Encryption: Use secrets service (#40251)

* Use secrets service in pluginproxy

* Use secrets service in pluginxontext

* Use secrets service in pluginsettings

* Use secrets service in provisioning

* Use secrets service in authinfoservice

* Use secrets service in api

* Use secrets service in sqlstore

* Use secrets service in dashboardshapshots

* Use secrets service in tsdb

* Use secrets service in datasources

* Use secrets service in alerting

* Use secrets service in ngalert

* Break cyclic dependancy

* Refactor service

* Break cyclic dependancy

* Add FakeSecretsStore

* Setup Secrets Service in sqlstore

* Fix

* Continue secrets service refactoring

* Fix cyclic dependancy in sqlstore tests

* Fix secrets service references

* Fix linter errors

* Add fake secrets service for tests

* Refactor SetupTestSecretsService

* Update setting up secret service in tests

* Fix missing secrets service in multiorg_alertmanager_test

* Use fake db in tests and sort imports

* Use fake db in datasources tests

* Fix more tests

* Fix linter issues

* Attempt to fix plugin proxy tests

* Pass secrets service to getPluginProxiedRequest in pluginproxy tests

* Fix pluginproxy tests

* Revert using secrets service in alerting and provisioning

* Update decryptFn in alerting migration

* Rename defaultProvider to currentProvider

* Use fake secrets service in alert channels tests

* Refactor secrets service test helper

* Update setting up secrets service in tests

* Revert alerting changes in api

* Add comments

* Remove secrets service from background services

* Convert global encryption functions into vars

* Revert "Convert global encryption functions into vars"

This reverts commit 498eb19859.

* Add feature toggle for envelope encryption

* Rename toggle

Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
Co-authored-by: Joan López de la Franca Beltran <joanjan14@gmail.com>

pkg/api/pluginproxy/ds_proxy.go

@@ -251,7 +251,7 @@ func (proxy *DataSourceProxy) director(req *http.Request) {
 		}
 	}
 
-	secureJsonData, err := proxy.dataSourcesService.EncryptionService.DecryptJsonData(req.Context(), proxy.ds.SecureJsonData, setting.SecretKey)
+	secureJsonData, err := proxy.dataSourcesService.SecretsService.DecryptJsonData(req.Context(), proxy.ds.SecureJsonData)
 	if err != nil {
 		logger.Error("Error interpolating proxy url", "error", err)
 		return

pkg/api/pluginproxy/ds_proxy_test.go

@@ -19,8 +19,10 @@ import (
 	"github.com/grafana/grafana/pkg/models"
 	"github.com/grafana/grafana/pkg/plugins"
 	"github.com/grafana/grafana/pkg/services/datasources"
-	"github.com/grafana/grafana/pkg/services/encryption/ossencryption"
 	"github.com/grafana/grafana/pkg/services/oauthtoken"
+	"github.com/grafana/grafana/pkg/services/secrets"
+	"github.com/grafana/grafana/pkg/services/secrets/fakes"
+	secretsManager "github.com/grafana/grafana/pkg/services/secrets/manager"
 	"github.com/grafana/grafana/pkg/setting"
 	"github.com/grafana/grafana/pkg/web"
 	"github.com/stretchr/testify/assert"
@@ -83,7 +85,8 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
 		})
 		setting.SecretKey = "password" //nolint:goconst
 
-		key, err := ossencryption.ProvideService().Encrypt(context.Background(), []byte("123"), "password")
+		secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
+		key, err := secretsService.Encrypt(context.Background(), []byte("123"), secrets.WithoutScope())
 		require.NoError(t, err)
 
 		ds := &models.DataSource{
@@ -122,7 +125,7 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
 
