Encryption: Refactor securejsondata.SecureJsonData to stop relying on global functions (#38865)

* Encryption: Add support to encrypt/decrypt sjd

* Add datasources.Service as a proxy to datasources db operations

* Encrypt ds.SecureJsonData before calling SQLStore

* Move ds cache code into ds service

* Fix tlsmanager tests

* Fix pluginproxy tests

* Remove some securejsondata.GetEncryptedJsonData usages

* Add pluginsettings.Service as a proxy for plugin settings db operations

* Add AlertNotificationService as a proxy for alert notification db operations

* Remove some securejsondata.GetEncryptedJsonData usages

* Remove more securejsondata.GetEncryptedJsonData usages

* Fix lint errors

* Minor fixes

* Remove encryption global functions usages from ngalert

* Fix lint errors

* Minor fixes

* Minor fixes

* Remove securejsondata.DecryptedValue usage

* Refactor the refactor

* Remove securejsondata.DecryptedValue usage

* Move securejsondata to migrations package

* Move securejsondata to migrations package

* Minor fix

* Fix integration test

* Fix integration tests

* Undo undesired changes

* Fix tests

* Add context.Context into encryption methods

* Fix tests

* Fix tests

* Fix tests

* Trigger CI

* Fix test

* Add names to params of encryption service interface

* Remove bus from CacheServiceImpl

* Add logging

* Add keys to logger

Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>

* Add missing key to logger

Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>

* Undo changes in markdown files

* Fix formatting

* Add context to secrets service

* Rename decryptSecureJsonData to decryptSecureJsonDataFn

* Name args in GetDecryptedValueFn

* Add template back to NewAlertmanagerNotifier

* Copy GetDecryptedValueFn to ngalert

* Add logging to pluginsettings

* Fix pluginsettings test

Co-authored-by: Tania B <yalyna.ts@gmail.com>
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>

pkg/plugins/plugincontext/plugincontext.go

@@ -1,36 +1,47 @@
 package plugincontext
 
 import (
+	"context"
 	"encoding/json"
 	"errors"
 	"time"
 
 	"github.com/grafana/grafana-plugin-sdk-go/backend"
-
 	"github.com/grafana/grafana/pkg/bus"
 	"github.com/grafana/grafana/pkg/infra/localcache"
+	"github.com/grafana/grafana/pkg/infra/log"
 	"github.com/grafana/grafana/pkg/models"
 	"github.com/grafana/grafana/pkg/plugins"
 	"github.com/grafana/grafana/pkg/plugins/adapters"
 	"github.com/grafana/grafana/pkg/services/datasources"
+	"github.com/grafana/grafana/pkg/services/encryption"
+	"github.com/grafana/grafana/pkg/services/pluginsettings"
+	"github.com/grafana/grafana/pkg/setting"
 	"github.com/grafana/grafana/pkg/util/errutil"
 )
 
 func ProvideService(bus bus.Bus, cacheService *localcache.CacheService, pluginManager plugins.Manager,
-	dataSourceCache datasources.CacheService) *Provider {
+	dataSourceCache datasources.CacheService, encryptionService encryption.Service,
+	pluginSettingsService *pluginsettings.Service) *Provider {
 	return &Provider{
-		Bus:             bus,
-		CacheService:    cacheService,
-		PluginManager:   pluginManager,
-		DataSourceCache: dataSourceCache,
+		Bus:                   bus,
+		CacheService:          cacheService,
+		PluginManager:         pluginManager,
+		DataSourceCache:       dataSourceCache,
+		EncryptionService:     encryptionService,
+		PluginSettingsService: pluginSettingsService,
+		logger:                log.New("plugincontext"),
 	}
 }
 
 type Provider struct {
-	Bus             bus.Bus
-	CacheService    *localcache.CacheService
-	PluginManager   plugins.Manager
-	DataSourceCache datasources.CacheService
+	Bus                   bus.Bus
+	CacheService          *localcache.CacheService
+	PluginManager         plugins.Manager
+	DataSourceCache       datasources.CacheService
+	EncryptionService     encryption.Service
+	PluginSettingsService *pluginsettings.Service
+	logger                log.Logger
 }
 
 // Get allows getting plugin context by its ID. If datasourceUID is not empty string
@@ -59,7 +70,7 @@ func (p *Provider) Get(pluginID string, datasourceUID string, user *models.Signe
 		if err != nil {
 			return pc, false, errutil.Wrap("Failed to unmarshal plugin json data", err)
 		}
-		decryptedSecureJSONData = ps.DecryptedValues()
+		decryptedSecureJSONData = p.PluginSettingsService.DecryptedValues(ps)
 		updated = ps.Updated
 	}
 
@@ -79,7 +90,7 @@ func (p *Provider) Get(pluginID string, datasourceUID string, user *models.Signe
 		if err != nil {
 			return pc, false, errutil.Wrap("Failed to get datasource", err)
 		}
-		datasourceSettings, err := adapters.ModelToInstanceSettings(ds)
+		datasourceSettings, err := adapters.ModelToInstanceSettings(ds, p.decryptSecureJsonDataFn())
 		if err != nil {
 			return pc, false, errutil.Wrap("Failed to convert datasource", err)
 		}
@@ -110,3 +121,13 @@ func (p *Provider) getCachedPluginSettings(pluginID string, user *models.SignedI
 	p.CacheService.Set(cacheKey, query.Result, pluginSettingsCacheTTL)
 	return query.Result, nil
 }
+
+func (p *Provider) decryptSecureJsonDataFn() func(map[string][]byte) map[string]string {
+	return func(m map[string][]byte) map[string]string {
+		decryptedJsonData, err := p.EncryptionService.DecryptJsonData(context.Background(), m, setting.SecretKey)
+		if err != nil {
+			p.logger.Error("Failed to decrypt secure json data", "error", err)
+		}
+		return decryptedJsonData
+	}
+}