grafana/pkg/services/encryption/encryption.go

package encryption

import (
	"context"
	"crypto/sha256"

	"golang.org/x/crypto/pbkdf2"
)

const (
	SaltLength = 8

	AesCfb = "aes-cfb"
	AesGcm = "aes-gcm"
)

// Internal must not be used for general purpose encryption.
// This service is used as an internal component for envelope encryption
// and for very specific few use cases that still require legacy encryption.
//
// Unless there is any specific reason, you must use secrets.Service instead.
type Internal interface {
	Cipher
	Decipher

	EncryptJsonData(ctx context.Context, kv map[string]string, secret string) (map[string][]byte, error)
	DecryptJsonData(ctx context.Context, sjd map[string][]byte, secret string) (map[string]string, error)

	GetDecryptedValue(ctx context.Context, sjd map[string][]byte, key string, fallback string, secret string) string
}

type Cipher interface {
	Encrypt(ctx context.Context, payload []byte, secret string) ([]byte, error)
}

type Decipher interface {
	Decrypt(ctx context.Context, payload []byte, secret string) ([]byte, error)
}

type Provider interface {
	ProvideCiphers() map[string]Cipher
	ProvideDeciphers() map[string]Decipher
}

// KeyToBytes key length needs to be 32 bytes
func KeyToBytes(secret, salt string) ([]byte, error) {
	return pbkdf2.Key([]byte(secret), []byte(salt), 10000, 32, sha256.New), nil
}
Encryption: Extract encryption into service (#38442) * Add encryption service * Add tests for encryption service * Inject encryption service into http server * Replace encryption global function usage in login tests * Apply suggestions from code review Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Migrate to Wire * Undo non-desired changes * Move Encryption bindings to OSS Wire set Co-authored-by: Joan López de la Franca Beltran <joanjan14@gmail.com> Co-authored-by: Joan López de la Franca Beltran <5459617+joanlopez@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-08-31 01:39:55 +08:00			`package encryption`

Encryption: De-duplicate encryption code with extensible service (#52472) * Encryption: De-duplicate encryption code with extensible service * Fix Wire injections * Fix tests * Register reload handler 2022-08-02 21:08:09 +08:00			`import (`
			`"context"`
			`"crypto/sha256"`

			`"golang.org/x/crypto/pbkdf2"`
			`)`

			`const (`
			`SaltLength = 8`

			`AesCfb = "aes-cfb"`
			`AesGcm = "aes-gcm"`
			`)`
Encryption: Refactor securejsondata.SecureJsonData to stop relying on global functions (#38865) * Encryption: Add support to encrypt/decrypt sjd * Add datasources.Service as a proxy to datasources db operations * Encrypt ds.SecureJsonData before calling SQLStore * Move ds cache code into ds service * Fix tlsmanager tests * Fix pluginproxy tests * Remove some securejsondata.GetEncryptedJsonData usages * Add pluginsettings.Service as a proxy for plugin settings db operations * Add AlertNotificationService as a proxy for alert notification db operations * Remove some securejsondata.GetEncryptedJsonData usages * Remove more securejsondata.GetEncryptedJsonData usages * Fix lint errors * Minor fixes * Remove encryption global functions usages from ngalert * Fix lint errors * Minor fixes * Minor fixes * Remove securejsondata.DecryptedValue usage * Refactor the refactor * Remove securejsondata.DecryptedValue usage * Move securejsondata to migrations package * Move securejsondata to migrations package * Minor fix * Fix integration test * Fix integration tests * Undo undesired changes * Fix tests * Add context.Context into encryption methods * Fix tests * Fix tests * Fix tests * Trigger CI * Fix test * Add names to params of encryption service interface * Remove bus from CacheServiceImpl * Add logging * Add keys to logger Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Add missing key to logger Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Undo changes in markdown files * Fix formatting * Add context to secrets service * Rename decryptSecureJsonData to decryptSecureJsonDataFn * Name args in GetDecryptedValueFn * Add template back to NewAlertmanagerNotifier * Copy GetDecryptedValueFn to ngalert * Add logging to pluginsettings * Fix pluginsettings test Co-authored-by: Tania B <yalyna.ts@gmail.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-10-07 22:33:50 +08:00
Replace encryption.Service usages by secrets.Service (#41625) * Replace encryption.Service by secrets.Service on expr.Service * Replace encryption.Service by secrets.Service on live pkg * Rename encryption.Service to encryption.Internal to clarify it must be not used 2021-11-12 19:16:39 +08:00			`// Internal must not be used for general purpose encryption.`
			`// This service is used as an internal component for envelope encryption`
			`// and for very specific few use cases that still require legacy encryption.`
			`//`
			`// Unless there is any specific reason, you must use secrets.Service instead.`
			`type Internal interface {`
Encryption: De-duplicate encryption code with extensible service (#52472) * Encryption: De-duplicate encryption code with extensible service * Fix Wire injections * Fix tests * Register reload handler 2022-08-02 21:08:09 +08:00			`Cipher`
			`Decipher`
Encryption: Refactor securejsondata.SecureJsonData to stop relying on global functions (#38865) * Encryption: Add support to encrypt/decrypt sjd * Add datasources.Service as a proxy to datasources db operations * Encrypt ds.SecureJsonData before calling SQLStore * Move ds cache code into ds service * Fix tlsmanager tests * Fix pluginproxy tests * Remove some securejsondata.GetEncryptedJsonData usages * Add pluginsettings.Service as a proxy for plugin settings db operations * Add AlertNotificationService as a proxy for alert notification db operations * Remove some securejsondata.GetEncryptedJsonData usages * Remove more securejsondata.GetEncryptedJsonData usages * Fix lint errors * Minor fixes * Remove encryption global functions usages from ngalert * Fix lint errors * Minor fixes * Minor fixes * Remove securejsondata.DecryptedValue usage * Refactor the refactor * Remove securejsondata.DecryptedValue usage * Move securejsondata to migrations package * Move securejsondata to migrations package * Minor fix * Fix integration test * Fix integration tests * Undo undesired changes * Fix tests * Add context.Context into encryption methods * Fix tests * Fix tests * Fix tests * Trigger CI * Fix test * Add names to params of encryption service interface * Remove bus from CacheServiceImpl * Add logging * Add keys to logger Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Add missing key to logger Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Undo changes in markdown files * Fix formatting * Add context to secrets service * Rename decryptSecureJsonData to decryptSecureJsonDataFn * Name args in GetDecryptedValueFn * Add template back to NewAlertmanagerNotifier * Copy GetDecryptedValueFn to ngalert * Add logging to pluginsettings * Fix pluginsettings test Co-authored-by: Tania B <yalyna.ts@gmail.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-10-07 22:33:50 +08:00
			`EncryptJsonData(ctx context.Context, kv map[string]string, secret string) (map[string][]byte, error)`
			`DecryptJsonData(ctx context.Context, sjd map[string][]byte, secret string) (map[string]string, error)`

			`GetDecryptedValue(ctx context.Context, sjd map[string][]byte, key string, fallback string, secret string) string`
Encryption: Extract encryption into service (#38442) * Add encryption service * Add tests for encryption service * Inject encryption service into http server * Replace encryption global function usage in login tests * Apply suggestions from code review Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Migrate to Wire * Undo non-desired changes * Move Encryption bindings to OSS Wire set Co-authored-by: Joan López de la Franca Beltran <joanjan14@gmail.com> Co-authored-by: Joan López de la Franca Beltran <5459617+joanlopez@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-08-31 01:39:55 +08:00			`}`
Encryption: De-duplicate encryption code with extensible service (#52472) * Encryption: De-duplicate encryption code with extensible service * Fix Wire injections * Fix tests * Register reload handler 2022-08-02 21:08:09 +08:00
			`type Cipher interface {`
			`Encrypt(ctx context.Context, payload []byte, secret string) ([]byte, error)`
			`}`

			`type Decipher interface {`
			`Decrypt(ctx context.Context, payload []byte, secret string) ([]byte, error)`
			`}`

			`type Provider interface {`
			`ProvideCiphers() map[string]Cipher`
			`ProvideDeciphers() map[string]Decipher`
			`}`

			`// KeyToBytes key length needs to be 32 bytes`
			`func KeyToBytes(secret, salt string) ([]byte, error) {`
			`return pbkdf2.Key([]byte(secret), []byte(salt), 10000, 32, sha256.New), nil`
			`}`