percona · JiriCtvrtka · May 23, 2024 · May 23, 2024 · May 23, 2024 · May 23, 2024
@@ -16,6 +16,9 @@ jobs:
     name: Checks
     runs-on: ubuntu-22.04
 
+    env:
+      PMM_ENCRYPTION_KEY_PATH: pmm-encryption.key
+
     steps:
       - name: Check out code
         uses: actions/checkout@v4

@@ -38,3 +38,6 @@ TARGET ?= _bash
 env:								## Run `make TARGET` in devcontainer (`make env TARGET=help`); TARGET defaults to bash
 	COMPOSE_PROFILES=$(PROFILES) \
 	docker exec -it --workdir=/root/go/src/github.com/percona/pmm pmm-server make $(TARGET)
+
+rotate-encryption: 							## Rotate encryption key
+	go run ./encryption-rotation/main.go
@@ -19,6 +19,7 @@ require (
 	github.com/AlekSi/pointer v1.2.0
 	github.com/ClickHouse/clickhouse-go/v2 v2.23.0
 	github.com/DATA-DOG/go-sqlmock v1.5.0
+	github.com/Percona-Lab/kingpin v2.2.6+incompatible
 	github.com/alecthomas/kong v0.9.0
 	github.com/alecthomas/units v0.0.0-20231202071711-9a357b53e9c9
 	github.com/aws/aws-sdk-go v1.55.3
@@ -40,6 +41,7 @@ require (
 	github.com/go-sql-driver/mysql v1.7.1
 	github.com/gogo/status v1.1.1
 	github.com/golang-migrate/migrate/v4 v4.17.0
+	github.com/google/tink/go v1.7.0
 	github.com/google/uuid v1.6.0
 	github.com/grafana/grafana-api-golang-client v0.27.0
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0
@@ -103,7 +105,6 @@ require (
 	github.com/google/btree v1.0.0 // indirect
 	github.com/hashicorp/go-hclog v1.6.2 // indirect
 	github.com/hashicorp/go-msgpack/v2 v2.1.1 // indirect
-	github.com/hashicorp/go-uuid v1.0.2 // indirect
 	github.com/kr/fs v0.1.0 // indirect
 	github.com/mattn/go-colorable v0.1.12 // indirect
 	github.com/miekg/dns v1.1.41 // indirect

@@ -34,6 +34,8 @@ github.com/Percona-Lab/go-grpc-prometheus v0.0.0-20230116133345-3487748d4592 h1:
 github.com/Percona-Lab/go-grpc-prometheus v0.0.0-20230116133345-3487748d4592/go.mod h1:xCJfGpj56ERA85Mj1VfBzoeWW4lZ00xXXkvG0LJQjZU=
 github.com/Percona-Lab/kingpin v2.2.6-percona+incompatible h1:N5oM40aAatvf8bCYjv69YsVdxJLIUhY/MerUG1jRL9Y=
 github.com/Percona-Lab/kingpin v2.2.6-percona+incompatible/go.mod h1:UC6j/e2eqpHBB/vn+5214ExsoDLiEo6BfUGBhbtf+x0=
+github.com/Percona-Lab/kingpin v2.2.6+incompatible h1:i7fo0CKR6IGSxe9ErG2DMFz/shUK6vRigVfyQqOyWvs=
+github.com/Percona-Lab/kingpin v2.2.6+incompatible/go.mod h1:UC6j/e2eqpHBB/vn+5214ExsoDLiEo6BfUGBhbtf+x0=
 github.com/Percona-Lab/spec v0.20.5-percona h1:ViCJVq52QIZxpP8/Nv4/nIed+WnqUirNjPtXvHhset4=
 github.com/Percona-Lab/spec v0.20.5-percona/go.mod h1:2OpW+JddWPrpXSCIX8eOx7lZ5iyuWj3RYR6VaaBKcWA=
 github.com/PuerkitoBio/goquery v1.5.1/go.mod h1:GsLWisAFVj4WgDibEWF4pvYnkVQBpKBKeU+7zCJoLcc=
@@ -238,6 +240,8 @@ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/tink/go v1.7.0 h1:6Eox8zONGebBFcCBqkVmt60LaWZa6xg1cl/DwAh/J1w=
+github.com/google/tink/go v1.7.0/go.mod h1:GAUOd+QE3pgj9q8VKIGTCP33c/B7eb4NhxLcgTJZStM=
 github.com/google/uuid v1.4.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=

@@ -37,7 +37,6 @@ clean:                          ## Remove generated files
 
 release:                        ## Build pmm-managed release binaries
 	env CGO_ENABLED=0 go build -v $(PMM_LD_FLAGS) -o $(PMM_RELEASE_PATH)/ ./cmd/...
-	$(PMM_RELEASE_PATH)/pmm-managed --version
 
 release-starlark:
 	env CGO_ENABLED=0 go build -v $(PMM_LD_FLAGS) -o $(PMM_RELEASE_PATH)/ ./cmd/pmm-managed-starlark/...

