Security: Store datasource passwords encrypted in secureJsonData (#16175)

* Store passwords in secureJsonData * Revert unnecessary refactors * Fix for nil jsonSecureData value * Remove copied encryption code from migration * Fix wrong field reference * Remove migration and provisioning changes * Use password getters in datasource proxy * Refactor password handling in datasource configs * Add provisioning warnings * Update documentation * Remove migration command, moved to separate PR * Remove unused code * Set the upgrade version * Remove unused code * Remove double reference
2025-02-25 18:55:37 -06:00 · 2019-04-15 11:11:17 +02:00
parent 844ec82eb0
commit 66f6e16916
30 changed files with 352 additions and 85 deletions
--- a/pkg/models/datasource.go
+++ b/pkg/models/datasource.go
@@ -61,6 +61,26 @@ type DataSource struct {
 	Updated time.Time
 }

+// DecryptedBasicAuthPassword returns data source basic auth password in plain text. It uses either deprecated
+// basic_auth_password field or encrypted secure_json_data[basicAuthPassword] variable.
+func (ds *DataSource) DecryptedBasicAuthPassword() string {
+	return ds.decryptedValue("basicAuthPassword", ds.BasicAuthPassword)
+}
+
+// DecryptedPassword returns data source password in plain text. It uses either deprecated password field
+// or encrypted secure_json_data[password] variable.
+func (ds *DataSource) DecryptedPassword() string {
+	return ds.decryptedValue("password", ds.Password)
+}
+
+// decryptedValue returns decrypted value from secureJsonData
+func (ds *DataSource) decryptedValue(field string, fallback string) string {
+	if value, ok := ds.SecureJsonData.DecryptedValue(field); ok {
+		return value
+	}
+	return fallback
+}
+
 var knownDatasourcePlugins = map[string]bool{
 	DS_ES:                                 true,
 	DS_GRAPHITE:                           true,