Merge branch '322592-clean-up-a-token_with_ivs-table' into 'master'

Remove referencing TokenWithIv model in the codebase [RUN ALL RSPEC] [RUN AS-IF-FOSS] See merge request gitlab-org/gitlab!55209

Merge branch '322592-clean-up-a-token_with_ivs-table' into 'master'
Remove referencing TokenWithIv model in the codebase [RUN ALL RSPEC] [RUN AS-IF-FOSS] See merge request gitlab-org/gitlab!55209
983a1c52 · Imre Farkas · 564405e4 · 20818fa9 · 983a1c52 · 983a1c52
Commit 983a1c52 authored Mar 23, 2021 by Imre Farkas
6 changed files
--- a/app/models/concerns/token_authenticatable_strategies/encrypted.rb
+++ b/app/models/concerns/token_authenticatable_strategies/encrypted.rb
@@ -85,18 +85,12 @@ module TokenAuthenticatableStrategies
    end

    def find_by_encrypted_token(token, unscoped)
-      nonce = Feature.enabled?(:dynamic_nonce_creation) ? find_hashed_iv(token) : Gitlab::CryptoHelper::AES256_GCM_IV_STATIC
+      nonce = Gitlab::CryptoHelper::AES256_GCM_IV_STATIC
      encrypted_value = Gitlab::CryptoHelper.aes256_gcm_encrypt(token, nonce: nonce)

      relation(unscoped).find_by(encrypted_field => encrypted_value)
    end

-    def find_hashed_iv(token)
-      token_record = TokenWithIv.find_by_plaintext_token(token)
-
-      token_record&.iv || Gitlab::CryptoHelper::AES256_GCM_IV_STATIC
-    end
-
    def insecure_strategy
      @insecure_strategy ||= TokenAuthenticatableStrategies::Insecure
        .new(klass, token_field, options)

--- a/changelogs/unreleased/322592-clean-up-a-token_with_ivs-table.yml
+++ b/changelogs/unreleased/322592-clean-up-a-token_with_ivs-table.yml
+---
+title: Remove referencing TokenWithIv model in the codebase and dynamic nonce creation
+  feature flag
+merge_request: 55209
+author:
+type: changed
--- a/config/feature_flags/development/dynamic_nonce_creation.yml
+++ b/config/feature_flags/development/dynamic_nonce_creation.yml
---
-name: dynamic_nonce_creation
-introduced_by_url:
-rollout_issue_url:
-milestone: '13.9'
-type: development
-group: group::manage
-default_enabled: false
--- a/lib/gitlab/crypto_helper.rb
+++ b/lib/gitlab/crypto_helper.rb
@@ -23,16 +23,12 @@ module Gitlab
    def aes256_gcm_decrypt(value)
      return unless value

-      nonce = Feature.enabled?(:dynamic_nonce_creation) ? dynamic_nonce(value) : AES256_GCM_IV_STATIC
+      nonce = AES256_GCM_IV_STATIC
      encrypted_token = Base64.decode64(value)
      decrypted_token = Encryptor.decrypt(AES256_GCM_OPTIONS.merge(value: encrypted_token, iv: nonce))
      decrypted_token
    end

-    def dynamic_nonce(value)
-      TokenWithIv.find_nonce_by_hashed_token(value) || AES256_GCM_IV_STATIC
-    end
-
    def aes256_gcm_encrypt_using_static_nonce(value)
      create_encrypted_token(value, AES256_GCM_IV_STATIC)
    end

--- a/spec/lib/gitlab/crypto_helper_spec.rb
+++ b/spec/lib/gitlab/crypto_helper_spec.rb
@@ -32,10 +32,6 @@ RSpec.describe Gitlab::CryptoHelper do
  end

  describe '.aes256_gcm_decrypt' do
-    before do
-      stub_feature_flags(dynamic_nonce_creation: false)
-    end
-
    context 'when token was encrypted using static nonce' do
      let(:encrypted) { described_class.aes256_gcm_encrypt('some-value', nonce: described_class::AES256_GCM_IV_STATIC) }

@@ -54,50 +50,6 @@ RSpec.describe Gitlab::CryptoHelper do
      it 'does not save hashed token with iv value in database' do
        expect { described_class.aes256_gcm_decrypt(encrypted) }.not_to change { TokenWithIv.count }
      end
-
-      context 'with feature flag switched on' do
-        before do
-          stub_feature_flags(dynamic_nonce_creation: true)
-        end
-
-        it 'correctly decrypts encrypted string' do
-          decrypted = described_class.aes256_gcm_decrypt(encrypted)
-
-          expect(decrypted).to eq 'some-value'
-        end
-      end
    end
-
-    context 'when token was encrypted using random nonce' do
-      let(:value) { 'random-value' }
-
-      # for compatibility with tokens encrypted using dynamic nonce
-      let!(:encrypted) do
-        iv = create_nonce
-        encrypted_token = described_class.create_encrypted_token(value, iv)
-        TokenWithIv.create!(hashed_token: Digest::SHA256.digest(encrypted_token), hashed_plaintext_token: Digest::SHA256.digest(encrypted_token), iv: iv)
-        encrypted_token
-      end
-
-      before do
-        stub_feature_flags(dynamic_nonce_creation: true)
-      end
-
-      it 'correctly decrypts encrypted string' do
-        decrypted = described_class.aes256_gcm_decrypt(encrypted)
-
-        expect(decrypted).to eq value
-      end
-
-      it 'does not save hashed token with iv value in database' do
-        expect { described_class.aes256_gcm_decrypt(encrypted) }.not_to change { TokenWithIv.count }
-      end
-    end
-  end
-
-  def create_nonce
-    cipher = OpenSSL::Cipher.new('aes-256-gcm')
-    cipher.encrypt # Required before '#random_iv' can be called
-    cipher.random_iv # Ensures that the IV is the correct length respective to the algorithm used.
  end
 end
--- a/spec/models/concerns/token_authenticatable_strategies/encrypted_spec.rb
+++ b/spec/models/concerns/token_authenticatable_strategies/encrypted_spec.rb
@@ -68,10 +68,6 @@ RSpec.describe TokenAuthenticatableStrategies::Encrypted do
    context 'when using optional strategy' do
      let(:options) { { encrypted: :optional } }

-      before do
-        stub_feature_flags(dynamic_nonce_creation: false)
-      end
-
      it 'returns decrypted token when an encrypted token is present' do
        allow(instance).to receive(:read_attribute)
          .with('some_field_encrypted')