summaryrefslogtreecommitdiff
path: root/app
diff options
context:
space:
mode:
authorGitLab Bot <gitlab-bot@gitlab.com>2022-02-25 16:56:41 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-02-25 16:56:41 +0000
commit696bef428fae55095e3395bfe439c7ede67c5478 (patch)
tree263abbba97f1d05582a08dcd5de1f6461c0a5fab /app
parentcdc3d9991b0cca2d2243bdf452f61aae40d778cd (diff)
downloadgitlab-ce-696bef428fae55095e3395bfe439c7ede67c5478.tar.gz
Add latest changes from gitlab-org/security/gitlab@14-8-stable-ee
Diffstat (limited to 'app')
-rw-r--r--app/models/concerns/token_authenticatable_strategies/encrypted.rb46
-rw-r--r--app/models/group.rb20
-rw-r--r--app/models/project.rb18
3 files changed, 66 insertions, 18 deletions
diff --git a/app/models/concerns/token_authenticatable_strategies/encrypted.rb b/app/models/concerns/token_authenticatable_strategies/encrypted.rb
index 50a2613bb10..e957d09fbc6 100644
--- a/app/models/concerns/token_authenticatable_strategies/encrypted.rb
+++ b/app/models/concerns/token_authenticatable_strategies/encrypted.rb
@@ -5,16 +5,18 @@ module TokenAuthenticatableStrategies
def find_token_authenticatable(token, unscoped = false)
return if token.blank?
- if required?
- find_by_encrypted_token(token, unscoped)
- elsif optional?
- find_by_encrypted_token(token, unscoped) ||
- find_by_plaintext_token(token, unscoped)
- elsif migrating?
- find_by_plaintext_token(token, unscoped)
- else
- raise ArgumentError, _("Unknown encryption strategy: %{encrypted_strategy}!") % { encrypted_strategy: encrypted_strategy }
- end
+ instance = if required?
+ find_by_encrypted_token(token, unscoped)
+ elsif optional?
+ find_by_encrypted_token(token, unscoped) ||
+ find_by_plaintext_token(token, unscoped)
+ elsif migrating?
+ find_by_plaintext_token(token, unscoped)
+ else
+ raise ArgumentError, _("Unknown encryption strategy: %{encrypted_strategy}!") % { encrypted_strategy: encrypted_strategy }
+ end
+
+ instance if instance && matches_prefix?(instance, token)
end
def ensure_token(instance)
@@ -41,9 +43,7 @@ module TokenAuthenticatableStrategies
def get_token(instance)
return insecure_strategy.get_token(instance) if migrating?
- encrypted_token = instance.read_attribute(encrypted_field)
- token = EncryptionHelper.decrypt_token(encrypted_token)
- token || (insecure_strategy.get_token(instance) if optional?)
+ get_encrypted_token(instance)
end
def set_token(instance, token)
@@ -69,6 +69,12 @@ module TokenAuthenticatableStrategies
protected
+ def get_encrypted_token(instance)
+ encrypted_token = instance.read_attribute(encrypted_field)
+ token = EncryptionHelper.decrypt_token(encrypted_token)
+ token || (insecure_strategy.get_token(instance) if optional?)
+ end
+
def encrypted_strategy
value = options[:encrypted]
value = value.call if value.is_a?(Proc)
@@ -95,14 +101,22 @@ module TokenAuthenticatableStrategies
.new(klass, token_field, options)
end
+ def matches_prefix?(instance, token)
+ prefix = options[:prefix]
+ prefix = prefix.call(instance) if prefix.is_a?(Proc)
+ prefix = '' unless prefix.is_a?(String)
+
+ token.start_with?(prefix)
+ end
+
def token_set?(instance)
- raw_token = instance.read_attribute(encrypted_field)
+ token = get_encrypted_token(instance)
unless required?
- raw_token ||= insecure_strategy.get_token(instance)
+ token ||= insecure_strategy.get_token(instance)
end
- raw_token.present?
+ token.present? && matches_prefix?(instance, token)
end
def encrypted_field
diff --git a/app/models/group.rb b/app/models/group.rb
index 53da70f47e5..a395861fbb6 100644
--- a/app/models/group.rb
+++ b/app/models/group.rb
@@ -20,6 +20,13 @@ class Group < Namespace
include ChronicDurationAttribute
include RunnerTokenExpirationInterval
+ extend ::Gitlab::Utils::Override
+
+ # Prefix for runners_token which can be used to invalidate existing tokens.
+ # The value chosen here is GR (for Gitlab Runner) combined with the rotation
+ # date (20220225) decimal to hex encoded.
+ RUNNERS_TOKEN_PREFIX = 'GR1348941'
+
def self.sti_name
'Group'
end
@@ -115,7 +122,9 @@ class Group < Namespace
message: Gitlab::Regex.group_name_regex_message },
if: :name_changed?
- add_authentication_token_field :runners_token, encrypted: -> { Feature.enabled?(:groups_tokens_optional_encryption, default_enabled: true) ? :optional : :required }
+ add_authentication_token_field :runners_token,
+ encrypted: -> { Feature.enabled?(:groups_tokens_optional_encryption, default_enabled: true) ? :optional : :required },
+ prefix: ->(instance) { instance.runners_token_prefix }
after_create :post_create_hook
after_destroy :post_destroy_hook
@@ -669,6 +678,15 @@ class Group < Namespace
ensure_runners_token!
end
+ def runners_token_prefix
+ Feature.enabled?(:groups_runners_token_prefix, self, default_enabled: :yaml) ? RUNNERS_TOKEN_PREFIX : ''
+ end
+
+ override :format_runners_token
+ def format_runners_token(token)
+ "#{runners_token_prefix}#{token}"
+ end
+
def project_creation_level
super || ::Gitlab::CurrentSettings.default_project_creation
end
diff --git a/app/models/project.rb b/app/models/project.rb
index 512c6ac1acb..de7dd42866f 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -89,6 +89,11 @@ class Project < ApplicationRecord
DEFAULT_SQUASH_COMMIT_TEMPLATE = '%{title}'
+ # Prefix for runners_token which can be used to invalidate existing tokens.
+ # The value chosen here is GR (for Gitlab Runner) combined with the rotation
+ # date (20220225) decimal to hex encoded.
+ RUNNERS_TOKEN_PREFIX = 'GR1348941'
+
cache_markdown_field :description, pipeline: :description
default_value_for :packages_enabled, true
@@ -109,7 +114,9 @@ class Project < ApplicationRecord
default_value_for :autoclose_referenced_issues, true
default_value_for(:ci_config_path) { Gitlab::CurrentSettings.default_ci_config_path }
- add_authentication_token_field :runners_token, encrypted: -> { Feature.enabled?(:projects_tokens_optional_encryption, default_enabled: true) ? :optional : :required }
+ add_authentication_token_field :runners_token,
+ encrypted: -> { Feature.enabled?(:projects_tokens_optional_encryption, default_enabled: true) ? :optional : :required },
+ prefix: ->(instance) { instance.runners_token_prefix }
before_validation :mark_remote_mirrors_for_removal, if: -> { RemoteMirror.table_exists? }
@@ -1873,6 +1880,15 @@ class Project < ApplicationRecord
ensure_runners_token!
end
+ def runners_token_prefix
+ Feature.enabled?(:projects_runners_token_prefix, self, default_enabled: :yaml) ? RUNNERS_TOKEN_PREFIX : ''
+ end
+
+ override :format_runners_token
+ def format_runners_token(token)
+ "#{runners_token_prefix}#{token}"
+ end
+
def pages_deployed?
pages_metadatum&.deployed?
end