Merge pull request #4985 from grafana/dev

v1.9.22

Author: mderynck

.github/actions/install-frontend-dependencies/action.yml

@@ -1,18 +1,33 @@
 name: Install frontend dependencies
 description: Setup node/pnpm + install frontend dependencies
+inputs:
+  oncall-directory:
+    description: "Relative path to oncall directory"
+    required: false
+    default: "."
 runs:
   using: composite
   steps:
     - name: Install pnpm
       uses: pnpm/action-setup@v4
       with:
         version: 9.1.4
+    - name: Determine grafana-plugin directory location
+      id: grafana-plugin-directory
+      shell: bash
+      run: echo "grafana-plugin-directory=${{ inputs.oncall-directory }}/grafana-plugin" >> $GITHUB_OUTPUT
+    - name: Determine pnpm-lock.yaml location
+      id: pnpm-lock-location
+      shell: bash
+      # yamllint disable rule:line-length
+      run: echo "pnpm-lock-location=${{ steps.grafana-plugin-directory.outputs.grafana-plugin-directory }}/pnpm-lock.yaml" >> $GITHUB_OUTPUT
+      # yamllint enable rule:line-length
     - uses: actions/setup-node@v4
       with:
         node-version: 20.15.1
         cache: pnpm
-        cache-dependency-path: grafana-plugin/pnpm-lock.yaml
+        cache-dependency-path: ${{ steps.pnpm-lock-location.outputs.pnpm-lock-location }}
     - name: Install frontend dependencies
       shell: bash
-      working-directory: grafana-plugin
+      working-directory: ${{ steps.grafana-plugin-directory.outputs.grafana-plugin-directory }}
       run: pnpm install --frozen-lockfile --prefer-offline

docs/sources/configure/jinja2-templating/advanced-templates/index.md

@@ -95,6 +95,8 @@ Grafana OnCall enhances Jinja with additional functions:
 - `regex_replace`: Performs a regex find and replace
 - `regex_match`: Performs a regex match, returns `True` or `False`
   - Usage example: `{{ payload.ruleName | regex_match(".*") }}`
+- `regex_search`: Performs a regex search, returns `True` or `False`
+  - Usage example: `{{ payload.message | regex_search("Severity: (High|Critical)") }}`
 - `b64decode`: Performs a base64 string decode
   - Usage example: `{{ payload.data | b64decode }}`
 - `parse_json`:Parses a JSON string to an object

engine/apps/email/tasks.py

@@ -21,7 +21,7 @@ def get_from_email(user):
         return live_settings.EMAIL_FROM_ADDRESS
 
     if settings.LICENSE == settings.CLOUD_LICENSE_NAME:
-        return "oncall@{}.grafana.net".format(user.organization.stack_slug)
+        return "oncall@{}.{}".format(user.organization.stack_slug, settings.EMAIL_FROM_DOMAIN)
 
     return live_settings.EMAIL_HOST_USER
 

engine/common/jinja_templater/filters.py

@@ -1,11 +1,13 @@
 import base64
 import json
-import re
 from datetime import datetime
 
+import regex
 from django.utils.dateparse import parse_datetime
 from pytz import timezone
 
+REGEX_TIMEOUT = 2
+
 
 def datetimeparse(value, format="%H:%M / %d-%m-%Y"):
     try:
@@ -52,22 +54,22 @@ def json_dumps(value):
 
 def regex_replace(value, find, replace):
     try:
-        return re.sub(find, replace, value)
-    except (ValueError, AttributeError, TypeError):
+        return regex.sub(find, replace, value, timeout=REGEX_TIMEOUT)
+    except (ValueError, AttributeError, TypeError, TimeoutError):
         return None
 
 
 def regex_match(pattern, value):
     try:
-        return bool(re.match(value, pattern))
-    except (ValueError, AttributeError, TypeError):
+        return bool(regex.match(value, pattern, timeout=REGEX_TIMEOUT))
+    except (ValueError, AttributeError, TypeError, TimeoutError):
         return None
 
 
 def regex_search(pattern, value):
     try:
-        return bool(re.search(value, pattern))
-    except (ValueError, AttributeError, TypeError):
+        return bool(regex.search(value, pattern, timeout=REGEX_TIMEOUT))
+    except (ValueError, AttributeError, TypeError, TimeoutError):
         return None
 
 

engine/common/tests/test_apply_jinja_template.py

@@ -15,6 +15,38 @@
     templated_value_is_truthy,
 )
 
