff --git a/backend/http_settings.go b/backend/http_settings.go
@@ -6,6 +6,7 @@ import (
 	"time"
 
 	"github.com/grafana/grafana-plugin-sdk-go/backend/httpclient"
+	"github.com/grafana/grafana-plugin-sdk-go/backend/proxy"
 )
 
 // HTTPSettings is a convenient struct for holding decoded HTTP settings from
@@ -45,6 +46,10 @@ type HTTPSettings struct {
 	SigV4AccessKey     string
 	SigV4SecretKey     string
 
+	SecureSocksProxyEnabled  bool
+	SecureSocksProxyUsername string
+	SecureSocksProxyPass     string
+
 	JSONData       map[string]interface{}
 	SecureJSONData map[string]string
 }
@@ -98,6 +103,20 @@ func (s *HTTPSettings) HTTPClientOptions() httpclient.Options {
 		}
 	}
 
+	if s.SecureSocksProxyEnabled {
+		opts.ProxyOptions = &proxy.Options{
+			Enabled: s.SecureSocksProxyEnabled,
+			Timeouts: &proxy.TimeoutOptions{
+				Timeout:   s.Timeout,
+				KeepAlive: s.KeepAlive,
+			},
+			Auth: &proxy.AuthOptions{
+				Username: s.SecureSocksProxyUsername,
+				Password: s.SecureSocksProxyPass,
+			},
+		}
+	}
+
 	return opts
 }
 
@@ -265,6 +284,20 @@ func parseHTTPSettings(jsonData json.RawMessage, secureJSONData map[string]strin
 		}
 	}
 
+	// secure socks proxy
+	if v, exists := dat["enableSecureSocksProxy"]; exists {
+		s.SecureSocksProxyEnabled = v.(bool)
+	}
+
+	if s.SecureSocksProxyEnabled {
+		if v, exists := dat["secureSocksProxyUsername"]; exists {
+			s.SecureSocksProxyUsername = v.(string)
+		}
+		if v, exists := secureJSONData["secureSocksProxyPassword"]; exists {
+			s.SecureSocksProxyPass = v
+		}
+	}
+
 	// headers
 	index := 1
 	for {
diff --git a/backend/httpclient/http_client.go b/backend/httpclient/http_client.go
@@ -6,6 +6,8 @@ import (
 	"errors"
 	"net"
 	"net/http"
+
+	"github.com/grafana/grafana-plugin-sdk-go/backend/proxy"
 )
 
 // New creates a new http.Client.
@@ -84,6 +86,11 @@ func GetTransport(opts ...Options) (http.RoundTripper, error) {
 		clientOpts.Middlewares = clientOpts.ConfigureMiddleware(clientOpts, clientOpts.Middlewares)
 	}
 
+	err = proxy.ConfigureSecureSocksHTTPProxy(transport, clientOpts.ProxyOptions)
+	if err != nil {
+		return nil, err
+	}
+
 	return roundTripperFromMiddlewares(clientOpts, clientOpts.Middlewares, transport), nil
 }
 
@@ -152,6 +159,17 @@ func createOptions(providedOpts ...Options) Options {
 		opts.Middlewares = DefaultMiddlewares()
 	}
 
+	if proxy.SecureSocksProxyEnabled(opts.ProxyOptions) {
+		// default username is the datasource uid, this can be updated
+		// by setting `secureSocksProxyUsername` in the datasource json
+		if opts.ProxyOptions.Auth == nil {
+			opts.ProxyOptions.Auth = &proxy.AuthOptions{}
+		}
+		if opts.ProxyOptions.Auth.Username == "" {
+			opts.ProxyOptions.Auth.Username = opts.Labels["datasource_uid"]
+		}
+	}
+
 	return opts
 }
 
diff --git a/backend/httpclient/options.go b/backend/httpclient/options.go
@@ -4,6 +4,8 @@ import (
 	"crypto/tls"
 	"net/http"
 	"time"
+
+	"github.com/grafana/grafana-plugin-sdk-go/backend/proxy"
 )
 
 // ConfigureClientFunc function signature for configuring http.Client.
@@ -30,6 +32,9 @@ type Options struct {
 	TLS   *TLSOptions
 	SigV4 *SigV4Config
 
