Cloud migration: encryption key is a byte slice (#90739)

* Cloud migrations: include metadata returned by CMS in the index file * Cloud migrations: make EncryptionKey a []byte in structs * test
2025-02-25 18:55:37 -06:00 · 2024-07-22 11:25:12 -03:00 · 2024-07-22 11:25:12 -03:00 · 8d8f2ba587
commit 8d8f2ba587
parent 7fdf992dab
4 changed files with 8 additions and 13 deletions
--- a/pkg/services/cloudmigration/cloudmigrationimpl/snapshot_mgmt.go
+++ b/pkg/services/cloudmigration/cloudmigrationimpl/snapshot_mgmt.go
@ -188,7 +188,7 @@ func (s *Service) buildSnapshot(ctx context.Context, signedInUser *user.SignedIn

 	// Use GMS public key + the grafana generated private private key to encrypt snapshot files.
 	snapshotWriter, err := snapshot.NewSnapshotWriter(contracts.AssymetricKeys{
-		Public:  []byte(snapshotMeta.EncryptionKey),
+		Public:  snapshotMeta.EncryptionKey,
 		Private: privateKey[:],
 	},
 		crypto.NewNacl(),
--- a/pkg/services/cloudmigration/cloudmigrationimpl/xorm_store.go
+++ b/pkg/services/cloudmigration/cloudmigrationimpl/xorm_store.go
@ -413,27 +413,22 @@ func (ss *sqlStore) decryptToken(ctx context.Context, cm *cloudmigration.CloudMi
 }

 func (ss *sqlStore) encryptKey(ctx context.Context, snapshot *cloudmigration.CloudMigrationSnapshot) error {
-	s, err := ss.secretsService.Encrypt(ctx, []byte(snapshot.EncryptionKey), secrets.WithoutScope())
+	s, err := ss.secretsService.Encrypt(ctx, snapshot.EncryptionKey, secrets.WithoutScope())
 	if err != nil {
 		return fmt.Errorf("encrypting key: %w", err)
 	}

-	snapshot.EncryptionKey = base64.StdEncoding.EncodeToString(s)
+	snapshot.EncryptionKey = s

 	return nil
 }

 func (ss *sqlStore) decryptKey(ctx context.Context, snapshot *cloudmigration.CloudMigrationSnapshot) error {
-	decoded, err := base64.StdEncoding.DecodeString(snapshot.EncryptionKey)
-	if err != nil {
-		return fmt.Errorf("key could not be decoded")
-	}
-
-	t, err := ss.secretsService.Decrypt(ctx, decoded)
+	t, err := ss.secretsService.Decrypt(ctx, snapshot.EncryptionKey)
 	if err != nil {
 		return fmt.Errorf("decrypting key: %w", err)
 	}
-	snapshot.EncryptionKey = string(t)
+	snapshot.EncryptionKey = t

 	return nil
 }
--- a/pkg/services/cloudmigration/gmsclient/inmemory_client.go
+++ b/pkg/services/cloudmigration/gmsclient/inmemory_client.go
@ -57,7 +57,7 @@ func (c *memoryClientImpl) StartSnapshot(context.Context, cloudmigration.CloudMi
 		return nil, fmt.Errorf("nacl: generating public and private key: %w", err)
 	}
 	c.snapshot = &cloudmigration.StartSnapshotResponse{
-		EncryptionKey:        fmt.Sprintf("%x", publicKey[:]),
+		EncryptionKey:        publicKey[:],
 		SnapshotID:           uuid.NewString(),
 		MaxItemsPerPartition: 10,
 		Algo:                 "nacl",
--- a/pkg/services/cloudmigration/model.go
+++ b/pkg/services/cloudmigration/model.go
@ -37,7 +37,7 @@ type CloudMigrationSnapshot struct {
 	UID            string `xorm:"uid"`
 	SessionUID     string `xorm:"session_uid"`
 	Status         SnapshotStatus
-	EncryptionKey  string `xorm:"encryption_key"` // stored in the unified secrets table
+	EncryptionKey  []byte `xorm:"encryption_key"` // stored in the unified secrets table
 	LocalDir       string `xorm:"local_directory"`
 	GMSSnapshotUID string `xorm:"gms_snapshot_uid"`
 	ErrorString    string `xorm:"error_string"`
@ -207,7 +207,7 @@ type StartSnapshotResponse struct {
 	SnapshotID           string `json:"snapshotID"`
 	MaxItemsPerPartition uint32 `json:"maxItemsPerPartition"`
 	Algo                 string `json:"algo"`
-	EncryptionKey        string `json:"encryptionKey"`
+	EncryptionKey        []byte `json:"encryptionKey"`
 	Metadata             []byte `json:"metadata"`
 }