Merge branch '322594-create-a-new-way-of-encrypting-tokens-phase2-writer-v2' into 'master'

Create new way of encrypting tokens - phase 2- writer [RUN ALL RSPEC] [RUN AS-IF-FOSS]

See merge request gitlab-org/gitlab!58902

app/models/concerns/token_authenticatable_strategies/encryption_helper.rb

@@ -5,10 +5,6 @@ module TokenAuthenticatableStrategies
     DYNAMIC_NONCE_IDENTIFIER = "|"
     NONCE_SIZE = 12
 
-    def self.encrypt_token(plaintext_token)
-      Gitlab::CryptoHelper.aes256_gcm_encrypt(plaintext_token)
-    end
-
     def self.decrypt_token(token)
       return unless token
 
@@ -22,5 +18,13 @@ module TokenAuthenticatableStrategies
         Gitlab::CryptoHelper.aes256_gcm_decrypt(token)
       end
     end
+
+    def self.encrypt_token(plaintext_token)
+      return Gitlab::CryptoHelper.aes256_gcm_encrypt(plaintext_token) unless Feature.enabled?(:dynamic_nonce, type: :ops)
+
+      iv = ::Digest::SHA256.hexdigest(plaintext_token).bytes.take(NONCE_SIZE).pack('c*')
+      token = Gitlab::CryptoHelper.aes256_gcm_encrypt(plaintext_token, nonce: iv)
+      "#{DYNAMIC_NONCE_IDENTIFIER}#{token}#{iv}"
+    end
   end
 end

config/feature_flags/ops/dynamic_nonce.yml

+---
+name: dynamic_nonce
+introduced_by_url:
+rollout_issue_url:
+milestone: '14.0'
+type: ops
+group: group::access
+default_enabled: false

spec/models/concerns/token_authenticatable_strategies/encryption_helper_spec.rb

@@ -3,25 +3,99 @@
 require 'spec_helper'
 
 RSpec.describe TokenAuthenticatableStrategies::EncryptionHelper do
-  let(:encrypted_token) { described_class.encrypt_token('my-value') }
+  let(:encrypted_token) { described_class.encrypt_token('my-value-my-value-my-value') }
 
   describe '.encrypt_token' do
-    it 'encrypts token' do
-      expect(encrypted_token).not_to eq('my-value')
+    context 'when dynamic_nonce feature flag is switched on' do
+      it 'adds nonce identifier on the beginning' do
+        expect(encrypted_token.first).to eq(described_class::DYNAMIC_NONCE_IDENTIFIER)
+      end
+
+      it 'adds nonce at the end' do
+        nonce = encrypted_token.last(described_class::NONCE_SIZE)
+
+        expect(nonce).to eq(::Digest::SHA256.hexdigest('my-value-my-value-my-value').bytes.take(described_class::NONCE_SIZE).pack('c*'))
+      end
+
+      it 'encrypts token' do
+        expect(encrypted_token[1...-described_class::NONCE_SIZE]).not_to eq('my-value-my-value-my-value')
+      end
+    end
+
+    context 'when dynamic_nonce feature flag is switched off' do
+      before do
+        stub_feature_flags(dynamic_nonce: false)
+      end
+
+      it 'does not add nonce identifier on the beginning' do
+        expect(encrypted_token.first).not_to eq(described_class::DYNAMIC_NONCE_IDENTIFIER)
+      end
+
+      it 'does not add nonce in the end' do
+        nonce = encrypted_token.last(described_class::NONCE_SIZE)
+
+        expect(nonce).not_to eq(::Digest::SHA256.hexdigest('my-value-my-value-my-value').bytes.take(described_class::NONCE_SIZE).pack('c*'))
+      end
+
+      it 'encrypts token with static iv' do
+        token = Gitlab::CryptoHelper.aes256_gcm_encrypt('my-value-my-value-my-value')
+
+        expect(encrypted_token).to eq(token)
+      end
     end
   end
 
   describe '.decrypt_token' do
-    it 'decrypts token with static iv' do
-      expect(described_class.decrypt_token(encrypted_token)).to eq('my-value')
+    context 'with feature flag switched off' do
+      before do
+        stub_feature_flags(dynamic_nonce: false)
+      end
+
+      it 'decrypts token with static iv' do
+        encrypted_token = described_class.encrypt_token('my-value')
+
+        expect(described_class.decrypt_token(encrypted_token)).to eq('my-value')
+      end
+
+      it 'decrypts token if feature flag changed after encryption' do
+        encrypted_token = described_class.encrypt_token('my-value')
+
+        expect(encrypted_token).not_to eq('my-value')
+
+        stub_feature_flags(dynamic_nonce: true)
+
+        expect(described_class.decrypt_token(encrypted_token)).to eq('my-value')
+      end
+
+      it 'decrypts token with dynamic iv' do
+        iv = ::Digest::SHA256.hexdigest('my-value').bytes.take(described_class::NONCE_SIZE).pack('c*')
+        token = Gitlab::CryptoHelper.aes256_gcm_encrypt('my-value', nonce: iv)
+        encrypted_token = "#{described_class::DYNAMIC_NONCE_IDENTIFIER}#{token}#{iv}"
+
+        expect(described_class.decrypt_token(encrypted_token)).to eq('my-value')
+      end
     end
 
-    it 'decrypts token with dynamic iv' do
-      iv = ::Digest::SHA256.hexdigest('my-value').bytes.take(described_class::NONCE_SIZE).pack('c*')
-      token = Gitlab::CryptoHelper.aes256_gcm_encrypt('my-value', nonce: iv)
-      encrypted_token = "#{described_class::DYNAMIC_NONCE_IDENTIFIER}#{token}#{iv}"
+    context 'with feature flag switched on' do
+      before do
+        stub_feature_flags(dynamic_nonce: true)
+      end
+
+      it 'decrypts token with dynamic iv' do
+        encrypted_token = described_class.encrypt_token('my-value')
+
+        expect(described_class.decrypt_token(encrypted_token)).to eq('my-value')
+      end
+
+      it 'decrypts token if feature flag changed after encryption' do
+        encrypted_token = described_class.encrypt_token('my-value')
+
+        expect(encrypted_token).not_to eq('my-value')
+
+        stub_feature_flags(dynamic_nonce: false)
 
-      expect(described_class.decrypt_token(encrypted_token)).to eq('my-value')
+        expect(described_class.decrypt_token(encrypted_token)).to eq('my-value')
+      end
     end
   end
 end