1 files changed, 71 insertions, 7 deletions

diff --git a/spec/lib/gitlab/crypto_helper_spec.rb b/spec/lib/gitlab/crypto_helper_spec.rb
index c07089d8ef0..024564ea213 100644
--- a/spec/lib/gitlab/crypto_helper_spec.rb
+++ b/spec/lib/gitlab/crypto_helper_spec.rb
@@ -19,21 +19,85 @@ RSpec.describe Gitlab::CryptoHelper do
       expect(encrypted).to match %r{\A[A-Za-z0-9+/=]+\z}
       expect(encrypted).not_to include "\n"
     end
+
+    it 'does not save hashed token with iv value in database' do
+      expect { described_class.aes256_gcm_encrypt('some-value') }.not_to change { TokenWithIv.count }
+    end
+
+    it 'encrypts using static iv' do
+      expect(Encryptor).to receive(:encrypt).with(described_class::AES256_GCM_OPTIONS.merge(value: 'some-value', iv: described_class::AES256_GCM_IV_STATIC)).and_return('hashed_value')
+
+      described_class.aes256_gcm_encrypt('some-value')
+    end
   end
 
   describe '.aes256_gcm_decrypt' do
-    let(:encrypted) { described_class.aes256_gcm_encrypt('some-value') }
+    before do
+      stub_feature_flags(dynamic_nonce_creation: false)
+    end
+
+    context 'when token was encrypted using static nonce' do
+      let(:encrypted) { described_class.aes256_gcm_encrypt('some-value', nonce: described_class::AES256_GCM_IV_STATIC) }
+
+      it 'correctly decrypts encrypted string' do
+        decrypted = described_class.aes256_gcm_decrypt(encrypted)
+
+        expect(decrypted).to eq 'some-value'
+      end
+
+      it 'decrypts a value when it ends with a new line character' do
+        decrypted = described_class.aes256_gcm_decrypt(encrypted + "\n")
 
-    it 'correctly decrypts encrypted string' do
-      decrypted = described_class.aes256_gcm_decrypt(encrypted)
+        expect(decrypted).to eq 'some-value'
+      end
 
-      expect(decrypted).to eq 'some-value'
+      it 'does not save hashed token with iv value in database' do
+        expect { described_class.aes256_gcm_decrypt(encrypted) }.not_to change { TokenWithIv.count }
+      end
+
+      context 'with feature flag switched on' do
+        before do
+          stub_feature_flags(dynamic_nonce_creation: true)
+        end
+
+        it 'correctly decrypts encrypted string' do
+          decrypted = described_class.aes256_gcm_decrypt(encrypted)
+
+          expect(decrypted).to eq 'some-value'
+        end
+      end
     end
 
-    it 'decrypts a value when it ends with a new line character' do
-      decrypted = described_class.aes256_gcm_decrypt(encrypted + "\n")
+    context 'when token was encrypted using random nonce' do
+      let(:value) { 'random-value' }
+
+      # for compatibility with tokens encrypted using dynamic nonce
+      let!(:encrypted) do
+        iv = create_nonce
+        encrypted_token = described_class.create_encrypted_token(value, iv)
+        TokenWithIv.create!(hashed_token: Digest::SHA256.digest(encrypted_token), hashed_plaintext_token: Digest::SHA256.digest(encrypted_token), iv: iv)
+        encrypted_token
+      end
+
+      before do
+        stub_feature_flags(dynamic_nonce_creation: true)
+      end
 
-      expect(decrypted).to eq 'some-value'
+      it 'correctly decrypts encrypted string' do
+        decrypted = described_class.aes256_gcm_decrypt(encrypted)
+
+        expect(decrypted).to eq value
+      end
+
+      it 'does not save hashed token with iv value in database' do
+        expect { described_class.aes256_gcm_decrypt(encrypted) }.not_to change { TokenWithIv.count }
+      end
     end
   end
+
+  def create_nonce
+    cipher = OpenSSL::Cipher.new('aes-256-gcm')
+    cipher.encrypt # Required before '#random_iv' can be called
+    cipher.random_iv # Ensures that the IV is the correct length respective to the algorithm used.
+  end
 end