grafana/pkg/services/secrets/secrets_test.go

package secrets

import (
	"context"
	"testing"

	"github.com/grafana/grafana/pkg/services/secrets/types"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

func TestSecrets_EnvelopeEncryption(t *testing.T) {
	svc := SetupTestService(t)
	ctx := context.Background()

	t.Run("encrypting with no entity_id should create DEK", func(t *testing.T) {
		plaintext := []byte("very secret string")

		encrypted, err := svc.Encrypt(context.Background(), plaintext, WithoutScope())
		require.NoError(t, err)

		decrypted, err := svc.Decrypt(context.Background(), encrypted)
		require.NoError(t, err)
		assert.Equal(t, plaintext, decrypted)

		keys, err := svc.GetAllDataKeys(ctx)
		require.NoError(t, err)
		assert.Equal(t, len(keys), 1)
	})
	t.Run("encrypting another secret with no entity_id should use the same DEK", func(t *testing.T) {
		plaintext := []byte("another very secret string")

		encrypted, err := svc.Encrypt(context.Background(), plaintext, WithoutScope())
		require.NoError(t, err)

		decrypted, err := svc.Decrypt(context.Background(), encrypted)
		require.NoError(t, err)
		assert.Equal(t, plaintext, decrypted)

		keys, err := svc.GetAllDataKeys(ctx)
		require.NoError(t, err)
		assert.Equal(t, len(keys), 1)
	})
	t.Run("encrypting with entity_id provided should create a new DEK", func(t *testing.T) {
		plaintext := []byte("some test data")

		encrypted, err := svc.Encrypt(context.Background(), plaintext, WithScope("user:100"))
		require.NoError(t, err)

		decrypted, err := svc.Decrypt(context.Background(), encrypted)
		require.NoError(t, err)
		assert.Equal(t, plaintext, decrypted)

		keys, err := svc.GetAllDataKeys(ctx)
		require.NoError(t, err)
		assert.Equal(t, len(keys), 2)
	})

	t.Run("decrypting empty payload should return error", func(t *testing.T) {
		_, err := svc.Decrypt(context.Background(), []byte(""))
		require.Error(t, err)

		assert.Equal(t, "unable to decrypt empty payload", err.Error())
	})

	t.Run("decrypting legacy secret encrypted with secret key from settings", func(t *testing.T) {
		expected := "grafana"
		encrypted := []byte{122, 56, 53, 113, 101, 117, 73, 89, 20, 254, 36, 112, 112, 16, 128, 232, 227, 52, 166, 108, 192, 5, 28, 125, 126, 42, 197, 190, 251, 36, 94}
		decrypted, err := svc.Decrypt(context.Background(), encrypted)
		require.NoError(t, err)
		assert.Equal(t, expected, string(decrypted))
	})
}

func TestSecretsService_DataKeys(t *testing.T) {
	svc := SetupTestService(t)
	ctx := context.Background()

	dataKey := types.DataKey{
		Active:        true,
		Name:          "test1",
		Provider:      "test",
		EncryptedData: []byte{0x62, 0xAF, 0xA1, 0x1A},
	}

	t.Run("querying for a DEK that does not exist", func(t *testing.T) {
		res, err := svc.GetDataKey(ctx, dataKey.Name)
		assert.ErrorIs(t, types.ErrDataKeyNotFound, err)
		assert.Nil(t, res)
	})

	t.Run("creating an active DEK", func(t *testing.T) {
		err := svc.CreateDataKey(ctx, dataKey)
		require.NoError(t, err)

		res, err := svc.GetDataKey(ctx, dataKey.Name)
		require.NoError(t, err)
		assert.Equal(t, dataKey.EncryptedData, res.EncryptedData)
		assert.Equal(t, dataKey.Provider, res.Provider)
		assert.Equal(t, dataKey.Name, res.Name)
		assert.True(t, dataKey.Active)
	})

	t.Run("creating an inactive DEK", func(t *testing.T) {
		k := types.DataKey{
			Active:        false,
			Name:          "test2",
			Provider:      "test",
			EncryptedData: []byte{0x62, 0xAF, 0xA1, 0x1A},
		}

		err := svc.CreateDataKey(ctx, k)
		require.Error(t, err)

		res, err := svc.GetDataKey(ctx, k.Name)
		assert.Equal(t, types.ErrDataKeyNotFound, err)
		assert.Nil(t, res)
	})

