Change the secret key name

From `enc_settings_key_base` to `encrypted_settings_key_base`

Change the secret key name
From `enc_settings_key_base` to `encrypted_settings_key_base`
d33611a6 · DJ Mountney · 1e8d0c0f · d33611a6 · d33611a6 · d33611a6
Commit d33611a6 authored Nov 23, 2020 by DJ Mountney
5 changed files
--- a/config/initializers/01_secret_token.rb
+++ b/config/initializers/01_secret_token.rb
@@ -34,8 +34,8 @@ def create_tokens
    openid_connect_signing_key: generate_new_rsa_private_key
  }

-  # enc_settings_key_base is optional for now
-  defaults[:enc_settings_key_base] = generate_new_secure_token if ENV['GITLAB_GENERATE_ENC_SETTINGS_KEY_BASE']
+  # encrypted_settings_key_base is optional for now
+  defaults[:encrypted_settings_key_base] = generate_new_secure_token if ENV['GITLAB_GENERATE_ENCRYPTED_SETTINGS_KEY_BASE']

  missing_secrets = set_missing_keys(defaults)
  write_secrets_yml(missing_secrets) unless missing_secrets.empty?

--- a/config/settings.rb
+++ b/config/settings.rb
@@ -155,8 +155,8 @@ class Settings < Settingslogic
    def encrypted(path)
      Gitlab::EncryptedConfiguration.new(
        content_path: Settings.absolute(path),
-        base_key: Gitlab::Application.secrets.enc_settings_key_base,
-        previous_keys: Gitlab::Application.secrets.rotated_enc_settings_key_base || []
+        base_key: Gitlab::Application.secrets.encrypted_settings_key_base,
+        previous_keys: Gitlab::Application.secrets.rotated_encrypted_settings_key_base || []
      )
    end


--- a/doc/development/application_secrets.md
+++ b/doc/development/application_secrets.md
@@ -16,7 +16,7 @@ This page is a development guide for application secrets.
 | `otp_key_base`                   | The base key for One Time Passwords, described in [User management](../raketasks/user_management.md#rotate-two-factor-authentication-encryption-key)              |
 |`db_key_base`                     | The base key to encrypt the data for `attr_encrypted` columns     |
 |`openid_connect_signing_key`      | The singing key for OpenID Connect                                |
-| `enc_settings_key_base`          | The base key to encrypt settings files with                       |
+| `encrypted_settings_key_base`    | The base key to encrypt settings files with                       |

 ## Where the secrets are stored


--- a/spec/config/settings_spec.rb
+++ b/spec/config/settings_spec.rb
@@ -137,11 +137,11 @@ RSpec.describe Settings do

  describe '.encrypted' do
    before do
-      allow(Gitlab::Application.secrets).to receive(:enc_settings_key_base).and_return(SecureRandom.hex(64))
+      allow(Gitlab::Application.secrets).to receive(:encryped_settings_key_base).and_return(SecureRandom.hex(64))
    end

-    it 'defaults to using the enc_settings_key_base for the key' do
-      expect(Gitlab::EncryptedConfiguration).to receive(:new).with(hash_including(base_key: Gitlab::Application.secrets.enc_settings_key_base))
+    it 'defaults to using the encrypted_settings_key_base for the key' do
+      expect(Gitlab::EncryptedConfiguration).to receive(:new).with(hash_including(base_key: Gitlab::Application.secrets.encrypted_settings_key_base))
      Settings.encrypted('tmp/tests/test.enc')
    end

@@ -150,7 +150,7 @@ RSpec.describe Settings do
    end

    it 'returns empty encrypted config when a key has not been set' do
-      allow(Gitlab::Application.secrets).to receive(:enc_settings_key_base).and_return(nil)
+      allow(Gitlab::Application.secrets).to receive(:encrypted_settings_key_base).and_return(nil)
      expect(Settings.encrypted('tmp/tests/test.enc').read).to be_empty
    end
  end

--- a/spec/initializers/secret_token_spec.rb
+++ b/spec/initializers/secret_token_spec.rb
@@ -24,7 +24,7 @@ RSpec.describe 'create_tokens' do

  describe 'ensure acknowledged secrets in any installations' do
    let(:acknowledged_secrets) do
-      %w[secret_key_base otp_key_base db_key_base openid_connect_signing_key enc_settings_key_base rotated_enc_settings_key_base]
+      %w[secret_key_base otp_key_base db_key_base openid_connect_signing_key encrypted_settings_key_base rotated_encrypted_settings_key_base]
    end

    it 'does not allow to add a new secret without a proper handling' do
@@ -90,7 +90,7 @@ RSpec.describe 'create_tokens' do
          expect(new_secrets['otp_key_base']).to eq(secrets.otp_key_base)
          expect(new_secrets['db_key_base']).to eq(secrets.db_key_base)
          expect(new_secrets['openid_connect_signing_key']).to eq(secrets.openid_connect_signing_key)
-          expect(new_secrets['enc_settings_key_base']).to eq(secrets.enc_settings_key_base)
+          expect(new_secrets['encrypted_settings_key_base']).to eq(secrets.encrypted_settings_key_base)
        end

        create_tokens
@@ -107,7 +107,7 @@ RSpec.describe 'create_tokens' do
      before do
        secrets.db_key_base = 'db_key_base'
        secrets.openid_connect_signing_key = 'openid_connect_signing_key'
-        secrets.enc_settings_key_base = 'enc_settings_key_base'
+        secrets.encrypted_settings_key_base = 'encrypted_settings_key_base'

        allow(File).to receive(:exist?).with('.secret').and_return(true)
        stub_file_read('.secret', content: 'file_key')
@@ -160,7 +160,7 @@ RSpec.describe 'create_tokens' do
          expect(secrets.otp_key_base).to eq('otp_key_base')
          expect(secrets.db_key_base).to eq('db_key_base')
          expect(secrets.openid_connect_signing_key).to eq('openid_connect_signing_key')
-          expect(secrets.enc_settings_key_base).to eq('enc_settings_key_base')
+          expect(secrets.encrypted_settings_key_base).to eq('encrypted_settings_key_base')
        end

        it 'deletes the .secret file' do
@@ -212,16 +212,16 @@ RSpec.describe 'create_tokens' do
        end
      end

-      context 'when rotated_enc_settings_key_base does not exist' do
+      context 'when rotated_encrypted_settings_key_base does not exist' do
        before do
          secrets.secret_key_base = 'secret_key_base'
          secrets.otp_key_base = 'otp_key_base'
          secrets.openid_connect_signing_key = 'openid_connect_signing_key'
-          secrets.enc_settings_key_base = 'enc_settings_key_base'
+          secrets.encrypted_settings_key_base = 'encrypted_settings_key_base'
        end

        it 'does not warn about the missing secrets' do
-          expect(self).not_to receive(:warn_missing_secret).with('rotated_enc_settings_key_base')
+          expect(self).not_to receive(:warn_missing_secret).with('rotated_encrypted_settings_key_base')

          create_tokens
        end
@@ -238,7 +238,7 @@ RSpec.describe 'create_tokens' do
      before do
        secrets.otp_key_base = 'otp_key_base'
        secrets.secret_key_base = 'secret_key_base'
-        secrets.enc_settings_key_base = 'enc_settings_key_base'
+        secrets.encrypted_settings_key_base = 'encrypted_settings_key_base'
        yaml_secrets = secrets.to_h.stringify_keys.merge('db_key_base' => '<%= an_erb_expression %>')

        allow(File).to receive(:exist?).with('.secret').and_return(false)