Secrets: add better error handling for secret plugin failures when updating datasources (#50542)

* Add protobuf config and generated code, and client wrapper

* wire up loading of secretsmanager plugin, using renderer plugin as a model

* update kvstore provider to check if we should use the grpc plugin. return false always in OSS

* add OSS remote plugin check

* refactor wire gen file

* log which secrets manager is being used

* Fix argument types for remote checker

* Turns out if err != nil, then the result is always nil. Return empty values if there is an error.

* remove duplicate import

* ensure atomicity by adding secret management as a step to sql operations and rolling back if necessary

* Update pkg/services/secrets/kvstore/kvstore.go

Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>

* Update pkg/services/secrets/kvstore/kvstore.go

Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>

* refactor RemotePluginCheck interface to just return the Plugin client directly

* rename struct to something less silly

* add special error handling for remote secrets management

* switch to errors.as instead of type inference

* remove unnecessary rollback call

* just declare error once

* refactor .proto file according to prior PR suggestions

* re-generate protobuf files and fix compilation errors

* only wrap (ergo display in the front end) errors that are user friendly from the plugin

* rename error type to suggest user friendly only

* rename plugin functions to be more descriptive

* change delete message name

* Revert "change delete message name"

This reverts commit 8ca978301eea45d3cc6a22cda15b9d099c533955.

* Revert "rename plugin functions to be more descriptive"

This reverts commit 4355c9b9ff95443f74c0b588d1ffeabb544f1a34.

* fix pointer to pointer problem

* change plugin user error to just hold a string

* fix sequencing problem with datasource updates

* clean up some return statements

* need to wrap multiple transactions with the InTransaction() func in order to keep the lock

* make linter happy

* revert input var name

Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>

pkg/api/datasources.go

@@ -24,6 +24,7 @@ import (
 )
 
 var datasourcesLogger = log.New("datasources")
+var secretsPluginError models.ErrDatasourceSecretsPluginUserFriendly
 
 func (hs *HTTPServer) GetDataSources(c *models.ReqContext) response.Response {
 	query := models.GetDataSourcesQuery{OrgId: c.OrgId, DataSourceLimit: hs.Cfg.DataSourceLimit}
@@ -127,6 +128,9 @@ func (hs *HTTPServer) DeleteDataSourceById(c *models.ReqContext) response.Respon
 
 	err = hs.DataSourcesService.DeleteDataSource(c.Req.Context(), cmd)
 	if err != nil {
+		if errors.As(err, &secretsPluginError) {
+			return response.Error(500, "Failed to delete datasource: "+err.Error(), err)
+		}
 		return response.Error(500, "Failed to delete datasource", err)
 	}
 
@@ -178,6 +182,9 @@ func (hs *HTTPServer) DeleteDataSourceByUID(c *models.ReqContext) response.Respo
 
 	err = hs.DataSourcesService.DeleteDataSource(c.Req.Context(), cmd)
 	if err != nil {
+		if errors.As(err, &secretsPluginError) {
+			return response.Error(500, "Failed to delete datasource: "+err.Error(), err)
+		}
 		return response.Error(500, "Failed to delete datasource", err)
 	}
 
@@ -212,6 +219,9 @@ func (hs *HTTPServer) DeleteDataSourceByName(c *models.ReqContext) response.Resp
 	cmd := &models.DeleteDataSourceCommand{Name: name, OrgID: c.OrgId}
 	err := hs.DataSourcesService.DeleteDataSource(c.Req.Context(), cmd)
 	if err != nil {
+		if errors.As(err, &secretsPluginError) {
+			return response.Error(500, "Failed to delete datasource: "+err.Error(), err)
+		}
 		return response.Error(500, "Failed to delete datasource", err)
 	}
 
@@ -252,6 +262,10 @@ func (hs *HTTPServer) AddDataSource(c *models.ReqContext) response.Response {
 			return response.Error(409, err.Error(), err)
 		}
 
+		if errors.As(err, &secretsPluginError) {
+			return response.Error(500, "Failed to add datasource: "+err.Error(), err)
+		}
+
 		return response.Error(500, "Failed to add datasource", err)
 	}
 
@@ -323,6 +337,10 @@ func (hs *HTTPServer) updateDataSourceByID(c *models.ReqContext, ds *models.Data
 		if errors.Is(err, models.ErrDataSourceUpdatingOldVersion) {
 			return response.Error(409, "Datasource has already been updated by someone else. Please reload and try again", err)
 		}
+
+		if errors.As(err, &secretsPluginError) {
+			return response.Error(500, "Failed to update datasource: "+err.Error(), err)
+		}
 		return response.Error(500, "Failed to update datasource", err)
 	}