grafana · njvrzm · Nov 28, 2024 · Nov 22, 2024 · Nov 25, 2024 · Nov 26, 2024
@@ -2,6 +2,8 @@ package backend
 
 import (
 	"context"
+	"encoding/base64"
+	"encoding/pem"
 	"errors"
 	"fmt"
 	"os"
@@ -96,15 +98,34 @@ func (c *GrafanaCfg) Equal(c2 *GrafanaCfg) bool {
 	return true
 }
 
-// ProxyHash returns the last four bytes of the PDC client key contents,
-// if present, for use in datasource instance caching
+// ProxyHash returns the last four characters of the base64-encoded
+// // PDC client key contents, if present, for use in datasource instance
+// caching. The contents should be PEM-encoded, so we try to PEM-decode
+// them, and, if successful, return the base-64 encoding of the final three bytes,
+// giving a four character hash.
 func (c *GrafanaCfg) ProxyHash() string {
 	if c == nil {
 		return ""
 	}
-	key := c.config[proxy.PluginSecureSocksProxyClientKeyContents]
-	start := max(len(key)-4, 0)
-	return key[start:]
+	contents := c.config[proxy.PluginSecureSocksProxyClientKeyContents]
+	if contents == "" {
+		return ""
+	}
+	block, _ := pem.Decode([]byte(contents))
+	if block == nil {
+		Logger.Warn("ProxyHash(): key contents are not PEM-encoded")
+		return ""
+	}
+	if block.Type != "PRIVATE KEY" {
+		Logger.Warn("ProxyHash(): key contents are not PEM-encoded private key")
+		return ""
+	}
+	bl := len(block.Bytes)
+	if bl < 3 {
+		Logger.Warn("ProxyHash(): key contents too short")
+		return ""
+	}
+	return base64.StdEncoding.EncodeToString(block.Bytes[bl-3:])
 }
 
 type FeatureToggles struct {

@@ -2,6 +2,10 @@ package backend
 
 import (
 	"context"
+	"crypto/rand"
+	"encoding/pem"
+	"fmt"
+	mathrand "math/rand"
 	"os"
 	"testing"
 
@@ -358,3 +362,33 @@ func TestPluginAppClientSecret(t *testing.T) {
 		require.Equal(t, "client-secret", v)
 	})
 }
+
+func randomProxyContents() []byte {
+	key := make([]byte, 48)
+	_, _ = rand.Read(key)
+	pb := pem.Block{
+		Type:  "PRIVATE KEY",
+		Bytes: key,
+	}
+	return pem.EncodeToMemory(&pb)
+}
+
+var b64chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789/+"
+
+func BenchmarkProxyHash(b *testing.B) {
+	count := 0
+	kBytes := randomProxyContents()
+	cm := map[string]string{
+		proxy.PluginSecureSocksProxyClientKeyContents: string(kBytes),
+	}
+	for i := 0; i < b.N; i++ {
+		kBytes[88] = b64chars[mathrand.Intn(64)] //nolint:gosec
+		cm[proxy.PluginSecureSocksProxyClientKeyContents] = string(kBytes)
+		cfg := NewGrafanaCfg(cm)
+		hash := cfg.ProxyHash()
+		if hash[0] == 'a' {
+			count++
+		}
+	}
+	fmt.Printf("This should be about one in 64: %f\n", float64(count)/float64(b.N))
+}
diff --git a/backend/datasource/instance_provider.go b/backend/datasource/instance_provider.go
@@ -63,7 +63,8 @@ func (ip *instanceProvider) GetKey(ctx context.Context, pluginContext backend.Pl
 	proxyHash := pluginContext.GrafanaConfig.ProxyHash()
 	tenantID := tenant.IDFromContext(ctx)
 
-	return fmt.Sprintf("%d#%s#%s", dsID, tenantID, proxyHash), nil
+	key := fmt.Sprintf("%d#%s#%s", dsID, tenantID, proxyHash)
+	return key, nil
 }
 
 func (ip *instanceProvider) NeedsUpdate(_ context.Context, pluginContext backend.PluginContext, cachedInstance instancemgmt.CachedInstance) bool {

@@ -2,6 +2,10 @@ package datasource
 
 import (
 	"context"
+	"encoding/base64"
+	"encoding/pem"
+	"fmt"
+	"strings"
 	"testing"
 	"time"
 
@@ -35,15 +39,25 @@ func TestInstanceProvider(t *testing.T) {
 	})
 
 	t.Run("When PDC is configured, datasource cache key should include its (so-called) hash", func(t *testing.T) {
+		// the value of Bytes below must be a multiple of three in length for this test
+		// to pass, but that's an artifact of how the target value is created. The code
+		// itself isn't affected by the length of the key as long as it's at least 3 bytes.
+		contents := pem.EncodeToMemory(&pem.Block{
+			Type:  "PRIVATE KEY",
+			Bytes: []byte("this will work."),
+		})
+		want := base64.StdEncoding.EncodeToString([]byte("this will work."))
+		want = strings.TrimRight(want, "=")
+		want = want[len(want)-4:]
 		cfg := backend.NewGrafanaCfg(map[string]string{
-			proxy.PluginSecureSocksProxyClientKeyContents: "This should work",
+			proxy.PluginSecureSocksProxyClientKeyContents: string(contents),
 		})
 		key, err := ip.GetKey(context.Background(), backend.PluginContext{
 			DataSourceInstanceSettings: &backend.DataSourceInstanceSettings{ID: 5},
 			GrafanaConfig:              cfg,
 		})
 		require.NoError(t, err)
-		require.Equal(t, "5##work", key)
+		require.Equal(t, fmt.Sprintf("5##%s", want), key)
 	})
 
 	t.Run("When PDC is configured but the key is empty, no problem", func(t *testing.T) {
@@ -58,16 +72,16 @@ func TestInstanceProvider(t *testing.T) {
 		require.Equal(t, "6##", key)
 	})
 
-	t.Run("When PDC is configured, a too-short key doesn't cause an error", func(t *testing.T) {
+	t.Run("When PDC is configured but the key is not PEM-encoded, no problem", func(t *testing.T) {
 		cfg := backend.NewGrafanaCfg(map[string]string{
-			proxy.PluginSecureSocksProxyClientKeyContents: "doh",
+			proxy.PluginSecureSocksProxyClientKeyContents: "this is not\na valid string\n",
 		})
 		key, err := ip.GetKey(context.Background(), backend.PluginContext{
-			DataSourceInstanceSettings: &backend.DataSourceInstanceSettings{ID: 7},
+			DataSourceInstanceSettings: &backend.DataSourceInstanceSettings{ID: 6},
 			GrafanaConfig:              cfg,
 		})
 		require.NoError(t, err)
-		require.Equal(t, "7##doh", key)
+		require.Equal(t, "6##", key)
 	})
 
 	t.Run("When both the configuration and updated field of current data source instance settings are equal to the cache, should return false", func(t *testing.T) {