Encryption: Fall back to AES-CFB on empty algorithm metadata (#53266)

Joan López de la Franca Beltran 2022-08-04 09:37:53 +02:00 committed by GitHub
parent 2bf37a0d35
commit 6b8316d510


@ -108,7 +108,7 @@ func (s *Service) Decrypt(ctx context.Context, payload []byte, secret string) ([
algorithm string
toDecrypt []byte
)
algorithm, toDecrypt, err = deriveEncryptionAlgorithm(payload)
algorithm, toDecrypt, err = s.deriveEncryptionAlgorithm(payload)
if err != nil {
return nil, err
}
@ -125,7 +125,7 @@ func (s *Service) Decrypt(ctx context.Context, payload []byte, secret string) ([
return decrypted, err
}
func deriveEncryptionAlgorithm(payload []byte) (string, []byte, error) {
func (s *Service) deriveEncryptionAlgorithm(payload []byte) (string, []byte, error) {
if len(payload) == 0 {
return "", nil, fmt.Errorf("unable to derive encryption algorithm")
}
@ -150,6 +150,19 @@ func deriveEncryptionAlgorithm(payload []byte) (string, []byte, error) {
return "", nil, err
}
// For historical reasons, I guess a bug introduced in the past,
// the algorithm metadata could be missing at this point.
//
// Until now, it hasn't failed because we're used to fall back
// to the default encryption algorithm.
//
// Therefore, we want to keep doing the same to be able to
// decrypt legacy secrets.
if string(algorithm) == "" {
s.log.Warn("Encryption algorithm derivation found an empty string", "error", err)
return encryption.AesCfb, payload, nil
}
return string(algorithm), payload, nil
}
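Review bot: The Warn in the new fallback branch logs `"error", err` although `err` can only be nil at that point — the `return "", nil, err` just above it appears to be the tail of an `if err != nil` guard — so the log line carries an empty error field and nothing an operator can act on. Because this branch decrypts a payload with no algorithm tag under the unauthenticated AES-CFB default, the warning is the only signal that a legacy (or malformed) secret is still in storage, so make it say so: `s.log.Warn("Encryption algorithm metadata missing, falling back to AES-CFB for legacy secret")`, and write the guard as `if len(algorithm) == 0 {` instead of converting to a string for the comparison. The comment above it should also replace the speculative "I guess a bug introduced in the past" with the actual compatibility contract, e.g. `// Legacy payloads may carry no algorithm metadata; treat them as AES-CFB (the historical default) so they stay decryptable. Encrypt always writes metadata, so this branch should only be reached for pre-existing secrets.` deriveEncryptionAlgorithm is declared in the previous hunk and the metadata parsing between the two hunks is not shown, so whether `algorithm` can be empty for reasons other than legacy data (such as a truncated payload) cannot be confirmed from here.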