 		t.Run("When matching route path", func(t *testing.T) {
 			ctx, req := setUp()
-			dsService := datasources.ProvideService(bus.New(), nil, ossencryption.ProvideService())
+			dsService := datasources.ProvideService(bus.New(), nil, secretsService)
 			proxy, err := NewDataSourceProxy(ds, routes, ctx, "api/v4/some/method", cfg, httpClientProvider,
 				&oauthtoken.Service{}, dsService)
 			require.NoError(t, err)
@@ -135,7 +138,7 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
 
 		t.Run("When matching route path and has dynamic url", func(t *testing.T) {
 			ctx, req := setUp()
-			dsService := datasources.ProvideService(bus.New(), nil, ossencryption.ProvideService())
+			dsService := datasources.ProvideService(bus.New(), nil, secretsService)
 			proxy, err := NewDataSourceProxy(ds, routes, ctx, "api/common/some/method", cfg, httpClientProvider, &oauthtoken.Service{}, dsService)
 			require.NoError(t, err)
 			proxy.matchedRoute = routes[3]
@@ -147,7 +150,7 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
 
 		t.Run("When matching route path with no url", func(t *testing.T) {
 			ctx, req := setUp()
-			dsService := datasources.ProvideService(bus.New(), nil, ossencryption.ProvideService())
+			dsService := datasources.ProvideService(bus.New(), nil, secretsService)
 			proxy, err := NewDataSourceProxy(ds, routes, ctx, "", cfg, httpClientProvider, &oauthtoken.Service{}, dsService)
 			require.NoError(t, err)
 			proxy.matchedRoute = routes[4]
@@ -158,7 +161,7 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
 
 		t.Run("When matching route path and has dynamic body", func(t *testing.T) {
 			ctx, req := setUp()
-			dsService := datasources.ProvideService(bus.New(), nil, ossencryption.ProvideService())
+			dsService := datasources.ProvideService(bus.New(), nil, secretsService)
 			proxy, err := NewDataSourceProxy(ds, routes, ctx, "api/body", cfg, httpClientProvider, &oauthtoken.Service{}, dsService)
 			require.NoError(t, err)
 			proxy.matchedRoute = routes[5]
@@ -172,7 +175,7 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
 		t.Run("Validating request", func(t *testing.T) {
 			t.Run("plugin route with valid role", func(t *testing.T) {
 				ctx, _ := setUp()
-				dsService := datasources.ProvideService(bus.New(), nil, ossencryption.ProvideService())
+				dsService := datasources.ProvideService(bus.New(), nil, secretsService)
 				proxy, err := NewDataSourceProxy(ds, routes, ctx, "api/v4/some/method", cfg, httpClientProvider, &oauthtoken.Service{}, dsService)
 				require.NoError(t, err)
 				err = proxy.validateRequest()
@@ -181,7 +184,7 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
 
 			t.Run("plugin route with admin role and user is editor", func(t *testing.T) {
 				ctx, _ := setUp()
-				dsService := datasources.ProvideService(bus.New(), nil, ossencryption.ProvideService())
+				dsService := datasources.ProvideService(bus.New(), nil, secretsService)
 				proxy, err := NewDataSourceProxy(ds, routes, ctx, "api/admin", cfg, httpClientProvider, &oauthtoken.Service{}, dsService)
 				require.NoError(t, err)
 				err = proxy.validateRequest()
@@ -191,7 +194,7 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
 			t.Run("plugin route with admin role and user is admin", func(t *testing.T) {
 				ctx, _ := setUp()
 				ctx.SignedInUser.OrgRole = models.ROLE_ADMIN
-				dsService := datasources.ProvideService(bus.New(), nil, ossencryption.ProvideService())
+				dsService := datasources.ProvideService(bus.New(), nil, secretsService)
 				proxy, err := NewDataSourceProxy(ds, routes, ctx, "api/admin", cfg, httpClientProvider, &oauthtoken.Service{}, dsService)
 				require.NoError(t, err)
 				err = proxy.validateRequest()
@@ -236,7 +239,8 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
 		})
 		setting.SecretKey = "password"
 
