Merge branch 'revert-d5d11f29' into 'master'

Revert !1095 into 'master'"

See merge request gitlab-org/security/gitlab!1207

app/models/concerns/token_authenticatable_strategies/encrypted.rb

@@ -85,17 +85,10 @@ module TokenAuthenticatableStrategies
     end
 
     def find_by_encrypted_token(token, unscoped)
-      encrypted_value = Gitlab::CryptoHelper.aes256_gcm_encrypt(token, nonce: find_hashed_iv(token) || Gitlab::CryptoHelper::AES256_GCM_IV_STATIC)
-
+      encrypted_value = Gitlab::CryptoHelper.aes256_gcm_encrypt(token)
       relation(unscoped).find_by(encrypted_field => encrypted_value)
     end
 
-    def find_hashed_iv(token)
-      token_record = TokenWithIv.find_by_plaintext_token(token)
-
-      token_record&.iv
-    end
-
     def insecure_strategy
       @insecure_strategy ||= TokenAuthenticatableStrategies::Insecure
         .new(klass, token_field, options)

app/models/token_with_iv.rb

-# frozen_string_literal: true
-
-# rubocop: todo Gitlab/NamespacedClass
-class TokenWithIv < ApplicationRecord
-  validates :hashed_token, presence: true
-  validates :iv, presence: true
-  validates :hashed_plaintext_token, presence: true
-
-  def self.find_by_hashed_token(value)
-    find_by(hashed_token: ::Digest::SHA256.digest(value))
-  end
-
-  def self.find_by_plaintext_token(value)
-    find_by(hashed_plaintext_token: ::Digest::SHA256.digest(value))
-  end
-end

changelogs/unreleased/security-299-crypto-helper.yml

----
-title: Fix AES-GCM issues in lib/gitlab/crypto_helper.rb
-merge_request:
-author:
-type: security

db/migrate/20201120144823_create_tokens_with_iv.rb

-# frozen_string_literal: true
-
-class CreateTokensWithIv < ActiveRecord::Migration[6.0]
-  include Gitlab::Database::MigrationHelpers
-
-  DOWNTIME = false
-
-  def change
-    create_table :token_with_ivs do |t|
-      t.binary :hashed_token, null: false
-      t.binary :hashed_plaintext_token, null: false
-      t.binary :iv, null: false
-
-      t.index :hashed_token, name: 'index_token_with_ivs_on_hashed_token', unique: true, using: :btree
-      t.index :hashed_plaintext_token, name: 'index_token_with_ivs_on_hashed_plaintext_token', unique: true, using: :btree
-    end
-  end
-end

db/post_migrate/20190606175050_encrypt_feature_flags_clients_tokens.rb

@@ -10,7 +10,7 @@ class EncryptFeatureFlagsClientsTokens < ActiveRecord::Migration[5.1]
   def up
     say_with_time("Encrypting tokens from operations_feature_flags_clients") do
       FeatureFlagsClient.where('token_encrypted is NULL AND token IS NOT NULL').find_each do |feature_flags_client|
-        token_encrypted = Gitlab::CryptoHelper.aes256_gcm_encrypt(feature_flags_client.token, nonce: Gitlab::CryptoHelper::AES256_GCM_IV_STATIC)
+        token_encrypted = Gitlab::CryptoHelper.aes256_gcm_encrypt(feature_flags_client.token)
         feature_flags_client.update!(token_encrypted: token_encrypted)
       end
     end

db/post_migrate/20190711201818_encrypt_deploy_tokens_tokens.rb

@@ -10,7 +10,7 @@ class EncryptDeployTokensTokens < ActiveRecord::Migration[5.1]
   def up
     say_with_time("Encrypting tokens from deploy_tokens") do
       DeploymentTokens.where('token_encrypted is NULL AND token IS NOT NULL').find_each(batch_size: 10000) do |deploy_token|
-        token_encrypted = Gitlab::CryptoHelper.aes256_gcm_encrypt(deploy_token.token, nonce: Gitlab::CryptoHelper::AES256_GCM_IV_STATIC)
+        token_encrypted = Gitlab::CryptoHelper.aes256_gcm_encrypt(deploy_token.token)
         deploy_token.update!(token_encrypted: token_encrypted)
       end
     end

db/schema_migrations/20201120144823

-dde424c434c78e22087123fa30eec75c07268a9079fea44339915747aae235e0
\ No newline at end of file

db/structure.sql

@@ -17401,22 +17401,6 @@ CREATE SEQUENCE todos_id_seq
 
 ALTER SEQUENCE todos_id_seq OWNED BY todos.id;
 
