Postgres: allow providing TLS/SSL certificates as text in addition to file paths (#30353)

* postgres SSL certification

* add back the UI to configure SSL Authentication files by file path

* add backend logic

* correct unittest

* mini changes

* Update public/app/plugins/datasource/postgres/config_ctrl.ts

Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>

* Update public/app/plugins/datasource/postgres/partials/config.html

Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>

* mutex

* check file exist before remove

* change permission

* change default configuremethod to file-path

* Update public/app/plugins/datasource/postgres/partials/config.html

Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>

* Update public/app/plugins/datasource/postgres/partials/config.html

Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>

* Update public/app/plugins/datasource/postgres/partials/config.html

Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>

* Update public/app/plugins/datasource/postgres/partials/config.html

Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>

* rename sslconfiguremethod to sslconfigurationmethod

* frontend update

* solve comments

* Postgres: Convert tests to stdlib

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>

* Postgres: Be consistent about TLS/SSL terminology

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>

* fix init inconsistency

* Fix tests

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>

* naming convention

* Fix tests

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>

* Fix tests

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>

* Undo change

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>

* Fix TLS issue

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>

* Fix tests

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>

* Fix tests

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>

* change permissions

* Fix data source field names

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>

* Clean up HTML

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>

* Improve popover text

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>

* Fix SSL input bug

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>

* Undo unnecessary change

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>

* Clean up backend code

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>

* Fix build

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>

* More consistent naming

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>

* Clean up code

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>

* Enforce certificate file permissions

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>

* add settings

* Undo changes

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>

* fix windows file path

* PostgresDataSource: Fix mutex usage

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>

* Fix tests

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>

* Update pkg/tsdb/postgres/postgres.go

Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>

* Apply suggestions from code review

Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>

* fix compilation

* fix unittest

* Apply suggestions from code review

Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>

* Apply suggestions from code review

Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>

* mock function

* change kmutex package

* add kmutex into middleware

* lock connection file per datasource

* add unittest regarding concurrency

* version should be equal

* adding unittest

* fix the loop

* fix unittest

* fix postgres unittest

* remove comments

* move dataPath from arg to tlsManager struct field

* Use DecryptedValues method

Use cached decrypted values instead of
using secure json data decrypt which will
decrypt unchanged values over and over again.

* remove unneeded mutex in tests and cleanup tests

* fix the lint

Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
Author: ying-jeanne, 2021-02-23 22:10:55 +01:00, committed by GitHub
Parent: 19c12b5451
Commit: c57047a420
10 changed files with 883 additions and 116 deletions

File: public/app/plugins/datasource/postgres/config_ctrl.ts

@ -19,11 +19,13 @@ export class PostgresConfigCtrl {
constructor($scope: any, datasourceSrv: DatasourceSrv) {
this.datasourceSrv = datasourceSrv;
this.current.jsonData.sslmode = this.current.jsonData.sslmode || 'verify-full';
this.current.jsonData.tlsConfigurationMethod = this.current.jsonData.tlsConfigurationMethod || 'file-path';
this.current.jsonData.postgresVersion = this.current.jsonData.postgresVersion || 903;
this.showTimescaleDBHelp = false;
this.autoDetectFeatures();
this.onPasswordReset = createResetHandler(this, PasswordFieldEnum.Password);
this.onPasswordChange = createChangeHandler(this, PasswordFieldEnum.Password);
this.tlsModeMapping();
}
autoDetectFeatures() {
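Review bot: the new this.tlsModeMapping() call at the end of the constructor runs every time the config page is opened and unconditionally rewrites jsonData.tlsAuth, tlsAuthWithCACert and tlsSkipVerify, so an existing data source saved with different values for those flags has them silently replaced the next time the form is saved. The two lines above only apply a default when the field is unset (`|| 'verify-full'`, `|| 'file-path'`); the mapping should follow the same pattern and only fill the flags in when they are undefined, leaving the ng-change handler on the sslmode select to update them when the user actually changes the mode.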
@ -62,6 +64,18 @@ export class PostgresConfigCtrl {
this.showTimescaleDBHelp = !this.showTimescaleDBHelp;
}
tlsModeMapping() {
if (this.current.jsonData.sslmode === 'disable') {
this.current.jsonData.tlsAuth = false;
this.current.jsonData.tlsAuthWithCACert = false;
this.current.jsonData.tlsSkipVerify = true;
} else {
this.current.jsonData.tlsAuth = true;
this.current.jsonData.tlsAuthWithCACert = true;
this.current.jsonData.tlsSkipVerify = false;
}
}
// the value portion is derived from postgres server_version_num/100
postgresVersions = [
{ name: '9.3', value: 903 },
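Review bot: tlsModeMapping() forces tlsAuth = true and tlsAuthWithCACert = true for every sslmode other than 'disable', which does not match what those modes mean in PostgreSQL: 'require' encrypts the connection without validating the server certificate against a CA, and none of 'require', 'verify-ca' or 'verify-full' requires a client certificate, which is a separate, optional authentication choice. As written, selecting 'require' declares both CA verification and client-certificate auth to be on. Suggest deriving the CA flag from the mode, e.g. `this.current.jsonData.tlsAuthWithCACert = ['verify-ca', 'verify-full'].includes(this.current.jsonData.sslmode);`, and not forcing tlsAuth at all. Setting tlsSkipVerify = true for 'disable' also reads oddly, since no TLS is negotiated in that mode; the backend should branch on sslmode rather than on a verification flag there.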

File: public/app/plugins/datasource/postgres/partials/config.html

@ -28,45 +28,72 @@
/>
</div>
</div>
<div class="gf-form">
<label class="gf-form-label width-10">TLS/SSL Mode</label>
<div class="gf-form-select-wrapper max-width-15 gf-form-select-wrapper--has-help-icon">
<select class="gf-form-input" ng-model="ctrl.current.jsonData.sslmode"
ng-options="mode for mode in ['disable', 'require', 'verify-ca', 'verify-full']"
ng-init="ctrl.current.jsonData.sslmode"></select>
ng-init="ctrl.current.jsonData.sslmode" ng-change="ctrl.tlsModeMapping()"></select>
<info-popover mode="right-absolute">
This option determines whether or with what priority a secure TLS/SSL TCP/IP connection will be negotiated with the server.
</info-popover>
</div>
</div>
<div class="gf-form max-width-30" ng-if="ctrl.current.jsonData.sslmode != 'disable'">
<div class="gf-form" ng-if="ctrl.current.jsonData.sslmode != 'disable'">
<label class="gf-form-label width-10">TLS/SSL Method</label>
<div class="gf-form-select-wrapper max-width-15 gf-form-select-wrapper--has-help-icon">
<select class="gf-form-input" ng-model="ctrl.current.jsonData.tlsConfigurationMethod"
ng-options="f.id as f.label for f in [{ id: 'file-path', label: 'File system path' }, { id: 'file-content', label: 'Certificate content' }]"
ng-init="ctrl.current.jsonData.tlsConfigurationMethod"></select>
<info-popover mode="right-absolute">
This option determines how TLS/SSL certifications are configured. Selecting <i>File system path</i> will allow
you to configure certificates by specifying paths to existing certificates on the local file system where
Grafana is running. Be sure that the file is readable by the user executing the Grafana process.<br><br>
Selecting <i>Certificate content</i> will allow you to configure certificates by specifying its content.
The content will be stored encrypted in Grafana's database. When connecting to the database the certificates
will be written as files to Grafana's configured data path on the local file system.
</info-popover>
</div>
</div>
</div>
<div class="gf-form-group" ng-if="ctrl.current.jsonData.sslmode != 'disable' && ctrl.current.jsonData.tlsConfigurationMethod === 'file-path'">
<div class="gf-form">
<h6>TLS/SSL Auth Details</h6>
</div>
<div class="gf-form max-width-30">
<span class="gf-form-label width-10">TLS/SSL Root Certificate</span>
<input type="text" class="gf-form-input gf-form-input--has-help-icon"
ng-model='ctrl.current.jsonData.sslRootCertFile' placeholder="TLS/SSL root cert file"></input>
<info-popover mode="right-absolute">
If the selected TLS/SSL mode requires a server root certificate, provide the path to the file here.
Be sure that the file is readable by the user executing the grafana process.
If the selected TLS/SSL mode requires a server root certificate, provide the path to the file here.
</info-popover>
</div>
<div class="gf-form max-width-30" ng-if="ctrl.current.jsonData.sslmode != 'disable'">
<div class="gf-form max-width-30">
<span class="gf-form-label width-10">TLS/SSL Client Certificate</span>
<input type="text" class="gf-form-input gf-form-input--has-help-icon" ng-model='ctrl.current.jsonData.sslCertFile'
placeholder="TLS/SSL client cert file"></input>
placeholder="TLS/SSL client cert file"></input>
<info-popover mode="right-absolute">
To authenticate with an TLS/SSL client certificate, provide the path to the file here.
Be sure that the file is readable by the user executing the grafana process.
</info-popover>
</div>
<div class="gf-form max-width-30" ng-if="ctrl.current.jsonData.sslmode != 'disable'">
<div class="gf-form max-width-30">
<span class="gf-form-label width-10">TLS/SSL Client Key</span>
<input type="text" class="gf-form-input gf-form-input--has-help-icon" ng-model='ctrl.current.jsonData.sslKeyFile'
placeholder="TLS/SSL client key file"></input>
placeholder="TLS/SSL client key file"></input>
<info-popover mode="right-absolute">
To authenticate with a client TLS/SSL certificate, provide the path to the corresponding key file here.
Be sure that the file is <i>only</i> readable by the user executing the grafana process.
</info-popover>
</div>
</div>
<datasource-tls-auth-settings current="ctrl.current"
ng-if="ctrl.current.jsonData.sslmode != 'disable' && ctrl.current.jsonData.tlsConfigurationMethod === 'file-content'">
</datasource-tls-auth-settings>
<b>Connection limits</b>
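Review bot: the 'Certificate content' popover tells the user that certificates "will be written as files to Grafana's configured data path" but says nothing about who can read those files or when they are removed, which is exactly what an operator deciding whether to paste a client key needs to know; the commit log includes 'Enforce certificate file permissions' and 'check file exist before remove', so state the permission the files are written with and that they are (re)written per data source on connect. Smaller points in the same hunk: the root certificate popover drops its "Be sure that the file is readable by the user executing the grafana process" sentence while the client certificate and key popovers keep theirs, so either keep it everywhere or drop it everywhere now that the method popover covers readability; "TLS/SSL certifications" in the method popover should read "certificates"; and "an TLS/SSL client certificate" should read "a TLS/SSL client certificate".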
@ -74,7 +101,7 @@
<div class="gf-form max-width-15">
<span class="gf-form-label width-7">Max open</span>
<input type="number" min="0" class="gf-form-input gf-form-input--has-help-icon"
ng-model="ctrl.current.jsonData.maxOpenConns" placeholder="unlimited"></input>
ng-model="ctrl.current.jsonData.maxOpenConns" placeholder="unlimited"></input>
<info-popover mode="right-absolute">
The maximum number of open connections to the database. If <i>Max idle connections</i> is greater than 0 and the
<i>Max open connections</i> is less than <i>Max idle connections</i>, then <i>Max idle connections</i> will be
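Review bot: this hunk, and the two that follow for Max idle and Max lifetime, only re-indent an unchanged `<input>` line; formatting-only churn in a feature change makes the TLS diff harder to review and is better kept in the separate 'Clean up HTML' commit or dropped. While these lines are being touched, `</input>` is not valid HTML because input is a void element, so the closing tag can be removed in all three places.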
@ -85,7 +112,7 @@
<div class="gf-form max-width-15">
<span class="gf-form-label width-7">Max idle</span>
<input type="number" min="0" class="gf-form-input gf-form-input--has-help-icon"
ng-model="ctrl.current.jsonData.maxIdleConns" placeholder="2"></input>
ng-model="ctrl.current.jsonData.maxIdleConns" placeholder="2"></input>
<info-popover mode="right-absolute">
The maximum number of connections in the idle connection pool. If <i>Max open connections</i> is greater than 0 but
less than the <i>Max idle connections</i>, then the <i>Max idle connections</i> will be reduced to match the
@ -95,7 +122,7 @@
<div class="gf-form max-width-15">
<span class="gf-form-label width-7">Max lifetime</span>
<input type="number" min="0" class="gf-form-input gf-form-input--has-help-icon"
ng-model="ctrl.current.jsonData.connMaxLifetime" placeholder="14400"></input>
ng-model="ctrl.current.jsonData.connMaxLifetime" placeholder="14400"></input>
<info-popover mode="right-absolute">
The maximum amount of time in seconds a connection may be reused. If set to 0, connections are reused forever.
</info-popover>