FEATURE (encryption): Add encyption for secrets in notifiers and storages

Author: RostislavDugin

backend/internal/features/backups/backups/background_service.go

@@ -5,6 +5,7 @@ import (
 	"postgresus-backend/internal/config"
 	backups_config "postgresus-backend/internal/features/backups/config"
 	"postgresus-backend/internal/features/storages"
+	"postgresus-backend/internal/util/encryption"
 	"postgresus-backend/internal/util/period"
 	"time"
 )
@@ -131,7 +132,8 @@ func (s *BackupBackgroundService) cleanOldBackups() error {
 				continue
 			}
 
-			err = storage.DeleteFile(backup.ID)
+			encryptor := encryption.GetFieldEncryptor()
+			err = storage.DeleteFile(encryptor, backup.ID)
 			if err != nil {
 				s.logger.Error("Failed to delete backup file", "backupId", backup.ID, "error", err)
 			}

backend/internal/features/backups/backups/controller_test.go

@@ -26,6 +26,7 @@ import (
 	users_testing "postgresus-backend/internal/features/users/testing"
 	workspaces_models "postgresus-backend/internal/features/workspaces/models"
 	workspaces_testing "postgresus-backend/internal/features/workspaces/testing"
+	"postgresus-backend/internal/util/encryption"
 	test_utils "postgresus-backend/internal/util/testing"
 	"postgresus-backend/internal/util/tools"
 )
@@ -700,7 +701,7 @@ func createTestBackup(
 	dummyContent := []byte("dummy backup content for testing")
 	reader := strings.NewReader(string(dummyContent))
 	logger := slog.New(slog.NewTextHandler(io.Discard, nil))
-	if err := storages[0].SaveFile(logger, backup.ID, reader); err != nil {
+	if err := storages[0].SaveFile(encryption.GetFieldEncryptor(), logger, backup.ID, reader); err != nil {
 		panic(fmt.Sprintf("Failed to create test backup file: %v", err))
 	}
 

backend/internal/features/backups/backups/di.go

@@ -9,6 +9,7 @@ import (
 	"postgresus-backend/internal/features/storages"
 	users_repositories "postgresus-backend/internal/features/users/repositories"
 	workspaces_services "postgresus-backend/internal/features/workspaces/services"
+	"postgresus-backend/internal/util/encryption"
 	"postgresus-backend/internal/util/logger"
 	"time"
 )
@@ -25,6 +26,7 @@ var backupService = &BackupService{
 	notifiers.GetNotifierService(),
 	backups_config.GetBackupConfigService(),
 	users_repositories.GetSecretKeyRepository(),
+	encryption.GetFieldEncryptor(),
 	usecases.GetCreateBackupUsecase(),
 	logger.GetLogger(),
 	[]BackupRemoveListener{},

backend/internal/features/backups/backups/service.go

@@ -16,6 +16,7 @@ import (
 	users_models "postgresus-backend/internal/features/users/models"
 	users_repositories "postgresus-backend/internal/features/users/repositories"
 	workspaces_services "postgresus-backend/internal/features/workspaces/services"
+	util_encryption "postgresus-backend/internal/util/encryption"
 	"slices"
 	"strings"
 	"time"
@@ -31,6 +32,7 @@ type BackupService struct {
 	notificationSender  NotificationSender
 	backupConfigService *backups_config.BackupConfigService
 	secretKeyRepo       *users_repositories.SecretKeyRepository
+	fieldEncryptor      util_encryption.FieldEncryptor
 
 	createBackupUseCase CreateBackupUsecase
 
@@ -284,7 +286,7 @@ func (s *BackupService) MakeBackup(databaseID uuid.UUID, isLastTry bool) {
 			// Delete partial backup from storage
 			storage, storageErr := s.storageService.GetStorageByID(backup.StorageID)
 			if storageErr == nil {
-				if deleteErr := storage.DeleteFile(backup.ID); deleteErr != nil {
+				if deleteErr := storage.DeleteFile(s.fieldEncryptor, backup.ID); deleteErr != nil {
 					s.logger.Error(
 						"Failed to delete partial backup file",
 						"backupId",
@@ -545,7 +547,7 @@ func (s *BackupService) deleteBackup(backup *Backup) error {
 		return err
 	}
 