-CREATE TABLE token_with_ivs (
-    id bigint NOT NULL,
-    hashed_token bytea NOT NULL,
-    hashed_plaintext_token bytea NOT NULL,
-    iv bytea NOT NULL
-);
-
-CREATE SEQUENCE token_with_ivs_id_seq
-    START WITH 1
-    INCREMENT BY 1
-    NO MINVALUE
-    NO MAXVALUE
-    CACHE 1;
-
-ALTER SEQUENCE token_with_ivs_id_seq OWNED BY token_with_ivs.id;
-
 CREATE TABLE trending_projects (
     id integer NOT NULL,
     project_id integer NOT NULL
@@ -19134,8 +19118,6 @@ ALTER TABLE ONLY timelogs ALTER COLUMN id SET DEFAULT nextval('timelogs_id_seq':
 
 ALTER TABLE ONLY todos ALTER COLUMN id SET DEFAULT nextval('todos_id_seq'::regclass);
 
-ALTER TABLE ONLY token_with_ivs ALTER COLUMN id SET DEFAULT nextval('token_with_ivs_id_seq'::regclass);
-
 ALTER TABLE ONLY trending_projects ALTER COLUMN id SET DEFAULT nextval('trending_projects_id_seq'::regclass);
 
 ALTER TABLE ONLY u2f_registrations ALTER COLUMN id SET DEFAULT nextval('u2f_registrations_id_seq'::regclass);
@@ -20658,9 +20640,6 @@ ALTER TABLE ONLY timelogs
 ALTER TABLE ONLY todos
     ADD CONSTRAINT todos_pkey PRIMARY KEY (id);
 
-ALTER TABLE ONLY token_with_ivs
-    ADD CONSTRAINT token_with_ivs_pkey PRIMARY KEY (id);
-
 ALTER TABLE ONLY trending_projects
     ADD CONSTRAINT trending_projects_pkey PRIMARY KEY (id);
 
@@ -23185,10 +23164,6 @@ CREATE INDEX index_todos_on_user_id_and_id_done ON todos USING btree (user_id, i
 
 CREATE INDEX index_todos_on_user_id_and_id_pending ON todos USING btree (user_id, id) WHERE ((state)::text = 'pending'::text);
 
-CREATE UNIQUE INDEX index_token_with_ivs_on_hashed_plaintext_token ON token_with_ivs USING btree (hashed_plaintext_token);
-
-CREATE UNIQUE INDEX index_token_with_ivs_on_hashed_token ON token_with_ivs USING btree (hashed_token);
-
 CREATE UNIQUE INDEX index_trending_projects_on_project_id ON trending_projects USING btree (project_id);
 
 CREATE INDEX index_u2f_registrations_on_key_handle ON u2f_registrations USING btree (key_handle);

ee/spec/features/read_only_spec.rb

@@ -23,7 +23,7 @@ RSpec.describe 'Geo read-only message', :geo do
 
   context 'when in maintenance mode' do
     before do
-      stub_maintenance_mode_setting(true)
+      stub_application_setting(maintenance_mode: true)
     end
 
     it_behaves_like 'Read-only instance', /This GitLab instance is undergoing maintenance and is operating in read\-only mode./

ee/spec/helpers/application_helper_spec.rb

@@ -22,7 +22,7 @@ RSpec.describe ApplicationHelper do
       context 'maintenance mode' do
         context 'enabled' do
           before do
-            stub_maintenance_mode_setting(true)
+            stub_application_setting(maintenance_mode: true)
           end
 
           it 'returns default message' do
@@ -48,7 +48,7 @@ RSpec.describe ApplicationHelper do
 
         context 'disabled' do
           it 'returns nil' do
-            stub_maintenance_mode_setting(false)
+            stub_application_setting(maintenance_mode: false)
 
             expect(helper.read_only_message).to be_nil
           end
@@ -60,7 +60,7 @@ RSpec.describe ApplicationHelper do
       context 'maintenance mode on' do
         it 'returns messages for both' do
           expect(Gitlab::Geo).to receive(:secondary?).twice { true }
-          stub_maintenance_mode_setting(true)
+          stub_application_setting(maintenance_mode: true)
 
