Replace encryption.Service usages by secrets.Service (#41625)

* Replace encryption.Service by secrets.Service on expr.Service * Replace encryption.Service by secrets.Service on live pkg * Rename encryption.Service to encryption.Internal to clarify it must be not used
4 years ago · 44837fc592
parent dcae138379
commit 44837fc592
16 changed files with 66 additions and 53 deletions
--- a/pkg/api/http_server.go
+++ b/pkg/api/http_server.go
@ -108,7 +108,7 @@ type HTTPServer struct {
 	SocialService             social.Service
 	OAuthTokenService         oauthtoken.OAuthTokenService
 	Listener                  net.Listener
-	EncryptionService         encryption.Service
+	EncryptionService         encryption.Internal
 	SecretsService            secrets.Service
 	DataSourcesService        *datasources.Service
 	cleanUpService            *cleanup.CleanUpService
@ -142,7 +142,7 @@ func ProvideHTTPServer(opts ServerOptions, cfg *setting.Cfg, routeRegister routi
 	notificationService *notifications.NotificationService, tracingService *tracing.TracingService,
 	internalMetricsSvc *metrics.InternalMetricsService, quotaService *quota.QuotaService,
 	socialService social.Service, oauthTokenService oauthtoken.OAuthTokenService,
-	encryptionService encryption.Service, updateChecker *updatechecker.Service, searchUsersService searchusers.Service,
+	encryptionService encryption.Internal, updateChecker *updatechecker.Service, searchUsersService searchusers.Service,
 	dataSourcesService *datasources.Service, secretsService secrets.Service, expressionService *expr.Service) (*HTTPServer, error) {
 	web.Env = cfg.Env
 	m := web.New()
--- a/pkg/expr/service.go
+++ b/pkg/expr/service.go
@ -7,7 +7,7 @@ import (
 	"github.com/grafana/grafana/pkg/components/simplejson"
 	"github.com/grafana/grafana/pkg/models"
 	"github.com/grafana/grafana/pkg/plugins"
-	"github.com/grafana/grafana/pkg/services/encryption"
+	"github.com/grafana/grafana/pkg/services/secrets"
 	"github.com/grafana/grafana/pkg/setting"
 )

@ -36,16 +36,16 @@ func IsDataSource(uid string) bool {

 // Service is service representation for expression handling.
 type Service struct {
-	cfg               *setting.Cfg
-	dataService       backend.QueryDataHandler
-	encryptionService encryption.Service
+	cfg            *setting.Cfg
+	dataService    backend.QueryDataHandler
+	secretsService secrets.Service
 }

-func ProvideService(cfg *setting.Cfg, pluginClient plugins.Client, encryptionService encryption.Service) *Service {
+func ProvideService(cfg *setting.Cfg, pluginClient plugins.Client, secretsService secrets.Service) *Service {
 	return &Service{
-		cfg:               cfg,
-		dataService:       pluginClient,
-		encryptionService: encryptionService,
+		cfg:            cfg,
+		dataService:    pluginClient,
+		secretsService: secretsService,
 	}
 }

--- a/pkg/expr/service_test.go
+++ b/pkg/expr/service_test.go
@ -14,6 +14,8 @@ import (
 	"github.com/grafana/grafana/pkg/components/simplejson"
 	"github.com/grafana/grafana/pkg/models"
 	"github.com/grafana/grafana/pkg/services/encryption/ossencryption"
+	"github.com/grafana/grafana/pkg/services/secrets/fakes"
+	"github.com/grafana/grafana/pkg/services/secrets/manager"
 	"github.com/grafana/grafana/pkg/setting"
 	"github.com/stretchr/testify/require"
 )
@ -26,11 +28,22 @@ func TestService(t *testing.T) {
 	me := &mockEndpoint{
 		Frames: []*data.Frame{dsDF},
 	}
+
+	cfg := setting.NewCfg()
+
+	secretsService := manager.ProvideSecretsService(
+		fakes.NewFakeSecretsStore(),
+		bus.GetBus(),
+		ossencryption.ProvideService(),
+		setting.ProvideProvider(cfg),
+	)
+
 	s := Service{
-		cfg:               setting.NewCfg(),
-		dataService:       me,
-		encryptionService: ossencryption.ProvideService(),
+		cfg:            cfg,
+		dataService:    me,
+		secretsService: secretsService,
 	}
+
 	bus.AddHandlerCtx("test", func(_ context.Context, query *models.GetDataSourceQuery) error {
 		query.Result = &models.DataSource{Id: 1, OrgId: 1, Type: "test", JsonData: simplejson.New()}
 		return nil
--- a/pkg/expr/transform.go
+++ b/pkg/expr/transform.go
@ -219,7 +219,7 @@ func (s *Service) queryData(ctx context.Context, req *backend.QueryDataRequest)

