Drone: Fixes

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
Drone: Fixes
2020-10-15 13:56:46 +02:00 · 2020-10-15 13:47:14 +02:00 · 2020-10-15 13:14:47 +02:00 · 2020-10-15 13:09:34 +02:00
34 changed files with 148 additions and 563 deletions
--- a/lerna.json
+++ b/lerna.json
@@ -2,5 +2,5 @@
  "npmClient": "yarn",
  "useWorkspaces": true,
  "packages": ["packages/*"],
-  "version": "7.3.0-pre.0"
+  "version": "7.3.0-beta.1"
 }
--- a/package.json
+++ b/package.json
@@ -3,7 +3,7 @@
  "license": "Apache-2.0",
  "private": true,
  "name": "grafana",
-  "version": "7.3.0-pre",
+  "version": "7.3.0-beta1",
  "repository": "github:grafana/grafana",
  "scripts": {
    "api-tests": "jest --notify --watch --config=devenv/e2e-api-tests/jest.js",
@@ -45,8 +45,8 @@
    "ci:test-frontend": "yarn run prettier:check && yarn run packages:typecheck && yarn run typecheck && yarn run test"
  },
  "grafana": {
-    "whatsNewUrl": "https://grafana.com/docs/grafana/latest/guides/whats-new-in-v7-2/",
-    "releaseNotesUrl": "https://community.grafana.com/t/release-notes-v7-2-x/36321"
+    "whatsNewUrl": "https://grafana.com/docs/grafana/latest/guides/whats-new-in-v7-3/",
+    "releaseNotesUrl": "https://community.grafana.com/t/release-notes-v7-3-x/37993"
  },
  "husky": {
    "hooks": {
--- a/packages/grafana-data/package.json
+++ b/packages/grafana-data/package.json
@@ -2,7 +2,7 @@
  "author": "Grafana Labs",
  "license": "Apache-2.0",
  "name": "@grafana/data",
-  "version": "7.3.0-pre.0",
+  "version": "7.3.0-beta.1",
  "description": "Grafana Data Library",
  "keywords": [
    "typescript"
--- a/packages/grafana-e2e-selectors/package.json
+++ b/packages/grafana-e2e-selectors/package.json
@@ -2,7 +2,7 @@
  "author": "Grafana Labs",
  "license": "Apache-2.0",
  "name": "@grafana/e2e-selectors",
-  "version": "7.3.0-pre.0",
+  "version": "7.3.0-beta.1",
  "description": "Grafana End-to-End Test Selectors Library",
  "keywords": [
    "cli",
--- a/packages/grafana-e2e/package.json
+++ b/packages/grafana-e2e/package.json
@@ -2,7 +2,7 @@
  "author": "Grafana Labs",
  "license": "Apache-2.0",
  "name": "@grafana/e2e",
-  "version": "7.3.0-pre.0",
+  "version": "7.3.0-beta.1",
  "description": "Grafana End-to-End Test Library",
  "keywords": [
    "cli",
@@ -44,7 +44,7 @@
  "types": "src/index.ts",
  "dependencies": {
    "@cypress/webpack-preprocessor": "4.1.3",
-    "@grafana/e2e-selectors": "7.3.0-pre.0",
+    "@grafana/e2e-selectors": "7.3.0-beta.1",
    "@grafana/tsconfig": "^1.0.0-rc1",
    "@mochajs/json-file-reporter": "^1.2.0",
    "blink-diff": "1.0.13",
--- a/packages/grafana-runtime/package.json
+++ b/packages/grafana-runtime/package.json
@@ -2,7 +2,7 @@
  "author": "Grafana Labs",
  "license": "Apache-2.0",
  "name": "@grafana/runtime",
-  "version": "7.3.0-pre.0",
+  "version": "7.3.0-beta.1",
  "description": "Grafana Runtime Library",
  "keywords": [
    "grafana",
@@ -22,8 +22,8 @@
    "typecheck": "tsc --noEmit"
  },
  "dependencies": {
-    "@grafana/data": "7.3.0-pre.0",
-    "@grafana/ui": "7.3.0-pre.0",
+    "@grafana/data": "7.3.0-beta.1",
+    "@grafana/ui": "7.3.0-beta.1",
    "systemjs": "0.20.19",
    "systemjs-plugin-css": "0.1.37"
  },
--- a/packages/grafana-toolkit/package.json
+++ b/packages/grafana-toolkit/package.json
@@ -2,7 +2,7 @@
  "author": "Grafana Labs",
  "license": "Apache-2.0",
  "name": "@grafana/toolkit",
-  "version": "7.3.0-pre.0",
+  "version": "7.3.0-beta.1",
  "description": "Grafana Toolkit",
  "keywords": [
    "grafana",
--- a/packages/grafana-ui/package.json
+++ b/packages/grafana-ui/package.json
@@ -2,7 +2,7 @@
  "author": "Grafana Labs",
  "license": "Apache-2.0",
  "name": "@grafana/ui",
-  "version": "7.3.0-pre.0",
+  "version": "7.3.0-beta.1",
  "description": "Grafana Components Library",
  "keywords": [
    "grafana",
@@ -27,15 +27,15 @@
  },
  "dependencies": {
    "@emotion/core": "^10.0.27",
-    "@grafana/data": "7.3.0-pre.0",
-    "@grafana/e2e-selectors": "7.3.0-pre.0",
+    "@grafana/data": "7.3.0-beta.1",
+    "@grafana/e2e-selectors": "7.3.0-beta.1",
    "@grafana/slate-react": "0.22.9-grafana",
    "@grafana/tsconfig": "^1.0.0-rc1",
    "@iconscout/react-unicons": "1.1.4",
    "@torkelo/react-select": "3.0.8",
+    "@types/hoist-non-react-statics": "3.3.1",
    "@types/react-beautiful-dnd": "12.1.2",
    "@types/react-color": "3.0.1",
-    "@types/hoist-non-react-statics": "3.3.1",
    "@types/react-select": "3.0.8",
    "@types/react-table": "7.0.12",
    "@types/slate": "0.47.1",
@@ -43,9 +43,8 @@
    "bizcharts": "^3.5.8",
    "classnames": "2.2.6",
    "d3": "5.15.0",
-    "hoist-non-react-statics": "3.3.2",
-    "immutable": "3.8.2",
    "emotion": "10.0.27",
+    "hoist-non-react-statics": "3.3.2",
    "immutable": "3.8.2",
    "jquery": "3.5.1",
    "lodash": "4.17.19",
--- a/packages/jaeger-ui-components/package.json
+++ b/packages/jaeger-ui-components/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@jaegertracing/jaeger-ui-components",
-  "version": "7.3.0-pre.0",
+  "version": "7.3.0-beta.1",
  "main": "src/index.ts",
  "types": "src/index.ts",
  "license": "Apache-2.0",
@@ -14,8 +14,8 @@
    "typescript": "4.0.2"
  },
  "dependencies": {
-    "@grafana/data": "7.3.0-pre.0",
-    "@grafana/ui": "7.3.0-pre.0",
+    "@grafana/data": "7.3.0-beta.1",
+    "@grafana/ui": "7.3.0-beta.1",
    "@types/classnames": "^2.2.7",
    "@types/deep-freeze": "^0.1.1",
    "@types/hoist-non-react-statics": "^3.3.1",
--- a/pkg/api/login.go
+++ b/pkg/api/login.go
@@ -284,12 +284,12 @@ func tryGetEncryptedCookie(ctx *models.ReqContext, cookieName string) (string, b
 		return "", false
 	}

