Snapshot: Fix http api (#18830)

(cherry picked from commit be2e2330f5c1f92082841d7eb13c5583143963a4)

Snapshot: Fix http api (#18830)
(cherry picked from commit be2e2330f5c1f92082841d7eb13c5583143963a4)
964c2e72 · Marcus Efraimsson · GitHub · 2672b922 · 964c2e72 · 964c2e72
Commit 964c2e72 authored Sep 02, 2019 by Marcus Efraimsson Committed by GitHub Sep 02, 2019
Show whitespace changes
Inline Side-by-side

Showing with 47 additions and 7 deletions

conf/defaults.ini
+4 -0

conf/sample.ini
+4 -0

pkg/api/api.go
+8 -7

pkg/middleware/auth.go
+13 -0

pkg/middleware/auth_test.go
+16 -0

pkg/setting/setting.go
+2 -0

No files found.
--- a/conf/defaults.ini
+++ b/conf/defaults.ini
@@ -214,6 +214,10 @@ external_enabled = true
 external_snapshot_url = https://snapshots-origin.raintank.io
 external_snapshot_name = Publish to snapshot.raintank.io

+# Set to true to enable this Grafana instance act as an external snapshot server and allow unauthenticated requests for
+# creating and deleting snapshots.
+public_mode = false
+
 # remove expired snapshot
 snapshot_remove_expired = true


--- a/conf/sample.ini
+++ b/conf/sample.ini
@@ -209,6 +209,10 @@
 ;external_snapshot_url = https://snapshots-origin.raintank.io
 ;external_snapshot_name = Publish to snapshot.raintank.io

+# Set to true to enable this Grafana instance act as an external snapshot server and allow unauthenticated requests for
+# creating and deleting snapshots.
+;public_mode = false
+
 # remove expired snapshot
 ;snapshot_remove_expired = true


--- a/pkg/api/api.go
+++ b/pkg/api/api.go
@@ -15,6 +15,7 @@ func (hs *HTTPServer) registerRoutes() {
 	reqEditorRole := middleware.ReqEditorRole
 	reqOrgAdmin := middleware.ReqOrgAdmin
 	reqCanAccessTeams := middleware.AdminOrFeatureEnabled(hs.Cfg.EditorsCanAdmin)
+	reqSnapshotPublicModeOrSignedIn := middleware.SnapshotPublicModeOrSignedIn()
 	redirectFromLegacyDashboardURL := middleware.RedirectFromLegacyDashboardURL()
 	redirectFromLegacyDashboardSoloURL := middleware.RedirectFromLegacyDashboardSoloURL()
 	quota := middleware.Quota(hs.QuotaService)
@@ -104,13 +105,6 @@ func (hs *HTTPServer) registerRoutes() {
 	r.Get("/dashboard/snapshot/*", hs.Index)
 	r.Get("/dashboard/snapshots/", reqSignedIn, hs.Index)

-	// api for dashboard snapshots
-	r.Post("/api/snapshots/", bind(models.CreateDashboardSnapshotCommand{}), CreateDashboardSnapshot)
-	r.Get("/api/snapshot/shared-options/", GetSharingOptions)
-	r.Get("/api/snapshots/:key", GetDashboardSnapshot)
-	r.Get("/api/snapshots-delete/:deleteKey", Wrap(DeleteDashboardSnapshotByDeleteKey))
-	r.Delete("/api/snapshots/:key", reqEditorRole, Wrap(DeleteDashboardSnapshot))
-
 	// api renew session based on cookie
 	r.Get("/api/login/ping", quota("session"), Wrap(hs.LoginAPIPing))

@@ -418,4 +412,11 @@ func (hs *HTTPServer) registerRoutes() {

 	// streams
 	//r.Post("/api/streams/push", reqSignedIn, bind(dtos.StreamMessage{}), liveConn.PushToStream)
+
+	// Snapshots
+	r.Post("/api/snapshots/", reqSnapshotPublicModeOrSignedIn, bind(models.CreateDashboardSnapshotCommand{}), CreateDashboardSnapshot)
+	r.Get("/api/snapshot/shared-options/", reqSignedIn, GetSharingOptions)
+	r.Get("/api/snapshots/:key", GetDashboardSnapshot)
+	r.Get("/api/snapshots-delete/:deleteKey", reqSnapshotPublicModeOrSignedIn, Wrap(DeleteDashboardSnapshotByDeleteKey))
+	r.Delete("/api/snapshots/:key", reqEditorRole, Wrap(DeleteDashboardSnapshot))
 }
--- a/pkg/middleware/auth.go
+++ b/pkg/middleware/auth.go
@@ -103,3 +103,16 @@ func AdminOrFeatureEnabled(enabled bool) macaron.Handler {
 		}
 	}
 }
+
+func SnapshotPublicModeOrSignedIn() macaron.Handler {
+	return func(c *m.ReqContext) {
+		if setting.SnapshotPublicMode {
+			return
+		}
+
+		_, err := c.Invoke(ReqSignedIn)
+		if err != nil {
+			c.JsonApiErr(500, "Failed to invoke required signed in middleware", err)
+		}
+	}
+}
--- a/pkg/middleware/auth_test.go
+++ b/pkg/middleware/auth_test.go
@@ -3,6 +3,8 @@ package middleware
 import (
 	"testing"

+	"github.com/grafana/grafana/pkg/setting"
+
 	. "github.com/smartystreets/goconvey/convey"
 )

@@ -31,5 +33,19 @@ func TestMiddlewareAuth(t *testing.T) {
 			})
 		})

+		Convey("snapshot public mode or signed in", func() {
+			middlewareScenario(t, "Snapshot public mode disabled and unauthenticated request should return 401", func(sc *scenarioContext) {
+				sc.m.Get("/api/snapshot", SnapshotPublicModeOrSignedIn(), sc.defaultHandler)
+				sc.fakeReq("GET", "/api/snapshot").exec()
+				So(sc.resp.Code, ShouldEqual, 401)
+			})
+
+			middlewareScenario(t, "Snapshot public mode enabled and unauthenticated request should return 200", func(sc *scenarioContext) {
+				setting.SnapshotPublicMode = true
+				sc.m.Get("/api/snapshot", SnapshotPublicModeOrSignedIn(), sc.defaultHandler)
+				sc.fakeReq("GET", "/api/snapshot").exec()
+				So(sc.resp.Code, ShouldEqual, 200)
+			})
+		})
 	})
 }
--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@@ -108,6 +108,7 @@ var (
 	ExternalSnapshotName  string
 	ExternalEnabled       bool
 	SnapShotRemoveExpired bool
+	SnapshotPublicMode    bool

 	// Dashboard history
 	DashboardVersionsToKeep int
@@ -734,6 +735,7 @@ func (cfg *Cfg) Load(args *CommandLineArgs) error {
 	}
 	ExternalEnabled = snapshots.Key("external_enabled").MustBool(true)
 	SnapShotRemoveExpired = snapshots.Key("snapshot_remove_expired").MustBool(true)
+	SnapshotPublicMode = snapshots.Key("public_mode").MustBool(false)

 	// read dashboard settings
 	dashboards := iniFile.Section("dashboards")