Auth: Add Sigv4 auth option to datasources (#27552)

* create transport chain * add frontend * remove log * inline field updates * allow ARN, Credentials + Keys auth in frontend * configure credentials * add tests and refactor * update frontend json field names * fix tests * fix comment * add app config flag * refactor tests * add return field for tests * add flag for UI display * update comment * move logic * fix config * pass config through props * update docs * pr feedback and add docs coverage * shorten settings filename * fix imports * revert docs changes * remove log line * wrap up next as round tripper * only propagate required config * remove unused import * remove ARN option and replace with default chain * make ARN role assume as supplemental * update docs * refactor flow * sign body when necessary * remove unnecessary wrapper * remove newline * Apply suggestions from code review * PR fixes Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>

Auth: Add Sigv4 auth option to datasources (#27552)
* create transport chain * add frontend * remove log * inline field updates * allow ARN, Credentials + Keys auth in frontend * configure credentials * add tests and refactor * update frontend json field names * fix tests * fix comment * add app config flag * refactor tests * add return field for tests * add flag for UI display * update comment * move logic * fix config * pass config through props * update docs * pr feedback and add docs coverage * shorten settings filename * fix imports * revert docs changes * remove log line * wrap up next as round tripper * only propagate required config * remove unused import * remove ARN option and replace with default chain * make ARN role assume as supplemental * update docs * refactor flow * sign body when necessary * remove unnecessary wrapper * remove newline * Apply suggestions from code review * PR fixes Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
7d63b2c4 · Will Browne · GitHub · ab33e467 · 7d63b2c4 · 7d63b2c4
Commit 7d63b2c4 authored Oct 08, 2020 by Will Browne Committed by GitHub Oct 08, 2020
17 changed files
--- a/conf/defaults.ini
+++ b/conf/defaults.ini
@@ -307,6 +307,9 @@ oauth_state_cookie_max_age = 600
 # limit of api_key seconds to live before expiration
 api_key_max_seconds_to_live = -1

+# Set to true to enable SigV4 authentication option for HTTP-based datasources
+sigv4_auth_enabled = false
+
 #################################### Anonymous Auth ######################
 [auth.anonymous]
 # enable anonymous access

--- a/conf/sample.ini
+++ b/conf/sample.ini
@@ -306,6 +306,9 @@
 # limit of api_key seconds to live before expiration
 ;api_key_max_seconds_to_live = -1

+# Set to true to enable SigV4 authentication option for HTTP-based datasources.
+;sigv4_auth_enabled = false
+
 #################################### Anonymous Auth ######################
 [auth.anonymous]
 # enable anonymous access

--- a/docs/sources/administration/configuration.md
+++ b/docs/sources/administration/configuration.md
@@ -649,6 +649,12 @@ Administrators can increase this if they experience OAuth login state mismatch e

 Limit of API key seconds to live before expiration. Default is -1 (unlimited).

+### sigv4_auth_enabled
+
+> Only available in Grafana 7.3+.
+
+Set to `true` to enable the AWS Signature Version 4 Authentication option for HTTP-based datasources. Default is `false`.
+
 <hr />

 ## [auth.anonymous]

--- a/packages/grafana-data/src/types/config.ts
+++ b/packages/grafana-data/src/types/config.ts
@@ -83,6 +83,7 @@ export interface GrafanaConfig {
  authProxyEnabled: boolean;
  exploreEnabled: boolean;
  ldapEnabled: boolean;
+  sigV4AuthEnabled: boolean;
  samlEnabled: boolean;
  autoAssignOrg: boolean;
  verifyEmailEnabled: boolean;

--- a/packages/grafana-runtime/src/config.ts
+++ b/packages/grafana-runtime/src/config.ts
@@ -36,6 +36,7 @@ export class GrafanaBootConfig implements GrafanaConfig {
  authProxyEnabled = false;
  exploreEnabled = false;
  ldapEnabled = false;
+  sigV4AuthEnabled = false;
  samlEnabled = false;
  autoAssignOrg = true;
  verifyEmailEnabled = false;

