secure socks proxy: add option to disable tls in the socks proxy dialer (#833)

PoorlyDefinedBehaviour · web-flow · commit aa5d1fdd5c95 · 2023-12-14T10:14:02.000-03:00
* secure socks proxy: add option to disable tls in the socks proxy dialer

* check error when parsing GF_SECURE_SOCKS_DATASOURCE_PROXY_ALLOW_INSECURE

* remove comment about tls config from cfgProxyWrapper.ConfigureSecureSocksHTTPProxy

* cfgProxyWrapper.NewSecureSocksProxyContextDialer: extract TLS dialer instantiation to a method

* update getConfigFromEnv to handle allowInsecure
diff --git a/backend/common.go b/backend/common.go
@@ -125,7 +125,11 @@ func (s *DataSourceInstanceSettings) HTTPClientOptions(ctx context.Context) (htt
 	setCustomOptionsFromHTTPSettings(&opts, httpSettings)
 
 	cfg := GrafanaConfigFromContext(ctx)
-	opts.ProxyOptions, err = s.ProxyOptions(cfg.proxy().clientCfg)
+	proxy, err := cfg.proxy()
+	if err != nil {
+		return opts, err
+	}
+	opts.ProxyOptions, err = s.ProxyOptions(proxy.clientCfg)
 	if err != nil {
 		return opts, err
 	}
diff --git a/backend/config.go b/backend/config.go
@@ -101,19 +101,33 @@ type Proxy struct {
 	clientCfg *proxy.ClientCfg
 }
 
-func (c *GrafanaCfg) proxy() Proxy {
+func (c *GrafanaCfg) proxy() (Proxy, error) {
 	if v, exists := c.config[proxy.PluginSecureSocksProxyEnabled]; exists && v == strconv.FormatBool(true) {
+		var (
+			allowInsecure = false
+			err           error
+		)
+
+		if v := c.Get(proxy.PluginSecureSocksProxyAllowInsecure); v != "" {
+			allowInsecure, err = strconv.ParseBool(c.Get(proxy.PluginSecureSocksProxyAllowInsecure))
+			if err != nil {
+				return Proxy{}, fmt.Errorf("parsing %s, value must be a boolean: %w", proxy.PluginSecureSocksProxyAllowInsecure, err)
+			}
+		}
+
 		return Proxy{
 			clientCfg: &proxy.ClientCfg{
-				ClientCert:   c.Get(proxy.PluginSecureSocksProxyClientCert),
-				ClientKey:    c.Get(proxy.PluginSecureSocksProxyClientKey),
-				RootCA:       c.Get(proxy.PluginSecureSocksProxyRootCACert),
-				ProxyAddress: c.Get(proxy.PluginSecureSocksProxyProxyAddress),
-				ServerName:   c.Get(proxy.PluginSecureSocksProxyServerName),
+				ClientCert:    c.Get(proxy.PluginSecureSocksProxyClientCert),
+				ClientKey:     c.Get(proxy.PluginSecureSocksProxyClientKey),
+				RootCA:        c.Get(proxy.PluginSecureSocksProxyRootCACert),
+				ProxyAddress:  c.Get(proxy.PluginSecureSocksProxyProxyAddress),
+				ServerName:    c.Get(proxy.PluginSecureSocksProxyServerName),
+				AllowInsecure: allowInsecure,
 			},
-		}
+		}, nil
 	}
-	return Proxy{}
+
+	return Proxy{}, nil
 }
 
 func (c *GrafanaCfg) AppURL() (string, error) {
diff --git a/backend/config_test.go b/backend/config_test.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"testing"
 