+EMAIL_SAMPLE_PAYLOAD = {
+    "subject": "[Reminder] Review GKE getServerConfig API permission changes",
+    "message": "Hello Google Kubernetes Customer,\r\n"
+    "\r\n"
+    "We’re writing to remind you that starting October 22, 2024, "
+    "the  \r\n"
+    "getServerConfig API for Google Kubernetes Engine (GKE) will "
+    "enforce  \r\n"
+    "Identity and Access Management (IAM) container.clusters.list "
+    "checks. This  \r\n"
+    "change follows a series of security improvements as IAM  \r\n"
+    "container.clusters.list permissions are being enforced across "
+    "the  \r\n"
+    "getServerConfig API.\r\n"
+    "\r\n"
+    "We’ve provided additional information below to guide you through "
+    "this  \r\n"
+    "change.\r\n"
+    "\r\n"
+    "What you need to know\r\n"
+    "\r\n"
+    "The current implementation doesn’t apply a specific permissions "
+    "check via  \r\n"
+    "getServerConfig API. After this change goes into effect for the "
+    "Google  \r\n"
+    "Kubernetes Engine API getServerConfig, only authorized users with "
+    "the  \r\n"
+    "container.clusters.list permissions will be able to call the  \r\n"
+    "GetServerConfig.\r\n",
+    "sender": "[email protected]",
+}
+
 
 def test_apply_jinja_template():
     payload = {"name": "test"}
@@ -127,25 +159,49 @@ def test_apply_jinja_template_json_dumps():
     assert result == expected
 
 
+@pytest.mark.filterwarnings("ignore:::jinja2.*")  # ignore regex escape sequence warning
 def test_apply_jinja_template_regex_match():
-    payload = {"name": "test"}
+    payload = {
+        "name": "test",
+        "message": json.dumps(EMAIL_SAMPLE_PAYLOAD),
+    }
 
     assert apply_jinja_template("{{ payload.name | regex_match('.*') }}", payload) == "True"
     assert apply_jinja_template("{{ payload.name | regex_match('tes') }}", payload) == "True"
     assert apply_jinja_template("{{ payload.name | regex_match('test1') }}", payload) == "False"
+    # check for timeouts
+    with patch("common.jinja_templater.filters.REGEX_TIMEOUT", 1):
+        assert (
+            apply_jinja_template(
+                "{{ payload.message | regex_match('(.|\\s)+Severity(.|\\s){2}High(.|\\s)+') }}", payload
+            )
+            == "False"
+        )
 
     # Check that exception is raised when regex is invalid
     with pytest.raises(JinjaTemplateError):
         apply_jinja_template("{{ payload.name | regex_match('*') }}", payload)
 
 
+@pytest.mark.filterwarnings("ignore:::jinja2.*")  # ignore regex escape sequence warning
 def test_apply_jinja_template_regex_search():
-    payload = {"name": "test"}
+    payload = {
+        "name": "test",
+        "message": json.dumps(EMAIL_SAMPLE_PAYLOAD),
+    }
 
     assert apply_jinja_template("{{ payload.name | regex_search('.*') }}", payload) == "True"
     assert apply_jinja_template("{{ payload.name | regex_search('tes') }}", payload) == "True"
     assert apply_jinja_template("{{ payload.name | regex_search('est') }}", payload) == "True"
     assert apply_jinja_template("{{ payload.name | regex_search('test1') }}", payload) == "False"
+    # check for timeouts
+    with patch("common.jinja_templater.filters.REGEX_TIMEOUT", 1):
+        assert (
+            apply_jinja_template(
+                "{{ payload.message | regex_search('(.|\\s)+Severity(.|\\s){2}High(.|\\s)+') }}", payload
+            )
+            == "False"
+        )
 
     # Check that exception is raised when regex is invalid
     with pytest.raises(JinjaTemplateError):

engine/pyproject.toml

@@ -71,6 +71,7 @@ module = [
     "polymorphic.*",
     "pyroscope.*",
     "ratelimit.*",
+    "regex.*",
     "recurring_ical_events.*",
     "rest_polymorphic.*",
     "slackclient.*",

engine/requirements.in

@@ -1,7 +1,7 @@
 babel==2.12.1
 beautifulsoup4==4.12.2
 celery[redis]==5.3.1
-cryptography==42.0.8
+cryptography==43.0.1
 django==4.2.15
 django-add-default-value==0.10.0
 django-amazon-ses==4.0.1
@@ -52,7 +52,7 @@ PyMySQL==1.1.1
 python-telegram-bot==13.13
 recurring-ical-events==2.1.0
 redis==5.0.1
-regex==2021.11.2
+regex==2024.7.24
 requests==2.32.3
 slack-export-viewer==1.1.4
 slack_sdk==3.21.3