PMM-13129 Basics for settings and migration.

api/serverpb/json/serverpb.json

@@ -338,6 +338,14 @@
                       "type": "boolean",
                       "x-order": 15
                     },
+                    "encrypted_items": {
+                      "description": "Contains all already encrypted tables in format db.table.",
+                      "type": "array",
+                      "items": {
+                        "type": "string"
+                      },
+                      "x-order": 17
+                    },
                     "metrics_resolutions": {
                       "description": "MetricsResolutions represents Prometheus exporters metrics resolutions.",
                       "type": "object",
@@ -531,6 +539,14 @@
                       "type": "boolean",
                       "x-order": 15
                     },
+                    "encrypted_items": {
+                      "description": "Contains all already encrypted tables in format db.table.",
+                      "type": "array",
+                      "items": {
+                        "type": "string"
+                      },
+                      "x-order": 17
+                    },
                     "metrics_resolutions": {
                       "description": "MetricsResolutions represents Prometheus exporters metrics resolutions.",
                       "type": "object",

api/serverpb/server.proto

@@ -169,6 +169,8 @@ message Settings {
   bool enable_access_control = 21;
   // Default Access Control role ID for new users.
   uint32 default_role_id = 22;
+  // Contains all already encrypted tables in format db.table.
+  repeated string encrypted_items = 23;
 }
 
 message GetSettingsRequest {}

api/swagger/swagger-dev.json

@@ -3262,6 +3262,14 @@
                       "type": "integer",
                       "format": "int64",
                       "x-order": 16
+                    },
+                    "encrypted_items": {
+                      "description": "Contains all already encrypted tables in format db.table.",
+                      "type": "array",
+                      "items": {
+                        "type": "string"
+                      },
+                      "x-order": 17
                     }
                   },
                   "x-order": 0
@@ -3455,6 +3463,14 @@
                       "type": "integer",
                       "format": "int64",
                       "x-order": 16
+                    },
+                    "encrypted_items": {
+                      "description": "Contains all already encrypted tables in format db.table.",
+                      "type": "array",
+                      "items": {
+                        "type": "string"
+                      },
+                      "x-order": 17
                     }
                   },
                   "x-order": 0

api/swagger/swagger.json

@@ -418,6 +418,14 @@
                       "type": "integer",
                       "format": "int64",
                       "x-order": 16
+                    },
+                    "encrypted_items": {
+                      "description": "Contains all already encrypted tables in format db.table.",
+                      "type": "array",
+                      "items": {
+                        "type": "string"
+                      },
+                      "x-order": 17
                     }
                   },
                   "x-order": 0
@@ -611,6 +619,14 @@
                       "type": "integer",
                       "format": "int64",
                       "x-order": 16
+                    },
+                    "encrypted_items": {
+                      "description": "Contains all already encrypted tables in format db.table.",
+                      "type": "array",
+                      "items": {
+                        "type": "string"
+                      },
+                      "x-order": 17
                     }
                   },
                   "x-order": 0

managed/models/database.go

@@ -31,6 +31,7 @@ import (
 	"strings"
 
 	"github.com/lib/pq"
+	"github.com/percona/pmm/managed/utils/encryption"
 	"github.com/pkg/errors"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
@@ -1063,38 +1064,54 @@ func SetupDB(ctx context.Context, sqlDB *sql.DB, params SetupDBParams) (*reform.
 		return nil, err
 	}
 
-	// host, p, err := net.SplitHostPort(params.Address)
-	// if err != nil {
-	// 	return nil, err
-	// }
-
-	// port, err := strconv.ParseInt(p, 10, 16)
-	// if err != nil {
-	// 	return nil, err
-	// }
-
-	// c := &encryption.DatabaseConnection{
-	// 	Host:        host,
-	// 	Port:        int16(port),
-	// 	User:        params.Username,
-	// 	Password:    params.Password,
-	// 	SSLMode:     params.SSLMode,
-	// 	SSLCAPath:   params.SSLCAPath,
-	// 	SSLKeyPath:  params.SSLKeyPath,
-	// 	SSLCertPath: params.SSLCertPath,
-	// 	EncryptedItems: []encryption.EncryptedItem{
-	// 		{
-	// 			Database:       "pmm-managed",
-	// 			Table:          "agents",
-	// 			Identificators: []string{"agent_id"},
-	// 			Columns:        []string{"username", "password"},
-	// 		},
-	// 	},
-	// }
-
-	// if err := encryption.EncryptDB(ctx, c); err != nil {
-	// 	return nil, err
-	// }
+	settings, err := GetSettings(sqlDB)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(settings.EncryptedItems) > 0 {
+		return db, nil
+	}
+
+	host, p, err := net.SplitHostPort(params.Address)
+	if err != nil {
+		return nil, err
+	}
+
+	port, err := strconv.ParseInt(p, 10, 16)
+	if err != nil {
+		return nil, err
+	}
+
+	c := &encryption.DatabaseConnection{
+		Host:        host,
+		Port:        int16(port),
+		User:        params.Username,
+		Password:    params.Password,
+		SSLMode:     params.SSLMode,
+		SSLCAPath:   params.SSLCAPath,
+		SSLKeyPath:  params.SSLKeyPath,
+		SSLCertPath: params.SSLCertPath,
+		EncryptedItems: []encryption.EncryptedItem{
+			{
+				Database:       "pmm-managed",
+				Table:          "agents",
+				Identificators: []string{"agent_id"},
+				Columns:        []string{"username", "password"},
+			},
+		},
+	}
+
+	if err := encryption.EncryptDB(ctx, c); err != nil {
+		return nil, err
+	}
+
+	_, err = UpdateSettings(sqlDB, &ChangeSettingsParams{
+		EncryptedItems: []string{"pmm-managed.agents"},
+	})
+	if err != nil {
+		return nil, err
+	}
 
 	return db, nil
 }

managed/models/settings.go

@@ -100,6 +100,9 @@ type Settings struct {
 		// Enabled is true if access control is enabled.
 		Enabled bool `json:"enabled"`
 	} `json:"access_control"`
+
+	// Contains all already encrypted tables in format db.table.
+	EncryptedItems []string `json:"encrypted_items"`
 }
 
 // STTCheckIntervals represents intervals between STT checks.

managed/models/settings_helpers.go

@@ -105,6 +105,9 @@ type ChangeSettingsParams struct {
 
 	// DefaultRoleID sets a default role to be assigned to new users.
 	DefaultRoleID int
+
+	// List of tables in format db.table to be encrypted.
+	EncryptedItems []string
 }
 
 // SetPMMServerID should be run on start up to generate unique PMM Server ID.
@@ -262,6 +265,10 @@ func UpdateSettings(q reform.DBTX, params *ChangeSettingsParams) (*Settings, err
 		settings.DefaultRoleID = params.DefaultRoleID
 	}
 
+	if len(params.EncryptedItems) != 0 {
+		settings.EncryptedItems = params.EncryptedItems
+	}
+
 	err = SaveSettings(q, settings)
 	if err != nil {
 		return nil, err

managed/utils/encryption/encryption.go

@@ -20,6 +20,7 @@ import (
 	"database/sql"
 	"encoding/base64"
 	"errors"
+	"fmt"
 	"os"
 	"slices"
 
@@ -156,7 +157,7 @@ func (e *Encryption) Decrypt(cipherText string) (string, error) {
 	}
 	decoded, err := base64.StdEncoding.DecodeString(cipherText)
 	if err != nil {
-		return cipherText, err
+		return cipherText, fmt.Errorf("value %s is probably not encrypted, error: %v", cipherText, err)
 	}
 	secret, err := e.Primitive.Decrypt(decoded, []byte(""))
 	if err != nil {