Secrets: Add unified secrets table to reencryption (#48582)

* Add secrets table to reencryption

* Add updated column check for b64Secret reencryption

* Use field values for b64Secret to clarify booleans
pull/48612/head
Guilherme Caulada 3 years ago committed by GitHub
parent 815fc42da3
commit 2e9c38c951
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 16
      pkg/cmd/grafana-cli/commands/secretsmigrations/reencrypt_secrets.go
  2. 18
      pkg/cmd/grafana-cli/commands/secretsmigrations/rollback_secrets.go
  3. 1
      pkg/cmd/grafana-cli/commands/secretsmigrations/secretsmigrations.go

@ -104,8 +104,13 @@ func (s b64Secret) reencrypt(secretsSrv *manager.SecretsService, sess *xorm.Sess
} }
encoded := base64.StdEncoding.EncodeToString(encrypted) encoded := base64.StdEncoding.EncodeToString(encrypted)
updateSQL := fmt.Sprintf("UPDATE %s SET %s = ? WHERE id = ?", s.tableName, s.columnName) if s.hasUpdatedColumn {
_, err = sess.Exec(updateSQL, encoded, row.Id) updateSQL := fmt.Sprintf("UPDATE %s SET %s = ?, updated = ? WHERE id = ?", s.tableName, s.columnName)
_, err = sess.Exec(updateSQL, encoded, nowInUTC(), row.Id)
} else {
updateSQL := fmt.Sprintf("UPDATE %s SET %s = ? WHERE id = ?", s.tableName, s.columnName)
_, err = sess.Exec(updateSQL, encoded, row.Id)
}
if err != nil { if err != nil {
anyFailure = true anyFailure = true
@ -256,9 +261,10 @@ func ReEncryptSecrets(_ utils.CommandLine, runner runner.Runner) error {
reencrypt(*manager.SecretsService, *xorm.Session) reencrypt(*manager.SecretsService, *xorm.Session)
}{ }{
simpleSecret{tableName: "dashboard_snapshot", columnName: "dashboard_encrypted"}, simpleSecret{tableName: "dashboard_snapshot", columnName: "dashboard_encrypted"},
b64Secret{simpleSecret{tableName: "user_auth", columnName: "o_auth_access_token"}}, b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_access_token"}},
b64Secret{simpleSecret{tableName: "user_auth", columnName: "o_auth_refresh_token"}}, b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_refresh_token"}},
b64Secret{simpleSecret{tableName: "user_auth", columnName: "o_auth_token_type"}}, b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_token_type"}},
b64Secret{simpleSecret: simpleSecret{tableName: "secrets", columnName: "value"}, hasUpdatedColumn: true},
jsonSecret{tableName: "data_source"}, jsonSecret{tableName: "data_source"},
jsonSecret{tableName: "plugin_setting"}, jsonSecret{tableName: "plugin_setting"},
alertingSecret{}, alertingSecret{},
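Review bot: The `if s.hasUpdatedColumn` branch in `b64Secret.reencrypt` builds the UPDATE statement and its argument list inline, and the same if/else is copied verbatim into `b64Secret.rollback` in rollback_secrets.go, so the two can drift (the `updated = ?` placeholder and the `nowInUTC()` argument must stay in the same position in both). One method on `b64Secret` that returns the SQL and its args would keep the two call sites identical and give a single place to state that the Sprintf'ed table and column names are safe only because they come from the hard-coded list in `ReEncryptSecrets`/`RollBackSecrets`, never from caller input. The enclosing function starts outside the hunk, and I am inferring `row.Id`'s type only from its use as the `WHERE id = ?` argument, so the parameter below is typed loosely.
```go
// updateStmt returns the UPDATE statement that writes encoded back to the
// row with the given id, also bumping `updated` when the table has that
// column. tableName/columnName are trusted constants from the secret lists
// in ReEncryptSecrets/RollBackSecrets; never pass caller-supplied values.
func (s b64Secret) updateStmt(encoded string, id any) (string, []any) {
	if s.hasUpdatedColumn {
		sql := fmt.Sprintf("UPDATE %s SET %s = ?, updated = ? WHERE id = ?", s.tableName, s.columnName)
		return sql, []any{encoded, nowInUTC(), id}
	}
	sql := fmt.Sprintf("UPDATE %s SET %s = ? WHERE id = ?", s.tableName, s.columnName)
	return sql, []any{encoded, id}
}

// … in reencrypt, replacing the if/else …
updateSQL, args := s.updateStmt(encoded, row.Id)
_, err = sess.Exec(append([]any{updateSQL}, args...)...)
```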

@ -112,8 +112,15 @@ func (s b64Secret) rollback(
} }
encoded := base64.StdEncoding.EncodeToString(encrypted) encoded := base64.StdEncoding.EncodeToString(encrypted)
updateSQL := fmt.Sprintf("UPDATE %s SET %s = ? WHERE id = ?", s.tableName, s.columnName) if s.hasUpdatedColumn {
if _, err := sess.Exec(updateSQL, encoded, row.Id); err != nil { updateSQL := fmt.Sprintf("UPDATE %s SET %s = ?, updated = ? WHERE id = ?", s.tableName, s.columnName)
_, err = sess.Exec(updateSQL, encoded, nowInUTC(), row.Id)
} else {
updateSQL := fmt.Sprintf("UPDATE %s SET %s = ? WHERE id = ?", s.tableName, s.columnName)
_, err = sess.Exec(updateSQL, encoded, row.Id)
}
if err != nil {
anyFailure = true anyFailure = true
logger.Warn("Could not update secret while rolling it back", "table", s.tableName, "id", row.Id, "error", err) logger.Warn("Could not update secret while rolling it back", "table", s.tableName, "id", row.Id, "error", err)
continue continue
@ -272,9 +279,10 @@ func RollBackSecrets(_ utils.CommandLine, runner runner.Runner) error {
rollback(*manager.SecretsService, encryption.Internal, *xorm.Session, string) bool rollback(*manager.SecretsService, encryption.Internal, *xorm.Session, string) bool
}{ }{
simpleSecret{tableName: "dashboard_snapshot", columnName: "dashboard_encrypted"}, simpleSecret{tableName: "dashboard_snapshot", columnName: "dashboard_encrypted"},
b64Secret{simpleSecret{tableName: "user_auth", columnName: "o_auth_access_token"}}, b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_access_token"}},
b64Secret{simpleSecret{tableName: "user_auth", columnName: "o_auth_refresh_token"}}, b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_refresh_token"}},
b64Secret{simpleSecret{tableName: "user_auth", columnName: "o_auth_token_type"}}, b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_token_type"}},
b64Secret{simpleSecret: simpleSecret{tableName: "secrets", columnName: "value"}, hasUpdatedColumn: true},
jsonSecret{tableName: "data_source"}, jsonSecret{tableName: "data_source"},
jsonSecret{tableName: "plugin_setting"}, jsonSecret{tableName: "plugin_setting"},
alertingSecret{}, alertingSecret{},
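Review bot: In `b64Secret.rollback` the update result is now written to an outer variable with `_, err = sess.Exec(...)`, where the removed line used the scoped form `if _, err := sess.Exec(...); err != nil {`; the new code therefore depends on an `err` declared earlier in the function, which starts outside this hunk, and any later read of that variable in the loop body would now observe the Exec error instead of whatever it held before. If the outer `err` is not otherwise read after this point the change is harmless, but keeping the scoped form (`if _, err := sess.Exec(updateSQL, args...); err != nil {`) avoids having to check that. Rolling back also bumps `updated` on the `secrets` table exactly as reencrypt does; that looks intended, but a one-line comment such as `// bump updated on rollback too so the row's timestamp reflects the rewrite` would record it.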

@ -13,6 +13,7 @@ type simpleSecret struct {
type b64Secret struct { type b64Secret struct {
simpleSecret simpleSecret
hasUpdatedColumn bool
} }
type jsonSecret struct { type jsonSecret struct {
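Review bot: The new `hasUpdatedColumn` field on `b64Secret` has no comment, and its meaning is only discoverable from the SQL built in reencrypt_secrets.go and rollback_secrets.go. Suggested comment above the field: `// hasUpdatedColumn marks tables whose rows carry an "updated" timestamp column that reencrypt and rollback must bump when they rewrite the secret (currently only the unified "secrets" table).` The struct definition is complete within the hunk, but the rest of the file is not visible here.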