	t.Run("deleting DEK when no name provided must fail", func(t *testing.T) {
		beforeDelete, err := svc.GetAllDataKeys(ctx)
		require.NoError(t, err)
		err = svc.DeleteDataKey(ctx, "")
		require.Error(t, err)

		afterDelete, err := svc.GetAllDataKeys(ctx)
		require.NoError(t, err)
		assert.Equal(t, beforeDelete, afterDelete)
	})

	t.Run("deleting a DEK", func(t *testing.T) {
		err := svc.DeleteDataKey(ctx, dataKey.Name)
		require.NoError(t, err)

		res, err := svc.GetDataKey(ctx, dataKey.Name)
		assert.Equal(t, types.ErrDataKeyNotFound, err)
		assert.Nil(t, res)
	})
}
Security: Add secrets service (#39418) * Add secrets service * Revert accidental changes in util encryption * Make minor changes Move functional options to models Revert renaming types to models * Add context * Minor change in GetDataKey * Use CreateDataKeyWithDBSession in CreateDataKey * Handle empty DEK name in DeleteDataKey * Rename defaultProvider * Remove secrets store service 2021-10-01 07:39:57 -05:00			`package secrets`

			`import (`
			`"context"`
			`"testing"`

			`"github.com/grafana/grafana/pkg/services/secrets/types"`
			`"github.com/stretchr/testify/assert"`
			`"github.com/stretchr/testify/require"`
			`)`

			`func TestSecrets_EnvelopeEncryption(t *testing.T) {`
			`svc := SetupTestService(t)`
			`ctx := context.Background()`

			`t.Run("encrypting with no entity_id should create DEK", func(t *testing.T) {`
			`plaintext := []byte("very secret string")`

			`encrypted, err := svc.Encrypt(context.Background(), plaintext, WithoutScope())`
			`require.NoError(t, err)`

			`decrypted, err := svc.Decrypt(context.Background(), encrypted)`
			`require.NoError(t, err)`
			`assert.Equal(t, plaintext, decrypted)`

			`keys, err := svc.GetAllDataKeys(ctx)`
			`require.NoError(t, err)`
			`assert.Equal(t, len(keys), 1)`
			`})`
			`t.Run("encrypting another secret with no entity_id should use the same DEK", func(t *testing.T) {`
			`plaintext := []byte("another very secret string")`

			`encrypted, err := svc.Encrypt(context.Background(), plaintext, WithoutScope())`
			`require.NoError(t, err)`

			`decrypted, err := svc.Decrypt(context.Background(), encrypted)`
			`require.NoError(t, err)`
			`assert.Equal(t, plaintext, decrypted)`

			`keys, err := svc.GetAllDataKeys(ctx)`
			`require.NoError(t, err)`
			`assert.Equal(t, len(keys), 1)`
			`})`
			`t.Run("encrypting with entity_id provided should create a new DEK", func(t *testing.T) {`
			`plaintext := []byte("some test data")`

			`encrypted, err := svc.Encrypt(context.Background(), plaintext, WithScope("user:100"))`
			`require.NoError(t, err)`

			`decrypted, err := svc.Decrypt(context.Background(), encrypted)`
			`require.NoError(t, err)`
			`assert.Equal(t, plaintext, decrypted)`

			`keys, err := svc.GetAllDataKeys(ctx)`
			`require.NoError(t, err)`
			`assert.Equal(t, len(keys), 2)`
			`})`

			`t.Run("decrypting empty payload should return error", func(t *testing.T) {`
			`_, err := svc.Decrypt(context.Background(), []byte(""))`
			`require.Error(t, err)`

			`assert.Equal(t, "unable to decrypt empty payload", err.Error())`
			`})`

			`t.Run("decrypting legacy secret encrypted with secret key from settings", func(t *testing.T) {`
			`expected := "grafana"`
			`encrypted := []byte{122, 56, 53, 113, 101, 117, 73, 89, 20, 254, 36, 112, 112, 16, 128, 232, 227, 52, 166, 108, 192, 5, 28, 125, 126, 42, 197, 190, 251, 36, 94}`
			`decrypted, err := svc.Decrypt(context.Background(), encrypted)`
			`require.NoError(t, err)`
			`assert.Equal(t, expected, string(decrypted))`
			`})`
			`}`

			`func TestSecretsService_DataKeys(t *testing.T) {`
			`svc := SetupTestService(t)`
			`ctx := context.Background()`

			`dataKey := types.DataKey{`
			`Active: true,`
			`Name: "test1",`
			`Provider: "test",`
			`EncryptedData: []byte{0x62, 0xAF, 0xA1, 0x1A},`
			`}`

