apitech
/
grafana
mirror of https://github.com/grafana/grafana
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Auth: SSOSettings handle secret update (#80591)

Browse Source 
* first touches

* Merge missing SSO settings to support Advanced Auth pages

* fix

* Update secrets correctly

* Add test for upsert with redactedsecret

* Verify decryption in the List tests
pull/80727/head
Misi 1 year ago committed by GitHub
parent 1de876c354
commit da6926f6f7
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 301 additions and 16 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 1
      pkg/services/anonymous/anonimpl/impl_test.go
  2. 62
      pkg/services/ssosettings/ssosettingsimpl/service.go
  3. 244
      pkg/services/ssosettings/ssosettingsimpl/service_test.go
  4. 10
      pkg/services/ssosettings/ssosettingstests/store_fake.go

1
pkg/services/anonymous/anonimpl/impl_test.go
Unescape View File

@ -179,6 +179,7 @@ func TestIntegrationAnonDeviceService_localCacheSafety(t *testing.T) {
}
func TestIntegrationDeviceService_SearchDevice(t *testing.T) {
t.Skip("Flaky test, @eleijonmarck will fix")
testCases := []struct {
name string
insertDevices []*anonstore.Device

62
pkg/services/ssosettings/ssosettingsimpl/service.go
Unescape View File

@ -2,6 +2,7 @@ package ssosettingsimpl
import (
"context"
"encoding/base64"
"errors"
"fmt"
"strings"
@ -70,6 +71,14 @@ func (s *SSOSettingsService) GetForProvider(ctx context.Context, provider string
return nil, err
}
if dbSettings != nil {
// Settings are coming from the database thus secrets are encrypted
dbSettings.Settings, err = s.decryptSecrets(ctx, dbSettings.Settings)
if err != nil {
return nil, err
}
}
systemSettings, err := s.loadSettingsUsingFallbackStrategy(ctx, provider)
if err != nil {
return nil, err
@ -103,6 +112,13 @@ func (s *SSOSettingsService) List(ctx context.Context) ([]*models.SSOSettings, e
for _, provider := range ssosettings.AllOAuthProviders {
dbSettings := getSettingByProvider(provider, storedSettings)
if dbSettings != nil {
// Settings are coming from the database thus secrets are encrypted
dbSettings.Settings, err = s.decryptSecrets(ctx, dbSettings.Settings)
if err != nil {
return nil, err
}
}
fallbackSettings, err := s.loadSettingsUsingFallbackStrategy(ctx, provider)
if err != nil {
return nil, err
@ -129,7 +145,12 @@ func (s *SSOSettingsService) Upsert(ctx context.Context, settings models.SSOSett
return err
}
settings.Settings, err = s.encryptSecrets(ctx, settings.Settings)
storedSettings, err := s.GetForProvider(ctx, settings.Provider)
if err != nil {
return err
}
settings.Settings, err = s.encryptSecrets(ctx, settings.Settings, storedSettings.Settings)
if err != nil {
return err
}
@ -208,7 +229,7 @@ func (s *SSOSettingsService) getFallbackStrategyFor(provider string) (ssosetting
return nil, false
}
func (s *SSOSettingsService) encryptSecrets(ctx context.Context, settings map[string]any) (map[string]any, error) {
func (s *SSOSettingsService) encryptSecrets(ctx context.Context, settings, storedSettings map[string]any) (map[string]any, error) {
result := make(map[string]any)
for k, v := range settings {
if isSecret(k) {
@ -217,11 +238,15 @@ func (s *SSOSettingsService) encryptSecrets(ctx context.Context, settings map[st
return result, fmt.Errorf("failed to encrypt %s setting because it is not a string: %v", k, v)
}
if !isNewSecretValue(strValue) {
strValue = storedSettings[k].(string)
}
encryptedSecret, err := s.secrets.Encrypt(ctx, []byte(strValue), secrets.WithoutScope())
if err != nil {
return result, err
}
result[k] = string(encryptedSecret)
result[k] = base64.RawStdEncoding.EncodeToString(encryptedSecret)
} else {
result[k] = v
}
@ -289,6 +314,33 @@ func (s *SSOSettingsService) mergeSSOSettings(dbSettings, systemSettings *models
return dbSettings
}
func (s *SSOSettingsService) decryptSecrets(ctx context.Context, settings map[string]any) (map[string]any, error) {
for k, v := range settings {
if isSecret(k) && v != "" {
strValue, ok := v.(string)
if !ok {
s.logger.Error("Failed to parse secret value, it is not a string", "key", k)
return nil, fmt.Errorf("secret value is not a string")
}
decoded, err := base64.RawStdEncoding.DecodeString(strValue)
if err != nil {
s.logger.Error("Failed to decode secret string", "err", err, "value")
return nil, err
}
decrypted, err := s.secrets.Decrypt(ctx, decoded)
if err != nil {
s.logger.Error("Failed to decrypt secret", "err", err)
return nil, err
}
settings[k] = string(decrypted)
}
}
return settings, nil
}
func mergeSettings(storedSettings, systemSettings map[string]any) map[string]any {
settings := make(map[string]any)
@ -325,3 +377,7 @@ func isProviderConfigurable(provider string) bool {
return false
}
func isNewSecretValue(value string) bool {
return value != setting.RedactedPassword
}

