From cc65b4d46a0bccf143f9375dcb98df6e09b2484b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Joan=20L=C3=B3pez=20de=20la=20Franca=20Beltran?= <5459617+joanlopez@users.noreply.github.com> Date: Mon, 19 Jun 2023 23:44:01 +0200 Subject: [PATCH] Secrets: Make the Migrator extensible (#67307) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * [Chore] Remove setting provider from secret service Co-authored-by: Tania B Co-authored-by: Joan López de la Franca Beltran * Add a ShouldBeRedacted func Co-authored-by: Tania B Co-authored-by: Joan López de la Franca Beltran * Secrets: Make Migrator extensible Co-authored-by: Gabriel MABILLE Co-authored-by: Tania B * Alerting: Fix tests after refactor Co-authored-by: Gabriel MABILLE Co-authored-by: Tania B * Remove commented code no longer used * Fix Wire bindings Co-authored-by: Tania B * Add constructors to secrets * Linting * Undo undesired change --------- Co-authored-by: gamab Co-authored-by: Tania B Co-authored-by: Gabriel MABILLE --- pkg/server/wire.go | 3 - pkg/server/wireexts_oss.go | 4 ++ .../alerting/engine_integration_test.go | 5 +- pkg/services/alerting/engine_test.go | 5 +- pkg/services/alerting/service_test.go | 4 +- pkg/services/encryption/service/helpers.go | 2 +- pkg/services/encryption/service/service.go | 38 +++------- .../encryption/service/service_test.go | 8 +-- .../defaultprovider/grafana_provider.go | 10 +-- .../osskmsproviders/osskmsproviders.go | 8 +-- pkg/services/secrets/manager/helpers.go | 7 +- pkg/services/secrets/manager/manager.go | 14 ++-- pkg/services/secrets/manager/manager_test.go | 10 +-- pkg/services/secrets/migrator/migrator.go | 70 +++++++++++-------- pkg/services/secrets/migrator/reencrypt.go | 8 +-- pkg/services/secrets/migrator/rollback.go | 8 +-- 16 files changed, 92 insertions(+), 112 deletions(-) diff --git a/pkg/server/wire.go b/pkg/server/wire.go index d1ce2905ecf..7f74d3eadfa 100644 --- a/pkg/server/wire.go +++ b/pkg/server/wire.go 
@@ -111,7 +111,6 @@ import ( secretsStore "github.com/grafana/grafana/pkg/services/secrets/kvstore" secretsMigrations "github.com/grafana/grafana/pkg/services/secrets/kvstore/migrations" secretsManager "github.com/grafana/grafana/pkg/services/secrets/manager" - secretsMigrator "github.com/grafana/grafana/pkg/services/secrets/migrator" "github.com/grafana/grafana/pkg/services/serviceaccounts" serviceaccountsmanager "github.com/grafana/grafana/pkg/services/serviceaccounts/manager" serviceaccountsretriever "github.com/grafana/grafana/pkg/services/serviceaccounts/retriever" @@ -264,8 +263,6 @@ var wireBasicSet = wire.NewSet( wire.Bind(new(secrets.Service), new(*secretsManager.SecretsService)), secretsDatabase.ProvideSecretsStore, wire.Bind(new(secrets.Store), new(*secretsDatabase.SecretsStoreImpl)), - secretsMigrator.ProvideSecretsMigrator, - wire.Bind(new(secrets.Migrator), new(*secretsMigrator.SecretsMigrator)), grafanads.ProvideService, wire.Bind(new(dashboardsnapshots.Store), new(*dashsnapstore.DashboardSnapshotStore)), dashsnapstore.ProvideStore, diff --git a/pkg/server/wireexts_oss.go b/pkg/server/wireexts_oss.go index 761bc0ced01..ae597e24e2b 100644 --- a/pkg/server/wireexts_oss.go +++ b/pkg/server/wireexts_oss.go @@ -35,6 +35,8 @@ import ( publicdashboardsService "github.com/grafana/grafana/pkg/services/publicdashboards/service" "github.com/grafana/grafana/pkg/services/searchusers" "github.com/grafana/grafana/pkg/services/searchusers/filters" + "github.com/grafana/grafana/pkg/services/secrets" + secretsMigrator "github.com/grafana/grafana/pkg/services/secrets/migrator" "github.com/grafana/grafana/pkg/services/sqlstore/migrations" "github.com/grafana/grafana/pkg/services/user" "github.com/grafana/grafana/pkg/services/validations" 
@@ -88,6 +90,8 @@ var wireExtsBasicSet = wire.NewSet( wire.Bind(new(publicdashboards.ServiceWrapper), new(*publicdashboardsService.PublicDashboardServiceWrapperImpl)), caching.ProvideCachingService, wire.Bind(new(caching.CachingService), new(*caching.OSSCachingService)), + secretsMigrator.ProvideSecretsMigrator, + wire.Bind(new(secrets.Migrator), new(*secretsMigrator.SecretsMigrator)), ) var wireExtsSet = wire.NewSet( diff --git a/pkg/services/alerting/engine_integration_test.go b/pkg/services/alerting/engine_integration_test.go index 0f0a48545e0..bc114528e7b 100644 --- a/pkg/services/alerting/engine_integration_test.go +++ b/pkg/services/alerting/engine_integration_test.go @@ -31,10 +31,7 @@ func TestIntegrationEngineTimeouts(t *testing.T) { usValidatorMock := &validator.FakeUsageStatsValidator{} encProvider := encryptionprovider.ProvideEncryptionProvider() - cfg := setting.NewCfg() - settings := &setting.OSSImpl{Cfg: cfg} - - encService, err := encryptionservice.ProvideEncryptionService(encProvider, usMock, settings) + encService, err := encryptionservice.ProvideEncryptionService(encProvider, usMock, setting.NewCfg()) require.NoError(t, err) tracer := tracing.InitializeTracerForTest() diff --git a/pkg/services/alerting/engine_test.go b/pkg/services/alerting/engine_test.go index fcad2e3f60d..bcdd30ed157 100644 --- a/pkg/services/alerting/engine_test.go +++ b/pkg/services/alerting/engine_test.go @@ -122,10 +122,7 @@ func TestEngineProcessJob(t *testing.T) { usValidatorMock := &validator.FakeUsageStatsValidator{} encProvider := encryptionprovider.ProvideEncryptionProvider() - cfg := setting.NewCfg() - settings := &setting.OSSImpl{Cfg: cfg} - - encService, err := encryptionservice.ProvideEncryptionService(encProvider, usMock, settings) + encService, err := encryptionservice.ProvideEncryptionService(encProvider, usMock, setting.NewCfg()) require.NoError(t, err) tracer := tracing.InitializeTracerForTest() 
diff --git a/pkg/services/alerting/service_test.go b/pkg/services/alerting/service_test.go index 53ca26cdbb3..0cea01be6d3 100644 --- a/pkg/services/alerting/service_test.go +++ b/pkg/services/alerting/service_test.go @@ -33,9 +33,7 @@ func TestService(t *testing.T) { usMock := &usagestats.UsageStatsMock{T: t} encProvider := encryptionprovider.ProvideEncryptionProvider() - settings := &setting.OSSImpl{Cfg: setting.NewCfg()} - - encService, err := encryptionservice.ProvideEncryptionService(encProvider, usMock, settings) + encService, err := encryptionservice.ProvideEncryptionService(encProvider, usMock, setting.NewCfg()) require.NoError(t, err) s := ProvideService(sqlStore.db, encService, nil) diff --git a/pkg/services/encryption/service/helpers.go b/pkg/services/encryption/service/helpers.go index bbd1b5850f1..53f64239311 100644 --- a/pkg/services/encryption/service/helpers.go +++ b/pkg/services/encryption/service/helpers.go @@ -15,7 +15,7 @@ func SetupTestService(tb testing.TB) *Service { usMock := &usagestats.UsageStatsMock{T: tb} provider := encryptionprovider.ProvideEncryptionProvider() - settings := &setting.OSSImpl{Cfg: setting.NewCfg()} + settings := setting.NewCfg() service, err := ProvideEncryptionService(provider, usMock, settings) require.NoError(tb, err) diff --git a/pkg/services/encryption/service/service.go b/pkg/services/encryption/service/service.go index 59f96889f7d..9b77f18c5e6 100644 --- a/pkg/services/encryption/service/service.go +++ b/pkg/services/encryption/service/service.go @@ -26,8 +26,8 @@ const ( type Service struct { log log.Logger - settingsProvider setting.Provider - usageMetrics usagestats.Service + cfg *setting.Cfg + usageMetrics usagestats.Service ciphers map[string]encryption.Cipher deciphers map[string]encryption.Decipher 
@@ -36,7 +36,7 @@ type Service struct { func ProvideEncryptionService( provider encryption.Provider, usageMetrics usagestats.Service, - settingsProvider setting.Provider, + cfg *setting.Cfg, ) (*Service, error) { s := &Service{ log: log.New("encryption"), @@ -44,20 +44,17 @@ func ProvideEncryptionService( ciphers: provider.ProvideCiphers(), deciphers: provider.ProvideDeciphers(), - usageMetrics: usageMetrics, - settingsProvider: settingsProvider, + usageMetrics: usageMetrics, + cfg: cfg, } - algorithm := s.settingsProvider. - KeyValue(securitySection, encryptionAlgorithmKey). + algorithm := s.cfg.SectionWithEnvOverrides(securitySection).Key(encryptionAlgorithmKey). MustString(defaultEncryptionAlgorithm) if err := s.checkEncryptionAlgorithm(algorithm); err != nil { return nil, err } - settingsProvider.RegisterReloadHandler(securitySection, s) - s.registerUsageMetrics() return s, nil @@ -86,8 +83,7 @@ func (s *Service) checkEncryptionAlgorithm(algorithm string) error { func (s *Service) registerUsageMetrics() { s.usageMetrics.RegisterMetricsFunc(func(context.Context) (map[string]interface{}, error) { - algorithm := s.settingsProvider. - KeyValue(securitySection, encryptionAlgorithmKey). + algorithm := s.cfg.SectionWithEnvOverrides(securitySection).Key(encryptionAlgorithmKey). MustString(defaultEncryptionAlgorithm) return map[string]interface{}{ @@ -174,8 +170,7 @@ func (s *Service) Encrypt(ctx context.Context, payload []byte, secret string) ([ } }() - algorithm := s.settingsProvider. - KeyValue(securitySection, encryptionAlgorithmKey). + algorithm := s.cfg.SectionWithEnvOverrides(securitySection).Key(encryptionAlgorithmKey). MustString(defaultEncryptionAlgorithm) cipher, ok := s.ciphers[algorithm] 
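Review bot: The algorithm lookup `s.cfg.SectionWithEnvOverrides(securitySection).Key(encryptionAlgorithmKey).MustString(defaultEncryptionAlgorithm)` is now spelled out three times in service.go (the constructor hunk, registerUsageMetrics and Encrypt on this line), so one private accessor would keep them in step: `func (s *Service) encryptionAlgorithm() string { return s.cfg.SectionWithEnvOverrides(securitySection).Key(encryptionAlgorithmKey).MustString(defaultEncryptionAlgorithm) }`. Dropping `settingsProvider.RegisterReloadHandler(securitySection, s)` also removes the only path that re-ran checkEncryptionAlgorithm after construction, while Encrypt still reads the value live from cfg on every call; if cfg.Raw changes at runtime (service_test.go mutates it via SetValue), an unsupported algorithm is caught only by the `cipher, ok := s.ciphers[algorithm]` lookup, whose ok-branch lies outside the hunk. A comment on that lookup would record this, e.g. `// read live from cfg: the value is only validated in ProvideEncryptionService, so the map lookup must reject unknown algorithms`. Encrypt and registerUsageMetrics both continue outside their hunks.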
@@ -237,20 +232,3 @@ func (s *Service) GetDecryptedValue(ctx context.Context, sjd map[string][]byte, return fallback } - -func (s *Service) Validate(section setting.Section) error { - s.log.Debug("Validating encryption config") - - algorithm := section.KeyValue(encryptionAlgorithmKey). - MustString(defaultEncryptionAlgorithm) - - if err := s.checkEncryptionAlgorithm(algorithm); err != nil { - return err - } - - return nil -} - -func (s *Service) Reload(_ setting.Section) error { - return nil -} diff --git a/pkg/services/encryption/service/service_test.go b/pkg/services/encryption/service/service_test.go index 6e0a58d40d8..e785f8a3ab1 100644 --- a/pkg/services/encryption/service/service_test.go +++ b/pkg/services/encryption/service/service_test.go @@ -18,7 +18,7 @@ func Test_Service(t *testing.T) { encProvider := provider.Provider{} usageStats := &usagestats.UsageStatsMock{} - settings := &setting.OSSImpl{Cfg: setting.NewCfg()} + settings := setting.NewCfg() svc, err := ProvideEncryptionService(encProvider, usageStats, settings) require.NoError(t, err) @@ -31,7 +31,7 @@ func Test_Service(t *testing.T) { }) t.Run("encrypt and decrypt with aes-cfb should work", func(t *testing.T) { - settings.Cfg.Raw.Section(securitySection).Key(encryptionAlgorithmKey).SetValue(encryption.AesCfb) + settings.Raw.Section(securitySection).Key(encryptionAlgorithmKey).SetValue(encryption.AesCfb) encrypted, err := svc.Encrypt(ctx, []byte("grafana"), "1234") require.NoError(t, err) @@ -55,7 +55,7 @@ func Test_Service(t *testing.T) { }) t.Run("encrypt with aes-gcm should fail", func(t *testing.T) { - settings.Cfg.Raw.Section(securitySection).Key(encryptionAlgorithmKey).SetValue(encryption.AesGcm) + settings.Raw.Section(securitySection).Key(encryptionAlgorithmKey).SetValue(encryption.AesGcm) _, err := svc.Encrypt(ctx, []byte("grafana"), "1234") require.Error(t, err) 
@@ -77,7 +77,7 @@ func Test_Service(t *testing.T) { func Test_Service_MissingProvider(t *testing.T) { encProvider := fakeProvider{} usageStats := &usagestats.UsageStatsMock{} - settings := &setting.OSSImpl{Cfg: setting.NewCfg()} + settings := setting.NewCfg() service, err := ProvideEncryptionService(encProvider, usageStats, settings) assert.Nil(t, service) diff --git a/pkg/services/kmsproviders/defaultprovider/grafana_provider.go b/pkg/services/kmsproviders/defaultprovider/grafana_provider.go index 6728e667126..6e5023937c4 100644 --- a/pkg/services/kmsproviders/defaultprovider/grafana_provider.go +++ b/pkg/services/kmsproviders/defaultprovider/grafana_provider.go @@ -9,23 +9,23 @@ import ( ) type grafanaProvider struct { - settings setting.Provider + cfg *setting.Cfg encryption encryption.Internal } -func New(settings setting.Provider, encryption encryption.Internal) secrets.Provider { +func New(cfg *setting.Cfg, encryption encryption.Internal) secrets.Provider { return grafanaProvider{ - settings: settings, + cfg: cfg, encryption: encryption, } } func (p grafanaProvider) Encrypt(ctx context.Context, blob []byte) ([]byte, error) { - key := p.settings.KeyValue("security", "secret_key").Value() + key := p.cfg.SectionWithEnvOverrides("security").Key("secret_key").Value() return p.encryption.Encrypt(ctx, blob, key) } func (p grafanaProvider) Decrypt(ctx context.Context, blob []byte) ([]byte, error) { - key := p.settings.KeyValue("security", "secret_key").Value() + key := p.cfg.SectionWithEnvOverrides("security").Key("secret_key").Value() return p.encryption.Decrypt(ctx, blob, key) } diff --git a/pkg/services/kmsproviders/osskmsproviders/osskmsproviders.go b/pkg/services/kmsproviders/osskmsproviders/osskmsproviders.go index 511e7dc7091..082ad8f95db 100644 --- a/pkg/services/kmsproviders/osskmsproviders/osskmsproviders.go +++ b/pkg/services/kmsproviders/osskmsproviders/osskmsproviders.go 
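Review bot: In grafana_provider.go the lookup `p.cfg.SectionWithEnvOverrides("security").Key("secret_key").Value()` is duplicated verbatim in Encrypt and Decrypt; a small accessor keeps both reading the same setting: `func (p grafanaProvider) secretKey() string { return p.cfg.SectionWithEnvOverrides("security").Key("secret_key").Value() }` with both call sites becoming `key := p.secretKey()`. `Value()` presumably yields an empty string when `secret_key` is unset, and nothing in this hunk rejects that before the blob is handed to p.encryption.Encrypt with it; whether encryption.Internal refuses an empty key cannot be seen from here, so either a guard that returns an error from Encrypt or a comment naming where the empty-key case is rejected would make the behaviour explicit. This was also true of the replaced `p.settings.KeyValue(...)` form, so it is a pre-existing gap rather than a regression.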
@@ -11,20 +11,20 @@ import ( type Service struct { enc encryption.Internal - settings setting.Provider + cfg *setting.Cfg features featuremgmt.FeatureToggles } -func ProvideService(enc encryption.Internal, settings setting.Provider, features featuremgmt.FeatureToggles) Service { +func ProvideService(enc encryption.Internal, cfg *setting.Cfg, features featuremgmt.FeatureToggles) Service { return Service{ enc: enc, - settings: settings, + cfg: cfg, features: features, } } func (s Service) Provide() (map[secrets.ProviderID]secrets.Provider, error) { return map[secrets.ProviderID]secrets.Provider{ - kmsproviders.Default: grafana.New(s.settings, s.enc), + kmsproviders.Default: grafana.New(s.cfg, s.enc), }, nil } diff --git a/pkg/services/secrets/manager/helpers.go b/pkg/services/secrets/manager/helpers.go index e063c38046d..aacbb636e13 100644 --- a/pkg/services/secrets/manager/helpers.go +++ b/pkg/services/secrets/manager/helpers.go @@ -39,19 +39,18 @@ func setupTestService(tb testing.TB, store secrets.Store, features *featuremgmt. require.NoError(tb, err) cfg := &setting.Cfg{Raw: raw} - settings := &setting.OSSImpl{Cfg: cfg} encProvider := encryptionprovider.Provider{} usageStats := &usagestats.UsageStatsMock{} - encryption, err := encryptionservice.ProvideEncryptionService(encProvider, usageStats, settings) + encryption, err := encryptionservice.ProvideEncryptionService(encProvider, usageStats, cfg) require.NoError(tb, err) secretsService, err := ProvideSecretsService( store, - osskmsproviders.ProvideService(encryption, settings, features), + osskmsproviders.ProvideService(encryption, cfg, features), encryption, - settings, + cfg, features, &usagestats.UsageStatsMock{T: tb}, ) diff --git a/pkg/services/secrets/manager/manager.go b/pkg/services/secrets/manager/manager.go index 6e0180a2454..ef0b1f84500 100644 --- a/pkg/services/secrets/manager/manager.go +++ b/pkg/services/secrets/manager/manager.go 
@@ -37,7 +37,7 @@ var ( type SecretsService struct { store secrets.Store enc encryption.Internal - settings setting.Provider + cfg *setting.Cfg features featuremgmt.FeatureToggles usageStats usagestats.Service @@ -57,20 +57,20 @@ func ProvideSecretsService( store secrets.Store, kmsProvidersService kmsproviders.Service, enc encryption.Internal, - settings setting.Provider, + cfg *setting.Cfg, features featuremgmt.FeatureToggles, usageStats usagestats.Service, ) (*SecretsService, error) { - ttl := settings.KeyValue("security.encryption", "data_keys_cache_ttl").MustDuration(15 * time.Minute) + ttl := cfg.SectionWithEnvOverrides("security.encryption").Key("data_keys_cache_ttl").MustDuration(15 * time.Minute) currentProviderID := kmsproviders.NormalizeProviderID(secrets.ProviderID( - settings.KeyValue("security", "encryption_provider").MustString(kmsproviders.Default), + cfg.SectionWithEnvOverrides("security").Key("encryption_provider").MustString(kmsproviders.Default), )) s := &SecretsService{ store: store, enc: enc, - settings: settings, + cfg: cfg, usageStats: usageStats, kmsProvidersService: kmsProvidersService, dataKeyCache: newDataKeyCache(ttl), @@ -342,7 +342,7 @@ func (s *SecretsService) Decrypt(ctx context.Context, payload []byte) ([]byte, e var dataKey []byte if !s.encryptedWithEnvelopeEncryption(payload) { - secretKey := s.settings.KeyValue("security", "secret_key").Value() + secretKey := s.cfg.SectionWithEnvOverrides("security").Key("secret_key").Value() dataKey = []byte(secretKey) } else { payload = payload[1:] @@ -491,7 +491,7 @@ func (s *SecretsService) ReEncryptDataKeys(ctx context.Context) error { func (s *SecretsService) Run(ctx context.Context) error { gc := time.NewTicker( - s.settings.KeyValue("security.encryption", "data_keys_cache_cleanup_interval"). + s.cfg.SectionWithEnvOverrides("security.encryption").Key("data_keys_cache_cleanup_interval"). MustDuration(time.Minute), ) 
diff --git a/pkg/services/secrets/manager/manager_test.go b/pkg/services/secrets/manager/manager_test.go index a08065826e7..7b83dc45ef9 100644 --- a/pkg/services/secrets/manager/manager_test.go +++ b/pkg/services/secrets/manager/manager_test.go @@ -182,16 +182,16 @@ func TestSecretsService_UseCurrentProvider(t *testing.T) { raw, err := ini.Load([]byte(rawCfg)) require.NoError(t, err) - settings := &setting.OSSImpl{Cfg: &setting.Cfg{Raw: raw}} + cfg := &setting.Cfg{Raw: raw} encProvider := encryptionprovider.Provider{} usageStats := &usagestats.UsageStatsMock{} - encryptionService, err := encryptionservice.ProvideEncryptionService(encProvider, usageStats, settings) + encryptionService, err := encryptionservice.ProvideEncryptionService(encProvider, usageStats, cfg) require.NoError(t, err) features := featuremgmt.WithFeatures() - kms := newFakeKMS(osskmsproviders.ProvideService(encryptionService, settings, features)) + kms := newFakeKMS(osskmsproviders.ProvideService(encryptionService, cfg, features)) testDB := db.InitTestDB(t) secretStore := database.ProvideSecretsStore(testDB) @@ -199,7 +199,7 @@ func TestSecretsService_UseCurrentProvider(t *testing.T) { secretStore, &kms, encryptionService, - settings, + cfg, features, &usagestats.UsageStatsMock{T: t}, ) @@ -217,7 +217,7 @@ func TestSecretsService_UseCurrentProvider(t *testing.T) { secretStore, &kms, encryptionService, - settings, + cfg, features, &usagestats.UsageStatsMock{T: t}, ) diff --git a/pkg/services/secrets/migrator/migrator.go b/pkg/services/secrets/migrator/migrator.go index 1eca52f9d2c..6fe1a291ae7 100644 --- a/pkg/services/secrets/migrator/migrator.go +++ b/pkg/services/secrets/migrator/migrator.go 
@@ -13,12 +13,18 @@ import ( "github.com/grafana/grafana/pkg/setting" ) +type SecretsRotator interface { + ReEncrypt(context.Context, *manager.SecretsService, db.DB) bool + Rollback(context.Context, *manager.SecretsService, encryption.Internal, db.DB, string) bool +} + type SecretsMigrator struct { encryptionSrv encryption.Internal secretsSrv *manager.SecretsService sqlStore db.DB settings setting.Provider features featuremgmt.FeatureToggles + rotators []SecretsRotator } func ProvideSecretsMigrator( 
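Review bot: `SecretsRotator` is a new exported interface without a doc comment, and its two bool results mean opposite things: ReEncryptSecrets treats `ReEncrypt` as true-on-success (reencrypt.go returns `!anyFailure`) while RollBackSecrets treats `Rollback` as true-on-failure (rollback.go returns `anyFailure`). An external implementor, which is exactly what this change enables, will get one of them inverted unless the contract is written down; I would put `// SecretsRotator re-encrypts and rolls back one class of stored secrets.` above the interface, `// ReEncrypt reports true when every row was migrated.` above the first method and `// Rollback reports true when at least one row could NOT be rolled back.` above the second. The trailing string parameter of Rollback is unnamed in the interface; giving it a name there documents it for free.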
@@ -28,38 +34,41 @@ func ProvideSecretsMigrator( settings setting.Provider, features featuremgmt.FeatureToggles, ) *SecretsMigrator { + rotators := []SecretsRotator{ + simpleSecret{tableName: "dashboard_snapshot", columnName: "dashboard_encrypted"}, + b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_access_token"}, encoding: base64.StdEncoding}, + b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_refresh_token"}, encoding: base64.StdEncoding}, + b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_token_type"}, encoding: base64.StdEncoding}, + b64Secret{simpleSecret: simpleSecret{tableName: "secrets", columnName: "value"}, hasUpdatedColumn: true, encoding: base64.RawStdEncoding}, + jsonSecret{tableName: "data_source"}, + jsonSecret{tableName: "plugin_setting"}, + alertingSecret{}, + } + return &SecretsMigrator{ encryptionSrv: encryptionSrv, secretsSrv: service, sqlStore: sqlStore, settings: settings, features: features, + rotators: rotators, } } +func (m *SecretsMigrator) RegisterRotators(rotators ...SecretsRotator) { + m.rotators = append(m.rotators, rotators...) 
+} + func (m *SecretsMigrator) ReEncryptSecrets(ctx context.Context) (bool, error) { err := m.initProvidersIfNeeded() if err != nil { return false, err } - toReencrypt := []interface { - reencrypt(context.Context, *manager.SecretsService, db.DB) bool - }{ - simpleSecret{tableName: "dashboard_snapshot", columnName: "dashboard_encrypted"}, - b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_access_token"}, encoding: base64.StdEncoding}, - b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_refresh_token"}, encoding: base64.StdEncoding}, - b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_token_type"}, encoding: base64.StdEncoding}, - b64Secret{simpleSecret: simpleSecret{tableName: "secrets", columnName: "value"}, hasUpdatedColumn: true, encoding: base64.RawStdEncoding}, - jsonSecret{tableName: "data_source"}, - jsonSecret{tableName: "plugin_setting"}, - alertingSecret{}, - } - var anyFailure bool - for _, r := range toReencrypt { - if success := r.reencrypt(ctx, m.secretsSrv, m.sqlStore); !success { + for _, r := range m.rotators { + if success := r.ReEncrypt(ctx, m.secretsSrv, m.sqlStore); !success { anyFailure = true } } 
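Review bot: `RegisterRotators` is exported without a doc comment and is a plain `append` with no synchronization or de-duplication, so its ordering relative to ReEncryptSecrets/RollBackSecrets is the only thing that makes it safe; I would document that contract: `// RegisterRotators appends rotators to the set handled by ReEncryptSecrets and RollBackSecrets. It must be called before either runs; calls are not synchronized.`. Registering a rotator for a table/column that is already in the default list built in ProvideSecretsMigrator would, as far as the loop shows, run a second ReEncrypt pass over rows the first pass already rewrote; if that is not intended, a comment or a check keyed on the rotator value would prevent it. ReEncryptSecrets continues outside the hunk.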
@@ -73,23 +82,10 @@ func (m *SecretsMigrator) RollBackSecrets(ctx context.Context) (bool, error) { return false, err } - toRollback := []interface { - rollback(context.Context, *manager.SecretsService, encryption.Internal, db.DB, string) bool - }{ - simpleSecret{tableName: "dashboard_snapshot", columnName: "dashboard_encrypted"}, - b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_access_token"}, encoding: base64.StdEncoding}, - b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_refresh_token"}, encoding: base64.StdEncoding}, - b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_token_type"}, encoding: base64.StdEncoding}, - b64Secret{simpleSecret: simpleSecret{tableName: "secrets", columnName: "value"}, hasUpdatedColumn: true, encoding: base64.RawStdEncoding}, - jsonSecret{tableName: "data_source"}, - jsonSecret{tableName: "plugin_setting"}, - alertingSecret{}, - } - var anyFailure bool - for _, r := range toRollback { - if failed := r.rollback(ctx, + for _, r := range m.rotators { + if failed := r.Rollback(ctx, m.secretsSrv, m.encryptionSrv, m.sqlStore, @@ -133,12 +129,26 @@ type simpleSecret struct { columnName string } +func NewSimpleSecret(tableName, columnName string) simpleSecret { + return simpleSecret{ + tableName: tableName, + columnName: columnName, + } +} + type b64Secret struct { simpleSecret hasUpdatedColumn bool encoding *base64.Encoding } +func NewBase64Secret(simple simpleSecret, encoding *base64.Encoding) b64Secret { + return b64Secret{ + simpleSecret: simple, + encoding: encoding, + } +} + type jsonSecret struct { tableName string } diff --git a/pkg/services/secrets/migrator/reencrypt.go b/pkg/services/secrets/migrator/reencrypt.go index c976253ff23..990774e6b86 100644 --- a/pkg/services/secrets/migrator/reencrypt.go +++ b/pkg/services/secrets/migrator/reencrypt.go 
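Review bot: `NewSimpleSecret` and `NewBase64Secret` are exported but return the unexported `simpleSecret` and `b64Secret`, so a caller outside the package can hold the result only by inference and cannot name the type; `NewBase64Secret` also gives no way to set `hasUpdatedColumn`, which the in-package `secrets`/`value` rotator relies on, and `jsonSecret` gets no constructor at all. If the goal is to let other packages register rotators, returning the interface and taking the flag explicitly makes the API usable there, e.g. `func NewBase64Secret(tableName, columnName string, encoding *base64.Encoding, hasUpdatedColumn bool) SecretsRotator`. Both constructors also lack the doc comment revive's exported rule expects; a one-liner each starting with the name is enough. RollBackSecrets in the first hunk on this line starts and ends outside it.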
@@ -13,7 +13,7 @@ import ( "github.com/grafana/grafana/pkg/services/sqlstore" ) -func (s simpleSecret) reencrypt(ctx context.Context, secretsSrv *manager.SecretsService, sqlStore db.DB) bool { +func (s simpleSecret) ReEncrypt(ctx context.Context, secretsSrv *manager.SecretsService, sqlStore db.DB) bool { var rows []struct { Id int Secret []byte @@ -72,7 +72,7 @@ func (s simpleSecret) reencrypt(ctx context.Context, secretsSrv *manager.Secrets return !anyFailure } -func (s b64Secret) reencrypt(ctx context.Context, secretsSrv *manager.SecretsService, sqlStore db.DB) bool { +func (s b64Secret) ReEncrypt(ctx context.Context, secretsSrv *manager.SecretsService, sqlStore db.DB) bool { var rows []struct { Id int Secret string @@ -143,7 +143,7 @@ func (s b64Secret) reencrypt(ctx context.Context, secretsSrv *manager.SecretsSer return !anyFailure } -func (s jsonSecret) reencrypt(ctx context.Context, secretsSrv *manager.SecretsService, sqlStore db.DB) bool { +func (s jsonSecret) ReEncrypt(ctx context.Context, secretsSrv *manager.SecretsService, sqlStore db.DB) bool { var rows []struct { Id int SecureJsonData map[string][]byte @@ -206,7 +206,7 @@ func (s jsonSecret) reencrypt(ctx context.Context, secretsSrv *manager.SecretsSe return !anyFailure } -func (s alertingSecret) reencrypt(ctx context.Context, secretsSrv *manager.SecretsService, sqlStore db.DB) bool { +func (s alertingSecret) ReEncrypt(ctx context.Context, secretsSrv *manager.SecretsService, sqlStore db.DB) bool { var results []struct { Id int AlertmanagerConfiguration string diff --git a/pkg/services/secrets/migrator/rollback.go b/pkg/services/secrets/migrator/rollback.go index b7b91e0f372..c68c0962771 100644 --- a/pkg/services/secrets/migrator/rollback.go +++ b/pkg/services/secrets/migrator/rollback.go 
@@ -12,7 +12,7 @@ import ( "github.com/grafana/grafana/pkg/services/secrets/manager" ) -func (s simpleSecret) rollback( +func (s simpleSecret) Rollback( ctx context.Context, secretsSrv *manager.SecretsService, encryptionSrv encryption.Internal, @@ -72,7 +72,7 @@ func (s simpleSecret) rollback( return anyFailure } -func (s b64Secret) rollback( +func (s b64Secret) Rollback( ctx context.Context, secretsSrv *manager.SecretsService, encryptionSrv encryption.Internal, @@ -146,7 +146,7 @@ func (s b64Secret) rollback( return anyFailure } -func (s jsonSecret) rollback( +func (s jsonSecret) Rollback( ctx context.Context, secretsSrv *manager.SecretsService, encryptionSrv encryption.Internal, @@ -210,7 +210,7 @@ func (s jsonSecret) rollback( return anyFailure } -func (s alertingSecret) rollback( +func (s alertingSecret) Rollback( ctx context.Context, secretsSrv *manager.SecretsService, encryptionSrv encryption.Internal,