Merge branch 'fix/gb/encrypt-ci-build-token' into 'master'

Add CI/CD build encrypted tokens (after revert) Closes #52342 See merge request gitlab-org/gitlab-ce!23649

Merge branch 'fix/gb/encrypt-ci-build-token' into 'master'
Add CI/CD build encrypted tokens (after revert) Closes #52342 See merge request gitlab-org/gitlab-ce!23649
5d9a2e3b · Kamil Trzciński · a7a11f82 · a910c09b · 5d9a2e3b · 5d9a2e3b
Commit 5d9a2e3b authored Dec 07, 2018 by Kamil Trzciński
9 changed files
--- a/app/models/ci/build.rb
+++ b/app/models/ci/build.rb
@@ -120,7 +120,7 @@ module Ci
    acts_as_taggable
-    add_authentication_token_field :token
+    add_authentication_token_field :token, encrypted: true, fallback: true
    before_save :update_artifacts_size, if: :artifacts_file_changed?
    before_save :ensure_token

--- a/changelogs/unreleased/fix-gb-encrypt-ci-build-token.yml
+++ b/changelogs/unreleased/fix-gb-encrypt-ci-build-token.yml
+---
+title: Encrypt CI/CD builds authentication tokens
+merge_request: 23436
+author:
+type: security
--- a/db/migrate/20181129104854_add_token_encrypted_to_ci_builds.rb
+++ b/db/migrate/20181129104854_add_token_encrypted_to_ci_builds.rb
+# frozen_string_literal: true
+class AddTokenEncryptedToCiBuilds < ActiveRecord::Migration[5.0]
+  include Gitlab::Database::MigrationHelpers
+  DOWNTIME = false
+  def change
+    add_column :ci_builds, :token_encrypted, :string
+  end
+end
--- a/db/migrate/20181129104944_add_index_to_ci_builds_token_encrypted.rb
+++ b/db/migrate/20181129104944_add_index_to_ci_builds_token_encrypted.rb
+# frozen_string_literal: true
+class AddIndexToCiBuildsTokenEncrypted < ActiveRecord::Migration[5.0]
+  include Gitlab::Database::MigrationHelpers
+  DOWNTIME = false
+  disable_ddl_transaction!
+  def up
+    add_concurrent_index :ci_builds, :token_encrypted, unique: true, where: 'token_encrypted IS NOT NULL'
+  end
+  def down
+    remove_concurrent_index :ci_builds, :token_encrypted
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -345,6 +345,7 @@ ActiveRecord::Schema.define(version: 20181203002526) do
    t.boolean "protected"
    t.integer "failure_reason"
    t.datetime_with_timezone "scheduled_at"
+    t.string "token_encrypted"
    t.index ["artifacts_expire_at"], name: "index_ci_builds_on_artifacts_expire_at", where: "(artifacts_file <> ''::text)", using: :btree
    t.index ["auto_canceled_by_id"], name: "index_ci_builds_on_auto_canceled_by_id", using: :btree
    t.index ["commit_id", "stage_idx", "created_at"], name: "index_ci_builds_on_commit_id_and_stage_idx_and_created_at", using: :btree
@@ -361,6 +362,7 @@ ActiveRecord::Schema.define(version: 20181203002526) do
    t.index ["stage_id"], name: "index_ci_builds_on_stage_id", using: :btree
    t.index ["status", "type", "runner_id"], name: "index_ci_builds_on_status_and_type_and_runner_id", using: :btree
    t.index ["token"], name: "index_ci_builds_on_token", unique: true, using: :btree
+    t.index ["token_encrypted"], name: "index_ci_builds_on_token_encrypted", unique: true, where: "(token_encrypted IS NOT NULL)", using: :btree
    t.index ["updated_at"], name: "index_ci_builds_on_updated_at", using: :btree
    t.index ["user_id"], name: "index_ci_builds_on_user_id", using: :btree
  end

--- a/lib/gitlab/import_export/import_export.yml
+++ b/lib/gitlab/import_export/import_export.yml
@@ -143,6 +143,7 @@ excluded_attributes:
  statuses:
    - :trace
    - :token
+    - :token_encrypted
    - :when
    - :artifacts_file
    - :artifacts_metadata