+	// Proxy related options.
+	ProxyOptions *proxy.Options
+
 	// Headers custom headers.
 	Headers map[string]string
 
diff --git a/backend/proxy/doc.go b/backend/proxy/doc.go
@@ -0,0 +1,2 @@
+// Package proxy provides utilities for updating a data source plugin connection to go through a proxy.
+package proxy
diff --git a/backend/proxy/options.go b/backend/proxy/options.go
@@ -0,0 +1,43 @@
+package proxy
+
+import "time"
+
+// Options defines per datasource options for creating the proxy dialer.
+type Options struct {
+	Enabled  bool
+	Auth     *AuthOptions
+	Timeouts *TimeoutOptions
+}
+
+// AuthOptions socks5 username and password options.
+// Every datasource can have separate credentials to the proxy.
+type AuthOptions struct {
+	Username string
+	Password string
+}
+
+// TimeoutOptions timeout/connection options.
+type TimeoutOptions struct {
+	Timeout   time.Duration
+	KeepAlive time.Duration
+}
+
+// DefaultTimeoutOptions default timeout/connection options for the proxy.
+var DefaultTimeoutOptions = TimeoutOptions{
+	Timeout:   30 * time.Second,
+	KeepAlive: 30 * time.Second,
+}
+
+func createOptions(providedOpts *Options) Options {
+	var opts Options
+	if providedOpts == nil {
+		return opts
+	}
+
+	opts = *providedOpts
+	if opts.Timeouts == nil {
+		opts.Timeouts = &DefaultTimeoutOptions
+	}
+
+	return opts
+}
diff --git a/backend/proxy/secure_socks_proxy.go b/backend/proxy/secure_socks_proxy.go
@@ -0,0 +1,217 @@
+package proxy
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
+	"fmt"
+	"net"
+	"net/http"
+	"os"
+	"strconv"
+	"strings"
+
+	"golang.org/x/net/proxy"
+)
+
+var (
+
+	// PluginSecureSocksProxyEnabled is a constant for the GF_SECURE_SOCKS_DATASOURCE_PROXY_SERVER_ENABLED
+	// environment variable used to specify if a secure socks proxy is allowed to be used for datasource connections.
+	PluginSecureSocksProxyEnabled = "GF_SECURE_SOCKS_DATASOURCE_PROXY_SERVER_ENABLED"
+	// PluginSecureSocksProxyClientCert is a constant for the GF_SECURE_SOCKS_DATASOURCE_PROXY_CLIENT_CERT
+	// environment variable used to specify the file location of the client cert for the secure socks proxy.
+	PluginSecureSocksProxyClientCert = "GF_SECURE_SOCKS_DATASOURCE_PROXY_CLIENT_CERT"
+	// PluginSecureSocksProxyClientKey is a constant for the GF_SECURE_SOCKS_DATASOURCE_PROXY_CLIENT_KEY
+	// environment variable used to specify the file location of the client key for the secure socks proxy.
+	PluginSecureSocksProxyClientKey = "GF_SECURE_SOCKS_DATASOURCE_PROXY_CLIENT_KEY"
+	// PluginSecureSocksProxyRootCACert is a constant for the GF_SECURE_SOCKS_DATASOURCE_PROXY_ROOT_CA_CERT
+	// environment variable used to specify the file location of the root ca for the secure socks proxy.
+	PluginSecureSocksProxyRootCACert = "GF_SECURE_SOCKS_DATASOURCE_PROXY_ROOT_CA_CERT"
+	// PluginSecureSocksProxyProxyAddress is a constant for the GF_SECURE_SOCKS_DATASOURCE_PROXY_PROXY_ADDRESS
+	// environment variable used to specify the secure socks proxy server address to proxy the connections to.
+	PluginSecureSocksProxyProxyAddress = "GF_SECURE_SOCKS_DATASOURCE_PROXY_PROXY_ADDRESS"
+	// PluginSecureSocksProxyServerName is a constant for the GF_SECURE_SOCKS_DATASOURCE_PROXY_SERVER_NAME
+	// environment variable used to specify the server name of the secure socks proxy.
+	PluginSecureSocksProxyServerName = "GF_SECURE_SOCKS_DATASOURCE_PROXY_SERVER_NAME"
+)
+
+// SecureSocksProxyConfig contains the information needed to allow datasource connections to be
+// proxied to a secure socks proxy
+type secureSocksProxyConfig struct {
+	clientCert   string
+	clientKey    string
+	rootCA       string
+	proxyAddress string
+	serverName   string
+}
+
+// SecureSocksProxyEnabled checks if the Grafana instance allows the secure socks proxy to be used
+// and the datasource options specify to use the proxy
+func SecureSocksProxyEnabled(opts *Options) bool {
+	if opts == nil {
+		return false
+	}
+
+	if !opts.Enabled {
+		return false
+	}
+
+	if value, ok := os.LookupEnv(PluginSecureSocksProxyEnabled); ok {
+		enabledOnInst, err := strconv.ParseBool(value)
+		if err != nil {
+			return false
+		}
+
+		return enabledOnInst
+	}
+
+	return false
+}
+
+// SecureSocksProxyEnabledOnDS checks the datasource json data for `enableSecureSocksProxy`
