tyler.durden/gitea
1
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2025-07-26 07:16:42 +02:00
Code Issues Packages Projects Releases Wiki Activity

Revert "Add AES GCM encryption provider"

Browse Source 
This reverts commit 4af45f7bc9d82b973e341cb2793bd8101fa88f7e.
This commit is contained in:
Jason Song 2022-12-22 11:37:11 +08:00
parent 118a454f93
commit b54f148164
No known key found for this signature in database
GPG Key ID: 8402EEEE4511A8B5
5 changed files with 6 additions and 231 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
cmd/generate.go
View File

@ -141,13 +141,10 @@ func runGenerateMasterKey(c *cli.Context) error {
fmt.Printf("%s\n", base64.StdEncoding.EncodeToString(secret)) fmt.Printf("%s\n", base64.StdEncoding.EncodeToString(secret))
} }
} }
fmt.Println("Setting changes required:")
fmt.Println("[secrets]")
if providerType == secrets.MasterKeyProviderTypePlain && len(scrts) == 1 { if providerType == secrets.MasterKeyProviderTypePlain && len(scrts) == 1 {
fmt.Printf("%s", base64.StdEncoding.EncodeToString(scrts[0])) fmt.Printf("MASTER_KEY = %s\n", base64.StdEncoding.EncodeToString(scrts[0]))
if isatty.IsTerminal(os.Stdout.Fd()) {
fmt.Printf("\n")
}
} }
return nil return nil

15
services/secrets/encryption.go
View File

@ -1,15 +0,0 @@
// Copyright 2021 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package secrets
// EncryptionProvider encrypts and decrypts secrets
type EncryptionProvider interface {
Encrypt(secret, key []byte) ([]byte, error)
EncryptString(secret string, key []byte) (string, error)
Decrypt(enc, key []byte) ([]byte, error)
DecryptString(enc string, key []byte) (string, error)
}

87
services/secrets/encryption_aes.go
View File

@ -1,87 +0,0 @@
// Copyright 2021 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package secrets
import (
"crypto/aes"
"crypto/cipher"
"crypto/rand"
"encoding/base64"
"fmt"
"io"
)
type aesEncryptionProvider struct{}
func NewAesEncryptionProvider() EncryptionProvider {
return &aesEncryptionProvider{}
}
func (e *aesEncryptionProvider) Encrypt(secret, key []byte) ([]byte, error) {
block, err := aes.NewCipher(key)
if err != nil {
return nil, err
}
c, err := cipher.NewGCM(block)
if err != nil {
return nil, err
}
nonce := make([]byte, c.NonceSize(), c.NonceSize()+c.Overhead()+len(secret))
if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
return nil, err
}
out := c.Seal(nil, nonce, secret, nil)
return append(nonce, out...), nil
}
func (e *aesEncryptionProvider) EncryptString(secret string, key []byte) (string, error) {
out, err := e.Encrypt([]byte(secret), key)
if err != nil {
return "", err
}
return base64.StdEncoding.EncodeToString(out), nil
}
func (e *aesEncryptionProvider) Decrypt(enc, key []byte) ([]byte, error) {
block, err := aes.NewCipher(key)
if err != nil {
return nil, err
}
c, err := cipher.NewGCM(block)
if err != nil {
return nil, err
}
if len(enc) < c.NonceSize() {
return nil, fmt.Errorf("encrypted value too short")
}
nonce := enc[:c.NonceSize()]
ciphertext := enc[c.NonceSize():]
out, err := c.Open(nil, nonce, ciphertext, nil)
if err != nil {
return nil, err
}
return out, nil
}
func (e *aesEncryptionProvider) DecryptString(enc string, key []byte) (string, error) {
encb, err := base64.StdEncoding.DecodeString(enc)
if err != nil {
return "", err
}
out, err := e.Decrypt(encb, key)
if err != nil {
return "", err
}
return string(out), nil
}

