Merge branch 'updated-secure-files-encryption' into 'master'

Updated encyption key generation for Secure Files See merge request gitlab-org/gitlab!83652

Merge branch 'updated-secure-files-encryption' into 'master'
Updated encyption key generation for Secure Files See merge request gitlab-org/gitlab!83652
2fddd8d0 · Andreas Brandl · ca7cdac7 · 7e3d5508 · 2fddd8d0 · 2fddd8d0
Commit 2fddd8d0 authored Apr 08, 2022 by Andreas Brandl
6 changed files
--- a/app/models/ci/secure_file.rb
+++ b/app/models/ci/secure_file.rb
@@ -16,6 +16,7 @@ module Ci
    validates :file, presence: true, file_size: { maximum: FILE_SIZE_LIMIT }
    validates :checksum, :file_store, :name, :permissions, :project_id, presence: true
+    after_initialize :generate_key_data
    before_validation :assign_checksum
    enum permissions: { read_only: 0, read_write: 1, execute: 2 }
@@ -33,5 +34,11 @@ module Ci
    def assign_checksum
      self.checksum = file.checksum if file.present? && file_changed?
    end
+    def generate_key_data
+      return if key_data.present?
+      self.key_data = SecureRandom.hex(64)
+    end
  end
 end
--- a/app/uploaders/ci/secure_file_uploader.rb
+++ b/app/uploaders/ci/secure_file_uploader.rb
@@ -10,7 +10,7 @@ module Ci
    encrypt(key: :key)
    def key
-      OpenSSL::HMAC.digest('SHA256', Gitlab::Application.secrets.db_key_base, model.project_id.to_s)
+      Digest::SHA256.digest model.key_data
    end
    def checksum

--- a/db/migrate/20220324175325_add_key_data_to_secure_files.rb
+++ b/db/migrate/20220324175325_add_key_data_to_secure_files.rb
+# frozen_string_literal: true
+class AddKeyDataToSecureFiles < Gitlab::Database::Migration[1.0]
+  disable_ddl_transaction!
+  def up
+    unless column_exists? :ci_secure_files, :key_data
+      add_column :ci_secure_files, :key_data, :text
+    end
+    add_text_limit :ci_secure_files, :key_data, 128
+  end
+  def down
+    remove_column :ci_secure_files, :key_data
+  end
+end
--- a/db/schema_migrations/20220324175325
+++ b/db/schema_migrations/20220324175325
+8f423af68f25fb58374321eb38ff830fc47237005a23a66f61d5b794d519ef58
\ No newline at end of file
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -13038,8 +13038,10 @@ CREATE TABLE ci_secure_files (
    name text NOT NULL,
    file text NOT NULL,
    checksum bytea NOT NULL,
+    key_data text,
    CONSTRAINT check_320790634d CHECK ((char_length(file) <= 255)),
-    CONSTRAINT check_402c7b4a56 CHECK ((char_length(name) <= 255))
+    CONSTRAINT check_402c7b4a56 CHECK ((char_length(name) <= 255)),
+    CONSTRAINT check_7279b4e293 CHECK ((char_length(key_data) <= 128))
 );
 CREATE SEQUENCE ci_secure_files_id_seq
--- a/spec/uploaders/ci/secure_file_uploader_spec.rb
+++ b/spec/uploaders/ci/secure_file_uploader_spec.rb
@@ -15,9 +15,9 @@ RSpec.describe Ci::SecureFileUploader do
  describe '#key' do
    it 'creates a digest with a secret key and the project id' do
-      expect(OpenSSL::HMAC)
+      expect(Digest::SHA256)
        .to receive(:digest)
-        .with('SHA256', Gitlab::Application.secrets.db_key_base, ci_secure_file.project_id.to_s)
+        .with(ci_secure_file.key_data)
        .and_return('digest')
      expect(subject.key).to eq('digest')