Encryption PoC

commands/run.go

@@ -17,6 +17,7 @@ package commands
 
 import (
 	"context"
+	"github.com/percona/pmm-agent/utils/encryption"
 	"os"
 	"os/signal"
 
@@ -35,6 +36,10 @@ import (
 func Run() {
 	l := logrus.WithField("component", "main")
 	ctx, cancel := context.WithCancel(context.Background())
+	ctx, err := encryption.InjectEncryptorIfNotPresent(ctx)
+	if err != nil {
+		l.Fatalf("Failed to inject encryptor: %s.", err)
+	}
 	defer l.Info("Done.")
 
 	// handle termination signals

connectionchecker/connection_checker.go

@@ -20,6 +20,7 @@ import (
 	"context"
 	"database/sql"
 	"fmt"
+	"github.com/percona/pmm-agent/utils/encryption"
 	"io"
 	"math"
 	"net/http"
@@ -65,6 +66,14 @@ func (cc *ConnectionChecker) Check(ctx context.Context, msg *agentpb.CheckConnec
 		defer cancel()
 	}
 
+	encryptor := encryption.GetEncryptor(ctx)
+	dsn, err := encryptor.DecryptDsn(msg.Dsn)
+	if err != nil {
+		cc.l.Debugf("Failed to decrypt DSN: %s", err)
+	} else {
+		msg.Dsn = dsn
+	}
+
 	switch msg.Type {
 	case inventorypb.ServiceType_MYSQL_SERVICE:
 		return cc.checkMySQLConnection(ctx, msg.Dsn, msg.TextFiles, msg.TlsSkipVerify, id)

