forked from grafana/grafana
-
Notifications
You must be signed in to change notification settings - Fork 0
/
encrypt_datasource_passwords_test.go
91 lines (77 loc) · 2.69 KB
/
encrypt_datasource_passwords_test.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
package datamigrations
import (
"testing"
"time"
"github.com/grafana/grafana/pkg/cmd/grafana-cli/commands/commandstest"
"github.com/grafana/grafana/pkg/components/securejsondata"
"github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/services/sqlstore"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func TestPasswordMigrationCommand(t *testing.T) {
//setup datasources with password, basic_auth and none
sqlstore := sqlstore.InitTestDB(t)
session := sqlstore.NewSession()
defer session.Close()
datasources := []*models.DataSource{
{Type: "influxdb", Name: "influxdb", Password: "foobar"},
{Type: "graphite", Name: "graphite", BasicAuthPassword: "foobar"},
{Type: "prometheus", Name: "prometheus"},
{Type: "elasticsearch", Name: "elasticsearch", Password: "pwd"},
}
// set required default values
for _, ds := range datasources {
ds.Created = time.Now()
ds.Updated = time.Now()
if ds.Name == "elasticsearch" {
ds.SecureJsonData = securejsondata.GetEncryptedJsonData(map[string]string{
"key": "value",
})
} else {
ds.SecureJsonData = securejsondata.GetEncryptedJsonData(map[string]string{})
}
}
_, err := session.Insert(&datasources)
assert.Nil(t, err)
// force secure_json_data to be null to verify that migration can handle that
_, err = session.Exec("update data_source set secure_json_data = null where name = 'influxdb'")
assert.Nil(t, err)
//run migration
c, err := commandstest.NewCliContext(map[string]string{})
require.Nil(t, err)
err = EncryptDatasourcePaswords(c, sqlstore)
assert.Nil(t, err)
//verify that no datasources still have password or basic_auth
var dss []*models.DataSource
err = session.SQL("select * from data_source").Find(&dss)
assert.Nil(t, err)
assert.Equal(t, len(dss), 4)
for _, ds := range dss {
sj := ds.SecureJsonData.Decrypt()
if ds.Name == "influxdb" {
assert.Equal(t, ds.Password, "")
v, exist := sj["password"]
assert.True(t, exist)
assert.Equal(t, v, "foobar", "expected password to be moved to securejson")
}
if ds.Name == "graphite" {
assert.Equal(t, ds.BasicAuthPassword, "")
v, exist := sj["basicAuthPassword"]
assert.True(t, exist)
assert.Equal(t, v, "foobar", "expected basic_auth_password to be moved to securejson")
}
if ds.Name == "prometheus" {
assert.Equal(t, len(sj), 0)
}
if ds.Name == "elasticsearch" {
assert.Equal(t, ds.Password, "")
key, exist := sj["key"]
assert.True(t, exist)
password, exist := sj["password"]
assert.True(t, exist)
assert.Equal(t, password, "pwd", "expected password to be moved to securejson")
assert.Equal(t, key, "value", "expected existing key to be kept intact in securejson")
}
}
}