secure socks proxy: add option to disable tls in the socks proxy dialer #833
Conversation
PoorlyDefinedBehaviour
requested review from
wbrowne,
marefr and
xnyo
and removed request for
a team
backend/config.go
Outdated
| @@ -103,13 +103,15 @@ type Proxy struct { | |||
|
|
|||
| func (c *GrafanaCfg) proxy() Proxy { | |||
| if v, exists := c.config[proxy.PluginSecureSocksProxyEnabled]; exists && v == strconv.FormatBool(true) { | |||
| allowInsecure, _ := strconv.ParseBool(c.Get(proxy.PluginSecureSocksProxyAllowInsecure)) | |||
There was a problem hiding this comment.
Should check for error/unable to parse here.
| @@ -39,6 +39,9 @@ var ( | |||
| // PluginSecureSocksProxyServerName is a constant for the GF_SECURE_SOCKS_DATASOURCE_PROXY_SERVER_NAME | |||
| // environment variable used to specify the server name of the secure socks proxy. | |||
| PluginSecureSocksProxyServerName = "GF_SECURE_SOCKS_DATASOURCE_PROXY_SERVER_NAME" | |||
| // PluginSecureSocksProxyAllowInsecure is a constant for the GF_SECURE_SOCKS_DATASOURCE_PROXY_ALLOW_INSECURE | |||
| // environment variable used to specify if the proxy should use a TLS dialer. | |||
| PluginSecureSocksProxyAllowInsecure = "GF_SECURE_SOCKS_DATASOURCE_PROXY_ALLOW_INSECURE" | |||
There was a problem hiding this comment.
How is this supposed to be populated? Planning to make further changes to grafana? If so would suggest a PR on grafana now using this branch as sdk dependency
There was a problem hiding this comment.
There was a problem hiding this comment.
Yeah, sorry for not pointing out that. Changes here is needed to be able to change this behaviour on a "global" Grafana level:
https://github.com/grafana/grafana/blob/main/pkg/plugins/envvars/envvars.go#L138-L145
https://github.com/grafana/grafana/blob/9e71dc801d229eae5d791e89905ac864cfeb448a/pkg/plugins/envvars/envvars.go#L248-L260
https://github.com/grafana/grafana/blob/main/pkg/setting/setting_secure_socks_proxy.go
backend/proxy/secure_socks_proxy.go
Outdated
| @@ -108,7 +112,7 @@ func (p *cfgProxyWrapper) ConfigureSecureSocksHTTPProxy(transport *http.Transpor | |||
| } | |||
|
|
|||
| transport.DialContext = contextDialer.DialContext | |||
| return nil | |||
| return nil // No need to include the TLS config since the proxy won't use it. | |||
There was a problem hiding this comment.
Is this comment meant to be here?
| if pemDecoded == nil || pemDecoded.Type != "CERTIFICATE" { | ||
| return nil, errors.New("root ca is invalid") | ||
| if p.opts.ClientCfg.AllowInsecure { | ||
| dialer = &net.Dialer{ |
There was a problem hiding this comment.
Nit. Can maybe return early here to make the code easier to read.
Oops just realized dialer are used further down. If last part moved to a function can maybe simplify the code then? :)
There was a problem hiding this comment.
Done, moved to a function.
| ServerName: "testServer", | ||
| ClientCert: "client.crt", | ||
| ClientKey: "client.key", | ||
| RootCA: "ca.crt", |
There was a problem hiding this comment.
Nit. Based on changes in Grafana this test case when allow insecure is true should never happen. Not sure if it make sense to treat that special here though.
There was a problem hiding this comment.
Updated the test and updated getConfigFromEnv: it won't try to get the tls fields from the env vars when allowInsecure=true because they won't be used
|
Would suggest sync with main before merge. |
…instantiation to a method
PoorlyDefinedBehaviour
requested review from
dafydd-t
and removed request for
dafydd-t
PoorlyDefinedBehaviour
deleted the
secure-socks-proxy/add-insecure-option
branch
What this PR does / why we need it:
Description taken from https://github.com/grafana/hosted-grafana/issues/4935:
Which issue(s) this PR fixes:
Fixes https://github.com/grafana/hosted-grafana/issues/4935