+// to determine if the secure socks proxy should be enabled on it
+func SecureSocksProxyEnabledOnDS(jsonData map[string]interface{}) bool {
+	res, enabled := jsonData["enableSecureSocksProxy"]
+	if !enabled {
+		return false
+	}
+
+	if val, ok := res.(bool); ok {
+		return val
+	}
+
+	return false
+}
+
+// ConfigureSecureSocksHTTPProxy takes a http.DefaultTransport and wraps it in a socks5 proxy with TLS
+// if it is enabled on the datasource and the grafana instance
+func ConfigureSecureSocksHTTPProxy(transport *http.Transport, opts *Options) error {
+	if !SecureSocksProxyEnabled(opts) {
+		return nil
+	}
+
+	dialSocksProxy, err := NewSecureSocksProxyContextDialer(opts)
+	if err != nil {
+		return err
+	}
+
+	contextDialer, ok := dialSocksProxy.(proxy.ContextDialer)
+	if !ok {
+		return errors.New("unable to cast socks proxy dialer to context proxy dialer")
+	}
+
+	transport.DialContext = contextDialer.DialContext
+	return nil
+}
+
+// NewSecureSocksProxyContextDialer returns a proxy context dialer that can be used to allow datasource connections to go through a secure socks proxy
+func NewSecureSocksProxyContextDialer(opts *Options) (proxy.Dialer, error) {
+	var err error
+	cfg, err := getConfigFromEnv()
+	if err != nil {
+		return nil, err
+	}
+
+	clientOpts := createOptions(opts)
+
+	certPool := x509.NewCertPool()
+	for _, rootCAFile := range strings.Split(cfg.rootCA, " ") {
+		// nolint:gosec
+		// The gosec G304 warning can be ignored because `rootCAFile` comes from config ini
+		// and we check below if it's the right file type
+		pemBytes, err := os.ReadFile(rootCAFile)
+		if err != nil {
+			return nil, err
+		}
+
+		pemDecoded, _ := pem.Decode(pemBytes)
+		if pemDecoded == nil || pemDecoded.Type != "CERTIFICATE" {
+			return nil, errors.New("root ca is invalid")
+		}
+
+		if !certPool.AppendCertsFromPEM(pemBytes) {
+			return nil, errors.New("failed to append CA certificate " + rootCAFile)
+		}
+	}
+
+	cert, err := tls.LoadX509KeyPair(cfg.clientCert, cfg.clientKey)
+	if err != nil {
+		return nil, err
+	}
+
+	tlsDialer := &tls.Dialer{
+		Config: &tls.Config{
+			Certificates: []tls.Certificate{cert},
+			ServerName:   cfg.serverName,
+			RootCAs:      certPool,
+			MinVersion:   tls.VersionTLS13,
+		},
+		NetDialer: &net.Dialer{
+			Timeout:   clientOpts.Timeouts.Timeout,
+			KeepAlive: clientOpts.Timeouts.KeepAlive,
+		},
+	}
+
+	var dsInfo *proxy.Auth
+	if clientOpts.Auth != nil {
+		dsInfo = &proxy.Auth{
+			User:     clientOpts.Auth.Username,
+			Password: clientOpts.Auth.Password,
+		}
+	}
+
+	dialSocksProxy, err := proxy.SOCKS5("tcp", cfg.proxyAddress, dsInfo, tlsDialer)
+	if err != nil {
+		return nil, err
+	}
+
+	return dialSocksProxy, nil
+}
+
+// getConfigFromEnv gets the needed proxy information from the env variables that Grafana set with the values from the config ini
+func getConfigFromEnv() (*secureSocksProxyConfig, error) {
+	clientCert := ""
+	if value, ok := os.LookupEnv(PluginSecureSocksProxyClientCert); ok {
+		clientCert = value
+	} else {
+		return nil, fmt.Errorf("missing client cert")
+	}
+
+	clientKey := ""
+	if value, ok := os.LookupEnv(PluginSecureSocksProxyClientKey); ok {
+		clientKey = value
+	} else {
+		return nil, fmt.Errorf("missing client key")
+	}
+
+	rootCA := ""
+	if value, ok := os.LookupEnv(PluginSecureSocksProxyRootCACert); ok {
+		rootCA = value
+	} else {
+		return nil, fmt.Errorf("missing root ca")
+	}
+
+	proxyAddress := ""
+	if value, ok := os.LookupEnv(PluginSecureSocksProxyProxyAddress); ok {
+		proxyAddress = value
+	} else {
+		return nil, fmt.Errorf("missing proxy address")
+	}
+
+	serverName := ""
+	if value, ok := os.LookupEnv(PluginSecureSocksProxyServerName); ok {
+		serverName = value
+	} else {
+		return nil, fmt.Errorf("missing server name")
+	}
+
+	return &secureSocksProxyConfig{
+		clientCert:   clientCert,
+		clientKey:    clientKey,
+		rootCA:       rootCA,
+		proxyAddress: proxyAddress,
+		serverName:   serverName,
+	}, nil
+}
diff --git a/backend/proxy/secure_socks_proxy_test.go b/backend/proxy/secure_socks_proxy_test.go

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+// Package proxy provides utilities for updating a data source plugin connection to go through a proxy.`
	`2`	`+package proxy`