Encryption: Cache new DEKs (only) after a caution period (#60664)

* Encryption: Cache new DEKs (only) after commit

* Fix typo

* Update secrets manager tests with new failing case

* Update secrets manager tests with new clarifications (comments)

* Correct broken method calls

* Unify methods

* Cache data keys only after a caution period

* Caution period for data keys caching only for encrypt ops
Joan López de la Franca Beltran
2023-01-26 10:54:31 +01:00
committed by GitHub
parent 3a442610d2
commit c4e067d49d
7 changed files with 301 additions and 114 deletions
+25 -25
@@ -5,8 +5,6 @@ import (
"fmt"
"time"
"xorm.io/xorm"
"github.com/grafana/grafana/pkg/infra/db"
"github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/services/kmsproviders"
@@ -16,22 +14,24 @@ import (
const dataKeysTable = "data_keys"
type SecretsStoreImpl struct {
sqlStore db.DB
log log.Logger
db db.DB
log log.Logger
}
func ProvideSecretsStore(sqlStore db.DB) *SecretsStoreImpl {
return &SecretsStoreImpl{
sqlStore: sqlStore,
log: log.New("secrets.store"),
func ProvideSecretsStore(db db.DB) *SecretsStoreImpl {
store := &SecretsStoreImpl{
db: db,
log: log.New("secrets.store"),
}
return store
}
func (ss *SecretsStoreImpl) GetDataKey(ctx context.Context, id string) (*secrets.DataKey, error) {
dataKey := &secrets.DataKey{}
var exists bool
err := ss.sqlStore.WithDbSession(ctx, func(sess *db.Session) error {
err := ss.db.WithDbSession(ctx, func(sess *db.Session) error {
var err error
exists, err = sess.Table(dataKeysTable).
Where("name = ?", id).
@@ -54,10 +54,10 @@ func (ss *SecretsStoreImpl) GetCurrentDataKey(ctx context.Context, label string)
dataKey := &secrets.DataKey{}
var exists bool
err := ss.sqlStore.WithDbSession(ctx, func(sess *db.Session) error {
err := ss.db.WithDbSession(ctx, func(sess *db.Session) error {
var err error
exists, err = sess.Table(dataKeysTable).
Where("label = ? AND active = ?", label, ss.sqlStore.GetDialect().BooleanStr(true)).
Where("label = ? AND active = ?", label, ss.db.GetDialect().BooleanStr(true)).
Get(dataKey)
return err
})
@@ -75,7 +75,7 @@ func (ss *SecretsStoreImpl) GetCurrentDataKey(ctx context.Context, label string)
func (ss *SecretsStoreImpl) GetAllDataKeys(ctx context.Context) ([]*secrets.DataKey, error) {
result := make([]*secrets.DataKey, 0)
err := ss.sqlStore.WithDbSession(ctx, func(sess *db.Session) error {
err := ss.db.WithDbSession(ctx, func(sess *db.Session) error {
err := sess.Table(dataKeysTable).Find(&result)
return err
})
@@ -83,12 +83,6 @@ func (ss *SecretsStoreImpl) GetAllDataKeys(ctx context.Context) ([]*secrets.Data
}
func (ss *SecretsStoreImpl) CreateDataKey(ctx context.Context, dataKey *secrets.DataKey) error {
return ss.sqlStore.WithDbSession(ctx, func(sess *db.Session) error {
return ss.CreateDataKeyWithDBSession(ctx, dataKey, sess.Session)
})
}
func (ss *SecretsStoreImpl) CreateDataKeyWithDBSession(_ context.Context, dataKey *secrets.DataKey, sess *xorm.Session) error {
if !dataKey.Active {
return fmt.Errorf("cannot insert deactivated data keys")
}
@@ -96,14 +90,20 @@ func (ss *SecretsStoreImpl) CreateDataKeyWithDBSession(_ context.Context, dataKe
dataKey.Created = time.Now()
dataKey.Updated = dataKey.Created
_, err := sess.Table(dataKeysTable).Insert(dataKey)
return err
return ss.db.WithTransactionalDbSession(ctx, func(sess *db.Session) error {
_, err := sess.Table(dataKeysTable).Insert(dataKey)
if err != nil {
return err
}
return nil
})
}
func (ss *SecretsStoreImpl) DisableDataKeys(ctx context.Context) error {
return ss.sqlStore.WithTransactionalDbSession(ctx, func(sess *db.Session) error {
return ss.db.WithTransactionalDbSession(ctx, func(sess *db.Session) error {
_, err := sess.Table(dataKeysTable).
Where("active = ?", ss.sqlStore.GetDialect().BooleanStr(true)).
Where("active = ?", ss.db.GetDialect().BooleanStr(true)).
UseBool("active").Update(&secrets.DataKey{Active: false})
return err
})
@@ -114,7 +114,7 @@ func (ss *SecretsStoreImpl) DeleteDataKey(ctx context.Context, id string) error
return fmt.Errorf("data key id is missing")
}
return ss.sqlStore.WithDbSession(ctx, func(sess *db.Session) error {
return ss.db.WithDbSession(ctx, func(sess *db.Session) error {
_, err := sess.Table(dataKeysTable).Delete(&secrets.DataKey{Id: id})
return err
@@ -127,14 +127,14 @@ func (ss *SecretsStoreImpl) ReEncryptDataKeys(
currProvider secrets.ProviderID,
) error {
keys := make([]*secrets.DataKey, 0)
if err := ss.sqlStore.WithDbSession(ctx, func(sess *db.Session) error {
if err := ss.db.WithDbSession(ctx, func(sess *db.Session) error {
return sess.Table(dataKeysTable).Find(&keys)
}); err != nil {
return err
}
for _, k := range keys {
err := ss.sqlStore.WithTransactionalDbSession(ctx, func(sess *db.Session) error {
err := ss.db.WithTransactionalDbSession(ctx, func(sess *db.Session) error {
provider, ok := providers[kmsproviders.NormalizeProviderID(k.Provider)]
if !ok {
ss.log.Warn(