--- a/packages/grafana-ui/src/components/DataSourceSettings/DataSourceHttpSettings.mdx
+++ b/packages/grafana-ui/src/components/DataSourceSettings/DataSourceHttpSettings.mdx
@@ -13,7 +13,7 @@ It is used in a `ConfigEditor` for data source plugins. You can find more exampl
 ### Example usage
 ```jsx
 export const ConfigEditor = (props: Props) => {
-  const { options, onOptionsChange } = props;
+  const { options, onOptionsChange, config } = props;
  return (
    <>
      <DataSourceHttpSettings
@@ -21,6 +21,7 @@ export const ConfigEditor = (props: Props) => {
        dataSourceConfig={options}
        showAccessOptions={true}
        onChange={onOptionsChange}
+        sigV4AuthEnabled={false}
      />

      {/* Additional configuration settings for your data source plugin.*/}

--- a/packages/grafana-ui/src/components/DataSourceSettings/DataSourceHttpSettings.tsx
+++ b/packages/grafana-ui/src/components/DataSourceSettings/DataSourceHttpSettings.tsx
@@ -12,6 +12,7 @@ import { Icon } from '../Icon/Icon';
 import { FormField } from '../FormField/FormField';
 import { InlineFormLabel } from '../FormLabel/FormLabel';
 import { TagsInput } from '../TagsInput/TagsInput';
+import { SigV4AuthSettings } from './SigV4AuthSettings';
 import { useTheme } from '../../themes';
 import { HttpSettingsProps } from './types';

@@ -55,7 +56,7 @@ const HttpAccessHelp = () => (
 );

 export const DataSourceHttpSettings: React.FC<HttpSettingsProps> = props => {
-  const { defaultUrl, dataSourceConfig, onChange, showAccessOptions } = props;
+  const { defaultUrl, dataSourceConfig, onChange, showAccessOptions, sigV4AuthToggleEnabled } = props;
  let urlTooltip;
  const [isAccessHelpVisible, setIsAccessHelpVisible] = useState(false);
  const theme = useTheme();
@@ -189,6 +190,21 @@ export const DataSourceHttpSettings: React.FC<HttpSettingsProps> = props => {
            />
          </div>

+          {sigV4AuthToggleEnabled && (
+            <div className="gf-form-inline">
+              <Switch
+                label="SigV4 auth"
+                labelClass="width-13"
+                checked={dataSourceConfig.jsonData.sigV4Auth || false}
+                onChange={event => {
+                  onSettingsChange({
+                    jsonData: { ...dataSourceConfig.jsonData, sigV4Auth: event!.currentTarget.checked },
+                  });
+                }}
+              />
+            </div>
+          )}
+
          {dataSourceConfig.access === 'proxy' && (
            <HttpProxySettings
              dataSourceConfig={dataSourceConfig}
@@ -205,6 +221,8 @@ export const DataSourceHttpSettings: React.FC<HttpSettingsProps> = props => {
          </>
        )}

+        {dataSourceConfig.jsonData.sigV4Auth && <SigV4AuthSettings {...props} />}
+
        {(dataSourceConfig.jsonData.tlsAuth || dataSourceConfig.jsonData.tlsAuthWithCACert) && (
          <TLSAuthSettings dataSourceConfig={dataSourceConfig} onChange={onChange} />
        )}

--- a/packages/grafana-ui/src/components/DataSourceSettings/SigV4AuthSettings.tsx
+++ b/packages/grafana-ui/src/components/DataSourceSettings/SigV4AuthSettings.tsx
--- a/packages/grafana-ui/src/components/DataSourceSettings/types.ts
+++ b/packages/grafana-ui/src/components/DataSourceSettings/types.ts
@@ -12,4 +12,6 @@ export interface HttpSettingsProps extends HttpSettingsBaseProps {
  defaultUrl: string;
  /** Show the http access help box */
  showAccessOptions?: boolean;
+  /** Show the SigV4 auth toggle option */
+  sigV4AuthToggleEnabled?: boolean;
 }
--- a/pkg/api/frontendsettings.go
+++ b/pkg/api/frontendsettings.go
