Secrets: Make the Migrator extensible (#67307)

* [Chore] Remove setting provider from secret service

Co-authored-by: Tania B <yalyna.ts@gmail.com>
Co-authored-by: Joan López de la Franca Beltran <joanjan14@gmail.com>

* Add a ShouldBeRedacted func

Co-authored-by: Tania B <yalyna.ts@gmail.com>
Co-authored-by: Joan López de la Franca Beltran <joanjan14@gmail.com>

* Secrets: Make Migrator extensible

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
Co-authored-by: Tania B <yalyna.ts@gmail.com>

* Alerting: Fix tests after refactor

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
Co-authored-by: Tania B <yalyna.ts@gmail.com>

* Remove commented code no longer used

* Fix Wire bindings

Co-authored-by: Tania B <yalyna.ts@gmail.com>

* Add constructors to secrets

* Linting

* Undo undesired change

---------

Co-authored-by: gamab <gabi.mabs@gmail.com>
Co-authored-by: Tania B <yalyna.ts@gmail.com>
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

pkg/services/secrets/migrator/migrator.go

@@ -13,12 +13,18 @@ import (
 	"github.com/grafana/grafana/pkg/setting"
 )
 
+type SecretsRotator interface {
+	ReEncrypt(context.Context, *manager.SecretsService, db.DB) bool
+	Rollback(context.Context, *manager.SecretsService, encryption.Internal, db.DB, string) bool
+}
+
 type SecretsMigrator struct {
 	encryptionSrv encryption.Internal
 	secretsSrv    *manager.SecretsService
 	sqlStore      db.DB
 	settings      setting.Provider
 	features      featuremgmt.FeatureToggles
+	rotators      []SecretsRotator
 }
 
 func ProvideSecretsMigrator(
@@ -28,24 +34,7 @@ func ProvideSecretsMigrator(
 	settings setting.Provider,
 	features featuremgmt.FeatureToggles,
 ) *SecretsMigrator {
-	return &SecretsMigrator{
-		encryptionSrv: encryptionSrv,
-		secretsSrv:    service,
-		sqlStore:      sqlStore,
-		settings:      settings,
-		features:      features,
-	}
-}
-
-func (m *SecretsMigrator) ReEncryptSecrets(ctx context.Context) (bool, error) {
-	err := m.initProvidersIfNeeded()
-	if err != nil {
-		return false, err
-	}
-
-	toReencrypt := []interface {
-		reencrypt(context.Context, *manager.SecretsService, db.DB) bool
-	}{
+	rotators := []SecretsRotator{
 		simpleSecret{tableName: "dashboard_snapshot", columnName: "dashboard_encrypted"},
 		b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_access_token"}, encoding: base64.StdEncoding},
 		b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_refresh_token"}, encoding: base64.StdEncoding},
@@ -56,10 +45,30 @@ func (m *SecretsMigrator) ReEncryptSecrets(ctx context.Context) (bool, error) {
 		alertingSecret{},
 	}
 
+	return &SecretsMigrator{
+		encryptionSrv: encryptionSrv,
+		secretsSrv:    service,
+		sqlStore:      sqlStore,
+		settings:      settings,
+		features:      features,
+		rotators:      rotators,
+	}
+}
+
+func (m *SecretsMigrator) RegisterRotators(rotators ...SecretsRotator) {
+	m.rotators = append(m.rotators, rotators...)
+}
+
+func (m *SecretsMigrator) ReEncryptSecrets(ctx context.Context) (bool, error) {
+	err := m.initProvidersIfNeeded()
+	if err != nil {
+		return false, err
+	}
+
 	var anyFailure bool
 
-	for _, r := range toReencrypt {
-		if success := r.reencrypt(ctx, m.secretsSrv, m.sqlStore); !success {
+	for _, r := range m.rotators {
+		if success := r.ReEncrypt(ctx, m.secretsSrv, m.sqlStore); !success {
 			anyFailure = true
 		}
 	}
@@ -73,23 +82,10 @@ func (m *SecretsMigrator) RollBackSecrets(ctx context.Context) (bool, error) {
 		return false, err
 	}
 
-	toRollback := []interface {
-		rollback(context.Context, *manager.SecretsService, encryption.Internal, db.DB, string) bool
-	}{
-		simpleSecret{tableName: "dashboard_snapshot", columnName: "dashboard_encrypted"},
-		b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_access_token"}, encoding: base64.StdEncoding},
-		b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_refresh_token"}, encoding: base64.StdEncoding},
-		b64Secret{simpleSecret: simpleSecret{tableName: "user_auth", columnName: "o_auth_token_type"}, encoding: base64.StdEncoding},
-		b64Secret{simpleSecret: simpleSecret{tableName: "secrets", columnName: "value"}, hasUpdatedColumn: true, encoding: base64.RawStdEncoding},
-		jsonSecret{tableName: "data_source"},
-		jsonSecret{tableName: "plugin_setting"},
-		alertingSecret{},
-	}
-
 	var anyFailure bool
 
