Merge branch 'master' into 'master'

Use the exactly 32 byte long version of db_key_base with aes-256-gcm See merge request gitlab-org/gitlab!53602

Merge branch 'master' into 'master'
Use the exactly 32 byte long version of db_key_base with aes-256-gcm See merge request gitlab-org/gitlab!53602
eb756336 · Nick Thomas · 69594f08 · a5c78650 · eb756336 · eb756336
Commit eb756336 authored Apr 22, 2021 by Nick Thomas
18 changed files
--- a/app/models/alert_management/http_integration.rb
+++ b/app/models/alert_management/http_integration.rb
@@ -10,7 +10,7 @@ module AlertManagement
    attr_encrypted :token,
      mode: :per_attribute_iv,
-      key: Settings.attr_encrypted_db_key_base_truncated,
+      key: Settings.attr_encrypted_db_key_base_32,
      algorithm: 'aes-256-gcm'
    default_value_for(:endpoint_identifier, allows_nil: false) { SecureRandom.hex(8) }

--- a/app/models/alerting/project_alerting_setting.rb
+++ b/app/models/alerting/project_alerting_setting.rb
@@ -10,7 +10,7 @@ module Alerting
    attr_encrypted :token,
      mode: :per_attribute_iv,
-      key: Settings.attr_encrypted_db_key_base_truncated,
+      key: Settings.attr_encrypted_db_key_base_32,
      algorithm: 'aes-256-gcm'
    before_validation :ensure_token

--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@@ -497,29 +497,29 @@ class ApplicationSetting < ApplicationRecord
                 algorithm: 'aes-256-cbc',
                 insecure_mode: true
-  private_class_method def self.encryption_options_base_truncated_aes_256_gcm
+  private_class_method def self.encryption_options_base_32_aes_256_gcm
    {
      mode: :per_attribute_iv,
-      key: Settings.attr_encrypted_db_key_base_truncated,
+      key: Settings.attr_encrypted_db_key_base_32,
      algorithm: 'aes-256-gcm',
      encode: true
    }
  end
-  attr_encrypted :external_auth_client_key, encryption_options_base_truncated_aes_256_gcm
+  attr_encrypted :external_auth_client_key, encryption_options_base_32_aes_256_gcm
-  attr_encrypted :external_auth_client_key_pass, encryption_options_base_truncated_aes_256_gcm
+  attr_encrypted :external_auth_client_key_pass, encryption_options_base_32_aes_256_gcm
-  attr_encrypted :lets_encrypt_private_key, encryption_options_base_truncated_aes_256_gcm
+  attr_encrypted :lets_encrypt_private_key, encryption_options_base_32_aes_256_gcm
-  attr_encrypted :eks_secret_access_key, encryption_options_base_truncated_aes_256_gcm
+  attr_encrypted :eks_secret_access_key, encryption_options_base_32_aes_256_gcm
-  attr_encrypted :akismet_api_key, encryption_options_base_truncated_aes_256_gcm
+  attr_encrypted :akismet_api_key, encryption_options_base_32_aes_256_gcm
-  attr_encrypted :elasticsearch_aws_secret_access_key, encryption_options_base_truncated_aes_256_gcm
+  attr_encrypted :elasticsearch_aws_secret_access_key, encryption_options_base_32_aes_256_gcm
-  attr_encrypted :recaptcha_private_key, encryption_options_base_truncated_aes_256_gcm
+  attr_encrypted :recaptcha_private_key, encryption_options_base_32_aes_256_gcm
-  attr_encrypted :recaptcha_site_key, encryption_options_base_truncated_aes_256_gcm
+  attr_encrypted :recaptcha_site_key, encryption_options_base_32_aes_256_gcm
-  attr_encrypted :slack_app_secret, encryption_options_base_truncated_aes_256_gcm
+  attr_encrypted :slack_app_secret, encryption_options_base_32_aes_256_gcm
-  attr_encrypted :slack_app_verification_token, encryption_options_base_truncated_aes_256_gcm
+  attr_encrypted :slack_app_verification_token, encryption_options_base_32_aes_256_gcm
-  attr_encrypted :ci_jwt_signing_key, encryption_options_base_truncated_aes_256_gcm
+  attr_encrypted :ci_jwt_signing_key, encryption_options_base_32_aes_256_gcm
-  attr_encrypted :secret_detection_token_revocation_token, encryption_options_base_truncated_aes_256_gcm
+  attr_encrypted :secret_detection_token_revocation_token, encryption_options_base_32_aes_256_gcm
-  attr_encrypted :cloud_license_auth_token, encryption_options_base_truncated_aes_256_gcm
+  attr_encrypted :cloud_license_auth_token, encryption_options_base_32_aes_256_gcm
-  attr_encrypted :external_pipeline_validation_service_token, encryption_options_base_truncated_aes_256_gcm
+  attr_encrypted :external_pipeline_validation_service_token, encryption_options_base_32_aes_256_gcm
  validates :disable_feed_token,
            inclusion: { in: [true, false], message: _('must be a boolean value') }

--- a/app/models/atlassian/identity.rb
+++ b/app/models/atlassian/identity.rb
@@ -11,14 +11,14 @@ module Atlassian
    attr_encrypted :token,
                   mode: :per_attribute_iv,
-                   key: Settings.attr_encrypted_db_key_base_truncated,
+                   key: Settings.attr_encrypted_db_key_base_32,
                   algorithm: 'aes-256-gcm',
                   encode: false,
                   encode_iv: false
    attr_encrypted :refresh_token,
                   mode: :per_attribute_iv,
-                   key: Settings.attr_encrypted_db_key_base_truncated,
+                   key: Settings.attr_encrypted_db_key_base_32,
                   algorithm: 'aes-256-gcm',
                   encode: false,
                   encode_iv: false

--- a/app/models/bulk_imports/configuration.rb
+++ b/app/models/bulk_imports/configuration.rb
@@ -12,11 +12,11 @@ class BulkImports::Configuration < ApplicationRecord
    allow_nil: true
  attr_encrypted :url,
-    key: Settings.attr_encrypted_db_key_base_truncated,
+    key: Settings.attr_encrypted_db_key_base_32,
    mode: :per_attribute_iv,
    algorithm: 'aes-256-gcm'
  attr_encrypted :access_token,
-    key: Settings.attr_encrypted_db_key_base_truncated,
+    key: Settings.attr_encrypted_db_key_base_32,
    mode: :per_attribute_iv,
    algorithm: 'aes-256-gcm'
 end
--- a/app/models/clusters/applications/prometheus.rb
+++ b/app/models/clusters/applications/prometheus.rb
@@ -22,7 +22,7 @@ module Clusters
      attr_encrypted :alert_manager_token,
        mode: :per_attribute_iv,
-        key: Settings.attr_encrypted_db_key_base_truncated,
+        key: Settings.attr_encrypted_db_key_base_32,
        algorithm: 'aes-256-gcm'
      after_destroy do

--- a/app/models/clusters/providers/aws.rb
+++ b/app/models/clusters/providers/aws.rb
@@ -18,7 +18,7 @@ module Clusters
      attr_encrypted :secret_access_key,
        mode: :per_attribute_iv,
-        key: Settings.attr_encrypted_db_key_base_truncated,
+        key: Settings.attr_encrypted_db_key_base_32,
        algorithm: 'aes-256-gcm'
      validates :role_arn,

--- a/app/models/concerns/packages/debian/distribution.rb
+++ b/app/models/concerns/packages/debian/distribution.rb
@@ -84,7 +84,7 @@ module Packages
        attr_encrypted :signing_keys,
                       mode: :per_attribute_iv,
-                       key: Settings.attr_encrypted_db_key_base_truncated,
+                       key: Settings.attr_encrypted_db_key_base_32,
                       algorithm: 'aes-256-gcm',
                       encode: false,
                       encode_iv: false

--- a/app/models/error_tracking/project_error_tracking_setting.rb
+++ b/app/models/error_tracking/project_error_tracking_setting.rb
@@ -38,7 +38,7 @@ module ErrorTracking
    attr_encrypted :token,
      mode: :per_attribute_iv,
-      key: Settings.attr_encrypted_db_key_base_truncated,
+      key: Settings.attr_encrypted_db_key_base_32,
      algorithm: 'aes-256-gcm'
    after_save :clear_reactive_cache!

--- a/app/models/incident_management/project_incident_management_setting.rb
+++ b/app/models/incident_management/project_incident_management_setting.rb
@@ -12,7 +12,7 @@ module IncidentManagement
    attr_encrypted :pagerduty_token,
      mode: :per_attribute_iv,
-      key: ::Settings.attr_encrypted_db_key_base_truncated,
+      key: ::Settings.attr_encrypted_db_key_base_32,
      algorithm: 'aes-256-gcm',
      encode: false, # No need to encode for binary column https://github.com/attr-encrypted/attr_encrypted#the-encode-encode_iv-encode_salt-and-default_encoding-options
      encode_iv: false

--- a/app/models/pages_domain_acme_order.rb
+++ b/app/models/pages_domain_acme_order.rb
@@ -14,7 +14,7 @@ class PagesDomainAcmeOrder < ApplicationRecord
  attr_encrypted :private_key,
                 mode: :per_attribute_iv,
-                 key: Settings.attr_encrypted_db_key_base_truncated,
+                 key: Settings.attr_encrypted_db_key_base_32,
                 algorithm: 'aes-256-gcm',
                 encode: true

--- a/app/models/serverless/domain_cluster.rb
+++ b/app/models/serverless/domain_cluster.rb
@@ -12,7 +12,7 @@ module Serverless
    attr_encrypted :key,
      mode: :per_attribute_iv,
-      key: Settings.attr_encrypted_db_key_base_truncated,
+      key: Settings.attr_encrypted_db_key_base_32,
      algorithm: 'aes-256-gcm'
    validates :pages_domain, :knative, presence: true

--- a/config/secrets.yml.example
+++ b/config/secrets.yml.example
 production:
  # db_key_base is used to encrypt for Variables. Ensure that you don't lose it.
  # If you change or lose this key you will be unable to access variables stored in database.
-  # Make sure the secret is at least 30 characters and all random,
+  # Make sure the secret is at least 32 characters and all random,
  # no regular words or you'll be exposed to dictionary attacks.
  # db_key_base:

--- a/config/settings.rb
+++ b/config/settings.rb
@@ -126,16 +126,18 @@ class Settings < Settingslogic
      File.expand_path(path, Rails.root)
    end
-    # Ruby 2.4+ requires passing in the exact required length for OpenSSL keys
+    # Don't use this in new code, use attr_encrypted_db_key_base_32 instead!
-    # (https://github.com/ruby/ruby/commit/ce635262f53b760284d56bb1027baebaaec175d1).
-    # Previous versions quietly truncated the input.
-    #
-    # Use this when using :per_attribute_iv mode for attr_encrypted.
-    # We have to truncate the string to 32 bytes for a 256-bit cipher.
    def attr_encrypted_db_key_base_truncated
      Gitlab::Application.secrets.db_key_base[0..31]
    end
+    # Ruby 2.4+ requires passing in the exact required length for OpenSSL keys
+    # (https://github.com/ruby/ruby/commit/ce635262f53b760284d56bb1027baebaaec175d1).
+    # Previous versions quietly truncated the input.
+    #
+    # Makes sure the key is exactly 32 bytes long, either by
+    # truncating or right-padding it with ASCII 0s. Use this when
+    # using :per_attribute_iv mode for attr_encrypted.
    def attr_encrypted_db_key_base_32
      Gitlab::Utils.ensure_utf8_size(attr_encrypted_db_key_base, bytes: 32.bytes)
    end