@@ -203,6 +203,7 @@ func (hs *HTTPServer) getFrontendSettingsMap(c *models.ReqContext) (map[string]i
 		"alertingMinInterval":        setting.AlertingMinInterval,
 		"autoAssignOrg":              setting.AutoAssignOrg,
 		"verifyEmailEnabled":         setting.VerifyEmailEnabled,
+		"sigV4AuthEnabled":           setting.SigV4AuthEnabled,
 		"exploreEnabled":             setting.ExploreEnabled,
 		"googleAnalyticsId":          setting.GoogleAnalyticsId,
 		"disableLoginForm":           setting.DisableLoginForm,

--- a/pkg/models/datasource_cache.go
+++ b/pkg/models/datasource_cache.go
@@ -69,6 +69,7 @@ type dataSourceTransport struct {
 	datasourceName string
 	headers        map[string]string
 	transport      *http.Transport
+	next           http.RoundTripper
 }

 func instrumentRoundtrip(datasourceName string, next http.RoundTripper) promhttp.RoundTripperFunc {
@@ -108,7 +109,7 @@ func (d *dataSourceTransport) RoundTrip(req *http.Request) (*http.Response, erro
 		req.Header.Set(key, value)
 	}

-	return instrumentRoundtrip(d.datasourceName, d.transport).RoundTrip(req)
+	return instrumentRoundtrip(d.datasourceName, d.next).RoundTrip(req)
 }

 type cachedTransport struct {
@@ -133,6 +134,7 @@ func (ds *DataSource) GetHttpClient() (*http.Client, error) {
 	}, nil
 }

+// Creates a HTTP Transport middleware chain
 func (ds *DataSource) GetHttpTransport() (*dataSourceTransport, error) {
 	ptc.Lock()
 	defer ptc.Unlock()
@@ -163,10 +165,19 @@ func (ds *DataSource) GetHttpTransport() (*dataSourceTransport, error) {
 		IdleConnTimeout:       90 * time.Second,
 	}

+	// Set default next round tripper to the default transport
+	next := http.RoundTripper(transport)
+
+	// Add SigV4 middleware if enabled, which will then defer to the default transport
+	if ds.JsonData != nil && ds.JsonData.Get("sigV4Auth").MustBool() && setting.SigV4AuthEnabled {
+		next = ds.sigV4Middleware(transport)
+	}
+
 	dsTransport := &dataSourceTransport{
+		datasourceName: ds.Name,
 		headers:        customHeaders,
 		transport:      transport,
-		datasourceName: ds.Name,
+		next:           next,
 	}

 	ptc.cache[ds.Id] = cachedTransport{
@@ -177,6 +188,23 @@ func (ds *DataSource) GetHttpTransport() (*dataSourceTransport, error) {
 	return dsTransport, nil
 }

+func (ds *DataSource) sigV4Middleware(next http.RoundTripper) http.RoundTripper {
+	decrypted := ds.DecryptedValues()
+
+	return &SigV4Middleware{
+		Config: &Config{
+			AccessKey:     decrypted["accessKey"],
+			SecretKey:     decrypted["secretKey"],
+			Region:        ds.JsonData.Get("region").MustString(),
+			AssumeRoleARN: ds.JsonData.Get("assumeRoleArn").MustString(),
+			AuthType:      ds.JsonData.Get("authType").MustString(),
+			ExternalID:    ds.JsonData.Get("externalId").MustString(),
+			Profile:       ds.JsonData.Get("profile").MustString(),
+		},
+		Next: next,
+	}
+}
+
 func (ds *DataSource) GetTLSConfig() (*tls.Config, error) {
 	var tlsSkipVerify, tlsClientAuth, tlsAuthWithCACert bool
 	if ds.JsonData != nil {

--- a/pkg/models/datasource_cache_test.go
+++ b/pkg/models/datasource_cache_test.go
@@ -291,6 +291,78 @@ func TestDataSourceDecryptionCache(t *testing.T) {
 	})
 }

+func TestDataSourceSigV4Auth(t *testing.T) {
+	Convey("When caching a datasource proxy with middleware", t, func() {
+		clearDSProxyCache()
+		origEnabled := setting.SigV4AuthEnabled
+		setting.SigV4AuthEnabled = true
+		t.Cleanup(func() {
+			setting.SigV4AuthEnabled = origEnabled
+		})
+
+		json, err := simplejson.NewJson([]byte(`{ "sigV4Auth": true }`))
+		So(err, ShouldBeNil)
+
+		ds := DataSource{
+			JsonData: json,
+		}
+
+		t, err := ds.GetHttpTransport()
+		So(err, ShouldBeNil)