           expect(helper.read_only_message).to match(/you must visit the primary site/)
           expect(helper.read_only_message).to match(/#{default_maintenance_mode_message}/)

ee/spec/lib/ee/gitlab/crypto_helper_spec.rb

-# frozen_string_literal: true
-
-require 'spec_helper'
-
-RSpec.describe Gitlab::CryptoHelper do
-  include ::EE::GeoHelpers
-
-  describe '.read_only?' do
-    context 'with Geo enabled' do
-      before do
-        allow(Gitlab::Geo).to receive(:enabled?) { true }
-        allow(Gitlab::Geo).to receive(:current_node) { geo_node }
-      end
-
-      context 'is Geo secondary node' do
-        let(:geo_node) { create(:geo_node) }
-
-        it 'returns true' do
-          expect(described_class.read_only?).to be_truthy
-        end
-      end
-
-      context 'is Geo primary node' do
-        let(:geo_node) { create(:geo_node, :primary) }
-
-        it 'returns false when is Geo primary node' do
-          expect(described_class.read_only?).to be_falsey
-        end
-      end
-    end
-  end
-end

ee/spec/lib/ee/gitlab/database_spec.rb

@@ -37,7 +37,7 @@ RSpec.describe Gitlab::Database do
 
     context 'in maintenance mode' do
       before do
-        stub_maintenance_mode_setting(true)
+        stub_application_setting(maintenance_mode: true)
       end
 
       it 'returns true' do

ee/spec/lib/ee/gitlab/middleware/read_only_spec.rb

@@ -5,7 +5,7 @@ require 'spec_helper'
 RSpec.describe Gitlab::Middleware::ReadOnly do
   context 'when maintenance mode is on' do
     before do
-      stub_maintenance_mode_setting(true)
+      stub_application_setting(maintenance_mode: true)
     end
 
     it_behaves_like 'write access for a read-only GitLab (EE) instance in maintenance mode'
@@ -13,7 +13,7 @@ RSpec.describe Gitlab::Middleware::ReadOnly do
 
   context 'when maintenance mode is not on' do
     before do
-      stub_maintenance_mode_setting(false)
+      stub_application_setting(maintenance_mode: false)
     end
 
     it_behaves_like 'write access for a read-only GitLab (EE) instance'

ee/spec/lib/gitlab/git_access_spec.rb

@@ -758,7 +758,7 @@ RSpec.describe Gitlab::GitAccess do
 
     context 'when maintenance mode is enabled' do
       before do
-        stub_maintenance_mode_setting(true)
+        stub_application_setting(maintenance_mode: true)
       end
 
       it 'blocks git push' do
@@ -770,7 +770,7 @@ RSpec.describe Gitlab::GitAccess do
 
     context 'when maintenance mode is disabled' do
       before do
-        stub_maintenance_mode_setting(false)
+        stub_application_setting(maintenance_mode: false)
       end
 
       it 'allows git push' do

ee/spec/migrations/nullify_feature_flag_plaintext_tokens_spec.rb

@@ -12,8 +12,8 @@ RSpec.describe NullifyFeatureFlagPlaintextTokens do
   let!(:project1) { projects.create!(namespace_id: namespace.id, name: 'Project 1') }
   let!(:project2) { projects.create!(namespace_id: namespace.id, name: 'Project 2') }
 
-  let(:secret1_encrypted) { Gitlab::CryptoHelper.aes256_gcm_encrypt('secret1', nonce: Gitlab::CryptoHelper::AES256_GCM_IV_STATIC) }
-  let(:secret2_encrypted) { Gitlab::CryptoHelper.aes256_gcm_encrypt('secret2', nonce: Gitlab::CryptoHelper::AES256_GCM_IV_STATIC) }
+  let(:secret1_encrypted) { Gitlab::CryptoHelper.aes256_gcm_encrypt('secret1') }
+  let(:secret2_encrypted) { Gitlab::CryptoHelper.aes256_gcm_encrypt('secret2') }
 
   before do
     feature_flags_clients.create!(token: 'secret1', token_encrypted: secret1_encrypted, project_id: project1.id)