@@ -0,0 +1,90 @@
+// Copyright (C) 2023 Percona LLC
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program. If not, see <https://www.gnu.org/licenses/>.
+// Package main is the main package for encryption keys rotation.
+package main
+
+import (
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/Percona-Lab/kingpin"
+	"github.com/sirupsen/logrus"
+
+	"github.com/percona/pmm/managed/models"
+	"github.com/percona/pmm/utils/logger"
+)
+
+func main() {
+	signal.Ignore(syscall.SIGINT, syscall.SIGTERM) // to prevent any interuptions during process
+
+	logger.SetupGlobalLogger()
+
+	sqlDB, err := models.OpenDB(setupParams())
+	if err != nil {
+		logrus.Error(err)
+		os.Exit(1)
+	}
+
+	statusCode := models.RotateEncryptionKey(sqlDB, "pmm-managed")
+	sqlDB.Close() //nolint:errcheck
+
+	os.Exit(statusCode)
+}
+
+func setupParams() models.SetupDBParams {
+	postgresAddrF := kingpin.Flag("postgres-addr", "PostgreSQL address").
+		Default(models.DefaultPostgreSQLAddr).
+		Envar("PMM_POSTGRES_ADDR").
+		String()
+	postgresDBNameF := kingpin.Flag("postgres-name", "PostgreSQL database name").
+		Default("pmm-managed").
+		Envar("PMM_POSTGRES_DBNAME").
+		String()
+	postgresDBUsernameF := kingpin.Flag("postgres-username", "PostgreSQL database username").
+		Default("pmm-managed").
+		Envar("PMM_POSTGRES_USERNAME").
+		String()
+	postgresSSLModeF := kingpin.Flag("postgres-ssl-mode", "PostgreSQL SSL mode").
+		Default(models.DisableSSLMode).
+		Envar("PMM_POSTGRES_SSL_MODE").
+		Enum(models.DisableSSLMode, models.RequireSSLMode, models.VerifyCaSSLMode, models.VerifyFullSSLMode)
+	postgresSSLCAPathF := kingpin.Flag("postgres-ssl-ca-path", "PostgreSQL SSL CA root certificate path").
+		Envar("PMM_POSTGRES_SSL_CA_PATH").
+		String()
+	postgresDBPasswordF := kingpin.Flag("postgres-password", "PostgreSQL database password").
+		Default("pmm-managed").
+		Envar("PMM_POSTGRES_DBPASSWORD").
+		String()
+	postgresSSLKeyPathF := kingpin.Flag("postgres-ssl-key-path", "PostgreSQL SSL key path").
+		Envar("PMM_POSTGRES_SSL_KEY_PATH").
+		String()
+	postgresSSLCertPathF := kingpin.Flag("postgres-ssl-cert-path", "PostgreSQL SSL certificate path").
+		Envar("PMM_POSTGRES_SSL_CERT_PATH").
+		String()
+
+	kingpin.Parse()
+
+	return models.SetupDBParams{
+		Address:     *postgresAddrF,
+		Name:        *postgresDBNameF,
+		Username:    *postgresDBUsernameF,
+		Password:    *postgresDBPasswordF,
+		SSLMode:     *postgresSSLModeF,
+		SSLCAPath:   *postgresSSLCAPathF,
+		SSLKeyPath:  *postgresSSLKeyPathF,
+		SSLCertPath: *postgresSSLCertPathF,
+	}
+}
@@ -229,7 +229,8 @@
 
 	agents := make([]*Agent, len(structs))
 	for i, s := range structs {
-		agents[i] = s.(*Agent) //nolint:forcetypeassert
+		decryptedAgent := DecryptAgent(*s.(*Agent)) //nolint:forcetypeassert
+		agents[i] = &decryptedAgent
 	}
 
 	return agents, nil
@@ -249,8 +250,9 @@
 		}
 		return nil, errors.WithStack(err)
 	}
+	decryptedAgent := DecryptAgent(*agent)
 