-	err = storage.DeleteFile(backup.ID)
+	err = storage.DeleteFile(s.fieldEncryptor, backup.ID)
 	if err != nil {
 		// we do not return error here, because sometimes clean up performed
 		// before unavailable storage removal or change - therefore we should
@@ -599,7 +601,7 @@ func (s *BackupService) getBackupReader(backupID uuid.UUID) (io.ReadCloser, erro
 		return nil, fmt.Errorf("failed to get storage: %w", err)
 	}
 
-	fileReader, err := storage.GetFile(backup.ID)
+	fileReader, err := storage.GetFile(s.fieldEncryptor, backup.ID)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get backup file: %w", err)
 	}

backend/internal/features/backups/backups/service_test.go

@@ -13,6 +13,7 @@ import (
 	users_testing "postgresus-backend/internal/features/users/testing"
 	workspaces_services "postgresus-backend/internal/features/workspaces/services"
 	workspaces_testing "postgresus-backend/internal/features/workspaces/testing"
+	"postgresus-backend/internal/util/encryption"
 	"postgresus-backend/internal/util/logger"
 	"strings"
 	"testing"
@@ -56,11 +57,12 @@ func Test_BackupExecuted_NotificationSent(t *testing.T) {
 			mockNotificationSender,
 			backups_config.GetBackupConfigService(),
 			users_repositories.GetSecretKeyRepository(),
+			encryption.GetFieldEncryptor(),
 			&CreateFailedBackupUsecase{},
 			logger.GetLogger(),
 			[]BackupRemoveListener{},
 			workspaces_services.GetWorkspaceService(),
-			nil, // auditLogService
+			nil,
 			NewBackupContextManager(),
 		}
 
@@ -103,11 +105,12 @@ func Test_BackupExecuted_NotificationSent(t *testing.T) {
 			mockNotificationSender,
 			backups_config.GetBackupConfigService(),
 			users_repositories.GetSecretKeyRepository(),
+			encryption.GetFieldEncryptor(),
 			&CreateSuccessBackupUsecase{},
 			logger.GetLogger(),
 			[]BackupRemoveListener{},
 			workspaces_services.GetWorkspaceService(),
-			nil, // auditLogService
+			nil,
 			NewBackupContextManager(),
 		}
 
@@ -127,11 +130,12 @@ func Test_BackupExecuted_NotificationSent(t *testing.T) {
 			mockNotificationSender,
 			backups_config.GetBackupConfigService(),
 			users_repositories.GetSecretKeyRepository(),
+			encryption.GetFieldEncryptor(),
 			&CreateSuccessBackupUsecase{},
 			logger.GetLogger(),
 			[]BackupRemoveListener{},
 			workspaces_services.GetWorkspaceService(),
-			nil, // auditLogService
+			nil,
 			NewBackupContextManager(),
 		}
 

backend/internal/features/backups/backups/usecases/postgresql/create_backup_uc.go

@@ -15,12 +15,13 @@ import (
 	"time"
 
 	"postgresus-backend/internal/config"
-	"postgresus-backend/internal/features/backups/backups/encryption"
+	backup_encryption "postgresus-backend/internal/features/backups/backups/encryption"
 	backups_config "postgresus-backend/internal/features/backups/config"
 	"postgresus-backend/internal/features/databases"
 	pgtypes "postgresus-backend/internal/features/databases/databases/postgresql"
 	"postgresus-backend/internal/features/storages"
 	users_repositories "postgresus-backend/internal/features/users/repositories"
+	"postgresus-backend/internal/util/encryption"
 	"postgresus-backend/internal/util/tools"
 
