Datasource: Remove support for unencrypted passwords (#49987)

* Datasource: Remove support for unencrypted passwords * regenerate swagger * [WIP] Remove references to datasource password and basic auth password fields (#50015) * try delete moar tings * delete provisioning stuff * remove from yaml * update snapshots * remove lingering snapshot fields * fix ds http settings * Re-generate swagger and fix swagger-api-spec make target Co-authored-by: Will Browne <will.browne@grafana.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
2025-08-06 01:39:25 +08:00 · 2022-06-03 17:38:22 +02:00
parent b344f48e68
commit 36c3398c6d
33 changed files with 268 additions and 430 deletions
--- a/pkg/api/datasources.go
+++ b/pkg/api/datasources.go
@ -48,7 +48,6 @@ func (hs *HTTPServer) GetDataSources(c *models.ReqContext) response.Response {
 			Type:      ds.Type,
 			TypeName:  ds.Type,
 			Access:    ds.Access,
-			Password:  ds.Password,
 			Database:  ds.Database,
 			User:      ds.User,
 			BasicAuth: ds.BasicAuth,
@ -481,25 +480,23 @@ func (hs *HTTPServer) CallDatasourceResourceWithUID(c *models.ReqContext) {

 func (hs *HTTPServer) convertModelToDtos(ctx context.Context, ds *models.DataSource) dtos.DataSource {
 	dto := dtos.DataSource{
-		Id:                ds.Id,
-		UID:               ds.Uid,
-		OrgId:             ds.OrgId,
-		Name:              ds.Name,
-		Url:               ds.Url,
-		Type:              ds.Type,
-		Access:            ds.Access,
-		Password:          ds.Password,
-		Database:          ds.Database,
-		User:              ds.User,
-		BasicAuth:         ds.BasicAuth,
-		BasicAuthUser:     ds.BasicAuthUser,
-		BasicAuthPassword: ds.BasicAuthPassword,
-		WithCredentials:   ds.WithCredentials,
-		IsDefault:         ds.IsDefault,
-		JsonData:          ds.JsonData,
-		SecureJsonFields:  map[string]bool{},
-		Version:           ds.Version,
-		ReadOnly:          ds.ReadOnly,
+		Id:               ds.Id,
+		UID:              ds.Uid,
+		OrgId:            ds.OrgId,
+		Name:             ds.Name,
+		Url:              ds.Url,
+		Type:             ds.Type,
+		Access:           ds.Access,
+		Database:         ds.Database,
+		User:             ds.User,
+		BasicAuth:        ds.BasicAuth,
+		BasicAuthUser:    ds.BasicAuthUser,
+		WithCredentials:  ds.WithCredentials,
+		IsDefault:        ds.IsDefault,
+		JsonData:         ds.JsonData,
+		SecureJsonFields: map[string]bool{},
+		Version:          ds.Version,
+		ReadOnly:         ds.ReadOnly,
 	}

 	secrets, err := hs.DataSourcesService.DecryptedValues(ctx, ds)
--- a/pkg/api/dtos/datasource.go
+++ b/pkg/api/dtos/datasource.go
@ -9,27 +9,25 @@ import (
 )

