Add table for grafana api tokens

In preparation for supporting the ability to embed Grafana metrics in GitLab Flavored Markdown, we need to allow a way for users to store credentials for us to access the HTTP API for their grafana instance. We expect users to save two key attributes: an authorization token and the url of their grafana instance. This work adds the table and model for storing this auth config.

Add table for grafana api tokens
In preparation for supporting the ability to embed Grafana metrics in GitLab Flavored Markdown, we need to allow a way for users to store credentials for us to access the HTTP API for their grafana instance. We expect users to save two key attributes: an authorization token and the url of their grafana instance. This work adds the table and model for storing this auth config.
48e7ce95 · Sarah Yasonik · Thong Kuah · 9ff8b86e · 48e7ce95 · 48e7ce95
Commit 48e7ce95 authored Oct 03, 2019 by Sarah Yasonik Committed by Thong Kuah Oct 03, 2019
17 changed files
--- a/app/controllers/projects/settings/operations_controller.rb
+++ b/app/controllers/projects/settings/operations_controller.rb
@@ -63,7 +63,9 @@ module Projects
            :api_host,
            :token,
            project: [:slug, :name, :organization_slug, :organization_name]
-          ]
+          ],
+          grafana_integration_attributes: [:token, :grafana_url]
        }
      end
    end

--- a/app/helpers/projects_helper.rb
+++ b/app/helpers/projects_helper.rb
@@ -354,6 +354,14 @@ module ProjectsHelper
    @project.metrics_setting_external_dashboard_url
  end
+  def grafana_integration_url
+    @project.grafana_integration&.grafana_url
+  end
+  def grafana_integration_token
+    @project.grafana_integration&.token
+  end
  private
  def get_project_nav_tabs(project, current_user)

--- a/app/models/grafana_integration.rb
+++ b/app/models/grafana_integration.rb
+# frozen_string_literal: true
+class GrafanaIntegration < ApplicationRecord
+  belongs_to :project
+  attr_encrypted :token,
+    mode:      :per_attribute_iv,
+    algorithm: 'aes-256-gcm',
+    key:       Settings.attr_encrypted_db_key_base_32
+  validates :grafana_url,
+            length: { maximum: 1024 },
+            addressable_url: { enforce_sanitization: true, ascii_only: true }
+  validates :token, :project, presence: true
+end
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -195,6 +195,7 @@ class Project < ApplicationRecord
  has_one :project_repository, inverse_of: :project
  has_one :error_tracking_setting, inverse_of: :project, class_name: 'ErrorTracking::ProjectErrorTrackingSetting'
  has_one :metrics_setting, inverse_of: :project, class_name: 'ProjectMetricsSetting'
+  has_one :grafana_integration, inverse_of: :project
  # Merge Requests for target project should be removed with it
  has_many :merge_requests, foreign_key: 'target_project_id', inverse_of: :target_project
@@ -311,6 +312,7 @@ class Project < ApplicationRecord
  accepts_nested_attributes_for :error_tracking_setting, update_only: true
  accepts_nested_attributes_for :metrics_setting, update_only: true, allow_destroy: true
+  accepts_nested_attributes_for :grafana_integration, update_only: true, allow_destroy: true
  delegate :name, to: :owner, allow_nil: true, prefix: true
  delegate :members, to: :team, prefix: true

--- a/app/services/projects/operations/update_service.rb
+++ b/app/services/projects/operations/update_service.rb
@@ -12,7 +12,9 @@ module Projects
      private
      def project_update_params
-        error_tracking_params.merge(metrics_setting_params)
+        error_tracking_params
+          .merge(metrics_setting_params)
+          .merge(grafana_integration_params)
      end
      def metrics_setting_params
@@ -44,6 +46,14 @@ module Projects
          }
        }
      end
+      def grafana_integration_params
+        return {} unless attrs = params[:grafana_integration_attributes]
+        destroy = attrs[:grafana_url].blank? && attrs[:token].blank?
+        { grafana_integration_attributes: attrs.merge(_destroy: destroy) }
+      end
    end
  end
 end

--- a/changelogs/unreleased/sy-grafana-auth-be.yml
+++ b/changelogs/unreleased/sy-grafana-auth-be.yml
+---
+title: Create table for grafana api token for metrics embeds
+merge_request: 17234
+author:
+type: added
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -16,6 +16,9 @@ en:
        api_url: "Sentry API URL"
      project/metrics_setting:
        external_dashboard_url: "External dashboard URL"
+      project/grafana_integration:
+        token: "Grafana HTTP API Token"
+        grafana_url: "Grafana API URL"
  views:
    pagination:
      previous: "Prev"