-		key, err := ossencryption.ProvideService().Encrypt(context.Background(), []byte("123"), "password")
+		secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
+		key, err := secretsService.Encrypt(context.Background(), []byte("123"), secrets.WithoutScope())
 		require.NoError(t, err)
 
 		ds := &models.DataSource{
@@ -281,7 +285,7 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
 					},
 				}
 
-				dsService := datasources.ProvideService(bus.New(), nil, ossencryption.ProvideService())
+				dsService := datasources.ProvideService(bus.New(), nil, secretsService)
 				proxy, err := NewDataSourceProxy(ds, routes, ctx, "pathwithtoken1", cfg, httpClientProvider, &oauthtoken.Service{}, dsService)
 				require.NoError(t, err)
 				ApplyRoute(proxy.ctx.Req.Context(), req, proxy.proxyPath, routes[0], dsInfo, cfg)
@@ -297,7 +301,7 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
 					req, err := http.NewRequest("GET", "http://localhost/asd", nil)
 					require.NoError(t, err)
 					client = newFakeHTTPClient(t, json2)
-					dsService := datasources.ProvideService(bus.New(), nil, ossencryption.ProvideService())
+					dsService := datasources.ProvideService(bus.New(), nil, secretsService)
 					proxy, err := NewDataSourceProxy(ds, routes, ctx, "pathwithtoken2", cfg, httpClientProvider, &oauthtoken.Service{}, dsService)
 					require.NoError(t, err)
 					ApplyRoute(proxy.ctx.Req.Context(), req, proxy.proxyPath, routes[1], dsInfo, cfg)
@@ -314,7 +318,7 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
 						require.NoError(t, err)
 
 						client = newFakeHTTPClient(t, []byte{})
-						dsService := datasources.ProvideService(bus.New(), nil, ossencryption.ProvideService())
+						dsService := datasources.ProvideService(bus.New(), nil, secretsService)
 						proxy, err := NewDataSourceProxy(ds, routes, ctx, "pathwithtoken1", cfg, httpClientProvider, &oauthtoken.Service{}, dsService)
 						require.NoError(t, err)
 						ApplyRoute(proxy.ctx.Req.Context(), req, proxy.proxyPath, routes[0], dsInfo, cfg)
@@ -335,7 +339,8 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
 		ds := &models.DataSource{Url: "htttp://graphite:8080", Type: models.DS_GRAPHITE}
 		ctx := &models.ReqContext{}
 
-		dsService := datasources.ProvideService(bus.New(), nil, ossencryption.ProvideService())
+		secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
+		dsService := datasources.ProvideService(bus.New(), nil, secretsService)
 		proxy, err := NewDataSourceProxy(ds, routes, ctx, "/render", &setting.Cfg{BuildVersion: "5.3.0"}, httpClientProvider, &oauthtoken.Service{}, dsService)
 		require.NoError(t, err)
 		req, err := http.NewRequest(http.MethodGet, "http://grafana.com/sub", nil)
@@ -360,7 +365,8 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
 
 		ctx := &models.ReqContext{}
 		var routes []*plugins.Route
-		dsService := datasources.ProvideService(bus.New(), nil, ossencryption.ProvideService())
+		secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
+		dsService := datasources.ProvideService(bus.New(), nil, secretsService)
 		proxy, err := NewDataSourceProxy(ds, routes, ctx, "", &setting.Cfg{}, httpClientProvider, &oauthtoken.Service{}, dsService)
 		require.NoError(t, err)
 
@@ -383,7 +389,8 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
 
 		ctx := &models.ReqContext{}
 		var routes []*plugins.Route
-		dsService := datasources.ProvideService(bus.New(), nil, ossencryption.ProvideService())
+		secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
+		dsService := datasources.ProvideService(bus.New(), nil, secretsService)
 		proxy, err := NewDataSourceProxy(ds, routes, ctx, "", &setting.Cfg{}, httpClientProvider, &oauthtoken.Service{}, dsService)
 		require.NoError(t, err)
 