			`t.Run("querying for a DEK that does not exist", func(t *testing.T) {`
			`res, err := svc.GetDataKey(ctx, dataKey.Name)`
			`assert.ErrorIs(t, types.ErrDataKeyNotFound, err)`
			`assert.Nil(t, res)`
			`})`

			`t.Run("creating an active DEK", func(t *testing.T) {`
			`err := svc.CreateDataKey(ctx, dataKey)`
			`require.NoError(t, err)`

			`res, err := svc.GetDataKey(ctx, dataKey.Name)`
			`require.NoError(t, err)`
			`assert.Equal(t, dataKey.EncryptedData, res.EncryptedData)`
			`assert.Equal(t, dataKey.Provider, res.Provider)`
			`assert.Equal(t, dataKey.Name, res.Name)`
			`assert.True(t, dataKey.Active)`
			`})`

			`t.Run("creating an inactive DEK", func(t *testing.T) {`
			`k := types.DataKey{`
			`Active: false,`
			`Name: "test2",`
			`Provider: "test",`
			`EncryptedData: []byte{0x62, 0xAF, 0xA1, 0x1A},`
			`}`
Encryption: Refactor securejsondata.SecureJsonData to stop relying on global functions (#38865) * Encryption: Add support to encrypt/decrypt sjd * Add datasources.Service as a proxy to datasources db operations * Encrypt ds.SecureJsonData before calling SQLStore * Move ds cache code into ds service * Fix tlsmanager tests * Fix pluginproxy tests * Remove some securejsondata.GetEncryptedJsonData usages * Add pluginsettings.Service as a proxy for plugin settings db operations * Add AlertNotificationService as a proxy for alert notification db operations * Remove some securejsondata.GetEncryptedJsonData usages * Remove more securejsondata.GetEncryptedJsonData usages * Fix lint errors * Minor fixes * Remove encryption global functions usages from ngalert * Fix lint errors * Minor fixes * Minor fixes * Remove securejsondata.DecryptedValue usage * Refactor the refactor * Remove securejsondata.DecryptedValue usage * Move securejsondata to migrations package * Move securejsondata to migrations package * Minor fix * Fix integration test * Fix integration tests * Undo undesired changes * Fix tests * Add context.Context into encryption methods * Fix tests * Fix tests * Fix tests * Trigger CI * Fix test * Add names to params of encryption service interface * Remove bus from CacheServiceImpl * Add logging * Add keys to logger Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Add missing key to logger Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Undo changes in markdown files * Fix formatting * Add context to secrets service * Rename decryptSecureJsonData to decryptSecureJsonDataFn * Name args in GetDecryptedValueFn * Add template back to NewAlertmanagerNotifier * Copy GetDecryptedValueFn to ngalert * Add logging to pluginsettings * Fix pluginsettings test Co-authored-by: Tania B <yalyna.ts@gmail.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-10-07 09:33:50 -05:00
Security: Add secrets service (#39418) * Add secrets service * Revert accidental changes in util encryption * Make minor changes Move functional options to models Revert renaming types to models * Add context * Minor change in GetDataKey * Use CreateDataKeyWithDBSession in CreateDataKey * Handle empty DEK name in DeleteDataKey * Rename defaultProvider * Remove secrets store service 2021-10-01 07:39:57 -05:00			`err := svc.CreateDataKey(ctx, k)`
			`require.Error(t, err)`

			`res, err := svc.GetDataKey(ctx, k.Name)`
			`assert.Equal(t, types.ErrDataKeyNotFound, err)`
			`assert.Nil(t, res)`
			`})`

			`t.Run("deleting DEK when no name provided must fail", func(t *testing.T) {`
			`beforeDelete, err := svc.GetAllDataKeys(ctx)`
			`require.NoError(t, err)`
			`err = svc.DeleteDataKey(ctx, "")`
			`require.Error(t, err)`

			`afterDelete, err := svc.GetAllDataKeys(ctx)`
			`require.NoError(t, err)`
			`assert.Equal(t, beforeDelete, afterDelete)`
			`})`

			`t.Run("deleting a DEK", func(t *testing.T) {`
			`err := svc.DeleteDataKey(ctx, dataKey.Name)`
			`require.NoError(t, err)`

			`res, err := svc.GetDataKey(ctx, dataKey.Name)`
			`assert.Equal(t, types.ErrDataKeyNotFound, err)`
			`assert.Nil(t, res)`
			`})`
			`}`