 	"github.com/google/uuid"
@@ -40,8 +41,9 @@ const (
 )
 
 type CreatePostgresqlBackupUsecase struct {
-	logger        *slog.Logger
-	secretKeyRepo *users_repositories.SecretKeyRepository
+	logger         *slog.Logger
+	secretKeyRepo  *users_repositories.SecretKeyRepository
+	fieldEncryptor encryption.FieldEncryptor
 }
 
 // Execute creates a backup of the database
@@ -166,7 +168,7 @@ func (uc *CreatePostgresqlBackupUsecase) streamToStorage(
 	// Start streaming into storage in its own goroutine
 	saveErrCh := make(chan error, 1)
 	go func() {
-		saveErr := storage.SaveFile(uc.logger, backupID, storageReader)
+		saveErr := storage.SaveFile(uc.fieldEncryptor, uc.logger, backupID, storageReader)
 		saveErrCh <- saveErr
 	}()
 
@@ -440,7 +442,7 @@ func (uc *CreatePostgresqlBackupUsecase) setupBackupEncryption(
 	backupID uuid.UUID,
 	backupConfig *backups_config.BackupConfig,
 	storageWriter io.WriteCloser,
-) (io.Writer, *encryption.EncryptionWriter, BackupMetadata, error) {
+) (io.Writer, *backup_encryption.EncryptionWriter, BackupMetadata, error) {
 	metadata := BackupMetadata{}
 
 	if backupConfig.Encryption != backups_config.BackupEncryptionEncrypted {
@@ -449,12 +451,12 @@ func (uc *CreatePostgresqlBackupUsecase) setupBackupEncryption(
 		return storageWriter, nil, metadata, nil
 	}
 
-	salt, err := encryption.GenerateSalt()
+	salt, err := backup_encryption.GenerateSalt()
 	if err != nil {
 		return nil, nil, metadata, fmt.Errorf("failed to generate salt: %w", err)
 	}
 
-	nonce, err := encryption.GenerateNonce()
+	nonce, err := backup_encryption.GenerateNonce()
 	if err != nil {
 		return nil, nil, metadata, fmt.Errorf("failed to generate nonce: %w", err)
 	}
@@ -464,7 +466,7 @@ func (uc *CreatePostgresqlBackupUsecase) setupBackupEncryption(
 		return nil, nil, metadata, fmt.Errorf("failed to get master key: %w", err)
 	}
 
-	encWriter, err := encryption.NewEncryptionWriter(
+	encWriter, err := backup_encryption.NewEncryptionWriter(
 		storageWriter,
 		masterKey,
 		backupID,
@@ -486,7 +488,7 @@ func (uc *CreatePostgresqlBackupUsecase) setupBackupEncryption(
 }
 
 func (uc *CreatePostgresqlBackupUsecase) cleanupOnCancellation(
-	encryptionWriter *encryption.EncryptionWriter,
+	encryptionWriter *backup_encryption.EncryptionWriter,
 	storageWriter io.WriteCloser,
 	saveErrCh chan error,
 ) {
@@ -510,7 +512,7 @@ func (uc *CreatePostgresqlBackupUsecase) cleanupOnCancellation(
 }
 
 func (uc *CreatePostgresqlBackupUsecase) closeWriters(
-	encryptionWriter *encryption.EncryptionWriter,
+	encryptionWriter *backup_encryption.EncryptionWriter,
 	storageWriter io.WriteCloser,
 ) error {
 	encryptionCloseErrCh := make(chan error, 1)

backend/internal/features/backups/backups/usecases/postgresql/di.go

@@ -2,12 +2,14 @@ package usecases_postgresql
 
 import (
 	users_repositories "postgresus-backend/internal/features/users/repositories"
+	"postgresus-backend/internal/util/encryption"
 	"postgresus-backend/internal/util/logger"
 )
 
 var createPostgresqlBackupUsecase = &CreatePostgresqlBackupUsecase{
 	logger.GetLogger(),
 	users_repositories.GetSecretKeyRepository(),
+	encryption.GetFieldEncryptor(),
 }
 