@@ -410,7 +417,8 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
 
 		ctx := &models.ReqContext{}
 		var pluginRoutes []*plugins.Route
-		dsService := datasources.ProvideService(bus.New(), nil, ossencryption.ProvideService())
+		secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
+		dsService := datasources.ProvideService(bus.New(), nil, secretsService)
 		proxy, err := NewDataSourceProxy(ds, pluginRoutes, ctx, "", &setting.Cfg{}, httpClientProvider, &oauthtoken.Service{}, dsService)
 		require.NoError(t, err)
 
@@ -432,7 +440,8 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
 		}
 		ctx := &models.ReqContext{}
 		var routes []*plugins.Route
-		dsService := datasources.ProvideService(bus.New(), nil, ossencryption.ProvideService())
+		secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
+		dsService := datasources.ProvideService(bus.New(), nil, secretsService)
 		proxy, err := NewDataSourceProxy(ds, routes, ctx, "/path/to/folder/", &setting.Cfg{}, httpClientProvider, &oauthtoken.Service{}, dsService)
 		require.NoError(t, err)
 		req, err := http.NewRequest(http.MethodGet, "http://grafana.com/sub", nil)
@@ -488,7 +497,8 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
 			oAuthEnabled: true,
 		}
 		var routes []*plugins.Route
-		dsService := datasources.ProvideService(bus.New(), nil, ossencryption.ProvideService())
+		secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
+		dsService := datasources.ProvideService(bus.New(), nil, secretsService)
 		proxy, err := NewDataSourceProxy(ds, routes, ctx, "/path/to/folder/", &setting.Cfg{}, httpClientProvider, &mockAuthToken, dsService)
 		require.NoError(t, err)
 		req, err = http.NewRequest(http.MethodGet, "http://grafana.com/sub", nil)
@@ -539,22 +549,24 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
 	})
 
 	t.Run("When proxying data source proxy should handle authentication", func(t *testing.T) {
+		secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
+
 		tests := []*testCase{
-			createAuthTest(t, models.DS_INFLUXDB_08, authTypePassword, authCheckQuery, false),
-			createAuthTest(t, models.DS_INFLUXDB_08, authTypePassword, authCheckQuery, true),
-			createAuthTest(t, models.DS_INFLUXDB, authTypePassword, authCheckHeader, true),
-			createAuthTest(t, models.DS_INFLUXDB, authTypePassword, authCheckHeader, false),
-			createAuthTest(t, models.DS_INFLUXDB, authTypeBasic, authCheckHeader, true),
-			createAuthTest(t, models.DS_INFLUXDB, authTypeBasic, authCheckHeader, false),
+			createAuthTest(t, secretsService, models.DS_INFLUXDB_08, authTypePassword, authCheckQuery, false),
+			createAuthTest(t, secretsService, models.DS_INFLUXDB_08, authTypePassword, authCheckQuery, true),
+			createAuthTest(t, secretsService, models.DS_INFLUXDB, authTypePassword, authCheckHeader, true),
+			createAuthTest(t, secretsService, models.DS_INFLUXDB, authTypePassword, authCheckHeader, false),
+			createAuthTest(t, secretsService, models.DS_INFLUXDB, authTypeBasic, authCheckHeader, true),
+			createAuthTest(t, secretsService, models.DS_INFLUXDB, authTypeBasic, authCheckHeader, false),
 