 type DataSource struct {
-	Id                int64                  `json:"id"`
-	UID               string                 `json:"uid"`
-	OrgId             int64                  `json:"orgId"`
-	Name              string                 `json:"name"`
-	Type              string                 `json:"type"`
-	TypeLogoUrl       string                 `json:"typeLogoUrl"`
-	Access            models.DsAccess        `json:"access"`
-	Url               string                 `json:"url"`
-	Password          string                 `json:"password"`
-	User              string                 `json:"user"`
-	Database          string                 `json:"database"`
-	BasicAuth         bool                   `json:"basicAuth"`
-	BasicAuthUser     string                 `json:"basicAuthUser"`
-	BasicAuthPassword string                 `json:"basicAuthPassword"`
-	WithCredentials   bool                   `json:"withCredentials"`
-	IsDefault         bool                   `json:"isDefault"`
-	JsonData          *simplejson.Json       `json:"jsonData,omitempty"`
-	SecureJsonFields  map[string]bool        `json:"secureJsonFields"`
-	Version           int                    `json:"version"`
-	ReadOnly          bool                   `json:"readOnly"`
-	AccessControl     accesscontrol.Metadata `json:"accessControl,omitempty"`
+	Id               int64                  `json:"id"`
+	UID              string                 `json:"uid"`
+	OrgId            int64                  `json:"orgId"`
+	Name             string                 `json:"name"`
+	Type             string                 `json:"type"`
+	TypeLogoUrl      string                 `json:"typeLogoUrl"`
+	Access           models.DsAccess        `json:"access"`
+	Url              string                 `json:"url"`
+	User             string                 `json:"user"`
+	Database         string                 `json:"database"`
+	BasicAuth        bool                   `json:"basicAuth"`
+	BasicAuthUser    string                 `json:"basicAuthUser"`
+	WithCredentials  bool                   `json:"withCredentials"`
+	IsDefault        bool                   `json:"isDefault"`
+	JsonData         *simplejson.Json       `json:"jsonData,omitempty"`
+	SecureJsonFields map[string]bool        `json:"secureJsonFields"`
+	Version          int                    `json:"version"`
+	ReadOnly         bool                   `json:"readOnly"`
+	AccessControl    accesscontrol.Metadata `json:"accessControl,omitempty"`
 }

 type DataSourceListItemDTO struct {
@ -42,7 +40,6 @@ type DataSourceListItemDTO struct {
 	TypeLogoUrl string           `json:"typeLogoUrl"`
 	Access      models.DsAccess  `json:"access"`
 	Url         string           `json:"url"`
-	Password    string           `json:"password"`
 	User        string           `json:"user"`
 	Database    string           `json:"database"`
 	BasicAuth   bool             `json:"basicAuth"`
--- a/pkg/api/pluginproxy/ds_proxy_test.go
+++ b/pkg/api/pluginproxy/ds_proxy_test.go
@ -366,7 +366,6 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
 			Url:      "http://influxdb:8083",
 			Database: "site",
 			User:     "user",
-			Password: "password",
 		}

 		ctx := &models.ReqContext{}
@ -557,18 +556,18 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
 		secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())

 		tests := []*testCase{
-			createAuthTest(t, secretsStore, models.DS_INFLUXDB_08, "http://localhost:9090", authTypePassword, authCheckQuery, false),
-			createAuthTest(t, secretsStore, models.DS_INFLUXDB_08, "http://localhost:9090", authTypePassword, authCheckQuery, true),
-			createAuthTest(t, secretsStore, models.DS_INFLUXDB, "http://localhost:9090", authTypePassword, authCheckHeader, true),
-			createAuthTest(t, secretsStore, models.DS_INFLUXDB, "http://localhost:9090", authTypePassword, authCheckHeader, false),
-			createAuthTest(t, secretsStore, models.DS_INFLUXDB, "http://localhost:9090", authTypeBasic, authCheckHeader, true),
-			createAuthTest(t, secretsStore, models.DS_INFLUXDB, "http://localhost:9090", authTypeBasic, authCheckHeader, false),
+			createAuthTest(t, secretsStore, models.DS_INFLUXDB_08, "http://localhost:9090", authTypePassword, authCheckQuery),
+			createAuthTest(t, secretsStore, models.DS_INFLUXDB_08, "http://localhost:9090", authTypePassword, authCheckQuery),
+			createAuthTest(t, secretsStore, models.DS_INFLUXDB, "http://localhost:9090", authTypePassword, authCheckHeader),
+			createAuthTest(t, secretsStore, models.DS_INFLUXDB, "http://localhost:9090", authTypePassword, authCheckHeader),
+			createAuthTest(t, secretsStore, models.DS_INFLUXDB, "http://localhost:9090", authTypeBasic, authCheckHeader),
+			createAuthTest(t, secretsStore, models.DS_INFLUXDB, "http://localhost:9090", authTypeBasic, authCheckHeader),

