Use encrypted runner tokens

This makes code to support encrypted runner tokens. This code also finished previously started encryption process.

Use encrypted runner tokens
This makes code to support encrypted runner tokens. This code also finished previously started encryption process.
c5f1f7f3 · Kamil Trzciński · Grzegorz Bizon · f100c9ba · c5f1f7f3 · c5f1f7f3
Commit c5f1f7f3 authored Mar 06, 2019 by Kamil Trzciński Committed by Grzegorz Bizon Mar 06, 2019
14 changed files
--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@@ -7,7 +7,7 @@ class ApplicationSetting < ActiveRecord::Base
  include IgnorableColumn
  include ChronicDurationAttribute

-  add_authentication_token_field :runners_registration_token, encrypted: true, fallback: true
+  add_authentication_token_field :runners_registration_token, encrypted: -> { Feature.enabled?(:application_settings_tokens_optional_encryption) ? :optional : :required }
  add_authentication_token_field :health_check_access_token

  DOMAIN_LIST_SEPARATOR = %r{\s*[,;]\s*     # comma or semicolon, optionally surrounded by whitespace

--- a/app/models/ci/build.rb
+++ b/app/models/ci/build.rb
@@ -138,7 +138,7 @@ module Ci

    acts_as_taggable

-    add_authentication_token_field :token, encrypted: true, fallback: true
+    add_authentication_token_field :token, encrypted: :optional

    before_save :update_artifacts_size, if: :artifacts_file_changed?
    before_save :ensure_token

--- a/app/models/ci/runner.rb
+++ b/app/models/ci/runner.rb
@@ -10,7 +10,7 @@ module Ci
    include FromUnion
    include TokenAuthenticatable

-    add_authentication_token_field :token, encrypted: true, migrating: true
+    add_authentication_token_field :token, encrypted: -> { Feature.enabled?(:ci_runners_tokens_optional_encryption) ? :optional : :required }

    enum access_level: {
      not_protected: 0,

--- a/app/models/concerns/token_authenticatable_strategies/base.rb
+++ b/app/models/concerns/token_authenticatable_strategies/base.rb
@@ -39,22 +39,6 @@ module TokenAuthenticatableStrategies
      instance.save! if Gitlab::Database.read_write?
    end

-    def fallback?
-      unless options[:fallback].in?([true, false, nil])
-        raise ArgumentError, 'fallback: needs to be a boolean value!'
-      end
-
-      options[:fallback] == true
-    end
-
-    def migrating?
-      unless options[:migrating].in?([true, false, nil])
-        raise ArgumentError, 'migrating: needs to be a boolean value!'
-      end
-
-      options[:migrating] == true
-    end
-
    def self.fabricate(model, field, options)
      if options[:digest] && options[:encrypted]
        raise ArgumentError, 'Incompatible options set!'

--- a/app/models/concerns/token_authenticatable_strategies/encrypted.rb
+++ b/app/models/concerns/token_authenticatable_strategies/encrypted.rb
@@ -2,28 +2,18 @@

 module TokenAuthenticatableStrategies
  class Encrypted < Base
-    def initialize(*)
-      super
-
-      if migrating? && fallback?
-        raise ArgumentError, '`fallback` and `migrating` options are not compatible!'
-      end
-    end
-
    def find_token_authenticatable(token, unscoped = false)
      return if token.blank?

-      if fully_encrypted?
-        return find_by_encrypted_token(token, unscoped)
-      end
-
-      if fallback?
+      if required?
+        find_by_encrypted_token(token, unscoped)
+      elsif optional?
        find_by_encrypted_token(token, unscoped) ||
          find_by_plaintext_token(token, unscoped)
      elsif migrating?
        find_by_plaintext_token(token, unscoped)
      else
-        raise ArgumentError, 'Unknown encryption phase!'
+        raise ArgumentError, "Unknown encryption strategy: #{encrypted_strategy}!"
      end
    end

@@ -41,8 +31,8 @@ module TokenAuthenticatableStrategies

      return super if instance.has_attribute?(encrypted_field)