 func (s *Service) decryptSecureJsonDataFn(ctx context.Context) func(map[string][]byte) map[string]string {
 	return func(m map[string][]byte) map[string]string {
-		decryptedJsonData, err := s.encryptionService.DecryptJsonData(ctx, m, s.cfg.SecretKey)
+		decryptedJsonData, err := s.secretsService.DecryptJsonData(ctx, m)
 		if err != nil {
 			logger.Error("Failed to decrypt secure json data", "error", err)
 		}
--- a/pkg/server/wireexts_oss.go
+++ b/pkg/server/wireexts_oss.go
@ -52,7 +52,7 @@ var wireExtsBasicSet = wire.NewSet(
 	authinfoservice.ProvideOSSUserProtectionService,
 	wire.Bind(new(login.UserProtectionService), new(*authinfoservice.OSSUserProtectionImpl)),
 	ossencryption.ProvideService,
-	wire.Bind(new(encryption.Service), new(*ossencryption.Service)),
+	wire.Bind(new(encryption.Internal), new(*ossencryption.Service)),
 	filters.ProvideOSSSearchUserFilter,
 	wire.Bind(new(models.SearchUserFilter), new(*filters.OSSSearchUserFilter)),
 	searchusers.ProvideUsersService,
--- a/pkg/services/alerting/engine.go
+++ b/pkg/services/alerting/engine.go
@ -48,7 +48,7 @@ func (e *AlertEngine) IsDisabled() bool {

 // ProvideAlertEngine returns a new AlertEngine.
 func ProvideAlertEngine(renderer rendering.Service, bus bus.Bus, requestValidator models.PluginRequestValidator,
-	dataService legacydata.RequestHandler, usageStatsService usagestats.Service, encryptionService encryption.Service,
+	dataService legacydata.RequestHandler, usageStatsService usagestats.Service, encryptionService encryption.Internal,
 	cfg *setting.Cfg) *AlertEngine {
 	e := &AlertEngine{
 		Cfg:               cfg,
--- a/pkg/services/alerting/service.go
+++ b/pkg/services/alerting/service.go
@ -13,10 +13,10 @@ import (
 type AlertNotificationService struct {
 	Bus               bus.Bus
 	SQLStore          *sqlstore.SQLStore
-	EncryptionService encryption.Service
+	EncryptionService encryption.Internal
 }

-func ProvideService(bus bus.Bus, store *sqlstore.SQLStore, encryptionService encryption.Service,
+func ProvideService(bus bus.Bus, store *sqlstore.SQLStore, encryptionService encryption.Internal,
 ) *AlertNotificationService {
 	s := &AlertNotificationService{
 		Bus:               bus,
--- a/pkg/services/encryption/encryption.go
+++ b/pkg/services/encryption/encryption.go
@ -2,9 +2,12 @@ package encryption

 import "context"

-// Service must not be used for encryption,
-// use secrets.Service implementing envelope encryption instead.
-type Service interface {
+// Internal must not be used for general purpose encryption.
+// This service is used as an internal component for envelope encryption
+// and for very specific few use cases that still require legacy encryption.
+//
+// Unless there is any specific reason, you must use secrets.Service instead.
+type Internal interface {
 	Encrypt(ctx context.Context, payload []byte, secret string) ([]byte, error)
 	Decrypt(ctx context.Context, payload []byte, secret string) ([]byte, error)

--- a/pkg/services/live/live.go
+++ b/pkg/services/live/live.go
@ -13,8 +13,6 @@ import (
 	"sync"
 	"time"

