Merge branch 'master' into 'master'

Use the exactly 32 byte long version of db_key_base with aes-256-gcm

See merge request gitlab-org/gitlab!53602

app/models/alert_management/http_integration.rb

@@ -10,7 +10,7 @@ module AlertManagement
 
     attr_encrypted :token,
       mode: :per_attribute_iv,
-      key: Settings.attr_encrypted_db_key_base_truncated,
+      key: Settings.attr_encrypted_db_key_base_32,
       algorithm: 'aes-256-gcm'
 
     default_value_for(:endpoint_identifier, allows_nil: false) { SecureRandom.hex(8) }

app/models/alerting/project_alerting_setting.rb

@@ -10,7 +10,7 @@ module Alerting
 
     attr_encrypted :token,
       mode: :per_attribute_iv,
-      key: Settings.attr_encrypted_db_key_base_truncated,
+      key: Settings.attr_encrypted_db_key_base_32,
       algorithm: 'aes-256-gcm'
 
     before_validation :ensure_token

app/models/application_setting.rb

@@ -497,29 +497,29 @@ class ApplicationSetting < ApplicationRecord
                  algorithm: 'aes-256-cbc',
                  insecure_mode: true
 
-  private_class_method def self.encryption_options_base_truncated_aes_256_gcm
+  private_class_method def self.encryption_options_base_32_aes_256_gcm
     {
       mode: :per_attribute_iv,
-      key: Settings.attr_encrypted_db_key_base_truncated,
+      key: Settings.attr_encrypted_db_key_base_32,
       algorithm: 'aes-256-gcm',
       encode: true
     }
   end
 
-  attr_encrypted :external_auth_client_key, encryption_options_base_truncated_aes_256_gcm
-  attr_encrypted :external_auth_client_key_pass, encryption_options_base_truncated_aes_256_gcm
-  attr_encrypted :lets_encrypt_private_key, encryption_options_base_truncated_aes_256_gcm
-  attr_encrypted :eks_secret_access_key, encryption_options_base_truncated_aes_256_gcm
-  attr_encrypted :akismet_api_key, encryption_options_base_truncated_aes_256_gcm
-  attr_encrypted :elasticsearch_aws_secret_access_key, encryption_options_base_truncated_aes_256_gcm
-  attr_encrypted :recaptcha_private_key, encryption_options_base_truncated_aes_256_gcm
-  attr_encrypted :recaptcha_site_key, encryption_options_base_truncated_aes_256_gcm
-  attr_encrypted :slack_app_secret, encryption_options_base_truncated_aes_256_gcm
-  attr_encrypted :slack_app_verification_token, encryption_options_base_truncated_aes_256_gcm
-  attr_encrypted :ci_jwt_signing_key, encryption_options_base_truncated_aes_256_gcm
-  attr_encrypted :secret_detection_token_revocation_token, encryption_options_base_truncated_aes_256_gcm
-  attr_encrypted :cloud_license_auth_token, encryption_options_base_truncated_aes_256_gcm
-  attr_encrypted :external_pipeline_validation_service_token, encryption_options_base_truncated_aes_256_gcm
+  attr_encrypted :external_auth_client_key, encryption_options_base_32_aes_256_gcm
+  attr_encrypted :external_auth_client_key_pass, encryption_options_base_32_aes_256_gcm
+  attr_encrypted :lets_encrypt_private_key, encryption_options_base_32_aes_256_gcm
+  attr_encrypted :eks_secret_access_key, encryption_options_base_32_aes_256_gcm
+  attr_encrypted :akismet_api_key, encryption_options_base_32_aes_256_gcm
+  attr_encrypted :elasticsearch_aws_secret_access_key, encryption_options_base_32_aes_256_gcm
+  attr_encrypted :recaptcha_private_key, encryption_options_base_32_aes_256_gcm
+  attr_encrypted :recaptcha_site_key, encryption_options_base_32_aes_256_gcm
+  attr_encrypted :slack_app_secret, encryption_options_base_32_aes_256_gcm
+  attr_encrypted :slack_app_verification_token, encryption_options_base_32_aes_256_gcm
+  attr_encrypted :ci_jwt_signing_key, encryption_options_base_32_aes_256_gcm
+  attr_encrypted :secret_detection_token_revocation_token, encryption_options_base_32_aes_256_gcm
+  attr_encrypted :cloud_license_auth_token, encryption_options_base_32_aes_256_gcm
+  attr_encrypted :external_pipeline_validation_service_token, encryption_options_base_32_aes_256_gcm
 
   validates :disable_feed_token,
             inclusion: { in: [true, false], message: _('must be a boolean value') }

app/models/atlassian/identity.rb

@@ -11,14 +11,14 @@ module Atlassian
 
     attr_encrypted :token,
                    mode: :per_attribute_iv,
-                   key: Settings.attr_encrypted_db_key_base_truncated,
+                   key: Settings.attr_encrypted_db_key_base_32,
                    algorithm: 'aes-256-gcm',
                    encode: false,
                    encode_iv: false
 