 			// These two should be enough for any other datasource at the moment. Proxy has special handling
 			// only for Influx, others have the same path and only BasicAuth. Non BasicAuth datasources
 			// do not go through proxy but through TSDB API which is not tested here.
-			createAuthTest(t, models.DS_ES, authTypeBasic, authCheckHeader, false),
-			createAuthTest(t, models.DS_ES, authTypeBasic, authCheckHeader, true),
+			createAuthTest(t, secretsService, models.DS_ES, authTypeBasic, authCheckHeader, false),
+			createAuthTest(t, secretsService, models.DS_ES, authTypeBasic, authCheckHeader, true),
 		}
 		for _, test := range tests {
-			runDatasourceAuthTest(t, test)
+			runDatasourceAuthTest(t, secretsService, test)
 		}
 	})
 }
@@ -613,9 +625,9 @@ func TestDataSourceProxy_requestHandling(t *testing.T) {
 
 	t.Run("When response header Set-Cookie is not set should remove proxied Set-Cookie header", func(t *testing.T) {
 		ctx, ds := setUp(t)
-
 		var routes []*plugins.Route
-		dsService := datasources.ProvideService(bus.New(), nil, ossencryption.ProvideService())
+		secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
+		dsService := datasources.ProvideService(bus.New(), nil, secretsService)
 		proxy, err := NewDataSourceProxy(ds, routes, ctx, "/render", &setting.Cfg{}, httpClientProvider, &oauthtoken.Service{}, dsService)
 		require.NoError(t, err)
 
@@ -632,7 +644,8 @@ func TestDataSourceProxy_requestHandling(t *testing.T) {
 			},
 		})
 		var routes []*plugins.Route
-		dsService := datasources.ProvideService(bus.New(), nil, ossencryption.ProvideService())
+		secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
+		dsService := datasources.ProvideService(bus.New(), nil, secretsService)
 		proxy, err := NewDataSourceProxy(ds, routes, ctx, "/render", &setting.Cfg{}, httpClientProvider, &oauthtoken.Service{}, dsService)
 		require.NoError(t, err)
 
@@ -653,7 +666,8 @@ func TestDataSourceProxy_requestHandling(t *testing.T) {
 			},
 		})
 		var routes []*plugins.Route
-		dsService := datasources.ProvideService(bus.New(), nil, ossencryption.ProvideService())
+		secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
+		dsService := datasources.ProvideService(bus.New(), nil, secretsService)
 		proxy, err := NewDataSourceProxy(ds, routes, ctx, "/render", &setting.Cfg{}, httpClientProvider, &oauthtoken.Service{}, dsService)
 		require.NoError(t, err)
 
@@ -677,7 +691,8 @@ func TestDataSourceProxy_requestHandling(t *testing.T) {
 
 		ctx.Req = httptest.NewRequest("GET", "/api/datasources/proxy/1/path/%2Ftest%2Ftest%2F?query=%2Ftest%2Ftest%2F", nil)
 		var routes []*plugins.Route
-		dsService := datasources.ProvideService(bus.New(), nil, ossencryption.ProvideService())
+		secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
+		dsService := datasources.ProvideService(bus.New(), nil, secretsService)
 		proxy, err := NewDataSourceProxy(ds, routes, ctx, "/path/%2Ftest%2Ftest%2F", &setting.Cfg{}, httpClientProvider, &oauthtoken.Service{}, dsService)
 		require.NoError(t, err)
 
@@ -700,7 +715,8 @@ func TestNewDataSourceProxy_InvalidURL(t *testing.T) {
 	}
 	cfg := setting.Cfg{}
 	var routes []*plugins.Route
-	dsService := datasources.ProvideService(bus.New(), nil, ossencryption.ProvideService())
+	secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
+	dsService := datasources.ProvideService(bus.New(), nil, secretsService)
 	_, err := NewDataSourceProxy(&ds, routes, &ctx, "api/method", &cfg, httpclient.NewProvider(), &oauthtoken.Service{}, dsService)
 	require.Error(t, err)
 	assert.True(t, strings.HasPrefix(err.Error(), `validation of data source URL "://host/root" failed`))
@@ -718,7 +734,8 @@ func TestNewDataSourceProxy_ProtocolLessURL(t *testing.T) {
 	cfg := setting.Cfg{}
 
