Encryption: Fix b64 encoding on CLI secretsmigrations commands (#49340)

2025-02-25 18:55:37 -06:00 · 2022-05-23 07:57:48 +02:00 · 2022-05-23 07:57:48 +02:00 · 5645d7a5e3
commit 5645d7a5e3
parent aac5c9fd22
3 changed files with 14 additions and 12 deletions
--- a/pkg/cmd/grafana-cli/commands/secretsmigrations/reencrypt_secrets.go
+++ b/pkg/cmd/grafana-cli/commands/secretsmigrations/reencrypt_secrets.go
@ -86,7 +86,7 @@ func (s b64Secret) reencrypt(ctx context.Context, secretsSrv *manager.SecretsSer
 		}

 		err := sqlStore.WithTransactionalDbSession(ctx, func(sess *sqlstore.DBSession) error {
-			decoded, err := base64.StdEncoding.DecodeString(row.Secret)
+			decoded, err := s.encoding.DecodeString(row.Secret)
 			if err != nil {
 				logger.Warn("Could not decode base64-encoded secret while re-encrypting it", "table", s.tableName, "id", row.Id, "error", err)
 				return err
@ -104,7 +104,7 @@ func (s b64Secret) reencrypt(ctx context.Context, secretsSrv *manager.SecretsSer
 				return err
 			}

-			encoded := base64.StdEncoding.EncodeToString(encrypted)
+			encoded := s.encoding.EncodeToString(encrypted)
 			if s.hasUpdatedColumn {
 				updateSQL := fmt.Sprintf("UPDATE %s SET %s = ?, updated = ? WHERE id = ?", s.tableName, s.columnName)
 				_, err = sess.Exec(updateSQL, encoded, nowInUTC(), row.Id)
@ -276,10 +276,10 @@ func ReEncryptSecrets(_ utils.CommandLine, runner runner.Runner) error {
 		reencrypt(context.Context, *manager.SecretsService, *sqlstore.SQLStore)
 	}{
 		simpleSecret{tableName: "dashboard_snapshot", columnName: "dashboard_encrypted"},
-		b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_access_token"}},
-		b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_refresh_token"}},
-		b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_token_type"}},
-		b64Secret{simpleSecret: simpleSecret{tableName: "secrets", columnName: "value"}, hasUpdatedColumn: true},
+		b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_access_token"}, encoding: base64.StdEncoding},
+		b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_refresh_token"}, encoding: base64.StdEncoding},
+		b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_token_type"}, encoding: base64.StdEncoding},
+		b64Secret{simpleSecret: simpleSecret{tableName: "secrets", columnName: "value"}, hasUpdatedColumn: true, encoding: base64.RawStdEncoding},
 		jsonSecret{tableName: "data_source"},
 		jsonSecret{tableName: "plugin_setting"},
 		alertingSecret{},
--- a/pkg/cmd/grafana-cli/commands/secretsmigrations/rollback_secrets.go
+++ b/pkg/cmd/grafana-cli/commands/secretsmigrations/rollback_secrets.go
@ -96,7 +96,7 @@ func (s b64Secret) rollback(
 		}

 		err := sqlStore.WithTransactionalDbSession(ctx, func(sess *sqlstore.DBSession) error {
-			decoded, err := base64.StdEncoding.DecodeString(row.Secret)
+			decoded, err := s.encoding.DecodeString(row.Secret)
 			if err != nil {
 				logger.Warn("Could not decode base64-encoded secret while rolling it back", "table", s.tableName, "id", row.Id, "error", err)
 				return err
@ -114,7 +114,7 @@ func (s b64Secret) rollback(
 				return err
 			}

-			encoded := base64.StdEncoding.EncodeToString(encrypted)
+			encoded := s.encoding.EncodeToString(encrypted)
 			if s.hasUpdatedColumn {
 				updateSQL := fmt.Sprintf("UPDATE %s SET %s = ?, updated = ? WHERE id = ?", s.tableName, s.columnName)
 				_, err = sess.Exec(updateSQL, encoded, nowInUTC(), row.Id)
@ -300,10 +300,10 @@ func RollBackSecrets(_ utils.CommandLine, runner runner.Runner) error {
 		rollback(context.Context, *manager.SecretsService, encryption.Internal, *sqlstore.SQLStore, string) bool
 	}{
 		simpleSecret{tableName: "dashboard_snapshot", columnName: "dashboard_encrypted"},
-		b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_access_token"}},
-		b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_refresh_token"}},
-		b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_token_type"}},
-		b64Secret{simpleSecret: simpleSecret{tableName: "secrets", columnName: "value"}, hasUpdatedColumn: true},
+		b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_access_token"}, encoding: base64.StdEncoding},
+		b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_refresh_token"}, encoding: base64.StdEncoding},
+		b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_token_type"}, encoding: base64.StdEncoding},
+		b64Secret{simpleSecret: simpleSecret{tableName: "secrets", columnName: "value"}, hasUpdatedColumn: true, encoding: base64.RawStdEncoding},
 		jsonSecret{tableName: "data_source"},
 		jsonSecret{tableName: "plugin_setting"},
 		alertingSecret{},
--- a/pkg/cmd/grafana-cli/commands/secretsmigrations/secretsmigrations.go
+++ b/pkg/cmd/grafana-cli/commands/secretsmigrations/secretsmigrations.go
@ -1,6 +1,7 @@
 package secretsmigrations

 import (
+	"encoding/base64"
 	"time"

 	"github.com/grafana/grafana/pkg/infra/log"
@ -14,6 +15,7 @@ type simpleSecret struct {
 type b64Secret struct {
 	simpleSecret
 	hasUpdatedColumn bool
+	encoding         *base64.Encoding
 }

 type jsonSecret struct {