-	return agent, nil
+	return &decryptedAgent, nil
 }
 
 // FindAgentsByIDs finds Agents by IDs.
@@ -272,7 +274,8 @@
 
 	res := make([]*Agent, len(structs))
 	for i, s := range structs {
-		res[i] = s.(*Agent) //nolint:forcetypeassert
+		decryptedAgent := DecryptAgent(*s.(*Agent)) //nolint:forcetypeassert
+		res[i] = &decryptedAgent
 	}
 	return res, nil
 }
@@ -323,7 +326,8 @@
 
 	res := make([]*Agent, len(structs))
 	for i, s := range structs {
-		res[i] = s.(*Agent) //nolint:forcetypeassert
+		decryptedAgent := DecryptAgent(*s.(*Agent)) //nolint:forcetypeassert
+		res[i] = &decryptedAgent
 	}
 
 	if len(res) == 0 {
@@ -350,8 +354,8 @@
 
 	res := make([]*Agent, 0, len(structs))
 	for _, str := range structs {
-		row := str.(*Agent) //nolint:forcetypeassert
-		res = append(res, row)
+		decryptedAgent := DecryptAgent(*str.(*Agent)) //nolint:forcetypeassert
+		res = append(res, &decryptedAgent)
 	}
 
 	return res, nil
@@ -395,8 +399,8 @@
 	}
 	res := make([]*Agent, 0, len(pmmAgentRecords))
 	for _, str := range pmmAgentRecords {
-		row := str.(*Agent) //nolint:forcetypeassert
-		res = append(res, row)
+		decryptedAgent := DecryptAgent(*str.(*Agent)) //nolint:forcetypeassert
+		res = append(res, &decryptedAgent)
 	}
 
 	return res, nil
@@ -477,7 +481,8 @@
 
 	res := make([]*Agent, len(allAgents))
 	for i, s := range allAgents {
-		res[i] = s.(*Agent) //nolint:forcetypeassert
+		decryptedAgent := DecryptAgent(*s.(*Agent)) //nolint:forcetypeassert
+		res[i] = &decryptedAgent
 	}
 	return res, nil
 }
@@ -624,8 +629,8 @@
 		return nil, err
 	}
 	if !IsPushMetricsSupported(pmmAgent.Version) {
 		return nil, status.Errorf(codes.FailedPrecondition, "cannot use push_metrics_enabled with pmm_agent version=%q,"+
 			" it doesn't support it, minimum supported version=%q", pointer.GetString(pmmAgent.Version), PMMAgentWithPushMetricsSupport.String())
 	}
 	row := &Agent{
 		AgentID:            id,
@@ -641,11 +646,14 @@
 	if err := row.SetCustomLabels(customLabels); err != nil {
 		return nil, err
 	}
-	if err := q.Insert(row); err != nil {
+
+	encryptedAgent := EncryptAgent(*row)
+	if err := q.Insert(&encryptedAgent); err != nil {
 		return nil, errors.WithStack(err)
 	}
+	agent := DecryptAgent(encryptedAgent)
 
-	return row, nil
+	return &agent, nil
 }
 
 // CreateExternalExporterParams params for add external exporter.
@@ -725,11 +733,14 @@
 	if err := row.SetCustomLabels(params.CustomLabels); err != nil {
 		return nil, err
 	}
-	if err := q.Insert(row); err != nil {
+
+	encryptedAgent := EncryptAgent(*row)
+	if err := q.Insert(&encryptedAgent); err != nil {
 		return nil, errors.WithStack(err)
 	}
+	agent := DecryptAgent(encryptedAgent)
 
-	return row, nil
+	return &agent, nil
 }
 
 // CreateAgentParams params for add common exporter.
@@ -912,15 +923,17 @@
 		DisabledCollectors:             params.DisableCollectors,
 		LogLevel:                       pointer.ToStringOrNil(params.LogLevel),
 	}
-
 	if err := row.SetCustomLabels(params.CustomLabels); err != nil {
 		return nil, err
 	}
-	if err := q.Insert(row); err != nil {
+
+	encryptedAgent := EncryptAgent(*row)
+	if err := q.Insert(&encryptedAgent); err != nil {
 		return nil, errors.WithStack(err)
 	}
+	agent := DecryptAgent(encryptedAgent)
 
-	return row, nil
+	return &agent, nil
 }
 
 // ChangeCommonAgentParams contains parameters that can be changed for all Agents.