Encrypt migration credentials at rest (#15895) (#16187)

Backport #15895

Storing these credentials is a liability.

* Encrypt credentials with SECRET_KEY before persisting to task queue table (they need to be persisted due to the nature of the task queue)
  - security in depth: helps when attacker has access to DB only, but not app.ini
* Delete all credentials (even encrypted) from the task table, once the migration is done, for safety
  - security in depth: minimizes leaked data if attacker gains access to snapshot of both DB and app.ini
This commit is contained in:
zeripath 2021-06-17 21:59:28 +01:00 committed by GitHub
parent 5ff807acde
commit 544ef7d394
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 69 additions and 5 deletions

View file

@ -8,8 +8,11 @@ import (
"fmt" "fmt"
migration "code.gitea.io/gitea/modules/migrations/base" migration "code.gitea.io/gitea/modules/migrations/base"
"code.gitea.io/gitea/modules/secret"
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/structs" "code.gitea.io/gitea/modules/structs"
"code.gitea.io/gitea/modules/timeutil" "code.gitea.io/gitea/modules/timeutil"
"code.gitea.io/gitea/modules/util"
jsoniter "github.com/json-iterator/go" jsoniter "github.com/json-iterator/go"
"xorm.io/builder" "xorm.io/builder"
@ -110,6 +113,24 @@ func (task *Task) MigrateConfig() (*migration.MigrateOptions, error) {
if err != nil { if err != nil {
return nil, err return nil, err
} }
// decrypt credentials
if opts.CloneAddrEncrypted != "" {
if opts.CloneAddr, err = secret.DecryptSecret(setting.SecretKey, opts.CloneAddrEncrypted); err != nil {
return nil, err
}
}
if opts.AuthPasswordEncrypted != "" {
if opts.AuthPassword, err = secret.DecryptSecret(setting.SecretKey, opts.AuthPasswordEncrypted); err != nil {
return nil, err
}
}
if opts.AuthTokenEncrypted != "" {
if opts.AuthToken, err = secret.DecryptSecret(setting.SecretKey, opts.AuthTokenEncrypted); err != nil {
return nil, err
}
}
return &opts, nil return &opts, nil
} }
return nil, fmt.Errorf("Task type is %s, not Migrate Repo", task.Type.Name()) return nil, fmt.Errorf("Task type is %s, not Migrate Repo", task.Type.Name())
@ -205,12 +226,31 @@ func createTask(e Engine, task *Task) error {
func FinishMigrateTask(task *Task) error { func FinishMigrateTask(task *Task) error {
task.Status = structs.TaskStatusFinished task.Status = structs.TaskStatusFinished
task.EndTime = timeutil.TimeStampNow() task.EndTime = timeutil.TimeStampNow()
// delete credentials when we're done, they're a liability.
conf, err := task.MigrateConfig()
if err != nil {
return err
}
conf.AuthPassword = ""
conf.AuthToken = ""
conf.CloneAddr = util.SanitizeURLCredentials(conf.CloneAddr, true)
conf.AuthPasswordEncrypted = ""
conf.AuthTokenEncrypted = ""
conf.CloneAddrEncrypted = ""
json := jsoniter.ConfigCompatibleWithStandardLibrary
confBytes, err := json.Marshal(conf)
if err != nil {
return err
}
task.PayloadContent = string(confBytes)
sess := x.NewSession() sess := x.NewSession()
defer sess.Close() defer sess.Close()
if err := sess.Begin(); err != nil { if err := sess.Begin(); err != nil {
return err return err
} }
if _, err := sess.ID(task.ID).Cols("status", "end_time").Update(task); err != nil { if _, err := sess.ID(task.ID).Cols("status", "end_time", "payload_content").Update(task); err != nil {
return err return err
} }

View file

@ -12,9 +12,12 @@ import "code.gitea.io/gitea/modules/structs"
type MigrateOptions struct { type MigrateOptions struct {
// required: true // required: true
CloneAddr string `json:"clone_addr" binding:"Required"` CloneAddr string `json:"clone_addr" binding:"Required"`
CloneAddrEncrypted string `json:"clone_addr_encrypted,omitempty"`
AuthUsername string `json:"auth_username"` AuthUsername string `json:"auth_username"`
AuthPassword string `json:"auth_password"` AuthPassword string `json:"auth_password,omitempty"`
AuthToken string `json:"auth_token"` AuthPasswordEncrypted string `json:"auth_password_encrypted,omitempty"`
AuthToken string `json:"auth_token,omitempty"`
AuthTokenEncrypted string `json:"auth_token_encrypted,omitempty"`
// required: true // required: true
UID int `json:"uid" binding:"Required"` UID int `json:"uid" binding:"Required"`
// required: true // required: true

View file

@ -13,8 +13,11 @@ import (
"code.gitea.io/gitea/modules/migrations/base" "code.gitea.io/gitea/modules/migrations/base"
"code.gitea.io/gitea/modules/queue" "code.gitea.io/gitea/modules/queue"
repo_module "code.gitea.io/gitea/modules/repository" repo_module "code.gitea.io/gitea/modules/repository"
"code.gitea.io/gitea/modules/secret"
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/structs" "code.gitea.io/gitea/modules/structs"
"code.gitea.io/gitea/modules/timeutil" "code.gitea.io/gitea/modules/timeutil"
"code.gitea.io/gitea/modules/util"
jsoniter "github.com/json-iterator/go" jsoniter "github.com/json-iterator/go"
) )
@ -65,6 +68,24 @@ func MigrateRepository(doer, u *models.User, opts base.MigrateOptions) error {
// CreateMigrateTask creates a migrate task // CreateMigrateTask creates a migrate task
func CreateMigrateTask(doer, u *models.User, opts base.MigrateOptions) (*models.Task, error) { func CreateMigrateTask(doer, u *models.User, opts base.MigrateOptions) (*models.Task, error) {
// encrypt credentials for persistence
var err error
opts.CloneAddrEncrypted, err = secret.EncryptSecret(setting.SecretKey, opts.CloneAddr)
if err != nil {
return nil, err
}
opts.CloneAddr = util.SanitizeURLCredentials(opts.CloneAddr, true)
opts.AuthPasswordEncrypted, err = secret.EncryptSecret(setting.SecretKey, opts.AuthPassword)
if err != nil {
return nil, err
}
opts.AuthPassword = ""
opts.AuthTokenEncrypted, err = secret.EncryptSecret(setting.SecretKey, opts.AuthToken)
if err != nil {
return nil, err
}
opts.AuthToken = ""
json := jsoniter.ConfigCompatibleWithStandardLibrary json := jsoniter.ConfigCompatibleWithStandardLibrary
bs, err := json.Marshal(&opts) bs, err := json.Marshal(&opts)
if err != nil { if err != nil {