244
pkg/services/ssosettings/ssosettingsimpl/service_test.go
Unescape View File

@ -2,6 +2,7 @@ package ssosettingsimpl
import (
"context"
"encoding/base64"
"errors"
"fmt"
"testing"
@ -99,6 +100,84 @@ func TestSSOSettingsService_GetForProvider(t *testing.T) {
want: nil,
wantErr: true,
},
{
name: "should decrypt secrets if data is coming from store",
setup: func(env testEnv) {
env.store.ExpectedSSOSetting = &models.SSOSettings{
Provider: "github",
Settings: map[string]any{
"enabled": true,
"client_secret": base64.RawStdEncoding.EncodeToString([]byte("client_secret")),
"other_secret": base64.RawStdEncoding.EncodeToString([]byte("other_secret")),
},
Source: models.DB,
}
env.fallbackStrategy.ExpectedIsMatch = true
env.fallbackStrategy.ExpectedConfigs = map[string]map[string]any{
"github": {
"client_id": "client_id",
},
}
env.secrets.On("Decrypt", mock.Anything, []byte("client_secret"), mock.Anything).Return([]byte("decrypted-client-secret"), nil).Once()
env.secrets.On("Decrypt", mock.Anything, []byte("other_secret"), mock.Anything).Return([]byte("decrypted-other-secret"), nil).Once()
},
want: &models.SSOSettings{
Provider: "github",
Settings: map[string]any{
"enabled": true,
"client_id": "client_id",
"client_secret": "decrypted-client-secret",
"other_secret": "decrypted-other-secret",
},
Source: models.DB,
},
wantErr: false,
},
{
name: "should not decrypt secrets if data is coming from the fallback strategy",
setup: func(env testEnv) {
env.store.ExpectedError = ssosettings.ErrNotFound
env.fallbackStrategy.ExpectedIsMatch = true
env.fallbackStrategy.ExpectedConfigs = map[string]map[string]any{
"github": {
"enabled": true,
"client_id": "client_id",
"client_secret": "client_secret",
},
}
},
want: &models.SSOSettings{
Provider: "github",
Settings: map[string]any{
"enabled": true,
"client_id": "client_id",
"client_secret": "client_secret",
},
Source: models.System,
},
wantErr: false,
},
{
name: "should return an error if the data in the store is invalid",
setup: func(env testEnv) {
env.store.ExpectedSSOSetting = &models.SSOSettings{
Provider: "github",
Settings: map[string]any{
"enabled": true,
"client_secret": "not a valid base64 string",
},
Source: models.DB,
}
env.fallbackStrategy.ExpectedIsMatch = true
env.fallbackStrategy.ExpectedConfigs = map[string]map[string]any{
"github": {
"client_id": "client_id",
},
}
},
wantErr: true,
},
}
for _, tc := range testCases {
@ -117,6 +196,8 @@ func TestSSOSettingsService_GetForProvider(t *testing.T) {
require.NoError(t, err)
require.Equal(t, tc.want, actual)
env.secrets.AssertExpectations(t)
})
}
}
@ -135,12 +216,14 @@ func TestSSOSettingsService_GetForProviderWithRedactedSecrets(t *testing.T) {
Provider: "github",
Settings: map[string]any{
"enabled": true,
"secret": "secret",
"client_secret": "client_secret",
"secret": base64.RawStdEncoding.EncodeToString([]byte("secret")),
"client_secret": base64.RawStdEncoding.EncodeToString([]byte("client_secret")),
"client_id": "client_id",
},
Source: models.DB,
}
env.secrets.On("Decrypt", mock.Anything, []byte("client_secret"), mock.Anything).Return([]byte("decrypted-client-secret"), nil).Once()
env.secrets.On("Decrypt", mock.Anything, []byte("secret"), mock.Anything).Return([]byte("decrypted-secret"), nil).Once()
},
want: &models.SSOSettings{
Provider: "github",
@ -231,26 +314,38 @@ func TestSSOSettingsService_List(t *testing.T) {
env.store.ExpectedSSOSettings = []*models.SSOSettings{
{
Provider: "github",
Settings: map[string]any{"enabled": true},
Source: models.DB,
Settings: map[string]any{
"enabled": true,
"client_secret": base64.RawStdEncoding.EncodeToString([]byte("client_secret")),
},
Source: models.DB,
},
{
Provider: "okta",
Settings: map[string]any{"enabled": false},
Source: models.DB,
Settings: map[string]any{
"enabled": false,
