* Encryption: Add support for data keys re-encryption
* Add tests for data keys re-encryption
* Update code after refactorings
Co-authored-by: Leonard Gram <leo@xlson.com>
(cherry picked from commit b2655750e8)
Co-authored-by: Joan López de la Franca Beltran <5459617+joanlopez@users.noreply.github.com>
committed by
GitHub
parent
71a0ae7931
commit
a7ad5ee55f
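--- a/<PATH-NOT-SHOWN-ON-PAGE>
+++ b/<PATH-NOT-SHOWN-ON-PAGE>
@@ -87,3 +87,42 @@ func (ss *SecretsStoreImpl) DeleteDataKey(ctx context.Context, name string) erro
 		return err
 	})
 }
+
+func (ss *SecretsStoreImpl) ReEncryptDataKeys(
+	ctx context.Context,
+	providers map[secrets.ProviderID]secrets.Provider,
+	currProvider secrets.ProviderID,
+) error {
+	return ss.sqlStore.WithTransactionalDbSession(ctx, func(sess *sqlstore.DBSession) error {
+		keys := make([]*secrets.DataKey, 0)
+		if err := sess.Table(dataKeysTable).Find(&keys); err != nil {
+			return err
+		}
+
+		for _, k := range keys {
+			provider, ok := providers[k.Provider]
+			if !ok {
+				return fmt.Errorf("could not find encryption provider '%s'", k.Provider)
+			}
+
+			decrypted, err := provider.Decrypt(ctx, k.EncryptedData)
+			if err != nil {
+				return err
+			}
+
+			// Updating current data key by re-encrypting it with current provider.
+			// Accessing the current provider within providers map should be safe.
+			k.Provider = currProvider
+			k.EncryptedData, err = providers[currProvider].Encrypt(ctx, decrypted)
+			if err != nil {
+				return err
+			}
+
+			if _, err := sess.Table(dataKeysTable).Where("name = ?", k.Name).Update(k); err != nil {
+				return err
+			}
+		}
+
+		return nil
+	})
+}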
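Review bot: `providers[currProvider]` on the Encrypt line is used without checking that currProvider is present in the map; the comment above it says this "should be safe", but a missing entry yields a nil interface and the method call panics inside the transaction instead of returning an error like the per-key lookup a few lines earlier does. Validate it once before the loop: `if _, ok := providers[currProvider]; !ok { return fmt.Errorf("could not find encryption provider '%s'", currProvider) }`. The bare `return err` after Decrypt, Encrypt and Update also drops which data key failed, so a rolled-back run is hard to diagnose; wrapping as `fmt.Errorf("re-encrypting data key %q: %w", k.Name, err)` keeps the name without leaking key material. Keys already encrypted with currProvider still go through a full decrypt/encrypt round trip; if that is intended it deserves a comment, otherwise `if k.Provider == currProvider { continue }` at the top of the loop skips them.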