Encryption: Refactor securejsondata.SecureJsonData to stop relying on global functions (#38865)

* Encryption: Add support to encrypt/decrypt sjd

* Add datasources.Service as a proxy to datasources db operations

* Encrypt ds.SecureJsonData before calling SQLStore

* Move ds cache code into ds service

* Fix tlsmanager tests

* Fix pluginproxy tests

* Remove some securejsondata.GetEncryptedJsonData usages

* Add pluginsettings.Service as a proxy for plugin settings db operations

* Add AlertNotificationService as a proxy for alert notification db operations

* Remove some securejsondata.GetEncryptedJsonData usages

* Remove more securejsondata.GetEncryptedJsonData usages

* Fix lint errors

* Minor fixes

* Remove encryption global functions usages from ngalert

* Fix lint errors

* Minor fixes

* Minor fixes

* Remove securejsondata.DecryptedValue usage

* Refactor the refactor

* Remove securejsondata.DecryptedValue usage

* Move securejsondata to migrations package

* Move securejsondata to migrations package

* Minor fix

* Fix integration test

* Fix integration tests

* Undo undesired changes

* Fix tests

* Add context.Context into encryption methods

* Fix tests

* Fix tests

* Fix tests

* Trigger CI

* Fix test

* Add names to params of encryption service interface

* Remove bus from CacheServiceImpl

* Add logging

* Add keys to logger

Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>

* Add missing key to logger

Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>

* Undo changes in markdown files

* Fix formatting

* Add context to secrets service

* Rename decryptSecureJsonData to decryptSecureJsonDataFn

* Name args in GetDecryptedValueFn

* Add template back to NewAlertmanagerNotifier

* Copy GetDecryptedValueFn to ngalert

* Add logging to pluginsettings

* Fix pluginsettings test

Co-authored-by: Tania B <yalyna.ts@gmail.com>
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
Joan López de la Franca Beltran
2021-10-07 16:33:50 +02:00
committed by GitHub
parent da813877fb
commit 722c414fef
141 changed files with 1968 additions and 1197 deletions


@ -1,18 +1,19 @@
package pluginproxy
import (
"context"
"io/ioutil"
"net/http"
"testing"
"github.com/grafana/grafana/pkg/bus"
"github.com/grafana/grafana/pkg/components/securejsondata"
"github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/plugins"
"github.com/grafana/grafana/pkg/services/encryption/ossencryption"
"github.com/grafana/grafana/pkg/setting"
"github.com/grafana/grafana/pkg/util"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"gopkg.in/macaron.v1"
)
func TestPluginProxy(t *testing.T) {
@ -25,8 +26,8 @@ func TestPluginProxy(t *testing.T) {
setting.SecretKey = "password"
bus.AddHandler("test", func(query *models.GetPluginSettingByIdQuery) error {
key, err := util.Encrypt([]byte("123"), "password")
bus.AddHandlerCtx("test", func(ctx context.Context, query *models.GetPluginSettingByIdQuery) error {
key, err := ossencryption.ProvideService().Encrypt(ctx, []byte("123"), "password")
if err != nil {
return err
}
@ -39,12 +40,18 @@ func TestPluginProxy(t *testing.T) {
return nil
})
httpReq, err := http.NewRequest(http.MethodGet, "", nil)
require.NoError(t, err)
req := getPluginProxiedRequest(
t,
&models.ReqContext{
SignedInUser: &models.SignedInUser{
Login: "test_user",
},
Context: &macaron.Context{
Req: httpReq,
},
},
&setting.Cfg{SendUserHeader: true},
route,
@ -54,12 +61,18 @@ func TestPluginProxy(t *testing.T) {
})
t.Run("When SendUserHeader config is enabled", func(t *testing.T) {
httpReq, err := http.NewRequest(http.MethodGet, "", nil)
require.NoError(t, err)
req := getPluginProxiedRequest(
t,
&models.ReqContext{
SignedInUser: &models.SignedInUser{
Login: "test_user",
},
Context: &macaron.Context{
Req: httpReq,
},
},
&setting.Cfg{SendUserHeader: true},
nil,
@ -70,12 +83,18 @@ func TestPluginProxy(t *testing.T) {
})
t.Run("When SendUserHeader config is disabled", func(t *testing.T) {
httpReq, err := http.NewRequest(http.MethodGet, "", nil)
require.NoError(t, err)
req := getPluginProxiedRequest(
t,
&models.ReqContext{
SignedInUser: &models.SignedInUser{
Login: "test_user",
},
Context: &macaron.Context{
Req: httpReq,
},
},
&setting.Cfg{SendUserHeader: false},
nil,
@ -85,10 +104,16 @@ func TestPluginProxy(t *testing.T) {
})
t.Run("When SendUserHeader config is enabled but user is anonymous", func(t *testing.T) {
httpReq, err := http.NewRequest(http.MethodGet, "", nil)
require.NoError(t, err)
req := getPluginProxiedRequest(
t,
&models.ReqContext{
SignedInUser: &models.SignedInUser{IsAnonymous: true},
Context: &macaron.Context{
Req: httpReq,
},
},
&setting.Cfg{SendUserHeader: true},
nil,
@ -104,7 +129,7 @@ func TestPluginProxy(t *testing.T) {
Method: "GET",
}
bus.AddHandler("test", func(query *models.GetPluginSettingByIdQuery) error {
bus.AddHandlerCtx("test", func(_ context.Context, query *models.GetPluginSettingByIdQuery) error {
query.Result = &models.PluginSetting{
JsonData: map[string]interface{}{
"dynamicUrl": "https://dynamic.grafana.com",
@ -113,12 +138,18 @@ func TestPluginProxy(t *testing.T) {
return nil
})
httpReq, err := http.NewRequest(http.MethodGet, "", nil)
require.NoError(t, err)
req := getPluginProxiedRequest(
t,
&models.ReqContext{
SignedInUser: &models.SignedInUser{
Login: "test_user",
},
Context: &macaron.Context{
Req: httpReq,
},
},
&setting.Cfg{SendUserHeader: true},
route,
@ -138,12 +169,18 @@ func TestPluginProxy(t *testing.T) {
return nil
})
httpReq, err := http.NewRequest(http.MethodGet, "", nil)
require.NoError(t, err)
req := getPluginProxiedRequest(
t,
&models.ReqContext{
SignedInUser: &models.SignedInUser{
Login: "test_user",
},
Context: &macaron.Context{
Req: httpReq,
},
},
&setting.Cfg{SendUserHeader: true},
route,
@ -158,22 +195,38 @@ func TestPluginProxy(t *testing.T) {
Body: []byte(`{ "url": "{{.JsonData.dynamicUrl}}", "secret": "{{.SecureJsonData.key}}" }`),
}
bus.AddHandler("test", func(query *models.GetPluginSettingByIdQuery) error {
bus.AddHandlerCtx("test", func(ctx context.Context, query *models.GetPluginSettingByIdQuery) error {
encryptedJsonData, err := ossencryption.ProvideService().EncryptJsonData(
ctx,
map[string]string{"key": "123"},
setting.SecretKey,
)
if err != nil {
return err
}
query.Result = &models.PluginSetting{
JsonData: map[string]interface{}{
"dynamicUrl": "https://dynamic.grafana.com",
},
SecureJsonData: securejsondata.GetEncryptedJsonData(map[string]string{"key": "123"}),
SecureJsonData: encryptedJsonData,
}
return nil
})
httpReq, err := http.NewRequest(http.MethodGet, "", nil)
require.NoError(t, err)
req := getPluginProxiedRequest(
t,
&models.ReqContext{
SignedInUser: &models.SignedInUser{
Login: "test_user",
},
Context: &macaron.Context{
Req: httpReq,
},
},
&setting.Cfg{SendUserHeader: true},
route,
@ -194,7 +247,7 @@ func getPluginProxiedRequest(t *testing.T, ctx *models.ReqContext, cfg *setting.
ReqRole: models.ROLE_EDITOR,
}
}
proxy := NewApiPluginProxy(ctx, "", route, "", cfg)
proxy := NewApiPluginProxy(ctx, "", route, "", cfg, ossencryption.ProvideService())
req, err := http.NewRequest(http.MethodGet, "/api/plugin-proxy/grafana-simple-app/api/v4/alerts", nil)
require.NoError(t, err)
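Review bot: In the `-25,8 +26,8` hunk the new handler encrypts the fixture with the literal `"password"`, while the `-158,22 +195,38` hunk passes `setting.SecretKey` to `EncryptJsonData`. The two agree only because the test assigns `setting.SecretKey = "password"` on the line above the first handler. I would write `key, err := ossencryption.ProvideService().Encrypt(ctx, []byte("123"), setting.SecretKey)` so that both fixtures are visibly encrypted under the same configured key, which is presumably the one the proxy decrypts with. A later change to the test key then cannot leave one fixture encrypted under a stale secret. The body of `TestPluginProxy` extends beyond the hunks shown, so other call sites may need the same change.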