--- a/spec/models/ci/build_spec.rb
+++ b/spec/models/ci/build_spec.rb
@@ -1925,7 +1925,7 @@ describe Ci::Build do
    context 'when token is empty' do
      before do
-        build.token = nil
+        build.update_columns(token: nil, token_encrypted: nil)
      end
      it { is_expected.to be_nil}
@@ -2141,7 +2141,7 @@ describe Ci::Build do
      end
      before do
-        build.token = 'my-token'
+        build.set_token('my-token')
        build.yaml_variables = []
      end

--- a/spec/models/concerns/token_authenticatable_spec.rb
+++ b/spec/models/concerns/token_authenticatable_spec.rb
@@ -351,3 +351,89 @@ describe PersonalAccessToken, 'TokenAuthenticatable' do
    end
  end
 end
+describe Ci::Build, 'TokenAuthenticatable' do
+  let(:token_field) { :token }
+  let(:build) { FactoryBot.build(:ci_build) }
+  it_behaves_like 'TokenAuthenticatable'
+  describe 'generating new token' do
+    context 'token is not generated yet' do
+      describe 'token field accessor' do
+        it 'makes it possible to access token' do
+          expect(build.token).to be_nil
+          build.save!
+          expect(build.token).to be_present
+        end
+      end
+      describe "ensure_token" do
+        subject { build.ensure_token }
+        it { is_expected.to be_a String }
+        it { is_expected.not_to be_blank }
+        it 'does not persist token' do
+          expect(build).not_to be_persisted
+        end
+      end
+      describe 'ensure_token!' do
+        it 'persists a new token' do
+          expect(build.ensure_token!).to eq build.reload.token
+          expect(build).to be_persisted
+        end
+        it 'persists new token as an encrypted string' do
+          build.ensure_token!
+          encrypted = Gitlab::CryptoHelper.aes256_gcm_encrypt(build.token)
+          expect(build.read_attribute('token_encrypted')).to eq encrypted
+        end
+        it 'does not persist a token in a clear text' do
+          build.ensure_token!
+          expect(build.read_attribute('token')).to be_nil
+        end
+      end
+    end
+    describe '#reset_token!' do
+      it 'persists a new token' do
+        build.save!
+        build.token.yield_self do |previous_token|
+          build.reset_token!
+          expect(build.token).not_to eq previous_token
+          expect(build.token).to be_a String
+        end
+      end
+    end
+  end
+  describe 'setting a new token' do
+    subject { build.set_token('0123456789') }
+    it 'returns the token' do
+      expect(subject).to eq '0123456789'
+    end
+    it 'writes a new encrypted token' do
+      expect(build.read_attribute('token_encrypted')).to be_nil
+      expect(subject).to eq '0123456789'
+      expect(build.read_attribute('token_encrypted')).to be_present
+    end
+    it 'does not write a new cleartext token' do
+      expect(build.read_attribute('token')).to be_nil
+      expect(subject).to eq '0123456789'
+      expect(build.read_attribute('token')).to be_nil
+    end
+  end
+end
--- a/spec/services/ci/retry_build_service_spec.rb
+++ b/spec/services/ci/retry_build_service_spec.rb
@@ -20,9 +20,9 @@ describe Ci::RetryBuildService do
  CLONE_ACCESSORS = described_class::CLONE_ACCESSORS
  REJECT_ACCESSORS =
-    %i[id status user token coverage trace runner artifacts_expire_at
+    %i[id status user token token_encrypted coverage trace runner
-       artifacts_file artifacts_metadata artifacts_size created_at
+       artifacts_expire_at artifacts_file artifacts_metadata artifacts_size
-       updated_at started_at finished_at queued_at erased_by
+       created_at updated_at started_at finished_at queued_at erased_by
       erased_at auto_canceled_by job_artifacts job_artifacts_archive
       job_artifacts_metadata job_artifacts_trace job_artifacts_junit
       job_artifacts_sast job_artifacts_dependency_scanning