-	decryptedError, err := util.Decrypt(decoded)
+	decryptedError, err := util.Decrypt(decoded, setting.SecretKey)
 	return string(decryptedError), err == nil
 }

 func (hs *HTTPServer) trySetEncryptedCookie(ctx *models.ReqContext, cookieName string, value string, maxAge int) error {
-	encryptedError, err := util.Encrypt([]byte(value))
+	encryptedError, err := util.Encrypt([]byte(value), setting.SecretKey)
 	if err != nil {
 		return err
 	}
--- a/pkg/api/login_test.go
+++ b/pkg/api/login_test.go
@@ -109,7 +109,7 @@ func TestLoginErrorCookieApiEndpoint(t *testing.T) {
 	setting.OAuthAutoLogin = true

 	oauthError := errors.New("User not a member of one of the required organizations")
-	encryptedError, _ := util.Encrypt([]byte(oauthError.Error()))
+	encryptedError, _ := util.Encrypt([]byte(oauthError.Error()), setting.SecretKey)
 	expCookiePath := "/"
 	if len(setting.AppSubUrl) > 0 {
 		expCookiePath = setting.AppSubUrl
--- a/pkg/api/pluginproxy/ds_proxy_test.go
+++ b/pkg/api/pluginproxy/ds_proxy_test.go
@@ -75,7 +75,7 @@ func TestDSRouteRule(t *testing.T) {
 			}

 			setting.SecretKey = "password" //nolint:goconst
-			key, _ := util.Encrypt([]byte("123"))
+			key, _ := util.Encrypt([]byte("123"), "password")

 			ds := &models.DataSource{
 				JsonData: simplejson.NewFromAny(map[string]interface{}{
@@ -189,7 +189,7 @@ func TestDSRouteRule(t *testing.T) {
 			}

 			setting.SecretKey = "password"
-			key, _ := util.Encrypt([]byte("123"))
+			key, _ := util.Encrypt([]byte("123"), "password")

 			ds := &models.DataSource{
 				JsonData: simplejson.NewFromAny(map[string]interface{}{
--- a/pkg/api/pluginproxy/pluginproxy_test.go
+++ b/pkg/api/pluginproxy/pluginproxy_test.go
@@ -23,7 +23,7 @@ func TestPluginProxy(t *testing.T) {
 		setting.SecretKey = "password"

 		bus.AddHandler("test", func(query *models.GetPluginSettingByIdQuery) error {
-			key, err := util.Encrypt([]byte("123"))
+			key, err := util.Encrypt([]byte("123"), "password")
 			if err != nil {
 				return err
 			}
--- a/pkg/cmd/grafana-cli/commands/datamigrations/encrypt_datasource_passwords.go
+++ b/pkg/cmd/grafana-cli/commands/datamigrations/encrypt_datasource_passwords.go
@@ -9,6 +9,7 @@ import (