ee/spec/requests/api/internal/base_spec.rb

@@ -248,7 +248,7 @@ RSpec.describe API::Internal::Base do
       let_it_be(:project) { create(:project, :repository) }
 
       before do
-        stub_maintenance_mode_setting(true)
+        stub_application_setting(maintenance_mode: true)
 
         project.add_developer(user)
       end

ee/spec/services/ee/auth/container_registry_authentication_service_spec.rb

@@ -19,7 +19,7 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
     end
 
     before do
-      stub_maintenance_mode_setting(true)
+      stub_application_setting(maintenance_mode: true)
       project.add_developer(current_user)
     end
 

ee/spec/support/shared_examples/lib/gitlab/middleware/maintenance_mode_gitlab_ee_instance_shared_examples.rb

@@ -7,7 +7,7 @@ RSpec.shared_examples 'write access for a read-only GitLab (EE) instance in main
   include_context 'with a mocked GitLab instance'
 
   before do
-    stub_maintenance_mode_setting(true)
+    stub_application_setting(maintenance_mode: true)
   end
 
   context 'normal requests to a read-only GitLab instance' do

lib/gitlab.rb

@@ -118,7 +118,6 @@ module Gitlab
 
   def self.maintenance_mode?
     return false unless ::Feature.enabled?(:maintenance_mode)
-    return false unless ::Gitlab::CurrentSettings.current_application_settings?
 
     ::Gitlab::CurrentSettings.maintenance_mode
   end

lib/gitlab/crypto_helper.rb

@@ -6,74 +6,25 @@ module Gitlab
 
     AES256_GCM_OPTIONS = {
       algorithm: 'aes-256-gcm',
-      key: Settings.attr_encrypted_db_key_base_32
+      key: Settings.attr_encrypted_db_key_base_32,
+      iv: Settings.attr_encrypted_db_key_base_12
     }.freeze
 
-    AES256_GCM_IV_STATIC = Settings.attr_encrypted_db_key_base_12
-
     def sha256(value)
       salt = Settings.attr_encrypted_db_key_base_truncated
       ::Digest::SHA256.base64digest("#{value}#{salt}")
     end
 
-    def aes256_gcm_encrypt(value, nonce: nil)
-      return aes256_gcm_encrypt_for_non_read_db(value) if read_only?
-
-      found_nonce = nonce || find_nonce_by_token(value)
-      iv = found_nonce || create_nonce
-
-      encrypted_token = create_encrypted_token(value, iv)
-      save_token_with_nonce!(encrypted_token, value, iv) unless found_nonce
-      encrypted_token
+    def aes256_gcm_encrypt(value)
+      encrypted_token = Encryptor.encrypt(AES256_GCM_OPTIONS.merge(value: value))
+      Base64.strict_encode64(encrypted_token)
     end
 
     def aes256_gcm_decrypt(value)
       return unless value
 
-      nonce = find_nonce_by_hashed_token(value)
       encrypted_token = Base64.decode64(value)
-      decrypted_token = Encryptor.decrypt(AES256_GCM_OPTIONS.merge(value: encrypted_token, iv: nonce || AES256_GCM_IV_STATIC))
-      aes256_gcm_encrypt(value) unless nonce
-      decrypted_token
-    end
-
-    def read_only?
-      Gitlab::Database.read_only?
-    end
-
-    def aes256_gcm_encrypt_for_non_read_db(value)
-      create_encrypted_token(value, AES256_GCM_IV_STATIC)
-    end
-
-    def create_encrypted_token(value, iv)
-      encrypted_token = Encryptor.encrypt(AES256_GCM_OPTIONS.merge(value: value, iv: iv))
-      Base64.strict_encode64(encrypted_token)
-    end
-
-    def save_token_with_nonce!(encrypted_token, plaintext_token, nonce)
-      return unless TokenWithIv.table_exists?
-
-      TokenWithIv.create!(hashed_token: Digest::SHA256.digest(encrypted_token), hashed_plaintext_token: Digest::SHA256.digest(plaintext_token), iv: nonce)
-    end
-
-    def create_nonce
-      cipher = OpenSSL::Cipher.new('aes-256-gcm')
-      cipher.encrypt # Required before '#random_iv' can be called
-      cipher.random_iv # Ensures that the IV is the correct length respective to the algorithm used.
-    end
-
-    def find_nonce_by_hashed_token(value)
-      return unless TokenWithIv.table_exists?
-
-      token_record = TokenWithIv.find_by_hashed_token(value)
-      token_record&.iv
-    end
-
-    def find_nonce_by_token(value)
-      return unless TokenWithIv.table_exists?
-
-      token_record = TokenWithIv.find_by_plaintext_token(value)
-      token_record&.iv
+      Encryptor.decrypt(AES256_GCM_OPTIONS.merge(value: encrypted_token))
     end
   end
 end

