From c7de005738efbb813118cd9d76cb77324374e23e Mon Sep 17 00:00:00 2001
From: Ian Wienand <iwienand@redhat.com>
Date: Mon, 15 Feb 2021 14:41:44 +1100
Subject: [PATCH] grafana: ensure snapshots api returns a 403

Change-Id: I216528a76307189d8d87bd2fcfeff95c6ceb53cc
---
 playbooks/roles/grafana/templates/grafana.vhost.j2 | 3 +++
 testinfra/test_grafana.py                          | 9 +++++++++
 2 files changed, 12 insertions(+)

diff --git a/playbooks/roles/grafana/templates/grafana.vhost.j2 b/playbooks/roles/grafana/templates/grafana.vhost.j2
index 05df712e2b..afddd47487 100644
--- a/playbooks/roles/grafana/templates/grafana.vhost.j2
+++ b/playbooks/roles/grafana/templates/grafana.vhost.j2
@@ -34,6 +34,9 @@
   SSLCertificateKeyFile /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.key
   SSLCertificateChainFile /etc/letsencrypt-certs/{{ inventory_hostname }}/ca.cer
 
+  RewriteEngine on
+  RewriteRule "^/api/snapshots(.*?)$" "-" [F]
+
   ProxyPass  / http://localhost:3000/ retry=0
   ProxyPassReverse / http://localhost:3000/
 
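Review bot: The new `RewriteRule` carries no comment saying why the snapshots API is denied, and the commit message gives no reason either, so a later cleanup of this vhost could drop it without knowing what it protects. Add a line above it such as `# Deny the Grafana snapshots API at the proxy: <reason / reference>`. The capture group and lazy quantifier are unused, so `RewriteRule "^/api/snapshots" "-" [F]` should match the same requests and reads more plainly. The deny only applies to requests that pass through this vhost, which the surrounding SSL directives suggest is the TLS one; the vhost block itself starts and ends outside the hunk. It is worth confirming that Grafana on port 3000 listens on localhost only and that no other vhost proxies to it without the same rule.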
diff --git a/testinfra/test_grafana.py b/testinfra/test_grafana.py
index 79019d64d7..526b082853 100644
--- a/testinfra/test_grafana.py
+++ b/testinfra/test_grafana.py
@@ -25,3 +25,12 @@ def test_grafana_proxy(host):
                    '--resolve grafana.opendev.org:443:127.0.0.1 '
                    'https://grafana.opendev.org')
     assert '<title>Grafana</title>' in cmd.stdout
+
+def test_grafana_api_denial(host):
+    cmd = host.run('curl -s --insecure '
+                   '--resolve grafana.opendev.org:443:127.0.0.1 '
+                   '-XPOST -H "Accept: application/json" '
+                   '-H "Content-Type: application/json" '
+                   '-d \'{"dashboard": {}}\' '
+                   'https://grafana.opendev.org/api/snapshots')
+    assert '403 Forbidden' in cmd.stdout
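Review bot: The final assertion in `test_grafana_api_denial` matches the wording of the error page body, not the HTTP status, so it passes or fails depending on the text of Apache's default 403 document. Asking curl for the status is sturdier: add `-o /dev/null -w "%{http_code}" ` to the command and assert `cmd.stdout.strip() == '403'`. The test also covers only a POST to the exact path, so a second request to a sub-path (for example `/api/snapshots/x`, a constructed value) would confirm that the prefix match denies those too. PEP 8 also asks for two blank lines before the new top-level `def`.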