-	"github.com/grafana/grafana/pkg/services/encryption"
-
 	"github.com/centrifugal/centrifuge"
 	"github.com/go-redis/redis/v8"
 	"github.com/gobwas/glob"
@ -41,6 +39,7 @@ import (
 	"github.com/grafana/grafana/pkg/services/live/pushws"
 	"github.com/grafana/grafana/pkg/services/live/runstream"
 	"github.com/grafana/grafana/pkg/services/live/survey"
+	"github.com/grafana/grafana/pkg/services/secrets"
 	"github.com/grafana/grafana/pkg/services/sqlstore"
 	"github.com/grafana/grafana/pkg/setting"
 	"github.com/grafana/grafana/pkg/tsdb/cloudwatch"
@ -64,7 +63,7 @@ type CoreGrafanaScope struct {

 func ProvideService(plugCtxProvider *plugincontext.Provider, cfg *setting.Cfg, routeRegister routing.RouteRegister,
 	logsService *cloudwatch.LogsService, pluginStore plugins.Store, cacheService *localcache.CacheService,
-	dataSourceCache datasources.CacheService, sqlStore *sqlstore.SQLStore, encService encryption.Service,
+	dataSourceCache datasources.CacheService, sqlStore *sqlstore.SQLStore, secretsService secrets.Service,
 	usageStatsService usagestats.Service) (*GrafanaLive, error) {
 	g := &GrafanaLive{
 		Cfg:                   cfg,
@ -75,7 +74,7 @@ func ProvideService(plugCtxProvider *plugincontext.Provider, cfg *setting.Cfg, r
 		CacheService:          cacheService,
 		DataSourceCache:       dataSourceCache,
 		SQLStore:              sqlStore,
-		EncryptionService:     encService,
+		SecretsService:        secretsService,
 		channels:              make(map[string]models.ChannelHandler),
 		GrafanaScope: CoreGrafanaScope{
 			Features: make(map[string]models.ChannelHandlerFactory),
@ -183,8 +182,8 @@ func ProvideService(plugCtxProvider *plugincontext.Provider, cfg *setting.Cfg, r
 			}
 		} else {
 			storage := &pipeline.FileStorage{
-				DataPath:          cfg.DataPath,
-				EncryptionService: g.EncryptionService,
+				DataPath:       cfg.DataPath,
+				SecretsService: g.SecretsService,
 			}
 			g.pipelineStorage = storage
 			builder = &pipeline.StorageRuleBuilder{
@ -193,7 +192,7 @@ func ProvideService(plugCtxProvider *plugincontext.Provider, cfg *setting.Cfg, r
 				FrameStorage:         pipeline.NewFrameStorage(),
 				Storage:              storage,
 				ChannelHandlerGetter: g,
-				EncryptionService:    g.EncryptionService,
+				SecretsService:       g.SecretsService,
 			}
 		}
 		channelRuleGetter := pipeline.NewCacheSegmentedTree(builder)
@ -369,7 +368,7 @@ type GrafanaLive struct {
 	CacheService          *localcache.CacheService
 	DataSourceCache       datasources.CacheService
 	SQLStore              *sqlstore.SQLStore
-	EncryptionService     encryption.Service
+	SecretsService        secrets.Service
 	pluginStore           plugins.Store

 	node         *centrifuge.Node
@ -1220,7 +1219,7 @@ func (g *GrafanaLive) HandleWriteConfigsPutHTTP(c *models.ReqContext) response.R
 		if cmd.SecureSettings == nil {
 			cmd.SecureSettings = map[string]string{}
 		}
-		secureJSONData, err := g.EncryptionService.DecryptJsonData(c.Req.Context(), existingBackend.SecureSettings, setting.SecretKey)
+		secureJSONData, err := g.SecretsService.DecryptJsonData(c.Req.Context(), existingBackend.SecureSettings)
 		if err != nil {
 			logger.Error("Error decrypting secure settings", "error", err)
 			return response.Error(http.StatusInternalServerError, "Error decrypting secure settings", err)
--- a/pkg/services/live/pipeline/config.go
+++ b/pkg/services/live/pipeline/config.go
@ -4,14 +4,13 @@ import (
 	"context"
 	"fmt"