--- a/db/migrate/20190918102042_create_grafana_integrations.rb
+++ b/db/migrate/20190918102042_create_grafana_integrations.rb
+# frozen_string_literal: true
+class CreateGrafanaIntegrations < ActiveRecord::Migration[5.2]
+  DOWNTIME = false
+  def change
+    create_table :grafana_integrations do |t|
+      t.references :project, index: true, foreign_key: { on_delete: :cascade }, unique: true, null: false
+      t.timestamps_with_timezone null: false
+      t.string :encrypted_token, limit: 255, null: false
+      t.string :encrypted_token_iv, limit: 255, null: false
+      t.string :grafana_url, null: false, limit: 1024
+    end
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -1704,6 +1704,16 @@ ActiveRecord::Schema.define(version: 2019_09_27_074328) do
    t.index ["project_id"], name: "index_gpg_signatures_on_project_id"
  end
+  create_table "grafana_integrations", force: :cascade do |t|
+    t.bigint "project_id", null: false
+    t.datetime_with_timezone "created_at", null: false
+    t.datetime_with_timezone "updated_at", null: false
+    t.string "encrypted_token", limit: 255, null: false
+    t.string "encrypted_token_iv", limit: 255, null: false
+    t.string "grafana_url", limit: 1024, null: false
+    t.index ["project_id"], name: "index_grafana_integrations_on_project_id"
+  end
  create_table "group_custom_attributes", id: :serial, force: :cascade do |t|
    t.datetime_with_timezone "created_at", null: false
    t.datetime_with_timezone "updated_at", null: false
@@ -3997,6 +4007,7 @@ ActiveRecord::Schema.define(version: 2019_09_27_074328) do
  add_foreign_key "gpg_signatures", "gpg_key_subkeys", on_delete: :nullify
  add_foreign_key "gpg_signatures", "gpg_keys", on_delete: :nullify
  add_foreign_key "gpg_signatures", "projects", on_delete: :cascade
+  add_foreign_key "grafana_integrations", "projects", on_delete: :cascade
  add_foreign_key "group_custom_attributes", "namespaces", column: "group_id", on_delete: :cascade
  add_foreign_key "identities", "saml_providers", name: "fk_aade90f0fc", on_delete: :cascade
  add_foreign_key "import_export_uploads", "projects", on_delete: :cascade

--- a/lib/gitlab/url_blocker.rb
+++ b/lib/gitlab/url_blocker.rb
@@ -125,6 +125,11 @@ module Gitlab
        # If the addr can't be resolved or the url is invalid (i.e http://1.1.1.1.1)
        # we block the url
        raise BlockedUrlError, "Host cannot be resolved or invalid"
+      rescue ArgumentError => error
+        # Addrinfo.getaddrinfo errors if the domain exceeds 1024 characters.
+        raise unless error.message.include?('hostname too long')
+        raise BlockedUrlError, "Host is too long (maximum is 1024 characters)"
      end
      def validate_local_request(

--- a/spec/controllers/projects/settings/operations_controller_spec.rb
+++ b/spec/controllers/projects/settings/operations_controller_spec.rb
@@ -180,6 +180,21 @@ describe Projects::Settings::OperationsController do
    end
  end
+  context 'grafana integration' do
+    describe 'PATCH #update' do
+      let(:params) do
+        {
+          grafana_integration_attributes: {
+            grafana_url: 'https://grafana.gitlab.com',
+            token: 'eyJrIjoicDRlRTREdjhhOEZ5WjZPWXUzazJOSW0zZHJUejVOd3IiLCJuIjoiVGVzdCBLZXkiLCJpZCI6MX0='
+          }
+        }
+      end
+      it_behaves_like 'PATCHable'
+    end
+  end
  private
  def project_params(project, params = {})