-      if fully_encrypted?
-        raise ArgumentError, 'Using encrypted strategy when encrypted field is missing!'
+      if required?
+        raise ArgumentError, 'Using required encryption strategy when encrypted field is missing!'
      else
        insecure_strategy.ensure_token(instance)
      end
@@ -53,8 +43,7 @@ module TokenAuthenticatableStrategies

      encrypted_token = instance.read_attribute(encrypted_field)
      token = Gitlab::CryptoHelper.aes256_gcm_decrypt(encrypted_token)
-
-      token || (insecure_strategy.get_token(instance) if fallback?)
+      token || (insecure_strategy.get_token(instance) if optional?)
    end

    def set_token(instance, token)
@@ -62,16 +51,35 @@ module TokenAuthenticatableStrategies

      instance[encrypted_field] = Gitlab::CryptoHelper.aes256_gcm_encrypt(token)
      instance[token_field] = token if migrating?
-      instance[token_field] = nil if fallback?
+      instance[token_field] = nil if optional?
      token
    end

-    def fully_encrypted?
-      !migrating? && !fallback?
+    def required?
+      encrypted_strategy == :required
+    end
+
+    def migrating?
+      encrypted_strategy == :migrating
+    end
+
+    def optional?
+      encrypted_strategy == :optional
    end

    protected

+    def encrypted_strategy
+      value = options[:encrypted]
+      value = value.call if value.is_a?(Proc)
+
+      unless value.in?([:required, :optional, :migrating])
+        raise ArgumentError, 'encrypted: needs to be a :required, :optional or :migrating!'
+      end
+
+      value
+    end
+
    def find_by_plaintext_token(token, unscoped)
      insecure_strategy.find_token_authenticatable(token, unscoped)
    end
@@ -89,7 +97,7 @@ module TokenAuthenticatableStrategies
    def token_set?(instance)
      raw_token = instance.read_attribute(encrypted_field)

-      unless fully_encrypted?
+      unless required?
        raw_token ||= insecure_strategy.get_token(instance)
      end


--- a/app/models/group.rb
+++ b/app/models/group.rb
@@ -56,7 +56,7 @@ class Group < Namespace

  validates :two_factor_grace_period, presence: true, numericality: { greater_than_or_equal_to: 0 }

-  add_authentication_token_field :runners_token, encrypted: true, migrating: true
+  add_authentication_token_field :runners_token, encrypted: -> { Feature.enabled?(:groups_tokens_optional_encryption) ? :optional : :required }

  after_create :post_create_hook
  after_destroy :post_destroy_hook

--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -85,7 +85,7 @@ class Project < ActiveRecord::Base
  default_value_for :snippets_enabled, gitlab_config_features.snippets
  default_value_for :only_allow_merge_if_all_discussions_are_resolved, false

-  add_authentication_token_field :runners_token, encrypted: true, migrating: true
+  add_authentication_token_field :runners_token, encrypted: -> { Feature.enabled?(:projects_tokens_optional_encryption) ? :optional : :required }

  before_validation :mark_remote_mirrors_for_removal, if: -> { RemoteMirror.table_exists? }