 	"github.com/grafana/grafana/pkg/cmd/grafana-cli/utils"
 	"github.com/grafana/grafana/pkg/services/sqlstore"
+	"github.com/grafana/grafana/pkg/setting"
 	"github.com/grafana/grafana/pkg/util"
 	"github.com/grafana/grafana/pkg/util/errutil"
 )
@@ -108,7 +109,7 @@ func updateRows(session *sqlstore.DBSession, rows []map[string][]byte, passwordF
 }

 func getUpdatedSecureJSONData(row map[string][]byte, passwordFieldName string) (map[string]interface{}, error) {
-	encryptedPassword, err := util.Encrypt(row[passwordFieldName])
+	encryptedPassword, err := util.Encrypt(row[passwordFieldName], setting.SecretKey)
 	if err != nil {
 		return nil, err
 	}
--- a/pkg/components/securedata/securedata.go
+++ b/pkg/components/securedata/securedata.go
@@ -1,15 +1,16 @@
 package securedata

 import (
+	"github.com/grafana/grafana/pkg/setting"
 	"github.com/grafana/grafana/pkg/util"
 )

 type SecureData []byte

 func Encrypt(data []byte) (SecureData, error) {
-	return util.Encrypt(data)
+	return util.Encrypt(data, setting.SecretKey)
 }

 func (s SecureData) Decrypt() ([]byte, error) {
-	return util.Decrypt(s)
+	return util.Decrypt(s, setting.SecretKey)
 }
--- a/pkg/components/securejsondata/securejsondata.go
+++ b/pkg/components/securejsondata/securejsondata.go
@@ -2,6 +2,7 @@ package securejsondata

 import (
 	"github.com/grafana/grafana/pkg/infra/log"
+	"github.com/grafana/grafana/pkg/setting"
 	"github.com/grafana/grafana/pkg/util"
 )

@@ -13,7 +14,7 @@ type SecureJsonData map[string][]byte
 // is true if the key exists and false if not.
 func (s SecureJsonData) DecryptedValue(key string) (string, bool) {
 	if value, ok := s[key]; ok {
-		decryptedData, err := util.Decrypt(value)
+		decryptedData, err := util.Decrypt(value, setting.SecretKey)
 		if err != nil {
 			log.Fatalf(4, err.Error())
 		}
@@ -27,7 +28,7 @@ func (s SecureJsonData) DecryptedValue(key string) (string, bool) {
 func (s SecureJsonData) Decrypt() map[string]string {
 	decrypted := make(map[string]string)
 	for key, data := range s {
-		decryptedData, err := util.Decrypt(data)
+		decryptedData, err := util.Decrypt(data, setting.SecretKey)
 		if err != nil {
 			log.Fatalf(4, err.Error())
 		}
@@ -37,11 +38,11 @@ func (s SecureJsonData) Decrypt() map[string]string {
 	return decrypted
 }

-// GetEncryptedJsonData returns map where all values are encrypted.
+// GetEncryptedJsonData returns map where all keys are encrypted.
 func GetEncryptedJsonData(sjd map[string]string) SecureJsonData {
 	encrypted := make(SecureJsonData)
 	for key, data := range sjd {
-		encryptedData, err := util.Encrypt([]byte(data))
+		encryptedData, err := util.Encrypt([]byte(data), setting.SecretKey)
 		if err != nil {
 			log.Fatalf(4, err.Error())
 		}
--- a/pkg/models/data_key.go
+++ b/pkg/models/data_key.go
@@ -1,19 +0,0 @@
-package models
-
-import (
-	"errors"
-	"time"
-)
-
-var (
-	ErrDataKeyNotFound = errors.New("data key not found")
-)
-
-type DataKey struct {
-	Active        bool      `json:"active"`
-	Name          string    `json:"name"`
-	Provider      string    `json:"provider"`
-	EncryptedData []byte    `json:"-"`
-	Created       time.Time `json:"created"`
-	Updated       time.Time `json:"updated"`
-}
--- a/pkg/models/datasource_cache_test.go
+++ b/pkg/models/datasource_cache_test.go
@@ -54,7 +54,7 @@ func TestDataSourceProxyCache(t *testing.T) {
 		json := simplejson.New()
 		json.Set("tlsAuthWithCACert", true)

-		tlsCaCert, err := util.Encrypt([]byte(caCert))
+		tlsCaCert, err := util.Encrypt([]byte(caCert), "password")
 		So(err, ShouldBeNil)
 		ds := DataSource{
 			Id:             1,
@@ -96,9 +96,9 @@ func TestDataSourceProxyCache(t *testing.T) {
 		json := simplejson.New()
 		json.Set("tlsAuth", true)

-		tlsClientCert, err := util.Encrypt([]byte(clientCert))
+		tlsClientCert, err := util.Encrypt([]byte(clientCert), "password")
 		So(err, ShouldBeNil)
-		tlsClientKey, err := util.Encrypt([]byte(clientKey))
+		tlsClientKey, err := util.Encrypt([]byte(clientKey), "password")
 		So(err, ShouldBeNil)

 		ds := DataSource{
@@ -130,7 +130,7 @@ func TestDataSourceProxyCache(t *testing.T) {
 		json := simplejson.New()
 		json.Set("tlsAuthWithCACert", true)

-		tlsCaCert, err := util.Encrypt([]byte(caCert))
+		tlsCaCert, err := util.Encrypt([]byte(caCert), "password")
 		So(err, ShouldBeNil)

 		ds := DataSource{
@@ -179,7 +179,7 @@ func TestDataSourceProxyCache(t *testing.T) {
 		json := simplejson.NewFromAny(map[string]interface{}{
 			"httpHeaderName1": "Authorization",
 		})
-		encryptedData, err := util.Encrypt([]byte(`Bearer xf5yhfkpsnmgo`))
+		encryptedData, err := util.Encrypt([]byte(`Bearer xf5yhfkpsnmgo`), setting.SecretKey)
 		if err != nil {
 			log.Fatal(err.Error())
 		}
--- a/pkg/server/server.go
+++ b/pkg/server/server.go
@@ -39,7 +39,6 @@ import (
 	_ "github.com/grafana/grafana/pkg/services/provisioning"
 	_ "github.com/grafana/grafana/pkg/services/rendering"
 	_ "github.com/grafana/grafana/pkg/services/search"
-	_ "github.com/grafana/grafana/pkg/services/secrets"
 	_ "github.com/grafana/grafana/pkg/services/sqlstore"
 	"github.com/grafana/grafana/pkg/setting"
 	"github.com/grafana/grafana/pkg/util/errutil"
--- a/pkg/services/secrets/encryption.go
+++ b/pkg/services/secrets/encryption.go
@@ -1,80 +0,0 @@
-package secrets
-
-import (
-	"crypto/aes"
-	"crypto/cipher"
-	"crypto/rand"
-	"crypto/sha256"
-	"errors"
-	"io"
-
-	"github.com/grafana/grafana/pkg/util"
-	"golang.org/x/crypto/pbkdf2"
-)
-
-const saltLength = 8
-
-// Decrypt decrypts a payload with a given secret.
-func decrypt(payload, secret []byte) ([]byte, error) {
-	salt := payload[:saltLength]
-	key, err := encryptionKeyToBytes(secret, salt)
-	if err != nil {
-		return nil, err
-	}
-
-	block, err := aes.NewCipher(key)
-	if err != nil {
-		return nil, err
-	}
-
-	// The IV needs to be unique, but not secure. Therefore it's common to
-	// include it at the beginning of the ciphertext.
-	if len(payload) < aes.BlockSize {
-		return nil, errors.New("payload too short")
-	}
-	iv := payload[saltLength : saltLength+aes.BlockSize]
-	payload = payload[saltLength+aes.BlockSize:]
-	payloadDst := make([]byte, len(payload))
-
-	stream := cipher.NewCFBDecrypter(block, iv)
-
-	// XORKeyStream can work in-place if the two arguments are the same.
-	stream.XORKeyStream(payloadDst, payload)
-	return payloadDst, nil
-}
-
-// Encrypt encrypts a payload with a given secret.
-func encrypt(payload, secret []byte) ([]byte, error) {
-	salt, err := util.GetRandomString(saltLength)
-	if err != nil {
-		return nil, err
-	}
-
-	key, err := encryptionKeyToBytes(secret, []byte(salt))
-	if err != nil {
-		return nil, err
-	}
-	block, err := aes.NewCipher(key)
-	if err != nil {
-		return nil, err
-	}
-
-	// The IV needs to be unique, but not secure. Therefore it's common to
-	// include it at the beginning of the ciphertext.
-	ciphertext := make([]byte, saltLength+aes.BlockSize+len(payload))
-	copy(ciphertext[:saltLength], salt)
-	iv := ciphertext[saltLength : saltLength+aes.BlockSize]
-	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
-		return nil, err
-	}
-
-	stream := cipher.NewCFBEncrypter(block, iv)
-	stream.XORKeyStream(ciphertext[saltLength+aes.BlockSize:], payload)
-
-	return ciphertext, nil
-}
-
-// Key needs to be 32bytes
-func encryptionKeyToBytes(secret, salt []byte) ([]byte, error) {
-	return pbkdf2.Key(secret, salt, 10000, 32, sha256.New), nil
-}
--- a/pkg/services/secrets/encryption_test.go
+++ b/pkg/services/secrets/encryption_test.go
@@ -1,40 +0,0 @@
-package secrets
-
-import (
-	"fmt"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestEncryption_keyDerivationLength(t *testing.T) {
-	salt := []byte("salt")
-
-	tests := []struct {
-		secret []byte
-		salt   []byte
-	}{
-		{[]byte("secret"), salt},
-		{[]byte("a very long secret key that is larger then 32bytes"), salt},
-	}
-
-	for i, tc := range tests {
-		tc := tc
-		t.Run(fmt.Sprintf("deriving key #%d", i), func(t *testing.T) {
-			key, err := encryptionKeyToBytes(tc.secret, tc.salt)
-			require.NoError(t, err)
-			assert.Len(t, key, 32)
-		})
-	}
-}
-
-func TestEncryption_basic(t *testing.T) {
-	encrypted, err := encrypt([]byte("grafana"), []byte("1234"))
-	require.NoError(t, err)
-
-	decrypted, err := decrypt(encrypted, []byte("1234"))
-	require.NoError(t, err)
-
-	assert.Equal(t, []byte("grafana"), decrypted)
-}
--- a/pkg/services/secrets/secretkey.go
+++ b/pkg/services/secrets/secretkey.go
@@ -1,13 +0,0 @@
-package secrets
-
-type secretKey struct {
-	key func() []byte
-}
-
-func (s *secretKey) Encrypt(blob []byte) ([]byte, error) {
-	return encrypt(blob, s.key())
-}
-
-func (s *secretKey) Decrypt(blob []byte) ([]byte, error) {
-	return decrypt(blob, s.key())
