GO-2024-2661: Arbitrary file read in github.com/grafana/grafana

secrets

package

v0.0.85-test Latest Latest Go to latest Published: May 8, 2023 License: AGPL-3.0 Imports: 6 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/grafana/grafana

Documentation ¶

Index ¶

Variables
type BackgroundProvider
type DataKey
type EncryptionOptions
- func WithScope(scope string) EncryptionOptions
- func WithoutScope() EncryptionOptions
type Provider
type ProviderID
- func (id ProviderID) Kind() (string, error)
type Service
type Store

Constants ¶

This section is empty.

Variables ¶

View Source

var ErrDataKeyNotFound = errors.New("data key not found")

Functions ¶

This section is empty.

Types ¶

type BackgroundProvider ¶

type BackgroundProvider interface {
	Run(ctx context.Context) error
}

BackgroundProvider should be implemented for a provider that has a task that needs to be run in the background.

type DataKey ¶

type DataKey struct {
	Active        bool
	Name          string
	Scope         string
	Provider      ProviderID
	EncryptedData []byte
	Created       time.Time
	Updated       time.Time
}

type EncryptionOptions ¶

type EncryptionOptions func() string

func WithScope ¶

func WithScope(scope string) EncryptionOptions

WithScope uses a data key for encryption bound to some specific scope (i.e., user, org, etc.). Scope should look like "user:10", "org:1".

func WithoutScope ¶

func WithoutScope() EncryptionOptions

WithoutScope uses a root level data key for encryption (DEK), in other words this DEK is not bound to any specific scope (not attached to any user, org, etc.).

type Provider ¶

type Provider interface {
	Encrypt(ctx context.Context, blob []byte) ([]byte, error)
	Decrypt(ctx context.Context, blob []byte) ([]byte, error)
}

Provider is a key encryption key provider for envelope encryption

type ProviderID ¶

type ProviderID string

func (ProviderID) Kind ¶

func (id ProviderID) Kind() (string, error)

type Service ¶

type Service interface {
	// Encrypt MUST NOT be used within database transactions, it may cause database locks.
	// For those specific use cases where the encryption operation cannot be moved outside
	// the database transaction, look at database-specific methods present at the specific
	// implementation present at manager.SecretsService.
	Encrypt(ctx context.Context, payload []byte, opt EncryptionOptions) ([]byte, error)
	Decrypt(ctx context.Context, payload []byte) ([]byte, error)

	// EncryptJsonData MUST NOT be used within database transactions.
	// Look at Encrypt method comment for further details.
	EncryptJsonData(ctx context.Context, kv map[string]string, opt EncryptionOptions) (map[string][]byte, error)
	DecryptJsonData(ctx context.Context, sjd map[string][]byte) (map[string]string, error)

	GetDecryptedValue(ctx context.Context, sjd map[string][]byte, key, fallback string) string

	ReEncryptDataKeys(ctx context.Context) error
}

Service is an envelope encryption service in charge of encrypting/decrypting secrets. It is a replacement for encryption.Service

type Store ¶

type Store interface {
	GetDataKey(ctx context.Context, name string) (*DataKey, error)
	GetAllDataKeys(ctx context.Context) ([]*DataKey, error)
	CreateDataKey(ctx context.Context, dataKey DataKey) error
	CreateDataKeyWithDBSession(ctx context.Context, dataKey DataKey, sess *xorm.Session) error
	DeleteDataKey(ctx context.Context, name string) error
	ReEncryptDataKeys(ctx context.Context, providers map[ProviderID]Provider, currProvider ProviderID) error
}

Store defines methods to interact with secrets storage

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
database
fakes
manager

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL