From 4af45f7bc9d82b973e341cb2793bd8101fa88f7e Mon Sep 17 00:00:00 2001 From: Lauris BH Date: Thu, 7 Jan 2021 11:31:54 +0200 Subject: [PATCH] Add AES GCM encryption provider --- cmd/generate.go | 9 ++- services/secrets/encryption.go | 16 +++++ services/secrets/encryption_aes.go | 89 ++++++++++++++++++++++++++ services/secrets/masterkey_nop_test.go | 12 ++++ services/secrets/secrets.go | 58 ++++++++++++++++- 5 files changed, 180 insertions(+), 4 deletions(-) create mode 100644 services/secrets/encryption.go create mode 100644 services/secrets/encryption_aes.go create mode 100644 services/secrets/masterkey_nop_test.go diff --git a/cmd/generate.go b/cmd/generate.go index aaf1fe7020..629c948eda 100644 --- a/cmd/generate.go +++ b/cmd/generate.go @@ -142,10 +142,13 @@ func runGenerateMasterKey(c *cli.Context) error { fmt.Printf("%s\n", base64.StdEncoding.EncodeToString(secret)) } } - fmt.Println("Setting changes required:") - fmt.Println("[secrets]") + if providerType == secrets.MasterKeyProviderTypePlain && len(scrts) == 1 { - fmt.Printf("MASTER_KEY = %s\n", base64.StdEncoding.EncodeToString(scrts[0])) + fmt.Printf("%s", base64.StdEncoding.EncodeToString(scrts[0])) + + if isatty.IsTerminal(os.Stdout.Fd()) { + fmt.Printf("\n") + } } return nil diff --git a/services/secrets/encryption.go b/services/secrets/encryption.go new file mode 100644 index 0000000000..4cf192ee61 --- /dev/null +++ b/services/secrets/encryption.go @@ -0,0 +1,16 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package secrets + +// EncryptionProvider encrypts and decrypts secrets +type EncryptionProvider interface { + Encrypt(secret, key []byte) ([]byte, error) + + EncryptString(secret string, key []byte) (string, error) + + Decrypt(enc, key []byte) ([]byte, error) + + DecryptString(enc string, key []byte) (string, error) +} diff --git a/services/secrets/encryption_aes.go b/services/secrets/encryption_aes.go new file mode 100644 index 0000000000..d34636c7aa --- /dev/null +++ b/services/secrets/encryption_aes.go @@ -0,0 +1,89 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package secrets + +import ( + "crypto/aes" + "crypto/cipher" + "crypto/rand" + "encoding/base64" + "fmt" + "io" +) + +type aesEncryptionProvider struct { +} + +func NewAesEncryptionProvider() EncryptionProvider { + return &aesEncryptionProvider{} +} + +func (e *aesEncryptionProvider) Encrypt(secret, key []byte) ([]byte, error) { + block, err := aes.NewCipher(key) + if err != nil { + return nil, err + } + + c, err := cipher.NewGCM(block) + if err != nil { + return nil, err + } + + nonce := make([]byte, c.NonceSize(), c.NonceSize()+c.Overhead()+len(secret)) + if _, err = io.ReadFull(rand.Reader, nonce); err != nil { + return nil, err + } + out := c.Seal(nil, nonce, secret, nil) + + return append(nonce, out...), nil +} + +func (e *aesEncryptionProvider) EncryptString(secret string, key []byte) (string, error) { + out, err := e.Encrypt([]byte(secret), key) + if err != nil { + return "", err + } + return base64.StdEncoding.EncodeToString(out), nil +} + +func (e *aesEncryptionProvider) Decrypt(enc, key []byte) ([]byte, error) { + block, err := aes.NewCipher(key) + if err != nil { + return nil, err + } + + c, err := cipher.NewGCM(block) + if err != nil { + return nil, err + } + + if len(enc) < c.NonceSize() { + return nil, fmt.Errorf("encrypted value too short") + } + + nonce := enc[:c.NonceSize()] + ciphertext := enc[c.NonceSize():] + + out, err := c.Open(nil, nonce, ciphertext, nil) + if err != nil { + return nil, err + } + + return out, nil +} + +func (e *aesEncryptionProvider) DecryptString(enc string, key []byte) (string, error) { + encb, err := base64.StdEncoding.DecodeString(enc) + if err != nil { + return "", err + } + + out, err := e.Encrypt(encb, key) + if err != nil { + return "", err + } + + return string(out), nil +} diff --git a/services/secrets/masterkey_nop_test.go b/services/secrets/masterkey_nop_test.go new file mode 100644 index 0000000000..09e4587d4d --- /dev/null +++ b/services/secrets/masterkey_nop_test.go @@ -0,0 +1,12 @@ +package secrets + +import ( + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestNopMasterKey_IsSealed(t *testing.T) { + k := NewNopMasterKeyProvider() + assert.False(t, k.IsSealed()) +} diff --git a/services/secrets/secrets.go b/services/secrets/secrets.go index accaabea2c..0459855781 100644 --- a/services/secrets/secrets.go +++ b/services/secrets/secrets.go @@ -20,7 +20,8 @@ const ( ) var ( - masterKey MasterKeyProvider + masterKey MasterKeyProvider + encProvider EncryptionProvider ) // Init initializes master key provider based on settings @@ -33,6 +34,9 @@ func Init() error { default: return fmt.Errorf("invalid master key provider %v", setting.MasterKeyProvider) } + + encProvider = NewAesEncryptionProvider() + return nil } @@ -40,3 +44,55 @@ func Init() error { func GenerateMasterKey() ([][]byte, error) { return masterKey.GenerateMasterKey() } + +func Encrypt(secret []byte) ([]byte, error) { + key, err := masterKey.GetMasterKey() + if err != nil { + return nil, err + } + + if len(key) == 0 { + return secret, nil + } + + return encProvider.Encrypt(secret, key) +} + +func EncryptString(secret string) (string, error) { + key, err := masterKey.GetMasterKey() + if err != nil { + return "", err + } + + if len(key) == 0 { + return secret, nil + } + + return encProvider.EncryptString(secret, key) +} + +func Decrypt(enc []byte) ([]byte, error) { + key, err := masterKey.GetMasterKey() + if err != nil { + return nil, err + } + + if len(key) == 0 { + return enc, nil + } + + return encProvider.Decrypt(enc, key) +} + +func DecryptString(enc string) (string, error) { + key, err := masterKey.GetMasterKey() + if err != nil { + return "", err + } + + if len(key) == 0 { + return enc, nil + } + + return encProvider.DecryptString(enc, key) +}