grafana/pkg/infra/proxy/proxyutil/proxyutil.go

package proxyutil

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"os"
	"path/filepath"
	"testing"
	"time"

	"github.com/grafana/grafana/pkg/setting"
	"github.com/stretchr/testify/require"
)

func SetupTestSecureSocksProxySettings(t *testing.T) *setting.SecureSocksDSProxySettings {
	proxyAddress := "localhost:3000"
	serverName := "localhost"
	tempDir := t.TempDir()

	// generate test rootCA
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(2019),
		Subject: pkix.Name{
			Organization: []string{"Grafana Labs"},
			CommonName:   "Grafana",
		},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
	}
	caPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
	require.NoError(t, err)
	caBytes, err := x509.CreateCertificate(rand.Reader, ca, ca, &caPrivKey.PublicKey, caPrivKey)
	require.NoError(t, err)
	rootCACert := filepath.Join(tempDir, "ca.cert")
	// nolint:gosec
	// The gosec G304 warning can be ignored because all values come from the test
	caCertFile, err := os.Create(rootCACert)
	require.NoError(t, err)
	err = pem.Encode(caCertFile, &pem.Block{
		Type:  "CERTIFICATE",
		Bytes: caBytes,
	})
	require.NoError(t, err)

	// generate test client cert & key
	cert := &x509.Certificate{
		SerialNumber: big.NewInt(2019),
		Subject: pkix.Name{
			Organization: []string{"Grafana Labs"},
			CommonName:   "Grafana",
		},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().AddDate(10, 0, 0),
		SubjectKeyId: []byte{1, 2, 3, 4, 6},
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	certPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
	require.NoError(t, err)
	certBytes, err := x509.CreateCertificate(rand.Reader, cert, ca, &certPrivKey.PublicKey, caPrivKey)
	require.NoError(t, err)
	clientCert := filepath.Join(tempDir, "client.cert")
	// nolint:gosec
	// The gosec G304 warning can be ignored because all values come from the test
	certFile, err := os.Create(clientCert)
	require.NoError(t, err)
	err = pem.Encode(certFile, &pem.Block{
		Type:  "CERTIFICATE",
		Bytes: certBytes,
	})
	require.NoError(t, err)
	clientKey := filepath.Join(tempDir, "client.key")
	// nolint:gosec
	// The gosec G304 warning can be ignored because all values come from the test
	keyFile, err := os.Create(clientKey)
	require.NoError(t, err)
	err = pem.Encode(keyFile, &pem.Block{
		Type:  "RSA PRIVATE KEY",
		Bytes: x509.MarshalPKCS1PrivateKey(certPrivKey),
	})
	require.NoError(t, err)

	return &setting.SecureSocksDSProxySettings{
		ClientCert:   clientCert,
		ClientKey:    clientKey,
		RootCA:       rootCACert,
		ServerName:   serverName,
		ProxyAddress: proxyAddress,
	}
}
Plugins: Add sql support for the secure socks proxy (#64630) 3 years ago			`package proxyutil`
Plugins: add option to proxy ds connections through a secure socks proxy (#59254) * Plugins: add feature to proxy data source connections 3 years ago
			`import (`
			`"crypto/rand"`
			`"crypto/rsa"`
			`"crypto/x509"`
			`"crypto/x509/pkix"`
			`"encoding/pem"`
			`"math/big"`
			`"os"`
			`"path/filepath"`
			`"testing"`
			`"time"`

			`"github.com/grafana/grafana/pkg/setting"`
			`"github.com/stretchr/testify/require"`
			`)`

Plugins: Add sql support for the secure socks proxy (#64630) 3 years ago			`func SetupTestSecureSocksProxySettings(t testing.T) setting.SecureSocksDSProxySettings {`
Plugins: add option to proxy ds connections through a secure socks proxy (#59254) * Plugins: add feature to proxy data source connections 3 years ago			`proxyAddress := "localhost:3000"`
			`serverName := "localhost"`
			`tempDir := t.TempDir()`

			`// generate test rootCA`
			`ca := &x509.Certificate{`
			`SerialNumber: big.NewInt(2019),`
			`Subject: pkix.Name{`
			`Organization: []string{"Grafana Labs"},`
			`CommonName: "Grafana",`
			`},`
			`NotBefore: time.Now(),`
			`NotAfter: time.Now().AddDate(10, 0, 0),`
			`IsCA: true,`
			`ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},`
			`KeyUsage: x509.KeyUsageDigitalSignature \| x509.KeyUsageCertSign,`
			`BasicConstraintsValid: true,`
			`}`
			`caPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)`
			`require.NoError(t, err)`
			`caBytes, err := x509.CreateCertificate(rand.Reader, ca, ca, &caPrivKey.PublicKey, caPrivKey)`
			`require.NoError(t, err)`
			`rootCACert := filepath.Join(tempDir, "ca.cert")`
			`// nolint:gosec`
			`// The gosec G304 warning can be ignored because all values come from the test`
			`caCertFile, err := os.Create(rootCACert)`
			`require.NoError(t, err)`
			`err = pem.Encode(caCertFile, &pem.Block{`
			`Type: "CERTIFICATE",`
			`Bytes: caBytes,`
			`})`
			`require.NoError(t, err)`

			`// generate test client cert & key`
			`cert := &x509.Certificate{`
			`SerialNumber: big.NewInt(2019),`
			`Subject: pkix.Name{`
			`Organization: []string{"Grafana Labs"},`
			`CommonName: "Grafana",`
			`},`
			`NotBefore: time.Now(),`
			`NotAfter: time.Now().AddDate(10, 0, 0),`
			`SubjectKeyId: []byte{1, 2, 3, 4, 6},`
			`ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},`
			`KeyUsage: x509.KeyUsageDigitalSignature,`
			`}`
			`certPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)`
			`require.NoError(t, err)`
			`certBytes, err := x509.CreateCertificate(rand.Reader, cert, ca, &certPrivKey.PublicKey, caPrivKey)`
			`require.NoError(t, err)`
			`clientCert := filepath.Join(tempDir, "client.cert")`
			`// nolint:gosec`
			`// The gosec G304 warning can be ignored because all values come from the test`
			`certFile, err := os.Create(clientCert)`
			`require.NoError(t, err)`
			`err = pem.Encode(certFile, &pem.Block{`
			`Type: "CERTIFICATE",`
			`Bytes: certBytes,`
			`})`
			`require.NoError(t, err)`
			`clientKey := filepath.Join(tempDir, "client.key")`
			`// nolint:gosec`
			`// The gosec G304 warning can be ignored because all values come from the test`
			`keyFile, err := os.Create(clientKey)`
			`require.NoError(t, err)`
			`err = pem.Encode(keyFile, &pem.Block{`
			`Type: "RSA PRIVATE KEY",`
			`Bytes: x509.MarshalPKCS1PrivateKey(certPrivKey),`
			`})`
			`require.NoError(t, err)`

Plugins: Add sql support for the secure socks proxy (#64630) 3 years ago			`return &setting.SecureSocksDSProxySettings{`
Plugins: add option to proxy ds connections through a secure socks proxy (#59254) * Plugins: add feature to proxy data source connections 3 years ago			`ClientCert: clientCert,`
			`ClientKey: clientKey,`
			`RootCA: rootCACert,`
			`ServerName: serverName,`
			`ProxyAddress: proxyAddress,`
			`}`
			`}`