Shard: Add support for HTTP Basic Auth

The API end point of some shards are protected with HTTP Basic Auth. This will make the promql-query component to fail receiving a '401 Unauthorized' error response. To address that, we have added the possibility to specify HTTP Basic Auth credentials on shards. Apart from that, the query is performed in the back end for security issues. Since the request's "Authorization" header contains the base64-encoded user and password, if we performed the query in the front end that information would be easy to obtain by inspecting the HTTP requests.
line · Jun 4, 2024 · 4eee35c · 4eee35c
1 parent 4ed6d1b
commit 4eee35c
Show file tree

Hide file tree

Showing 8 changed files with 96 additions and 8 deletions.
diff --git a/promgen/migrations/0023_shard_basic_auth.py b/promgen/migrations/0023_shard_basic_auth.py
@@ -0,0 +1,36 @@
+# Generated by Django 4.2.11 on 2024-06-04 07:52
+
+from django.db import migrations, models
+
+import promgen.validators
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("promgen", "0022_rule_labels_annotations"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="shard",
+            name="basic_auth",
+            field=models.BooleanField(
+                default=False, help_text="This shard's API requires HTTP Basic Auth"
+            ),
+        ),
+        migrations.AddField(
+            model_name="shard",
+            name="basic_auth_password",
+            field=models.CharField(blank=True, max_length=255, null=True),
+        ),
+        migrations.AddField(
+            model_name="shard",
+            name="basic_auth_user",
+            field=models.CharField(
+                blank=True,
+                max_length=255,
+                null=True,
+                validators=[promgen.validators.http_basic_auth_user_id],
+            ),
+        ),
+    ]
diff --git a/promgen/models.py b/promgen/models.py
@@ -189,6 +189,14 @@ class Shard(models.Model):
         default=10000,
         help_text="Estimated Target Count",
     )
+    basic_auth = models.BooleanField(
+        default=False,
+        help_text="This shard's API requires HTTP Basic Auth",
+    )
+    basic_auth_user = models.CharField(
+        max_length=255, validators=[validators.http_basic_auth_user_id], blank=True, null=True
+    )
+    basic_auth_password = models.CharField(max_length=255, blank=True, null=True)
 
     class Meta:
         ordering = ["name"]

diff --git a/promgen/static/js/promgen.vue.js b/promgen/static/js/promgen.vue.js
@@ -185,7 +185,7 @@ app.component('silence-form', {
 
 app.component("promql-query", {
     delimiters: ['[[', ']]'],
-    props: ["href", "query", "max"],
+    props: ["shard", "query", "max"],
     data: function () {
         return {
             count: 0,
@@ -207,9 +207,11 @@ app.component("promql-query", {
     },
     template: '#promql-query-template',
     mounted() {
-        var url = new URL(this.href);
-        url.search = new URLSearchParams({ query: this.query });
-        fetch(url)
+        const params = new URLSearchParams({
+            shard: this.shard,
+            query: this.query,
+        });
+        fetch(`/promql-query?${params}`)
             .then(response => response.json())
             .then(result => this.count = Number.parseInt(result.data.result[0].value[1]))
             .finally(() => this.ready = true);

diff --git a/promgen/templates/promgen/project_form.html b/promgen/templates/promgen/project_form.html
@@ -87,10 +87,10 @@ <h1>Register new Project</h1>
         </td>
         {% if shard.proxy %}
         <td>
-          <promql-query class="label" href='{{shard.url}}/api/v1/query' query='sum(scrape_samples_scraped)' max="{{shard.samples}}">Samples: </promql-query>
+          <promql-query class="label" shard='{{shard.id}}' query='sum(scrape_samples_scraped)' max="{{shard.samples}}">Samples: </promql-query>
         </td>
         <td>
-          <promql-query class="label" href='{{shard.url}}/api/v1/query' query='count(up)' max="{{shard.targets}}">Exporters: </promql-query>
+          <promql-query class="label" shard='{{shard.id}}' query='count(up)' max="{{shard.targets}}">Exporters: </promql-query>
         </td>
         {% else %}
         <td>&nbsp;</td>

diff --git a/promgen/templates/promgen/shard_header.html b/promgen/templates/promgen/shard_header.html
@@ -1,8 +1,8 @@
 {% load i18n %}
 <div class="well">
   {% if shard.proxy %}
-  <promql-query class="label" href='{{shard.url}}/api/v1/query' query='sum(scrape_samples_scraped)' max="{{shard.samples}}">Samples: </promql-query>
-  <promql-query class="label" href='{{shard.url}}/api/v1/query' query='count(up)' max="{{shard.targets}}">Exporters: </promql-query>
+  <promql-query class="label" shard='{{shard.id}}' query='sum(scrape_samples_scraped)' max="{{shard.samples}}">Samples: </promql-query>
+  <promql-query class="label" shard='{{shard.id}}' query='count(up)' max="{{shard.targets}}">Exporters: </promql-query>
   {% endif %}
 
   {% if user.is_superuser %}

diff --git a/promgen/urls.py b/promgen/urls.py
@@ -126,6 +126,8 @@
     path("proxy/v1/silences/<silence_id>", csrf_exempt(proxy.ProxyDeleteSilence.as_view()), name="proxy-silence-delete"),
     # Promgen rest API
     path("rest/", include((router.urls, "api"), namespace="api")),
+    # PromQL Query
+    path("promql-query", views.PromqlQuery.as_view(), name="promql-query"),
 ]
 
 try:

diff --git a/promgen/validators.py b/promgen/validators.py
@@ -52,3 +52,13 @@ def datetime(value):
         parser.parse(value)
     except ValueError:
         raise ValidationError("Invalid timestamp")
+
+
+def http_basic_auth_user_id(value):
+    """
+    Validate a string as an HTTP Basic Auth user-id.
+
+    A valid user-id must not contain colons (:).
+    """
+    if ":" in value:
+        raise ValidationError("Invalid user-id")
diff --git a/promgen/views.py b/promgen/views.py
@@ -8,6 +8,7 @@
 import logging
 import platform
 import time
+from base64 import b64encode
 from itertools import chain
 
 import prometheus_client
@@ -28,6 +29,7 @@
 from django.views.generic.detail import SingleObjectMixin
 from django.views.generic.edit import CreateView, DeleteView, FormView
 from prometheus_client.core import CounterMetricFamily, GaugeMetricFamily
+from requests.exceptions import HTTPError
 
 import promgen.templatetags.promgen as macro
 from promgen import (
@@ -1374,3 +1376,31 @@ def post(self, request, pk):
         return JsonResponse(
             {request.POST["target"]: render_to_string("promgen/ajax_clause_check.html", result)}
         )
+
+
+class PromqlQuery(View):
+    def get(self, request):
+        if not all(x in request.GET for x in ["shard", "query"]):
+            return HttpResponse("BAD REQUEST", status=400)
+
+        shard = models.Shard.objects.get(pk=request.GET["shard"])
+        params = {"query": request.GET["query"]}
+        headers = {}
+
+        if shard.basic_auth:
+            user_pass = b64encode(
+                f"{shard.basic_auth_user}:{shard.basic_auth_password}".encode()
+            ).decode()
+            headers["Authorization"] = f"Basic {user_pass}"
+
+        try:
+            response = util.get(f"{shard.url}/api/v1/query", params=params, headers=headers)
+            response.raise_for_status()
+        except HTTPError:
+            return HttpResponse(
+                response.content,
+                content_type=response.headers["content-type"],
+                status=response.status_code,
+            )
+
+        return HttpResponse(response.content, content_type="application/json")