 	var routes []*plugins.Route
-	dsService := datasources.ProvideService(bus.New(), nil, ossencryption.ProvideService())
+	secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
+	dsService := datasources.ProvideService(bus.New(), nil, secretsService)
 	_, err := NewDataSourceProxy(&ds, routes, &ctx, "api/method", &cfg, httpclient.NewProvider(), &oauthtoken.Service{}, dsService)
 
 	require.NoError(t, err)
@@ -757,7 +774,8 @@ func TestNewDataSourceProxy_MSSQL(t *testing.T) {
 			}
 
 			var routes []*plugins.Route
-			dsService := datasources.ProvideService(bus.New(), nil, ossencryption.ProvideService())
+			secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
+			dsService := datasources.ProvideService(bus.New(), nil, secretsService)
 			p, err := NewDataSourceProxy(&ds, routes, &ctx, "api/method", &cfg, httpclient.NewProvider(), &oauthtoken.Service{}, dsService)
 			if tc.err == nil {
 				require.NoError(t, err)
@@ -781,7 +799,8 @@ func getDatasourceProxiedRequest(t *testing.T, ctx *models.ReqContext, cfg *sett
 	}
 
 	var routes []*plugins.Route
-	dsService := datasources.ProvideService(bus.New(), nil, ossencryption.ProvideService())
+	secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
+	dsService := datasources.ProvideService(bus.New(), nil, secretsService)
 	proxy, err := NewDataSourceProxy(ds, routes, ctx, "", cfg, httpclient.NewProvider(), &oauthtoken.Service{}, dsService)
 	require.NoError(t, err)
 	req, err := http.NewRequest(http.MethodGet, "http://grafana.com/sub", nil)
@@ -834,7 +853,7 @@ const (
 	authCheckHeader = "header"
 )
 
-func createAuthTest(t *testing.T, dsType string, authType string, authCheck string, useSecureJsonData bool) *testCase {
+func createAuthTest(t *testing.T, secretsService secrets.Service, dsType string, authType string, authCheck string, useSecureJsonData bool) *testCase {
 	ctx := context.Background()
 
 	// Basic user:password
@@ -853,11 +872,11 @@ func createAuthTest(t *testing.T, dsType string, authType string, authCheck stri
 		message = fmt.Sprintf("%v should add username and password", dsType)
 		test.datasource.User = "user"
 		if useSecureJsonData {
-			test.datasource.SecureJsonData, err = ossencryption.ProvideService().EncryptJsonData(
+			test.datasource.SecureJsonData, err = secretsService.EncryptJsonData(
 				ctx,
 				map[string]string{
 					"password": "password",
-				}, setting.SecretKey)
+				}, secrets.WithoutScope())
 		} else {
 			test.datasource.Password = "password"
 		}
@@ -866,11 +885,11 @@ func createAuthTest(t *testing.T, dsType string, authType string, authCheck stri
 		test.datasource.BasicAuth = true
 		test.datasource.BasicAuthUser = "user"
 		if useSecureJsonData {
-			test.datasource.SecureJsonData, err = ossencryption.ProvideService().EncryptJsonData(
+			test.datasource.SecureJsonData, err = secretsService.EncryptJsonData(
 				ctx,
 				map[string]string{
 					"basicAuthPassword": "password",
-				}, setting.SecretKey)
+				}, secrets.WithoutScope())
 		} else {
 			test.datasource.BasicAuthPassword = "password"
 		}
@@ -898,10 +917,10 @@ func createAuthTest(t *testing.T, dsType string, authType string, authCheck stri
 	return test
 }
 
-func runDatasourceAuthTest(t *testing.T, test *testCase) {
+func runDatasourceAuthTest(t *testing.T, secretsService secrets.Service, test *testCase) {
 	ctx := &models.ReqContext{}
 	var routes []*plugins.Route
-	dsService := datasources.ProvideService(bus.New(), nil, ossencryption.ProvideService())
+	dsService := datasources.ProvideService(bus.New(), nil, secretsService)
 	proxy, err := NewDataSourceProxy(test.datasource, routes, ctx, "", &setting.Cfg{}, httpclient.NewProvider(), &oauthtoken.Service{}, dsService)
 	require.NoError(t, err)
 
