aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorzeripath2021-06-17 21:59:28 +0100
committerGitHub2021-06-17 22:59:28 +0200
commit544ef7d3940adf55b18041bca2c2020cf0fa50f1 (patch)
tree78581373b2dd0ccb1ee548ffdc2ad3cf52e3ee91
parent5ff807acdebdd75960418060f465bb8ba79e96a6 (diff)
Encrypt migration credentials at rest (#15895) (#16187)
Backport #15895 Storing these credentials is a liability. * Encrypt credentials with SECRET_KEY before persisting to task queue table (they need to be persisted due to the nature of the task queue) - security in depth: helps when attacker has access to DB only, but not app.ini * Delete all credentials (even encrypted) from the task table, once the migration is done, for safety - security in depth: minimizes leaked data if attacker gains access to snapshot of both DB and app.ini
-rw-r--r--models/task.go42
-rw-r--r--modules/migrations/base/options.go11
-rw-r--r--modules/task/task.go21
3 files changed, 69 insertions, 5 deletions
diff --git a/models/task.go b/models/task.go
index 8d4bfbf07..a4ab65b5e 100644
--- a/models/task.go
+++ b/models/task.go
@@ -8,8 +8,11 @@ import (
"fmt"
migration "code.gitea.io/gitea/modules/migrations/base"
+ "code.gitea.io/gitea/modules/secret"
+ "code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/structs"
"code.gitea.io/gitea/modules/timeutil"
+ "code.gitea.io/gitea/modules/util"
jsoniter "github.com/json-iterator/go"
"xorm.io/builder"
@@ -110,6 +113,24 @@ func (task *Task) MigrateConfig() (*migration.MigrateOptions, error) {
if err != nil {
return nil, err
}
+
+ // decrypt credentials
+ if opts.CloneAddrEncrypted != "" {
+ if opts.CloneAddr, err = secret.DecryptSecret(setting.SecretKey, opts.CloneAddrEncrypted); err != nil {
+ return nil, err
+ }
+ }
+ if opts.AuthPasswordEncrypted != "" {
+ if opts.AuthPassword, err = secret.DecryptSecret(setting.SecretKey, opts.AuthPasswordEncrypted); err != nil {
+ return nil, err
+ }
+ }
+ if opts.AuthTokenEncrypted != "" {
+ if opts.AuthToken, err = secret.DecryptSecret(setting.SecretKey, opts.AuthTokenEncrypted); err != nil {
+ return nil, err
+ }
+ }
+
return &opts, nil
}
return nil, fmt.Errorf("Task type is %s, not Migrate Repo", task.Type.Name())
@@ -205,12 +226,31 @@ func createTask(e Engine, task *Task) error {
func FinishMigrateTask(task *Task) error {
task.Status = structs.TaskStatusFinished
task.EndTime = timeutil.TimeStampNow()
+
+ // delete credentials when we're done, they're a liability.
+ conf, err := task.MigrateConfig()
+ if err != nil {
+ return err
+ }
+ conf.AuthPassword = ""
+ conf.AuthToken = ""
+ conf.CloneAddr = util.SanitizeURLCredentials(conf.CloneAddr, true)
+ conf.AuthPasswordEncrypted = ""
+ conf.AuthTokenEncrypted = ""
+ conf.CloneAddrEncrypted = ""
+ json := jsoniter.ConfigCompatibleWithStandardLibrary
+ confBytes, err := json.Marshal(conf)
+ if err != nil {
+ return err
+ }
+ task.PayloadContent = string(confBytes)
+
sess := x.NewSession()
defer sess.Close()
if err := sess.Begin(); err != nil {
return err
}
- if _, err := sess.ID(task.ID).Cols("status", "end_time").Update(task); err != nil {
+ if _, err := sess.ID(task.ID).Cols("status", "end_time", "payload_content").Update(task); err != nil {
return err
}
diff --git a/modules/migrations/base/options.go b/modules/migrations/base/options.go
index 168f9848c..ec8392de4 100644
--- a/modules/migrations/base/options.go
+++ b/modules/migrations/base/options.go
@@ -11,10 +11,13 @@ import "code.gitea.io/gitea/modules/structs"
// this is for internal usage by migrations module and func who interact with it
type MigrateOptions struct {
// required: true
- CloneAddr string `json:"clone_addr" binding:"Required"`
- AuthUsername string `json:"auth_username"`
- AuthPassword string `json:"auth_password"`
- AuthToken string `json:"auth_token"`
+ CloneAddr string `json:"clone_addr" binding:"Required"`
+ CloneAddrEncrypted string `json:"clone_addr_encrypted,omitempty"`
+ AuthUsername string `json:"auth_username"`
+ AuthPassword string `json:"auth_password,omitempty"`
+ AuthPasswordEncrypted string `json:"auth_password_encrypted,omitempty"`
+ AuthToken string `json:"auth_token,omitempty"`
+ AuthTokenEncrypted string `json:"auth_token_encrypted,omitempty"`
// required: true
UID int `json:"uid" binding:"Required"`
// required: true
diff --git a/modules/task/task.go b/modules/task/task.go
index 0443517c0..0685aa23d 100644
--- a/modules/task/task.go
+++ b/modules/task/task.go
@@ -13,8 +13,11 @@ import (
"code.gitea.io/gitea/modules/migrations/base"
"code.gitea.io/gitea/modules/queue"
repo_module "code.gitea.io/gitea/modules/repository"
+ "code.gitea.io/gitea/modules/secret"
+ "code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/structs"
"code.gitea.io/gitea/modules/timeutil"
+ "code.gitea.io/gitea/modules/util"
jsoniter "github.com/json-iterator/go"
)
@@ -65,6 +68,24 @@ func MigrateRepository(doer, u *models.User, opts base.MigrateOptions) error {
// CreateMigrateTask creates a migrate task
func CreateMigrateTask(doer, u *models.User, opts base.MigrateOptions) (*models.Task, error) {
+ // encrypt credentials for persistence
+ var err error
+ opts.CloneAddrEncrypted, err = secret.EncryptSecret(setting.SecretKey, opts.CloneAddr)
+ if err != nil {
+ return nil, err
+ }
+ opts.CloneAddr = util.SanitizeURLCredentials(opts.CloneAddr, true)
+ opts.AuthPasswordEncrypted, err = secret.EncryptSecret(setting.SecretKey, opts.AuthPassword)
+ if err != nil {
+ return nil, err
+ }
+ opts.AuthPassword = ""
+ opts.AuthTokenEncrypted, err = secret.EncryptSecret(setting.SecretKey, opts.AuthToken)
+ if err != nil {
+ return nil, err
+ }
+ opts.AuthToken = ""
+
json := jsoniter.ConfigCompatibleWithStandardLibrary
bs, err := json.Marshal(&opts)
if err != nil {