IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2024-11-28 11:44:26 -06:00
Code Issues Packages Projects Releases Wiki Activity

Encryption: Stop decrypting EE encrypted secrets with legacy encryption (#50090)

Browse Source
This commit is contained in:
Tania 2022-06-03 17:06:00 +02:00 committed by GitHub
parent c85567f490
commit 7a614fd8a1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 7 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
pkg/services/secrets/manager/manager.go
View File

@ -291,8 +291,15 @@ func newRandomDataKey() ([]byte, error) {
} }
func (s *SecretsService) Decrypt(ctx context.Context, payload []byte) ([]byte, error) { func (s *SecretsService) Decrypt(ctx context.Context, payload []byte) ([]byte, error) {
if len(payload) == 0 {
return nil, fmt.Errorf("unable to decrypt empty payload")
}
// Use legacy encryption service if featuremgmt.FlagDisableEnvelopeEncryption toggle is on // Use legacy encryption service if featuremgmt.FlagDisableEnvelopeEncryption toggle is on
if s.features.IsEnabled(featuremgmt.FlagDisableEnvelopeEncryption) { if s.features.IsEnabled(featuremgmt.FlagDisableEnvelopeEncryption) {
if len(payload) > 0 && payload[0] == '#' {
return nil, fmt.Errorf("failed to decrypt a secret encrypted with envelope encryption: envelope encryption is disabled")
}
return s.enc.Decrypt(ctx, payload, setting.SecretKey) return s.enc.Decrypt(ctx, payload, setting.SecretKey)
} }
@ -309,11 +316,6 @@ func (s *SecretsService) Decrypt(ctx context.Context, payload []byte) ([]byte, e
} }
}() }()
if len(payload) == 0 {
err = fmt.Errorf("unable to decrypt empty payload")
return nil, err
}
var dataKey []byte var dataKey []byte
if payload[0] != '#' { if payload[0] != '#' {