@@ -940,7 +959,8 @@ func Test_PathCheck(t *testing.T) {
 		return ctx, req
 	}
 	ctx, _ := setUp()
-	dsService := datasources.ProvideService(bus.New(), nil, ossencryption.ProvideService())
+	secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
+	dsService := datasources.ProvideService(bus.New(), nil, secretsService)
 	proxy, err := NewDataSourceProxy(&models.DataSource{}, routes, ctx, "b", &setting.Cfg{}, httpclient.NewProvider(), &oauthtoken.Service{}, dsService)
 	require.NoError(t, err)
 

pkg/api/pluginproxy/pluginproxy.go

@@ -9,7 +9,7 @@ import (
 	"github.com/grafana/grafana/pkg/bus"
 	"github.com/grafana/grafana/pkg/models"
 	"github.com/grafana/grafana/pkg/plugins"
-	"github.com/grafana/grafana/pkg/services/encryption"
+	"github.com/grafana/grafana/pkg/services/secrets"
 	"github.com/grafana/grafana/pkg/setting"
 	"github.com/grafana/grafana/pkg/util"
 	"github.com/grafana/grafana/pkg/util/proxyutil"
@@ -22,7 +22,7 @@ type templateData struct {
 
 // NewApiPluginProxy create a plugin proxy
 func NewApiPluginProxy(ctx *models.ReqContext, proxyPath string, route *plugins.Route,
-	appID string, cfg *setting.Cfg, encryptionService encryption.Service) *httputil.ReverseProxy {
+	appID string, cfg *setting.Cfg, secretsService secrets.Service) *httputil.ReverseProxy {
 	director := func(req *http.Request) {
 		query := models.GetPluginSettingByIdQuery{OrgId: ctx.OrgId, PluginId: appID}
 		if err := bus.DispatchCtx(ctx.Req.Context(), &query); err != nil {
@@ -30,7 +30,7 @@ func NewApiPluginProxy(ctx *models.ReqContext, proxyPath string, route *plugins.
 			return
 		}
 
-		secureJsonData, err := encryptionService.DecryptJsonData(ctx.Req.Context(), query.Result.SecureJsonData, setting.SecretKey)
+		secureJsonData, err := secretsService.DecryptJsonData(ctx.Req.Context(), query.Result.SecureJsonData)
 		if err != nil {
 			ctx.JsonApiErr(500, "Failed to decrypt plugin settings", err)
 			return

pkg/api/pluginproxy/pluginproxy_test.go

@@ -9,7 +9,9 @@ import (
 	"github.com/grafana/grafana/pkg/bus"
 	"github.com/grafana/grafana/pkg/models"
 	"github.com/grafana/grafana/pkg/plugins"
-	"github.com/grafana/grafana/pkg/services/encryption/ossencryption"
+	"github.com/grafana/grafana/pkg/services/secrets"
+	"github.com/grafana/grafana/pkg/services/secrets/fakes"
+	secretsManager "github.com/grafana/grafana/pkg/services/secrets/manager"
 	"github.com/grafana/grafana/pkg/setting"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -17,6 +19,9 @@ import (
 )
 
 func TestPluginProxy(t *testing.T) {
+	setting.SecretKey = "password"
+	secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
+
 	t.Run("When getting proxy headers", func(t *testing.T) {
 		route := &plugins.Route{
 			Headers: []plugins.Header{
@@ -24,10 +29,8 @@ func TestPluginProxy(t *testing.T) {
 			},
 		}
 
