Commit 1914a1e3 authored by Gosia Ksionek's avatar Gosia Ksionek Committed by Sean McGivern

Add new way of encrypting tokens

Changelog: changed
parent 9258c973
......@@ -5,10 +5,6 @@ module TokenAuthenticatableStrategies
DYNAMIC_NONCE_IDENTIFIER = "|"
NONCE_SIZE = 12
def self.encrypt_token(plaintext_token)
Gitlab::CryptoHelper.aes256_gcm_encrypt(plaintext_token)
end
def self.decrypt_token(token)
return unless token
......@@ -22,5 +18,13 @@ module TokenAuthenticatableStrategies
Gitlab::CryptoHelper.aes256_gcm_decrypt(token)
end
end
def self.encrypt_token(plaintext_token)
return Gitlab::CryptoHelper.aes256_gcm_encrypt(plaintext_token) unless Feature.enabled?(:dynamic_nonce, type: :ops)
iv = ::Digest::SHA256.hexdigest(plaintext_token).bytes.take(NONCE_SIZE).pack('c*')
token = Gitlab::CryptoHelper.aes256_gcm_encrypt(plaintext_token, nonce: iv)
"#{DYNAMIC_NONCE_IDENTIFIER}#{token}#{iv}"
end
end
end
---
name: dynamic_nonce
introduced_by_url:
rollout_issue_url:
milestone: '14.0'
type: ops
group: group::access
default_enabled: false
......@@ -3,16 +3,67 @@
require 'spec_helper'
RSpec.describe TokenAuthenticatableStrategies::EncryptionHelper do
let(:encrypted_token) { described_class.encrypt_token('my-value') }
let(:encrypted_token) { described_class.encrypt_token('my-value-my-value-my-value') }
describe '.encrypt_token' do
context 'when dynamic_nonce feature flag is switched on' do
it 'adds nonce identifier on the beginning' do
expect(encrypted_token.first).to eq(described_class::DYNAMIC_NONCE_IDENTIFIER)
end
it 'adds nonce at the end' do
nonce = encrypted_token.last(described_class::NONCE_SIZE)
expect(nonce).to eq(::Digest::SHA256.hexdigest('my-value-my-value-my-value').bytes.take(described_class::NONCE_SIZE).pack('c*'))
end
it 'encrypts token' do
expect(encrypted_token).not_to eq('my-value')
expect(encrypted_token[1...-described_class::NONCE_SIZE]).not_to eq('my-value-my-value-my-value')
end
end
context 'when dynamic_nonce feature flag is switched off' do
before do
stub_feature_flags(dynamic_nonce: false)
end
it 'does not add nonce identifier on the beginning' do
expect(encrypted_token.first).not_to eq(described_class::DYNAMIC_NONCE_IDENTIFIER)
end
it 'does not add nonce in the end' do
nonce = encrypted_token.last(described_class::NONCE_SIZE)
expect(nonce).not_to eq(::Digest::SHA256.hexdigest('my-value-my-value-my-value').bytes.take(described_class::NONCE_SIZE).pack('c*'))
end
it 'encrypts token with static iv' do
token = Gitlab::CryptoHelper.aes256_gcm_encrypt('my-value-my-value-my-value')
expect(encrypted_token).to eq(token)
end
end
end
describe '.decrypt_token' do
context 'with feature flag switched off' do
before do
stub_feature_flags(dynamic_nonce: false)
end
it 'decrypts token with static iv' do
encrypted_token = described_class.encrypt_token('my-value')
expect(described_class.decrypt_token(encrypted_token)).to eq('my-value')
end
it 'decrypts token if feature flag changed after encryption' do
encrypted_token = described_class.encrypt_token('my-value')
expect(encrypted_token).not_to eq('my-value')
stub_feature_flags(dynamic_nonce: true)
expect(described_class.decrypt_token(encrypted_token)).to eq('my-value')
end
......@@ -24,4 +75,27 @@ RSpec.describe TokenAuthenticatableStrategies::EncryptionHelper do
expect(described_class.decrypt_token(encrypted_token)).to eq('my-value')
end
end
context 'with feature flag switched on' do
before do
stub_feature_flags(dynamic_nonce: true)
end
it 'decrypts token with dynamic iv' do
encrypted_token = described_class.encrypt_token('my-value')
expect(described_class.decrypt_token(encrypted_token)).to eq('my-value')
end
it 'decrypts token if feature flag changed after encryption' do
encrypted_token = described_class.encrypt_token('my-value')
expect(encrypted_token).not_to eq('my-value')
stub_feature_flags(dynamic_nonce: false)
expect(described_class.decrypt_token(encrypted_token)).to eq('my-value')
end
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment