commit
4fe6f6c11b
@ -0,0 +1,3 @@
|
|||||||
|
SOURCES/grafana-10.2.6.tar.gz
|
||||||
|
SOURCES/grafana-vendor-10.2.6-2.tar.xz
|
||||||
|
SOURCES/grafana-webpack-10.2.6-2.tar.gz
|
@ -0,0 +1,3 @@
|
|||||||
|
5c65a9460e0d0ecff29e397b5889b4167f046142 SOURCES/grafana-10.2.6.tar.gz
|
||||||
|
1dbd3823c3004d7127fab43b82a0ca9e988922dc SOURCES/grafana-vendor-10.2.6-2.tar.xz
|
||||||
|
7229d7721cd93d95fde2a306ae775876053a05b0 SOURCES/grafana-webpack-10.2.6-2.tar.gz
|
@ -0,0 +1,66 @@
|
|||||||
|
From 1e47ea7adc316e2df3d0081c2c0ebe75ddd6bda0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Gerstmayr <agerstmayr@redhat.com>
|
||||||
|
Date: Wed, 22 Jun 2022 16:57:52 +0200
|
||||||
|
Subject: [PATCH] update grafana-cli script with distro-specific paths and
|
||||||
|
switch to grafana user
|
||||||
|
|
||||||
|
|
||||||
|
diff --git a/packaging/wrappers/grafana-cli b/packaging/wrappers/grafana-cli
|
||||||
|
index 7c6c46aef9..945714642b 100755
|
||||||
|
--- a/packaging/wrappers/grafana-cli
|
||||||
|
+++ b/packaging/wrappers/grafana-cli
|
||||||
|
@@ -5,7 +5,7 @@
|
||||||
|
# the system-wide Grafana configuration that was bundled with the package as we
|
||||||
|
# use the binary.
|
||||||
|
|
||||||
|
-DEFAULT=/etc/default/grafana
|
||||||
|
+DEFAULT=/etc/sysconfig/grafana-server
|
||||||
|
|
||||||
|
GRAFANA_HOME="${GRAFANA_HOME:-/usr/share/grafana}"
|
||||||
|
|
||||||
|
@@ -13,11 +13,12 @@ CONF_DIR=/etc/grafana
|
||||||
|
DATA_DIR=/var/lib/grafana
|
||||||
|
PLUGINS_DIR=/var/lib/grafana/plugins
|
||||||
|
LOG_DIR=/var/log/grafana
|
||||||
|
+LIBEXEC_DIR=/usr/libexec/grafana
|
||||||
|
|
||||||
|
CONF_FILE=$CONF_DIR/grafana.ini
|
||||||
|
PROVISIONING_CFG_DIR=$CONF_DIR/provisioning
|
||||||
|
|
||||||
|
-EXECUTABLE="$GRAFANA_HOME/bin/grafana"
|
||||||
|
+EXECUTABLE=$LIBEXEC_DIR/grafana-cli
|
||||||
|
|
||||||
|
if [ ! -x $EXECUTABLE ]; then
|
||||||
|
echo "$EXECUTABLE not installed or not executable"
|
||||||
|
@@ -29,14 +30,23 @@ if [ -f "$DEFAULT" ]; then
|
||||||
|
. "$DEFAULT"
|
||||||
|
fi
|
||||||
|
|
||||||
|
-OPTS="--homepath=${GRAFANA_HOME} \
|
||||||
|
- --config=${CONF_FILE} \
|
||||||
|
- --pluginsDir=${PLUGINS_DIR} \
|
||||||
|
- --configOverrides='cfg:default.paths.provisioning=$PROVISIONING_CFG_DIR \
|
||||||
|
- cfg:default.paths.data=${DATA_DIR} \
|
||||||
|
- cfg:default.paths.logs=${LOG_DIR} \
|
||||||
|
- cfg:default.paths.plugins=${PLUGINS_DIR}'"
|
||||||
|
+OPTS=("--homepath=${GRAFANA_HOME}"
|
||||||
|
+ "--config=${CONF_FILE}"
|
||||||
|
+ "--pluginsDir=${PLUGINS_DIR}"
|
||||||
|
+ "--configOverrides=cfg:default.paths.provisioning=$PROVISIONING_CFG_DIR \
|
||||||
|
+ cfg:default.paths.data=${DATA_DIR} \
|
||||||
|
+ cfg:default.paths.logs=${LOG_DIR} \
|
||||||
|
+ cfg:default.paths.plugins=${PLUGINS_DIR}")
|
||||||
|
|
||||||
|
CMD=cli
|
||||||
|
|
||||||
|
-eval $EXECUTABLE "$CMD" "$OPTS" "$@"
|
||||||
|
+if [ "$(id -u)" -eq 0 -o "$(id -g)" -eq 0 ]; then
|
||||||
|
+ cd "${GRAFANA_HOME}"
|
||||||
|
+ exec runuser -u "${GRAFANA_USER}" -- "$EXECUTABLE" "${OPTS[@]}" "$@"
|
||||||
|
+elif [ "$(id -u -n)" = "${GRAFANA_USER}" ]; then
|
||||||
|
+ cd "${GRAFANA_HOME}"
|
||||||
|
+ exec "$EXECUTABLE" "${OPTS[@]}" "$@"
|
||||||
|
+else
|
||||||
|
+ echo "$0: please run this script as user \"${GRAFANA_USER}\" or root."
|
||||||
|
+ exit 5
|
||||||
|
+fi
|
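Review bot: `GRAFANA_USER` is expanded in every branch of the new `if` block at the end of the script but is never assigned in the lines shown, so it presumably comes only from sourcing `$DEFAULT`; if that file is missing or does not set it, root ends up calling `runuser -u ""` and everyone else gets the `please run this script as user ""` message. A guard just before the `if` makes that failure explicit: `[ -n "${GRAFANA_USER:-}" ] || { echo "$0: GRAFANA_USER is not set (expected in $DEFAULT)" >&2; exit 5; }`. The first test also admits a non-root caller whose primary group is 0, and `runuser` only works for root, so `[ "$(id -u)" -eq 0 ]` alone is the safer condition (it also drops the obsolescent `-o`). `cd "${GRAFANA_HOME}"` is unchecked although the variable can be inherited from the caller's environment via `${GRAFANA_HOME:-/usr/share/grafana}`; `cd "${GRAFANA_HOME}" || exit 1` avoids running the CLI from an unintended directory. The `OPTS=( ... )` array needs bash, and the shebang is outside the hunks, so confirm it is not `/bin/sh`.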
@ -0,0 +1,161 @@
|
|||||||
|
From 5b6c18f715808f99c32550fc3b670fc5bf600f72 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Gerstmayr <agerstmayr@redhat.com>
|
||||||
|
Date: Wed, 22 Jun 2022 17:01:09 +0200
|
||||||
|
Subject: [PATCH] add manpages
|
||||||
|
|
||||||
|
|
||||||
|
diff --git a/docs/man/man1/grafana-cli.1 b/docs/man/man1/grafana-cli.1
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000000..39c0d5cee0
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/docs/man/man1/grafana-cli.1
|
||||||
|
@@ -0,0 +1,63 @@
|
||||||
|
+.TH GRAFANA "1" "September 2022" "Grafana cli version 9.0.9" "User Commands"
|
||||||
|
+.SH NAME
|
||||||
|
+grafana-cli \- command line administration for the Grafana metrics dashboard and graph editor
|
||||||
|
+.SH DESCRIPTION
|
||||||
|
+.SS "NAME:"
|
||||||
|
+.IP
|
||||||
|
+grafana-cli
|
||||||
|
+.SS "USAGE:"
|
||||||
|
+.IP
|
||||||
|
+\fBgrafana\-cli\fP [\fIglobal options\fP] \fIcommand\fP [\fIcommand options\fP] [\fIarguments\fP...]
|
||||||
|
+.SS "COMMANDS:"
|
||||||
|
+.TP
|
||||||
|
+plugins
|
||||||
|
+Manage plugins for grafana
|
||||||
|
+.TP
|
||||||
|
+admin
|
||||||
|
+Grafana admin commands
|
||||||
|
+.TP
|
||||||
|
+cue
|
||||||
|
+Cue validation commands
|
||||||
|
+.TP
|
||||||
|
+help, h
|
||||||
|
+Shows a list of commands or help for one command
|
||||||
|
+.SS "GLOBAL OPTIONS:"
|
||||||
|
+.TP
|
||||||
|
+\fB\-\-pluginsDir\fR value
|
||||||
|
+path to the grafana plugin directory (default: "/var/lib/grafana/plugins") [$GF_PLUGIN_DIR]
|
||||||
|
+.TP
|
||||||
|
+\fB\-\-repo\fR value
|
||||||
|
+url to the plugin repository (default: "https://grafana.com/api/plugins") [$GF_PLUGIN_REPO]
|
||||||
|
+.TP
|
||||||
|
+\fB\-\-pluginUrl\fR value
|
||||||
|
+Full url to the plugin zip file instead of downloading the plugin from grafana.com/api [$GF_PLUGIN_URL]
|
||||||
|
+.TP
|
||||||
|
+\fB\-\-insecure\fR
|
||||||
|
+Skip TLS verification (insecure) (default: false)
|
||||||
|
+.TP
|
||||||
|
+\fB\-\-debug\fR
|
||||||
|
+Enable debug logging (default: false)
|
||||||
|
+.TP
|
||||||
|
+\fB\-\-configOverrides\fR value
|
||||||
|
+Configuration options to override defaults as a string. e.g. cfg:default.paths.log=/dev/null
|
||||||
|
+.TP
|
||||||
|
+\fB\-\-homepath\fR value
|
||||||
|
+Path to Grafana install/home path, defaults to working directory
|
||||||
|
+.TP
|
||||||
|
+\fB\-\-config\fR value
|
||||||
|
+Path to config file
|
||||||
|
+.TP
|
||||||
|
+\fB\-\-help\fR, \fB\-h\fR
|
||||||
|
+show help
|
||||||
|
+.TP
|
||||||
|
+\fB\-\-version\fR, \fB\-v\fR
|
||||||
|
+print the version
|
||||||
|
+.SH "SEE ALSO"
|
||||||
|
+Additional documentation for
|
||||||
|
+.B grafana-cli
|
||||||
|
+is available on-line at
|
||||||
|
+.BR http://docs.grafana.org/administration/cli/ .
|
||||||
|
+The full documentation for
|
||||||
|
+.B Grafana
|
||||||
|
+is available on-line at
|
||||||
|
+.BR http://docs.grafana.org/ .
|
||||||
|
diff --git a/docs/man/man1/grafana-server.1 b/docs/man/man1/grafana-server.1
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000000..683a2369cc
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/docs/man/man1/grafana-server.1
|
||||||
|
@@ -0,0 +1,80 @@
|
||||||
|
+.TH VERSION "1" "September 2022" "Version 9.0.9" "User Commands"
|
||||||
|
+.SH NAME
|
||||||
|
+grafana-server \- back-end server for the Grafana metrics dashboard and graph editor
|
||||||
|
+.SH DESCRIPTION
|
||||||
|
+.B grafana-server
|
||||||
|
+is the back-end server for the Grafana metrics dashboard and graph editor.
|
||||||
|
+The
|
||||||
|
+.B grafana-server
|
||||||
|
+program should not normally be run from the command line,
|
||||||
|
+except when testing or for development purposes.
|
||||||
|
+Rather it should be managed by
|
||||||
|
+.BR systemd .
|
||||||
|
+After installing Grafana, the systemd service should be enabled and started as follows:
|
||||||
|
+.P
|
||||||
|
+.in 1i
|
||||||
|
+.B systemctl daemon-reload
|
||||||
|
+.br
|
||||||
|
+.B systemctl enable grafana-server.service
|
||||||
|
+.br
|
||||||
|
+.B systemctl start grafana-server.service
|
||||||
|
+.in
|
||||||
|
+.P
|
||||||
|
+.SH OPTIONS
|
||||||
|
+The
|
||||||
|
+.B grafana-server
|
||||||
|
+configuration is specified in
|
||||||
|
+.BR /etc/grafana/grafana.ini
|
||||||
|
+and is well documented with comments.
|
||||||
|
+The command-line options listed below override options of
|
||||||
|
+the same (or similar) name in the configuration file.
|
||||||
|
+.P
|
||||||
|
+.HP
|
||||||
|
+\fB\-config\fR string
|
||||||
|
+.IP
|
||||||
|
+path to config file
|
||||||
|
+.HP
|
||||||
|
+\fB\-homepath\fR string
|
||||||
|
+.IP
|
||||||
|
+path to grafana install/home path, defaults to working directory
|
||||||
|
+.HP
|
||||||
|
+\fB\-packaging\fR string
|
||||||
|
+.IP
|
||||||
|
+describes the way Grafana was installed (default "unknown")
|
||||||
|
+.HP
|
||||||
|
+\fB\-pidfile\fR string
|
||||||
|
+.IP
|
||||||
|
+path to pid file
|
||||||
|
+.HP
|
||||||
|
+\fB\-profile\fR
|
||||||
|
+.IP
|
||||||
|
+Turn on pprof profiling
|
||||||
|
+.HP
|
||||||
|
+\fB\-profile\-addr\fR string
|
||||||
|
+.IP
|
||||||
|
+Define custom address for profiling (default "localhost")
|
||||||
|
+.HP
|
||||||
|
+\fB\-profile\-port\fR uint
|
||||||
|
+.IP
|
||||||
|
+Define custom port for profiling (default 6060)
|
||||||
|
+.HP
|
||||||
|
+\fB\-tracing\fR
|
||||||
|
+.IP
|
||||||
|
+Turn on tracing
|
||||||
|
+.HP
|
||||||
|
+\fB\-tracing\-file\fR string
|
||||||
|
+.IP
|
||||||
|
+Define tracing output file (default "trace.out")
|
||||||
|
+.TP
|
||||||
|
+\fB\-v\fR
|
||||||
|
+.IP
|
||||||
|
+prints current version and exits
|
||||||
|
+.TP
|
||||||
|
+\fB\-vv\fR
|
||||||
|
+.IP
|
||||||
|
+prints current version, all dependencies and exits
|
||||||
|
+.SH "SEE ALSO"
|
||||||
|
+The full documentation for
|
||||||
|
+.B Grafana
|
||||||
|
+is available on-line at
|
||||||
|
+.BR http://docs.grafana.org/ .
|
@ -0,0 +1,72 @@
|
|||||||
|
From 026c4f235fd3bfc741304a5e12e13bd1c7b85eac Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Gerstmayr <agerstmayr@redhat.com>
|
||||||
|
Date: Wed, 22 Jun 2022 17:05:48 +0200
|
||||||
|
Subject: [PATCH] update default configuration
|
||||||
|
|
||||||
|
|
||||||
|
diff --git a/conf/defaults.ini b/conf/defaults.ini
|
||||||
|
index 9f7cf4a90b..e1e5468bfa 100644
|
||||||
|
--- a/conf/defaults.ini
|
||||||
|
+++ b/conf/defaults.ini
|
||||||
|
@@ -240,7 +240,7 @@ user_agent =
|
||||||
|
# No ip addresses are being tracked, only simple counters to track
|
||||||
|
# running instances, dashboard and error counts. It is very helpful to us.
|
||||||
|
# Change this option to false to disable reporting.
|
||||||
|
-reporting_enabled = true
|
||||||
|
+reporting_enabled = false
|
||||||
|
|
||||||
|
# The name of the distributor of the Grafana instance. Ex hosted-grafana, grafana-labs
|
||||||
|
reporting_distributor = grafana-labs
|
||||||
|
@@ -249,8 +249,8 @@ reporting_distributor = grafana-labs
|
||||||
|
# for new versions of grafana. The check is used
|
||||||
|
# in some UI views to notify that a grafana update exists.
|
||||||
|
# This option does not cause any auto updates, nor send any information
|
||||||
|
-# only a GET request to https://grafana.com/api/grafana/versions/stable to get the latest version.
|
||||||
|
-check_for_updates = true
|
||||||
|
+# only a GET request to https://raw.githubusercontent.com/grafana/grafana/main/latest.json to get the latest version.
|
||||||
|
+check_for_updates = false
|
||||||
|
|
||||||
|
# Set to false to disable all checks to https://grafana.com
|
||||||
|
# for new versions of plugins. The check is used
|
||||||
|
diff --git a/conf/sample.ini b/conf/sample.ini
|
||||||
|
index 916de769f9..2f270d4940 100644
|
||||||
|
--- a/conf/sample.ini
|
||||||
|
+++ b/conf/sample.ini
|
||||||
|
@@ -247,7 +247,7 @@
|
||||||
|
# No ip addresses are being tracked, only simple counters to track
|
||||||
|
# running instances, dashboard and error counts. It is very helpful to us.
|
||||||
|
# Change this option to false to disable reporting.
|
||||||
|
-;reporting_enabled = true
|
||||||
|
+;reporting_enabled = false
|
||||||
|
|
||||||
|
# The name of the distributor of the Grafana instance. Ex hosted-grafana, grafana-labs
|
||||||
|
;reporting_distributor = grafana-labs
|
||||||
|
@@ -256,8 +256,8 @@
|
||||||
|
# for new versions of grafana. The check is used
|
||||||
|
# in some UI views to notify that a grafana update exists.
|
||||||
|
# This option does not cause any auto updates, nor send any information
|
||||||
|
-# only a GET request to https://grafana.com/api/grafana/versions/stable to get the latest version.
|
||||||
|
-;check_for_updates = true
|
||||||
|
+# only a GET request to https://raw.githubusercontent.com/grafana/grafana/main/latest.json to get the latest version.
|
||||||
|
+;check_for_updates = false
|
||||||
|
|
||||||
|
# Set to false to disable all checks to https://grafana.com
|
||||||
|
# for new versions of plugins. The check is used
|
||||||
|
@@ -427,7 +427,7 @@
|
||||||
|
|
||||||
|
# Minimum dashboard refresh interval. When set, this will restrict users to set the refresh interval of a dashboard lower than given interval. Per default this is 5 seconds.
|
||||||
|
# The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
|
||||||
|
-;min_refresh_interval = 5s
|
||||||
|
+min_refresh_interval = 1s
|
||||||
|
|
||||||
|
# Path to the default home dashboard. If this value is empty, then Grafana uses StaticRootPath + "dashboards/home.json"
|
||||||
|
;default_home_dashboard_path =
|
||||||
|
@@ -1411,7 +1411,7 @@
|
||||||
|
;enable_alpha = false
|
||||||
|
;app_tls_skip_verify_insecure = false
|
||||||
|
# Enter a comma-separated list of plugin identifiers to identify plugins to load even if they are unsigned. Plugins with modified signatures are never loaded.
|
||||||
|
-;allow_loading_unsigned_plugins =
|
||||||
|
+allow_loading_unsigned_plugins = performancecopilot-pcp-app,pcp-redis-datasource,pcp-vector-datasource,pcp-bpftrace-datasource,pcp-flamegraph-panel,pcp-breadcrumbs-panel,pcp-troubleshooting-panel,performancecopilot-redis-datasource,performancecopilot-vector-datasource,performancecopilot-bpftrace-datasource,performancecopilot-flamegraph-panel,performancecopilot-breadcrumbs-panel,performancecopilot-troubleshooting-panel
|
||||||
|
# Enable or disable installing / uninstalling / updating plugins directly from within Grafana.
|
||||||
|
;plugin_admin_enabled = false
|
||||||
|
;plugin_admin_external_manage_enabled = false
|
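Review bot: The `allow_loading_unsigned_plugins` line in the `@@ -1411,7 +1411,7 @@` hunk switches off signature verification for thirteen plugin ids with no comment saying why, so an administrator reading the shipped config cannot tell a distribution decision from a local change. Per the option's own description, any plugin that identifies itself with one of these ids is loaded even when unsigned, which leaves the ownership and mode of the plugins directory as the only control; the list also carries both `pcp-*` and `performancecopilot-*` spellings (presumably old and new names) and is worth trimming to what is actually packaged. I would add above it `# Distribution override: Performance Co-Pilot plugins are loaded unsigned; keep this list limited to installed plugin ids.`, with the wording adjusted once the reason is confirmed. In the `@@ -427,7 +427,7 @@` hunk, `min_refresh_interval = 1s` lowers the floor while the comment above it still says "Per default this is 5 seconds", so that line deserves a short note as well.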
@ -0,0 +1,62 @@
|
|||||||
|
From 076177ff583b8e6d92948e0a4ddde0e8992d09a3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Gerstmayr <agerstmayr@redhat.com>
|
||||||
|
Date: Wed, 22 Jun 2022 17:18:56 +0200
|
||||||
|
Subject: [PATCH] remove unused backend dependencies
|
||||||
|
|
||||||
|
saml and gofpdf are not used in the OSS edition of Grafana
|
||||||
|
after editing `pkg/extensions/main.go`, run `go mod tidy`
|
||||||
|
|
||||||
|
diff --git a/go.mod b/go.mod
|
||||||
|
index fcbc09da5e..82fdf39842 100644
|
||||||
|
--- a/go.mod
|
||||||
|
+++ b/go.mod
|
||||||
|
@@ -45,7 +45,6 @@ require (
|
||||||
|
github.com/blang/semver/v4 v4.0.0 // @grafana/grafana-release-guild
|
||||||
|
github.com/bradfitz/gomemcache v0.0.0-20190913173617-a41fca850d0b // @grafana/backend-platform
|
||||||
|
github.com/centrifugal/centrifuge v0.30.2 // @grafana/grafana-app-platform-squad
|
||||||
|
- github.com/crewjam/saml v0.4.13 // @grafana/grafana-authnz-team
|
||||||
|
github.com/fatih/color v1.15.0 // @grafana/backend-platform
|
||||||
|
github.com/gchaincl/sqlhooks v1.3.0 // @grafana/backend-platform
|
||||||
|
github.com/go-ldap/ldap/v3 v3.4.4 // @grafana/grafana-authnz-team
|
||||||
|
@@ -187,7 +186,6 @@ require (
|
||||||
|
github.com/josharian/intern v1.0.0 // indirect
|
||||||
|
github.com/jpillora/backoff v1.0.0 // indirect
|
||||||
|
github.com/mailru/easyjson v0.7.7 // indirect
|
||||||
|
- github.com/mattermost/xml-roundtrip-validator v0.1.0 // indirect
|
||||||
|
github.com/mattetti/filebuffer v1.0.1 // indirect
|
||||||
|
github.com/mattn/go-runewidth v0.0.13 // indirect
|
||||||
|
github.com/miekg/dns v1.1.51 // indirect
|
||||||
|
diff --git a/go.sum b/go.sum
|
||||||
|
index d05dfb55fd..b160387abe 100644
|
||||||
|
--- a/go.sum
|
||||||
|
+++ b/go.sum
|
||||||
|
@@ -1826,8 +1826,6 @@ github.com/grafana/pyroscope/api v0.3.0/go.mod h1:JggA80ToAAUACYGfwL49XoFk5aN5ec
|
||||||
|
github.com/grafana/regexp v0.0.0-20221122212121-6b5c0a4cb7fd/go.mod h1:M5qHK+eWfAv8VR/265dIuEpL3fNfeC21tXXp9itM24A=
|
||||||
|
github.com/grafana/regexp v0.0.0-20221123153739-15dc172cd2db h1:7aN5cccjIqCLTzedH7MZzRZt5/lsAHch6Z3L2ZGn5FA=
|
||||||
|
github.com/grafana/regexp v0.0.0-20221123153739-15dc172cd2db/go.mod h1:M5qHK+eWfAv8VR/265dIuEpL3fNfeC21tXXp9itM24A=
|
||||||
|
-github.com/grafana/saml v0.4.15-0.20231025143828-a6c0e9b86a4c h1:1pHLC1ZTz7N5QI3jzCs5sqmVvAKe+JwGnpp9lQ+iUjY=
|
||||||
|
-github.com/grafana/saml v0.4.15-0.20231025143828-a6c0e9b86a4c/go.mod h1:S4+611dxnKt8z/ulbvaJzcgSHsuhjVc1QHNTcr1R7Fw=
|
||||||
|
github.com/grafana/sqlds/v2 v2.3.10 h1:HWKhE0vR6LoEiE+Is8CSZOgaB//D1yqb2ntkass9Fd4=
|
||||||
|
github.com/grafana/sqlds/v2 v2.3.10/go.mod h1:c6ibxnxRVGxV/0YkEgvy7QpQH/lyifFyV7K/14xvdIs=
|
||||||
|
github.com/grafana/tempo v1.5.1-0.20230524121406-1dc1bfe7085b h1:mDlkqgTEJuK7vjPG44f3ZMtId5AAYLWHvBVbiGqIOOQ=
|
||||||
|
@@ -2222,8 +2220,6 @@ github.com/markbates/sigtx v1.0.0/go.mod h1:QF1Hv6Ic6Ca6W+T+DL0Y/ypborFKyvUY9Hmu
|
||||||
|
github.com/markbates/willie v1.0.9/go.mod h1:fsrFVWl91+gXpx/6dv715j7i11fYPfZ9ZGfH0DQzY7w=
|
||||||
|
github.com/matryer/is v1.4.0 h1:sosSmIWwkYITGrxZ25ULNDeKiMNzFSr4V/eqBQP0PeE=
|
||||||
|
github.com/matryer/is v1.4.0/go.mod h1:8I/i5uYgLzgsgEloJE1U6xx5HkBQpAZvepWuujKwMRU=
|
||||||
|
-github.com/mattermost/xml-roundtrip-validator v0.1.0 h1:RXbVD2UAl7A7nOTR4u7E3ILa4IbtvKBHw64LDsmu9hU=
|
||||||
|
-github.com/mattermost/xml-roundtrip-validator v0.1.0/go.mod h1:qccnGMcpgwcNaBnxqpJpWWUiPNr5H3O8eDgGV9gT5To=
|
||||||
|
github.com/mattetti/filebuffer v1.0.1 h1:gG7pyfnSIZCxdoKq+cPa8T0hhYtD9NxCdI4D7PTjRLM=
|
||||||
|
github.com/mattetti/filebuffer v1.0.1/go.mod h1:YdMURNDOttIiruleeVr6f56OrMc+MydEnTcXwtkxNVs=
|
||||||
|
github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
|
||||||
|
diff --git a/pkg/extensions/main.go b/pkg/extensions/main.go
|
||||||
|
index 327e208221..426aad2a21 100644
|
||||||
|
--- a/pkg/extensions/main.go
|
||||||
|
+++ b/pkg/extensions/main.go
|
||||||
|
@@ -11,7 +11,6 @@ import (
|
||||||
|
_ "github.com/beevik/etree"
|
||||||
|
_ "github.com/blugelabs/bluge"
|
||||||
|
_ "github.com/blugelabs/bluge_segment_api"
|
||||||
|
- _ "github.com/crewjam/saml"
|
||||||
|
_ "github.com/go-jose/go-jose/v3"
|
||||||
|
_ "github.com/gobwas/glob"
|
||||||
|
_ "github.com/googleapis/gax-go/v2"
|
@ -0,0 +1,333 @@
|
|||||||
|
From ddd615152004e0bc5985a574c05d31778351dfa3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Gerstmayr <agerstmayr@redhat.com>
|
||||||
|
Date: Wed, 22 Jun 2022 17:36:47 +0200
|
||||||
|
Subject: [PATCH] remove unused frontend crypto
|
||||||
|
|
||||||
|
update `package.json` and then run `yarn install` to update the
|
||||||
|
`yarn.lock` lockfile
|
||||||
|
|
||||||
|
diff --git a/package.json b/package.json
|
||||||
|
index 38deb6d7de..aad5e88bf0 100644
|
||||||
|
--- a/package.json
|
||||||
|
+++ b/package.json
|
||||||
|
@@ -425,6 +425,9 @@
|
||||||
|
"resolutions": {
|
||||||
|
"underscore": "1.13.6",
|
||||||
|
"@types/slate": "0.47.11",
|
||||||
|
+ "crypto-browserify": "https://registry.yarnpkg.com/@favware/skip-dependency/-/skip-dependency-1.1.3.tgz",
|
||||||
|
+ "selfsigned": "https://registry.yarnpkg.com/@favware/skip-dependency/-/skip-dependency-1.1.3.tgz",
|
||||||
|
+ "http-signature": "https://registry.yarnpkg.com/@favware/skip-dependency/-/skip-dependency-1.1.3.tgz",
|
||||||
|
"ngtemplate-loader/loader-utils": "^2.0.0",
|
||||||
|
"semver@~7.0.0": "7.5.4",
|
||||||
|
"semver@7.3.4": "7.5.4",
|
||||||
|
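Review bot: The three added `resolutions` entries replace `crypto-browserify`, `selfsigned` and `http-signature` with a third-party stub fetched by tarball URL, and nothing in package.json pins its content, so integrity rests entirely on the `checksum:` lines in yarn.lock and on installs honouring the lockfile. The yarn.lock diff on this page shows replacement entries for `http-signature` and `selfsigned` but none for `crypto-browserify`, so it is worth confirming whether that resolution matches anything in the dependency tree or can be dropped. Because the stub satisfies the dependency at install time, any code path that still requires one of these modules would presumably fail only at run time; a build step that checks the bundled output for references to them would surface that earlier. JSON has no comment syntax, so the reason for each stub belongs in the patch description, which currently only explains how to regenerate the lockfile.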
diff --git a/yarn.lock b/yarn.lock
|
||||||
|
index bf22ba52a1..1552ddc052 100644
|
||||||
|
--- a/yarn.lock
|
||||||
|
+++ b/yarn.lock
|
||||||
|
@@ -10935,22 +10935,6 @@ __metadata:
|
||||||
|
languageName: node
|
||||||
|
linkType: hard
|
||||||
|
|
||||||
|
-"asn1@npm:~0.2.3":
|
||||||
|
- version: 0.2.6
|
||||||
|
- resolution: "asn1@npm:0.2.6"
|
||||||
|
- dependencies:
|
||||||
|
- safer-buffer: "npm:~2.1.0"
|
||||||
|
- checksum: cf629291fee6c1a6f530549939433ebf32200d7849f38b810ff26ee74235e845c0c12b2ed0f1607ac17383d19b219b69cefa009b920dab57924c5c544e495078
|
||||||
|
- languageName: node
|
||||||
|
- linkType: hard
|
||||||
|
-
|
||||||
|
-"assert-plus@npm:1.0.0, assert-plus@npm:^1.0.0":
|
||||||
|
- version: 1.0.0
|
||||||
|
- resolution: "assert-plus@npm:1.0.0"
|
||||||
|
- checksum: f4f991ae2df849cc678b1afba52d512a7cbf0d09613ba111e72255409ff9158550c775162a47b12d015d1b82b3c273e8e25df0e4783d3ddb008a293486d00a07
|
||||||
|
- languageName: node
|
||||||
|
- linkType: hard
|
||||||
|
-
|
||||||
|
"assert@npm:2.0.0, assert@npm:^2.0.0":
|
||||||
|
version: 2.0.0
|
||||||
|
resolution: "assert@npm:2.0.0"
|
||||||
|
@@ -11427,15 +11411,6 @@ __metadata:
|
||||||
|
languageName: node
|
||||||
|
linkType: hard
|
||||||
|
|
||||||
|
-"bcrypt-pbkdf@npm:^1.0.0":
|
||||||
|
- version: 1.0.2
|
||||||
|
- resolution: "bcrypt-pbkdf@npm:1.0.2"
|
||||||
|
- dependencies:
|
||||||
|
- tweetnacl: "npm:^0.14.3"
|
||||||
|
- checksum: 13a4cde058250dbf1fa77a4f1b9a07d32ae2e3b9e28e88a0c7a1827835bc3482f3e478c4a0cfd4da6ff0c46dae07da1061123a995372b32cc563d9975f975404
|
||||||
|
- languageName: node
|
||||||
|
- linkType: hard
|
||||||
|
-
|
||||||
|
"before-after-hook@npm:^2.2.0":
|
||||||
|
version: 2.2.2
|
||||||
|
resolution: "before-after-hook@npm:2.2.2"
|
||||||
|
@@ -12929,13 +12904,6 @@ __metadata:
|
||||||
|
languageName: node
|
||||||
|
linkType: hard
|
||||||
|
|
||||||
|
-"core-util-is@npm:1.0.2":
|
||||||
|
- version: 1.0.2
|
||||||
|
- resolution: "core-util-is@npm:1.0.2"
|
||||||
|
- checksum: d0f7587346b44a1fe6c269267e037dd34b4787191e473c3e685f507229d88561c40eb18872fabfff02977301815d474300b7bfbd15396c13c5377393f7e87ec3
|
||||||
|
- languageName: node
|
||||||
|
- linkType: hard
|
||||||
|
-
|
||||||
|
"core-util-is@npm:~1.0.0":
|
||||||
|
version: 1.0.3
|
||||||
|
resolution: "core-util-is@npm:1.0.3"
|
||||||
|
@@ -13857,15 +13825,6 @@ __metadata:
|
||||||
|
languageName: node
|
||||||
|
linkType: hard
|
||||||
|
|
||||||
|
-"dashdash@npm:^1.12.0":
|
||||||
|
- version: 1.14.1
|
||||||
|
- resolution: "dashdash@npm:1.14.1"
|
||||||
|
- dependencies:
|
||||||
|
- assert-plus: "npm:^1.0.0"
|
||||||
|
- checksum: 137b287fa021201ce100cef772c8eeeaaafdd2aa7282864022acf3b873021e54cb809e9c060fa164840bf54ff72d00d6e2d8da1ee5a86d7200eeefa1123a8f7f
|
||||||
|
- languageName: node
|
||||||
|
- linkType: hard
|
||||||
|
-
|
||||||
|
"data-urls@npm:^3.0.2":
|
||||||
|
version: 3.0.2
|
||||||
|
resolution: "data-urls@npm:3.0.2"
|
||||||
|
@@ -14573,16 +14532,6 @@ __metadata:
|
||||||
|
languageName: node
|
||||||
|
linkType: hard
|
||||||
|
|
||||||
|
-"ecc-jsbn@npm:~0.1.1":
|
||||||
|
- version: 0.1.2
|
||||||
|
- resolution: "ecc-jsbn@npm:0.1.2"
|
||||||
|
- dependencies:
|
||||||
|
- jsbn: "npm:~0.1.0"
|
||||||
|
- safer-buffer: "npm:^2.1.0"
|
||||||
|
- checksum: d43591f2396196266e186e6d6928038cc11c76c3699a912cb9c13757060f7bbc7f17f47c4cb16168cdeacffc7965aef021142577e646fb3cb88810c15173eb57
|
||||||
|
- languageName: node
|
||||||
|
- linkType: hard
|
||||||
|
-
|
||||||
|
"ee-first@npm:1.1.1":
|
||||||
|
version: 1.1.1
|
||||||
|
resolution: "ee-first@npm:1.1.1"
|
||||||
|
@@ -15991,20 +15940,6 @@ __metadata:
|
||||||
|
languageName: node
|
||||||
|
linkType: hard
|
||||||
|
|
||||||
|
-"extsprintf@npm:1.3.0":
|
||||||
|
- version: 1.3.0
|
||||||
|
- resolution: "extsprintf@npm:1.3.0"
|
||||||
|
- checksum: 26967d6c7ecbfb5bc5b7a6c43503dc5fafd9454802037e9fa1665e41f615da4ff5918bd6cb871a3beabed01a31eca1ccd0bdfb41231f50ad50d405a430f78377
|
||||||
|
- languageName: node
|
||||||
|
- linkType: hard
|
||||||
|
-
|
||||||
|
-"extsprintf@npm:^1.2.0":
|
||||||
|
- version: 1.4.1
|
||||||
|
- resolution: "extsprintf@npm:1.4.1"
|
||||||
|
- checksum: bfd6d55f3c0c04d826fe0213264b383c03f32825af6b1ff777f3f2dc49467e599361993568d75b7b19a8ea1bb08c8e7cd8c3d87d179ced91bb0dcf81ca6938e0
|
||||||
|
- languageName: node
|
||||||
|
- linkType: hard
|
||||||
|
-
|
||||||
|
"fast-deep-equal@npm:^3.1.1, fast-deep-equal@npm:^3.1.3":
|
||||||
|
version: 3.1.3
|
||||||
|
resolution: "fast-deep-equal@npm:3.1.3"
|
||||||
|
@@ -16916,15 +16851,6 @@ __metadata:
|
||||||
|
languageName: node
|
||||||
|
linkType: hard
|
||||||
|
|
||||||
|
-"getpass@npm:^0.1.1":
|
||||||
|
- version: 0.1.7
|
||||||
|
- resolution: "getpass@npm:0.1.7"
|
||||||
|
- dependencies:
|
||||||
|
- assert-plus: "npm:^1.0.0"
|
||||||
|
- checksum: ab18d55661db264e3eac6012c2d3daeafaab7a501c035ae0ccb193c3c23e9849c6e29b6ac762b9c2adae460266f925d55a3a2a3a3c8b94be2f222df94d70c046
|
||||||
|
- languageName: node
|
||||||
|
- linkType: hard
|
||||||
|
-
|
||||||
|
"giget@npm:^1.0.0":
|
||||||
|
version: 1.1.2
|
||||||
|
resolution: "giget@npm:1.1.2"
|
||||||
|
@@ -18263,25 +18189,10 @@ __metadata:
|
||||||
|
languageName: node
|
||||||
|
linkType: hard
|
||||||
|
|
||||||
|
-"http-signature@npm:~1.2.0":
|
||||||
|
- version: 1.2.0
|
||||||
|
- resolution: "http-signature@npm:1.2.0"
|
||||||
|
- dependencies:
|
||||||
|
- assert-plus: "npm:^1.0.0"
|
||||||
|
- jsprim: "npm:^1.2.2"
|
||||||
|
- sshpk: "npm:^1.7.0"
|
||||||
|
- checksum: 2ff7112e6b0d8f08b382dfe705078c655501f2ddd76cf589d108445a9dd388a0a9be928c37108261519a7f53e6bbd1651048d74057b804807cce1ec49e87a95b
|
||||||
|
- languageName: node
|
||||||
|
- linkType: hard
|
||||||
|
-
|
||||||
|
-"http-signature@npm:~1.3.6":
|
||||||
|
- version: 1.3.6
|
||||||
|
- resolution: "http-signature@npm:1.3.6"
|
||||||
|
- dependencies:
|
||||||
|
- assert-plus: "npm:^1.0.0"
|
||||||
|
- jsprim: "npm:^2.0.2"
|
||||||
|
- sshpk: "npm:^1.14.1"
|
||||||
|
- checksum: 5f08e0c82174999da97114facb0d0d47e268d60b6fc10f92cb87b99d5ccccd36f79b9508c29dda0b4f4e3a1b2f7bcaf847e68ecd5da2f1fc465fcd1d054b7884
|
||||||
|
+"http-signature@https://registry.yarnpkg.com/@favware/skip-dependency/-/skip-dependency-1.1.3.tgz":
|
||||||
|
+ version: 1.1.3
|
||||||
|
+ resolution: "http-signature@https://registry.yarnpkg.com/@favware/skip-dependency/-/skip-dependency-1.1.3.tgz"
|
||||||
|
+ checksum: 78b64605540e2d25bede2d74ec9e7740ab9a466c9a562ae3a8ccc7e07e26e601a013859c94adf890679403cd337b9690f598d64bc4fbc1d2eaa2f27241ca08a1
|
||||||
|
languageName: node
|
||||||
|
linkType: hard
|
||||||
|
|
||||||
|
@@ -20609,13 +20520,6 @@ __metadata:
|
||||||
|
languageName: node
|
||||||
|
linkType: hard
|
||||||
|
|
||||||
|
-"jsbn@npm:~0.1.0":
|
||||||
|
- version: 0.1.1
|
||||||
|
- resolution: "jsbn@npm:0.1.1"
|
||||||
|
- checksum: 5450133242845100e694f0ef9175f44c012691a9b770b2571e677314e6f70600abb10777cdfc9a0c6a9f2ac6d134577403633de73e2fcd0f97875a67744e2d14
|
||||||
|
- languageName: node
|
||||||
|
- linkType: hard
|
||||||
|
-
|
||||||
|
"jscodeshift@npm:^0.14.0":
|
||||||
|
version: 0.14.0
|
||||||
|
resolution: "jscodeshift@npm:0.14.0"
|
||||||
|
@@ -20767,13 +20671,6 @@ __metadata:
|
||||||
|
languageName: node
|
||||||
|
linkType: hard
|
||||||
|
|
||||||
|
-"json-schema@npm:0.4.0":
|
||||||
|
- version: 0.4.0
|
||||||
|
- resolution: "json-schema@npm:0.4.0"
|
||||||
|
- checksum: 8b3b64eff4a807dc2a3045b104ed1b9335cd8d57aa74c58718f07f0f48b8baa3293b00af4dcfbdc9144c3aafea1e97982cc27cc8e150fc5d93c540649507a458
|
||||||
|
- languageName: node
|
||||||
|
- linkType: hard
|
||||||
|
-
|
||||||
|
"json-source-map@npm:0.6.1":
|
||||||
|
version: 0.6.1
|
||||||
|
resolution: "json-source-map@npm:0.6.1"
|
||||||
|
@@ -20886,30 +20783,6 @@ __metadata:
|
||||||
|
languageName: node
|
||||||
|
linkType: hard
|
||||||
|
|
||||||
|
-"jsprim@npm:^1.2.2":
|
||||||
|
- version: 1.4.2
|
||||||
|
- resolution: "jsprim@npm:1.4.2"
|
||||||
|
- dependencies:
|
||||||
|
- assert-plus: "npm:1.0.0"
|
||||||
|
- extsprintf: "npm:1.3.0"
|
||||||
|
- json-schema: "npm:0.4.0"
|
||||||
|
- verror: "npm:1.10.0"
|
||||||
|
- checksum: df2bf234eab1b5078d01bcbff3553d50a243f7b5c10a169745efeda6344d62798bd1d85bcca6a8446f3b5d0495e989db45f9de8dae219f0f9796e70e0c776089
|
||||||
|
- languageName: node
|
||||||
|
- linkType: hard
|
||||||
|
-
|
||||||
|
-"jsprim@npm:^2.0.2":
|
||||||
|
- version: 2.0.2
|
||||||
|
- resolution: "jsprim@npm:2.0.2"
|
||||||
|
- dependencies:
|
||||||
|
- assert-plus: "npm:1.0.0"
|
||||||
|
- extsprintf: "npm:1.3.0"
|
||||||
|
- json-schema: "npm:0.4.0"
|
||||||
|
- verror: "npm:1.10.0"
|
||||||
|
- checksum: fcfca5b55f83e1b8be5f932c71754bd37afd2611f81685abd05689e8ce718a91155ff7bd5b94c65ce483a787b5c43c6d0c18c1d2259fca5bb61a3f8ea2e29c0a
|
||||||
|
- languageName: node
|
||||||
|
- linkType: hard
|
||||||
|
-
|
||||||
|
"jsurl@npm:^0.1.5":
|
||||||
|
version: 0.1.5
|
||||||
|
resolution: "jsurl@npm:0.1.5"
|
||||||
|
@@ -22734,7 +22607,7 @@ __metadata:
|
||||||
|
languageName: node
|
||||||
|
linkType: hard
|
||||||
|
|
||||||
|
-"node-forge@npm:^1, node-forge@npm:^1.3.1":
|
||||||
|
+"node-forge@npm:^1.3.1":
|
||||||
|
version: 1.3.1
|
||||||
|
resolution: "node-forge@npm:1.3.1"
|
||||||
|
checksum: 05bab6868633bf9ad4c3b1dd50ec501c22ffd69f556cdf169a00998ca1d03e8107a6032ba013852f202035372021b845603aeccd7dfcb58cdb7430013b3daa8d
|
||||||
|
@@ -27151,7 +27024,7 @@ __metadata:
|
||||||
|
languageName: node
|
||||||
|
linkType: hard
|
||||||
|
|
||||||
|
-"safer-buffer@npm:>= 2.1.2 < 3, safer-buffer@npm:>= 2.1.2 < 3.0.0, safer-buffer@npm:^2.0.2, safer-buffer@npm:^2.1.0, safer-buffer@npm:~2.1.0":
|
||||||
|
+"safer-buffer@npm:>= 2.1.2 < 3, safer-buffer@npm:>= 2.1.2 < 3.0.0":
|
||||||
|
version: 2.1.2
|
||||||
|
resolution: "safer-buffer@npm:2.1.2"
|
||||||
|
checksum: 7eaf7a0cf37cc27b42fb3ef6a9b1df6e93a1c6d98c6c6702b02fe262d5fcbd89db63320793b99b21cb5348097d0a53de81bd5f4e8b86e20cc9412e3f1cfb4e83
|
||||||
|
@@ -27282,12 +27155,10 @@ __metadata:
|
||||||
|
languageName: node
|
||||||
|
linkType: hard
|
||||||
|
|
||||||
|
-"selfsigned@npm:^2.1.1":
|
||||||
|
- version: 2.1.1
|
||||||
|
- resolution: "selfsigned@npm:2.1.1"
|
||||||
|
- dependencies:
|
||||||
|
- node-forge: "npm:^1"
|
||||||
|
- checksum: 6005206e0d005448274aceceaded5195b944f67a42b72d212a6169d2e5f4bdc87c15a3fe45732c544db8c7175702091aaf95403ad6632585294a6ec8cca63638
|
||||||
|
+"selfsigned@https://registry.yarnpkg.com/@favware/skip-dependency/-/skip-dependency-1.1.3.tgz":
|
||||||
|
+ version: 1.1.3
|
||||||
|
+ resolution: "selfsigned@https://registry.yarnpkg.com/@favware/skip-dependency/-/skip-dependency-1.1.3.tgz"
|
||||||
|
+ checksum: 4988a0dbdf123fb808194a6198f5951e2df711de6fd967d72a8876baccaa23d5c260efb8f1dbfbc5bf1f852e81f897ad09267908977ab94862867ef971a3d48d
|
||||||
|
languageName: node
|
||||||
|
linkType: hard
|
||||||
|
|
||||||
|
@@ -28053,27 +27924,6 @@ __metadata:
|
||||||
|
languageName: node
|
||||||
|
linkType: hard
|
||||||
|
|
||||||
|
-"sshpk@npm:^1.14.1, sshpk@npm:^1.7.0":
|
||||||
|
- version: 1.17.0
|
||||||
|
- resolution: "sshpk@npm:1.17.0"
|
||||||
|
- dependencies:
|
||||||
|
- asn1: "npm:~0.2.3"
|
||||||
|
- assert-plus: "npm:^1.0.0"
|
||||||
|
- bcrypt-pbkdf: "npm:^1.0.0"
|
||||||
|
- dashdash: "npm:^1.12.0"
|
||||||
|
- ecc-jsbn: "npm:~0.1.1"
|
||||||
|
- getpass: "npm:^0.1.1"
|
||||||
|
- jsbn: "npm:~0.1.0"
|
||||||
|
- safer-buffer: "npm:^2.0.2"
|
||||||
|
- tweetnacl: "npm:~0.14.0"
|
||||||
|
- bin:
|
||||||
|
- sshpk-conv: bin/sshpk-conv
|
||||||
|
- sshpk-sign: bin/sshpk-sign
|
||||||
|
- sshpk-verify: bin/sshpk-verify
|
||||||
|
- checksum: 668c2a279a6ce66fd739ce5684e37927dd75427cc020c828a208f85890a4c400705d4ba09f32fa44efca894339dc6931941664f6f6ba36dfa543de6d006cbe9c
|
||||||
|
- languageName: node
|
||||||
|
- linkType: hard
|
||||||
|
-
|
||||||
|
"ssri@npm:^10.0.0, ssri@npm:^10.0.1":
|
||||||
|
version: 10.0.5
|
||||||
|
resolution: "ssri@npm:10.0.5"
|
||||||
|
@@ -29479,13 +29329,6 @@ __metadata:
|
||||||
|
languageName: node
|
||||||
|
linkType: hard
|
||||||
|
|
||||||
|
-"tweetnacl@npm:^0.14.3, tweetnacl@npm:~0.14.0":
|
||||||
|
- version: 0.14.5
|
||||||
|
- resolution: "tweetnacl@npm:0.14.5"
|
||||||
|
- checksum: 04ee27901cde46c1c0a64b9584e04c96c5fe45b38c0d74930710751ea991408b405747d01dfae72f80fc158137018aea94f9c38c651cb9c318f0861a310c3679
|
||||||
|
- languageName: node
|
||||||
|
- linkType: hard
|
||||||
|
-
|
||||||
|
"type-check@npm:^0.4.0, type-check@npm:~0.4.0":
|
||||||
|
version: 0.4.0
|
||||||
|
resolution: "type-check@npm:0.4.0"
|
||||||
|
@@ -30199,17 +30042,6 @@ __metadata:
|
||||||
|
languageName: node
|
||||||
|
linkType: soft
|
||||||
|
|
||||||
|
-"verror@npm:1.10.0":
|
||||||
|
- version: 1.10.0
|
||||||
|
- resolution: "verror@npm:1.10.0"
|
||||||
|
- dependencies:
|
||||||
|
- assert-plus: "npm:^1.0.0"
|
||||||
|
- core-util-is: "npm:1.0.2"
|
||||||
|
- extsprintf: "npm:^1.2.0"
|
||||||
|
- checksum: da548149dd9c130a8a2587c9ee71ea30128d1526925707e2d01ed9c5c45c9e9f86733c66a328247cdd5f7c1516fb25b0f959ba754bfbe15072aa99ff96468a29
|
||||||
|
- languageName: node
|
||||||
|
- linkType: hard
|
||||||
|
-
|
||||||
|
"vinyl-fs@npm:^3.0.2":
|
||||||
|
version: 3.0.3
|
||||||
|
resolution: "vinyl-fs@npm:3.0.3"
|
@ -0,0 +1,21 @@
|
|||||||
|
From ed8a438d72a667844ae07804491b568ad2f5dcdd Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Gerstmayr <agerstmayr@redhat.com>
|
||||||
|
Date: Thu, 23 Jun 2022 17:00:46 +0200
|
||||||
|
Subject: [PATCH] skip marketplace plugin install test
|
||||||
|
|
||||||
|
This test (tries to) install a plugin from the Grafana marketplace.
|
||||||
|
Network connectivity is disabled in the build environment for security
|
||||||
|
reasons, therefore we need to disable this test.
|
||||||
|
|
||||||
|
diff --git a/pkg/tests/api/plugins/api_plugins_test.go b/pkg/tests/api/plugins/api_plugins_test.go
|
||||||
|
index 4fc2295ed8..a326c40b04 100644
|
||||||
|
--- a/pkg/tests/api/plugins/api_plugins_test.go
|
||||||
|
+++ b/pkg/tests/api/plugins/api_plugins_test.go
|
||||||
|
@@ -71,6 +71,7 @@ func TestIntegrationPlugins(t *testing.T) {
|
||||||
|
})
|
||||||
|
|
||||||
|
t.Run("Request is not forbidden if from an admin", func(t *testing.T) {
|
||||||
|
+ t.Skip("this test requires connectivity to the Grafana plugin marketplace (fetching metadata)")
|
||||||
|
statusCode, body := makePostRequest(t, grafanaAPIURL(usernameAdmin, grafanaListedAddr, "plugins/test/install"))
|
||||||
|
|
||||||
|
assert.Equal(t, 404, statusCode)
|
@ -0,0 +1,30 @@
|
|||||||
|
From 7ac26d6beb2175f0d6001ca0df322ce610401cce Mon Sep 17 00:00:00 2001
|
||||||
|
From: Stan Cox <scox@redhat.com>
|
||||||
|
Date: Wed, 22 Jun 2022 17:05:48 +0200
|
||||||
|
Subject: [PATCH] redact weak ciphers
|
||||||
|
|
||||||
|
|
||||||
|
diff --git a/pkg/api/http_server.go b/pkg/api/http_server.go
|
||||||
|
index da04044683..8a29270d4d 100644
|
||||||
|
--- a/pkg/api/http_server.go
|
||||||
|
+++ b/pkg/api/http_server.go
|
||||||
|
@@ -820,13 +820,13 @@ func (hs *HTTPServer) getDefaultCiphers(tlsVersion uint16, protocol string) []ui
|
||||||
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||||
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||||
|
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||||
|
- tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
|
||||||
|
+ // tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
|
||||||
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
|
||||||
|
- tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
|
||||||
|
- tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
|
||||||
|
- tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
|
||||||
|
- tls.TLS_RSA_WITH_AES_128_CBC_SHA,
|
||||||
|
- tls.TLS_RSA_WITH_AES_256_CBC_SHA,
|
||||||
|
+ // tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
|
||||||
|
+ // tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
|
||||||
|
+ // tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
|
||||||
|
+ // tls.TLS_RSA_WITH_AES_128_CBC_SHA,
|
||||||
|
+ // tls.TLS_RSA_WITH_AES_256_CBC_SHA,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if protocol == "h2" {
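Review bot: `tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA` stays enabled in getDefaultCiphers while its RSA counterpart `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA` and the other CBC-SHA suites are commented out, so the default list still offers one CBC suite with a SHA-1 MAC. If that is deliberate, say why in a comment above the list; otherwise disable it with the others, `// tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,`. The patch has an empty description and keeps the disabled entries as commented-out code, so a one-line reason (for example the distribution crypto policy, if that is the motivation) would tell the next rebase which suites must stay out. The function starts and ends outside the hunk, so the rest of the list was not reviewed.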
|
@ -0,0 +1,40 @@
|
|||||||
|
From 3f45f26993ed94837001bb9760d7859e7a057649 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sam Feifer <sfeifer@redhat.com>
|
||||||
|
Date: Fri, 1 Mar 2024 15:00:55 -0500
|
||||||
|
Subject: [PATCH] replace faulty slices sort
|
||||||
|
|
||||||
|
|
||||||
|
diff --git a/pkg/services/sqlstore/migrator/dialect.go b/pkg/services/sqlstore/migrator/dialect.go
|
||||||
|
index 183b619de8..da21edeafa 100644
|
||||||
|
--- a/pkg/services/sqlstore/migrator/dialect.go
|
||||||
|
+++ b/pkg/services/sqlstore/migrator/dialect.go
|
||||||
|
@@ -368,7 +368,8 @@ func (b *BaseDialect) InsertQuery(tableName string, row map[string]any) (string,
|
||||||
|
for col := range row {
|
||||||
|
keys = append(keys, col)
|
||||||
|
}
|
||||||
|
- slices.Sort[string](keys)
|
||||||
|
+ slices.Sort(keys)
|
||||||
|
+ //slices.Sort[string](keys)
|
||||||
|
|
||||||
|
// build query and values
|
||||||
|
for _, col := range keys {
|
||||||
|
@@ -398,7 +399,8 @@ func (b *BaseDialect) UpdateQuery(tableName string, row map[string]any, where ma
|
||||||
|
for col := range row {
|
||||||
|
keys = append(keys, col)
|
||||||
|
}
|
||||||
|
- slices.Sort[string](keys)
|
||||||
|
+ slices.Sort(keys)
|
||||||
|
+ //slices.Sort[string](keys)
|
||||||
|
|
||||||
|
// build update query and values
|
||||||
|
for _, col := range keys {
|
||||||
|
@@ -411,7 +413,8 @@ func (b *BaseDialect) UpdateQuery(tableName string, row map[string]any, where ma
|
||||||
|
for col := range where {
|
||||||
|
keys = append(keys, col)
|
||||||
|
}
|
||||||
|
- slices.Sort[string](keys)
|
||||||
|
+ slices.Sort(keys)
|
||||||
|
+ //slices.Sort[string](keys)
|
||||||
|
|
||||||
|
// build where clause and values
|
||||||
|
for _, col := range keys {
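Review bot: The old call is kept as `//slices.Sort[string](keys)` under each of the three replaced lines (InsertQuery and both loops in UpdateQuery), which leaves dead code without saying what was wrong with it. Drop the commented-out lines and put the reason in the patch description, which is currently empty, or in a single comment such as `// type arguments are inferred; see patch description for why the explicit [string] form was dropped`. All three loops sit in functions that continue outside their hunks.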
|
@ -0,0 +1,76 @@
|
|||||||
|
From 5fe02f961e67af04907dc57beda42456128ab1c8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sam Feifer <sfeifer@redhat.com>
|
||||||
|
Date: Fri, 1 Mar 2024 15:05:24 -0500
|
||||||
|
Subject: [PATCH] update wrappers and systemd with distro paths
|
||||||
|
|
||||||
|
|
||||||
|
diff --git a/packaging/rpm/systemd/grafana-server.service b/packaging/rpm/systemd/grafana-server.service
|
||||||
|
index e3adc3f469..b2e4aced06 100644
|
||||||
|
--- a/packaging/rpm/systemd/grafana-server.service
|
||||||
|
+++ b/packaging/rpm/systemd/grafana-server.service
|
||||||
|
@@ -14,7 +14,7 @@ Restart=on-failure
|
||||||
|
WorkingDirectory=/usr/share/grafana
|
||||||
|
RuntimeDirectory=grafana
|
||||||
|
RuntimeDirectoryMode=0750
|
||||||
|
-ExecStart=/usr/share/grafana/bin/grafana server \
|
||||||
|
+ExecStart=/usr/sbin/grafana server \
|
||||||
|
--config=${CONF_FILE} \
|
||||||
|
--pidfile=${PID_FILE_DIR}/grafana-server.pid \
|
||||||
|
--packaging=rpm \
|
||||||
|
diff --git a/packaging/wrappers/grafana b/packaging/wrappers/grafana
|
||||||
|
index 86e0fc9faa..5c88bae4c3 100755
|
||||||
|
--- a/packaging/wrappers/grafana
|
||||||
|
+++ b/packaging/wrappers/grafana
|
||||||
|
@@ -5,7 +5,7 @@
|
||||||
|
# the system-wide Grafana configuration that was bundled with the package as we
|
||||||
|
# use the binary.
|
||||||
|
|
||||||
|
-DEFAULT=/etc/default/grafana
|
||||||
|
+DEFAULT=/etc/sysconfig/grafana-server
|
||||||
|
|
||||||
|
GRAFANA_HOME="${GRAFANA_HOME:-/usr/share/grafana}"
|
||||||
|
|
||||||
|
@@ -13,11 +13,12 @@ CONF_DIR=/etc/grafana
|
||||||
|
DATA_DIR=/var/lib/grafana
|
||||||
|
PLUGINS_DIR=/var/lib/grafana/plugins
|
||||||
|
LOG_DIR=/var/log/grafana
|
||||||
|
++LIBEXEC_DIR=/usr/libexec/grafana
|
||||||
|
|
||||||
|
CONF_FILE=$CONF_DIR/grafana.ini
|
||||||
|
PROVISIONING_CFG_DIR=$CONF_DIR/provisioning
|
||||||
|
|
||||||
|
-EXECUTABLE="$GRAFANA_HOME/bin/grafana"
|
||||||
|
++EXECUTABLE=$LIBEXEC_DIR/grafana
|
||||||
|
|
||||||
|
if [ ! -x $EXECUTABLE ]; then
|
||||||
|
echo "$EXECUTABLE not installed or not executable"
|
||||||
|
@@ -46,4 +47,13 @@ if [ "$CMD" = cli ]; then
|
||||||
|
--pluginsDir=${PLUGINS_DIR}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
-eval $EXECUTABLE "$CMD" "$OPTS" "$@"
|
||||||
|
+if [ "$(id -u)" -eq 0 -o "$(id -g)" -eq 0 ]; then
|
||||||
|
+ cd "${GRAFANA_HOME}"
|
||||||
|
+ exec runuser -u "${GRAFANA_USER}" -- "$EXECUTABLE" "$CMD" "${OPTS[@]}" "$@"
|
||||||
|
+elif [ "$(id -u -n)" = "${GRAFANA_USER}" ]; then
|
||||||
|
+ cd "${GRAFANA_HOME}"
|
||||||
|
+ exec "$EXECUTABLE" "$CMD" "${OPTS[@]}" "$@"
|
||||||
|
+else
|
||||||
|
+ echo "$0: please run this script as user \"${GRAFANA_USER}\" or root."
|
||||||
|
+ exit 5
|
||||||
|
+fi
|
||||||
|
\ No newline at end of file
|
||||||
|
diff --git a/packaging/wrappers/grafana-server b/packaging/wrappers/grafana-server
|
||||||
|
index 466b0d7c69..6be356f562 100755
|
||||||
|
--- a/packaging/wrappers/grafana-server
|
||||||
|
+++ b/packaging/wrappers/grafana-server
|
||||||
|
@@ -7,7 +7,8 @@
|
||||||
|
|
||||||
|
GRAFANA_HOME="${GRAFANA_HOME:-/usr/share/grafana}"
|
||||||
|
|
||||||
|
-EXECUTABLE="$GRAFANA_HOME/bin/grafana"
|
||||||
|
+LIBEXEC_DIR=/usr/libexec/grafana
|
||||||
|
+EXECUTABLE=$LIBEXEC_DIR/grafana
|
||||||
|
|
||||||
|
if [ ! -x $EXECUTABLE ]; then
|
||||||
|
echo "$EXECUTABLE not installed or not executable"
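Review bot: In the packaging/wrappers/grafana hunk the two added lines read `++LIBEXEC_DIR=/usr/libexec/grafana` and `++EXECUTABLE=$LIBEXEC_DIR/grafana`; if the doubled marker is really in the patch file, the installed script gets lines starting with a literal `+`, which the shell treats as command names rather than assignments, so EXECUTABLE would stay unset and the `[ ! -x $EXECUTABLE ]` guard would not stop the later `exec`. They should be `+LIBEXEC_DIR=/usr/libexec/grafana` and `+EXECUTABLE=$LIBEXEC_DIR/grafana`, as in the grafana-server hunk of the same patch. Separately, the new exec lines expand `"${OPTS[@]}"`, but the context line `--pluginsDir=${PLUGINS_DIR}"` suggests OPTS is a single quoted string, in which case all options arrive as one argument; building OPTS as an array (`OPTS+=("--pluginsDir=${PLUGINS_DIR}")`) would match that expansion. GRAFANA_USER is not set in the visible lines and presumably comes from the sourced defaults file, so a guard such as `: "${GRAFANA_USER:?GRAFANA_USER is not set}"` before `runuser` would make a missing value obvious.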
|
@ -0,0 +1,108 @@
|
|||||||
|
From eb711315d4c8a81ff52984293758a47372c21b8d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sam Feifer <sfeifer@redhat.com>
|
||||||
|
Date: Fri, 1 Mar 2024 15:07:22 -0500
|
||||||
|
Subject: [PATCH] remove bcrypt references
|
||||||
|
|
||||||
|
|
||||||
|
diff --git a/pkg/services/extsvcauth/oauthserver/oasimpl/service.go b/pkg/services/extsvcauth/oauthserver/oasimpl/service.go
|
||||||
|
index 8c5a90248d..43f6d11e08 100644
|
||||||
|
--- a/pkg/services/extsvcauth/oauthserver/oasimpl/service.go
|
||||||
|
+++ b/pkg/services/extsvcauth/oauthserver/oasimpl/service.go
|
||||||
|
@@ -19,7 +19,6 @@ import (
|
||||||
|
"github.com/ory/fosite/compose"
|
||||||
|
"github.com/ory/fosite/storage"
|
||||||
|
"github.com/ory/fosite/token/jwt"
|
||||||
|
- "golang.org/x/crypto/bcrypt"
|
||||||
|
|
||||||
|
"github.com/grafana/grafana/pkg/api/routing"
|
||||||
|
"github.com/grafana/grafana/pkg/bus"
|
||||||
|
@@ -235,88 +234,7 @@ func (s *OAuth2ServiceImpl) RemoveExternalService(ctx context.Context, name stri
|
||||||
|
// it ensures that the associated service account has the correct permissions.
|
||||||
|
// Database consistency is not guaranteed, consider changing this in the future.
|
||||||
|
func (s *OAuth2ServiceImpl) SaveExternalService(ctx context.Context, registration *extsvcauth.ExternalServiceRegistration) (*extsvcauth.ExternalService, error) {
|
||||||
|
- if registration == nil {
|
||||||
|
- s.logger.Warn("RegisterExternalService called without registration")
|
||||||
|
- return nil, nil
|
||||||
|
- }
|
||||||
|
- slug := registration.Name
|
||||||
|
- s.logger.Info("Registering external service", "external service", slug)
|
||||||
|
-
|
||||||
|
- // Check if the client already exists in store
|
||||||
|
- client, errFetchExtSvc := s.sqlstore.GetExternalServiceByName(ctx, slug)
|
||||||
|
- if errFetchExtSvc != nil && !errors.Is(errFetchExtSvc, oauthserver.ErrClientNotFound) {
|
||||||
|
- s.logger.Error("Error fetching service", "external service", slug, "error", errFetchExtSvc)
|
||||||
|
- return nil, errFetchExtSvc
|
||||||
|
- }
|
||||||
|
- // Otherwise, create a new client
|
||||||
|
- if client == nil {
|
||||||
|
- s.logger.Debug("External service does not yet exist", "external service", slug)
|
||||||
|
- client = &oauthserver.OAuthExternalService{
|
||||||
|
- Name: slug,
|
||||||
|
- ServiceAccountID: oauthserver.NoServiceAccountID,
|
||||||
|
- Audiences: s.cfg.AppURL,
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- // Parse registration form to compute required permissions for the client
|
||||||
|
- client.SelfPermissions, client.ImpersonatePermissions = s.handleRegistrationPermissions(registration)
|
||||||
|
-
|
||||||
|
- if registration.OAuthProviderCfg == nil {
|
||||||
|
- return nil, errors.New("missing oauth provider configuration")
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if registration.OAuthProviderCfg.RedirectURI != nil {
|
||||||
|
- client.RedirectURI = *registration.OAuthProviderCfg.RedirectURI
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- var errGenCred error
|
||||||
|
- client.ClientID, client.Secret, errGenCred = s.genCredentials()
|
||||||
|
- if errGenCred != nil {
|
||||||
|
- s.logger.Error("Error generating credentials", "client", client.LogID(), "error", errGenCred)
|
||||||
|
- return nil, errGenCred
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- grantTypes := s.computeGrantTypes(registration.Self.Enabled, registration.Impersonation.Enabled)
|
||||||
|
- client.GrantTypes = strings.Join(grantTypes, ",")
|
||||||
|
-
|
||||||
|
- // Handle key options
|
||||||
|
- s.logger.Debug("Handle key options")
|
||||||
|
- keys, err := s.handleKeyOptions(ctx, registration.OAuthProviderCfg.Key)
|
||||||
|
- if err != nil {
|
||||||
|
- s.logger.Error("Error handling key options", "client", client.LogID(), "error", err)
|
||||||
|
- return nil, err
|
||||||
|
- }
|
||||||
|
- if keys != nil {
|
||||||
|
- client.PublicPem = []byte(keys.PublicPem)
|
||||||
|
- }
|
||||||
|
- dto := client.ToExternalService(keys)
|
||||||
|
-
|
||||||
|
- hashedSecret, err := bcrypt.GenerateFromPassword([]byte(client.Secret), bcrypt.DefaultCost)
|
||||||
|
- if err != nil {
|
||||||
|
- s.logger.Error("Error hashing secret", "client", client.LogID(), "error", err)
|
||||||
|
- return nil, err
|
||||||
|
- }
|
||||||
|
- client.Secret = string(hashedSecret)
|
||||||
|
-
|
||||||
|
- s.logger.Debug("Save service account")
|
||||||
|
- saID, errSaveServiceAccount := s.saService.ManageExtSvcAccount(ctx, &serviceaccounts.ManageExtSvcAccountCmd{
|
||||||
|
- ExtSvcSlug: slugify.Slugify(client.Name),
|
||||||
|
- Enabled: registration.Self.Enabled,
|
||||||
|
- OrgID: oauthserver.TmpOrgID,
|
||||||
|
- Permissions: client.SelfPermissions,
|
||||||
|
- })
|
||||||
|
- if errSaveServiceAccount != nil {
|
||||||
|
- return nil, errSaveServiceAccount
|
||||||
|
- }
|
||||||
|
- client.ServiceAccountID = saID
|
||||||
|
-
|
||||||
|
- err = s.sqlstore.SaveExternalService(ctx, client)
|
||||||
|
- if err != nil {
|
||||||
|
- s.logger.Error("Error saving external service", "client", client.LogID(), "error", err)
|
||||||
|
- return nil, err
|
||||||
|
- }
|
||||||
|
- s.logger.Debug("Registered", "client", client.LogID())
|
||||||
|
- return dto, nil
|
||||||
|
+ panic("bcrypt cipher not available")
|
||||||
|
}
|
||||||
|
|
||||||
|
// randString generates a a cryptographically secure random string of n bytes
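Review bot: SaveExternalService now consists only of `panic("bcrypt cipher not available")`, so any caller that reaches it brings down the whole process instead of receiving the error that the signature already allows. Returning an error keeps the failure contained: `return nil, errors.New("external service registration is not available in this build: bcrypt removed")`; `errors` appears to be imported already, since the removed body used `errors.Is`. The removed body was also a user of `strings`, `slugify` and `serviceaccounts`, and only the bcrypt import is dropped, so check that those imports are still referenced elsewhere in the file or the build will fail. bcrypt is a password hash rather than a cipher, which the message could reflect.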
|
File diff suppressed because it is too large
@ -0,0 +1,135 @@
|
|||||||
|
use pbkdf2 from OpenSSL if FIPS mode is enabled
|
||||||
|
|
||||||
|
This patch modifies the x/crypto/pbkdf2 function to use OpenSSL
|
||||||
|
if FIPS mode is enabled.
|
||||||
|
DEFINEFUNC is from /usr/lib/golang/src/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h
|
||||||
|
|
||||||
|
diff --git a/vendor/golang.org/x/crypto/internal/boring/boring.go b/vendor/golang.org/x/crypto/internal/boring/boring.go
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000000..5a06918832
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/vendor/golang.org/x/crypto/internal/boring/boring.go
|
||||||
|
@@ -0,0 +1,74 @@
|
||||||
|
+// Copyright 2017 The Go Authors. All rights reserved.
|
||||||
|
+// Copyright 2021 Red Hat.
|
||||||
|
+// Use of this source code is governed by a BSD-style
|
||||||
|
+// license that can be found in the LICENSE file.
|
||||||
|
+
|
||||||
|
+// +build linux
|
||||||
|
+// +build !android
|
||||||
|
+// +build !no_openssl
|
||||||
|
+// +build !cmd_go_bootstrap
|
||||||
|
+// +build !msan
|
||||||
|
+
|
||||||
|
+package boring
|
||||||
|
+
|
||||||
|
+// #include "/usr/lib/golang/src/vendor/github.com/golang-fips/openssl/v2/goopenssl.h"
|
||||||
|
+// #cgo LDFLAGS: -ldl
|
||||||
|
+import "C"
|
||||||
|
+import (
|
||||||
|
+ "bytes"
|
||||||
|
+ "crypto/sha1"
|
||||||
|
+ "crypto/sha256"
|
||||||
|
+ "hash"
|
||||||
|
+ "unsafe"
|
||||||
|
+)
|
||||||
|
+
|
||||||
|
+var (
|
||||||
|
+ emptySha1 = sha1.Sum([]byte{})
|
||||||
|
+ emptySha256 = sha256.Sum256([]byte{})
|
||||||
|
+)
|
||||||
|
+
|
||||||
|
+func hashToMD(h hash.Hash) C.GO_EVP_MD_PTR {
|
||||||
|
+ emptyHash := h.Sum([]byte{})
|
||||||
|
+
|
||||||
|
+ switch {
|
||||||
|
+ case bytes.Equal(emptyHash, emptySha1[:]):
|
||||||
|
+ return C.go_openssl_EVP_sha1()
|
||||||
|
+ case bytes.Equal(emptyHash, emptySha256[:]):
|
||||||
|
+ return C.go_openssl_EVP_sha256()
|
||||||
|
+ }
|
||||||
|
+ return nil
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+// charptr returns the address of the underlying array in b,
|
||||||
|
+// being careful not to panic when b has zero length.
|
||||||
|
+func charptr(b []byte) *C.char {
|
||||||
|
+ if len(b) == 0 {
|
||||||
|
+ return nil
|
||||||
|
+ }
|
||||||
|
+ return (*C.char)(unsafe.Pointer(&b[0]))
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+// ucharptr returns the address of the underlying array in b,
|
||||||
|
+// being careful not to panic when b has zero length.
|
||||||
|
+func ucharptr(b []byte) *C.uchar {
|
||||||
|
+ if len(b) == 0 {
|
||||||
|
+ return nil
|
||||||
|
+ }
|
||||||
|
+ return (*C.uchar)(unsafe.Pointer(&b[0]))
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+func Pbkdf2Key(password, salt []byte, iter, keyLen int, h func() hash.Hash) []byte {
|
||||||
|
+ // println("[debug] using pbkdf2 from OpenSSL")
|
||||||
|
+ ch := h()
|
||||||
|
+ md := hashToMD(ch)
|
||||||
|
+ if md == nil {
|
||||||
|
+ return nil
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ out := make([]byte, keyLen)
|
||||||
|
+ ok := C.go_openssl_PKCS5_PBKDF2_HMAC(charptr(password), C.int(len(password)), ucharptr(salt), C.int(len(salt)), C.int(iter), md, C.int(keyLen), ucharptr(out))
|
||||||
|
+ if ok != 1 {
|
||||||
|
+ panic("boringcrypto: PKCS5_PBKDF2_HMAC failed")
|
||||||
|
+ }
|
||||||
|
+ return out
|
||||||
|
+}
|
||||||
|
diff --git a/vendor/golang.org/x/crypto/internal/boring/notboring.go b/vendor/golang.org/x/crypto/internal/boring/notboring.go
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000000..e244fb5663
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/vendor/golang.org/x/crypto/internal/boring/notboring.go
|
||||||
|
@@ -0,0 +1,16 @@
|
||||||
|
+// Copyright 2017 The Go Authors. All rights reserved.
|
||||||
|
+// Copyright 2021 Red Hat.
|
||||||
|
+// Use of this source code is governed by a BSD-style
|
||||||
|
+// license that can be found in the LICENSE file.
|
||||||
|
+
|
||||||
|
+// +build !linux !cgo android cmd_go_bootstrap msan no_openssl
|
||||||
|
+
|
||||||
|
+package boring
|
||||||
|
+
|
||||||
|
+import (
|
||||||
|
+ "hash"
|
||||||
|
+)
|
||||||
|
+
|
||||||
|
+func Pbkdf2Key(password, salt []byte, iter, keyLen int, h func() hash.Hash) []byte {
|
||||||
|
+ panic("boringcrypto: not available")
|
||||||
|
+}
|
||||||
|
diff --git a/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go b/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go
|
||||||
|
index 593f653008..799a611f94 100644
|
||||||
|
--- a/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go
|
||||||
|
+++ b/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go
|
||||||
|
@@ -19,8 +19,11 @@ pbkdf2.Key.
|
||||||
|
package pbkdf2 // import "golang.org/x/crypto/pbkdf2"
|
||||||
|
|
||||||
|
import (
|
||||||
|
+ "crypto/boring"
|
||||||
|
"crypto/hmac"
|
||||||
|
"hash"
|
||||||
|
+
|
||||||
|
+ xboring "golang.org/x/crypto/internal/boring"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Key derives a key from the password, salt and iteration count, returning a
|
||||||
|
@@ -40,6 +43,10 @@ import (
|
||||||
|
// Using a higher iteration count will increase the cost of an exhaustive
|
||||||
|
// search but will also make derivation proportionally slower.
|
||||||
|
func Key(password, salt []byte, iter, keyLen int, h func() hash.Hash) []byte {
|
||||||
|
+ if boring.Enabled() {
|
||||||
|
+ return xboring.Pbkdf2Key(password, salt, iter, keyLen, h)
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
prf := hmac.New(h, password)
|
||||||
|
hashLen := prf.Size()
|
||||||
|
numBlocks := (keyLen + hashLen - 1) / hashLen
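Review bot: Pbkdf2Key returns nil when hashToMD does not recognise the hash (`if md == nil { return nil }`), and hashToMD maps only SHA-1 and SHA-256, so with FIPS mode enabled pbkdf2.Key silently hands back a nil key for any other hash such as SHA-512. A caller that does not check the length would continue with empty key material; fail loudly instead, `panic("boringcrypto: unsupported hash function for PBKDF2")`. `iter` and `keyLen` are cast to `C.int` unchecked, so rejecting non-positive or oversized values before `make([]byte, keyLen)` is worth adding. The description cites goopenssl.h under `golang-fips/openssl-fips/openssl/` while the cgo include uses `golang-fips/openssl/v2/`; one of the two looks stale.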
|
@ -0,0 +1,18 @@
|
|||||||
|
skip goldenfiles tests
|
||||||
|
|
||||||
|
The golden files include memory dumps from a x86_64 machine.
|
||||||
|
Integers are stored as little endian on x86, but as big endian on s390x,
|
||||||
|
therefore loading this memory dump fails on s390x.
|
||||||
|
|
||||||
|
diff --git a/vendor/github.com/grafana/grafana-plugin-sdk-go/experimental/golden_response_checker.go b/vendor/github.com/grafana/grafana-plugin-sdk-go/experimental/golden_response_checker.go
|
||||||
|
index 320f40f3bd..20f5fa4f46 100644
|
||||||
|
--- a/vendor/github.com/grafana/grafana-plugin-sdk-go/experimental/golden_response_checker.go
|
||||||
|
+++ b/vendor/github.com/grafana/grafana-plugin-sdk-go/experimental/golden_response_checker.go
|
||||||
|
@@ -203,6 +203,7 @@ func CheckGoldenJSONFrame(t *testing.T, dir string, name string, f *data.Frame,
|
||||||
|
// CheckGoldenJSONResponse will verify that the stored JSON file matches the given backend.DataResponse.
|
||||||
|
func CheckGoldenJSONResponse(t *testing.T, dir string, name string, dr *backend.DataResponse, updateFile bool) {
|
||||||
|
t.Helper()
|
||||||
|
+ t.Skip("skipping test: x86_64 memory dump is not compatible with other architectures")
|
||||||
|
fpath := path.Join(dir, name+".jsonc")
|
||||||
|
|
||||||
|
expected, err := readGoldenJSONFile(fpath)
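Review bot: The added `t.Skip(...)` at the top of CheckGoldenJSONResponse is unconditional, so the golden-file comparison is skipped on every architecture, including x86_64 where the dumps were produced. Limiting it to the affected platform keeps the check where it works: `if runtime.GOARCH == "s390x" { t.Skip("golden files contain little-endian x86_64 memory dumps") }`, which needs `runtime` in the import block outside this hunk. The function body continues past the hunk.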
|
@ -0,0 +1,51 @@
|
|||||||
|
diff --git a/vendor/github.com/hashicorp/go-retryablehttp/client.go b/vendor/github.com/hashicorp/go-retryablehttp/client.go
|
||||||
|
index f40d241..765a828 100644
|
||||||
|
--- a/vendor/github.com/hashicorp/go-retryablehttp/client.go
|
||||||
|
+++ b/vendor/github.com/hashicorp/go-retryablehttp/client.go
|
||||||
|
@@ -584,9 +584,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
|
||||||
|
if logger != nil {
|
||||||
|
switch v := logger.(type) {
|
||||||
|
case LeveledLogger:
|
||||||
|
- v.Debug("performing request", "method", req.Method, "url", req.URL)
|
||||||
|
+ v.Debug("performing request", "method", req.Method, "url", req.URL.Redacted())
|
||||||
|
case Logger:
|
||||||
|
- v.Printf("[DEBUG] %s %s", req.Method, req.URL)
|
||||||
|
+ v.Printf("[DEBUG] %s %s", req.Method, req.URL.Redacted())
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -641,9 +641,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
|
||||||
|
if err != nil {
|
||||||
|
switch v := logger.(type) {
|
||||||
|
case LeveledLogger:
|
||||||
|
- v.Error("request failed", "error", err, "method", req.Method, "url", req.URL)
|
||||||
|
+ v.Error("request failed", "error", err, "method", req.Method, "url", req.URL.Redacted())
|
||||||
|
case Logger:
|
||||||
|
- v.Printf("[ERR] %s %s request failed: %v", req.Method, req.URL, err)
|
||||||
|
+ v.Printf("[ERR] %s %s request failed: %v", req.Method, req.URL.Redacted(), err)
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
// Call this here to maintain the behavior of logging all requests,
|
||||||
|
@@ -679,7 +679,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
|
||||||
|
|
||||||
|
wait := c.Backoff(c.RetryWaitMin, c.RetryWaitMax, i, resp)
|
||||||
|
if logger != nil {
|
||||||
|
- desc := fmt.Sprintf("%s %s", req.Method, req.URL)
|
||||||
|
+ desc := fmt.Sprintf("%s %s", req.Method, req.URL.Redacted())
|
||||||
|
if resp != nil {
|
||||||
|
desc = fmt.Sprintf("%s (status: %d)", desc, resp.StatusCode)
|
||||||
|
}
|
||||||
|
@@ -735,11 +735,11 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
|
||||||
|
// communicate why
|
||||||
|
if err == nil {
|
||||||
|
return nil, fmt.Errorf("%s %s giving up after %d attempt(s)",
|
||||||
|
- req.Method, req.URL, attempt)
|
||||||
|
+ req.Method, req.URL.Redacted(), attempt)
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil, fmt.Errorf("%s %s giving up after %d attempt(s): %w",
|
||||||
|
- req.Method, req.URL, attempt, err)
|
||||||
|
+ req.Method, req.URL.Redacted(), attempt, err)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Try to read the response body so we can reuse this connection.
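Review bot: `req.URL.Redacted()` masks only the password in the URL's userinfo, so secrets carried in the query string (API keys, signed-URL tokens) still reach the debug and error logs and the returned error text at every changed call site in Do. If such URLs can pass through this client, log a copy with the query removed or masked as well. The patch file has no description; a short header stating that it keeps basic-auth passwords out of logs and error messages, and which upstream change it corresponds to, would help when the vendored module is next updated. Do starts and ends outside these hunks.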
|
@ -0,0 +1,20 @@
|
|||||||
|
#!/bin/bash -eu
|
||||||
|
|
||||||
|
# Webpack needs more than the default 4GB RAM
|
||||||
|
export NODE_OPTIONS="${NODE_OPTIONS:-} --max_old_space_size=6144"
|
||||||
|
|
||||||
|
# Build the frontend
|
||||||
|
yarn run build
|
||||||
|
|
||||||
|
# Build the bundled plugins
|
||||||
|
mkdir plugins-bundled/external
|
||||||
|
yarn run plugins:build-bundled
|
||||||
|
for plugin in plugins-bundled/internal/input-datasource; do
|
||||||
|
mv $plugin $plugin.tmp
|
||||||
|
mv $plugin.tmp/dist $plugin
|
||||||
|
rm -rf $plugin.tmp
|
||||||
|
done
|
||||||
|
rm plugins-bundled/README.md plugins-bundled/.gitignore plugins-bundled/external.json
|
||||||
|
|
||||||
|
# Fix permissions (webpack sometimes outputs files with mode = 666 due to reasons unknown (race condition/umask issue afaics))
|
||||||
|
chmod -R g-w,o-w public/build plugins-bundled
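Review bot: `$plugin` is unquoted in all three commands of the loop (`mv $plugin $plugin.tmp`, `mv $plugin.tmp/dist $plugin`, `rm -rf $plugin.tmp`); quote it, e.g. `rm -rf -- "${plugin}.tmp"`, so that a path with spaces or glob characters cannot widen what `rm -rf` removes if the list is ever extended. `mkdir plugins-bundled/external` also aborts a re-run under `-e` when the directory already exists; `mkdir -p` avoids that.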
|
@ -0,0 +1,104 @@
|
|||||||
|
#!/bin/bash -eux
|
||||||
|
VERSION=$(rpm --specfile ./*.spec --qf '%{VERSION}\n' | head -1)
|
||||||
|
RELEASE=$(rpm --specfile ./*.spec --qf '%{RELEASE}\n' | head -1 | cut -d. -f1)
|
||||||
|
CHANGELOGTIME=$(rpm --specfile ./*.spec --qf '%{CHANGELOGTIME}\n' | head -1)
|
||||||
|
SOURCE_DATE_EPOCH=$((CHANGELOGTIME - CHANGELOGTIME % 86400))
|
||||||
|
|
||||||
|
SOURCE_DIR=grafana-$VERSION
|
||||||
|
SOURCE_TAR=grafana-$VERSION.tar.gz
|
||||||
|
VENDOR_TAR=grafana-vendor-$VERSION-$RELEASE.tar.xz
|
||||||
|
WEBPACK_TAR=grafana-webpack-$VERSION-$RELEASE.tar.gz
|
||||||
|
|
||||||
|
|
||||||
|
## Download and extract source tarball
|
||||||
|
spectool -g grafana.spec
|
||||||
|
rm -rf "${SOURCE_DIR}"
|
||||||
|
tar xf "${SOURCE_TAR}"
|
||||||
|
|
||||||
|
|
||||||
|
## Create vendor bundle
|
||||||
|
pushd "${SOURCE_DIR}"
|
||||||
|
|
||||||
|
# Vendor Go dependencies
|
||||||
|
patch -p1 --fuzz=0 < ../0004-remove-unused-backend-dependencies.patch
|
||||||
|
go mod vendor
|
||||||
|
|
||||||
|
# Generate Go files
|
||||||
|
make gen-go
|
||||||
|
|
||||||
|
# Remove unused crypto
|
||||||
|
rm -r vendor/golang.org/x/crypto/bcrypt
|
||||||
|
rm -r vendor/golang.org/x/crypto/blowfish
|
||||||
|
rm -r vendor/golang.org/x/crypto/cast5
|
||||||
|
rm -r vendor/golang.org/x/crypto/acme
|
||||||
|
rm -r vendor/golang.org/x/crypto/argon2
|
||||||
|
rm -r vendor/golang.org/x/crypto/blake2b
|
||||||
|
rm -r vendor/golang.org/x/crypto/chacha20
|
||||||
|
rm -r vendor/golang.org/x/crypto/chacha20poly1305
|
||||||
|
rm -r vendor/golang.org/x/crypto/cryptobyte
|
||||||
|
rm -r vendor/golang.org/x/crypto/curve25519
|
||||||
|
rm -r vendor/golang.org/x/crypto/ed25519
|
||||||
|
rm -r vendor/golang.org/x/crypto/hkdf
|
||||||
|
rm -r vendor/golang.org/x/crypto/internal
|
||||||
|
rm -r vendor/golang.org/x/crypto/md4
|
||||||
|
rm -r vendor/golang.org/x/crypto/nacl
|
||||||
|
rm -r vendor/golang.org/x/crypto/openpgp
|
||||||
|
rm -r vendor/golang.org/x/crypto/pkcs12
|
||||||
|
rm -r vendor/golang.org/x/crypto/poly1305
|
||||||
|
rm -r vendor/golang.org/x/crypto/salsa20
|
||||||
|
rm -r vendor/golang.org/x/crypto/scrypt
|
||||||
|
rm -r vendor/golang.org/x/crypto/sha3
|
||||||
|
|
||||||
|
# Remove unused code under apsl licenses
|
||||||
|
rm -r vendor/modernc.org/libc
|
||||||
|
rm -r vendor/modernc.org/sqlite
|
||||||
|
|
||||||
|
# List bundled dependencies
|
||||||
|
awk '$2 ~ /^v/ && $4 != "indirect" {print "Provides: bundled(golang(" $1 ")) = " substr($2, 2)}' go.mod | \
|
||||||
|
sed -E 's/=(.*)-(.*)-(.*)/=\1-\2.\3/g' > "../${VENDOR_TAR}.manifest"
|
||||||
|
|
||||||
|
# Vendor Node.js dependencies
|
||||||
|
patch -p1 --fuzz=0 < ../0005-remove-unused-frontend-crypto.patch
|
||||||
|
export HUSKY=0
|
||||||
|
yarn install --frozen-lockfile
|
||||||
|
|
||||||
|
# Remove files with licensing issues
|
||||||
|
find .yarn -name 'node-notifier' -prune -exec rm -r {} \;
|
||||||
|
find .yarn -name 'nodemon' -prune -exec rm -r {} \;
|
||||||
|
|
||||||
|
# List bundled dependencies
|
||||||
|
../list_bundled_nodejs_packages.py . >> "../${VENDOR_TAR}.manifest"
|
||||||
|
|
||||||
|
popd
|
||||||
|
|
||||||
|
# Create tarball
|
||||||
|
# shellcheck disable=SC2046
|
||||||
|
XZ_OPT=-9 tar \
|
||||||
|
--sort=name \
|
||||||
|
--mtime="@${SOURCE_DATE_EPOCH}" --clamp-mtime \
|
||||||
|
--owner=0 --group=0 --numeric-owner \
|
||||||
|
-cJf "${VENDOR_TAR}" \
|
||||||
|
"${SOURCE_DIR}/vendor" \
|
||||||
|
$(find "${SOURCE_DIR}" -type f -name wire_gen.go | LC_ALL=C sort) \
|
||||||
|
"${SOURCE_DIR}/.pnp.cjs" \
|
||||||
|
"${SOURCE_DIR}/.yarn/cache" \
|
||||||
|
"${SOURCE_DIR}/.yarn/unplugged"
|
||||||
|
|
||||||
|
|
||||||
|
## Create webpack
|
||||||
|
pushd "${SOURCE_DIR}"
|
||||||
|
../build_frontend.sh
|
||||||
|
popd
|
||||||
|
|
||||||
|
# Create tarball
|
||||||
|
tar \
|
||||||
|
--sort=name \
|
||||||
|
--mtime="@${SOURCE_DATE_EPOCH}" --clamp-mtime \
|
||||||
|
--owner=0 --group=0 --numeric-owner \
|
||||||
|
-czf "${WEBPACK_TAR}" \
|
||||||
|
"${SOURCE_DIR}/plugins-bundled" \
|
||||||
|
"${SOURCE_DIR}/public/build" \
|
||||||
|
"${SOURCE_DIR}/public/img" \
|
||||||
|
"${SOURCE_DIR}/public/lib" \
|
||||||
|
"${SOURCE_DIR}/public/locales" \
|
||||||
|
"${SOURCE_DIR}/public/views"
|
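Review bot: The tarball fetched by `spectool -g grafana.spec` is unpacked with `tar xf "${SOURCE_TAR}"` and then drives `go mod vendor`, `make gen-go` and `yarn install` without any integrity check. Verify it against a pinned digest before extraction, for example `echo "EXPECTED_SHA256_PLACEHOLDER  ${SOURCE_TAR}" | sha256sum -c -`, so that a tampered or truncated download stops the script before any of its code runs. The script reads the version fields from `./*.spec` but downloads from `grafana.spec`; using one of the two throughout avoids a mismatch if a second spec file is present. `-eux` without `-o pipefail` also means a failing `awk` in the manifest pipeline goes unnoticed.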
@ -0,0 +1,24 @@
|
|||||||
|
#!/bin/bash -eu
|
||||||
|
#
|
||||||
|
# create vendor and webpack bundles inside a container (for reproducibility)
|
||||||
|
# using a Go cache:
|
||||||
|
# ./create_bundles_in_container.sh --security-opt label=disable -v $(pwd)/.gocache:/root/go
|
||||||
|
#
|
||||||
|
|
||||||
|
cat <<EOF | podman build -t grafana-build -f - .
|
||||||
|
FROM fedora:39
|
||||||
|
|
||||||
|
RUN dnf upgrade -y && \
|
||||||
|
dnf install -y rpmdevtools python3-packaging python3-pyyaml make golang nodejs yarnpkg
|
||||||
|
|
||||||
|
# https://groups.google.com/g/golang-nuts/c/MVtHZUtZru4
|
||||||
|
ENV GOPROXY=https://proxy.golang.org,direct
|
||||||
|
|
||||||
|
WORKDIR /tmp/grafana-build
|
||||||
|
COPY grafana.spec create_bundles.sh build_frontend.sh list_bundled_nodejs_packages.py *.patch .
|
||||||
|
RUN mkdir bundles
|
||||||
|
CMD ./create_bundles.sh && mv *.tar.* bundles
|
||||||
|
EOF
|
||||||
|
|
||||||
|
podman run --name grafana-build --replace "$@" grafana-build
|
||||||
|
podman cp grafana-build:bundles/. .
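Review bot: The header comment says the container is used for reproducibility, but `FROM fedora:39` is a mutable tag and `dnf upgrade -y` pulls whatever is current, so two runs can build the bundles with different Go, Node.js and Yarn versions. Pin the base image by digest, `FROM fedora:39@sha256:DIGEST_PLACEHOLDER`, and record the installed toolchain versions next to the bundles. `podman run ... "$@"` forwards arbitrary options into the build container, so the header should state that only cache mounts like the documented example are expected.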
|
@ -0,0 +1,25 @@
|
|||||||
|
/etc/systemd/system/grafana-server.service -- gen_context(system_u:object_r:grafana_unit_file_t,s0)
|
||||||
|
/usr/lib/systemd/system/grafana-server.service -- gen_context(system_u:object_r:grafana_unit_file_t,s0)
|
||||||
|
|
||||||
|
/etc/grafana(/.*)? gen_context(system_u:object_r:grafana_conf_t,s0)
|
||||||
|
|
||||||
|
/usr/sbin/grafana-cli -- gen_context(system_u:object_r:grafana_exec_t,s0)
|
||||||
|
/usr/sbin/grafana-server -- gen_context(system_u:object_r:grafana_exec_t,s0)
|
||||||
|
/usr/sbin/grafana -- gen_context(system_u:object_r:grafana_exec_t,s0)
|
||||||
|
|
||||||
|
/var/lib/grafana(/.*)? gen_context(system_u:object_r:grafana_var_lib_t,s0)
|
||||||
|
#/var/lib/grafana/grafana.db -- gen_context(system_u:object_r:grafana_db_t,s0)
|
||||||
|
|
||||||
|
/var/log/grafana(/.*)? gen_context(system_u:object_r:grafana_log_t,s0)
|
||||||
|
|
||||||
|
/var/run/grafana(/.*)? -- gen_context(system_u:object_r:grafana_var_run_t,s0)
|
||||||
|
|
||||||
|
#/var/lib/grafana/plugins(/.*)? gen_context(system_u:object_r:grafana_plugin_t,s0)
|
||||||
|
|
||||||
|
/usr/share/grafana/bin/grafana -- gen_context(system_u:object_r:grafana_exec_t,s0)
|
||||||
|
/usr/share/grafana/bin/grafana-cli -- gen_context(system_u:object_r:grafana_exec_t,s0)
|
||||||
|
/usr/share/grafana/bin/grafana-server -- gen_context(system_u:object_r:grafana_exec_t,s0)
|
||||||
|
|
||||||
|
#define context for pcp plugin
|
||||||
|
#/usr/share/performancecopilot-pcp-app/datasources/redis/pcp_redis_datasource_(.*) -- gen_context(system_u:object_r:grafana_pcp_exec_t,s0)
|
||||||
|
/usr/libexec/grafana-pcp/datasources/redis/pcp_redis_datasource_(.*) -- gen_context(system_u:object_r:grafana_pcp_exec_t,s0)
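Review bot: `/var/run/grafana(/.*)? -- gen_context(...grafana_var_run_t...)` carries the `--` file-type specifier, which limits the rule to regular files, so the runtime directory itself and any socket inside it keep their default label; the `/var/lib/grafana` and `/var/log/grafana` entries omit it, and this one probably should too. There is also no entry for `/usr/libexec/grafana/`, which the wrapper patches in this commit make the location of the real binaries (`EXECUTABLE=$LIBEXEC_DIR/grafana`), so confirm that the domain transition is meant to happen on the `/usr/sbin` wrappers only. The commented-out entries (`grafana_db_t`, `grafana_plugin_t`, the old pcp path) deserve a word on why they are disabled, since the interface file that follows still requires `grafana_db_t`.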
|
@ -0,0 +1,141 @@
|
|||||||
|
## <summary>policy for grafana</summary>
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute grafana_exec_t in the grafana domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed to transition.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`grafana_domtrans',`
|
||||||
|
gen_require(`
|
||||||
|
type grafana_t, grafana_exec_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
corecmd_search_bin($1)
|
||||||
|
domtrans_pattern($1, grafana_exec_t, grafana_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Allow domain to name_connect to grafana port. Default :3000
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`connect_grafana_port',`
|
||||||
|
gen_require(`
|
||||||
|
class tcp_socket name_connect;
|
||||||
|
type grafana_port_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 grafana_port_t:tcp_socket name_connect;
|
||||||
|
')
|
||||||
|
|
||||||
|
#######################################
|
||||||
|
## <summary>
|
||||||
|
## Read grafana database.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`grafana_read_db',`
|
||||||
|
gen_require(`
|
||||||
|
type grafana_db_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_var_lib($1)
|
||||||
|
search_dirs_pattern($1, grafana_var_lib_t, grafana_var_lib_t)
|
||||||
|
read_files_pattern($1, grafana_db_t, grafana_db_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
######################################
|
||||||
|
## <summary>
|
||||||
|
## Execute grafana in the caller domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`grafana_exec',`
|
||||||
|
gen_require(`
|
||||||
|
type grafana_exec_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
corecmd_search_bin($1)
|
||||||
|
can_exec($1, grafana_exec_t)
|
||||||
|
')
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute grafana server in the grafana domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed to transition.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`grafana_systemctl',`
|
||||||
|
gen_require(`
|
||||||
|
type grafana_t;
|
||||||
|
type grafana_unit_file_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
systemd_exec_systemctl($1)
|
||||||
|
systemd_read_fifo_file_passwd_run($1)
|
||||||
|
allow $1 grafana_unit_file_t:file read_file_perms;
|
||||||
|
allow $1 grafana_unit_file_t:service manage_service_perms;
|
||||||
|
|
||||||
|
ps_process_pattern($1, grafana_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## All of the rules required to administrate
|
||||||
|
## an grafana environment
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <param name="role">
|
||||||
|
## <summary>
|
||||||
|
## Role allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
|
#
|
||||||
|
interface(`grafana_admin',`
|
||||||
|
gen_require(`
|
||||||
|
type grafana_t;
|
||||||
|
type grafana_unit_file_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 grafana_t:process { signal_perms };
|
||||||
|
ps_process_pattern($1, grafana_t)
|
||||||
|
|
||||||
|
tunable_policy(`deny_ptrace',`',`
|
||||||
|
allow $1 grafana_t:process ptrace;
|
||||||
|
')
|
||||||
|
|
||||||
|
grafana_systemctl($1)
|
||||||
|
admin_pattern($1, grafana_unit_file_t)
|
||||||
|
allow $1 grafana_unit_file_t:service all_service_perms;
|
||||||
|
optional_policy(`
|
||||||
|
systemd_passwd_agent_exec($1)
|
||||||
|
systemd_read_fifo_file_passwd_run($1)
|
||||||
|
')
|
||||||
|
')
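Review bot: `grafana_read_db` references `grafana_var_lib_t` in `search_dirs_pattern($1, grafana_var_lib_t, grafana_var_lib_t)`, but its `gen_require` block declares only `grafana_db_t`. A module that calls the interface without already requiring that type would presumably fail to compile, so the require block should also carry `type grafana_var_lib_t;`. The only file-context entry for `grafana_db_t` shown on this page (`#/var/lib/grafana/grafana.db`) is commented out. As far as the page shows, nothing is labelled with that type, so the interface grants read access to a label no file carries while the real database stays under `grafana_var_lib_t`. A comment on the interface stating which label the database actually has would prevent callers from assuming it isolates the database from the rest of `/var/lib/grafana`.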
|
@ -0,0 +1,2 @@
|
|||||||
|
#Type Name ID GECOS Home directory
|
||||||
|
u grafana - "Grafana user account" /usr/share/grafana
|
@ -0,0 +1,207 @@
|
|||||||
|
policy_module(grafana, 1.0.4)
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Declarations
|
||||||
|
#
|
||||||
|
#permissive grafana_t;
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow grafana to be used with a reverse proxy
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(grafana_can_reverse_proxy, false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow grafana to connect to elasticsearch's default tcp port of 9200
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(grafana_can_tcp_connect_elasticsearch_port, false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow grafana to connect to mysql's default tcp port of 3306
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(grafana_can_tcp_connect_mysql_port, false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow grafana to connect to postgresql's default tcp port of 5432
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(grafana_can_tcp_connect_postgresql_port, false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow grafana to connect to prometheus' default tcp port of 9090
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(grafana_can_tcp_connect_prometheus_port, false)
|
||||||
|
|
||||||
|
|
||||||
|
type grafana_t;
|
||||||
|
type grafana_exec_t;
|
||||||
|
init_daemon_domain(grafana_t, grafana_exec_t)
|
||||||
|
init_nnp_daemon_domain(grafana_t)
|
||||||
|
|
||||||
|
type grafana_unit_file_t;
|
||||||
|
systemd_unit_file(grafana_unit_file_t)
|
||||||
|
|
||||||
|
type grafana_conf_t;
|
||||||
|
files_config_file(grafana_conf_t)
|
||||||
|
|
||||||
|
type grafana_db_t;
|
||||||
|
files_config_file(grafana_db_t)
|
||||||
|
|
||||||
|
type grafana_tmp_t;
|
||||||
|
files_tmp_file(grafana_tmp_t)
|
||||||
|
|
||||||
|
type grafana_tmpfs_t;
|
||||||
|
files_tmpfs_file(grafana_tmpfs_t)
|
||||||
|
|
||||||
|
type grafana_log_t;
|
||||||
|
logging_log_file(grafana_log_t)
|
||||||
|
|
||||||
|
type grafana_var_run_t;
|
||||||
|
files_pid_file(grafana_var_run_t)
|
||||||
|
|
||||||
|
type grafana_var_lib_t;
|
||||||
|
files_type(grafana_var_lib_t)
|
||||||
|
|
||||||
|
type grafana_port_t;
|
||||||
|
corenet_port(grafana_port_t)
|
||||||
|
|
||||||
|
type grafana_pcp_exec_t;
|
||||||
|
corecmd_executable_file(grafana_pcp_exec_t)
|
||||||
|
can_exec(grafana_t, grafana_pcp_exec_t)
|
||||||
|
|
||||||
|
# Ports 32768-60999 (pcp port is 44322)
|
||||||
|
corenet_tcp_connect_all_ephemeral_ports(grafana_t)
|
||||||
|
grafana_exec(grafana_t)
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# grafana local policy
|
||||||
|
#
|
||||||
|
allow grafana_t self:tcp_socket create_stream_socket_perms;
|
||||||
|
allow grafana_t self:udp_socket create_stream_socket_perms;
|
||||||
|
allow grafana_t self:unix_dgram_socket create_socket_perms;
|
||||||
|
|
||||||
|
allow grafana_t grafana_port_t:tcp_socket { name_bind name_connect };
|
||||||
|
|
||||||
|
allow grafana_t self:unix_stream_socket connectto;
|
||||||
|
|
||||||
|
allow grafana_t self:netlink_route_socket { create bind getattr nlmsg_read };
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
require {
|
||||||
|
type smtp_port_t;
|
||||||
|
class tcp_socket { name_connect };
|
||||||
|
}
|
||||||
|
allow grafana_t smtp_port_t:tcp_socket name_connect;
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
require {
|
||||||
|
type usr_t;
|
||||||
|
class file { execute execute_no_trans };
|
||||||
|
}
|
||||||
|
allow grafana_t usr_t:file { execute execute_no_trans };
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
require {
|
||||||
|
type postgresql_t;
|
||||||
|
type postgresql_var_run_t;
|
||||||
|
class unix_stream_socket { connectto };
|
||||||
|
class sock_file { write };
|
||||||
|
}
|
||||||
|
allow grafana_t postgresql_t:unix_stream_socket connectto;
|
||||||
|
allow grafana_t postgresql_var_run_t:sock_file write;
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
require {
|
||||||
|
type proc_net_t;
|
||||||
|
class lnk_file { read };
|
||||||
|
}
|
||||||
|
allow grafana_t proc_net_t:lnk_file read;
|
||||||
|
')
|
||||||
|
|
||||||
|
manage_dirs_pattern(grafana_t, grafana_conf_t, grafana_conf_t)
|
||||||
|
manage_files_pattern(grafana_t, grafana_conf_t, grafana_conf_t)
|
||||||
|
|
||||||
|
manage_dirs_pattern(grafana_t, grafana_db_t, grafana_db_t)
|
||||||
|
manage_files_pattern(grafana_t, grafana_db_t, grafana_db_t)
|
||||||
|
|
||||||
|
manage_dirs_pattern(grafana_t, grafana_tmp_t, grafana_tmp_t)
|
||||||
|
manage_files_pattern(grafana_t, grafana_tmp_t, grafana_tmp_t)
|
||||||
|
manage_sock_files_pattern(grafana_t, grafana_tmp_t, grafana_tmp_t)
|
||||||
|
files_tmp_filetrans(grafana_t, grafana_tmp_t, { dir file sock_file })
|
||||||
|
|
||||||
|
manage_dirs_pattern(grafana_t, grafana_tmpfs_t, grafana_tmpfs_t)
|
||||||
|
manage_files_pattern(grafana_t, grafana_tmpfs_t, grafana_tmpfs_t)
|
||||||
|
fs_tmpfs_filetrans(grafana_t, grafana_tmpfs_t, {dir file})
|
||||||
|
|
||||||
|
manage_dirs_pattern(grafana_t, grafana_log_t, grafana_log_t)
|
||||||
|
manage_files_pattern(grafana_t, grafana_log_t, grafana_log_t)
|
||||||
|
logging_log_filetrans(grafana_t, grafana_log_t, { dir file })
|
||||||
|
|
||||||
|
manage_dirs_pattern(grafana_t, grafana_var_run_t, grafana_var_run_t)
|
||||||
|
manage_files_pattern(grafana_t, grafana_var_run_t, grafana_var_run_t)
|
||||||
|
files_pid_filetrans(grafana_t, grafana_var_run_t, { dir file })
|
||||||
|
|
||||||
|
manage_dirs_pattern(grafana_t, grafana_var_lib_t, grafana_var_lib_t)
|
||||||
|
manage_files_pattern(grafana_t, grafana_var_lib_t, grafana_var_lib_t)
|
||||||
|
manage_lnk_files_pattern(grafana_t, grafana_var_lib_t, grafana_var_lib_t)
|
||||||
|
files_var_lib_filetrans(grafana_t, grafana_var_lib_t, { dir file })
|
||||||
|
|
||||||
|
|
||||||
|
corenet_tcp_connect_http_port(grafana_t)
|
||||||
|
corenet_tcp_bind_generic_node(grafana_t)
|
||||||
|
|
||||||
|
kernel_dgram_send(grafana_t)
|
||||||
|
kernel_read_net_sysctls(grafana_t)
|
||||||
|
kernel_read_system_state(grafana_t)
|
||||||
|
|
||||||
|
auth_read_passwd(grafana_t)
|
||||||
|
|
||||||
|
dev_read_sysfs(grafana_t)
|
||||||
|
|
||||||
|
sysnet_read_config(grafana_t)
|
||||||
|
|
||||||
|
logging_send_syslog_msg(grafana_t)
|
||||||
|
|
||||||
|
miscfiles_read_generic_certs(grafana_t)
|
||||||
|
|
||||||
|
tunable_policy(`grafana_can_reverse_proxy',`
|
||||||
|
gen_require(`
|
||||||
|
type httpd_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
connect_grafana_port(httpd_t) # Reverse proxy support
|
||||||
|
corenet_tcp_connect_http_port(grafana_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
tunable_policy(`grafana_can_tcp_connect_elasticsearch_port',` # Elasticsearch default tcp port 9200
|
||||||
|
corenet_tcp_connect_wap_wsp_port(grafana_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
tunable_policy(`grafana_can_tcp_connect_mysql_port',` # Mysql default tcp port 3306
|
||||||
|
corenet_tcp_connect_mysqld_port(grafana_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
tunable_policy(`grafana_can_tcp_connect_postgresql_port',` # Postgresql default tcp port 5432
|
||||||
|
corenet_tcp_connect_postgresql_port(grafana_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
tunable_policy(`grafana_can_tcp_connect_prometheus_port',` # Prometheus default tcp port 9090
|
||||||
|
corenet_tcp_connect_websm_port(grafana_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
systemd_private_tmp(grafana_tmp_t)
|
||||||
|
')
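Review bot: `corenet_tcp_connect_all_ephemeral_ports(grafana_t)` is granted unconditionally, so the confined daemon may connect to any TCP port in 32768-60999 even though the comment above it names only the pcp port 44322. Every other data-source connect in this file sits behind a `gen_tunable(..., false)` boolean, and this one would fit the same pattern so that the default policy stays narrow. The same applies to `allow grafana_t usr_t:file { execute execute_no_trans };`, which lets `grafana_t` run any `usr_t` file in its own domain; a comment naming the binary that needs it would make the grant reviewable. `corenet_tcp_connect_http_port(grafana_t)` also appears both at top level and inside the `grafana_can_reverse_proxy` block, so the copy inside the tunable has no effect.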
|
@ -0,0 +1,72 @@
|
|||||||
|
#!/usr/bin/env python3
|
||||||
|
#
|
||||||
|
# generates Provides: bundled(npm(...)) = ... lines for each declared dependency and devDependency of package.json
|
||||||
|
#
|
||||||
|
import os
|
||||||
|
import sys
|
||||||
|
import json
|
||||||
|
import yaml
|
||||||
|
from packaging import version
|
||||||
|
|
||||||
|
|
||||||
|
def scan_package_json(package_dir):
|
||||||
|
for root, dirs, files in os.walk(package_dir, topdown=True):
|
||||||
|
dirs[:] = [d for d in dirs if d not in ["node_modules", "vendor"]]
|
||||||
|
if "package.json" in files:
|
||||||
|
yield os.path.join(root, "package.json")
|
||||||
|
|
||||||
|
|
||||||
|
def read_declared_pkgs(package_json_path):
|
||||||
|
with open(package_json_path) as f:
|
||||||
|
package_json = json.load(f)
|
||||||
|
return list(package_json.get("dependencies", {}).keys()) + list(
|
||||||
|
package_json.get("devDependencies", {}).keys()
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
def read_installed_pkgs(yarn_lock_path):
|
||||||
|
bad_version_strings = ['0.0.0-use.local', '7.0.1-patch.1']
|
||||||
|
with open(yarn_lock_path) as f:
|
||||||
|
lockfile = yaml.safe_load(f)
|
||||||
|
for pkg_decl, meta in lockfile.items():
|
||||||
|
for pkg in pkg_decl.split(", "):
|
||||||
|
if ":" not in pkg:
|
||||||
|
continue
|
||||||
|
pkg_name = pkg[: pkg.index("@", 1)]
|
||||||
|
pkg_version = meta["version"]
|
||||||
|
if pkg_version not in bad_version_strings:
|
||||||
|
yield (pkg_name, pkg_version)
|
||||||
|
|
||||||
|
|
||||||
|
def list_provides(declared_pkgs, installed_pkgs):
|
||||||
|
for declared_pkg in declared_pkgs:
|
||||||
|
# there can be multiple versions installed of one package (transitive dependencies)
|
||||||
|
# but rpm doesn't support Provides: with a single package and multiple versions
|
||||||
|
# so let's declare the oldest version here
|
||||||
|
versions = [
|
||||||
|
version.parse(pkg_version)
|
||||||
|
for pkg_name, pkg_version in installed_pkgs
|
||||||
|
if pkg_name == declared_pkg
|
||||||
|
]
|
||||||
|
|
||||||
|
if not versions:
|
||||||
|
print(f"warning: {declared_pkg} missing in yarn.lock", file=sys.stderr)
|
||||||
|
continue
|
||||||
|
|
||||||
|
oldest_version = sorted(versions)[0]
|
||||||
|
yield f"Provides: bundled(npm({declared_pkg})) = {oldest_version}"
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
if len(sys.argv) != 2:
|
||||||
|
print(f"usage: {sys.argv[0]} package-X.Y.Z/", file=sys.stdout)
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
|
package_dir = sys.argv[1]
|
||||||
|
declared_pkgs = set()
|
||||||
|
for package_json_path in scan_package_json(package_dir):
|
||||||
|
declared_pkgs.update(read_declared_pkgs(package_json_path))
|
||||||
|
installed_pkgs = list(read_installed_pkgs(f"{package_dir}/yarn.lock"))
|
||||||
|
provides = list_provides(declared_pkgs, installed_pkgs)
|
||||||
|
for provide in sorted(provides):
|
||||||
|
print(provide)
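Review bot: The hard-coded `bad_version_strings` list in `read_installed_pkgs` only filters the two version strings known today, so any other non-PEP 440 version that later appears in yarn.lock reaches `version.parse()` in `list_provides`. Depending on the installed `packaging` release, that either raises and aborts the generator or yields a legacy version object that can sort first and be emitted as the "oldest" version. These `Provides: bundled(npm(...))` lines are presumably the inventory used to match bundled components against advisories, so a wrong or missing entry is worth a visible warning. Validating each version where it is read and warning on stderr removes the need to maintain the list. The usage message in the `__main__` block is also printed with `file=sys.stdout`; `file=sys.stderr` would keep it out of any captured Provides output.

```python
def read_installed_pkgs(yarn_lock_path):
    # … unchanged: open yarn.lock, iterate entries, derive pkg_name …
            pkg_version = meta["version"]
            try:
                # Version() rejects anything that is not PEP 440, independent of the packaging release
                version.Version(pkg_version)
            except version.InvalidVersion:
                print(
                    f"warning: skipping {pkg_name}: unparsable version {pkg_version}",
                    file=sys.stderr,
                )
                continue
            yield (pkg_name, pkg_version)
```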
|
File diff suppressed because it is too large