-		setting.SecretKey = "password"
-
 		bus.AddHandlerCtx("test", func(ctx context.Context, query *models.GetPluginSettingByIdQuery) error {
-			key, err := ossencryption.ProvideService().Encrypt(ctx, []byte("123"), "password")
+			key, err := secretsService.Encrypt(ctx, []byte("123"), secrets.WithoutScope())
 			if err != nil {
 				return err
 			}
@@ -45,6 +48,7 @@ func TestPluginProxy(t *testing.T) {
 
 		req := getPluginProxiedRequest(
 			t,
+			secretsService,
 			&models.ReqContext{
 				SignedInUser: &models.SignedInUser{
 					Login: "test_user",
@@ -66,6 +70,7 @@ func TestPluginProxy(t *testing.T) {
 
 		req := getPluginProxiedRequest(
 			t,
+			secretsService,
 			&models.ReqContext{
 				SignedInUser: &models.SignedInUser{
 					Login: "test_user",
@@ -88,6 +93,7 @@ func TestPluginProxy(t *testing.T) {
 
 		req := getPluginProxiedRequest(
 			t,
+			secretsService,
 			&models.ReqContext{
 				SignedInUser: &models.SignedInUser{
 					Login: "test_user",
@@ -109,6 +115,7 @@ func TestPluginProxy(t *testing.T) {
 
 		req := getPluginProxiedRequest(
 			t,
+			secretsService,
 			&models.ReqContext{
 				SignedInUser: &models.SignedInUser{IsAnonymous: true},
 				Context: &macaron.Context{
@@ -143,6 +150,7 @@ func TestPluginProxy(t *testing.T) {
 
 		req := getPluginProxiedRequest(
 			t,
+			secretsService,
 			&models.ReqContext{
 				SignedInUser: &models.SignedInUser{
 					Login: "test_user",
@@ -174,6 +182,7 @@ func TestPluginProxy(t *testing.T) {
 
 		req := getPluginProxiedRequest(
 			t,
+			secretsService,
 			&models.ReqContext{
 				SignedInUser: &models.SignedInUser{
 					Login: "test_user",
@@ -196,10 +205,10 @@ func TestPluginProxy(t *testing.T) {
 		}
 
 		bus.AddHandlerCtx("test", func(ctx context.Context, query *models.GetPluginSettingByIdQuery) error {
-			encryptedJsonData, err := ossencryption.ProvideService().EncryptJsonData(
+			encryptedJsonData, err := secretsService.EncryptJsonData(
 				ctx,
 				map[string]string{"key": "123"},
-				setting.SecretKey,
+				secrets.WithoutScope(),
 			)
 
 			if err != nil {
@@ -220,6 +229,7 @@ func TestPluginProxy(t *testing.T) {
 
 		req := getPluginProxiedRequest(
 			t,
+			secretsService,
 			&models.ReqContext{
 				SignedInUser: &models.SignedInUser{
 					Login: "test_user",
@@ -238,7 +248,7 @@ func TestPluginProxy(t *testing.T) {
 }
 
 // getPluginProxiedRequest is a helper for easier setup of tests based on global config and ReqContext.
-func getPluginProxiedRequest(t *testing.T, ctx *models.ReqContext, cfg *setting.Cfg, route *plugins.Route) *http.Request {
+func getPluginProxiedRequest(t *testing.T, secretsService secrets.Service, ctx *models.ReqContext, cfg *setting.Cfg, route *plugins.Route) *http.Request {
 	// insert dummy route if none is specified
 	if route == nil {
 		route = &plugins.Route{
@@ -247,7 +257,7 @@ func getPluginProxiedRequest(t *testing.T, ctx *models.ReqContext, cfg *setting.
 			ReqRole: models.ROLE_EDITOR,
 		}
 	}
-	proxy := NewApiPluginProxy(ctx, "", route, "", cfg, ossencryption.ProvideService())
+	proxy := NewApiPluginProxy(ctx, "", route, "", cfg, secretsService)
 
 	req, err := http.NewRequest(http.MethodGet, "/api/plugin-proxy/grafana-simple-app/api/v4/alerts", nil)
 	require.NoError(t, err)