Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Encrypt migration credentials at rest #15895

Merged
merged 13 commits into from
May 31, 2021
Merged

Encrypt migration credentials at rest #15895

merged 13 commits into from
May 31, 2021

Conversation

noerw
Copy link
Member

@noerw noerw commented May 16, 2021
edited
Loading

Storing these credentials is a liability (or plain stupid)

  • encrypt credentials with SECRET_KEY before persisting to task queue table (they need to be persisted due to the nature of the task queue)
    • security in depth: helps when attacker has access to DB only, but not app.ini
  • delete all credentials (even encrypted) from the task table, once the migration is done, for safety
    • security in depth: minimizes leaked data if attacker gains access to snapshot of both DB and app.ini
  • delete all credentials from past non-pending migrations from the db via a migration (the other kind of migration ;)

Will backport this to 1.14, implementing the migration as a doctor task.

noerw added 4 commits May 16, 2021 03:23
@noerw
encrypt migration credentials in task persistence
d3042a4 
Not sure this is the best approach, we could encrypt the entire
`PayloadContent` instead. Also instead of clearing individual fields in
payload content, we could just delete the task once it has
(successfully) finished..?
@noerw
remove credentials of past migrations
6cb43fb
@noerw
only run DB migration for completed tasks
113d3d4
@noerw
fix binding
9d8c354
@noerw noerw requested a review from zeripath May 16, 2021 10:58
@noerw noerw added this to the 1.15.0 milestone May 16, 2021
@noerw noerw added the topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! label May 16, 2021
@GiteaBot GiteaBot added lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels May 16, 2021
@codecov-commenter
Copy link

codecov-commenter commented May 16, 2021
edited
Loading

Codecov Report

Merging #15895 (eed86d1) into main (256b1a3) will increase coverage by 0.00%.
The diff coverage is 54.05%.

Impacted file tree graph

@@           Coverage Diff           @@
##             main   #15895   +/-   ##
=======================================
  Coverage   44.08%   44.08%           
=======================================
  Files         682      682           
  Lines       82384    82420   +36     
=======================================
+ Hits        36316    36334   +18     
- Misses      40157    40170   +13     
- Partials     5911     5916    +5
Impacted Files Coverage Δ
modules/task/task.go 60.29% <53.84%> (-1.53%) ⬇️
models/task.go 39.06% <54.16%> (+3.82%) ⬆️
models/unit.go 46.57% <0.00%> (-2.74%) ⬇️
modules/queue/workerpool.go 53.81% <0.00%> (-1.15%) ⬇️
services/pull/pull.go 43.37% <0.00%> (-0.46%) ⬇️
modules/queue/unique_queue_disk_channel.go 48.63% <0.00%> (+1.36%) ⬆️
modules/util/timer.go 85.71% <0.00%> (+42.85%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 256b1a3...eed86d1. Read the comment docs.

@lunny
Copy link
Member

lunny commented May 16, 2021

You could add a doctor task and back port the doctor sub command.

@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels May 18, 2021
@noerw noerw added the topic/repo-migration Migrate repos from other platforms to Gitea, or from Gitea to them label May 20, 2021
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels May 24, 2021
@techknowlogick techknowlogick merged commit cb940c4 into go-gitea:main May 31, 2021
zeripath added a commit to zeripath/gitea that referenced this pull request Jun 17, 2021
@zeripath
Encrypt migration credentials at rest (go-gitea#15895)
fc601b1 
Backport go-gitea#15895

Storing these credentials is a liability.

* Encrypt credentials with SECRET_KEY before persisting to task queue table (they need to be persisted due to the nature of the task queue)
  - security in depth: helps when attacker has access to DB only, but not app.ini
* Delete all credentials (even encrypted) from the task table, once the migration is done, for safety
  - security in depth: minimizes leaked data if attacker gains access to snapshot of both DB and app.ini

A Doctor task needs to be created to delete finished tasks and encrypt
current tasks.
@zeripath zeripath mentioned this pull request Jun 17, 2021
Merged
@zeripath zeripath added the backport/done All backports for this PR have been created label Jun 17, 2021
6543 pushed a commit that referenced this pull request Jun 17, 2021
@zeripath
Encrypt migration credentials at rest (#15895) (#16187)
544ef7d 
Backport #15895

Storing these credentials is a liability.

* Encrypt credentials with SECRET_KEY before persisting to task queue table (they need to be persisted due to the nature of the task queue)
  - security in depth: helps when attacker has access to DB only, but not app.ini
* Delete all credentials (even encrypted) from the task table, once the migration is done, for safety
  - security in depth: minimizes leaked data if attacker gains access to snapshot of both DB and app.ini
@6543 6543 deleted the migration-credentials branch June 17, 2021 20:59
AbdulrhmnGhanem pushed a commit to kitspace/gitea that referenced this pull request Aug 10, 2021
@noerw @techknowlogick
@zeripath @lunny @AbdulrhmnGhanem
Encrypt migration credentials at rest (go-gitea#15895)
7ffd311 
* encrypt migration credentials in task persistence

Not sure this is the best approach, we could encrypt the entire
`PayloadContent` instead. Also instead of clearing individual fields in
payload content, we could just delete the task once it has
(successfully) finished..?

* remove credentials of past migrations

* only run DB migration for completed tasks

* fix binding

* add omitempty

* never serialize unencrypted credentials

* fix import order

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: zeripath <art27@cantab.net>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
@go-gitea go-gitea locked and limited conversation to collaborators Oct 19, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@zeripath zeripath zeripath approved these changes

@lunny lunny lunny approved these changes

Assignees
No one assigned
Labels
backport/done All backports for this PR have been created lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. topic/repo-migration Migrate repos from other platforms to Gitea, or from Gitea to them topic/security Something leaks user information or is otherwise vulnerable. Should be fixed!
Projects
None yet
Milestone
1.15.0
Development

Successfully merging this pull request may close these issues.
6 participants
@noerw @codecov-commenter @lunny @zeripath @techknowlogick @GiteaBot