+	"github.com/grafana/grafana/pkg/services/secrets"
+
+	"github.com/centrifugal/centrifuge"
 	"github.com/grafana/grafana/pkg/models"
-	"github.com/grafana/grafana/pkg/services/encryption"
 	"github.com/grafana/grafana/pkg/services/live/managedstream"
 	"github.com/grafana/grafana/pkg/services/live/pipeline/pattern"
 	"github.com/grafana/grafana/pkg/services/live/pipeline/tree"
-	"github.com/grafana/grafana/pkg/setting"
-
-	"github.com/centrifugal/centrifuge"
 )

 type JsonAutoSettings struct{}
@ -298,7 +297,7 @@ type StorageRuleBuilder struct {
 	FrameStorage         *FrameStorage
 	Storage              Storage
 	ChannelHandlerGetter ChannelHandlerGetter
-	EncryptionService    encryption.Service
+	SecretsService       secrets.Service
 }

 func (f *StorageRuleBuilder) extractSubscriber(config *SubscriberConfig) (Subscriber, error) {
@ -434,7 +433,7 @@ func (f *StorageRuleBuilder) constructBasicAuth(writeConfig WriteConfig) (*Basic
 	var password string
 	hasSecurePassword := len(writeConfig.SecureSettings["basicAuthPassword"]) > 0
 	if hasSecurePassword {
-		passwordBytes, err := f.EncryptionService.Decrypt(context.Background(), writeConfig.SecureSettings["basicAuthPassword"], setting.SecretKey)
+		passwordBytes, err := f.SecretsService.Decrypt(context.Background(), writeConfig.SecureSettings["basicAuthPassword"])
 		if err != nil {
 			return nil, fmt.Errorf("basicAuthPassword can't be decrypted: %w", err)
 		}
--- a/pkg/services/live/pipeline/storage_file.go
+++ b/pkg/services/live/pipeline/storage_file.go
@ -9,15 +9,14 @@ import (
 	"os"
 	"path/filepath"

-	"github.com/grafana/grafana/pkg/services/encryption"
-	"github.com/grafana/grafana/pkg/setting"
+	"github.com/grafana/grafana/pkg/services/secrets"
 	"github.com/grafana/grafana/pkg/util"
 )

 // FileStorage can load channel rules from a file on disk.
 type FileStorage struct {
-	DataPath          string
-	EncryptionService encryption.Service
+	DataPath       string
+	SecretsService secrets.Service
 }

 func (f *FileStorage) ListWriteConfigs(_ context.Context, orgID int64) ([]WriteConfig, error) {
@ -56,7 +55,7 @@ func (f *FileStorage) CreateWriteConfig(ctx context.Context, orgID int64, cmd Wr
 		cmd.UID = util.GenerateShortUID()
 	}

-	secureSettings, err := f.EncryptionService.EncryptJsonData(ctx, cmd.SecureSettings, setting.SecretKey)
+	secureSettings, err := f.SecretsService.EncryptJsonData(ctx, cmd.SecureSettings, secrets.WithoutScope())
 	if err != nil {
 		return WriteConfig{}, fmt.Errorf("error encrypting data: %w", err)
 	}
@ -88,7 +87,7 @@ func (f *FileStorage) UpdateWriteConfig(ctx context.Context, orgID int64, cmd Wr
 		return WriteConfig{}, fmt.Errorf("can't read write configs: %w", err)
 	}

-	secureSettings, err := f.EncryptionService.EncryptJsonData(ctx, cmd.SecureSettings, setting.SecretKey)
+	secureSettings, err := f.SecretsService.EncryptJsonData(ctx, cmd.SecureSettings, secrets.WithoutScope())
 	if err != nil {
 		return WriteConfig{}, fmt.Errorf("error encrypting data: %w", err)
 	}
--- a/pkg/services/provisioning/notifiers/alert_notifications.go
+++ b/pkg/services/provisioning/notifiers/alert_notifications.go
@ -9,7 +9,7 @@ import (
 )

 // Provision alert notifiers
-func Provision(ctx context.Context, configDirectory string, encryptionService encryption.Service) error {
+func Provision(ctx context.Context, configDirectory string, encryptionService encryption.Internal) error {
 	dc := newNotificationProvisioner(encryptionService, log.New("provisioning.notifiers"))
 	return dc.applyChanges(ctx, configDirectory)
 }
@ -20,7 +20,7 @@ type NotificationProvisioner struct {
 	cfgProvider *configReader
 }

-func newNotificationProvisioner(encryptionService encryption.Service, log log.Logger) NotificationProvisioner {
+func newNotificationProvisioner(encryptionService encryption.Internal, log log.Logger) NotificationProvisioner {
 	return NotificationProvisioner{
 		log: log,
 		cfgProvider: &configReader{
--- a/pkg/services/provisioning/notifiers/config_reader.go
+++ b/pkg/services/provisioning/notifiers/config_reader.go
@ -18,7 +18,7 @@ import (
 )

 type configReader struct {
-	encryptionService encryption.Service
+	encryptionService encryption.Internal
 	log               log.Logger
 }

--- a/pkg/services/provisioning/provisioning.go
+++ b/pkg/services/provisioning/provisioning.go
@ -19,7 +19,7 @@ import (
 )

 func ProvideService(cfg *setting.Cfg, sqlStore *sqlstore.SQLStore, pluginStore plugifaces.Store,
-	encryptionService encryption.Service) (*ProvisioningServiceImpl, error) {
+	encryptionService encryption.Internal) (*ProvisioningServiceImpl, error) {
 	s := &ProvisioningServiceImpl{
 		Cfg:                     cfg,
 		SQLStore:                sqlStore,
@ -59,7 +59,7 @@ func NewProvisioningServiceImpl() *ProvisioningServiceImpl {
 // Used for testing purposes
 func newProvisioningServiceImpl(
 	newDashboardProvisioner dashboards.DashboardProvisionerFactory,
-	provisionNotifiers func(context.Context, string, encryption.Service) error,
+	provisionNotifiers func(context.Context, string, encryption.Internal) error,
 	provisionDatasources func(context.Context, string) error,
 	provisionPlugins func(string, plugifaces.Store) error,
 ) *ProvisioningServiceImpl {
@ -76,12 +76,12 @@ type ProvisioningServiceImpl struct {
 	Cfg                     *setting.Cfg
 	SQLStore                *sqlstore.SQLStore
 	pluginStore             plugifaces.Store
-	EncryptionService       encryption.Service
+	EncryptionService       encryption.Internal
 	log                     log.Logger
 	pollingCtxCancel        context.CancelFunc
 	newDashboardProvisioner dashboards.DashboardProvisionerFactory
 	dashboardProvisioner    dashboards.DashboardProvisioner
-	provisionNotifiers      func(context.Context, string, encryption.Service) error
+	provisionNotifiers      func(context.Context, string, encryption.Internal) error
 	provisionDatasources    func(context.Context, string) error
 	provisionPlugins        func(string, plugifaces.Store) error
 	mutex                   sync.Mutex
--- a/pkg/services/secrets/defaultprovider/grafana_provider.go
+++ b/pkg/services/secrets/defaultprovider/grafana_provider.go
@ -10,10 +10,10 @@ import (

 type grafanaProvider struct {
 	settings   setting.Provider
-	encryption encryption.Service
+	encryption encryption.Internal
 }

-func New(settings setting.Provider, encryption encryption.Service) secrets.Provider {
+func New(settings setting.Provider, encryption encryption.Internal) secrets.Provider {
 	return grafanaProvider{
 		settings:   settings,
 		encryption: encryption,
--- a/pkg/services/secrets/manager/manager.go
+++ b/pkg/services/secrets/manager/manager.go
@ -24,7 +24,7 @@ const (
 type SecretsService struct {
 	store    secrets.Store
 	bus      bus.Bus
-	enc      encryption.Service
+	enc      encryption.Internal
 	settings setting.Provider

 	currentProvider string
@ -32,7 +32,7 @@ type SecretsService struct {
 	dataKeyCache    map[string]dataKeyCacheItem
 }

-func ProvideSecretsService(store secrets.Store, bus bus.Bus, enc encryption.Service, settings setting.Provider) *SecretsService {
+func ProvideSecretsService(store secrets.Store, bus bus.Bus, enc encryption.Internal, settings setting.Provider) *SecretsService {
 	providers := map[string]secrets.Provider{
 		defaultProvider: grafana.New(settings, enc),
 	}