-}
--- a/pkg/services/secrets/secrets.go
+++ b/pkg/services/secrets/secrets.go
@@ -1,196 +0,0 @@
-package secrets
-
-import (
-	"bytes"
-	"context"
-	"crypto/rand"
-	"encoding/base64"
-	"errors"
-	"fmt"
-	"time"
-
-	"github.com/grafana/grafana/pkg/util"
-
-	"github.com/grafana/grafana/pkg/bus"
-
-	"github.com/grafana/grafana/pkg/models"
-
-	"github.com/grafana/grafana/pkg/services/sqlstore"
-
-	"github.com/grafana/grafana/pkg/infra/log"
-	"github.com/grafana/grafana/pkg/setting"
-)
-
-var logger = log.New("secrets")
-
-type Secrets struct {
-	store *sqlstore.SqlStore `inject:""`
-	bus   bus.Bus            `inject:""`
-
-	defaultEncryptionKey string
-	defaultProvider      string
-	providers            map[string]Provider
-	dataKeyCache         map[string]dataKeyCacheItem
-}
-
-type dataKeyCacheItem struct {
-	expiry  time.Time
-	dataKey []byte
-}
-
-type Provider interface {
-	Encrypt(blob []byte) ([]byte, error)
-	Decrypt(blob []byte) ([]byte, error)
-}
-
-func (s *Secrets) Init() error {
-	s.providers = map[string]Provider{
-		"": &secretKey{
-			key: func() []byte {
-				return []byte(setting.SecretKey)
-			},
-		},
-	}
-
-	base_key := "root"
-
-	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
-	defer cancel()
-	_, err := s.store.GetDataKey(ctx, base_key)
-	if err != nil {
-		if errors.Is(err, models.ErrDataKeyNotFound) {
-			err = s.newRandomDataKey(ctx, base_key)
-			if err != nil {
-				return err
-			}
-		} else {
-			return err
-		}
-	}
-
-	util.Encrypt = s.Encrypt
-	util.Decrypt = s.Decrypt
-
-	return nil
-}
-
-func (s *Secrets) newRandomDataKey(ctx context.Context, base_key string) error {
-	b := make([]byte, 16)
-	_, err := rand.Read(b)
-	if err != nil {
-		return err
-	}
-
-	encrypted, err := s.Encrypt(b)
-	if err != nil {
-		return err
-	}
-
-	err = s.store.CreateDataKey(ctx, models.DataKey{
-		Active:        true,
-		Name:          base_key,
-		Provider:      s.defaultProvider,
-		EncryptedData: encrypted,
-	})
-	return nil
-}
-
-var b64 = base64.RawStdEncoding
-
-func (s *Secrets) Encrypt(payload []byte) ([]byte, error) {
-	key := s.defaultEncryptionKey
-
-	dataKey, err := s.dataKey(key)
-	if err != nil {
-		return nil, err
-	}
-
-	encrypted, err := encrypt(payload, dataKey)
-	if err != nil {
-		return nil, err
-	}
-
-	prefix := make([]byte, b64.EncodedLen(len(key))+2)
-	b64.Encode(prefix[1:], []byte(key))
-	prefix[0] = '#'
-	prefix[len(prefix)-1] = '#'
-
-	blob := make([]byte, len(prefix)+len(encrypted))
-	copy(blob, prefix)
-	copy(blob[len(prefix):], encrypted)
-
-	return blob, nil
-}
-
-func (s *Secrets) Decrypt(payload []byte) ([]byte, error) {
-	if len(payload) == 0 {
-		return []byte{}, nil
-	}
-
-	var dataKey []byte
-
-	if payload[0] != '#' {
-		dataKey = []byte(setting.SecretKey)
-	} else {
-		payload = payload[1:]
-		endOfKey := bytes.Index(payload, []byte{'#'})
-		if endOfKey == -1 {
-			return nil, fmt.Errorf("could not find valid key in encrypted payload")
-		}
-		b64Key := payload[:endOfKey]
-		payload = payload[endOfKey+1:]
-		key := make([]byte, b64.DecodedLen(len(b64Key)))
-		_, err := b64.Decode(key, b64Key)
-		if err != nil {
-			return nil, err
-		}
-
-		dataKey, err = s.dataKey(string(key))
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	return decrypt(payload, dataKey)
-}
-
-func (s *Secrets) dataKey(key string) ([]byte, error) {
-	if key == "" {
-		return []byte(setting.SecretKey), nil
-	}
-
-	if item, exists := s.dataKeyCache[key]; exists {
-		if item.expiry.Before(time.Now()) && !item.expiry.IsZero() {
-			delete(s.dataKeyCache, key)
-		} else {
-			return item.dataKey, nil
-		}
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
-	defer cancel()
-	// 1. get encrypted data key from database
-	dataKey, err := s.store.GetDataKey(ctx, key)
-	if err != nil {
-		return nil, err
-	}
-
-	// 2. decrypt data key
-	provider, exists := s.providers[dataKey.Provider]
-	if !exists {
-		return nil, fmt.Errorf("could not find encryption provider '%s'", dataKey.Provider)
-	}
-
-	decrypted, err := provider.Decrypt(dataKey.EncryptedData)
-	if err != nil {
-		return nil, err
-	}
-
-	// 3. cache data key
-	s.dataKeyCache[key] = dataKeyCacheItem{
-		expiry:  time.Now().Add(15 * time.Minute),
-		dataKey: decrypted,
-	}
-
-	return decrypted, nil
-}
--- a/pkg/services/secrets/secrets_test.go
+++ b/pkg/services/secrets/secrets_test.go
@@ -1,45 +0,0 @@
-package secrets
-
-import (
-	"fmt"
-	"testing"
-
-	"github.com/grafana/grafana/pkg/services/sqlstore"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/grafana/grafana/pkg/setting"
-)
-
-func TestSecrets_Encrypt(t *testing.T) {
-	s := Secrets{
-		store: sqlstore.InitTestDB(t),
-	}
-
-	require.NoError(t, s.Init())
-
-	{
-		old := setting.SecretKey
-		defer func() {
-			setting.SecretKey = old
-		}()
-		setting.SecretKey = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
-	}
-
-	plaintexts := [][]byte{
-		{},
-		[]byte("hello, world"),
-	}
-
-	for _, plaintext := range plaintexts {
-		t.Run(fmt.Sprintf("encrypting and decrypting %s", string(plaintext)), func(t *testing.T) {
-			encrypted, err := s.Encrypt(plaintext)
-			require.NoError(t, err)
-			decrypted, err := s.Decrypt(encrypted)
-			require.NoError(t, err)
-
-			assert.Equal(t, plaintext, decrypted)
-		})
-	}
-}
--- a/pkg/services/sqlstore/data_keys.go
+++ b/pkg/services/sqlstore/data_keys.go
@@ -1,48 +0,0 @@
-package sqlstore
-
-import (
-	"context"
-	"fmt"
-	"time"
-
-	"github.com/grafana/grafana/pkg/models"
-	"xorm.io/xorm"
-)
-
-const dataKeysTable = "data_keys"
-
-func (ss *SqlStore) GetDataKey(ctx context.Context, name string) (*models.DataKey, error) {
-	return getDataKey(ctx, name, ss.engine)
-}
-
-func (ss *SqlStore) CreateDataKey(ctx context.Context, dataKey models.DataKey) error {
-	dataKey.Created = time.Now()
-	dataKey.Updated = dataKey.Created
-
-	if !dataKey.Active {
-		return fmt.Errorf("cannot insert deactivated data keys")
-	}
-
-	_, err := ss.engine.Context(ctx).Table(dataKeysTable).InsertOne(dataKey)
-	return err
-}
-
-func (ss *SqlStore) DeleteDataKey(ctx context.Context, name string) error {
-	_, err := ss.engine.Context(ctx).Table(dataKeysTable).Delete(models.DataKey{Name: name})
-	return err
-}
-
-func getDataKey(ctx context.Context, name string, engine *xorm.Engine) (*models.DataKey, error) {
-	dataKey := &models.DataKey{Name: name, Active: true}
-	exists, err := engine.Context(ctx).Table(dataKeysTable).Get(dataKey)
-
-	if err != nil {
-		sqlog.Error("Failed getting data key", "err", err, "name", name)
-		return nil, fmt.Errorf("failed getting data key: %w", err)
-	}
-	if !exists {
-		return nil, models.ErrDataKeyNotFound
-	}
-
-	return dataKey, nil
-}
--- a/pkg/services/sqlstore/data_keys_test.go
+++ b/pkg/services/sqlstore/data_keys_test.go
@@ -1,44 +0,0 @@
-package sqlstore
-
-import (
-	"context"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-
-	"github.com/grafana/grafana/pkg/models"
-	"github.com/stretchr/testify/assert"
-)
-
-func TestDataKeys(t *testing.T) {
-	db := InitTestDB(t)
-	ctx := context.Background()
-
-	dataKey := models.DataKey{
-		Active:        true,
-		Name:          "Testing",
-		Provider:      "test",
-		EncryptedData: []byte{0x62, 0xAF, 0xA1, 0x1A},
-	}
-
-	res, err := db.GetDataKey(ctx, dataKey.Name)
-	assert.Equal(t, models.ErrDataKeyNotFound, err)
-	assert.Nil(t, res)
-
-	err = db.CreateDataKey(ctx, dataKey)
-	require.NoError(t, err)
-
-	res, err = db.GetDataKey(ctx, dataKey.Name)
-	require.NoError(t, err)
-	assert.Equal(t, dataKey.EncryptedData, res.EncryptedData)
-	assert.Equal(t, dataKey.Provider, res.Provider)
-	assert.Equal(t, dataKey.Name, res.Name)
-	assert.True(t, dataKey.Active)
-
-	err = db.DeleteDataKey(ctx, dataKey.Name)
-	require.NoError(t, err)
-
-	res, err = db.GetDataKey(ctx, dataKey.Name)
-	assert.Equal(t, models.ErrDataKeyNotFound, err)
-	assert.Nil(t, res)
-}
--- a/pkg/services/sqlstore/migrations/data_keys_mig.go
+++ b/pkg/services/sqlstore/migrations/data_keys_mig.go
@@ -1,20 +0,0 @@
-package migrations
-
-import "github.com/grafana/grafana/pkg/services/sqlstore/migrator"
-
-func addDataKeysMigrations(mg *migrator.Migrator) {
-	dataKeysV1 := migrator.Table{
-		Name: "data_keys",
-		Columns: []*migrator.Column{
-			{Name: "name", Type: migrator.DB_NVarchar, Length: 50, IsPrimaryKey: true},
-			{Name: "active", Type: migrator.DB_Bool},
-			{Name: "provider", Type: migrator.DB_NVarchar, Length: 50, Nullable: true},
-			{Name: "encrypted_data", Type: migrator.DB_Blob, Nullable: false},
-			{Name: "created", Type: migrator.DB_DateTime, Nullable: false},
-			{Name: "updated", Type: migrator.DB_DateTime, Nullable: false},
-		},
-		Indices: []*migrator.Index{},
-	}
-
-	mg.AddMigration("create data keys table", migrator.NewAddTableMigration(dataKeysV1))
-}
--- a/pkg/services/sqlstore/migrations/migrations.go
+++ b/pkg/services/sqlstore/migrations/migrations.go
@@ -35,7 +35,6 @@ func AddMigrations(mg *Migrator) {
 	addUserAuthTokenMigrations(mg)
 	addCacheMigration(mg)
 	addShortURLMigrations(mg)
-	addDataKeysMigrations(mg)
 }