 			// These two should be enough for any other datasource at the moment. Proxy has special handling
 			// only for Influx, others have the same path and only BasicAuth. Non BasicAuth datasources
 			// do not go through proxy but through TSDB API which is not tested here.
-			createAuthTest(t, secretsStore, models.DS_ES, "http://localhost:9200", authTypeBasic, authCheckHeader, false),
-			createAuthTest(t, secretsStore, models.DS_ES, "http://localhost:9200", authTypeBasic, authCheckHeader, true),
+			createAuthTest(t, secretsStore, models.DS_ES, "http://localhost:9200", authTypeBasic, authCheckHeader),
+			createAuthTest(t, secretsStore, models.DS_ES, "http://localhost:9200", authTypeBasic, authCheckHeader),
 		}
 		for _, test := range tests {
 			runDatasourceAuthTest(t, secretsService, secretsStore, cfg, test)
@ -918,7 +917,7 @@ const (
 	authCheckHeader = "header"
 )

-func createAuthTest(t *testing.T, secretsStore kvstore.SecretsKVStore, dsType string, url string, authType string, authCheck string, useSecureJsonData bool) *testCase {
+func createAuthTest(t *testing.T, secretsStore kvstore.SecretsKVStore, dsType string, url string, authType string, authCheck string) *testCase {
 	// Basic user:password
 	base64AuthHeader := "Basic dXNlcjpwYXNzd29yZA=="

@ -926,7 +925,7 @@ func createAuthTest(t *testing.T, secretsStore kvstore.SecretsKVStore, dsType st
 		datasource: &models.DataSource{
 			Id:       1,
 			OrgId:    1,
-			Name:     fmt.Sprintf("%s,%s,%s,%s,%t", dsType, url, authType, authCheck, useSecureJsonData),
+			Name:     fmt.Sprintf("%s,%s,%s,%s", dsType, url, authType, authCheck),
 			Type:     dsType,
 			JsonData: simplejson.New(),
 			Url:      url,
@ -937,38 +936,28 @@ func createAuthTest(t *testing.T, secretsStore kvstore.SecretsKVStore, dsType st
 	if authType == authTypePassword {
 		message = fmt.Sprintf("%v should add username and password", dsType)
 		test.datasource.User = "user"
-		if useSecureJsonData {
-			secureJsonData, err := json.Marshal(map[string]string{
-				"password": "password",
-			})
-			require.NoError(t, err)
+		secureJsonData, err := json.Marshal(map[string]string{
+			"password": "password",
+		})
+		require.NoError(t, err)

-			err = secretsStore.Set(context.Background(), test.datasource.OrgId, test.datasource.Name, "datasource", string(secureJsonData))
-			require.NoError(t, err)
-		} else {
-			test.datasource.Password = "password"
-		}
+		err = secretsStore.Set(context.Background(), test.datasource.OrgId, test.datasource.Name, "datasource", string(secureJsonData))
+		require.NoError(t, err)
 	} else {
 		message = fmt.Sprintf("%v should add basic auth username and password", dsType)
 		test.datasource.BasicAuth = true
 		test.datasource.BasicAuthUser = "user"
-		if useSecureJsonData {
-			secureJsonData, err := json.Marshal(map[string]string{
-				"basicAuthPassword": "password",
-			})
-			require.NoError(t, err)
+		secureJsonData, err := json.Marshal(map[string]string{
+			"basicAuthPassword": "password",
+		})
+		require.NoError(t, err)

-			err = secretsStore.Set(context.Background(), test.datasource.OrgId, test.datasource.Name, "datasource", string(secureJsonData))
-			require.NoError(t, err)
-		} else {
-			test.datasource.BasicAuthPassword = "password"
-		}
+		err = secretsStore.Set(context.Background(), test.datasource.OrgId, test.datasource.Name, "datasource", string(secureJsonData))
+		require.NoError(t, err)
 	}
 	require.NoError(t, err)

-	if useSecureJsonData {
-		message += " from securejsondata"
-	}
+	message += " from securejsondata"

 	if authCheck == authCheckQuery {
 		message += " to query params"