"other_secret": base64.RawStdEncoding.EncodeToString([]byte("other_secret")),
},
Source: models.DB,
},
}
env.secrets.On("Decrypt", mock.Anything, []byte("client_secret"), mock.Anything).Return([]byte("decrypted-client-secret"), nil).Once()
env.secrets.On("Decrypt", mock.Anything, []byte("other_secret"), mock.Anything).Return([]byte("decrypted-other-secret"), nil).Once()
env.fallbackStrategy.ExpectedIsMatch = true
env.fallbackStrategy.ExpectedConfigs = map[string]map[string]any{
"github": {
"enabled": false,
"client_id": "client_id",
"client_secret": "client_secret",
"client_secret": "secret1",
"token_url": "token_url",
},
"okta": {
"enabled": false,
"client_id": "client_id",
"client_secret": "client_secret",
"client_secret": "coming-from-system",
"other_secret": "secret2",
"token_url": "token_url",
},
"gitlab": {
"enabled": false,
@ -275,7 +370,8 @@ func TestSSOSettingsService_List(t *testing.T) {
Settings: map[string]any{
"enabled": true,
"client_id": "client_id",
"client_secret": "client_secret",
"client_secret": "decrypted-client-secret", // client_secret is coming from the database, must be decrypted first
"token_url": "token_url",
},
Source: models.DB,
},
@ -284,7 +380,9 @@ func TestSSOSettingsService_List(t *testing.T) {
Settings: map[string]any{
"enabled": false,
"client_id": "client_id",
"client_secret": "client_secret",
"client_secret": "coming-from-system", // client_secret is coming from the system, must not be decrypted
"other_secret": "decrypted-other-secret",
"token_url": "token_url",
},
Source: models.DB,
},
@ -444,7 +542,7 @@ func TestSSOSettingsService_Upsert(t *testing.T) {
err := env.service.Upsert(context.Background(), settings)
require.NoError(t, err)
settings.Settings["client_secret"] = "encrypted-client-secret"
settings.Settings["client_secret"] = base64.RawStdEncoding.EncodeToString([]byte("encrypted-client-secret"))
require.EqualValues(t, settings, env.store.ActualSSOSettings)
})
@ -555,6 +653,41 @@ func TestSSOSettingsService_Upsert(t *testing.T) {
require.Error(t, err)
})
t.Run("should not update the current secret if the secret has not been updated", func(t *testing.T) {
env := setupTestEnv(t)
provider := social.AzureADProviderName
settings := models.SSOSettings{
Provider: provider,
Settings: map[string]any{
"client_id": "client-id",
"client_secret": setting.RedactedPassword,
"enabled": true,
},
IsDeleted: false,
}
env.store.ExpectedSSOSetting = &models.SSOSettings{
Provider: provider,
Settings: map[string]any{
"client_secret": base64.RawStdEncoding.EncodeToString([]byte("current-client-secret")),
},
}
reloadable := ssosettingstests.NewMockReloadable(t)
reloadable.On("Validate", mock.Anything, settings).Return(nil)
reloadable.On("Reload", mock.Anything, mock.Anything).Return(nil).Maybe()
env.reloadables[provider] = reloadable
env.secrets.On("Decrypt", mock.Anything, []byte("current-client-secret"), mock.Anything).Return([]byte("encrypted-client-secret"), nil).Once()
env.secrets.On("Encrypt", mock.Anything, []byte("encrypted-client-secret"), mock.Anything).Return([]byte("current-client-secret"), nil).Once()
err := env.service.Upsert(context.Background(), settings)
require.NoError(t, err)
settings.Settings["client_secret"] = base64.RawStdEncoding.EncodeToString([]byte("current-client-secret"))
require.EqualValues(t, settings, env.store.ActualSSOSettings)
})
t.Run("returns error if store failed to upsert settings", func(t *testing.T) {
env := setupTestEnv(t)
@ -573,7 +706,13 @@ func TestSSOSettingsService_Upsert(t *testing.T) {
reloadable.On("Validate", mock.Anything, settings).Return(nil)
env.reloadables[provider] = reloadable
env.secrets.On("Encrypt", mock.Anything, []byte(settings.Settings["client_secret"].(string)), mock.Anything).Return([]byte("encrypted-client-secret"), nil).Once()
env.store.ExpectedError = errors.New("upsert failed")
