diff --git a/pkg/api/admin_encryption.go b/pkg/api/admin_encryption.go
index f5e5d80d8f5..579fa1b3dd4 100644
--- a/pkg/api/admin_encryption.go
+++ b/pkg/api/admin_encryption.go
@@ -1,6 +1,7 @@
 package api
 
 import (
+	"fmt"
 	"net/http"
 
 	"github.com/grafana/grafana/pkg/api/response"
@@ -52,7 +53,7 @@ func (hs *HTTPServer) AdminRollbackSecrets(c *models.ReqContext) response.Respon
 
 // To migrate to the plugin, it must be installed and configured
 // so as not to lose access to migrated secrets
-func (hs *HTTPServer) MigrateSecretsToPlugin(c *models.ReqContext) response.Response {
+func (hs *HTTPServer) AdminMigrateSecretsToPlugin(c *models.ReqContext) response.Response {
 	if skv.EvaluateRemoteSecretsPlugin(hs.secretsPluginManager, hs.Cfg) != nil {
 		hs.log.Warn("Received secrets plugin migration request while plugin is not available")
 		return response.Respond(http.StatusBadRequest, "Secrets plugin is not available")
@@ -67,7 +68,7 @@ func (hs *HTTPServer) MigrateSecretsToPlugin(c *models.ReqContext) response.Resp
 
 // To migrate from the plugin, it must be installed only
 // as it is possible the user disabled it and then wants to migrate
-func (hs *HTTPServer) MigrateSecretsFromPlugin(c *models.ReqContext) response.Response {
+func (hs *HTTPServer) AdminMigrateSecretsFromPlugin(c *models.ReqContext) response.Response {
 	if hs.secretsPluginManager.SecretsManager() == nil {
 		hs.log.Warn("Received secrets plugin migration request while plugin is not installed")
 		return response.Respond(http.StatusBadRequest, "Secrets plugin is not installed")
@@ -79,3 +80,21 @@ func (hs *HTTPServer) MigrateSecretsFromPlugin(c *models.ReqContext) response.Re
 	}
 	return response.Respond(http.StatusOK, "Secret migration from plugin triggered successfully")
 }
+
+func (hs *HTTPServer) AdminDeleteAllSecretsManagerPluginSecrets(c *models.ReqContext) response.Response {
+	if hs.secretsPluginManager.SecretsManager() == nil {
+		hs.log.Warn("Received secrets plugin deletion request while plugin is not installed")
+		return response.Respond(http.StatusBadRequest, "Secrets plugin is not installed")
+	}
+	items, err := hs.secretsStore.GetAll(c.Req.Context())
+	if err != nil {
+		return response.Respond(http.StatusInternalServerError, "an error occurred while retrieving secrets")
+	}
+	for _, item := range items {
+		err := hs.secretsStore.Del(c.Req.Context(), *item.OrgId, *item.Namespace, *item.Type)
+		if err != nil {
+			return response.Respond(http.StatusInternalServerError, fmt.Sprintf("error deleting key with org=%v namespace=%v type=%v. error=%v", *item.OrgId, *item.Namespace, *item.Type, err.Error()))
+		}
+	}
+	return response.Respond(http.StatusOK, fmt.Sprintf("All %d Secrets Manager plugin secrets deleted", len(items)))
+}
diff --git a/pkg/api/api.go b/pkg/api/api.go
index 5f060c89fbd..9b1f92e4146 100644
--- a/pkg/api/api.go
+++ b/pkg/api/api.go
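Review bot: The per-item failure path in AdminDeleteAllSecretsManagerPluginSecrets returns the raw `err.Error()` in the HTTP body while the GetAll failure returns a generic message, and neither failure is logged, so a deletion that stops part-way leaves no server-side record of which item stopped it. Prefer logging the details and keeping the response generic, e.g. `if err := hs.secretsStore.Del(c.Req.Context(), *item.OrgId, *item.Namespace, *item.Type); err != nil {` / `hs.log.Error("Failed to delete secrets plugin secret", "org", *item.OrgId, "namespace", *item.Namespace, "type", *item.Type, "err", err)` / `return response.Respond(http.StatusInternalServerError, "an error occurred while deleting secrets")`, which also removes the `err :=` shadowing of the outer `err` inside the loop. The loop dereferences `item.OrgId`, `item.Namespace` and `item.Type` unguarded; if GetAll can return an item with any of these nil the handler panics, so a nil check (or a non-pointer item type) is worth confirming against the store's definition, which is not visible here. Because deletions already performed are not rolled back when a later Del fails, a counter incremented in the loop would let the error response report how many items were removed before the failure. The new exported method also lacks the doc comment its siblings carry; something like `// AdminDeleteAllSecretsManagerPluginSecrets deletes every item returned by hs.secretsStore.GetAll. It requires the secrets manager plugin to be installed, is not atomic and cannot be rolled back.` would document the contract.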
@@ -601,8 +601,9 @@ func (hs *HTTPServer) registerRoutes() {
 		adminRoute.Post("/encryption/reencrypt-data-keys", reqGrafanaAdmin, routing.Wrap(hs.AdminReEncryptEncryptionKeys))
 		adminRoute.Post("/encryption/reencrypt-secrets", reqGrafanaAdmin, routing.Wrap(hs.AdminReEncryptSecrets))
 		adminRoute.Post("/encryption/rollback-secrets", reqGrafanaAdmin, routing.Wrap(hs.AdminRollbackSecrets))
-		adminRoute.Post("/encryption/migrate-secrets/to-plugin", reqGrafanaAdmin, routing.Wrap(hs.MigrateSecretsToPlugin))
-		adminRoute.Post("/encryption/migrate-secrets/from-plugin", reqGrafanaAdmin, routing.Wrap(hs.MigrateSecretsFromPlugin))
+		adminRoute.Post("/encryption/migrate-secrets/to-plugin", reqGrafanaAdmin, routing.Wrap(hs.AdminMigrateSecretsToPlugin))
+		adminRoute.Post("/encryption/migrate-secrets/from-plugin", reqGrafanaAdmin, routing.Wrap(hs.AdminMigrateSecretsFromPlugin))
+		adminRoute.Post("/encryption/delete-secretsmanagerplugin-secrets", reqGrafanaAdmin, routing.Wrap(hs.AdminDeleteAllSecretsManagerPluginSecrets))
 		adminRoute.Post("/provisioning/dashboards/reload", authorize(reqGrafanaAdmin, ac.EvalPermission(ActionProvisioningReload, ScopeProvisionersDashboards)), routing.Wrap(hs.AdminProvisioningReloadDashboards))
 		adminRoute.Post("/provisioning/plugins/reload", authorize(reqGrafanaAdmin, ac.EvalPermission(ActionProvisioningReload, ScopeProvisionersPlugins)), routing.Wrap(hs.AdminProvisioningReloadPlugins))
diff --git a/pkg/api/http_server.go b/pkg/api/http_server.go
index 9cdd3db3dce..82e8013fe6d 100644
--- a/pkg/api/http_server.go
+++ b/pkg/api/http_server.go
@@ -41,6 +41,7 @@ import (
 	"github.com/grafana/grafana/pkg/services/cleanup"
 	"github.com/grafana/grafana/pkg/services/comments"
 	"github.com/grafana/grafana/pkg/services/contexthandler"
+	"github.com/grafana/grafana/pkg/services/correlations"
 	"github.com/grafana/grafana/pkg/services/dashboards"
 	"github.com/grafana/grafana/pkg/services/dashboardsnapshots"
 	dashver "github.com/grafana/grafana/pkg/services/dashboardversion"
@@ -57,6 +58,7 @@ import (
 	"github.com/grafana/grafana/pkg/services/live"
 	"github.com/grafana/grafana/pkg/services/live/pushhttp"
 	"github.com/grafana/grafana/pkg/services/login"
+	loginAttempt "github.com/grafana/grafana/pkg/services/login_attempt"
 	"github.com/grafana/grafana/pkg/services/ngalert"
 	"github.com/grafana/grafana/pkg/services/notifications"
 	"github.com/grafana/grafana/pkg/services/org"
@@ -65,17 +67,15 @@ import (
 	pluginSettings "github.com/grafana/grafana/pkg/services/pluginsettings/service"
 	pref "github.com/grafana/grafana/pkg/services/preference"
 	"github.com/grafana/grafana/pkg/services/provisioning"
-	"github.com/grafana/grafana/pkg/services/quota"
-
-	"github.com/grafana/grafana/pkg/services/correlations"
-	loginAttempt "github.com/grafana/grafana/pkg/services/login_attempt"
 	publicdashboardsApi "github.com/grafana/grafana/pkg/services/publicdashboards/api"
 	"github.com/grafana/grafana/pkg/services/query"
 	"github.com/grafana/grafana/pkg/services/queryhistory"
+	"github.com/grafana/grafana/pkg/services/quota"
 	"github.com/grafana/grafana/pkg/services/rendering"
 	"github.com/grafana/grafana/pkg/services/search"
 	"github.com/grafana/grafana/pkg/services/searchusers"
 	"github.com/grafana/grafana/pkg/services/secrets"
+	secretsKV "github.com/grafana/grafana/pkg/services/secrets/kvstore"
 	spm "github.com/grafana/grafana/pkg/services/secrets/kvstore/migrations"
 	"github.com/grafana/grafana/pkg/services/serviceaccounts"
 	"github.com/grafana/grafana/pkg/services/shorturls"
@@ -144,6 +144,9 @@ type HTTPServer struct {
 	EncryptionService      encryption.Internal
 	SecretsService         secrets.Service
 	secretsPluginManager   plugins.SecretsPluginManager
+	secretsStore           secretsKV.SecretsKVStore
+	secretsMigrator        secrets.Migrator
+	secretsPluginMigrator  *spm.SecretMigrationServiceImpl
 	DataSourcesService     datasources.DataSourceService
 	cleanUpService         *cleanup.CleanUpService
 	tracer                 tracing.Tracer
@@ -178,13 +181,12 @@ type HTTPServer struct {
 	playlistService        playlist.Service
 	apiKeyService          apikey.Service
 	kvStore                kvstore.KVStore
-	secretsMigrator        secrets.Migrator
-	secretsPluginMigrator  *spm.SecretMigrationServiceImpl
-	userService            user.Service
-	tempUserService        tempUser.Service
-	loginAttemptService    loginAttempt.Service
-	orgService             org.Service
-	accesscontrolService   accesscontrol.Service
+
+	userService          user.Service
+	tempUserService      tempUser.Service
+	loginAttemptService  loginAttempt.Service
+	orgService           org.Service
+	accesscontrolService accesscontrol.Service
 }
 
 type ServerOptions struct {
@@ -208,7 +210,7 @@ func ProvideHTTPServer(opts ServerOptions, cfg *setting.Cfg, routeRegister routi
 	quotaService quota.Service, socialService social.Service, tracer tracing.Tracer, exportService export.ExportService, encryptionService encryption.Internal, grafanaUpdateChecker *updatechecker.GrafanaService, pluginsUpdateChecker *updatechecker.PluginsService, searchUsersService searchusers.Service,
-	dataSourcesService datasources.DataSourceService, secretsService secrets.Service, queryDataService *query.Service,
+	dataSourcesService datasources.DataSourceService, queryDataService *query.Service,
 	ldapGroups ldap.Groups, teamGuardian teamguardian.TeamGuardian, serviceaccountsService serviceaccounts.Service, authInfoService login.AuthInfoService, storageService store.StorageService, notificationService *notifications.NotificationService, dashboardService dashboards.DashboardService,
@@ -220,7 +222,8 @@ func ProvideHTTPServer(opts ServerOptions, cfg *setting.Cfg, routeRegister routi
 	dashboardPermissionsService accesscontrol.DashboardPermissionsService, dashboardVersionService dashver.Service, starService star.Service, csrfService csrf.Service, coremodels *registry.Base, playlistService playlist.Service, apiKeyService apikey.Service, kvStore kvstore.KVStore,
-	secretsMigrator secrets.Migrator, secretsPluginManager plugins.SecretsPluginManager, secretsPluginMigrator *spm.SecretMigrationServiceImpl,
+	secretsMigrator secrets.Migrator, secretsPluginManager plugins.SecretsPluginManager, secretsService secrets.Service,
+	secretsPluginMigrator *spm.SecretMigrationServiceImpl, secretsStore secretsKV.SecretsKVStore,
 	publicDashboardsApi *publicdashboardsApi.Api, userService user.Service, tempUserService tempUser.Service, loginAttemptService loginAttempt.Service, orgService org.Service, accesscontrolService accesscontrol.Service,
 ) (*HTTPServer, error) {
@@ -279,6 +282,9 @@ func ProvideHTTPServer(opts ServerOptions, cfg *setting.Cfg, routeRegister routi
 		EncryptionService:      encryptionService,
 		SecretsService:         secretsService,
 		secretsPluginManager:   secretsPluginManager,
+		secretsMigrator:        secretsMigrator,
+		secretsPluginMigrator:  secretsPluginMigrator,
+		secretsStore:           secretsStore,
 		DataSourcesService:     dataSourcesService,
 		searchUsersService:     searchUsersService,
 		ldapGroups:             ldapGroups,
@@ -309,8 +315,6 @@ func ProvideHTTPServer(opts ServerOptions, cfg *setting.Cfg, routeRegister routi
 		apiKeyService:          apiKeyService,
 		kvStore:                kvStore,
 		PublicDashboardsApi:    publicDashboardsApi,
-		secretsMigrator:        secretsMigrator,
-		secretsPluginMigrator:  secretsPluginMigrator,
 		userService:            userService,
 		tempUserService:        tempUserService,
 		loginAttemptService:    loginAttemptService,