Merge remote-tracking branch 'refs/remotes/origin/dev' into fix_dynam…

…ic_label_template_validation
grafana · Dec 18, 2024 · 7cfe85e · 7cfe85e
2 parents 1fe72b4 + 1399ba9
commit 7cfe85e
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 14 deletions.
diff --git a/docs/sources/set-up/open-source/index.md b/docs/sources/set-up/open-source/index.md
@@ -221,6 +221,9 @@ The benefits of connecting to Grafana Cloud OnCall include:
 
 To connect to Grafana Cloud OnCall, refer to the **Cloud** page in your OSS Grafana OnCall instance.
 
+Check the Settings page for the Grafana Cloud OnCall API URL. If it's not `https://oncall-prod-us-central-0.grafana.net/oncall`,
+you will need to set the `GRAFANA_CLOUD_ONCALL_API_URL` variable in your self-hosted OnCall, so that it can connect properly.
+
 ## Supported Phone Providers
 
 ### Exotel

diff --git a/engine/apps/auth_token/auth.py b/engine/apps/auth_token/auth.py
@@ -16,6 +16,7 @@
 from apps.user_management.models import User
 from apps.user_management.models.organization import Organization
 from apps.user_management.sync import get_or_create_user
+from common.utils import validate_url
 from settings.base import SELF_HOSTED_SETTINGS
 
 from .constants import GOOGLE_OAUTH2_AUTH_TOKEN_NAME, SCHEDULE_EXPORT_TOKEN_NAME, SLACK_AUTH_TOKEN_NAME
@@ -370,14 +371,17 @@ def authenticate(self, request):
     def get_organization(self, request, auth):
         grafana_url = request.headers.get(X_GRAFANA_URL)
         if grafana_url:
-            organization = Organization.objects.filter(grafana_url=grafana_url).first()
-            if not organization:
-                # trigger a request to sync the organization
-                # (ignore response since we can get a 400 if sync was already triggered;
-                # if organization exists, we are good)
-                setup_organization(grafana_url, auth)
-                organization = Organization.objects.filter(grafana_url=grafana_url).first()
-            return organization
+            url = validate_url(grafana_url)
+            if url is not None:
+                url = url.rstrip("/")
+                organization = Organization.objects.filter(grafana_url=url).first()
+                if not organization:
+                    # trigger a request to sync the organization
+                    # (ignore response since we can get a 400 if sync was already triggered;
+                    # if organization exists, we are good)
+                    setup_organization(url, auth)
+                    organization = Organization.objects.filter(grafana_url=url).first()
+                return organization
 
         if settings.LICENSE == settings.CLOUD_LICENSE_NAME:
             instance_id = request.headers.get(X_GRAFANA_INSTANCE_ID)

diff --git a/engine/apps/auth_token/tests/test_grafana_auth.py b/engine/apps/auth_token/tests/test_grafana_auth.py
@@ -98,7 +98,7 @@ def test_grafana_authentication_missing_org():
 
 @pytest.mark.django_db
 @httpretty.activate(verbose=True, allow_net_connect=False)
-def test_grafana_authentication_invalid_grafana_url():
+def test_grafana_authentication_no_org_grafana_url():
     grafana_url = "http://grafana.test"
     token = f"{ServiceAccountToken.GRAFANA_SA_PREFIX}xyz"
     headers = {
@@ -115,6 +115,23 @@ def test_grafana_authentication_invalid_grafana_url():
     assert exc.value.detail == "Organization not found."
 
 
+@pytest.mark.parametrize("grafana_url", ["null;", "foo", ""])
+@pytest.mark.django_db
+@httpretty.activate(verbose=True, allow_net_connect=False)
+def test_grafana_authentication_invalid_grafana_url(grafana_url):
+    token = f"{ServiceAccountToken.GRAFANA_SA_PREFIX}xyz"
+    headers = {
+        "HTTP_AUTHORIZATION": token,
+        "HTTP_X_GRAFANA_URL": grafana_url,  # no org for this URL
+    }
+    request = APIRequestFactory().get("/", **headers)
+
+    # NOTE: no sync requests are made in this case
+    with pytest.raises(exceptions.AuthenticationFailed) as exc:
+        GrafanaServiceAccountAuthentication().authenticate(request)
+    assert exc.value.detail == "Organization not found."
+
+
 @pytest.mark.django_db
 @httpretty.activate(verbose=True, allow_net_connect=False)
 def test_grafana_authentication_permissions_call_fails(make_organization):
@@ -144,22 +161,24 @@ def test_grafana_authentication_permissions_call_fails(make_organization):
 
 
 @pytest.mark.django_db
+@pytest.mark.parametrize("grafana_url", ["http://grafana.test", "http://grafana.test/"])
 @httpretty.activate(verbose=True, allow_net_connect=False)
 def test_grafana_authentication_existing_token(
-    make_organization, make_service_account_for_organization, make_token_for_service_account
+    make_organization, make_service_account_for_organization, make_token_for_service_account, grafana_url
 ):
+    # org grafana_url is consistently stored without trailing slash
     organization = make_organization(grafana_url="http://grafana.test")
     service_account = make_service_account_for_organization(organization)
     token_string = "glsa_the-token"
     token = make_token_for_service_account(service_account, token_string)
 
     headers = {
         "HTTP_AUTHORIZATION": token_string,
-        "HTTP_X_GRAFANA_URL": organization.grafana_url,
+        "HTTP_X_GRAFANA_URL": grafana_url,  # trailing slash is ignored
     }
     request = APIRequestFactory().get("/", **headers)
 
-    # setup Grafana API responses
+    # setup Grafana API responses (use URL without trailing slash)
     setup_service_account_api_mocks(organization.grafana_url, {"some-perm": "value"})
 
     user, auth_token = GrafanaServiceAccountAuthentication().authenticate(request)

diff --git a/helm/oncall/Chart.yaml b/helm/oncall/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: oncall
 description: Developer-friendly incident response with brilliant Slack integration
 type: application
-version: 1.10.2
-appVersion: v1.10.2
+version: 1.13.10
+appVersion: v1.13.10
 dependencies:
   - name: cert-manager
     version: v1.8.0