 func addMigrationLogMigrations(mg *Migrator) {
--- a/pkg/services/sqlstore/plugin_setting.go
+++ b/pkg/services/sqlstore/plugin_setting.go
@@ -5,6 +5,7 @@ import (

 	"github.com/grafana/grafana/pkg/bus"
 	"github.com/grafana/grafana/pkg/models"
+	"github.com/grafana/grafana/pkg/setting"
 	"github.com/grafana/grafana/pkg/util"
 )

@@ -76,7 +77,7 @@ func UpdatePluginSetting(cmd *models.UpdatePluginSettingCmd) error {
 			return err
 		}
 		for key, data := range cmd.SecureJsonData {
-			encryptedData, err := util.Encrypt([]byte(data))
+			encryptedData, err := util.Encrypt([]byte(data), setting.SecretKey)
 			if err != nil {
 				return err
 			}
--- a/pkg/services/sqlstore/user_auth.go
+++ b/pkg/services/sqlstore/user_auth.go
@@ -6,6 +6,7 @@ import (

 	"github.com/grafana/grafana/pkg/bus"
 	"github.com/grafana/grafana/pkg/models"
+	"github.com/grafana/grafana/pkg/setting"
 	"github.com/grafana/grafana/pkg/util"
 )

@@ -264,7 +265,7 @@ func decodeAndDecrypt(s string) (string, error) {
 	if err != nil {
 		return "", err
 	}
-	decrypted, err := util.Decrypt(decoded)
+	decrypted, err := util.Decrypt(decoded, setting.SecretKey)
 	if err != nil {
 		return "", err
 	}
@@ -274,7 +275,7 @@ func decodeAndDecrypt(s string) (string, error) {
 // encryptAndEncode will encrypt a string with grafana's secretKey, and
 // then encode it with the standard bas64 encoder
 func encryptAndEncode(s string) (string, error) {
-	encrypted, err := util.Encrypt([]byte(s))
+	encrypted, err := util.Encrypt([]byte(s), setting.SecretKey)
 	if err != nil {
 		return "", err
 	}
--- a/pkg/util/encryption.go
+++ b/pkg/util/encryption.go
@@ -1,19 +1,79 @@
 package util

 import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"crypto/sha256"
 	"errors"
+	"io"
+
+	"golang.org/x/crypto/pbkdf2"
 )

-var ErrNotInitialized = errors.New("function is not initialized")
+const saltLength = 8

 // Decrypt decrypts a payload with a given secret.
-// Real implementation in github.com/grafana/grafana/pkg/services/secrets
-var Decrypt = func(_ []byte) ([]byte, error) {
-	return nil, ErrNotInitialized
+func Decrypt(payload []byte, secret string) ([]byte, error) {
+	salt := payload[:saltLength]
+	key, err := encryptionKeyToBytes(secret, string(salt))
+	if err != nil {
+		return nil, err
+	}
+
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+
+	// The IV needs to be unique, but not secure. Therefore it's common to
+	// include it at the beginning of the ciphertext.
+	if len(payload) < aes.BlockSize {
+		return nil, errors.New("payload too short")
+	}
+	iv := payload[saltLength : saltLength+aes.BlockSize]
+	payload = payload[saltLength+aes.BlockSize:]
+	payloadDst := make([]byte, len(payload))
+
+	stream := cipher.NewCFBDecrypter(block, iv)
+
+	// XORKeyStream can work in-place if the two arguments are the same.
+	stream.XORKeyStream(payloadDst, payload)
+	return payloadDst, nil
 }

