Commit 863aa3cb authored by Sean McGivern's avatar Sean McGivern

Merge branch '322594-create-a-new-way-of-encrypting-tokens-phase2-writer-v2' into 'master'

Create new way of encrypting tokens - phase 2- writer [RUN ALL RSPEC] [RUN AS-IF-FOSS]

See merge request gitlab-org/gitlab!58902
parents b5c5b319 1914a1e3
...@@ -5,10 +5,6 @@ module TokenAuthenticatableStrategies ...@@ -5,10 +5,6 @@ module TokenAuthenticatableStrategies
DYNAMIC_NONCE_IDENTIFIER = "|" DYNAMIC_NONCE_IDENTIFIER = "|"
NONCE_SIZE = 12 NONCE_SIZE = 12
def self.encrypt_token(plaintext_token)
Gitlab::CryptoHelper.aes256_gcm_encrypt(plaintext_token)
end
def self.decrypt_token(token) def self.decrypt_token(token)
return unless token return unless token
...@@ -22,5 +18,13 @@ module TokenAuthenticatableStrategies ...@@ -22,5 +18,13 @@ module TokenAuthenticatableStrategies
Gitlab::CryptoHelper.aes256_gcm_decrypt(token) Gitlab::CryptoHelper.aes256_gcm_decrypt(token)
end end
end end
def self.encrypt_token(plaintext_token)
return Gitlab::CryptoHelper.aes256_gcm_encrypt(plaintext_token) unless Feature.enabled?(:dynamic_nonce, type: :ops)
iv = ::Digest::SHA256.hexdigest(plaintext_token).bytes.take(NONCE_SIZE).pack('c*')
token = Gitlab::CryptoHelper.aes256_gcm_encrypt(plaintext_token, nonce: iv)
"#{DYNAMIC_NONCE_IDENTIFIER}#{token}#{iv}"
end
end end
end end
---
name: dynamic_nonce
introduced_by_url:
rollout_issue_url:
milestone: '14.0'
type: ops
group: group::access
default_enabled: false
...@@ -3,16 +3,67 @@ ...@@ -3,16 +3,67 @@
require 'spec_helper' require 'spec_helper'
RSpec.describe TokenAuthenticatableStrategies::EncryptionHelper do RSpec.describe TokenAuthenticatableStrategies::EncryptionHelper do
let(:encrypted_token) { described_class.encrypt_token('my-value') } let(:encrypted_token) { described_class.encrypt_token('my-value-my-value-my-value') }
describe '.encrypt_token' do describe '.encrypt_token' do
context 'when dynamic_nonce feature flag is switched on' do
it 'adds nonce identifier on the beginning' do
expect(encrypted_token.first).to eq(described_class::DYNAMIC_NONCE_IDENTIFIER)
end
it 'adds nonce at the end' do
nonce = encrypted_token.last(described_class::NONCE_SIZE)
expect(nonce).to eq(::Digest::SHA256.hexdigest('my-value-my-value-my-value').bytes.take(described_class::NONCE_SIZE).pack('c*'))
end
it 'encrypts token' do it 'encrypts token' do
expect(encrypted_token).not_to eq('my-value') expect(encrypted_token[1...-described_class::NONCE_SIZE]).not_to eq('my-value-my-value-my-value')
end
end
context 'when dynamic_nonce feature flag is switched off' do
before do
stub_feature_flags(dynamic_nonce: false)
end
it 'does not add nonce identifier on the beginning' do
expect(encrypted_token.first).not_to eq(described_class::DYNAMIC_NONCE_IDENTIFIER)
end
it 'does not add nonce in the end' do
nonce = encrypted_token.last(described_class::NONCE_SIZE)
expect(nonce).not_to eq(::Digest::SHA256.hexdigest('my-value-my-value-my-value').bytes.take(described_class::NONCE_SIZE).pack('c*'))
end
it 'encrypts token with static iv' do
token = Gitlab::CryptoHelper.aes256_gcm_encrypt('my-value-my-value-my-value')
expect(encrypted_token).to eq(token)
end
end end
end end
describe '.decrypt_token' do describe '.decrypt_token' do
context 'with feature flag switched off' do
before do
stub_feature_flags(dynamic_nonce: false)
end
it 'decrypts token with static iv' do it 'decrypts token with static iv' do
encrypted_token = described_class.encrypt_token('my-value')
expect(described_class.decrypt_token(encrypted_token)).to eq('my-value')
end
it 'decrypts token if feature flag changed after encryption' do
encrypted_token = described_class.encrypt_token('my-value')
expect(encrypted_token).not_to eq('my-value')
stub_feature_flags(dynamic_nonce: true)
expect(described_class.decrypt_token(encrypted_token)).to eq('my-value') expect(described_class.decrypt_token(encrypted_token)).to eq('my-value')
end end
...@@ -24,4 +75,27 @@ RSpec.describe TokenAuthenticatableStrategies::EncryptionHelper do ...@@ -24,4 +75,27 @@ RSpec.describe TokenAuthenticatableStrategies::EncryptionHelper do
expect(described_class.decrypt_token(encrypted_token)).to eq('my-value') expect(described_class.decrypt_token(encrypted_token)).to eq('my-value')
end end
end end
context 'with feature flag switched on' do
before do
stub_feature_flags(dynamic_nonce: true)
end
it 'decrypts token with dynamic iv' do
encrypted_token = described_class.encrypt_token('my-value')
expect(described_class.decrypt_token(encrypted_token)).to eq('my-value')
end
it 'decrypts token if feature flag changed after encryption' do
encrypted_token = described_class.encrypt_token('my-value')
expect(encrypted_token).not_to eq('my-value')
stub_feature_flags(dynamic_nonce: false)
expect(described_class.decrypt_token(encrypted_token)).to eq('my-value')
end
end
end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment