grafana
diff --git a/‎go.mod‎
Lines changed: 2 additions & 1 deletion b/‎go.mod‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎go.sum‎
Lines changed: 4 additions & 3 deletions b/‎go.sum‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎internal/prober/interpolation/interpolation.go‎
Lines changed: 235 additions & 0 deletions b/‎internal/prober/interpolation/interpolation.go‎
Lines changed: 235 additions & 0 deletions
@@ -58,12 +58,13 @@ require (
 	github.com/google/cel-go v0.25.0 // indirect
 	github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
-	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pbnjay/memory v0.0.0-20210728143218-7b4eea64cf58 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
+	github.com/rogpeppe/go-internal v1.13.1 // indirect
 	github.com/stoewer/go-strcase v1.2.0 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
 	golang.org/x/mod v0.27.0 // indirect
 
@@ -103,8 +103,9 @@ github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/mattn/go-colorable v0.1.0/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
-github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
+github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
+github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
 github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
@@ -150,8 +151,8 @@ github.com/prometheus/sigv4 v0.1.2 h1:R7570f8AoM5YnTUPFm3mjZH5q2k4D+I/phCWvZ4PXG
 github.com/prometheus/sigv4 v0.1.2/go.mod h1:GF9fwrvLgkQwDdQ5BXeV9XUSCH/IPNqzvAoaohfjqMU=
 github.com/quasilyte/go-ruleguard/dsl v0.3.22 h1:wd8zkOhSNr+I+8Qeciml08ivDt1pSXe60+5DqOpCjPE=
 github.com/quasilyte/go-ruleguard/dsl v0.3.22/go.mod h1:KeCP03KrjuSO0H1kTuZQCWlQPulDV6YMIXmpQss17rU=
-github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
-github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
+github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
 github.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0=
 github.com/rs/zerolog v1.34.0 h1:k43nTLIwcTVQAncfCw4KZ2VY6ukYoZaBPNOE8txlOeY=
 github.com/rs/zerolog v1.34.0/go.mod h1:bJsvje4Z08ROH4Nhs5iH600c3IkWhwp44iRc54W6wYQ=
 
@@ -0,0 +1,235 @@
+package interpolation
+
+import (
+	"context"
+	"fmt"
+	"regexp"
+	"strings"
+
+	"github.com/grafana/synthetic-monitoring-agent/internal/model"
+	"github.com/rs/zerolog"
+)
+
+// VariableRegex matches ${variable_name} patterns
+var VariableRegex = regexp.MustCompile(`\$\{([a-zA-Z_][a-zA-Z0-9_]*)\}`)
+
+// SecretRegex matches ${secrets.secret_name} patterns
+var SecretRegex = regexp.MustCompile(`\$\{secrets\.([^}]*)\}`)
+
+// VariableProvider defines the interface for resolving variables
+type VariableProvider interface {
+	GetVariable(name string) (string, error)
+}
+
+// SecretProvider defines the interface for resolving secrets
+type SecretProvider interface {
+	GetSecretValue(ctx context.Context, tenantID model.GlobalID, secretKey string) (string, error)
+}
+
+// Resolver handles string interpolation for both variables and secrets
+type Resolver struct {
+	variableProvider VariableProvider
+	secretProvider   SecretProvider
+	tenantID         model.GlobalID
+	logger           zerolog.Logger
+	secretEnabled    bool
+}
+
+// NewResolver creates a new interpolation resolver
+func NewResolver(variableProvider VariableProvider, secretProvider SecretProvider, tenantID model.GlobalID, logger zerolog.Logger, secretEnabled bool) *Resolver {
+	return &Resolver{
+		variableProvider: variableProvider,
+		secretProvider:   secretProvider,
+		tenantID:         tenantID,
+		logger:           logger,
+		secretEnabled:    secretEnabled,
+	}
+}
+
+// Resolve performs string interpolation, replacing both variables and secrets
+func (r *Resolver) Resolve(ctx context.Context, value string) (string, error) {
+	if value == "" {
+		return "", nil
+	}
+
+	// First resolve secrets if enabled
+	if r.secretEnabled {
+		resolvedValue, err := r.resolveSecrets(ctx, value)
+		if err != nil {
+			return "", err
+		}
+		value = resolvedValue
+	}
+
+	// Then resolve variables
+	if r.variableProvider != nil {
+		resolvedValue, err := r.resolveVariables(value)
+		if err != nil {
+			return "", err
+		}
+		value = resolvedValue
+	}
+
+	return value, nil
+}
+
+// resolveSecrets resolves ${secrets.secret_name} patterns
+func (r *Resolver) resolveSecrets(ctx context.Context, value string) (string, error) {
+	matches := SecretRegex.FindAllStringSubmatch(value, -1)
+	if len(matches) == 0 {
+		return value, nil
+	}
+
+	result := value
+	for _, match := range matches {
+		if len(match) < 2 {
+			continue
+		}
+
+		secretName := match[1]
+		placeholder := match[0] // ${secrets.secret_name}
+
+		// Validate secret name follows Kubernetes DNS subdomain convention
+		if !isValidSecretName(secretName) {
+			return "", fmt.Errorf("invalid secret name '%s': must follow Kubernetes DNS subdomain naming convention", secretName)
+		}
+
+		r.logger.Debug().Str("secretName", secretName).Int64("tenantId", int64(r.tenantID)).Msg("resolving secret from GSM")
+
+		secretValue, err := r.secretProvider.GetSecretValue(ctx, r.tenantID, secretName)
+		if err != nil {
+			return "", fmt.Errorf("failed to get secret '%s' from GSM: %w", secretName, err)
+		}
+
+		// Replace the placeholder with the actual secret value
+		result = strings.ReplaceAll(result, placeholder, secretValue)
+	}
+
+	return result, nil
+}
+
+// resolveVariables resolves ${variable_name} patterns
+func (r *Resolver) resolveVariables(value string) (string, error) {
+	// If no variable provider is set, return the value as-is
+	if r.variableProvider == nil {
+		return value, nil
+	}
+
+	matches := VariableRegex.FindAllStringSubmatch(value, -1)
+	if len(matches) == 0 {
+		return value, nil
+	}
+
+	result := value
+	for _, match := range matches {
+		if len(match) < 2 {
+			continue
+		}
+
+		varName := match[1]
+		placeholder := match[0] // ${variable_name}
+
+		varValue, err := r.variableProvider.GetVariable(varName)
+		if err != nil {
+			return "", fmt.Errorf("failed to get variable '%s': %w", varName, err)
+		}
+
+		// Replace the placeholder with the actual variable value
+		result = strings.ReplaceAll(result, placeholder, varValue)
+	}
+
+	return result, nil
+}
+
+// isValidSecretName validates that a secret name follows Kubernetes DNS subdomain naming convention.
+// See: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-subdomain-names
+func isValidSecretName(name string) bool {
+	if len(name) == 0 || len(name) > 253 {
+		return false
+	}
+
+	// Must consist of lowercase alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character
+	if !regexp.MustCompile(`^[a-z0-9]([a-z0-9\-\.]*[a-z0-9])?$`).MatchString(name) {
+		return false
+	}
+
+	return true
+}
+
+// ToJavaScript converts a string with variable interpolation to JavaScript code
+// This is used by multihttp to generate JavaScript that references variables
+func ToJavaScript(value string) string {
+	if len(value) == 0 {
+		return `''`
+	}
+
+	var s strings.Builder
+	buf := []byte(value)
+	locs := VariableRegex.FindAllSubmatchIndex(buf, -1)
+
+	p := 0
+	for _, loc := range locs {
+		if len(loc) < 4 { // put the bounds checker at ease
+			panic("unexpected result while building JavaScript")
+		}
+
+		if s.Len() > 0 {
+			s.WriteRune('+')
+		}
+
+		if pre := buf[p:loc[0]]; len(pre) > 0 {
+			s.WriteRune('\'')
+			escapeJavaScript(&s, pre)
+			s.WriteRune('\'')
+			s.WriteRune('+')
+		}
+
+		s.WriteString(`vars['`)
+		// Because of the capture in the regular expression, the result
+		// has two indices that represent the matched substring, and
+		// two more indices that represent the capture group.
+		s.Write(buf[loc[2]:loc[3]])
+		s.WriteString(`']`)
+
+		p = loc[1]
+	}
+
+	if len(buf[p:]) > 0 {
+		if s.Len() > 0 {
+			s.WriteRune('+')
+		}
+
+		s.WriteRune('\'')
+		escapeJavaScript(&s, buf[p:])
+		s.WriteRune('\'')
+	}
+
+	return s.String()
+}
+
+// escapeJavaScript escapes a byte slice for use in JavaScript strings
+func escapeJavaScript(s *strings.Builder, buf []byte) {
+	for _, b := range buf {
+		switch b {
+		case '\'':
+			s.WriteString(`\'`)
+		case '"':
+			s.WriteString(`\"`)
+		case '\\':
+			s.WriteString(`\\`)
+		case '\n':
+			s.WriteString(`\n`)
+		case '\r':
+			s.WriteString(`\r`)
+		case '\t':
+			s.WriteString(`\t`)
+		default:
+			if b < 32 || b > 126 {
+				// Escape non-printable characters
+				fmt.Fprintf(s, `\x%02x`, b)
+			} else {
+				s.WriteByte(b)
+			}
+		}
+	}
+}