--- a/changelogs/unreleased/use-encrypted-runner-tokens.yml
+++ b/changelogs/unreleased/use-encrypted-runner-tokens.yml
+---
+title: Use encrypted runner tokens
+merge_request: 25532
+author:
+type: security
--- a/db/migrate/20190225160300_steal_encrypt_runners_tokens.rb
+++ b/db/migrate/20190225160300_steal_encrypt_runners_tokens.rb
+# frozen_string_literal: true
+
+class StealEncryptRunnersTokens < ActiveRecord::Migration[5.0]
+  include Gitlab::Database::MigrationHelpers
+
+  # This cleans after `EncryptRunnersTokens`
+
+  DOWNTIME = false
+
+  disable_ddl_transaction!
+
+  def up
+    Gitlab::BackgroundMigration.steal('EncryptRunnersTokens')
+  end
+
+  def down
+    # no-op
+  end
+end
--- a/db/migrate/20190225160301_add_runner_tokens_indexes.rb
+++ b/db/migrate/20190225160301_add_runner_tokens_indexes.rb
+# frozen_string_literal: true
+
+class AddRunnerTokensIndexes < ActiveRecord::Migration[5.0]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  disable_ddl_transaction!
+
+  # It seems that `ci_runners.token_encrypted` and `projects.runners_token_encrypted`
+  # are non-unique
+
+  def up
+    add_concurrent_index :ci_runners, :token_encrypted
+    add_concurrent_index :projects, :runners_token_encrypted
+    add_concurrent_index :namespaces, :runners_token_encrypted, unique: true
+  end
+
+  def down
+    remove_concurrent_index :ci_runners, :token_encrypted
+    remove_concurrent_index :projects, :runners_token_encrypted
+    remove_concurrent_index :namespaces, :runners_token_encrypted, unique: true
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -556,6 +556,7 @@ ActiveRecord::Schema.define(version: 20190301081611) do
    t.index ["locked"], name: "index_ci_runners_on_locked", using: :btree
    t.index ["runner_type"], name: "index_ci_runners_on_runner_type", using: :btree
    t.index ["token"], name: "index_ci_runners_on_token", using: :btree
+    t.index ["token_encrypted"], name: "index_ci_runners_on_token_encrypted", using: :btree
  end

  create_table "ci_stages", force: :cascade do |t|
@@ -1383,6 +1384,7 @@ ActiveRecord::Schema.define(version: 20190301081611) do
    t.index ["path"], name: "index_namespaces_on_path_trigram", using: :gin, opclasses: {"path"=>"gin_trgm_ops"}
    t.index ["require_two_factor_authentication"], name: "index_namespaces_on_require_two_factor_authentication", using: :btree
    t.index ["runners_token"], name: "index_namespaces_on_runners_token", unique: true, using: :btree
+    t.index ["runners_token_encrypted"], name: "index_namespaces_on_runners_token_encrypted", unique: true, using: :btree
    t.index ["type"], name: "index_namespaces_on_type", using: :btree
  end

@@ -1752,6 +1754,7 @@ ActiveRecord::Schema.define(version: 20190301081611) do
    t.index ["repository_storage", "created_at"], name: "idx_project_repository_check_partial", where: "(last_repository_check_at IS NULL)", using: :btree
    t.index ["repository_storage"], name: "index_projects_on_repository_storage", using: :btree
    t.index ["runners_token"], name: "index_projects_on_runners_token", using: :btree
+    t.index ["runners_token_encrypted"], name: "index_projects_on_runners_token_encrypted", using: :btree
    t.index ["star_count"], name: "index_projects_on_star_count", using: :btree
    t.index ["visibility_level"], name: "index_projects_on_visibility_level", using: :btree
  end

--- a/lib/gitlab/background_migration/encrypt_columns.rb
+++ b/lib/gitlab/background_migration/encrypt_columns.rb
@@ -91,7 +91,8 @@ module Gitlab

        # No need to do anything if the plaintext is nil, or an encrypted
        # value already exists
-        return nil unless plaintext.present? && !ciphertext.present?
+        return unless plaintext.present?
+        return if ciphertext.present?

        # attr_encrypted will calculate and set the expected value for us
        instance.public_send("#{plain_column}=", plaintext) # rubocop:disable GitlabSecurity/PublicSend

--- a/spec/models/concerns/token_authenticatable_strategies/base_spec.rb
+++ b/spec/models/concerns/token_authenticatable_strategies/base_spec.rb
@@ -15,7 +15,7 @@ describe TokenAuthenticatableStrategies::Base do

    context 'when encrypted strategy is specified' do
      it 'fabricates encrypted strategy object' do
-        strategy = described_class.fabricate(instance, field, encrypted: true)
+        strategy = described_class.fabricate(instance, field, encrypted: :required)

        expect(strategy).to be_a TokenAuthenticatableStrategies::Encrypted
      end
@@ -23,7 +23,7 @@ describe TokenAuthenticatableStrategies::Base do

