grafana: ensure snapshots api returns a 403

Change-Id: I216528a76307189d8d87bd2fcfeff95c6ceb53cc
2021-02-15 14:41:44 +11:00 · 2021-02-15 14:41:44 +11:00 · c7de005738
commit c7de005738
parent 6d0c4b0b3b
2 changed files with 12 additions and 0 deletions
--- a/playbooks/roles/grafana/templates/grafana.vhost.j2
+++ b/playbooks/roles/grafana/templates/grafana.vhost.j2
@ -34,6 +34,9 @@
  SSLCertificateKeyFile /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.key
  SSLCertificateChainFile /etc/letsencrypt-certs/{{ inventory_hostname }}/ca.cer

+  RewriteEngine on
+  RewriteRule "^/api/snapshots(.*?)$" "-" [F]
+
  ProxyPass  / http://localhost:3000/ retry=0
  ProxyPassReverse / http://localhost:3000/

--- a/testinfra/test_grafana.py
+++ b/testinfra/test_grafana.py
@ -25,3 +25,12 @@ def test_grafana_proxy(host):
                   '--resolve grafana.opendev.org:443:127.0.0.1 '
                   'https://grafana.opendev.org')
    assert '<title>Grafana</title>' in cmd.stdout
+
+def test_grafana_api_denial(host):
+    cmd = host.run('curl -s --insecure '
+                   '--resolve grafana.opendev.org:443:127.0.0.1 '
+                   '-XPOST -H "Accept: application/json" '
+                   '-H "Content-Type: application/json" '
+                   '-d \'{"dashboard": {}}\' '
+                   'https://grafana.opendev.org/api/snapshots')
+    assert '403 Forbidden' in cmd.stdout