Merge branch '322594-create-a-new-way-of-encrypting-tokens-phase2-writer-v2' into 'master'

Create new way of encrypting tokens - phase 2- writer [RUN ALL RSPEC] [RUN AS-IF-FOSS] See merge request gitlab-org/gitlab!58902

Merge branch '322594-create-a-new-way-of-encrypting-tokens-phase2-writer-v2' into 'master'
Create new way of encrypting tokens - phase 2- writer [RUN ALL RSPEC] [RUN AS-IF-FOSS] See merge request gitlab-org/gitlab!58902
863aa3cb · Sean McGivern · b5c5b319 · 1914a1e3 · 863aa3cb · 863aa3cb
Commit 863aa3cb authored Jun 10, 2021 by Sean McGivern
3 changed files
--- a/app/models/concerns/token_authenticatable_strategies/encryption_helper.rb
+++ b/app/models/concerns/token_authenticatable_strategies/encryption_helper.rb
@@ -5,10 +5,6 @@ module TokenAuthenticatableStrategies
    DYNAMIC_NONCE_IDENTIFIER = "|"
    NONCE_SIZE = 12

-    def self.encrypt_token(plaintext_token)
-      Gitlab::CryptoHelper.aes256_gcm_encrypt(plaintext_token)
-    end
-
    def self.decrypt_token(token)
      return unless token

@@ -22,5 +18,13 @@ module TokenAuthenticatableStrategies
        Gitlab::CryptoHelper.aes256_gcm_decrypt(token)
      end
    end
+
+    def self.encrypt_token(plaintext_token)
+      return Gitlab::CryptoHelper.aes256_gcm_encrypt(plaintext_token) unless Feature.enabled?(:dynamic_nonce, type: :ops)
+
+      iv = ::Digest::SHA256.hexdigest(plaintext_token).bytes.take(NONCE_SIZE).pack('c*')
+      token = Gitlab::CryptoHelper.aes256_gcm_encrypt(plaintext_token, nonce: iv)
+      "#{DYNAMIC_NONCE_IDENTIFIER}#{token}#{iv}"
+    end
  end
 end
--- a/config/feature_flags/ops/dynamic_nonce.yml
+++ b/config/feature_flags/ops/dynamic_nonce.yml
+---
+name: dynamic_nonce
+introduced_by_url:
+rollout_issue_url:
+milestone: '14.0'
+type: ops
+group: group::access
+default_enabled: false
--- a/spec/models/concerns/token_authenticatable_strategies/encryption_helper_spec.rb
+++ b/spec/models/concerns/token_authenticatable_strategies/encryption_helper_spec.rb
@@ -3,16 +3,67 @@
 require 'spec_helper'

 RSpec.describe TokenAuthenticatableStrategies::EncryptionHelper do
-  let(:encrypted_token) { described_class.encrypt_token('my-value') }
+  let(:encrypted_token) { described_class.encrypt_token('my-value-my-value-my-value') }

  describe '.encrypt_token' do
+    context 'when dynamic_nonce feature flag is switched on' do
+      it 'adds nonce identifier on the beginning' do
+        expect(encrypted_token.first).to eq(described_class::DYNAMIC_NONCE_IDENTIFIER)
+      end
+
+      it 'adds nonce at the end' do
+        nonce = encrypted_token.last(described_class::NONCE_SIZE)
+
+        expect(nonce).to eq(::Digest::SHA256.hexdigest('my-value-my-value-my-value').bytes.take(described_class::NONCE_SIZE).pack('c*'))
+      end
+
      it 'encrypts token' do
-      expect(encrypted_token).not_to eq('my-value')
+        expect(encrypted_token[1...-described_class::NONCE_SIZE]).not_to eq('my-value-my-value-my-value')
+      end
+    end
+
+    context 'when dynamic_nonce feature flag is switched off' do
+      before do
+        stub_feature_flags(dynamic_nonce: false)
+      end
+
+      it 'does not add nonce identifier on the beginning' do
+        expect(encrypted_token.first).not_to eq(described_class::DYNAMIC_NONCE_IDENTIFIER)
+      end
+
+      it 'does not add nonce in the end' do
+        nonce = encrypted_token.last(described_class::NONCE_SIZE)
+
+        expect(nonce).not_to eq(::Digest::SHA256.hexdigest('my-value-my-value-my-value').bytes.take(described_class::NONCE_SIZE).pack('c*'))
+      end
+
+      it 'encrypts token with static iv' do
+        token = Gitlab::CryptoHelper.aes256_gcm_encrypt('my-value-my-value-my-value')
+
+        expect(encrypted_token).to eq(token)
+      end
    end
  end

  describe '.decrypt_token' do
+    context 'with feature flag switched off' do
+      before do
+        stub_feature_flags(dynamic_nonce: false)
+      end
+
      it 'decrypts token with static iv' do
+        encrypted_token = described_class.encrypt_token('my-value')
+
+        expect(described_class.decrypt_token(encrypted_token)).to eq('my-value')
+      end
+
+      it 'decrypts token if feature flag changed after encryption' do
+        encrypted_token = described_class.encrypt_token('my-value')
+
+        expect(encrypted_token).not_to eq('my-value')
+
+        stub_feature_flags(dynamic_nonce: true)
+
        expect(described_class.decrypt_token(encrypted_token)).to eq('my-value')
      end

@@ -24,4 +75,27 @@ RSpec.describe TokenAuthenticatableStrategies::EncryptionHelper do
        expect(described_class.decrypt_token(encrypted_token)).to eq('my-value')
      end
    end
+
+    context 'with feature flag switched on' do
+      before do
+        stub_feature_flags(dynamic_nonce: true)
+      end
+
+      it 'decrypts token with dynamic iv' do
+        encrypted_token = described_class.encrypt_token('my-value')
+
+        expect(described_class.decrypt_token(encrypted_token)).to eq('my-value')
+      end
+
+      it 'decrypts token if feature flag changed after encryption' do
+        encrypted_token = described_class.encrypt_token('my-value')
+
+        expect(encrypted_token).not_to eq('my-value')
+
+        stub_feature_flags(dynamic_nonce: false)
+
+        expect(described_class.decrypt_token(encrypted_token)).to eq('my-value')
+      end
+    end
+  end
 end