Security: Store datasource passwords encrypted in secureJsonData (#16175)

* Store passwords in secureJsonData * Revert unnecessary refactors * Fix for nil jsonSecureData value * Remove copied encryption code from migration * Fix wrong field reference * Remove migration and provisioning changes * Use password getters in datasource proxy * Refactor password handling in datasource configs * Add provisioning warnings * Update documentation * Remove migration command, moved to separate PR * Remove unused code * Set the upgrade version * Remove unused code * Remove double reference
2025-02-25 18:55:37 -06:00 · 2019-04-15 11:11:17 +02:00
parent 844ec82eb0
commit 66f6e16916
30 changed files with 352 additions and 85 deletions
--- a/public/app/plugins/datasource/influxdb/module.ts
+++ b/public/app/plugins/datasource/influxdb/module.ts
@@ -1,8 +1,21 @@
 import InfluxDatasource from './datasource';
 import { InfluxQueryCtrl } from './query_ctrl';
+import {
+  createChangeHandler,
+  createResetHandler,
+  PasswordFieldEnum,
+} from '../../../features/datasources/utils/passwordHandlers';

 class InfluxConfigCtrl {
  static templateUrl = 'partials/config.html';
+  current: any;
+  onPasswordReset: ReturnType<typeof createResetHandler>;
+  onPasswordChange: ReturnType<typeof createChangeHandler>;
+
+  constructor() {
+    this.onPasswordReset = createResetHandler(this, PasswordFieldEnum.Password);
+    this.onPasswordChange = createChangeHandler(this, PasswordFieldEnum.Password);
+  }
 }

 class InfluxAnnotationsQueryCtrl {
--- a/public/app/plugins/datasource/influxdb/partials/config.html
+++ b/public/app/plugins/datasource/influxdb/partials/config.html
@@ -16,9 +16,14 @@
 			<span class="gf-form-label width-10">User</span>
 			<input type="text" class="gf-form-input" ng-model='ctrl.current.user' placeholder=""></input>
 		</div>
-		<div class="gf-form max-width-15">
-			<span class="gf-form-label width-10">Password</span>
-			<input type="password" class="gf-form-input" ng-model='ctrl.current.password' placeholder=""></input>
+		<div class="gf-form">
+      <secret-form-field
+        isConfigured="ctrl.current.password || ctrl.current.secureJsonFields.password"
+        value="ctrl.current.secureJsonData.password || ''"
+        on-reset="ctrl.onPasswordReset"
+        on-change="ctrl.onPasswordChange"
+        inputWidth="9"
+      />
 		</div>
 	</div>
 </div>
--- a/public/app/plugins/datasource/mssql/config_ctrl.ts
+++ b/public/app/plugins/datasource/mssql/config_ctrl.ts
@@ -1,24 +1,20 @@
-import { SyntheticEvent } from 'react';
+import {
+  createChangeHandler,
+  createResetHandler,
+  PasswordFieldEnum,
+} from '../../../features/datasources/utils/passwordHandlers';

 export class MssqlConfigCtrl {
  static templateUrl = 'partials/config.html';

  current: any;
+  onPasswordReset: ReturnType<typeof createResetHandler>;
+  onPasswordChange: ReturnType<typeof createChangeHandler>;

  /** @ngInject */
  constructor($scope) {
    this.current.jsonData.encrypt = this.current.jsonData.encrypt || 'false';
+    this.onPasswordReset = createResetHandler(this, PasswordFieldEnum.Password);
+    this.onPasswordChange = createChangeHandler(this, PasswordFieldEnum.Password);
  }
-
-  onPasswordReset = (event: SyntheticEvent<HTMLInputElement>) => {
-    event.preventDefault();
-    this.current.secureJsonFields.password = false;
-    this.current.secureJsonData = this.current.secureJsonData || {};
-    this.current.secureJsonData.password = '';
-  };
-
-  onPasswordChange = (event: SyntheticEvent<HTMLInputElement>) => {
-    this.current.secureJsonData = this.current.secureJsonData || {};
-    this.current.secureJsonData.password = event.currentTarget.value;
-  };
 }
--- a/public/app/plugins/datasource/mysql/module.ts
+++ b/public/app/plugins/datasource/mysql/module.ts
@@ -1,8 +1,21 @@
 import { MysqlDatasource } from './datasource';
 import { MysqlQueryCtrl } from './query_ctrl';
+import {
+  createChangeHandler,
+  createResetHandler,
+  PasswordFieldEnum,
+} from '../../../features/datasources/utils/passwordHandlers';