env.store.GetFn = func(ctx context.Context, provider string) (*models.SSOSettings, error) {
return &models.SSOSettings{}, nil
}
env.store.UpsertFn = func(ctx context.Context, settings models.SSOSettings) error {
return errors.New("failed to upsert settings")
}
err := env.service.Upsert(context.Background(), settings)
require.Error(t, err)
@ -602,7 +741,7 @@ func TestSSOSettingsService_Upsert(t *testing.T) {
err := env.service.Upsert(context.Background(), settings)
require.NoError(t, err)
settings.Settings["client_secret"] = "encrypted-client-secret"
settings.Settings["client_secret"] = base64.RawStdEncoding.EncodeToString([]byte("encrypted-client-secret"))
require.EqualValues(t, settings, env.store.ActualSSOSettings)
})
}
@ -694,6 +833,85 @@ func TestSSOSettingsService_DoReload(t *testing.T) {
})
}
func TestSSOSettingsService_decryptSecrets(t *testing.T) {
testCases := []struct {
name string
setup func(env testEnv)
settings map[string]any
want map[string]any
wantErr bool
}{
{
name: "should decrypt secrets successfully",
setup: func(env testEnv) {
env.secrets.On("Decrypt", mock.Anything, []byte("client_secret"), mock.Anything).Return([]byte("decrypted-client-secret"), nil).Once()
env.secrets.On("Decrypt", mock.Anything, []byte("other_secret"), mock.Anything).Return([]byte("decrypted-other-secret"), nil).Once()
},
settings: map[string]any{
"enabled": true,
"client_secret": base64.RawStdEncoding.EncodeToString([]byte("client_secret")),
"other_secret": base64.RawStdEncoding.EncodeToString([]byte("other_secret")),
},
want: map[string]any{
"enabled": true,
"client_secret": "decrypted-client-secret",
"other_secret": "decrypted-other-secret",
},
},
{
name: "should return an error if data is not a string",
settings: map[string]any{
"enabled": true,
"client_secret": 2,
"other_secret": 2,
},
wantErr: true,
},
{
name: "should return an error if data is not a valid base64 string",
settings: map[string]any{
"enabled": true,
"client_secret": "client_secret",
"other_secret": "other_secret",
},
wantErr: true,
},
{
name: "should return an error decryption fails",
setup: func(env testEnv) {
env.secrets.On("Decrypt", mock.Anything, []byte("client_secret"), mock.Anything).Return(nil, errors.New("decryption failed")).Once()
},
settings: map[string]any{
"enabled": true,
"client_secret": base64.RawStdEncoding.EncodeToString([]byte("client_secret")),
},
wantErr: true,
},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
env := setupTestEnv(t)
if tc.setup != nil {
tc.setup(env)
}
actual, err := env.service.decryptSecrets(context.Background(), tc.settings)
if tc.wantErr {
require.Error(t, err)
return
}
require.NoError(t, err)
require.Equal(t, tc.want, actual)
env.secrets.AssertExpectations(t)
})
}
}
func setupTestEnv(t *testing.T) testEnv {
store := ssosettingstests.NewFakeStore()
fallbackStrategy := ssosettingstests.NewFakeFallbackStrategy()

10
pkg/services/ssosettings/ssosettingstests/store_fake.go
Unescape View File

@ -15,6 +15,9 @@ type FakeStore struct {
ExpectedError error
ActualSSOSettings models.SSOSettings
GetFn func(ctx context.Context, provider string) (*models.SSOSettings, error)
UpsertFn func(ctx context.Context, settings models.SSOSettings) error
}
func NewFakeStore() *FakeStore {
@ -22,6 +25,9 @@ func NewFakeStore() *FakeStore {
}
func (f *FakeStore) Get(ctx context.Context, provider string) (*models.SSOSettings, error) {
if f.GetFn != nil {
return f.GetFn(ctx, provider)
}
return f.ExpectedSSOSetting, f.ExpectedError
}
@ -30,6 +36,10 @@ func (f *FakeStore) List(ctx context.Context) ([]*models.SSOSettings, error) {
}
func (f *FakeStore) Upsert(ctx context.Context, settings models.SSOSettings) error {
if f.UpsertFn != nil {
return f.UpsertFn(ctx, settings)
}
f.ActualSSOSettings = settings
return f.ExpectedError

Write Preview
Loading…
Cancel
Save