15
services/secrets/masterkey_nop_test.go
View File

@ -1,15 +0,0 @@
// Copyright 2022 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package secrets
import (
"testing"
"github.com/stretchr/testify/assert"
)
func TestNopMasterKey_IsSealed(t *testing.T) {
k := NewNopMasterKeyProvider()
assert.False(t, k.IsSealed())
}

111
services/secrets/secrets.go
View File

@ -1,17 +1,13 @@
// Copyright 2021 The Gitea Authors. All rights reserved. // Copyright 2021 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT // Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
package secrets package secrets
import ( import (
"context"
"fmt" "fmt"
auth_model "code.gitea.io/gitea/models/auth"
"code.gitea.io/gitea/models/db"
"code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/setting"
"xorm.io/builder"
) )
// MasterKeyProviderType is the type of master key provider // MasterKeyProviderType is the type of master key provider
@ -24,8 +20,7 @@ const (
) )
var ( var (
masterKey MasterKeyProvider masterKey MasterKeyProvider
encProvider EncryptionProvider
) )
// Init initializes master key provider based on settings // Init initializes master key provider based on settings
@ -38,13 +33,6 @@ func Init() error {
default: default:
return fmt.Errorf("invalid master key provider %v", setting.MasterKeyProvider) return fmt.Errorf("invalid master key provider %v", setting.MasterKeyProvider)
} }
if err := masterKey.Init(); err != nil {
return err
}
encProvider = NewAesEncryptionProvider()
return nil return nil
} }
@ -52,96 +40,3 @@ func Init() error {
func GenerateMasterKey() ([][]byte, error) { func GenerateMasterKey() ([][]byte, error) {
return masterKey.GenerateMasterKey() return masterKey.GenerateMasterKey()
} }
func Encrypt(secret []byte) ([]byte, error) {
key, err := masterKey.GetMasterKey()
if err != nil {
return nil, err
}
if len(key) == 0 {
return secret, nil
}
return encProvider.Encrypt(secret, key)
}
func EncryptString(secret string) (string, error) {
key, err := masterKey.GetMasterKey()
if err != nil {
return "", err
}
if len(key) == 0 {
return secret, nil
}
return encProvider.EncryptString(secret, key)
}
func Decrypt(enc []byte) ([]byte, error) {
key, err := masterKey.GetMasterKey()
if err != nil {
return nil, err
}
if len(key) == 0 {
return enc, nil
}
return encProvider.Decrypt(enc, key)
}
func DecryptString(enc string) (string, error) {
key, err := masterKey.GetMasterKey()
if err != nil {
return "", err
}
if len(key) == 0 {
return enc, nil
}
return encProvider.DecryptString(enc, key)
}
func InsertRepoSecret(ctx context.Context, repoID int64, key, data string, pullRequest bool) error {
v, err := EncryptString(data)
if err != nil {
return err
}
return db.Insert(ctx, &auth_model.Secret{
RepoID: repoID,
Name: key,
Data: v,
PullRequest: pullRequest,
})
}
func InsertOrgSecret(ctx context.Context, userID int64, key, data string, pullRequest bool) error {
v, err := EncryptString(data)
if err != nil {
return err
}
return db.Insert(ctx, &auth_model.Secret{
UserID: userID,
Name: key,
Data: v,
PullRequest: pullRequest,
})
}
func DeleteSecretByID(ctx context.Context, id int64) error {
_, err := db.DeleteByBean(ctx, &auth_model.Secret{ID: id})
return err
}
func FindRepoSecrets(ctx context.Context, repoID int64) ([]*auth_model.Secret, error) {
var res []*auth_model.Secret
return res, db.FindObjects(ctx, builder.Eq{"repo_id": repoID}, nil, &res)
}
func FindUserSecrets(ctx context.Context, userID int64) ([]*auth_model.Secret, error) {
var res []*auth_model.Secret
return res, db.FindObjects(ctx, builder.Eq{"user_id": userID}, nil, &res)
}