Skip to content

Commit

Permalink
fix: add custom certs verification logic
Browse files Browse the repository at this point in the history
This fix adds the `validate_certs`, `ca_path` options to the lookup
plugin. Both parameters comply with the `get_url` functionality
of ansible-core and provides additional utility to perform lookup
of dashboards from Grafana instances that are configured with
Self-Signed Certificates.

`validate_certs` option value defaults to `true` - following the
pattern of `url` lookup plugin from the Core.

`ca_path` option value is set explicitly when using the plugin else
defaults to `None`.

closes #346

Signed-off-by: Shantanoo 'Shan' Desai <[email protected]>
  • Loading branch information
shantanoo-desai committed Apr 14, 2024
1 parent a3056e9 commit 3c2c150
Show file tree
Hide file tree
Showing 2 changed files with 49 additions and 4 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
minor_changes:
- lookup - grafana_dashboards - add `validate_certs` and `ca_path` options to plugin for custom certs validation
51 changes: 47 additions & 4 deletions plugins/lookup/grafana_dashboard.py
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,13 @@
description: optional filter for dashboard search.
env:
- name: GRAFANA_DASHBOARD_SEARCH
validate_certs:
description: flag to control SSL certificate validation
type: boolean
default: True
ca_path:
description: string of the file system path to CA cert bundle to use for validation
type: string
"""

EXAMPLES = """
Expand All @@ -51,13 +58,25 @@
- name: get all grafana dashboards
set_fact:
grafana_dashboards: "{{ lookup('grafana_dashboard', 'grafana_url=http://grafana.company.com grafana_api_key=' ~ grafana_api_key) }}"
- name: get project foo grafana dashboards (validate SSL certificates of the instance with custom CA Certificate Bundle)
set_fact:
grafana_dashboards: |
{{
lookup(
'grafana_dashboard',
'grafana_url=https://grafana.company.com grafana_user=admin grafana_password=admin search=foo',
validate_cert=true,
ca_path='/path/to/chain.crt'
)
}}
"""

import json
import os
from ansible.errors import AnsibleError
from ansible.plugins.lookup import LookupBase
from ansible.module_utils.urls import basic_auth_header, open_url
from ansible.module_utils.urls import basic_auth_header, open_url, SSLValidationError
from ansible.module_utils._text import to_native
from ansible.module_utils.six.moves.urllib.error import HTTPError
from ansible.utils.display import Display
Expand Down Expand Up @@ -96,26 +115,35 @@ class GrafanaAPIException(Exception):


class GrafanaAPI:
def __init__(self, **kwargs):
def __init__(self, validate_certs, ca_path, **kwargs):
self.grafana_url = kwargs.get("grafana_url", ANSIBLE_GRAFANA_URL)
self.grafana_api_key = kwargs.get("grafana_api_key", ANSIBLE_GRAFANA_API_KEY)
self.grafana_user = kwargs.get("grafana_user", ANSIBLE_GRAFANA_USER)
self.grafana_password = kwargs.get("grafana_password", ANSIBLE_GRAFANA_PASSWORD)
self.grafana_org_id = kwargs.get("grafana_org_id", ANSIBLE_GRAFANA_ORG_ID)
self.search = kwargs.get("search", ANSIBLE_GRAFANA_DASHBOARD_SEARCH)
self.validate_certs = validate_certs
self.ca_path = ca_path

def grafana_switch_organisation(self, headers):
try:
r = open_url(
"%s/api/user/using/%s" % (self.grafana_url, self.grafana_org_id),
headers=headers,
method="POST",
validate_certs=self.validate_certs,
ca_path=self.ca_path,
)
except HTTPError as e:
raise GrafanaAPIException(
"Unable to switch to organization %s : %s"
% (self.grafana_org_id, to_native(e))
)
except SSLValidationError as e:
raise GrafanaAPIException(
"Unable to validate server's certificate with %s: %s"
% (self.ca_path, to_native(e))
)
if r.getcode() != 200:
raise GrafanaAPIException(
"Unable to switch to organization %s : %s"
Expand Down Expand Up @@ -153,13 +181,23 @@ def grafana_list_dashboards(self):
"%s/api/search?query=%s" % (self.grafana_url, self.search),
headers=headers,
method="GET",
validate_certs=self.validate_certs,
ca_path=self.ca_path,
)
else:
r = open_url(
"%s/api/search/" % self.grafana_url, headers=headers, method="GET"
"%s/api/search/" % self.grafana_url,
headers=headers,
method="GET",
validate_certs=self.validate_certs,
ca_path=self.ca_path,
)
except HTTPError as e:
raise GrafanaAPIException("Unable to search dashboards : %s" % to_native(e))
except SSLValidationError as e:
raise GrafanaAPIException(
"Unable to validate server's certificate with %s: %s" % (self.ca_path, to_native(e))
)
if r.getcode() == 200:
try:
dashboard_list = json.loads(r.read())
Expand All @@ -175,6 +213,7 @@ def grafana_list_dashboards(self):

class LookupModule(LookupBase):
def run(self, terms, variables=None, **kwargs):
self.set_options(var_options=variables, direct=kwargs)
grafana_args = terms[0].split(" ")
grafana_dict = {}
ret = []
Expand All @@ -189,7 +228,11 @@ def run(self, terms, variables=None, **kwargs):
)
grafana_dict[key] = value

grafana = GrafanaAPI(**grafana_dict)
grafana = GrafanaAPI(
**grafana_dict,
validate_certs=self.get_option("validate_certs"),
ca_path=self.get_option("ca_path"),
)

ret = grafana.grafana_list_dashboards()

Expand Down

0 comments on commit 3c2c150

Please sign in to comment.