+
+		Convey("SigV4 is in middleware chain if configured in JsonData", func() {
+			m1, ok := t.next.(*SigV4Middleware)
+			So(ok, ShouldEqual, true)
+
+			_, ok = m1.Next.(*http.Transport)
+			So(ok, ShouldEqual, true)
+		})
+	})
+
+	Convey("When caching a datasource proxy with middleware", t, func() {
+		clearDSProxyCache()
+		origEnabled := setting.SigV4AuthEnabled
+		setting.SigV4AuthEnabled = true
+		t.Cleanup(func() {
+			setting.SigV4AuthEnabled = origEnabled
+		})
+
+		ds := DataSource{}
+
+		t, err := ds.GetHttpTransport()
+		So(err, ShouldBeNil)
+
+		Convey("Should not include sigV4 middleware if not configured in JsonData", func() {
+			_, ok := t.next.(*http.Transport)
+			So(ok, ShouldEqual, true)
+		})
+	})
+
+	Convey("When caching a datasource proxy with middleware", t, func() {
+		clearDSProxyCache()
+		origEnabled := setting.SigV4AuthEnabled
+		setting.SigV4AuthEnabled = false
+		t.Cleanup(func() {
+			setting.SigV4AuthEnabled = origEnabled
+		})
+
+		json, err := simplejson.NewJson([]byte(`{ "sigV4Auth": true }`))
+		So(err, ShouldBeNil)
+
+		ds := DataSource{
+			JsonData: json,
+		}
+
+		t, err := ds.GetHttpTransport()
+		So(err, ShouldBeNil)
+
+		Convey("Should not include sigV4 middleware if not configured in app config", func() {
+			_, ok := t.next.(*http.Transport)
+			So(ok, ShouldEqual, true)
+		})
+	})
+}
+
 func clearDSProxyCache() {
 	ptc.Lock()
 	defer ptc.Unlock()

--- a/pkg/models/sigv4.go
+++ b/pkg/models/sigv4.go
+package models
+
+import (
+	"bytes"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"time"
+
+	"github.com/aws/aws-sdk-go/aws"
+
+	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
+	"github.com/aws/aws-sdk-go/aws/session"
+
+	"github.com/aws/aws-sdk-go/aws/defaults"
+
+	"github.com/aws/aws-sdk-go/aws/credentials"
+	v4 "github.com/aws/aws-sdk-go/aws/signer/v4"
+)
+
+type AuthType string
+
+const (
+	Default     AuthType = "default"
+	Keys        AuthType = "keys"
+	Credentials AuthType = "credentials"
+)
+
+type SigV4Middleware struct {
+	Config *Config
+	Next   http.RoundTripper
+}
+
+type Config struct {
+	AuthType string
+
+	Profile string
+
+	AccessKey string
+	SecretKey string
+
+	AssumeRoleARN string
+	ExternalID    string
+	Region        string
+}
+
+func (m *SigV4Middleware) RoundTrip(req *http.Request) (*http.Response, error) {
+	_, err := m.signRequest(req)
+	if err != nil {
+		return nil, err
+	}
+
+	if m.Next == nil {
+		return http.DefaultTransport.RoundTrip(req)
+	}
+
+	return m.Next.RoundTrip(req)
+}
+
+func (m *SigV4Middleware) signRequest(req *http.Request) (http.Header, error) {
+	signer, err := m.signer()
+	if err != nil {
+		return nil, err
+	}
+
+	if req.Body != nil {
+		// consume entire request body so that the signer can generate a hash from the contents
+		body, err := ioutil.ReadAll(req.Body)
+		if err != nil {
+			return nil, err
+		}
+		return signer.Sign(req, bytes.NewReader(body), "grafana", m.Config.Region, time.Now().UTC())
+	}
+	return signer.Sign(req, nil, "grafana", m.Config.Region, time.Now().UTC())
+}
+
+func (m *SigV4Middleware) signer() (*v4.Signer, error) {
+	c, err := m.credentials()
+	if err != nil {
+		return nil, err
+	}
+
+	if m.Config.AssumeRoleARN != "" {
+		s, err := session.NewSession(&aws.Config{
+			Region:      aws.String(m.Config.Region),
+			Credentials: c},
+		)
+		if err != nil {
+			return nil, err
+		}
+		return v4.NewSigner(stscreds.NewCredentials(s, m.Config.AssumeRoleARN)), nil
+	}
+
+	return v4.NewSigner(c), nil
+}
+
+func (m *SigV4Middleware) credentials() (*credentials.Credentials, error) {
+	authType := AuthType(m.Config.AuthType)
+
+	switch authType {