 class MysqlConfigCtrl {
  static templateUrl = 'partials/config.html';
+  current: any;
+  onPasswordReset: ReturnType<typeof createResetHandler>;
+  onPasswordChange: ReturnType<typeof createChangeHandler>;
+
+  constructor() {
+    this.onPasswordReset = createResetHandler(this, PasswordFieldEnum.Password);
+    this.onPasswordChange = createChangeHandler(this, PasswordFieldEnum.Password);
+  }
 }

 const defaultQuery = `SELECT
--- a/public/app/plugins/datasource/mysql/partials/config.html
+++ b/public/app/plugins/datasource/mysql/partials/config.html
@@ -16,9 +16,14 @@
 			<span class="gf-form-label width-7">User</span>
 			<input type="text" class="gf-form-input" ng-model='ctrl.current.user' placeholder="user"></input>
 		</div>
-		<div class="gf-form max-width-15">
-			<span class="gf-form-label width-7">Password</span>
-			<input type="password" class="gf-form-input" ng-model='ctrl.current.password' placeholder="password"></input>
+		<div class="gf-form">
+      <secret-form-field
+        isConfigured="ctrl.current.secureJsonFields.password"
+        value="ctrl.current.secureJsonData.password"
+        on-reset="ctrl.onPasswordReset"
+        on-change="ctrl.onPasswordChange"
+        inputWidth="9"
+      />
 		</div>
 	</div>

--- a/public/app/plugins/datasource/postgres/config_ctrl.ts
+++ b/public/app/plugins/datasource/postgres/config_ctrl.ts
@@ -1,5 +1,9 @@
 import _ from 'lodash';
-import { SyntheticEvent } from 'react';
+import {
+  createChangeHandler,
+  createResetHandler,
+  PasswordFieldEnum,
+} from '../../../features/datasources/utils/passwordHandlers';

 export class PostgresConfigCtrl {
  static templateUrl = 'partials/config.html';
@@ -7,6 +11,8 @@ export class PostgresConfigCtrl {
  current: any;
  datasourceSrv: any;
  showTimescaleDBHelp: boolean;
+  onPasswordReset: ReturnType<typeof createResetHandler>;
+  onPasswordChange: ReturnType<typeof createChangeHandler>;

  /** @ngInject */
  constructor($scope, datasourceSrv) {
@@ -15,6 +21,8 @@ export class PostgresConfigCtrl {
    this.current.jsonData.postgresVersion = this.current.jsonData.postgresVersion || 903;
    this.showTimescaleDBHelp = false;
    this.autoDetectFeatures();
+    this.onPasswordReset = createResetHandler(this, PasswordFieldEnum.Password);
+    this.onPasswordChange = createChangeHandler(this, PasswordFieldEnum.Password);
  }

  autoDetectFeatures() {
@@ -53,18 +61,6 @@ export class PostgresConfigCtrl {
    this.showTimescaleDBHelp = !this.showTimescaleDBHelp;
  }

-  onPasswordReset = (event: SyntheticEvent<HTMLInputElement>) => {
-    event.preventDefault();
-    this.current.secureJsonFields.password = false;
-    this.current.secureJsonData = this.current.secureJsonData || {};
-    this.current.secureJsonData.password = '';
-  };
-
-  onPasswordChange = (event: SyntheticEvent<HTMLInputElement>) => {
-    this.current.secureJsonData = this.current.secureJsonData || {};
-    this.current.secureJsonData.password = event.currentTarget.value;
-  };
-
  // the value portion is derived from postgres server_version_num/100
  postgresVersions = [
    { name: '9.3', value: 903 },