utils/encryption/default-key

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCawg8C/6YNMFfi
+QBUV6ifAsdxc6PO7+GBxrV/hsKCzJO+hR1yDsQAiWl+/XicJD7XNRcjeHSJYf9km
+wc1vtbI1hlmmQIitaT1dS49vOKNrOMu8FozPJUtvzNAURK+4q6ZI5n5aLO+4cvYw
+ZomotgjZ5UsMpfdNV4kJ7wcrwoDpdRq7by00MTKZ/8fKTsFAAg2RBOfAhYhf6XN4
+Yj54zNO6m0Mh/c4K+h79rWqnRE/uNDxtTZ+PpJQHROzcUSWpOwZlzM/rNqDbQJHS
+FLOWo0jvzkxy/e1HGzPC76sRP0JXKNEb1jpf1Oo84Nu4zWfpoqVrVf1aS3fzouLR
+OBe0X9K0kD8Ersms+tJHP68pqSGqpya508Dk16p2ML3aN3Ga0s5tWbgv84XQXBFg
+AR5hFWIJk1OjwPASN5xgfL4U260bG84/+nXmKndgbogcanWQ+gZ3HDMAlAr3ntlW
+pBQkIAIzaVw08RD6a5hFMwcti40zJVVb4451MWsXFQr/GKxiFvu0mg39plSvDDsp
+UNUPoAMciavVMvuET2v+Sjd7/RNA3wP5+As+kovJqC64sjYfJFqXMVa5BIRZQ7P/
+YhDvqRGCUvbJBUA6HygbyxfrFdjV8Wl+m9l3hUJZ1Y5B9ba0Go4qlwyCaSDEpy0x
+R4eGGDEYUjtvrlJcr248HdGzoRdt3wIDAQABAoICAClfF4RFs65y7gud9gUVw+rP
+oYl0/TOTArVhE/DRtyQtC6Kh4SmTd+W3I0GVefoCKSfnL/uw7i2agALMbI8gk7Ob
+Zvv65I73Q2BdgsrI6WcQl+aAYMQ/xBrvNfE1K4TC3oE+nSieOrekhAwMXWCsyVD2
+60lGVQZoEEqHi/M23B+NHshcwEjjnhNtPYvn4eGqqtXJ6eqdyAdb8XKNUQYaO7/3
+IctEfoCQvRgz8/8jU/rqG/1ccvuDk88drfR3/QlwrhUo26yVvgrfCByRTDFJFYaG
+MAnNuFD6BKxoReMmdiW207ANZS2ZTcVYl2SgBNeAk5hONJye8EJBmUE1LaEavMj9
+429Ecc+9B88xuEkE/bxdWxTP446A+7xyhIoOUKgElr6yoUQFdZEOFCb99wIfqp/u
+jDSIbT8LTC5VAH7tyB/YvP480LCKSblYD+jKzCx74H6ZJ0rxcNg+76Ip7ZEyA3uY
+11vA9LTeKN4KQPxJ1odJdgGuV9Zvxs5IISNCPzMufCOxm16XJM7Ap8KQ39qX5l9i
+gKAD39SApCThTty5D8OXBlb1xEXNMblXQXfUiSUnXTrg4sddTCwqbq15man6PR0D
+qYppNd5NrCba0Zk3xrnUu09P1sRcHTSbOuMkkdFzWVOqAY4f6cA9ZSNJsKjyndPC
+M4Ylb9ltLhg38CJucQgBAoIBAQDUJrJYfHTlEOXCx0Klz7f/vHa3nqqgIXOT8RMN
+9dZ5+91KJTI855/NDRlgehKgC+0poqU9UfYYn6u2F+DaGX8ZtIKfUqEUHwHIS3JZ
+Fn8dZT9prJsyzhP/EcOkpstKL4GwiLiIWmyqJA0byBRglbKKWK86NkS3y4q097h7
+6HqtnpyX1MdUvfbBRuWtEpOhjgDtrqIsl/6bAXrzLNqmpMNG4pEJ3IzB8+HYN84s
+BRBdeo8BWAwoUY1VTtZIDjGkWDMmvYuKoc655s2VeUuvKljB5akUTlxBgOG+a32N
+YYD9rmPpZRtOhoq4jdwvi8SwlyJ9lgBuIBwXXF37BbfnE5ZBAoIBAQC6vpZ9GFJJ
+UAw/xwPPFhPsghO5WiBvBw9/GBvAlstItYZWpZjaA48wuSe8ffawiGG25gT+GPll
+MaLBwbuhJu6GARb876QUUyxbwa2m7KPc6F7VRgs+OxxwNIEXCzn7KTs+gsLkYZpW
+pSMBDPi/JgKXwOUs1EMRKM+47Ii5uCKYIa3mpmOjIb0fX8Kx/Ev0KBWiiPgLTPS/
+gvr19slvB+felwkiJ0cvZvKrVdki0Q/wOJsI/HNYwbzfRi9LAJX7vHnx6gN1eKtm
++P+N3mNp9Jo971GCT6mZxH9yyfNoQqRs6BcNqlK+I+0lBFHWduybozf+J4iaWgNi
+bAghRaLoQTwfAoIBABrfD+XvVasR+dgy/vkbl1W4HF1jpn8D3azWczBofBMVWNEk
+ZvmZ6P7C8vzqWWOWPyLv6/gZYo954fj9i0h0xEmQOJ9PiwGOb95b2A76r30cruyG
+pV3JBnVfXaWETumFnOqsVptGwM7IJDTpodMeAvBNDVzVNN0G1fnYCrD/IFLPbUw5
+8kmEijWu8jZ6zOJAp1NztCzrz574kAcvHj7PTcCzv+U830NNzcRiRSYEOi9s76Ie
+8eNFeR5eDvwveBA177yvc3ZKynF3j4CoTXLRbU6Z9VGSH1NYrL8+xDddK0Z2iUct
+vEi09+sqZMJM9MvdSMwZbNKGFKjM1UaPUdzd+UECggEBAJRWM//mQ+bMWQ6ILXRf
+2y+xG63N85l+CEcyhUjz/0IgPzewjrwOu70+Nlw5yqzriILaL/kPKXvCc8Bo/XvD
+CxES6Im+aZ1jfAbez+uaaYdeZYYP/3pNRgezDR+a4VGqrM6428rB5PESd72r6iMc
+NE8LAIAdk7CbtHT2Hp03sPMbPaHLZbX9ZNb5IBR1jnfBJ35WQoHnfTpq9qJOiC9U
+HlDntG+Wt6rlobmLldFcM8bjj/MRZSaJrlfEzmhLbNfsHQmWk2zKj4xaGdU9Y8aU
+b7jm0t4qHVRxi7NIy7pzxVxk93r5YoR60TLoPYGYMdZnTmDqUk4ZVjrmCYc0Y3UN
+7I0CggEADTR7I5Pcgn1T5LkcZlESFfwGGkq5F3I1DckHz55jkdPS1bsFSAnJLnhS
+Rw9iij+YxkpbFgmUlm2U4JGJFMg2IyZmBFuEAyKn3F3LuRR93Tw3LVJ0Rp2FuvUe
+BAU5ZdcV9ZqBDCbYbiGmT6tTTuUaoJVqHWI/rWReRQH/mBSWE5WSdxs9RCk5ItkI
+y0lN4ciGLSEtCJ0nPS5gsZSAjfR91rA8LzxfWGSvfGLBnQ9yZk+dWMEoJ1YfHdID
+qPo3RhWm1PofU1GI1ZEmMSMSqpk+Ii+eeusWTbPhutodeQTi4fwvxsKscLEXND04
+281eBVUKTQll92Pc9h3YBktcWHXwfQ==
+-----END PRIVATE KEY-----

utils/encryption/encryption.go

@@ -0,0 +1,33 @@
+package encryption
+
+import (
+	"context"
+	_ "embed"
+	"github.com/percona/pmm/utils/rsa_encryptor"
+)
+
+//go:embed default-key
+var privateKey []byte
+
+const EncryptorKey = "encryptor"
+
+func NewFromDefaultKey() (*rsa_encryptor.Service, error) {
+	return rsa_encryptor.NewFromPrivateKey("d1", privateKey)
+}
+
+func InjectEncryptorIfNotPresent(ctx context.Context) (context.Context, error) {
+	encryptor := ctx.Value(EncryptorKey)
+	if encryptor == nil {
+		encryptor, err := NewFromDefaultKey()
+		if err != nil {
+			return nil, err
+		}
+		return context.WithValue(ctx, EncryptorKey, encryptor), nil
+	}
+
+	return ctx, nil
+}
+
+func GetEncryptor(ctx context.Context) *rsa_encryptor.Service {
+	return ctx.Value(EncryptorKey).(*rsa_encryptor.Service)
+}