 // Encrypt encrypts a payload with a given secret.
-// Real implementation in github.com/grafana/grafana/pkg/services/secrets
-var Encrypt = func(_ []byte) ([]byte, error) {
-	return nil, ErrNotInitialized
+func Encrypt(payload []byte, secret string) ([]byte, error) {
+	salt, err := GetRandomString(saltLength)
+	if err != nil {
+		return nil, err
+	}
+
+	key, err := encryptionKeyToBytes(secret, salt)
+	if err != nil {
+		return nil, err
+	}
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+
+	// The IV needs to be unique, but not secure. Therefore it's common to
+	// include it at the beginning of the ciphertext.
+	ciphertext := make([]byte, saltLength+aes.BlockSize+len(payload))
+	copy(ciphertext[:saltLength], salt)
+	iv := ciphertext[saltLength : saltLength+aes.BlockSize]
+	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
+		return nil, err
+	}
+
+	stream := cipher.NewCFBEncrypter(block, iv)
+	stream.XORKeyStream(ciphertext[saltLength+aes.BlockSize:], payload)
+
+	return ciphertext, nil
+}
+
+// Key needs to be 32bytes
+func encryptionKeyToBytes(secret, salt string) ([]byte, error) {
+	return pbkdf2.Key([]byte(secret), []byte(salt), 10000, 32, sha256.New), nil
 }
--- a/pkg/util/encryption_test.go
+++ b/pkg/util/encryption_test.go
@@ -0,0 +1,30 @@
+package util
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestEncryption(t *testing.T) {
+	t.Run("getting encryption key", func(t *testing.T) {
+		key, err := encryptionKeyToBytes("secret", "salt")
+		require.NoError(t, err)
+		assert.Len(t, key, 32)
+
+		key, err = encryptionKeyToBytes("a very long secret key that is larger then 32bytes", "salt")
+		require.NoError(t, err)
+		assert.Len(t, key, 32)
+	})
+
+	t.Run("decrypting basic payload", func(t *testing.T) {
+		encrypted, err := Encrypt([]byte("grafana"), "1234")
+		require.NoError(t, err)
+
+		decrypted, err := Decrypt(encrypted, "1234")
+		require.NoError(t, err)
+
+		assert.Equal(t, []byte("grafana"), decrypted)
+	})
+}
--- a/plugins-bundled/internal/input-datasource/package.json
+++ b/plugins-bundled/internal/input-datasource/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@grafana-plugins/input-datasource",
-  "version": "7.3.0-pre.0",
+  "version": "7.3.0-beta.1",
  "description": "Input Datasource",
  "private": true,
  "repository": {
@@ -16,9 +16,9 @@
  "author": "Grafana Labs",
  "license": "Apache-2.0",
  "devDependencies": {
-    "@grafana/data": "7.3.0-pre.0",
-    "@grafana/toolkit": "7.3.0-pre.0",
-    "@grafana/ui": "7.3.0-pre.0"
+    "@grafana/data": "7.3.0-beta.1",
+    "@grafana/toolkit": "7.3.0-beta.1",
+    "@grafana/ui": "7.3.0-beta.1"
  },
  "volta": {
    "node": "12.16.2"
--- a/public/app/features/alerting/components/NotificationChannelForm.tsx
+++ b/public/app/features/alerting/components/NotificationChannelForm.tsx
@@ -7,8 +7,6 @@ import { NotificationSettings } from './NotificationSettings';
 import { BasicSettings } from './BasicSettings';
 import { ChannelSettings } from './ChannelSettings';

-import config from 'app/core/config';
-
 interface Props extends Omit<FormAPI<NotificationChannelDTO>, 'formState'> {
  selectableChannels: Array<SelectableValue<string>>;
  selectedChannel?: NotificationChannelType;
@@ -104,7 +102,7 @@ export const NotificationChannelForm: FC<Props> = ({
          <Button type="button" variant="secondary" onClick={() => onTestChannel(getValues({ nest: true }))}>
            Test
          </Button>
-          <a href={`${config.appSubUrl}/alerting/notifications`}>
+          <a href="/alerting/notifications">
            <Button type="button" variant="secondary">
              Back
            </Button>
Author	SHA1	Message	Date
Arve Knudsen	c11c8b0b4a	Drone: Fixes Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>	2020-10-15 13:56:46 +02:00
Arve Knudsen	0df7b25a49	Drone: Fixes Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>	2020-10-15 13:47:14 +02:00
Arve Knudsen	68a3631ed0	Release 7.3.0-beta1 Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>	2020-10-15 13:14:47 +02:00
Arve Knudsen	2e9a0d4755	Chore: Update what's new and release notes URL in package.json Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>	2020-10-15 13:09:34 +02:00