lib/gitlab/current_settings.rb

@@ -7,10 +7,6 @@ module Gitlab
         Gitlab::SafeRequestStore.fetch(:current_application_settings) { ensure_application_settings! }
       end
 
-      def current_application_settings?
-        Gitlab::SafeRequestStore.exist?(:current_application_settings) || ::ApplicationSetting.current.present?
-      end
-
       def expire_current_application_settings
         ::ApplicationSetting.expire
         Gitlab::SafeRequestStore.delete(:current_application_settings)

spec/controllers/admin/runners_controller_spec.rb

@@ -27,8 +27,7 @@ RSpec.describe Admin::RunnersController do
 
       # There is still an N+1 query for `runner.builds.count`
       # We also need to add 1 because it takes 2 queries to preload tags
-      # also looking for token nonce requires database queries
-      expect { get :index }.not_to exceed_query_limit(control_count + 16)
+      expect { get :index }.not_to exceed_query_limit(control_count + 6)
 
       expect(response).to have_gitlab_http_status(:ok)
       expect(response.body).to have_content('tag1')

spec/factories/token_with_ivs.rb

-# frozen_string_literal: true
-
-FactoryBot.define do
-  factory :token_with_iv do
-    hashed_token { ::Digest::SHA256.digest(SecureRandom.hex(50)) }
-    iv { ::Digest::SHA256.digest(SecureRandom.hex(50)) }
-    hashed_plaintext_token { ::Digest::SHA256.digest(SecureRandom.hex(50)) }
-  end
-end

spec/lib/gitlab/crypto_helper_spec.rb

@@ -19,83 +19,21 @@ RSpec.describe Gitlab::CryptoHelper do
       expect(encrypted).to match %r{\A[A-Za-z0-9+/=]+\z}
       expect(encrypted).not_to include "\n"
     end
-
-    it 'saves hashed token with iv value in database' do
-      expect { described_class.aes256_gcm_encrypt('some-value') }.to change { TokenWithIv.count }.by(1)
-    end
-
-    it 'saves hashed token in database' do
-      encrypted_token = described_class.aes256_gcm_encrypt('some-value')
-
-      expect(TokenWithIv.last.hashed_token).to eq(Digest::SHA256.digest(encrypted_token))
-    end
-
-    it 'saves digested plaintext token in database' do
-      described_class.aes256_gcm_encrypt('some-value')
-
-      expect(TokenWithIv.last.hashed_plaintext_token).to eq(Digest::SHA256.digest('some-value'))
-    end
-
-    context 'when we are encrypting the same token for a second time' do
-      before do
-        described_class.aes256_gcm_encrypt('some-value')
-      end
-
-      it 'does not save digested plaintext token in database' do
-        expect { described_class.aes256_gcm_encrypt('some-value') }.not_to change { TokenWithIv.count }
-      end
-    end
-
-    context 'when read only is true' do
-      before do
-        allow(described_class).to receive(:read_only?).and_return(true)
-      end
-
-      it 'does not save tokens in database' do
-        expect { described_class.aes256_gcm_encrypt('some-value') }.not_to change { TokenWithIv.count }
-      end
-
-      it 'encrypts using static iv' do
-        expect(Encryptor).to receive(:encrypt).with(described_class::AES256_GCM_OPTIONS.merge(value: 'some-value', iv: described_class::AES256_GCM_IV_STATIC)).and_return('hashed_value')
-
-        described_class.aes256_gcm_encrypt('some-value')
-      end
-    end
   end
 
   describe '.aes256_gcm_decrypt' do
-    context 'when token was encrypted using static nonce' do
-      let(:encrypted) { described_class.aes256_gcm_encrypt('some-value', nonce: described_class::AES256_GCM_IV_STATIC) }
+    let(:encrypted) { described_class.aes256_gcm_encrypt('some-value') }
 