--- a/spec/factories/grafana_integrations.rb
+++ b/spec/factories/grafana_integrations.rb
+# frozen_string_literal: true
+FactoryBot.define do
+  factory :grafana_integration, class: GrafanaIntegration do
+    project
+    grafana_url { 'https://grafana.com' }
+    token { SecureRandom.hex(10) }
+  end
+end
--- a/spec/helpers/projects_helper_spec.rb
+++ b/spec/helpers/projects_helper_spec.rb
@@ -902,4 +902,40 @@ describe ProjectsHelper do
      end
    end
  end
+  describe '#grafana_integration_url' do
+    let(:project) { create(:project) }
+    before do
+      helper.instance_variable_set(:@project, project)
+    end
+    subject { helper.grafana_integration_url }
+    it { is_expected.to eq(nil) }
+    context 'grafana integration exists' do
+      let!(:grafana_integration) { create(:grafana_integration, project: project) }
+      it { is_expected.to eq(grafana_integration.grafana_url) }
+    end
+  end
+  describe '#grafana_integration_token' do
+    let(:project) { create(:project) }
+    before do
+      helper.instance_variable_set(:@project, project)
+    end
+    subject { helper.grafana_integration_token }
+    it { is_expected.to eq(nil) }
+    context 'grafana integration exists' do
+      let!(:grafana_integration) { create(:grafana_integration, project: project) }
+      it { is_expected.to eq(grafana_integration.token) }
+    end
+  end
 end
--- a/spec/lib/gitlab/import_export/all_models.yml
+++ b/spec/lib/gitlab/import_export/all_models.yml
@@ -411,6 +411,7 @@ project:
 - external_pull_requests
 - pages_metadatum
 - alerts_service
+- grafana_integration
 award_emoji:
 - awardable
 - user

--- a/spec/lib/gitlab/url_blocker_spec.rb
+++ b/spec/lib/gitlab/url_blocker_spec.rb
@@ -62,6 +62,14 @@ describe Gitlab::UrlBlocker do
          expect { subject }.to raise_error(described_class::BlockedUrlError)
        end
      end
+      context 'when domain is too long' do
+        let(:import_url) { 'https://example' + 'a' * 1024 + '.com' }
+        it 'raises an error' do
+          expect { subject }.to raise_error(described_class::BlockedUrlError)
+        end
+      end
    end
    context 'when the URL hostname is an IP address' do

--- a/spec/models/grafana_integration_spec.rb
+++ b/spec/models/grafana_integration_spec.rb
+# frozen_string_literal: true
+require 'spec_helper'
+describe GrafanaIntegration do
+  describe 'associations' do
+    it { is_expected.to belong_to(:project) }
+  end
+  describe 'validations' do
+    it { is_expected.to validate_presence_of(:project) }
+    it { is_expected.to validate_presence_of(:token) }
+    it 'disallows invalid urls for grafana_url' do
+      unsafe_url = %{https://replaceme.com/'><script>alert(document.cookie)</script>}
+      non_ascii_url = 'http://gitlab.com/api/0/projects/project1/something€'
+      blank_url = ''
+      excessively_long_url = 'https://grafan' + 'a' * 1024 + '.com'
+      is_expected.not_to allow_values(
+        unsafe_url,
+        non_ascii_url,
+        blank_url,
+        excessively_long_url
+      ).for(:grafana_url)
+    end
+    it 'allows valid urls for grafana_url' do
+      external_url = 'http://grafana.com/'
+      internal_url = 'http://192.168.1.1'
+      is_expected.to allow_value(
+        external_url,
+        internal_url
+      ).for(:grafana_url)
+    end
+  end
+end
--- a/spec/services/projects/operations/update_service_spec.rb
+++ b/spec/services/projects/operations/update_service_spec.rb
@@ -170,5 +170,61 @@ describe Projects::Operations::UpdateService do
        expect(project.reload.name).to eq(original_name)
      end
    end
+    context 'grafana integration' do
+      let(:params) do
+        {
+          grafana_integration_attributes: {
+            grafana_url: 'http://new.grafana.com',
+            token: 'VerySecureToken='
+          }
+        }
+      end
+      context 'without existing grafana integration' do
+        it 'creates an integration' do
+          expect(result[:status]).to eq(:success)
+          expected_attrs = params[:grafana_integration_attributes]
+          integration = project.reload.grafana_integration
+          expect(integration.grafana_url).to eq(expected_attrs[:grafana_url])
+          expect(integration.token).to eq(expected_attrs[:token])
+        end
+      end
+      context 'with an existing grafana integration' do
+        before do
+          create(:grafana_integration, project: project)
+        end
+        it 'updates the settings' do
+          expect(result[:status]).to eq(:success)
+          expected_attrs = params[:grafana_integration_attributes]
+          integration = project.reload.grafana_integration
+          expect(integration.grafana_url).to eq(expected_attrs[:grafana_url])
+          expect(integration.token).to eq(expected_attrs[:token])
+        end
+        context 'with all grafana attributes blank in params' do
+          let(:params) do
+            {
+              grafana_integration_attributes: {
+                grafana_url: '',
+                token: ''
+              }
+            }
+          end
+          it 'destroys the metrics_setting entry in DB' do
+            expect(result[:status]).to eq(:success)
+            expect(project.reload.grafana_integration).to be_nil
+          end
+        end
+      end
+    end
  end
 end