Skip to content

Encrypt plaintext static_objects_external_storage_auth_token fields

What does this MR do and why?

Contributes to #199716 (closed)

Roadmap

  1. Add database fields for encrypted tokens - !75334 (merged)
  2. Migrate old tokens to encrypted version and start using them <- This MR
  3. Drop plaintext token fields #348307 (closed)

Problem

We store static_objects_external_storage_auth_token values in plaintext.

Solution

  • Fill static_objects_external_storage_auth_token_encrypted fields
  • Use optional (encrypted first, plaintext is a fallback) strategy
  • Store encrypted version of the token when user updates it

Screenshots or screen recordings

These are strongly recommended to assist reviewers and reduce the time to merge your change.

How to set up and validate locally

  1. Visit http://localhost:3000/admin/application_settings/repository#js-repository-static-objects-settings page
  2. Populate external storage authentication token field
  3. Verify that the value is visible after update
  4. Check database state after update

Expected result

gitlabhq_development=# SELECT static_objects_external_storage_auth_token, static_objects_external_storage_auth_token_encrypted FROM application_settings;

 static_objects_external_storage_auth_token | static_objects_external_storage_auth_token_encrypted
--------------------------------------------+------------------------------------------------------
                                            | <encoded_value>

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Vasilii Iakliushin

Merge request reports

Loading