author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-04-20 23:50:22 +0000 |
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-04-20 23:50:22 +0000 |
commit | 9dc93a4519d9d5d7be48ff274127136236a3adb3 (patch) | |
tree | 70467ae3692a0e35e5ea56bcb803eb512a10bedb /app/models/concerns/token_authenticatable_strategies | |
parent | 4b0f34b6d759d6299322b3a54453e930c6121ff0 (diff) | |
download | gitlab-ce-9dc93a4519d9d5d7be48ff274127136236a3adb3.tar.gz |
Add latest changes from gitlab-org/gitlab@13-11-stable-eev13.11.0-rc43
Diffstat (limited to 'app/models/concerns/token_authenticatable_strategies')
-rw-r--r-- | app/models/concerns/token_authenticatable_strategies/encrypted.rb | 17 | ||||
-rw-r--r-- | app/models/concerns/token_authenticatable_strategies/encryption_helper.rb | 26 |
2 files changed, 31 insertions, 12 deletions
diff --git a/app/models/concerns/token_authenticatable_strategies/encrypted.rb b/app/models/concerns/token_authenticatable_strategies/encrypted.rb
index 672402ee4d6..50a2613bb10 100644
--- a/app/models/concerns/token_authenticatable_strategies/encrypted.rb
+++ b/app/models/concerns/token_authenticatable_strategies/encrypted.rb
@@ -42,14 +42,14 @@ module TokenAuthenticatableStrategies
 return insecure_strategy.get_token(instance) if migrating?
 encrypted_token = instance.read_attribute(encrypted_field)
- token = Gitlab::CryptoHelper.aes256_gcm_decrypt(encrypted_token)
+ token = EncryptionHelper.decrypt_token(encrypted_token)
 token || (insecure_strategy.get_token(instance) if optional?)
 end
 def set_token(instance, token)
 raise ArgumentError unless token.present?
- instance[encrypted_field] = Gitlab::CryptoHelper.aes256_gcm_encrypt(token)
+ instance[encrypted_field] = EncryptionHelper.encrypt_token(token)
 instance[token_field] = token if migrating?
 instance[token_field] = nil if optional?
 token
@@ -85,16 +85,9 @@ module TokenAuthenticatableStrategies
 end
 def find_by_encrypted_token(token, unscoped)
- nonce = Feature.enabled?(:dynamic_nonce_creation) ? find_hashed_iv(token) : Gitlab::CryptoHelper::AES256_GCM_IV_STATIC
- encrypted_value = Gitlab::CryptoHelper.aes256_gcm_encrypt(token, nonce: nonce)
-
- relation(unscoped).find_by(encrypted_field => encrypted_value)
- end
-
- def find_hashed_iv(token)
- token_record = TokenWithIv.find_by_plaintext_token(token)
-
- token_record&.iv || Gitlab::CryptoHelper::AES256_GCM_IV_STATIC
+ encrypted_value = EncryptionHelper.encrypt_token(token)
+ token_encrypted_with_static_iv = Gitlab::CryptoHelper.aes256_gcm_encrypt(token)
+ relation(unscoped).find_by(encrypted_field => [encrypted_value, token_encrypted_with_static_iv])
 end
 def insecure_strategy
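Review bot: In the second hunk, `encrypted_value` and `token_encrypted_with_static_iv` in find_by_encrypted_token are the same string, because EncryptionHelper.encrypt_token (added in this commit) is a direct pass-through to Gitlab::CryptoHelper.aes256_gcm_encrypt(token) with no nonce argument, so the two-element array queries one value twice. If the intent is to prepare for dynamic-nonce tokens, a ciphertext produced under a per-record nonce cannot be recomputed from the plaintext here, so rows in the `|…` layout that decrypt_token now reads would never be matched by this lookup; the removed find_hashed_iv path was the only way to recover such an IV, and the lookup presumably only works because the static-IV encryption is deterministic. Until encrypt_token actually emits a dynamic nonce, `relation(unscoped).find_by(encrypted_field => encrypted_value)` is equivalent and clearer, or keep both values and add a comment such as `# both values are identical today; the static-IV value stays so rows written before dynamic nonces remain findable`. The enclosing strategy class, and get_token in the first hunk, start outside the visible hunks.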
diff --git a/app/models/concerns/token_authenticatable_strategies/encryption_helper.rb b/app/models/concerns/token_authenticatable_strategies/encryption_helper.rb
new file mode 100644
index 00000000000..25c050820d6
--- /dev/null
+++ b/app/models/concerns/token_authenticatable_strategies/encryption_helper.rb
@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module TokenAuthenticatableStrategies
+ class EncryptionHelper
+ DYNAMIC_NONCE_IDENTIFIER = "|"
+ NONCE_SIZE = 12
+
+ def self.encrypt_token(plaintext_token)
+ Gitlab::CryptoHelper.aes256_gcm_encrypt(plaintext_token)
+ end
+
+ def self.decrypt_token(token)
+ return unless token
+
+ # The pattern of the token is "#{DYNAMIC_NONCE_IDENTIFIER}#{token}#{iv_of_12_characters}"
+ if token.start_with?(DYNAMIC_NONCE_IDENTIFIER) && token.size > NONCE_SIZE + DYNAMIC_NONCE_IDENTIFIER.size
+ token_to_decrypt = token[1...-NONCE_SIZE]
+ iv = token[-NONCE_SIZE..-1]
+
+ Gitlab::CryptoHelper.aes256_gcm_decrypt(token_to_decrypt, nonce: iv)
+ else
+ Gitlab::CryptoHelper.aes256_gcm_decrypt(token)
+ end
+ end
+ end
+end
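Review bot: EncryptionHelper reads two token layouts but writes only one, and nothing in the class says so: encrypt_token is a plain pass-through to Gitlab::CryptoHelper.aes256_gcm_encrypt with no nonce, so the `|`-prefixed dynamic-nonce form that decrypt_token slices apart (`token[1...-NONCE_SIZE]`, `token[-NONCE_SIZE..-1]`) can never be produced by this class. A class-level comment such as `# Reads both the static-IV ciphertext and the "|<ciphertext><12-char iv>" layout; encrypt_token currently writes only the static-IV form, which keeps the stored value deterministic for lookups by ciphertext` would make that asymmetry explicit. NONCE_SIZE is applied with String#size to the stored string, so it is presumably a count of characters (as the inline comment says) rather than bytes of the raw GCM nonce; a one-line comment on the constant stating which would save the next reader a check. The length guard only ensures token_to_decrypt is non-empty, so a malformed `|` token at or below that length falls through to the static-IV branch and inherits whatever aes256_gcm_decrypt does on bad input (raise or nil is not visible here); that fallthrough is worth noting in a comment on decrypt_token.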