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
 	"github.com/grafana/grafana-plugin-sdk-go/backend/proxy"
@@ -109,14 +110,41 @@ func TestConfig(t *testing.T) {
 					},
 				},
 			},
+			{
+				name: "feature toggles disabled and insecure proxy enabled",
+				cfg: NewGrafanaCfg(map[string]string{
+					featuretoggles.EnabledFeatures:            "",
+					proxy.PluginSecureSocksProxyEnabled:       "true",
+					proxy.PluginSecureSocksProxyProxyAddress:  "localhost:1234",
+					proxy.PluginSecureSocksProxyServerName:    "localhost",
+					proxy.PluginSecureSocksProxyClientKey:     "clientKey",
+					proxy.PluginSecureSocksProxyClientCert:    "clientCert",
+					proxy.PluginSecureSocksProxyRootCACert:    "rootCACert",
+					proxy.PluginSecureSocksProxyAllowInsecure: "true",
+				}),
+				expectedFeatureToggles: FeatureToggles{},
+				expectedProxy: Proxy{
+					clientCfg: &proxy.ClientCfg{
+						ClientCert:    "clientCert",
+						ClientKey:     "clientKey",
+						RootCA:        "rootCACert",
+						ProxyAddress:  "localhost:1234",
+						ServerName:    "localhost",
+						AllowInsecure: true,
+					},
+				},
+			},
 		}
 
 		for _, tc := range tcs {
 			ctx := WithGrafanaConfig(context.Background(), tc.cfg)
 			cfg := GrafanaConfigFromContext(ctx)
 
 			require.Equal(t, tc.expectedFeatureToggles, cfg.FeatureToggles())
-			require.Equal(t, tc.expectedProxy, cfg.proxy())
+			proxy, err := cfg.proxy()
+			assert.NoError(t, err)
+
+			require.Equal(t, tc.expectedProxy, proxy)
 		}
 	})
 }
diff --git a/backend/proxy/secure_socks_proxy.go b/backend/proxy/secure_socks_proxy.go
@@ -6,6 +6,7 @@ import (
 	"crypto/x509"
 	"encoding/pem"
 	"errors"
+	"fmt"
 	"net"
 	"net/http"
 	"os"
@@ -39,6 +40,9 @@ var (
 	// PluginSecureSocksProxyServerName is a constant for the GF_SECURE_SOCKS_DATASOURCE_PROXY_SERVER_NAME
 	// environment variable used to specify the server name of the secure socks proxy.
 	PluginSecureSocksProxyServerName = "GF_SECURE_SOCKS_DATASOURCE_PROXY_SERVER_NAME"
+	// PluginSecureSocksProxyAllowInsecure is a constant for the GF_SECURE_SOCKS_DATASOURCE_PROXY_ALLOW_INSECURE
+	// environment variable used to specify if the proxy should use a TLS dialer.
+	PluginSecureSocksProxyAllowInsecure = "GF_SECURE_SOCKS_DATASOURCE_PROXY_ALLOW_INSECURE"
 )
 
 var (
@@ -60,11 +64,12 @@ type Client interface {
 // ClientCfg contains the information needed to allow datasource connections to be
 // proxied to a secure socks proxy.
 type ClientCfg struct {
-	ClientCert   string
-	ClientKey    string
-	RootCA       string
-	ProxyAddress string
-	ServerName   string
+	ClientCert    string
+	ClientKey     string
+	RootCA        string
+	ProxyAddress  string
+	ServerName    string
+	AllowInsecure bool
 }
 
 // New creates a new proxy client from a given config.
@@ -119,6 +124,38 @@ func (p *cfgProxyWrapper) NewSecureSocksProxyContextDialer() (proxy.Dialer, erro
 		return nil, errors.New("proxy not enabled")
 	}
 