    context 'when no strategy is specified' do
      it 'fabricates insecure strategy object' do
-        strategy = described_class.fabricate(instance, field, something: true)
+        strategy = described_class.fabricate(instance, field, something: :required)

        expect(strategy).to be_a TokenAuthenticatableStrategies::Insecure
      end
@@ -31,35 +31,9 @@ describe TokenAuthenticatableStrategies::Base do

    context 'when incompatible options are provided' do
      it 'raises an error' do
-        expect { described_class.fabricate(instance, field, digest: true, encrypted: true) }
+        expect { described_class.fabricate(instance, field, digest: true, encrypted: :required) }
          .to raise_error ArgumentError
      end
    end
  end
-
-  describe '#fallback?' do
-    context 'when fallback is set' do
-      it 'recognizes fallback setting' do
-        strategy = described_class.new(instance, field, fallback: true)
-
-        expect(strategy.fallback?).to be true
-      end
-    end
-
-    context 'when fallback is not a valid value' do
-      it 'raises an error' do
-        strategy = described_class.new(instance, field, fallback: 'something')
-
-        expect { strategy.fallback? }.to raise_error ArgumentError
-      end
-    end
-
-    context 'when fallback is not set' do
-      it 'raises an error' do
-        strategy = described_class.new(instance, field, {})
-
-        expect(strategy.fallback?).to eq false
-      end
-    end
-  end
 end
--- a/spec/models/concerns/token_authenticatable_strategies/encrypted_spec.rb
+++ b/spec/models/concerns/token_authenticatable_strategies/encrypted_spec.rb
@@ -12,19 +12,9 @@ describe TokenAuthenticatableStrategies::Encrypted do
    described_class.new(model, 'some_field', options)
  end

-  describe '.new' do
-    context 'when fallback and migration strategies are set' do
-      let(:options) { { fallback: true, migrating: true } }
-
-      it 'raises an error' do
-        expect { subject }.to raise_error ArgumentError, /not compatible/
-      end
-    end
-  end
-
  describe '#find_token_authenticatable' do
-    context 'when using fallback strategy' do
-      let(:options) { { fallback: true } }
+    context 'when using optional strategy' do
+      let(:options) { { encrypted: :optional } }

      it 'finds the encrypted resource by cleartext' do
        allow(model).to receive(:find_by)
@@ -50,7 +40,7 @@ describe TokenAuthenticatableStrategies::Encrypted do
    end

    context 'when using migration strategy' do
-      let(:options) { { migrating: true } }
+      let(:options) { { encrypted: :migrating } }

      it 'finds the cleartext resource by cleartext' do
        allow(model).to receive(:find_by)
@@ -73,8 +63,8 @@ describe TokenAuthenticatableStrategies::Encrypted do
  end

  describe '#get_token' do
-    context 'when using fallback strategy' do
-      let(:options) { { fallback: true } }
+    context 'when using optional strategy' do
+      let(:options) { { encrypted: :optional } }

      it 'returns decrypted token when an encrypted token is present' do
        allow(instance).to receive(:read_attribute)
@@ -98,7 +88,7 @@ describe TokenAuthenticatableStrategies::Encrypted do
    end

    context 'when using migration strategy' do
-      let(:options) { { migrating: true } }
+      let(:options) { { encrypted: :migrating } }

      it 'returns cleartext token when an encrypted token is present' do
        allow(instance).to receive(:read_attribute)
@@ -127,8 +117,8 @@ describe TokenAuthenticatableStrategies::Encrypted do
  end

  describe '#set_token' do
-    context 'when using fallback strategy' do
-      let(:options) { { fallback: true } }
+    context 'when using optional strategy' do
+      let(:options) { { encrypted: :optional } }

      it 'writes encrypted token and removes plaintext token and returns it' do
        expect(instance).to receive(:[]=)
@@ -141,7 +131,7 @@ describe TokenAuthenticatableStrategies::Encrypted do
    end

    context 'when using migration strategy' do
-      let(:options) { { migrating: true } }
+      let(:options) { { encrypted: :migrating } }

      it 'writes encrypted token and writes plaintext token' do
        expect(instance).to receive(:[]=)