Replace encryption.Service usages by secrets.Service (#41625)
* Replace encryption.Service by secrets.Service on expr.Service * Replace encryption.Service by secrets.Service on live pkg * Rename encryption.Service to encryption.Internal to clarify it must not be used for general-purpose encryption
This commit is contained in:
committed by
GitHub
parent
dcae138379
commit
44837fc592
@@ -108,7 +108,7 @@ type HTTPServer struct {
|
||||
SocialService social.Service
|
||||
OAuthTokenService oauthtoken.OAuthTokenService
|
||||
Listener net.Listener
|
||||
EncryptionService encryption.Service
|
||||
EncryptionService encryption.Internal
|
||||
SecretsService secrets.Service
|
||||
DataSourcesService *datasources.Service
|
||||
cleanUpService *cleanup.CleanUpService
|
||||
@@ -142,7 +142,7 @@ func ProvideHTTPServer(opts ServerOptions, cfg *setting.Cfg, routeRegister routi
|
||||
notificationService *notifications.NotificationService, tracingService *tracing.TracingService,
|
||||
internalMetricsSvc *metrics.InternalMetricsService, quotaService *quota.QuotaService,
|
||||
socialService social.Service, oauthTokenService oauthtoken.OAuthTokenService,
|
||||
encryptionService encryption.Service, updateChecker *updatechecker.Service, searchUsersService searchusers.Service,
|
||||
encryptionService encryption.Internal, updateChecker *updatechecker.Service, searchUsersService searchusers.Service,
|
||||
dataSourcesService *datasources.Service, secretsService secrets.Service, expressionService *expr.Service) (*HTTPServer, error) {
|
||||
web.Env = cfg.Env
|
||||
m := web.New()
|
||||
|
||||
@@ -7,7 +7,7 @@ import (
|
||||
"github.com/grafana/grafana/pkg/components/simplejson"
|
||||
"github.com/grafana/grafana/pkg/models"
|
||||
"github.com/grafana/grafana/pkg/plugins"
|
||||
"github.com/grafana/grafana/pkg/services/encryption"
|
||||
"github.com/grafana/grafana/pkg/services/secrets"
|
||||
"github.com/grafana/grafana/pkg/setting"
|
||||
)
|
||||
|
||||
@@ -36,16 +36,16 @@ func IsDataSource(uid string) bool {
|
||||
|
||||
// Service is service representation for expression handling.
|
||||
type Service struct {
|
||||
cfg *setting.Cfg
|
||||
dataService backend.QueryDataHandler
|
||||
encryptionService encryption.Service
|
||||
cfg *setting.Cfg
|
||||
dataService backend.QueryDataHandler
|
||||
secretsService secrets.Service
|
||||
}
|
||||
|
||||
func ProvideService(cfg *setting.Cfg, pluginClient plugins.Client, encryptionService encryption.Service) *Service {
|
||||
func ProvideService(cfg *setting.Cfg, pluginClient plugins.Client, secretsService secrets.Service) *Service {
|
||||
return &Service{
|
||||
cfg: cfg,
|
||||
dataService: pluginClient,
|
||||
encryptionService: encryptionService,
|
||||
cfg: cfg,
|
||||
dataService: pluginClient,
|
||||
secretsService: secretsService,
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -14,6 +14,8 @@ import (
|
||||
"github.com/grafana/grafana/pkg/components/simplejson"
|
||||
"github.com/grafana/grafana/pkg/models"
|
||||
"github.com/grafana/grafana/pkg/services/encryption/ossencryption"
|
||||
"github.com/grafana/grafana/pkg/services/secrets/fakes"
|
||||
"github.com/grafana/grafana/pkg/services/secrets/manager"
|
||||
"github.com/grafana/grafana/pkg/setting"
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
||||
@@ -26,11 +28,22 @@ func TestService(t *testing.T) {
|
||||
me := &mockEndpoint{
|
||||
Frames: []*data.Frame{dsDF},
|
||||
}
|
||||
|
||||
cfg := setting.NewCfg()
|
||||
|
||||
secretsService := manager.ProvideSecretsService(
|
||||
fakes.NewFakeSecretsStore(),
|
||||
bus.GetBus(),
|
||||
ossencryption.ProvideService(),
|
||||
setting.ProvideProvider(cfg),
|
||||
)
|
||||
|
||||
s := Service{
|
||||
cfg: setting.NewCfg(),
|
||||
dataService: me,
|
||||
encryptionService: ossencryption.ProvideService(),
|
||||
cfg: cfg,
|
||||
dataService: me,
|
||||
secretsService: secretsService,
|
||||
}
|
||||
|
||||
bus.AddHandlerCtx("test", func(_ context.Context, query *models.GetDataSourceQuery) error {
|
||||
query.Result = &models.DataSource{Id: 1, OrgId: 1, Type: "test", JsonData: simplejson.New()}
|
||||
return nil
|
||||
|
||||
@@ -219,7 +219,7 @@ func (s *Service) queryData(ctx context.Context, req *backend.QueryDataRequest)
|
||||
|
||||
func (s *Service) decryptSecureJsonDataFn(ctx context.Context) func(map[string][]byte) map[string]string {
|
||||
return func(m map[string][]byte) map[string]string {
|
||||
decryptedJsonData, err := s.encryptionService.DecryptJsonData(ctx, m, s.cfg.SecretKey)
|
||||
decryptedJsonData, err := s.secretsService.DecryptJsonData(ctx, m)
|
||||
if err != nil {
|
||||
logger.Error("Failed to decrypt secure json data", "error", err)
|
||||
}
|
||||
|
||||
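Review bot: The closure around the new `s.secretsService.DecryptJsonData(ctx, m)` call still only logs a decryption failure and then presumably hands `decryptedJsonData` (nil or partial) back to the caller — the rest of the function is outside the hunk — so a data source whose secure JSON can no longer be decrypted runs the query with missing credentials instead of failing it. If that degraded behaviour is intentional, a comment at the call site would save the next reader a trip: `// Decryption errors are logged, not surfaced: the query proceeds with whatever could be decrypted.` If it is not, the error should propagate out of the enclosing queryData path rather than being dropped here.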
@@ -52,7 +52,7 @@ var wireExtsBasicSet = wire.NewSet(
|
||||
authinfoservice.ProvideOSSUserProtectionService,
|
||||
wire.Bind(new(login.UserProtectionService), new(*authinfoservice.OSSUserProtectionImpl)),
|
||||
ossencryption.ProvideService,
|
||||
wire.Bind(new(encryption.Service), new(*ossencryption.Service)),
|
||||
wire.Bind(new(encryption.Internal), new(*ossencryption.Service)),
|
||||
filters.ProvideOSSSearchUserFilter,
|
||||
wire.Bind(new(models.SearchUserFilter), new(*filters.OSSSearchUserFilter)),
|
||||
searchusers.ProvideUsersService,
|
||||
|
||||
@@ -48,7 +48,7 @@ func (e *AlertEngine) IsDisabled() bool {
|
||||
|
||||
// ProvideAlertEngine returns a new AlertEngine.
|
||||
func ProvideAlertEngine(renderer rendering.Service, bus bus.Bus, requestValidator models.PluginRequestValidator,
|
||||
dataService legacydata.RequestHandler, usageStatsService usagestats.Service, encryptionService encryption.Service,
|
||||
dataService legacydata.RequestHandler, usageStatsService usagestats.Service, encryptionService encryption.Internal,
|
||||
cfg *setting.Cfg) *AlertEngine {
|
||||
e := &AlertEngine{
|
||||
Cfg: cfg,
|
||||
|
||||
@@ -13,10 +13,10 @@ import (
|
||||
type AlertNotificationService struct {
|
||||
Bus bus.Bus
|
||||
SQLStore *sqlstore.SQLStore
|
||||
EncryptionService encryption.Service
|
||||
EncryptionService encryption.Internal
|
||||
}
|
||||
|
||||
func ProvideService(bus bus.Bus, store *sqlstore.SQLStore, encryptionService encryption.Service,
|
||||
func ProvideService(bus bus.Bus, store *sqlstore.SQLStore, encryptionService encryption.Internal,
|
||||
) *AlertNotificationService {
|
||||
s := &AlertNotificationService{
|
||||
Bus: bus,
|
||||
|
||||
@@ -2,9 +2,12 @@ package encryption
|
||||
|
||||
import "context"
|
||||
|
||||
// Service must not be used for encryption,
|
||||
// use secrets.Service implementing envelope encryption instead.
|
||||
type Service interface {
|
||||
// Internal must not be used for general purpose encryption.
|
||||
// This service is used as an internal component for envelope encryption
|
||||
// and for very specific few use cases that still require legacy encryption.
|
||||
//
|
||||
// Unless there is any specific reason, you must use secrets.Service instead.
|
||||
type Internal interface {
|
||||
Encrypt(ctx context.Context, payload []byte, secret string) ([]byte, error)
|
||||
Decrypt(ctx context.Context, payload []byte, secret string) ([]byte, error)
|
||||
|
||||
|
||||
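Review bot: The new doc comment on `Internal` reads awkwardly at `for very specific few use cases that still require legacy encryption`; `// and for a few very specific use cases that still require legacy encryption.` is the intended wording. Since the rename is the only thing discouraging callers, it would also help to name the remaining sanctioned users in that comment (this commit leaves the alerting, provisioning and secrets-manager packages on `encryption.Internal`), so a reviewer can distinguish a legitimate injection of `encryption.Internal` from a regression when one appears in a wire set. The interface body continues past the hunk.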
@@ -13,8 +13,6 @@ import (
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
"github.com/grafana/grafana/pkg/services/encryption"
|
||||
|
||||
"github.com/centrifugal/centrifuge"
|
||||
"github.com/go-redis/redis/v8"
|
||||
"github.com/gobwas/glob"
|
||||
@@ -41,6 +39,7 @@ import (
|
||||
"github.com/grafana/grafana/pkg/services/live/pushws"
|
||||
"github.com/grafana/grafana/pkg/services/live/runstream"
|
||||
"github.com/grafana/grafana/pkg/services/live/survey"
|
||||
"github.com/grafana/grafana/pkg/services/secrets"
|
||||
"github.com/grafana/grafana/pkg/services/sqlstore"
|
||||
"github.com/grafana/grafana/pkg/setting"
|
||||
"github.com/grafana/grafana/pkg/tsdb/cloudwatch"
|
||||
@@ -64,7 +63,7 @@ type CoreGrafanaScope struct {
|
||||
|
||||
func ProvideService(plugCtxProvider *plugincontext.Provider, cfg *setting.Cfg, routeRegister routing.RouteRegister,
|
||||
logsService *cloudwatch.LogsService, pluginStore plugins.Store, cacheService *localcache.CacheService,
|
||||
dataSourceCache datasources.CacheService, sqlStore *sqlstore.SQLStore, encService encryption.Service,
|
||||
dataSourceCache datasources.CacheService, sqlStore *sqlstore.SQLStore, secretsService secrets.Service,
|
||||
usageStatsService usagestats.Service) (*GrafanaLive, error) {
|
||||
g := &GrafanaLive{
|
||||
Cfg: cfg,
|
||||
@@ -75,7 +74,7 @@ func ProvideService(plugCtxProvider *plugincontext.Provider, cfg *setting.Cfg, r
|
||||
CacheService: cacheService,
|
||||
DataSourceCache: dataSourceCache,
|
||||
SQLStore: sqlStore,
|
||||
EncryptionService: encService,
|
||||
SecretsService: secretsService,
|
||||
channels: make(map[string]models.ChannelHandler),
|
||||
GrafanaScope: CoreGrafanaScope{
|
||||
Features: make(map[string]models.ChannelHandlerFactory),
|
||||
@@ -183,8 +182,8 @@ func ProvideService(plugCtxProvider *plugincontext.Provider, cfg *setting.Cfg, r
|
||||
}
|
||||
} else {
|
||||
storage := &pipeline.FileStorage{
|
||||
DataPath: cfg.DataPath,
|
||||
EncryptionService: g.EncryptionService,
|
||||
DataPath: cfg.DataPath,
|
||||
SecretsService: g.SecretsService,
|
||||
}
|
||||
g.pipelineStorage = storage
|
||||
builder = &pipeline.StorageRuleBuilder{
|
||||
@@ -193,7 +192,7 @@ func ProvideService(plugCtxProvider *plugincontext.Provider, cfg *setting.Cfg, r
|
||||
FrameStorage: pipeline.NewFrameStorage(),
|
||||
Storage: storage,
|
||||
ChannelHandlerGetter: g,
|
||||
EncryptionService: g.EncryptionService,
|
||||
SecretsService: g.SecretsService,
|
||||
}
|
||||
}
|
||||
channelRuleGetter := pipeline.NewCacheSegmentedTree(builder)
|
||||
@@ -369,7 +368,7 @@ type GrafanaLive struct {
|
||||
CacheService *localcache.CacheService
|
||||
DataSourceCache datasources.CacheService
|
||||
SQLStore *sqlstore.SQLStore
|
||||
EncryptionService encryption.Service
|
||||
SecretsService secrets.Service
|
||||
pluginStore plugins.Store
|
||||
|
||||
node *centrifuge.Node
|
||||
@@ -1220,7 +1219,7 @@ func (g *GrafanaLive) HandleWriteConfigsPutHTTP(c *models.ReqContext) response.R
|
||||
if cmd.SecureSettings == nil {
|
||||
cmd.SecureSettings = map[string]string{}
|
||||
}
|
||||
secureJSONData, err := g.EncryptionService.DecryptJsonData(c.Req.Context(), existingBackend.SecureSettings, setting.SecretKey)
|
||||
secureJSONData, err := g.SecretsService.DecryptJsonData(c.Req.Context(), existingBackend.SecureSettings)
|
||||
if err != nil {
|
||||
logger.Error("Error decrypting secure settings", "error", err)
|
||||
return response.Error(http.StatusInternalServerError, "Error decrypting secure settings", err)
|
||||
|
||||
@@ -4,14 +4,13 @@ import (
|
||||
"context"
|
||||
"fmt"
|
||||
|
||||
"github.com/grafana/grafana/pkg/services/secrets"
|
||||
|
||||
"github.com/centrifugal/centrifuge"
|
||||
"github.com/grafana/grafana/pkg/models"
|
||||
"github.com/grafana/grafana/pkg/services/encryption"
|
||||
"github.com/grafana/grafana/pkg/services/live/managedstream"
|
||||
"github.com/grafana/grafana/pkg/services/live/pipeline/pattern"
|
||||
"github.com/grafana/grafana/pkg/services/live/pipeline/tree"
|
||||
"github.com/grafana/grafana/pkg/setting"
|
||||
|
||||
"github.com/centrifugal/centrifuge"
|
||||
)
|
||||
|
||||
type JsonAutoSettings struct{}
|
||||
@@ -298,7 +297,7 @@ type StorageRuleBuilder struct {
|
||||
FrameStorage *FrameStorage
|
||||
Storage Storage
|
||||
ChannelHandlerGetter ChannelHandlerGetter
|
||||
EncryptionService encryption.Service
|
||||
SecretsService secrets.Service
|
||||
}
|
||||
|
||||
func (f *StorageRuleBuilder) extractSubscriber(config *SubscriberConfig) (Subscriber, error) {
|
||||
@@ -434,7 +433,7 @@ func (f *StorageRuleBuilder) constructBasicAuth(writeConfig WriteConfig) (*Basic
|
||||
var password string
|
||||
hasSecurePassword := len(writeConfig.SecureSettings["basicAuthPassword"]) > 0
|
||||
if hasSecurePassword {
|
||||
passwordBytes, err := f.EncryptionService.Decrypt(context.Background(), writeConfig.SecureSettings["basicAuthPassword"], setting.SecretKey)
|
||||
passwordBytes, err := f.SecretsService.Decrypt(context.Background(), writeConfig.SecureSettings["basicAuthPassword"])
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("basicAuthPassword can't be decrypted: %w", err)
|
||||
}
|
||||
|
||||
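Review bot: `f.SecretsService.Decrypt(context.Background(), ...)` in constructBasicAuth now routes through the secrets service, which elsewhere in this commit is shown holding a `secrets.Store` and a data-key cache, so a decrypt can become a store lookup that the background context can neither cancel nor carry tracing for. If the caller of extractSubscriber/constructBasicAuth has a context available I would thread it through; if it does not, a comment such as `// No request context reaches the rule builder; data-key lookups run with Background.` records the trade-off. I cannot see the caller from this hunk, so this is hedged.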
@@ -9,15 +9,14 @@ import (
|
||||
"os"
|
||||
"path/filepath"
|
||||
|
||||
"github.com/grafana/grafana/pkg/services/encryption"
|
||||
"github.com/grafana/grafana/pkg/setting"
|
||||
"github.com/grafana/grafana/pkg/services/secrets"
|
||||
"github.com/grafana/grafana/pkg/util"
|
||||
)
|
||||
|
||||
// FileStorage can load channel rules from a file on disk.
|
||||
type FileStorage struct {
|
||||
DataPath string
|
||||
EncryptionService encryption.Service
|
||||
DataPath string
|
||||
SecretsService secrets.Service
|
||||
}
|
||||
|
||||
func (f *FileStorage) ListWriteConfigs(_ context.Context, orgID int64) ([]WriteConfig, error) {
|
||||
@@ -56,7 +55,7 @@ func (f *FileStorage) CreateWriteConfig(ctx context.Context, orgID int64, cmd Wr
|
||||
cmd.UID = util.GenerateShortUID()
|
||||
}
|
||||
|
||||
secureSettings, err := f.EncryptionService.EncryptJsonData(ctx, cmd.SecureSettings, setting.SecretKey)
|
||||
secureSettings, err := f.SecretsService.EncryptJsonData(ctx, cmd.SecureSettings, secrets.WithoutScope())
|
||||
if err != nil {
|
||||
return WriteConfig{}, fmt.Errorf("error encrypting data: %w", err)
|
||||
}
|
||||
@@ -88,7 +87,7 @@ func (f *FileStorage) UpdateWriteConfig(ctx context.Context, orgID int64, cmd Wr
|
||||
return WriteConfig{}, fmt.Errorf("can't read write configs: %w", err)
|
||||
}
|
||||
|
||||
secureSettings, err := f.EncryptionService.EncryptJsonData(ctx, cmd.SecureSettings, setting.SecretKey)
|
||||
secureSettings, err := f.SecretsService.EncryptJsonData(ctx, cmd.SecureSettings, secrets.WithoutScope())
|
||||
if err != nil {
|
||||
return WriteConfig{}, fmt.Errorf("error encrypting data: %w", err)
|
||||
}
|
||||
|
||||
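Review bot: Write configs already persisted under `DataPath` were encrypted by the legacy `EncryptJsonData(ctx, ..., setting.SecretKey)` path this hunk removes, so the new `SecretsService` decrypt side must still accept those legacy payloads or existing pipeline configs stop working after upgrade; if the secrets service's legacy fallback is not exercised by a test that loads a pre-encrypted fixture file, this is the place to add one. The `secrets.WithoutScope()` choice also deserves a one-line comment, because CreateWriteConfig and UpdateWriteConfig both take an orgID yet encrypt under an unscoped data key — something like `// Write configs are keyed by orgID in the file but intentionally share one unscoped data key.` if that is the intent. Both functions continue outside the hunk.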
@@ -9,7 +9,7 @@ import (
|
||||
)
|
||||
|
||||
// Provision alert notifiers
|
||||
func Provision(ctx context.Context, configDirectory string, encryptionService encryption.Service) error {
|
||||
func Provision(ctx context.Context, configDirectory string, encryptionService encryption.Internal) error {
|
||||
dc := newNotificationProvisioner(encryptionService, log.New("provisioning.notifiers"))
|
||||
return dc.applyChanges(ctx, configDirectory)
|
||||
}
|
||||
@@ -20,7 +20,7 @@ type NotificationProvisioner struct {
|
||||
cfgProvider *configReader
|
||||
}
|
||||
|
||||
func newNotificationProvisioner(encryptionService encryption.Service, log log.Logger) NotificationProvisioner {
|
||||
func newNotificationProvisioner(encryptionService encryption.Internal, log log.Logger) NotificationProvisioner {
|
||||
return NotificationProvisioner{
|
||||
log: log,
|
||||
cfgProvider: &configReader{
|
||||
|
||||
@@ -18,7 +18,7 @@ import (
|
||||
)
|
||||
|
||||
type configReader struct {
|
||||
encryptionService encryption.Service
|
||||
encryptionService encryption.Internal
|
||||
log log.Logger
|
||||
}
|
||||
|
||||
|
||||
@@ -19,7 +19,7 @@ import (
|
||||
)
|
||||
|
||||
func ProvideService(cfg *setting.Cfg, sqlStore *sqlstore.SQLStore, pluginStore plugifaces.Store,
|
||||
encryptionService encryption.Service) (*ProvisioningServiceImpl, error) {
|
||||
encryptionService encryption.Internal) (*ProvisioningServiceImpl, error) {
|
||||
s := &ProvisioningServiceImpl{
|
||||
Cfg: cfg,
|
||||
SQLStore: sqlStore,
|
||||
@@ -59,7 +59,7 @@ func NewProvisioningServiceImpl() *ProvisioningServiceImpl {
|
||||
// Used for testing purposes
|
||||
func newProvisioningServiceImpl(
|
||||
newDashboardProvisioner dashboards.DashboardProvisionerFactory,
|
||||
provisionNotifiers func(context.Context, string, encryption.Service) error,
|
||||
provisionNotifiers func(context.Context, string, encryption.Internal) error,
|
||||
provisionDatasources func(context.Context, string) error,
|
||||
provisionPlugins func(string, plugifaces.Store) error,
|
||||
) *ProvisioningServiceImpl {
|
||||
@@ -76,12 +76,12 @@ type ProvisioningServiceImpl struct {
|
||||
Cfg *setting.Cfg
|
||||
SQLStore *sqlstore.SQLStore
|
||||
pluginStore plugifaces.Store
|
||||
EncryptionService encryption.Service
|
||||
EncryptionService encryption.Internal
|
||||
log log.Logger
|
||||
pollingCtxCancel context.CancelFunc
|
||||
newDashboardProvisioner dashboards.DashboardProvisionerFactory
|
||||
dashboardProvisioner dashboards.DashboardProvisioner
|
||||
provisionNotifiers func(context.Context, string, encryption.Service) error
|
||||
provisionNotifiers func(context.Context, string, encryption.Internal) error
|
||||
provisionDatasources func(context.Context, string) error
|
||||
provisionPlugins func(string, plugifaces.Store) error
|
||||
mutex sync.Mutex
|
||||
|
||||
@@ -10,10 +10,10 @@ import (
|
||||
|
||||
type grafanaProvider struct {
|
||||
settings setting.Provider
|
||||
encryption encryption.Service
|
||||
encryption encryption.Internal
|
||||
}
|
||||
|
||||
func New(settings setting.Provider, encryption encryption.Service) secrets.Provider {
|
||||
func New(settings setting.Provider, encryption encryption.Internal) secrets.Provider {
|
||||
return grafanaProvider{
|
||||
settings: settings,
|
||||
encryption: encryption,
|
||||
|
||||
@@ -24,7 +24,7 @@ const (
|
||||
type SecretsService struct {
|
||||
store secrets.Store
|
||||
bus bus.Bus
|
||||
enc encryption.Service
|
||||
enc encryption.Internal
|
||||
settings setting.Provider
|
||||
|
||||
currentProvider string
|
||||
@@ -32,7 +32,7 @@ type SecretsService struct {
|
||||
dataKeyCache map[string]dataKeyCacheItem
|
||||
}
|
||||
|
||||
func ProvideSecretsService(store secrets.Store, bus bus.Bus, enc encryption.Service, settings setting.Provider) *SecretsService {
|
||||
func ProvideSecretsService(store secrets.Store, bus bus.Bus, enc encryption.Internal, settings setting.Provider) *SecretsService {
|
||||
providers := map[string]secrets.Provider{
|
||||
defaultProvider: grafana.New(settings, enc),
|
||||
}
|
||||
|
||||