Secrets: Add unified secrets table to reencryption (#48582)

* Add secrets table to reencryption

* Add updated column check for b64Secret reencryption

* Use field values for b64Secret to clarify booleans

pkg/cmd/grafana-cli/commands/secretsmigrations/reencrypt_secrets.go

@@ -104,8 +104,13 @@ func (s b64Secret) reencrypt(secretsSrv *manager.SecretsService, sess *xorm.Sess
 		}
 
 		encoded := base64.StdEncoding.EncodeToString(encrypted)
+		if s.hasUpdatedColumn {
+			updateSQL := fmt.Sprintf("UPDATE %s SET %s = ?, updated = ? WHERE id = ?", s.tableName, s.columnName)
+			_, err = sess.Exec(updateSQL, encoded, nowInUTC(), row.Id)
+		} else {
 			updateSQL := fmt.Sprintf("UPDATE %s SET %s = ? WHERE id = ?", s.tableName, s.columnName)
 			_, err = sess.Exec(updateSQL, encoded, row.Id)
+		}
 
 		if err != nil {
 			anyFailure = true
@@ -256,9 +261,10 @@ func ReEncryptSecrets(_ utils.CommandLine, runner runner.Runner) error {
 		reencrypt(*manager.SecretsService, *xorm.Session)
 	}{
 		simpleSecret{tableName: "dashboard_snapshot", columnName: "dashboard_encrypted"},
-		b64Secret{simpleSecret{tableName: "user_auth", columnName: "o_auth_access_token"}},
+		b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_access_token"}},
-		b64Secret{simpleSecret{tableName: "user_auth", columnName: "o_auth_refresh_token"}},
+		b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_refresh_token"}},
-		b64Secret{simpleSecret{tableName: "user_auth", columnName: "o_auth_token_type"}},
+		b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_token_type"}},
+		b64Secret{simpleSecret: simpleSecret{tableName: "secrets", columnName: "value"}, hasUpdatedColumn: true},
 		jsonSecret{tableName: "data_source"},
 		jsonSecret{tableName: "plugin_setting"},
 		alertingSecret{},

pkg/cmd/grafana-cli/commands/secretsmigrations/rollback_secrets.go

@@ -112,8 +112,15 @@ func (s b64Secret) rollback(
 		}
 
 		encoded := base64.StdEncoding.EncodeToString(encrypted)
+		if s.hasUpdatedColumn {
+			updateSQL := fmt.Sprintf("UPDATE %s SET %s = ?, updated = ? WHERE id = ?", s.tableName, s.columnName)
+			_, err = sess.Exec(updateSQL, encoded, nowInUTC(), row.Id)
+		} else {
 			updateSQL := fmt.Sprintf("UPDATE %s SET %s = ? WHERE id = ?", s.tableName, s.columnName)
-		if _, err := sess.Exec(updateSQL, encoded, row.Id); err != nil {
+			_, err = sess.Exec(updateSQL, encoded, row.Id)
+		}
+
+		if err != nil {
 			anyFailure = true
 			logger.Warn("Could not update secret while rolling it back", "table", s.tableName, "id", row.Id, "error", err)
 			continue
@@ -272,9 +279,10 @@ func RollBackSecrets(_ utils.CommandLine, runner runner.Runner) error {
 		rollback(*manager.SecretsService, encryption.Internal, *xorm.Session, string) bool
 	}{
 		simpleSecret{tableName: "dashboard_snapshot", columnName: "dashboard_encrypted"},
-		b64Secret{simpleSecret{tableName: "user_auth", columnName: "o_auth_access_token"}},
+		b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_access_token"}},
-		b64Secret{simpleSecret{tableName: "user_auth", columnName: "o_auth_refresh_token"}},
+		b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_refresh_token"}},
-		b64Secret{simpleSecret{tableName: "user_auth", columnName: "o_auth_token_type"}},
+		b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_token_type"}},
+		b64Secret{simpleSecret: simpleSecret{tableName: "secrets", columnName: "value"}, hasUpdatedColumn: true},
 		jsonSecret{tableName: "data_source"},
 		jsonSecret{tableName: "plugin_setting"},
 		alertingSecret{},

pkg/cmd/grafana-cli/commands/secretsmigrations/secretsmigrations.go

@@ -13,6 +13,7 @@ type simpleSecret struct {
 
 type b64Secret struct {
 	simpleSecret
+	hasUpdatedColumn bool
 }
 
 type jsonSecret struct {