Commit 56e5a2a3 authored by Grzegorz Bizon's avatar Grzegorz Bizon

Reset insecure token when setting an encrypted one

parent b32a9947
...@@ -24,13 +24,16 @@ module TokenAuthenticatableStrategies ...@@ -24,13 +24,16 @@ module TokenAuthenticatableStrategies
# using factory bot to create resources, it might happen that a database # using factory bot to create resources, it might happen that a database
# schema does not have "#{token_name}_encrypted" field yet, however a bunch # schema does not have "#{token_name}_encrypted" field yet, however a bunch
# of models call `ensure_#{token_name}` in `before_save`. # of models call `ensure_#{token_name}` in `before_save`.
#
# In that case we are using insecure strategy, but this should only happen
# in tests, because otherwise `encrypted_field` is going to exist.
return super if instance.has_attribute?(encrypted_field) return super if instance.has_attribute?(encrypted_field)
if fallback? if fallback?
fallback_strategy.ensure_token(instance) fallback_strategy.ensure_token(instance)
else else
raise ArgumentError, 'Encrypted field does not exist without fallback' raise ArgumentError, 'No fallback defined when encrypted field is missing!'
end end
end end
...@@ -45,6 +48,7 @@ module TokenAuthenticatableStrategies ...@@ -45,6 +48,7 @@ module TokenAuthenticatableStrategies
raise ArgumentError unless token.present? raise ArgumentError unless token.present?
instance[encrypted_field] = Gitlab::CryptoHelper.aes256_gcm_encrypt(token) instance[encrypted_field] = Gitlab::CryptoHelper.aes256_gcm_encrypt(token)
instance[token_field] = nil
token token
end end
......
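Review bot: The new `instance[token_field] = nil` in set_token is unconditional, while ensure_token in the same strategy already tolerates a schema that lacks the encrypted column via `has_attribute?`; once the legacy plaintext column is eventually dropped, this write would presumably fail on a missing attribute, so a symmetric guard `instance[token_field] = nil if instance.has_attribute?(token_field)` seems safer. The intent of the reset deserves a why-comment on that line, e.g. `# Clear the legacy plaintext column so the token is never stored alongside its ciphertext`, since nothing in the hunk states that the old column held the same secret in clear text. Note that this only affects tokens written through set_token from now on; records that already hold a plaintext value keep it until the token is next set, which may be worth stating in the commit description or a follow-up. The body of set_token starts outside the hunk, so I cannot see whether an earlier branch already handles the missing-column case.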
...@@ -63,6 +63,8 @@ describe TokenAuthenticatableStrategies::Encrypted do ...@@ -63,6 +63,8 @@ describe TokenAuthenticatableStrategies::Encrypted do
it 'writes encrypted token to a model instance and returns it' do it 'writes encrypted token to a model instance and returns it' do
expect(instance).to receive(:[]=) expect(instance).to receive(:[]=)
.with('some_field_encrypted', encrypted) .with('some_field_encrypted', encrypted)
expect(instance).to receive(:[]=)
.with('some_field', nil)
expect(subject.set_token(instance, 'my-value')).to eq 'my-value' expect(subject.set_token(instance, 'my-value')).to eq 'my-value'
end end
......
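Review bot: The two `receive(:[]=)` expectations do not pin the order of the writes, yet the order matters here: the encrypted value is written first and the plaintext cleared afterwards, so a failure inside the encrypt call leaves the instance with its old token rather than with no token at all. Adding `.ordered` to both expectations, e.g. `expect(instance).to receive(:[]=).with('some_field_encrypted', encrypted).ordered` followed by `expect(instance).to receive(:[]=).with('some_field', nil).ordered`, would make a future reordering fail the spec. There is also no example for a model instance whose schema lacks the plaintext column, so the new reset is only exercised on the happy path.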