+	case Default:
+		return defaults.CredChain(defaults.Config(), defaults.Handlers()), nil
+	case Keys:
+		return credentials.NewStaticCredentials(m.Config.AccessKey, m.Config.SecretKey, ""), nil
+	case Credentials:
+		return credentials.NewSharedCredentials("", m.Config.Profile), nil
+	}
+
+	return nil, fmt.Errorf("unrecognized authType: %s", authType)
+}
--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@@ -143,6 +143,7 @@ var (
 	AdminPassword    string
 	LoginCookieName  string
 	LoginMaxLifetime time.Duration
+	SigV4AuthEnabled bool

 	AnonymousEnabled bool
 	AnonymousOrgName string
@@ -280,6 +281,7 @@ type Cfg struct {
 	LoginMaxInactiveLifetime     time.Duration
 	LoginMaxLifetime             time.Duration
 	TokenRotationIntervalMinutes int
+	SigV4AuthEnabled             bool

 	// OAuth
 	OAuthCookieMaxAge int
@@ -990,6 +992,10 @@ func readAuthSettings(iniFile *ini.File, cfg *Cfg) (err error) {
 	cfg.OAuthCookieMaxAge = auth.Key("oauth_state_cookie_max_age").MustInt(600)
 	SignoutRedirectUrl = valueAsString(auth, "signout_redirect_url", "")

+	// SigV4
+	SigV4AuthEnabled = auth.Key("sigv4_auth_enabled").MustBool(false)
+	cfg.SigV4AuthEnabled = SigV4AuthEnabled
+
 	// SAML auth
 	cfg.SAMLEnabled = iniFile.Section("auth.saml").Key("enabled").MustBool(false)


--- a/public/app/plugins/datasource/cloudwatch/components/ConfigEditor.tsx
+++ b/public/app/plugins/datasource/cloudwatch/components/ConfigEditor.tsx
@@ -41,7 +41,7 @@ export class ConfigEditor extends PureComponent<Props, State> {
    this.loadRegionsPromise = makePromiseCancelable(this.loadRegions());
    this.loadRegionsPromise.promise.catch(({ isCanceled }) => {
      if (isCanceled) {
-        console.warn('Cloud Watch ConfigEditor has unmounted, intialization was canceled');
+        console.warn('Cloud Watch ConfigEditor has unmounted, initialization was canceled');
      }
    });
  }

--- a/public/app/plugins/datasource/elasticsearch/configuration/ConfigEditor.tsx
+++ b/public/app/plugins/datasource/elasticsearch/configuration/ConfigEditor.tsx
@@ -5,6 +5,7 @@ import { ElasticsearchOptions } from '../types';
 import { defaultMaxConcurrentShardRequests, ElasticDetails } from './ElasticDetails';
 import { LogsConfig } from './LogsConfig';
 import { DataLinks } from './DataLinks';
+import { config } from 'app/core/config';

 export type Props = DataSourcePluginOptionsEditorProps<ElasticsearchOptions>;
 export const ConfigEditor = (props: Props) => {
@@ -34,6 +35,7 @@ export const ConfigEditor = (props: Props) => {
        dataSourceConfig={options}
        showAccessOptions={true}
        onChange={onOptionsChange}
+        sigV4AuthToggleEnabled={config.sigV4AuthEnabled}
      />

      <ElasticDetails value={options} onChange={onOptionsChange} />

--- a/public/app/plugins/datasource/prometheus/configuration/ConfigEditor.tsx
+++ b/public/app/plugins/datasource/prometheus/configuration/ConfigEditor.tsx
@@ -3,6 +3,7 @@ import { DataSourceHttpSettings } from '@grafana/ui';
 import { DataSourcePluginOptionsEditorProps } from '@grafana/data';
 import { PromSettings } from './PromSettings';
 import { PromOptions } from '../types';
+import { config } from 'app/core/config';

 export type Props = DataSourcePluginOptionsEditorProps<PromOptions>;
 export const ConfigEditor = (props: Props) => {
@@ -14,6 +15,7 @@ export const ConfigEditor = (props: Props) => {
        dataSourceConfig={options}
        showAccessOptions={true}
        onChange={onOptionsChange}
+        sigV4AuthToggleEnabled={config.sigV4AuthEnabled}
      />

      <PromSettings options={options} onOptionsChange={onOptionsChange} />