-
Notifications
You must be signed in to change notification settings - Fork 11.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Plugins: Only set non-existing headers for core plugin requests #78633
Conversation
- Add test scenario
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, makes sense.
pkg/services/pluginsintegration/clientmiddleware/httpclient_middleware_test.go
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please make sure to document this as a breaking change 🙏
Can this be considered a breaking change? I would say it's more of a bug fix. |
6c798e0
to
d6cb569
Compare
Hmmm.. I guess depending on how you look at it, but not sure if someone could be tripped up by this as result and it'd be better to have notice like this to point to. I would say it's safer to add this, but I'd defer to @marefr as he has the most context here. |
@aangelisc can you provide an example of headers causing problems for you? Might be security concerns to allow the client (end user) to override certain headers |
@marefr the Azure auth middleware sets the Afaict, the plugin-sdk middleware will not overwrite a header if it has a non-empty value which is what I'd expect to happen in core as well. |
@aangelisc thanks. Since only Authorization header I would perhaps suggest to only add this logic for this specific header. I'm a bit concerned with security and at the same time have a hard time to see everything that this potentially could affect. But a general example I think about is that the client/user could include HTTP headers that with your logic they'll be sent to the plugin rather than being overwritten by Grafana's internal middlewares. Your main problem is that your Azure HTTP client middleware is executed after the ContextualMiddleware. Rather than appending your middleware here https://github.com/grafana/grafana-azure-sdk-go/blob/b20aac068928f54c7c89e32ef07b517d9cec8750/azhttpclient/options.go#L26 you might be able to use the opts.ConfigureMiddleware = func(opts Options, existingMiddleware []Middleware) []Middleware {
mws := []httpclient.Middleware{}
inserted := false
for _, mw := range existingMiddleware {
if name, ok := mw.(httpclient.MiddlewareName); ok && name.MiddlewareName() ==httpclient.ContextualMiddlewareName {
mws = append(mws, <azure middleware>
inserted = true
}
mws = append(mws, mw)
}
if !inserted {
mws = append(mws, <azure middleware>
}
} Update: I'll go ahead and approve this. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM and agree bugfix and not breaking and should only affect core plugins (I believe)
Thanks for the review comments all @andresmgot @wbrowne @marefr! |
Fixes #78629
When a plugin request has headers that have been set by some logic in the plugin or some other middleware this change prevents the
HTTPClient
middleware from overwriting those headers. This is the same logic as that which already exists in the plugin-sdk.