2019-10-12 21:52:04 +05:30
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2019-02-15 15:39:39 +05:30
|
|
|
require 'spec_helper'
|
|
|
|
|
2020-07-28 23:09:34 +05:30
|
|
|
RSpec.describe Gitlab::CryptoHelper do
|
2019-02-15 15:39:39 +05:30
|
|
|
describe '.sha256' do
|
|
|
|
it 'generates SHA256 digest Base46 encoded' do
|
|
|
|
digest = described_class.sha256('some-value')
|
|
|
|
|
|
|
|
expect(digest).to match %r{\A[A-Za-z0-9+/=]+\z}
|
|
|
|
expect(digest).to eq digest.strip
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe '.aes256_gcm_encrypt' do
|
|
|
|
it 'is Base64 encoded string without new line character' do
|
|
|
|
encrypted = described_class.aes256_gcm_encrypt('some-value')
|
|
|
|
|
|
|
|
expect(encrypted).to match %r{\A[A-Za-z0-9+/=]+\z}
|
|
|
|
expect(encrypted).not_to include "\n"
|
|
|
|
end
|
2021-03-11 19:13:27 +05:30
|
|
|
|
|
|
|
it 'does not save hashed token with iv value in database' do
|
|
|
|
expect { described_class.aes256_gcm_encrypt('some-value') }.not_to change { TokenWithIv.count }
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'encrypts using static iv' do
|
|
|
|
expect(Encryptor).to receive(:encrypt).with(described_class::AES256_GCM_OPTIONS.merge(value: 'some-value', iv: described_class::AES256_GCM_IV_STATIC)).and_return('hashed_value')
|
|
|
|
|
|
|
|
described_class.aes256_gcm_encrypt('some-value')
|
|
|
|
end
|
2019-02-15 15:39:39 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
describe '.aes256_gcm_decrypt' do
|
2021-03-11 19:13:27 +05:30
|
|
|
before do
|
|
|
|
stub_feature_flags(dynamic_nonce_creation: false)
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when token was encrypted using static nonce' do
|
|
|
|
let(:encrypted) { described_class.aes256_gcm_encrypt('some-value', nonce: described_class::AES256_GCM_IV_STATIC) }
|
|
|
|
|
|
|
|
it 'correctly decrypts encrypted string' do
|
|
|
|
decrypted = described_class.aes256_gcm_decrypt(encrypted)
|
|
|
|
|
|
|
|
expect(decrypted).to eq 'some-value'
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'decrypts a value when it ends with a new line character' do
|
|
|
|
decrypted = described_class.aes256_gcm_decrypt(encrypted + "\n")
|
2019-02-15 15:39:39 +05:30
|
|
|
|
2021-03-11 19:13:27 +05:30
|
|
|
expect(decrypted).to eq 'some-value'
|
|
|
|
end
|
2019-02-15 15:39:39 +05:30
|
|
|
|
2021-03-11 19:13:27 +05:30
|
|
|
it 'does not save hashed token with iv value in database' do
|
|
|
|
expect { described_class.aes256_gcm_decrypt(encrypted) }.not_to change { TokenWithIv.count }
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'with feature flag switched on' do
|
|
|
|
before do
|
|
|
|
stub_feature_flags(dynamic_nonce_creation: true)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'correctly decrypts encrypted string' do
|
|
|
|
decrypted = described_class.aes256_gcm_decrypt(encrypted)
|
|
|
|
|
|
|
|
expect(decrypted).to eq 'some-value'
|
|
|
|
end
|
|
|
|
end
|
2019-02-15 15:39:39 +05:30
|
|
|
end
|
|
|
|
|
2021-03-11 19:13:27 +05:30
|
|
|
context 'when token was encrypted using random nonce' do
|
|
|
|
let(:value) { 'random-value' }
|
|
|
|
|
|
|
|
# for compatibility with tokens encrypted using dynamic nonce
|
|
|
|
let!(:encrypted) do
|
|
|
|
iv = create_nonce
|
|
|
|
encrypted_token = described_class.create_encrypted_token(value, iv)
|
|
|
|
TokenWithIv.create!(hashed_token: Digest::SHA256.digest(encrypted_token), hashed_plaintext_token: Digest::SHA256.digest(encrypted_token), iv: iv)
|
|
|
|
encrypted_token
|
|
|
|
end
|
|
|
|
|
|
|
|
before do
|
|
|
|
stub_feature_flags(dynamic_nonce_creation: true)
|
|
|
|
end
|
2019-02-15 15:39:39 +05:30
|
|
|
|
2021-03-11 19:13:27 +05:30
|
|
|
it 'correctly decrypts encrypted string' do
|
|
|
|
decrypted = described_class.aes256_gcm_decrypt(encrypted)
|
|
|
|
|
|
|
|
expect(decrypted).to eq value
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'does not save hashed token with iv value in database' do
|
|
|
|
expect { described_class.aes256_gcm_decrypt(encrypted) }.not_to change { TokenWithIv.count }
|
|
|
|
end
|
2019-02-15 15:39:39 +05:30
|
|
|
end
|
|
|
|
end
|
2021-03-11 19:13:27 +05:30
|
|
|
|
|
|
|
def create_nonce
|
|
|
|
cipher = OpenSSL::Cipher.new('aes-256-gcm')
|
|
|
|
cipher.encrypt # Required before '#random_iv' can be called
|
|
|
|
cipher.random_iv # Ensures that the IV is the correct length respective to the algorithm used.
|
|
|
|
end
|
2019-02-15 15:39:39 +05:30
|
|
|
end
|