     attr_encrypted :refresh_token,
                    mode: :per_attribute_iv,
-                   key: Settings.attr_encrypted_db_key_base_truncated,
+                   key: Settings.attr_encrypted_db_key_base_32,
                    algorithm: 'aes-256-gcm',
                    encode: false,
                    encode_iv: false

app/models/bulk_imports/configuration.rb

@@ -12,11 +12,11 @@ class BulkImports::Configuration < ApplicationRecord
     allow_nil: true
 
   attr_encrypted :url,
-    key: Settings.attr_encrypted_db_key_base_truncated,
+    key: Settings.attr_encrypted_db_key_base_32,
     mode: :per_attribute_iv,
     algorithm: 'aes-256-gcm'
   attr_encrypted :access_token,
-    key: Settings.attr_encrypted_db_key_base_truncated,
+    key: Settings.attr_encrypted_db_key_base_32,
     mode: :per_attribute_iv,
     algorithm: 'aes-256-gcm'
 end

app/models/clusters/applications/prometheus.rb

@@ -22,7 +22,7 @@ module Clusters
 
       attr_encrypted :alert_manager_token,
         mode: :per_attribute_iv,
-        key: Settings.attr_encrypted_db_key_base_truncated,
+        key: Settings.attr_encrypted_db_key_base_32,
         algorithm: 'aes-256-gcm'
 
       after_destroy do

app/models/clusters/providers/aws.rb

@@ -18,7 +18,7 @@ module Clusters
 
       attr_encrypted :secret_access_key,
         mode: :per_attribute_iv,
-        key: Settings.attr_encrypted_db_key_base_truncated,
+        key: Settings.attr_encrypted_db_key_base_32,
         algorithm: 'aes-256-gcm'
 
       validates :role_arn,

app/models/concerns/packages/debian/distribution.rb

@@ -84,7 +84,7 @@ module Packages
 
         attr_encrypted :signing_keys,
                        mode: :per_attribute_iv,
-                       key: Settings.attr_encrypted_db_key_base_truncated,
+                       key: Settings.attr_encrypted_db_key_base_32,
                        algorithm: 'aes-256-gcm',
                        encode: false,
                        encode_iv: false

app/models/error_tracking/project_error_tracking_setting.rb

@@ -38,7 +38,7 @@ module ErrorTracking
 
     attr_encrypted :token,
       mode: :per_attribute_iv,
-      key: Settings.attr_encrypted_db_key_base_truncated,
+      key: Settings.attr_encrypted_db_key_base_32,
       algorithm: 'aes-256-gcm'
 
     after_save :clear_reactive_cache!

app/models/incident_management/project_incident_management_setting.rb

@@ -12,7 +12,7 @@ module IncidentManagement
 
     attr_encrypted :pagerduty_token,
       mode: :per_attribute_iv,
-      key: ::Settings.attr_encrypted_db_key_base_truncated,
+      key: ::Settings.attr_encrypted_db_key_base_32,
       algorithm: 'aes-256-gcm',
       encode: false, # No need to encode for binary column https://github.com/attr-encrypted/attr_encrypted#the-encode-encode_iv-encode_salt-and-default_encoding-options
       encode_iv: false

app/models/pages_domain_acme_order.rb

@@ -14,7 +14,7 @@ class PagesDomainAcmeOrder < ApplicationRecord
 
   attr_encrypted :private_key,
                  mode: :per_attribute_iv,
-                 key: Settings.attr_encrypted_db_key_base_truncated,
+                 key: Settings.attr_encrypted_db_key_base_32,
                  algorithm: 'aes-256-gcm',
                  encode: true
 

app/models/serverless/domain_cluster.rb

@@ -12,7 +12,7 @@ module Serverless
 
     attr_encrypted :key,
       mode: :per_attribute_iv,
-      key: Settings.attr_encrypted_db_key_base_truncated,
+      key: Settings.attr_encrypted_db_key_base_32,
       algorithm: 'aes-256-gcm'
 
     validates :pages_domain, :knative, presence: true

config/secrets.yml.example

 production:
   # db_key_base is used to encrypt for Variables. Ensure that you don't lose it.
   # If you change or lose this key you will be unable to access variables stored in database.
-  # Make sure the secret is at least 30 characters and all random,
+  # Make sure the secret is at least 32 characters and all random,
   # no regular words or you'll be exposed to dictionary attacks.
   # db_key_base:
 

config/settings.rb

@@ -126,16 +126,18 @@ class Settings < Settingslogic
       File.expand_path(path, Rails.root)
     end
 