-      it 'correctly decrypts encrypted string' do
-        decrypted = described_class.aes256_gcm_decrypt(encrypted)
+    it 'correctly decrypts encrypted string' do
+      decrypted = described_class.aes256_gcm_decrypt(encrypted)
 
-        expect(decrypted).to eq 'some-value'
-      end
-
-      it 'decrypts a value when it ends with a new line character' do
-        decrypted = described_class.aes256_gcm_decrypt(encrypted + "\n")
-
-        expect(decrypted).to eq 'some-value'
-      end
-
-      it 'saves hashed token with iv value in database' do
-        expect { described_class.aes256_gcm_decrypt(encrypted) }.to change { TokenWithIv.count }.by(1)
-      end
+      expect(decrypted).to eq 'some-value'
     end
 
-    context 'when token was encrypted using random nonce' do
-      let!(:encrypted) { described_class.aes256_gcm_encrypt('some-value') }
-
-      it 'correctly decrypts encrypted string' do
-        decrypted = described_class.aes256_gcm_decrypt(encrypted)
-
-        expect(decrypted).to eq 'some-value'
-      end
+    it 'decrypts a value when it ends with a new line character' do
+      decrypted = described_class.aes256_gcm_decrypt(encrypted + "\n")
 
-      it 'does not save hashed token with iv value in database' do
-        expect { described_class.aes256_gcm_decrypt(encrypted) }.not_to change { TokenWithIv.count }
-      end
+      expect(decrypted).to eq 'some-value'
     end
   end
 end

spec/lib/gitlab/current_settings_spec.rb

@@ -194,32 +194,4 @@ RSpec.describe Gitlab::CurrentSettings do
       end
     end
   end
-
-  describe '#current_application_settings?', :use_clean_rails_memory_store_caching do
-    before do
-      allow(Gitlab::CurrentSettings).to receive(:current_application_settings?).and_call_original
-    end
-
-    it 'returns true when settings exist' do
-      create(:application_setting,
-        home_page_url: 'http://mydomain.com',
-        signup_enabled: false)
-
-      expect(described_class.current_application_settings?).to eq(true)
-    end
-
-    it 'returns false when settings do not exist' do
-      expect(described_class.current_application_settings?).to eq(false)
-    end
-
-    context 'with cache', :request_store do
-      include_context 'with settings in cache'
-
-      it 'returns an in-memory ApplicationSetting object' do
-        expect(ApplicationSetting).not_to receive(:current)
-
-        expect(described_class.current_application_settings?).to eq(true)
-      end
-    end
-  end
 end

spec/lib/gitlab_spec.rb

@@ -332,13 +332,13 @@ RSpec.describe Gitlab do
 
   describe '.maintenance_mode?' do
     it 'returns true when maintenance mode is enabled' do
-      stub_maintenance_mode_setting(true)
+      stub_application_setting(maintenance_mode: true)
 
       expect(described_class.maintenance_mode?).to eq(true)
     end
 
     it 'returns false when maintenance mode is disabled' do
-      stub_maintenance_mode_setting(false)
+      stub_application_setting(maintenance_mode: false)
 
       expect(described_class.maintenance_mode?).to eq(false)
     end

spec/migrations/encrypt_feature_flags_clients_tokens_spec.rb

@@ -8,7 +8,7 @@ RSpec.describe EncryptFeatureFlagsClientsTokens do
   let(:feature_flags_clients) { table(:operations_feature_flags_clients) }
   let(:projects) { table(:projects) }
   let(:plaintext) { "secret-token" }
-  let(:ciphertext) { Gitlab::CryptoHelper.aes256_gcm_encrypt(plaintext, nonce: Gitlab::CryptoHelper::AES256_GCM_IV_STATIC) }
+  let(:ciphertext) { Gitlab::CryptoHelper.aes256_gcm_encrypt(plaintext) }
 
   describe '#up' do
     it 'keeps plaintext token the same and populates token_encrypted if not present' do

spec/models/active_session_spec.rb

@@ -358,7 +358,7 @@ RSpec.describe ActiveSession, :clean_gitlab_redis_shared_state do
       it 'calls .destroy_sessions' do
         expect(ActiveSession).to(
           receive(:destroy_sessions)
-            .with(anything, user, [encrypted_active_session_id, rack_session.public_id, rack_session.private_id]))
+            .with(anything, user, [active_session.public_id, rack_session.public_id, rack_session.private_id]))
 
         subject
       end

spec/models/concerns/token_authenticatable_spec.rb

@@ -53,9 +53,8 @@ RSpec.describe ApplicationSetting, 'TokenAuthenticatable' do
 
         it 'persists new token as an encrypted string' do
           expect(subject).to eq settings.reload.runners_registration_token
-          nonce = TokenWithIv.find_by_hashed_token(settings.read_attribute('runners_registration_token_encrypted')).iv
           expect(settings.read_attribute('runners_registration_token_encrypted'))
-            .to eq Gitlab::CryptoHelper.aes256_gcm_encrypt(subject, nonce: nonce)
+            .to eq Gitlab::CryptoHelper.aes256_gcm_encrypt(subject)
           expect(settings).to be_persisted
         end
 
@@ -244,8 +243,7 @@ RSpec.describe Ci::Build, 'TokenAuthenticatable' do
         it 'persists new token as an encrypted string' do
           build.ensure_token!
 
-          nonce = TokenWithIv.find_by_hashed_token(build.token_encrypted).iv
-          encrypted = Gitlab::CryptoHelper.aes256_gcm_encrypt(build.token, nonce: nonce)
+          encrypted = Gitlab::CryptoHelper.aes256_gcm_encrypt(build.token)
 
           expect(build.read_attribute('token_encrypted')).to eq encrypted
         end

spec/models/concerns/token_authenticatable_strategies/encrypted_spec.rb

@@ -124,7 +124,7 @@ RSpec.describe TokenAuthenticatableStrategies::Encrypted do
 
       it 'writes encrypted token and removes plaintext token and returns it' do
         expect(instance).to receive(:[]=)
-          .with('some_field_encrypted', any_args)
+          .with('some_field_encrypted', encrypted)
         expect(instance).to receive(:[]=)
           .with('some_field', nil)
 
@@ -137,7 +137,7 @@ RSpec.describe TokenAuthenticatableStrategies::Encrypted do
 
       it 'writes encrypted token and writes plaintext token' do
         expect(instance).to receive(:[]=)
-          .with('some_field_encrypted', any_args)
+          .with('some_field_encrypted', encrypted)
         expect(instance).to receive(:[]=)
           .with('some_field', 'my-value')
 

spec/models/token_with_iv_spec.rb

-# frozen_string_literal: true
-
-require 'spec_helper'
-
-RSpec.describe TokenWithIv do
-  describe 'validations' do
-    it { is_expected.to validate_presence_of :hashed_token }
-    it { is_expected.to validate_presence_of :iv }
-    it { is_expected.to validate_presence_of :hashed_plaintext_token }
-  end
-
-  describe '.find_by_hashed_token' do
-    it 'only includes matching record' do
-      matching_record = create(:token_with_iv, hashed_token: ::Digest::SHA256.digest('hashed-token'))
-      create(:token_with_iv)
-
-      expect(described_class.find_by_hashed_token('hashed-token')).to eq(matching_record)
-    end
-  end
-
-  describe '.find_by_plaintext_token' do
-    it 'only includes matching record' do
-      matching_record = create(:token_with_iv, hashed_plaintext_token: ::Digest::SHA256.digest('hashed-token'))
-      create(:token_with_iv)
-
-      expect(described_class.find_by_plaintext_token('hashed-token')).to eq(matching_record)
-    end
-  end
-end

spec/spec_helper.rb

@@ -282,8 +282,6 @@ RSpec.configure do |config|
         current_user_mode.send(:user)&.admin?
       end
     end
-
-    allow(Gitlab::CurrentSettings).to receive(:current_application_settings?).and_return(false)
   end
 
   config.around(:example, :quarantine) do |example|

spec/support/helpers/stub_configuration.rb

@@ -121,12 +121,6 @@ module StubConfiguration
     allow(::Gitlab.config.packages).to receive_messages(to_settings(messages))
   end
 
-  def stub_maintenance_mode_setting(value)
-    allow(Gitlab::CurrentSettings).to receive(:current_application_settings?).and_return(true)
-
-    stub_application_setting(maintenance_mode: value)
-  end
-
   private
 
   # Modifies stubbed messages to also stub possible predicate versions