package database
import (
"context"
"fmt"
"time"
"github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/services/kmsproviders"
"github.com/grafana/grafana/pkg/services/secrets"
"github.com/grafana/grafana/pkg/services/sqlstore"
"xorm.io/xorm"
)
// dataKeysTable is the name of the table that persists data encryption keys.
const dataKeysTable = "data_keys"

// SecretsStoreImpl is the SQL-backed store for data encryption keys kept in
// the data_keys table.
type SecretsStoreImpl struct {
	sqlStore *sqlstore.SQLStore // database handle used to open sessions and transactions
	log      log.Logger         // logger for the "secrets.store" component
}

// ProvideSecretsStore builds a SecretsStoreImpl on top of the given SQL store.
// The returned store logs under the "secrets.store" name.
func ProvideSecretsStore(sqlStore *sqlstore.SQLStore) *SecretsStoreImpl {
	store := SecretsStoreImpl{
		sqlStore: sqlStore,
		log:      log.New("secrets.store"),
	}
	return &store
}

// GetDataKey fetches the data encryption key stored under id, which is matched
// against the "name" column of the data_keys table.
//
// It returns secrets.ErrDataKeyNotFound when no row matches and a wrapped
// error when the query itself fails; the query error is checked first so a
// database failure is never reported as a missing key.
func (ss *SecretsStoreImpl) GetDataKey(ctx context.Context, id string) (*secrets.DataKey, error) {
	var (
		key   = &secrets.DataKey{}
		found bool
	)

	lookup := func(sess *sqlstore.DBSession) (err error) {
		found, err = sess.Table(dataKeysTable).
			Where("name = ?", id).
			Get(key)
		return err
	}

	if err := ss.sqlStore.WithDbSession(ctx, lookup); err != nil {
		return nil, fmt.Errorf("failed getting data key: %w", err)
	}
	if !found {
		return nil, secrets.ErrDataKeyNotFound
	}
	return key, nil
}

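// GetCurrentDataKey returns the active data encryption key for label. The
// lookup fetches a single row (Get), filtering on label and active = true.
//
// It returns secrets.ErrDataKeyNotFound when no active key exists for the
// label, and a wrapped error when the query fails.
func (ss *SecretsStoreImpl) GetCurrentDataKey(ctx context.Context, label string) (*secrets.DataKey, error) {
	dataKey := &secrets.DataKey{}
	var exists bool

	err := ss.sqlStore.WithDbSession(ctx, func(sess *sqlstore.DBSession) error {
		var err error
		// BooleanStr presumably renders the boolean literal for the configured
		// dialect; the same helper is used by DisableDataKeys.
		exists, err = sess.Table(dataKeysTable).
			Where("label = ? AND active = ?", label, ss.sqlStore.Dialect.BooleanStr(true)).
			Get(dataKey)
		return err
	})
	// The query error must be checked before `exists`: a failed query leaves
	// exists false, and reporting that as ErrDataKeyNotFound would hide a
	// database failure behind a "no such key" answer that callers cannot tell
	// apart from a genuinely missing key. GetDataKey checks in this order too.
	if err != nil {
		return nil, fmt.Errorf("failed getting current data key: %w", err)
	}
	if !exists {
		return nil, secrets.ErrDataKeyNotFound
	}

	return dataKey, nil
}
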
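// GetAllDataKeys loads every row of the data_keys table, active or not.
//
// On failure it returns a nil slice and a wrapped error, so callers never see
// a partially populated result next to an error; the wrapping matches the
// other read methods of this store.
func (ss *SecretsStoreImpl) GetAllDataKeys(ctx context.Context) ([]*secrets.DataKey, error) {
	result := make([]*secrets.DataKey, 0)
	err := ss.sqlStore.WithDbSession(ctx, func(sess *sqlstore.DBSession) error {
		return sess.Table(dataKeysTable).Find(&result)
	})
	if err != nil {
		return nil, fmt.Errorf("failed getting all data keys: %w", err)
	}
	return result, nil
}
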
// CreateDataKey inserts dataKey inside a freshly opened database session. It
// is a convenience wrapper around CreateDataKeyWithDBSession for callers that
// do not already hold a session.
func (ss *SecretsStoreImpl) CreateDataKey(ctx context.Context, dataKey *secrets.DataKey) error {
	insert := func(sess *sqlstore.DBSession) error {
		return ss.CreateDataKeyWithDBSession(ctx, dataKey, sess.Session)
	}
	return ss.sqlStore.WithDbSession(ctx, insert)
}

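// CreateDataKeyWithDBSession inserts dataKey using the caller-supplied xorm
// session, so the insert can be part of a larger transaction. The context is
// accepted for symmetry with CreateDataKey but is not used here.
//
// Only active keys may be inserted. A nil dataKey is rejected with an error
// instead of panicking on the field access. Created and Updated are both set
// to the same time.Now() value before the row is written.
func (ss *SecretsStoreImpl) CreateDataKeyWithDBSession(_ context.Context, dataKey *secrets.DataKey, sess *xorm.Session) error {
	if dataKey == nil {
		return fmt.Errorf("data key is nil")
	}
	if !dataKey.Active {
		return fmt.Errorf("cannot insert deactivated data keys")
	}

	// One timestamp for both fields so a new key never appears to have been
	// modified after it was created.
	now := time.Now()
	dataKey.Created = now
	dataKey.Updated = now

	_, err := sess.Table(dataKeysTable).Insert(dataKey)
	return err
}
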
// DisableDataKeys marks every currently active data key as inactive inside a
// single transaction. Rows that are already inactive are not touched.
func (ss *SecretsStoreImpl) DisableDataKeys(ctx context.Context) error {
	deactivate := func(sess *sqlstore.DBSession) error {
		activeLiteral := ss.sqlStore.Dialect.BooleanStr(true)
		// UseBool makes xorm include the zero-valued Active field in the UPDATE;
		// without it a false bool is treated as unset and skipped.
		_, err := sess.Table(dataKeysTable).
			Where("active = ?", activeLiteral).
			UseBool("active").
			Update(&secrets.DataKey{Active: false})
		return err
	}
	return ss.sqlStore.WithTransactionalDbSession(ctx, deactivate)
}

// DeleteDataKey removes the data key whose id matches. An empty id is rejected
// up front with an error.
func (ss *SecretsStoreImpl) DeleteDataKey(ctx context.Context, id string) error {
	if id == "" {
		return fmt.Errorf("data key id is missing")
	}

	remove := func(sess *sqlstore.DBSession) error {
		// xorm builds the filter from the non-zero fields of the condition
		// struct, so only Id constrains this delete.
		_, err := sess.Table(dataKeysTable).Delete(&secrets.DataKey{Id: id})
		return err
	}
	return ss.sqlStore.WithDbSession(ctx, remove)
}

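// ReEncryptDataKeys re-encrypts every stored data encryption key with the
// provider identified by currProvider and updates each row in place, one
// transaction per key.
//
// Each key is decrypted with the provider recorded on its row (looked up in
// providers after normalizing the stored id) and encrypted again with the
// current provider; the row's provider, label and Updated timestamp are
// rewritten to match. A key whose provider is unknown, or whose decryption,
// re-encryption or row update fails, is logged at warn level and skipped, so
// it keeps its previous ciphertext and provider and stays readable. The only
// errors returned come from loading the key list and from the transaction
// machinery itself.
//
// currProvider must be present in providers; this is verified once up front
// instead of being dereferenced per key, which would panic on a nil entry.
func (ss *SecretsStoreImpl) ReEncryptDataKeys(
	ctx context.Context,
	providers map[secrets.ProviderID]secrets.Provider,
	currProvider secrets.ProviderID,
) error {
	current, ok := providers[currProvider]
	if !ok {
		return fmt.Errorf("current provider %v not found among configured providers", currProvider)
	}

	// Read through WithDbSession so the session is released when the callback
	// returns, rather than leaving a bare NewSession open.
	keys := make([]*secrets.DataKey, 0)
	err := ss.sqlStore.WithDbSession(ctx, func(sess *sqlstore.DBSession) error {
		return sess.Table(dataKeysTable).Find(&keys)
	})
	if err != nil {
		return err
	}

	for _, k := range keys {
		err := ss.sqlStore.WithTransactionalDbSession(ctx, func(sess *sqlstore.DBSession) error {
			ss.reEncryptDataKey(ctx, sess, k, providers, current, currProvider)
			return nil
		})
		if err != nil {
			return err
		}
	}

	return nil
}

// reEncryptDataKey re-encrypts a single key under current and writes it back
// through sess. Every failure is logged and leaves the stored row untouched;
// nothing is returned because the caller deliberately continues with the
// remaining keys.
func (ss *SecretsStoreImpl) reEncryptDataKey(
	ctx context.Context,
	sess *sqlstore.DBSession,
	k *secrets.DataKey,
	providers map[secrets.ProviderID]secrets.Provider,
	current secrets.Provider,
	currProvider secrets.ProviderID,
) {
	provider, ok := providers[kmsproviders.NormalizeProviderID(k.Provider)]
	if !ok {
		ss.log.Warn(
			"Could not find provider to re-encrypt data encryption key",
			"id", k.Id,
			"label", k.Label,
			"provider", k.Provider,
		)
		return
	}

	decrypted, err := provider.Decrypt(ctx, k.EncryptedData)
	if err != nil {
		ss.log.Warn(
			"Error while decrypting data encryption key to re-encrypt it",
			"id", k.Id,
			"label", k.Label,
			"provider", k.Provider,
			"err", err,
		)
		return
	}

	// Switch the in-memory key to the current provider, relabel it for the new
	// provider and re-encrypt. k is only persisted if the Update below succeeds,
	// so a failure here leaves the stored row as it was.
	k.Provider = currProvider
	k.Label = secrets.KeyLabel(k.Scope, currProvider)
	k.Updated = time.Now()
	k.EncryptedData, err = current.Encrypt(ctx, decrypted)
	if err != nil {
		ss.log.Warn(
			"Error while re-encrypting data encryption key",
			"id", k.Id,
			"label", k.Label,
			"provider", k.Provider,
			"err", err,
		)
		return
	}

	if _, err := sess.Table(dataKeysTable).Where("name = ?", k.Id).Update(k); err != nil {
		ss.log.Warn(
			"Error while re-encrypting data encryption key",
			"id", k.Id,
			"label", k.Label,
			"provider", k.Provider,
			"err", err,
		)
		return
	}
}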