-    # Ruby 2.4+ requires passing in the exact required length for OpenSSL keys
-    # (https://github.com/ruby/ruby/commit/ce635262f53b760284d56bb1027baebaaec175d1).
-    # Previous versions quietly truncated the input.
-    #
-    # Use this when using :per_attribute_iv mode for attr_encrypted.
-    # We have to truncate the string to 32 bytes for a 256-bit cipher.
+    # Don't use this in new code, use attr_encrypted_db_key_base_32 instead!
     def attr_encrypted_db_key_base_truncated
       Gitlab::Application.secrets.db_key_base[0..31]
     end
 
+    # Ruby 2.4+ requires passing in the exact required length for OpenSSL keys
+    # (https://github.com/ruby/ruby/commit/ce635262f53b760284d56bb1027baebaaec175d1).
+    # Previous versions quietly truncated the input.
+    #
+    # Makes sure the key is exactly 32 bytes long, either by
+    # truncating or right-padding it with ASCII 0s. Use this when
+    # using :per_attribute_iv mode for attr_encrypted.
     def attr_encrypted_db_key_base_32
       Gitlab::Utils.ensure_utf8_size(attr_encrypted_db_key_base, bytes: 32.bytes)
     end

db/migrate/20191120115530_encrypt_plaintext_attributes_on_application_settings.rb

@@ -17,21 +17,21 @@ class EncryptPlaintextAttributesOnApplicationSettings < ActiveRecord::Migration[
   class ApplicationSetting < ActiveRecord::Base
     self.table_name = 'application_settings'
 
-    def self.encryption_options_base_truncated_aes_256_gcm
+    def self.encryption_options_base_32_aes_256_gcm
       {
         mode: :per_attribute_iv,
-        key: Gitlab::Application.secrets.db_key_base[0..31],
+        key: Gitlab::Utils.ensure_utf8_size(Rails.application.secrets.db_key_base, bytes: 32.bytes),
         algorithm: 'aes-256-gcm',
         encode: true
       }
     end
 
-    attr_encrypted :akismet_api_key, encryption_options_base_truncated_aes_256_gcm
-    attr_encrypted :elasticsearch_aws_secret_access_key, encryption_options_base_truncated_aes_256_gcm
-    attr_encrypted :recaptcha_private_key, encryption_options_base_truncated_aes_256_gcm
-    attr_encrypted :recaptcha_site_key, encryption_options_base_truncated_aes_256_gcm
-    attr_encrypted :slack_app_secret, encryption_options_base_truncated_aes_256_gcm
-    attr_encrypted :slack_app_verification_token, encryption_options_base_truncated_aes_256_gcm
+    attr_encrypted :akismet_api_key, encryption_options_base_32_aes_256_gcm
+    attr_encrypted :elasticsearch_aws_secret_access_key, encryption_options_base_32_aes_256_gcm
+    attr_encrypted :recaptcha_private_key, encryption_options_base_32_aes_256_gcm
+    attr_encrypted :recaptcha_site_key, encryption_options_base_32_aes_256_gcm
+    attr_encrypted :slack_app_secret, encryption_options_base_32_aes_256_gcm
+    attr_encrypted :slack_app_verification_token, encryption_options_base_32_aes_256_gcm
 
     def akismet_api_key
       decrypt(:akismet_api_key, self[:encrypted_akismet_api_key]) || self[:akismet_api_key]

db/migrate/20201008013434_generate_ci_jwt_signing_key.rb

@@ -8,7 +8,7 @@ class GenerateCiJwtSigningKey < ActiveRecord::Migration[6.0]
 
     attr_encrypted :ci_jwt_signing_key, {
       mode: :per_attribute_iv,
-      key: Rails.application.secrets.db_key_base[0..31],
+      key: Gitlab::Utils.ensure_utf8_size(Rails.application.secrets.db_key_base, bytes: 32.bytes),
       algorithm: 'aes-256-gcm',
       encode: true
     }

ee/app/models/geo_node.rb

@@ -55,7 +55,7 @@ class GeoNode < ApplicationRecord
   scope :ordered, -> { order(:id) }
 
   attr_encrypted :secret_access_key,
-                 key: Settings.attr_encrypted_db_key_base_truncated,
+                 key: Settings.attr_encrypted_db_key_base_32,
                  algorithm: 'aes-256-gcm',
                  mode: :per_attribute_iv,
                  encode: true

spec/migrations/generate_ci_jwt_signing_key_spec.rb

@@ -11,7 +11,7 @@ RSpec.describe GenerateCiJwtSigningKey do
 
       attr_encrypted :ci_jwt_signing_key, {
         mode: :per_attribute_iv,
-        key: Rails.application.secrets.db_key_base[0..31],
+        key: Gitlab::Utils.ensure_utf8_size(Rails.application.secrets.db_key_base, bytes: 32.bytes),
         algorithm: 'aes-256-gcm',
         encode: true
       }