-	for _, r := range toRollback {
-		if failed := r.rollback(ctx,
+	for _, r := range m.rotators {
+		if failed := r.Rollback(ctx,
 			m.secretsSrv,
 			m.encryptionSrv,
 			m.sqlStore,
@@ -133,12 +129,26 @@ type simpleSecret struct {
 	columnName string
 }
 
+func NewSimpleSecret(tableName, columnName string) simpleSecret {
+	return simpleSecret{
+		tableName:  tableName,
+		columnName: columnName,
+	}
+}
+
 type b64Secret struct {
 	simpleSecret
 	hasUpdatedColumn bool
 	encoding         *base64.Encoding
 }
 
+func NewBase64Secret(simple simpleSecret, encoding *base64.Encoding) b64Secret {
+	return b64Secret{
+		simpleSecret: simple,
+		encoding:     encoding,
+	}
+}
+
 type jsonSecret struct {
 	tableName string
 }

pkg/services/secrets/migrator/reencrypt.go

@@ -13,7 +13,7 @@ import (
 	"github.com/grafana/grafana/pkg/services/sqlstore"
 )
 
-func (s simpleSecret) reencrypt(ctx context.Context, secretsSrv *manager.SecretsService, sqlStore db.DB) bool {
+func (s simpleSecret) ReEncrypt(ctx context.Context, secretsSrv *manager.SecretsService, sqlStore db.DB) bool {
 	var rows []struct {
 		Id     int
 		Secret []byte
@@ -72,7 +72,7 @@ func (s simpleSecret) reencrypt(ctx context.Context, secretsSrv *manager.Secrets
 	return !anyFailure
 }
 
-func (s b64Secret) reencrypt(ctx context.Context, secretsSrv *manager.SecretsService, sqlStore db.DB) bool {
+func (s b64Secret) ReEncrypt(ctx context.Context, secretsSrv *manager.SecretsService, sqlStore db.DB) bool {
 	var rows []struct {
 		Id     int
 		Secret string
@@ -143,7 +143,7 @@ func (s b64Secret) reencrypt(ctx context.Context, secretsSrv *manager.SecretsSer
 	return !anyFailure
 }
 
-func (s jsonSecret) reencrypt(ctx context.Context, secretsSrv *manager.SecretsService, sqlStore db.DB) bool {
+func (s jsonSecret) ReEncrypt(ctx context.Context, secretsSrv *manager.SecretsService, sqlStore db.DB) bool {
 	var rows []struct {
 		Id             int
 		SecureJsonData map[string][]byte
@@ -206,7 +206,7 @@ func (s jsonSecret) reencrypt(ctx context.Context, secretsSrv *manager.SecretsSe
 	return !anyFailure
 }
 
-func (s alertingSecret) reencrypt(ctx context.Context, secretsSrv *manager.SecretsService, sqlStore db.DB) bool {
+func (s alertingSecret) ReEncrypt(ctx context.Context, secretsSrv *manager.SecretsService, sqlStore db.DB) bool {
 	var results []struct {
 		Id                        int
 		AlertmanagerConfiguration string

pkg/services/secrets/migrator/rollback.go

@@ -12,7 +12,7 @@ import (
 	"github.com/grafana/grafana/pkg/services/secrets/manager"
 )
 
-func (s simpleSecret) rollback(
+func (s simpleSecret) Rollback(
 	ctx context.Context,
 	secretsSrv *manager.SecretsService,
 	encryptionSrv encryption.Internal,
@@ -72,7 +72,7 @@ func (s simpleSecret) rollback(
 	return anyFailure
 }
 
-func (s b64Secret) rollback(
+func (s b64Secret) Rollback(
 	ctx context.Context,
 	secretsSrv *manager.SecretsService,
 	encryptionSrv encryption.Internal,
@@ -146,7 +146,7 @@ func (s b64Secret) rollback(
 	return anyFailure
 }
 
-func (s jsonSecret) rollback(
+func (s jsonSecret) Rollback(
 	ctx context.Context,
 	secretsSrv *manager.SecretsService,
 	encryptionSrv encryption.Internal,
@@ -210,7 +210,7 @@ func (s jsonSecret) rollback(
 	return anyFailure
 }
 
-func (s alertingSecret) rollback(
+func (s alertingSecret) Rollback(
 	ctx context.Context,
 	secretsSrv *manager.SecretsService,
 	encryptionSrv encryption.Internal,