+	var dialer proxy.Dialer
+
+	if p.opts.ClientCfg.AllowInsecure {
+		dialer = &net.Dialer{
+			Timeout:   p.opts.Timeouts.Timeout,
+			KeepAlive: p.opts.Timeouts.KeepAlive,
+		}
+	} else {
+		d, err := p.getTLSDialer()
+		if err != nil {
+			return nil, fmt.Errorf("instantiating tls dialer: %w", err)
+		}
+		dialer = d
+	}
+
+	var auth *proxy.Auth
+	if p.opts.Auth != nil {
+		auth = &proxy.Auth{
+			User:     p.opts.Auth.Username,
+			Password: p.opts.Auth.Password,
+		}
+	}
+
+	dialSocksProxy, err := proxy.SOCKS5("tcp", p.opts.ClientCfg.ProxyAddress, auth, dialer)
+	if err != nil {
+		return nil, err
+	}
+
+	return newInstrumentedSocksDialer(dialSocksProxy), nil
+}
+
+func (p *cfgProxyWrapper) getTLSDialer() (*tls.Dialer, error) {
 	certPool := x509.NewCertPool()
 	for _, rootCAFile := range strings.Split(p.opts.ClientCfg.RootCA, " ") {
 		// nolint:gosec
@@ -144,7 +181,7 @@ func (p *cfgProxyWrapper) NewSecureSocksProxyContextDialer() (proxy.Dialer, erro
 		return nil, err
 	}
 
-	tlsDialer := &tls.Dialer{
+	return &tls.Dialer{
 		Config: &tls.Config{
 			Certificates: []tls.Certificate{cert},
 			ServerName:   p.opts.ClientCfg.ServerName,
@@ -155,22 +192,7 @@ func (p *cfgProxyWrapper) NewSecureSocksProxyContextDialer() (proxy.Dialer, erro
 			Timeout:   p.opts.Timeouts.Timeout,
 			KeepAlive: p.opts.Timeouts.KeepAlive,
 		},
-	}
-
-	var auth *proxy.Auth
-	if p.opts.Auth != nil {
-		auth = &proxy.Auth{
-			User:     p.opts.Auth.Username,
-			Password: p.opts.Auth.Password,
-		}
-	}
-
-	dialSocksProxy, err := proxy.SOCKS5("tcp", p.opts.ClientCfg.ProxyAddress, auth, tlsDialer)
-	if err != nil {
-		return nil, err
-	}
-
-	return newInstrumentedSocksDialer(dialSocksProxy), nil
+	}, nil
 }
 
 // getConfigFromEnv gets the needed proxy information from the env variables that Grafana set with the values from the config ini
@@ -182,6 +204,26 @@ func getConfigFromEnv() *ClientCfg {
 		}
 	}
 
+	proxyAddress := ""
+	if value, ok := os.LookupEnv(PluginSecureSocksProxyProxyAddress); ok {
+		proxyAddress = value
+	} else {
+		return nil
+	}
+
+	allowInsecure := false
+	if value, ok := os.LookupEnv(PluginSecureSocksProxyAllowInsecure); ok {
+		allowInsecure, _ = strconv.ParseBool(value)
+	}
+
+	// We only need to fill these fields on insecure mode.
+	if allowInsecure {
+		return &ClientCfg{
+			ProxyAddress:  proxyAddress,
+			AllowInsecure: allowInsecure,
+		}
+	}
+
 	clientCert := ""
 	if value, ok := os.LookupEnv(PluginSecureSocksProxyClientCert); ok {
 		clientCert = value
@@ -203,13 +245,6 @@ func getConfigFromEnv() *ClientCfg {
 		return nil
 	}
 
-	proxyAddress := ""
-	if value, ok := os.LookupEnv(PluginSecureSocksProxyProxyAddress); ok {
-		proxyAddress = value
-	} else {
-		return nil
-	}
-
 	serverName := ""
 	if value, ok := os.LookupEnv(PluginSecureSocksProxyServerName); ok {
 		serverName = value
@@ -218,11 +253,12 @@ func getConfigFromEnv() *ClientCfg {
 	}
 
 	return &ClientCfg{
-		ClientCert:   clientCert,
-		ClientKey:    clientKey,
-		RootCA:       rootCA,
-		ProxyAddress: proxyAddress,
-		ServerName:   serverName,
+		ClientCert:    clientCert,
+		ClientKey:     clientKey,
+		RootCA:        rootCA,
+		ProxyAddress:  proxyAddress,
+		ServerName:    serverName,
+		AllowInsecure: false,
 	}
 }
 
diff --git a/backend/proxy/secure_socks_proxy_test.go b/backend/proxy/secure_socks_proxy_test.go
