Encryption: De-duplicate encryption code with extensible service (#52472)

* Encryption: De-duplicate encryption code with extensible service

* Fix Wire injections

* Fix tests

* Register reload handler

pkg/services/encryption/provider/cipher_aescfb.go

@@ -0,0 +1,45 @@
+package provider
+
+import (
+	"context"
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"io"
+
+	"github.com/grafana/grafana/pkg/services/encryption"
+	"github.com/grafana/grafana/pkg/util"
+)
+
+type aesCfbCipher struct{}
+
+func (c aesCfbCipher) Encrypt(_ context.Context, payload []byte, secret string) ([]byte, error) {
+	salt, err := util.GetRandomString(encryption.SaltLength)
+	if err != nil {
+		return nil, err
+	}
+
+	key, err := encryption.KeyToBytes(secret, salt)
+	if err != nil {
+		return nil, err
+	}
+
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+
+	// The IV needs to be unique, but not secure. Therefore, it's common to
+	// include it at the beginning of the ciphertext.
+	ciphertext := make([]byte, encryption.SaltLength+aes.BlockSize+len(payload))
+	copy(ciphertext[:encryption.SaltLength], salt)
+	iv := ciphertext[encryption.SaltLength : encryption.SaltLength+aes.BlockSize]
+	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
+		return nil, err
+	}
+
+	stream := cipher.NewCFBEncrypter(block, iv)
+	stream.XORKeyStream(ciphertext[encryption.SaltLength+aes.BlockSize:], payload)
+
+	return ciphertext, nil
+}

pkg/services/encryption/provider/cipher_aescfb_test.go

@@ -0,0 +1,20 @@
+package provider
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/stretchr/testify/require"
+)
+
+func Test_aesCfbCipher(t *testing.T) {
+	cipher := aesCfbCipher{}
+	ctx := context.Background()
+
+	encrypted, err := cipher.Encrypt(ctx, []byte("grafana"), "1234")
+	require.NoError(t, err)
+	assert.NotNil(t, encrypted)
+	assert.NotEmpty(t, encrypted)
+}

pkg/services/encryption/provider/decipher_aes.go

@@ -0,0 +1,67 @@
+package provider
+
+import (
+	"context"
+	"crypto/aes"
+	"crypto/cipher"
+	"errors"
+
+	"github.com/grafana/grafana/pkg/services/encryption"
+)
+
+type aesDecipher struct {
+	algorithm string
+}
+
+func (d aesDecipher) Decrypt(_ context.Context, payload []byte, secret string) ([]byte, error) {
+	if len(payload) < encryption.SaltLength {
+		return nil, errors.New("unable to compute salt")
+	}
+
+	salt := payload[:encryption.SaltLength]
+	key, err := encryption.KeyToBytes(secret, string(salt))
+	if err != nil {
+		return nil, err
+	}
+
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+
+	switch d.algorithm {
+	case encryption.AesGcm:
+		return decryptGCM(block, payload)
+	default:
+		return decryptCFB(block, payload)
+	}
+}
+
+func decryptGCM(block cipher.Block, payload []byte) ([]byte, error) {
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, err
+	}
+
+	nonce := payload[encryption.SaltLength : encryption.SaltLength+gcm.NonceSize()]
+	ciphertext := payload[encryption.SaltLength+gcm.NonceSize():]
+	return gcm.Open(nil, nonce, ciphertext, nil)
+}
+
+func decryptCFB(block cipher.Block, payload []byte) ([]byte, error) {
+	// The IV needs to be unique, but not secure. Therefore, it's common to
+	// include it at the beginning of the ciphertext.
+	if len(payload) < aes.BlockSize {
+		return nil, errors.New("payload too short")
+	}
+
+	iv := payload[encryption.SaltLength : encryption.SaltLength+aes.BlockSize]
+	payload = payload[encryption.SaltLength+aes.BlockSize:]
+	payloadDst := make([]byte, len(payload))
+
+	stream := cipher.NewCFBDecrypter(block, iv)
+
+	// XORKeyStream can work in-place if the two arguments are the same.
+	stream.XORKeyStream(payloadDst, payload)
+	return payloadDst, nil
+}

pkg/services/encryption/provider/decipher_aes_test.go

@@ -0,0 +1,32 @@
+package provider
+
+import (
+	"context"
+	"testing"
+
+	"github.com/grafana/grafana/pkg/services/encryption"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func Test_aesDecipher(t *testing.T) {
+	ctx := context.Background()
+
+	t.Run("aes-cfb", func(t *testing.T) {
+		cipher := aesDecipher{algorithm: encryption.AesCfb}
+		cfbEncryptedCiphertext := []byte{69, 84, 85, 120, 65, 82, 107, 88, 144, 188, 109, 229, 91, 88, 85, 113, 220, 35, 178, 190, 208, 182, 209, 91, 252, 119, 138, 133, 198, 8, 1}
+
+		decrypted, err := cipher.Decrypt(ctx, cfbEncryptedCiphertext, "1234")
+		require.NoError(t, err)
+		assert.Equal(t, []byte("grafana"), decrypted)
+	})
+
+	t.Run("aes-gcm", func(t *testing.T) {
+		cipher := aesDecipher{algorithm: encryption.AesGcm}
+		gcmEncryptedCiphertext := []byte{48, 99, 55, 50, 51, 48, 83, 66, 20, 99, 47, 238, 61, 44, 129, 125, 14, 37, 162, 230, 47, 31, 104, 70, 144, 223, 26, 51, 180, 17, 76, 52, 36, 93, 17, 203, 99, 158, 219, 102, 74, 173, 74}
+
+		decrypted, err := cipher.Decrypt(ctx, gcmEncryptedCiphertext, "1234")
+		require.NoError(t, err)
+		assert.Equal(t, []byte("grafana"), decrypted)
+	})
+}

pkg/services/encryption/provider/provider.go

@@ -0,0 +1,24 @@
+package provider
+
+import (
+	"github.com/grafana/grafana/pkg/services/encryption"
+)
+
+type Provider struct{}
+
+func ProvideEncryptionProvider() Provider {
+	return Provider{}
+}
+
+func (p Provider) ProvideCiphers() map[string]encryption.Cipher {
+	return map[string]encryption.Cipher{
+		encryption.AesCfb: aesCfbCipher{},
+	}
+}
+
+func (p Provider) ProvideDeciphers() map[string]encryption.Decipher {
+	return map[string]encryption.Decipher{
+		encryption.AesCfb: aesDecipher{algorithm: encryption.AesCfb},
+		encryption.AesGcm: aesDecipher{algorithm: encryption.AesGcm},
+	}
+}