Added a test to ensure that when a regex itemTagFilter does not match
any tags, the GetItems function returns an empty list instead of all
items. This addresses a bug where an empty tag filter would lead to
unintended behavior by removing the filter silently.
Fixes #2247
## Summary
Implements configurable query execution timeout controls to prevent
poorly optimized or excessive queries from consuming excessive server
resources, causing performance degradation, or crashing the Zabbix
server.
Fixes: https://github.com/grafana/oss-big-tent-squad/issues/127
## Problem
Previously, the plugin only had an HTTP connection timeout (`timeout`)
that controlled individual API request timeouts. However, a complete
query execution could involve multiple API calls and run indefinitely if
not properly controlled, potentially causing resource exhaustion.
## Solution
Added a new `queryTimeout` setting that enforces a maximum execution
time for entire database queries initiated by the plugin. Queries
exceeding this limit are automatically terminated with proper error
handling and logging.
## Testing
1. Configure a datasource with `queryTimeout` set to a low value (e.g.,
5 seconds)
2. Execute a query that would normally take longer than the timeout
3. Verify that:
   - Query is terminated after the timeout period
   - Error message indicates timeout occurred
   - Logs contain timeout warning with query details
   - Other queries in the same request continue to execute
## Notes
- `queryTimeout` is separate from `timeout` (HTTP connection timeout)
- `queryTimeout` applies to the entire query execution, which may
involve multiple API calls
- Default value of 60 seconds ensures reasonable protection while
allowing normal queries to complete
- Timeout errors are logged with query refId, queryType, timeout
duration, and datasourceId for troubleshooting
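The difference between a per-call `timeout` and a whole-query `queryTimeout`, as an added sketch that is not the plugin's own code. The `query` type, `runQuery` and `runAll` are hypothetical names, and the API calls are simulated with timers: each call is fast on its own, but the sum exceeds the query deadline.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// query is a hypothetical stand-in for one panel query. Steps models the
// Zabbix API calls it makes; each value is how long that call takes.
type query struct {
	RefID string
	Steps []time.Duration
}

// runQuery runs all steps under ONE deadline that covers the whole query,
// which is the role the PR gives queryTimeout.
func runQuery(ctx context.Context, q query, queryTimeout time.Duration) error {
	ctx, cancel := context.WithTimeout(ctx, queryTimeout)
	defer cancel()
	for i, d := range q.Steps {
		select {
		case <-time.After(d): // simulated API call returned in time
		case <-ctx.Done(): // deadline hit (or the parent request was cancelled)
			return fmt.Errorf("query %s: stopped at call %d of %d (queryTimeout %s): %w",
				q.RefID, i+1, len(q.Steps), queryTimeout, ctx.Err())
		}
	}
	return nil
}

// runAll derives a fresh deadline per query from the request context, so a
// timeout in one query leaves the others in the same request unaffected.
func runAll(ctx context.Context, qs []query, queryTimeout time.Duration) map[string]error {
	results := make(map[string]error, len(qs))
	for _, q := range qs {
		results[q.RefID] = runQuery(ctx, q, queryTimeout)
	}
	return results
}

func main() {
	step := 100 * time.Millisecond // constructed sample: each call is fast on its own
	qs := []query{{"A", []time.Duration{step, step, step}}, {"B", []time.Duration{step / 10}}}
	for id, err := range runAll(context.Background(), qs, 250*time.Millisecond) {
		fmt.Println(id, err)
	}
}
```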
This PR contains the following updates:
| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) | [`v0.46.0` → `v0.48.0`](https://cs.opensource.google/go/x/net/+/refs/tags/v0.46.0...refs/tags/v0.48.0) | | |

---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---------
Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
Co-authored-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
Co-authored-by: Jocelyn Collado-Kuri <jcolladokuri@icloud.com>
## Summary
When dealing with multiple hosts, it can be hard for customers to filter
through and figure out which host to query metric data from. This PR
aims to make this easier by adding support for host tags so that there
is another layer of filtering / grouping applied for hosts.
## Detailed explanation
- Adds new UI components to allow adding one or more host tag filters,
and a switch to choose between `AND/OR` and `OR` operators when using
more than one filter following Zabbix's UI:
https://github.com/user-attachments/assets/c971f5eb-7e93-4238-bd6b-902cc657c014
https://github.com/user-attachments/assets/5f8996de-684e-4ffa-b98e-8e205c4fc1df
- Modifies the existing `getHosts` function to make a call to the
backend with a few additional parameters to `extend` (essentially
extract) the host tags for a given selected group. No backend changes
were required for this.
## Why
To make it easier for customers to query metric data when dealing with
multiple hosts.
## How to test
- Go to explore or a dashboard and create a Zabbix query where the query
type is `Metrics`
- The easiest way to test is by selecting `/.*/` for Groups and checking
the returned `Hosts`; they should all be there
- Add a host tag filter and change the keys and operators, as well as
switching from `AND/OR` to `OR`; you should see how the values returned
for `Host` change
## Future work
Adding variable support for host tags once this is completed.
Fixes:
https://github.com/orgs/grafana/projects/457/views/40?pane=issue&itemId=3609900134&issue=grafana%7Coss-big-tent-squad%7C126
and https://github.com/grafana/grafana-zabbix/issues/927
---------
Co-authored-by: ismail simsek <ismailsimsek09@gmail.com>
## Summary
Implements query guardrails in the backend to prevent execution of
expensive or malformed queries that could impact customer environments.
Part of https://github.com/grafana/oss-big-tent-squad/issues/127
## Changes
### New guardrails added:
1. **Item ID validation** (`queryItemIdData`)
   - Validates that item IDs are non-empty
   - Validates that item IDs contain only numeric values
2. **Time range validation** (`QueryData`)
   - Validates that `From` timestamp is before `To` timestamp
3. **API method allowlist** (`ZabbixAPIHandler`)
   - Only allows Zabbix API methods defined in the frontend type
     `zabbixMethodName`
   - Blocks any write/delete/update operations not in the allowlist
### New files:
- `pkg/datasource/guardrails.go` - Validation functions and error
definitions
- `pkg/datasource/guardrails_test.go` - Unit tests for all validation
functions
### Modified files:
- `pkg/datasource/datasource.go` - Added time range validation
- `pkg/datasource/zabbix.go` - Added item ID validation
- `pkg/datasource/resource_handler.go` - Added API method validation
## Reasoning
- Allowed functions might be unnecessary as we've already prevented using
those in
[types.ts](https://github.com/grafana/grafana-zabbix/blob/main/src/datasource/zabbix/types.ts#L1-L23)
but it's nice to be cautious.
- itemid and time validation is just for sanity.
- Time range validation will be necessary in the future to warn users
against running expensive queries.
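Two of the guardrails listed above (item ID validation and the API method allowlist), as an added sketch that is not the contents of `pkg/datasource/guardrails.go`. The function names, error values, the comma-separated ID format and the four-method allowlist are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var (
	errEmptyItemIDs  = errors.New("item IDs are empty")
	errBadItemID     = errors.New("item ID is not numeric")
	errMethodBlocked = errors.New("Zabbix API method is not in the allowlist")
)

// allowedMethods is an illustrative subset of read-only Zabbix API methods.
// The plugin's real list is the one its zabbixMethodName type defines.
var allowedMethods = map[string]bool{
	"host.get": true, "item.get": true, "history.get": true, "trend.get": true,
}

// validateItemIDs takes a comma-separated ID list (format assumed here).
// Only ASCII digits pass, so "+1", "-1", "0x10" and "1e3" are all rejected.
func validateItemIDs(raw string) error {
	if strings.TrimSpace(raw) == "" {
		return errEmptyItemIDs
	}
	for _, id := range strings.Split(raw, ",") {
		id = strings.TrimSpace(id)
		if id == "" || strings.Trim(id, "0123456789") != "" {
			return fmt.Errorf("%w: %q", errBadItemID, id)
		}
	}
	return nil
}

// validateMethod is exact-match and default-deny: anything unlisted is blocked.
func validateMethod(method string) error {
	if !allowedMethods[method] {
		return fmt.Errorf("%w: %q", errMethodBlocked, method)
	}
	return nil
}

func main() {
	// Constructed inputs: one valid call and one that the guardrails reject.
	fmt.Println(validateItemIDs("10084, 10085"), validateMethod("item.get"))
	fmt.Println(validateItemIDs("10084,-1"), validateMethod("host.delete"))
}
```

Matching the method name exactly, with no case folding or trimming, keeps the allowlist check from disagreeing with whatever the Zabbix API itself would accept.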
Previously we were only fetching the version when the version was `0`.
This generally worked, but posed some problems when customers were
updating their Zabbix version, specifically when upgrading from a
version < `7.2.x` to `7.2.x` or above.
Before `7.2.x`, an `auth` parameter was still supported when issuing a
Zabbix request; this was deprecated in `6.4.x` and later removed in
`7.2.x`. When a user was on a version < `7.2.x` all the outgoing
requests would add this `auth` parameter. When upgrading to `7.2.x` this
was a problem, because the version was not `0`, hence, not requiring
getting the version again, but also because we were still building the
request considering an older version and adding the `auth` parameter,
when this was no longer supported.
This PR removes the check for `version == 0`, though this now means that
every request that goes out will check the version beforehand. I think
this will give us a more accurate representation of the version that
needs to be used.
fixes
https://github.com/orgs/grafana/projects/457/views/40?pane=issue&itemId=3683181283&issue=grafana%7Coss-big-tent-squad%7C135
This PR moves the health check to backend only, leaving in the frontend
the functionality to test the dbconnector datasource.
Leaving the `dbconnector.testDataSource` should be fine since the
datasource types we allow for db connection with Zabbix already are
backend datasources, and so their health requests would go through the
backend.
Verified:
Clicking test and seeing a `health` request go out.
IMPORTANT: While testing this in the UI, I found a bug with the config
editor - whenever a change is made in the UI and tested, the changes
don't take effect (i.e. disabling trends keeps `trends` set to `true`,
enabling db connection keeps `dbConnectionEnabled` set to `false` and so
on.). Created a separate
[issue](https://github.com/orgs/grafana/projects/457/views/40?pane=issue&itemId=3627315751&issue=grafana%7Coss-big-tent-squad%7C132)
to fix this
Fixes https://github.com/grafana/oss-big-tent-squad/issues/124
Fixes https://github.com/grafana/grafana-zabbix/issues/2004
- Remove isPathologicalRegex function and replace with MatchTimeout
- Simplify parseFilter by relying on runtime timeout protection
- Add comprehensive timeout test for pathological regex patterns
- Set 5-second timeout for all compiled regex operations
In this PR I removed the regex pattern length restriction because from
multi value variables this length can be easily reached, also if the
regex is going to be too long it will be caught in the timeout.
Fixes #2086
Fixes #1986
Fixes #1994
- Updated .gitignore to include SSL certificate files.
- Introduced new GitHub Actions workflows for testing compatibility with
Zabbix versions 5.0, 6.0, 7.0, and 7.2.
- Added integration tests for Zabbix API for each version, ensuring
proper authentication and API version handling.
- Updated Docker Compose files to support SSL configuration for Zabbix
web services.
- Removed deprecated default Docker Compose and bootstrap files.
- Removed devenv for version 6.2.