 func GetCreatePostgresqlBackupUsecase() *CreatePostgresqlBackupUsecase {

backend/internal/features/databases/controller_test.go

@@ -16,6 +16,7 @@ import (
 	users_testing "postgresus-backend/internal/features/users/testing"
 	workspaces_controllers "postgresus-backend/internal/features/workspaces/controllers"
 	workspaces_testing "postgresus-backend/internal/features/workspaces/testing"
+	"postgresus-backend/internal/util/encryption"
 	test_utils "postgresus-backend/internal/util/testing"
 	"postgresus-backend/internal/util/tools"
 )
@@ -769,6 +770,71 @@ func createTestDatabaseViaAPI(
 	return &database
 }
 
+func Test_CreateDatabase_PasswordIsEncryptedInDB(t *testing.T) {
+	router := createTestRouter()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+
+	testDbName := "test_db"
+	plainPassword := "my-super-secret-password-123"
+	request := Database{
+		Name:        "Test Database",
+		WorkspaceID: &workspace.ID,
+		Type:        DatabaseTypePostgres,
+		Postgresql: &postgresql.PostgresqlDatabase{
+			Version:  tools.PostgresqlVersion16,
+			Host:     "localhost",
+			Port:     5432,
+			Username: "postgres",
+			Password: plainPassword,
+			Database: &testDbName,
+		},
+	}
+
+	var createdDatabase Database
+	test_utils.MakePostRequestAndUnmarshal(
+		t,
+		router,
+		"/api/v1/databases/create",
+		"Bearer "+owner.Token,
+		request,
+		http.StatusCreated,
+		&createdDatabase,
+	)
+
+	repository := &DatabaseRepository{}
+	databaseFromDB, err := repository.FindByID(createdDatabase.ID)
+	assert.NoError(t, err)
+	assert.NotNil(t, databaseFromDB)
+	assert.NotNil(t, databaseFromDB.Postgresql)
+
+	assert.True(
+		t,
+		strings.HasPrefix(databaseFromDB.Postgresql.Password, "enc:"),
+		"Password should be encrypted in database with 'enc:' prefix, got: %s",
+		databaseFromDB.Postgresql.Password,
+	)
+
+	encryptor := encryption.GetFieldEncryptor()
+	decryptedPassword, err := encryptor.Decrypt(
+		databaseFromDB.ID,
+		databaseFromDB.Postgresql.Password,
+	)
+	assert.NoError(t, err)
+	assert.Equal(t, plainPassword, decryptedPassword,
+		"Decrypted password should match original plaintext password")
+
+	test_utils.MakeDeleteRequest(
+		t,
+		router,
+		"/api/v1/databases/"+createdDatabase.ID.String(),
+		"Bearer "+owner.Token,
+		http.StatusNoContent,
+	)
+
+	workspaces_testing.RemoveTestWorkspace(workspace, router)
+}
+
 func Test_DatabaseSensitiveDataLifecycle_AllTypes(t *testing.T) {
 	testCases := []struct {
 		name                string
@@ -815,7 +881,15 @@ func Test_DatabaseSensitiveDataLifecycle_AllTypes(t *testing.T) {
 				}
 			},
 			verifySensitiveData: func(t *testing.T, database *Database) {
-				assert.Equal(t, "original-password-secret", database.Postgresql.Password)
+				// Verify password is encrypted
+				assert.True(t, strings.HasPrefix(database.Postgresql.Password, "enc:"),
+					"Password should be encrypted in database")
+
+				// Verify it can be decrypted back to original
+				encryptor := encryption.GetFieldEncryptor()
+				decrypted, err := encryptor.Decrypt(database.ID, database.Postgresql.Password)
+				assert.NoError(t, err)
+				assert.Equal(t, "original-password-secret", decrypted)
 			},
 			verifyHiddenData: func(t *testing.T, database *Database) {
 				assert.Equal(t, "", database.Postgresql.Password)