Commit 983a1c52 authored by Imre Farkas's avatar Imre Farkas

Merge branch '322592-clean-up-a-token_with_ivs-table' into 'master'

Remove referencing TokenWithIv model in the codebase [RUN ALL RSPEC] [RUN AS-IF-FOSS]

See merge request gitlab-org/gitlab!55209
parents 564405e4 20818fa9
...@@ -85,18 +85,12 @@ module TokenAuthenticatableStrategies ...@@ -85,18 +85,12 @@ module TokenAuthenticatableStrategies
end end
def find_by_encrypted_token(token, unscoped) def find_by_encrypted_token(token, unscoped)
nonce = Feature.enabled?(:dynamic_nonce_creation) ? find_hashed_iv(token) : Gitlab::CryptoHelper::AES256_GCM_IV_STATIC nonce = Gitlab::CryptoHelper::AES256_GCM_IV_STATIC
encrypted_value = Gitlab::CryptoHelper.aes256_gcm_encrypt(token, nonce: nonce) encrypted_value = Gitlab::CryptoHelper.aes256_gcm_encrypt(token, nonce: nonce)
relation(unscoped).find_by(encrypted_field => encrypted_value) relation(unscoped).find_by(encrypted_field => encrypted_value)
end end
def find_hashed_iv(token)
token_record = TokenWithIv.find_by_plaintext_token(token)
token_record&.iv || Gitlab::CryptoHelper::AES256_GCM_IV_STATIC
end
def insecure_strategy def insecure_strategy
@insecure_strategy ||= TokenAuthenticatableStrategies::Insecure @insecure_strategy ||= TokenAuthenticatableStrategies::Insecure
.new(klass, token_field, options) .new(klass, token_field, options)
......
---
title: Remove referencing TokenWithIv model in the codebase and dynamic nonce creation
feature flag
merge_request: 55209
author:
type: changed
---
name: dynamic_nonce_creation
introduced_by_url:
rollout_issue_url:
milestone: '13.9'
type: development
group: group::manage
default_enabled: false
...@@ -23,16 +23,12 @@ module Gitlab ...@@ -23,16 +23,12 @@ module Gitlab
def aes256_gcm_decrypt(value) def aes256_gcm_decrypt(value)
return unless value return unless value
nonce = Feature.enabled?(:dynamic_nonce_creation) ? dynamic_nonce(value) : AES256_GCM_IV_STATIC nonce = AES256_GCM_IV_STATIC
encrypted_token = Base64.decode64(value) encrypted_token = Base64.decode64(value)
decrypted_token = Encryptor.decrypt(AES256_GCM_OPTIONS.merge(value: encrypted_token, iv: nonce)) decrypted_token = Encryptor.decrypt(AES256_GCM_OPTIONS.merge(value: encrypted_token, iv: nonce))
decrypted_token decrypted_token
end end
def dynamic_nonce(value)
TokenWithIv.find_nonce_by_hashed_token(value) || AES256_GCM_IV_STATIC
end
def aes256_gcm_encrypt_using_static_nonce(value) def aes256_gcm_encrypt_using_static_nonce(value)
create_encrypted_token(value, AES256_GCM_IV_STATIC) create_encrypted_token(value, AES256_GCM_IV_STATIC)
end end
......
...@@ -32,10 +32,6 @@ RSpec.describe Gitlab::CryptoHelper do ...@@ -32,10 +32,6 @@ RSpec.describe Gitlab::CryptoHelper do
end end
describe '.aes256_gcm_decrypt' do describe '.aes256_gcm_decrypt' do
before do
stub_feature_flags(dynamic_nonce_creation: false)
end
context 'when token was encrypted using static nonce' do context 'when token was encrypted using static nonce' do
let(:encrypted) { described_class.aes256_gcm_encrypt('some-value', nonce: described_class::AES256_GCM_IV_STATIC) } let(:encrypted) { described_class.aes256_gcm_encrypt('some-value', nonce: described_class::AES256_GCM_IV_STATIC) }
...@@ -54,50 +50,6 @@ RSpec.describe Gitlab::CryptoHelper do ...@@ -54,50 +50,6 @@ RSpec.describe Gitlab::CryptoHelper do
it 'does not save hashed token with iv value in database' do it 'does not save hashed token with iv value in database' do
expect { described_class.aes256_gcm_decrypt(encrypted) }.not_to change { TokenWithIv.count } expect { described_class.aes256_gcm_decrypt(encrypted) }.not_to change { TokenWithIv.count }
end end
context 'with feature flag switched on' do
before do
stub_feature_flags(dynamic_nonce_creation: true)
end
it 'correctly decrypts encrypted string' do
decrypted = described_class.aes256_gcm_decrypt(encrypted)
expect(decrypted).to eq 'some-value'
end
end
end end
context 'when token was encrypted using random nonce' do
let(:value) { 'random-value' }
# for compatibility with tokens encrypted using dynamic nonce
let!(:encrypted) do
iv = create_nonce
encrypted_token = described_class.create_encrypted_token(value, iv)
TokenWithIv.create!(hashed_token: Digest::SHA256.digest(encrypted_token), hashed_plaintext_token: Digest::SHA256.digest(encrypted_token), iv: iv)
encrypted_token
end
before do
stub_feature_flags(dynamic_nonce_creation: true)
end
it 'correctly decrypts encrypted string' do
decrypted = described_class.aes256_gcm_decrypt(encrypted)
expect(decrypted).to eq value
end
it 'does not save hashed token with iv value in database' do
expect { described_class.aes256_gcm_decrypt(encrypted) }.not_to change { TokenWithIv.count }
end
end
end
def create_nonce
cipher = OpenSSL::Cipher.new('aes-256-gcm')
cipher.encrypt # Required before '#random_iv' can be called
cipher.random_iv # Ensures that the IV is the correct length respective to the algorithm used.
end end
end end
...@@ -68,10 +68,6 @@ RSpec.describe TokenAuthenticatableStrategies::Encrypted do ...@@ -68,10 +68,6 @@ RSpec.describe TokenAuthenticatableStrategies::Encrypted do
context 'when using optional strategy' do context 'when using optional strategy' do
let(:options) { { encrypted: :optional } } let(:options) { { encrypted: :optional } }
before do
stub_feature_flags(dynamic_nonce_creation: false)
end
it 'returns decrypted token when an encrypted token is present' do it 'returns decrypted token when an encrypted token is present' do
allow(instance).to receive(:read_attribute) allow(instance).to receive(:read_attribute)
.with('some_field_encrypted') .with('some_field_encrypted')
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment