From 81753526bd02240b5d8ba4dc09454fd3e424aaa1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Joan=20L=C3=B3pez=20de=20la=20Franca=20Beltran?= <5459617+joanlopez@users.noreply.github.com>
Date: Thu, 7 Jul 2022 09:48:25 +0200
Subject: [PATCH] Encryption: Refactor secrets.Service initialization (#51091)

* Encryption: Refactor secrets.Service initialization
---
 .../osskmsproviders/osskmsproviders.go | 4 --
 pkg/services/secrets/manager/manager.go | 61 +++++++++++--------
 2 files changed, 37 insertions(+), 28 deletions(-)

diff --git a/pkg/services/kmsproviders/osskmsproviders/osskmsproviders.go b/pkg/services/kmsproviders/osskmsproviders/osskmsproviders.go
index 4292ed16a58..511e7dc7091 100644
--- a/pkg/services/kmsproviders/osskmsproviders/osskmsproviders.go
+++ b/pkg/services/kmsproviders/osskmsproviders/osskmsproviders.go
@@ -24,10 +24,6 @@ func ProvideService(enc encryption.Internal, settings setting.Provider, features
 }
 
 func (s Service) Provide() (map[secrets.ProviderID]secrets.Provider, error) {
- if s.features.IsEnabled(featuremgmt.FlagDisableEnvelopeEncryption) {
- return nil, nil
- }
-
 return map[secrets.ProviderID]secrets.Provider{
 kmsproviders.Default: grafana.New(s.settings, s.enc),
 }, nil
diff --git a/pkg/services/secrets/manager/manager.go b/pkg/services/secrets/manager/manager.go
index 03cb18ede29..1c3c391f01e 100644
--- a/pkg/services/secrets/manager/manager.go
+++ b/pkg/services/secrets/manager/manager.go
@@ -34,7 +34,10 @@ type SecretsService struct {
 mtx sync.Mutex
 dataKeyCache *dataKeyCache
 
- providers map[secrets.ProviderID]secrets.Provider
+ pOnce sync.Once
+ providers map[secrets.ProviderID]secrets.Provider
+ kmsProvidersService kmsproviders.Service
+
 currentProviderID secrets.ProviderID
 
 log log.Logger
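Review bot: The new `pOnce`/`providers` pairing changes when `providers` is valid, but nothing at the declaration says so: the map is now nil until `InitProviders` runs, and ProvideSecretsService (next hunk) only runs it when envelope encryption is enabled, so any other reader of `s.providers` in this file, outside this hunk, has to tolerate a nil map. Suggest a comment above the group: `// providers is populated at most once by InitProviders (guarded by pOnce); it is nil before that, and ProvideSecretsService leaves it nil when envelope encryption is disabled.` The struct definition continues outside the hunk.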
@@ -48,46 +51,56 @@ func ProvideSecretsService(
 features featuremgmt.FeatureToggles,
 usageStats usagestats.Service,
 ) (*SecretsService, error) {
- providers, err := kmsProvidersService.Provide()
- if err != nil {
- return nil, err
- }
+ ttl := settings.KeyValue("security.encryption", "data_keys_cache_ttl").MustDuration(15 * time.Minute)
 
- logger := log.New("secrets")
- enabled := !features.IsEnabled(featuremgmt.FlagDisableEnvelopeEncryption)
 currentProviderID := kmsproviders.NormalizeProviderID(secrets.ProviderID(
 settings.KeyValue("security", "encryption_provider").MustString(kmsproviders.Default),
 ))
 
- if _, ok := providers[currentProviderID]; enabled && !ok {
- return nil, fmt.Errorf("missing configuration for current encryption provider %s", currentProviderID)
+ s := &SecretsService{
+ store: store,
+ enc: enc,
+ settings: settings,
+ usageStats: usageStats,
+ kmsProvidersService: kmsProvidersService,
+ dataKeyCache: newDataKeyCache(ttl),
+ currentProviderID: currentProviderID,
+ features: features,
+ log: log.New("secrets"),
 }
 
- if !enabled && currentProviderID != kmsproviders.Default {
- logger.Warn("Changing encryption provider requires enabling envelope encryption feature")
- }
+ enabled := !features.IsEnabled(featuremgmt.FlagDisableEnvelopeEncryption)
 
- logger.Info("Envelope encryption state", "enabled", enabled, "current provider", currentProviderID)
+ if enabled {
+ err := s.InitProviders()
+ if err != nil {
+ return nil, err
+ }
+ }
 
- ttl := settings.KeyValue("security.encryption", "data_keys_cache_ttl").MustDuration(15 * time.Minute)
+ if _, ok := s.providers[currentProviderID]; enabled && !ok {
+ return nil, fmt.Errorf("missing configuration for current encryption provider %s", currentProviderID)
+ }
 
- s := &SecretsService{
- store: store,
- enc: enc,
- settings: settings,
- usageStats: usageStats,
- providers: providers,
- dataKeyCache: newDataKeyCache(ttl),
- currentProviderID: currentProviderID,
- features: features,
- log: logger,
+ if !enabled && currentProviderID != kmsproviders.Default {
+ s.log.Warn("Changing encryption provider requires enabling envelope encryption feature")
 }
 
+ s.log.Info("Envelope encryption state", "enabled", enabled, "current provider", currentProviderID)
+
 s.registerUsageMetrics()
 
 return s, nil
 }
 
+func (s *SecretsService) InitProviders() (err error) {
+ s.pOnce.Do(func() {
+ s.providers, err = s.kmsProvidersService.Provide()
+ })
+
+ return
+ }
+
 func (s *SecretsService) registerUsageMetrics() {
 s.usageStats.RegisterMetricsFunc(func(context.Context) (map[string]interface{}, error) {
 usageMetrics := make(map[string]interface{})
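Review bot: `InitProviders` masks a failed initialization on every call after the first: `sync.Once.Do` never re-runs the closure, so if `s.kmsProvidersService.Provide()` returns an error once, later calls leave the named result `err` at nil and report success while `s.providers` is still nil. ProvideSecretsService happens to catch the first failure through the `missing configuration` check that follows, but any later caller of the exported `InitProviders` gets a nil error and an empty provider map, which silently degrades a security-critical component instead of failing loudly. Keep the error next to the map so every call returns the same outcome, which needs an error field (e.g. `initErr error`) beside `pOnce` in the struct hunk above; dropping the named result in favour of a plain `error` return keeps the signature compatible for callers. It would also help to wrap at the call site, `return nil, fmt.Errorf("initializing encryption providers: %w", err)`, so the failure is attributable in logs.
```go
func (s *SecretsService) InitProviders() error {
	s.pOnce.Do(func() {
		s.providers, s.initErr = s.kmsProvidersService.Provide()
	})

	return s.initErr
}
```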