2022-04-14 13:06:21 -05:00
|
|
|
package notifier
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
|
|
|
|
"encoding/base64"
|
|
|
|
|
"errors"
|
|
|
|
|
"fmt"
|
|
|
|
|
|
|
|
|
|
"github.com/grafana/grafana/pkg/infra/log"
|
|
|
|
|
"github.com/grafana/grafana/pkg/services/ngalert/api/tooling/definitions"
|
|
|
|
|
"github.com/grafana/grafana/pkg/services/ngalert/store"
|
|
|
|
|
"github.com/grafana/grafana/pkg/services/secrets"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// Crypto allows decryption of Alertmanager Configuration and encryption of arbitrary payloads.
|
|
|
|
|
type Crypto interface {
|
|
|
|
|
LoadSecureSettings(ctx context.Context, orgId int64, receivers []*definitions.PostableApiReceiver) error
|
|
|
|
|
Encrypt(ctx context.Context, payload []byte, opt secrets.EncryptionOptions) ([]byte, error)
|
|
|
|
|
|
|
|
|
|
getDecryptedSecret(r *definitions.PostableGrafanaReceiver, key string) (string, error)
|
2023-07-25 09:04:27 -05:00
|
|
|
ProcessSecureSettings(ctx context.Context, orgId int64, recvs []*definitions.PostableApiReceiver) error
|
2022-04-14 13:06:21 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// alertmanagerCrypto implements decryption of Alertmanager configuration and encryption of arbitrary payloads based on Grafana's encryptions.
|
|
|
|
|
type alertmanagerCrypto struct {
|
|
|
|
|
secrets secrets.Service
|
|
|
|
|
configs configurationStore
|
|
|
|
|
log log.Logger
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func NewCrypto(secrets secrets.Service, configs configurationStore, log log.Logger) Crypto {
|
|
|
|
|
return &alertmanagerCrypto{
|
|
|
|
|
secrets: secrets,
|
|
|
|
|
configs: configs,
|
|
|
|
|
log: log,
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-07-25 09:04:27 -05:00
|
|
|
// ProcessSecureSettings encrypts new secure settings and loads existing secure settings from the database.
|
|
|
|
|
func (c *alertmanagerCrypto) ProcessSecureSettings(ctx context.Context, orgId int64, recvs []*definitions.PostableApiReceiver) error {
|
|
|
|
|
// First, we encrypt the new or updated secure settings. Then, we load the existing secure settings from the database
|
|
|
|
|
// and add back any that weren't updated.
|
|
|
|
|
// We perform these steps in this order to ensure the hash of the secure settings remains stable when no secure
|
|
|
|
|
// settings were modified.
|
|
|
|
|
if err := EncryptReceiverConfigs(recvs, func(ctx context.Context, payload []byte) ([]byte, error) {
|
|
|
|
|
return c.Encrypt(ctx, payload, secrets.WithoutScope())
|
|
|
|
|
}); err != nil {
|
|
|
|
|
return fmt.Errorf("failed to encrypt receivers: %w", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err := c.LoadSecureSettings(ctx, orgId, recvs); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// EncryptReceiverConfigs encrypts all SecureSettings in the given receivers.
|
|
|
|
|
func EncryptReceiverConfigs(c []*definitions.PostableApiReceiver, encrypt definitions.EncryptFn) error {
|
|
|
|
|
// encrypt secure settings for storing them in DB
|
|
|
|
|
for _, r := range c {
|
|
|
|
|
switch r.Type() {
|
|
|
|
|
case definitions.GrafanaReceiverType:
|
|
|
|
|
for _, gr := range r.PostableGrafanaReceivers.GrafanaManagedReceivers {
|
|
|
|
|
for k, v := range gr.SecureSettings {
|
|
|
|
|
encryptedData, err := encrypt(context.Background(), []byte(v))
|
|
|
|
|
if err != nil {
|
|
|
|
|
return fmt.Errorf("failed to encrypt secure settings: %w", err)
|
|
|
|
|
}
|
|
|
|
|
gr.SecureSettings[k] = base64.StdEncoding.EncodeToString(encryptedData)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
default:
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2022-04-14 13:06:21 -05:00
|
|
|
// LoadSecureSettings adds the corresponding unencrypted secrets stored to the list of input receivers.
|
|
|
|
|
func (c *alertmanagerCrypto) LoadSecureSettings(ctx context.Context, orgId int64, receivers []*definitions.PostableApiReceiver) error {
|
|
|
|
|
// Get the last known working configuration.
|
2023-12-12 06:49:54 -06:00
|
|
|
amConfig, err := c.configs.GetLatestAlertmanagerConfiguration(ctx, orgId)
|
2023-03-28 03:34:35 -05:00
|
|
|
if err != nil {
|
2022-04-14 13:06:21 -05:00
|
|
|
// If we don't have a configuration there's nothing for us to know and we should just continue saving the new one.
|
|
|
|
|
if !errors.Is(err, store.ErrNoAlertmanagerConfiguration) {
|
|
|
|
|
return fmt.Errorf("failed to get latest configuration: %w", err)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
currentReceiverMap := make(map[string]*definitions.PostableGrafanaReceiver)
|
2023-03-28 03:34:35 -05:00
|
|
|
if amConfig != nil {
|
|
|
|
|
currentConfig, err := Load([]byte(amConfig.AlertmanagerConfiguration))
|
2022-04-14 13:06:21 -05:00
|
|
|
// If the current config is un-loadable, treat it as if it never existed. Providing a new, valid config should be able to "fix" this state.
|
|
|
|
|
if err != nil {
|
2023-05-25 10:55:01 -05:00
|
|
|
c.log.Warn("Last known alertmanager configuration was invalid. Overwriting...")
|
2022-04-14 13:06:21 -05:00
|
|
|
} else {
|
|
|
|
|
currentReceiverMap = currentConfig.GetGrafanaReceiverMap()
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Copy the previously known secure settings.
|
|
|
|
|
for i, r := range receivers {
|
|
|
|
|
for j, gr := range r.PostableGrafanaReceivers.GrafanaManagedReceivers {
|
|
|
|
|
if gr.UID == "" { // new receiver
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
cgmr, ok := currentReceiverMap[gr.UID]
|
|
|
|
|
if !ok {
|
|
|
|
|
// It tries to update a receiver that didn't previously exist
|
|
|
|
|
return UnknownReceiverError{UID: gr.UID}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Frontend sends only the secure settings that have to be updated
|
|
|
|
|
// Therefore we have to copy from the last configuration only those secure settings not included in the request
|
Alerting: Fix Alertmanager change detection for receivers with secure settings (#71307)
* Alerting: Make ApplyAlertmanagerConfiguration only decrypt/encrypt new/changed secure settings
Previously, ApplyAlertmanagerConfiguration would decrypt and re-encrypt all secure settings. However, this caused re-encrypted secure settings to be included in the raw configuration when applied to the embedded alertmanager, resulting in changes to the hash. Consequently, even if no actual modifications were made, saving any alertmanager configuration triggered an apply/restart and created a new historical entry in the database.
To address the issue, this modifies ApplyAlertmanagerConfiguration, which is called by POST `api/alertmanager/grafana/config/api/v1/alerts`, to decrypt and re-encrypt only new and updated secure settings. Unchanged secure settings are loaded directly from the database without alteration.
We determine whether secure settings have changed based on the following (already in-use) assumption: Only new or updated secure settings are provided via the POST `api/alertmanager/grafana/config/api/v1/alerts` request, while existing unchanged settings are omitted.
* Ensure saving a grafana-managed contact point will only send new/changed secure settings
Previously, when saving a grafana-managed contact point, empty string values were transmitted for all unset secure settings. This led to potential backend issues, as it assumed that only newly added or updated secure settings would be provided.
To address this, we now exclude empty ('', null, undefined) secure settings, unless there was a pre-existing entry in secureFields for that specific setting. In essence, this means we only transmit an empty secure setting if a previously configured value was cleared.
* Fix linting
* refactor omitEmptyUnlessExisting
* fixup
---------
Co-authored-by: Gilles De Mey <gilles.de.mey@gmail.com>
2023-07-11 01:23:07 -05:00
|
|
|
for key, encryptedValue := range cgmr.SecureSettings {
|
2022-04-14 13:06:21 -05:00
|
|
|
_, ok := gr.SecureSettings[key]
|
|
|
|
|
if !ok {
|
|
|
|
|
if receivers[i].PostableGrafanaReceivers.GrafanaManagedReceivers[j].SecureSettings == nil {
|
|
|
|
|
receivers[i].PostableGrafanaReceivers.GrafanaManagedReceivers[j].SecureSettings = make(map[string]string, len(cgmr.SecureSettings))
|
|
|
|
|
}
|
Alerting: Fix Alertmanager change detection for receivers with secure settings (#71307)
* Alerting: Make ApplyAlertmanagerConfiguration only decrypt/encrypt new/changed secure settings
Previously, ApplyAlertmanagerConfiguration would decrypt and re-encrypt all secure settings. However, this caused re-encrypted secure settings to be included in the raw configuration when applied to the embedded alertmanager, resulting in changes to the hash. Consequently, even if no actual modifications were made, saving any alertmanager configuration triggered an apply/restart and created a new historical entry in the database.
To address the issue, this modifies ApplyAlertmanagerConfiguration, which is called by POST `api/alertmanager/grafana/config/api/v1/alerts`, to decrypt and re-encrypt only new and updated secure settings. Unchanged secure settings are loaded directly from the database without alteration.
We determine whether secure settings have changed based on the following (already in-use) assumption: Only new or updated secure settings are provided via the POST `api/alertmanager/grafana/config/api/v1/alerts` request, while existing unchanged settings are omitted.
* Ensure saving a grafana-managed contact point will only send new/changed secure settings
Previously, when saving a grafana-managed contact point, empty string values were transmitted for all unset secure settings. This led to potential backend issues, as it assumed that only newly added or updated secure settings would be provided.
To address this, we now exclude empty ('', null, undefined) secure settings, unless there was a pre-existing entry in secureFields for that specific setting. In essence, this means we only transmit an empty secure setting if a previously configured value was cleared.
* Fix linting
* refactor omitEmptyUnlessExisting
* fixup
---------
Co-authored-by: Gilles De Mey <gilles.de.mey@gmail.com>
2023-07-11 01:23:07 -05:00
|
|
|
receivers[i].PostableGrafanaReceivers.GrafanaManagedReceivers[j].SecureSettings[key] = encryptedValue
|
2022-04-14 13:06:21 -05:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (c *alertmanagerCrypto) getDecryptedSecret(r *definitions.PostableGrafanaReceiver, key string) (string, error) {
|
|
|
|
|
storedValue, ok := r.SecureSettings[key]
|
|
|
|
|
if !ok {
|
|
|
|
|
return "", nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
decodeValue, err := base64.StdEncoding.DecodeString(storedValue)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
decryptedValue, err := c.secrets.Decrypt(context.Background(), decodeValue)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return string(decryptedValue), nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Encrypt delegates encryption to secrets.Service.
|
|
|
|
|
func (c *alertmanagerCrypto) Encrypt(ctx context.Context, payload []byte, opt secrets.EncryptionOptions) ([]byte, error) {
|
|
|
|
|
return c.secrets.Encrypt(ctx, payload, opt)
|
|
|
|
|
}
|
