From 2e9c38c95136ab4bd70ed25f67aa3fb87f5c8c4f Mon Sep 17 00:00:00 2001
From: Guilherme Caulada
Date: Mon, 2 May 2022 18:15:46 -0300
Subject: [PATCH] Secrets: Add unified secrets table to reencryption (#48582)
* Add secrets table to reencryption
* Add updated column check for b64Secret reencryption
* Use field values for b64Secret to clarify booleans
---
 .../secretsmigrations/reencrypt_secrets.go | 16 +++++++++++-----
 .../secretsmigrations/rollback_secrets.go | 18 +++++++++++++-----
 .../secretsmigrations/secretsmigrations.go | 1 +
 3 files changed, 25 insertions(+), 10 deletions(-)
diff --git a/pkg/cmd/grafana-cli/commands/secretsmigrations/reencrypt_secrets.go b/pkg/cmd/grafana-cli/commands/secretsmigrations/reencrypt_secrets.go
index 257259ad2a7..fb8504f5e0e 100644
--- a/pkg/cmd/grafana-cli/commands/secretsmigrations/reencrypt_secrets.go
+++ b/pkg/cmd/grafana-cli/commands/secretsmigrations/reencrypt_secrets.go
@@ -104,8 +104,13 @@ func (s b64Secret) reencrypt(secretsSrv *manager.SecretsService, sess *xorm.Sess
 }
 encoded := base64.StdEncoding.EncodeToString(encrypted)
- updateSQL := fmt.Sprintf("UPDATE %s SET %s = ? WHERE id = ?", s.tableName, s.columnName)
- _, err = sess.Exec(updateSQL, encoded, row.Id)
+ if s.hasUpdatedColumn {
+ updateSQL := fmt.Sprintf("UPDATE %s SET %s = ?, updated = ? WHERE id = ?", s.tableName, s.columnName)
+ _, err = sess.Exec(updateSQL, encoded, nowInUTC(), row.Id)
+ } else {
+ updateSQL := fmt.Sprintf("UPDATE %s SET %s = ? WHERE id = ?", s.tableName, s.columnName)
+ _, err = sess.Exec(updateSQL, encoded, row.Id)
+ }
 if err != nil {
 anyFailure = true
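Review bot: The new `hasUpdatedColumn` branch in `b64Secret.reencrypt` sets `updated` to `nowInUTC()` for every row it rewrites, so after a re-encryption run the `secrets` table no longer shows when each secret value last actually changed. Only the ciphertext changes here, not the secret itself, and anyone reading `updated` for audit or incident timelines will see every row stamped with the run time. If that is intended, a comment above the branch should say so, e.g. `// updated is refreshed on purpose: re-encryption rewrites the stored value`; if it is not, the plain UPDATE in the else branch would do for this table too. The same branch is added to `b64Secret.rollback` in rollback_secrets.go, and `reencrypt` starts and ends outside this hunk.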
@@ -256,9 +261,10 @@ func ReEncryptSecrets(_ utils.CommandLine, runner runner.Runner) error {
 reencrypt(*manager.SecretsService, *xorm.Session)
 }{
 simpleSecret{tableName: "dashboard_snapshot", columnName: "dashboard_encrypted"},
- b64Secret{simpleSecret{tableName: "user_auth", columnName: "o_auth_access_token"}},
- b64Secret{simpleSecret{tableName: "user_auth", columnName: "o_auth_refresh_token"}},
- b64Secret{simpleSecret{tableName: "user_auth", columnName: "o_auth_token_type"}},
+ b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_access_token"}},
+ b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_refresh_token"}},
+ b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_token_type"}},
+ b64Secret{simpleSecret: simpleSecret{tableName: "secrets", columnName: "value"}, hasUpdatedColumn: true},
 jsonSecret{tableName: "data_source"},
 jsonSecret{tableName: "plugin_setting"},
 alertingSecret{},
diff --git a/pkg/cmd/grafana-cli/commands/secretsmigrations/rollback_secrets.go b/pkg/cmd/grafana-cli/commands/secretsmigrations/rollback_secrets.go
index fc17c10aaed..25aa2162ae7 100644
--- a/pkg/cmd/grafana-cli/commands/secretsmigrations/rollback_secrets.go
+++ b/pkg/cmd/grafana-cli/commands/secretsmigrations/rollback_secrets.go
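Review bot: The list in `ReEncryptSecrets` (reencrypt_secrets.go, hunk at -256) carries two invariants that nothing in the code states. Its `tableName` and `columnName` strings are spliced into SQL with `fmt.Sprintf` in `b64Secret.reencrypt`, with only the values bound through `?`, so every entry has to stay a source literal. The list is also kept by hand in parallel with the one in `RollBackSecrets` (rollback_secrets.go, hunk at -272), where this commit adds the same `secrets`/`value` entry. A comment above each list would make both visible, e.g. `// Entries must be literals (names are interpolated into SQL) and must mirror the list in RollBackSecrets.` with the converse on the other list. Both function bodies continue outside their hunks.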
@@ -112,8 +112,15 @@ func (s b64Secret) rollback(
 }
 encoded := base64.StdEncoding.EncodeToString(encrypted)
- updateSQL := fmt.Sprintf("UPDATE %s SET %s = ? WHERE id = ?", s.tableName, s.columnName)
- if _, err := sess.Exec(updateSQL, encoded, row.Id); err != nil {
+ if s.hasUpdatedColumn {
+ updateSQL := fmt.Sprintf("UPDATE %s SET %s = ?, updated = ? WHERE id = ?", s.tableName, s.columnName)
+ _, err = sess.Exec(updateSQL, encoded, nowInUTC(), row.Id)
+ } else {
+ updateSQL := fmt.Sprintf("UPDATE %s SET %s = ? WHERE id = ?", s.tableName, s.columnName)
+ _, err = sess.Exec(updateSQL, encoded, row.Id)
+ }
+
+ if err != nil {
 anyFailure = true
 logger.Warn("Could not update secret while rolling it back", "table", s.tableName, "id", row.Id, "error", err)
 continue
@@ -272,9 +279,10 @@ func RollBackSecrets(_ utils.CommandLine, runner runner.Runner) error {
 rollback(*manager.SecretsService, encryption.Internal, *xorm.Session, string) bool
 }{
 simpleSecret{tableName: "dashboard_snapshot", columnName: "dashboard_encrypted"},
- b64Secret{simpleSecret{tableName: "user_auth", columnName: "o_auth_access_token"}},
- b64Secret{simpleSecret{tableName: "user_auth", columnName: "o_auth_refresh_token"}},
- b64Secret{simpleSecret{tableName: "user_auth", columnName: "o_auth_token_type"}},
+ b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_access_token"}},
+ b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_refresh_token"}},
+ b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_token_type"}},
+ b64Secret{simpleSecret: simpleSecret{tableName: "secrets", columnName: "value"}, hasUpdatedColumn: true},
 jsonSecret{tableName: "data_source"},
 jsonSecret{tableName: "plugin_setting"},
 alertingSecret{},
diff --git a/pkg/cmd/grafana-cli/commands/secretsmigrations/secretsmigrations.go b/pkg/cmd/grafana-cli/commands/secretsmigrations/secretsmigrations.go
index a75e2e9b329..ab663701967 100644
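Review bot: In `b64Secret.rollback` (rollback_secrets.go, hunk at -112) the rewrite drops the statement-scoped `if _, err := sess.Exec(...); err != nil` and instead assigns to an `err` that must be declared earlier in the loop body, outside this hunk. Widening the scope this way makes the failure check depend on a variable shared with the preceding decrypt and encrypt steps, so a later edit that skips both branches would test a stale value. Choosing the statement and its arguments inside the branch and keeping a single scoped `Exec` check after it would preserve the original shape. Failing that, a short comment such as `// err is the loop-scoped variable; both branches assign it` would make the dependency explicit.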
--- a/pkg/cmd/grafana-cli/commands/secretsmigrations/secretsmigrations.go
+++ b/pkg/cmd/grafana-cli/commands/secretsmigrations/secretsmigrations.go
@@ -13,6 +13,7 @@ type simpleSecret struct {
 type b64Secret struct {
 simpleSecret
+ hasUpdatedColumn bool
 }
 type jsonSecret struct {
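Review bot: The new `hasUpdatedColumn` field on `b64Secret` is undocumented, and its name does not say that the re-encrypt and rollback code writes to a column literally called `updated`. A reader adding another table with `hasUpdatedColumn: true` needs to know that the column name is fixed and that its value is overwritten with the current UTC time on every rewrite. I would add a field comment such as `// hasUpdatedColumn marks tables with an "updated" timestamp column, which reencrypt and rollback set to the current UTC time when they rewrite the secret.`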