--- a/db/migrate/20191120115530_encrypt_plaintext_attributes_on_application_settings.rb
+++ b/db/migrate/20191120115530_encrypt_plaintext_attributes_on_application_settings.rb
@@ -17,21 +17,21 @@ class EncryptPlaintextAttributesOnApplicationSettings < ActiveRecord::Migration[
  class ApplicationSetting < ActiveRecord::Base
    self.table_name = 'application_settings'
-    def self.encryption_options_base_truncated_aes_256_gcm
+    def self.encryption_options_base_32_aes_256_gcm
      {
        mode: :per_attribute_iv,
-        key: Gitlab::Application.secrets.db_key_base[0..31],
+        key: Gitlab::Utils.ensure_utf8_size(Rails.application.secrets.db_key_base, bytes: 32.bytes),
        algorithm: 'aes-256-gcm',
        encode: true
      }
    end
-    attr_encrypted :akismet_api_key, encryption_options_base_truncated_aes_256_gcm
+    attr_encrypted :akismet_api_key, encryption_options_base_32_aes_256_gcm
-    attr_encrypted :elasticsearch_aws_secret_access_key, encryption_options_base_truncated_aes_256_gcm
+    attr_encrypted :elasticsearch_aws_secret_access_key, encryption_options_base_32_aes_256_gcm
-    attr_encrypted :recaptcha_private_key, encryption_options_base_truncated_aes_256_gcm
+    attr_encrypted :recaptcha_private_key, encryption_options_base_32_aes_256_gcm
-    attr_encrypted :recaptcha_site_key, encryption_options_base_truncated_aes_256_gcm
+    attr_encrypted :recaptcha_site_key, encryption_options_base_32_aes_256_gcm
-    attr_encrypted :slack_app_secret, encryption_options_base_truncated_aes_256_gcm
+    attr_encrypted :slack_app_secret, encryption_options_base_32_aes_256_gcm
-    attr_encrypted :slack_app_verification_token, encryption_options_base_truncated_aes_256_gcm
+    attr_encrypted :slack_app_verification_token, encryption_options_base_32_aes_256_gcm
    def akismet_api_key
      decrypt(:akismet_api_key, self[:encrypted_akismet_api_key]) || self[:akismet_api_key]

--- a/db/migrate/20201008013434_generate_ci_jwt_signing_key.rb
+++ b/db/migrate/20201008013434_generate_ci_jwt_signing_key.rb
@@ -8,7 +8,7 @@ class GenerateCiJwtSigningKey < ActiveRecord::Migration[6.0]
    attr_encrypted :ci_jwt_signing_key, {
      mode: :per_attribute_iv,
-      key: Rails.application.secrets.db_key_base[0..31],
+      key: Gitlab::Utils.ensure_utf8_size(Rails.application.secrets.db_key_base, bytes: 32.bytes),
      algorithm: 'aes-256-gcm',
      encode: true
    }

--- a/ee/app/models/geo_node.rb
+++ b/ee/app/models/geo_node.rb
@@ -55,7 +55,7 @@ class GeoNode < ApplicationRecord
  scope :ordered, -> { order(:id) }
  attr_encrypted :secret_access_key,
-                 key: Settings.attr_encrypted_db_key_base_truncated,
+                 key: Settings.attr_encrypted_db_key_base_32,
                 algorithm: 'aes-256-gcm',
                 mode: :per_attribute_iv,
                 encode: true

--- a/spec/migrations/generate_ci_jwt_signing_key_spec.rb
+++ b/spec/migrations/generate_ci_jwt_signing_key_spec.rb
@@ -11,7 +11,7 @@ RSpec.describe GenerateCiJwtSigningKey do
      attr_encrypted :ci_jwt_signing_key, {
        mode: :per_attribute_iv,
-        key: Rails.application.secrets.db_key_base[0..31],
+        key: Gitlab::Utils.ensure_utf8_size(Rails.application.secrets.db_key_base, bytes: 32.bytes),
        algorithm: 'aes-256-gcm',
        encode: true
      }