Fix attr_encryption key settings

attr_encrypted does different things with `key` depending on what mode you are using: 1. In `:per_attribute_iv_and_salt` mode, it generates a hash with the salt: https://github.com/attr-encrypted/encryptor/blob/c3a62c4a9e74686dd95e0548f9dc2a361fdc95d1/lib/encryptor.rb#L77. There is no need to truncate the key to 32 bytes here. 2. In `:per_attribute_iv` mode, it sets the key directly to the password, so truncation to 32 bytes is necessary. Closes #47166

Fix attr_encryption key settings
61df812a · Stan Hu · fe0ebf76 · 61df812a · 61df812a · 61df812a
Commit 61df812a authored Jun 02, 2018 by Stan Hu
4 changed files
--- a/app/models/clusters/platforms/kubernetes.rb
+++ b/app/models/clusters/platforms/kubernetes.rb
@@ -11,12 +11,12 @@ module Clusters

      attr_encrypted :password,
        mode: :per_attribute_iv,
-        key: Settings.attr_encrypted_db_key_base,
+        key: Settings.attr_encrypted_db_key_base_truncated,
        algorithm: 'aes-256-cbc'

      attr_encrypted :token,
        mode: :per_attribute_iv,
-        key: Settings.attr_encrypted_db_key_base,
+        key: Settings.attr_encrypted_db_key_base_truncated,
        algorithm: 'aes-256-cbc'

      before_validation :enforce_namespace_to_lower_case

--- a/app/models/clusters/providers/gcp.rb
+++ b/app/models/clusters/providers/gcp.rb
@@ -11,7 +11,7 @@ module Clusters

      attr_encrypted :access_token,
        mode: :per_attribute_iv,
-        key: Settings.attr_encrypted_db_key_base,
+        key: Settings.attr_encrypted_db_key_base_truncated,
        algorithm: 'aes-256-cbc'

      validates :gcp_project_id,

--- a/changelogs/unreleased/sh-fix-secrets-not-working.yml
+++ b/changelogs/unreleased/sh-fix-secrets-not-working.yml
+---
+title: Fix attr_encryption key settings
+merge_request:
+author:
+type: fixed
--- a/config/settings.rb
+++ b/config/settings.rb
@@ -85,17 +85,24 @@ class Settings < Settingslogic
      File.expand_path(path, Rails.root)
    end

-    # Returns a 256-bit key for attr_encrypted
-    def attr_encrypted_db_key_base
-      # Ruby 2.4+ requires passing in the exact required length for OpenSSL keys
-      # (https://github.com/ruby/ruby/commit/ce635262f53b760284d56bb1027baebaaec175d1).
-      # Previous versions quietly truncated the input.
-      #
-      # The default mode for the attr_encrypted gem is to use a 256-bit key.
-      # We truncate the 128-byte string to 32 bytes.
+    # Ruby 2.4+ requires passing in the exact required length for OpenSSL keys
+    # (https://github.com/ruby/ruby/commit/ce635262f53b760284d56bb1027baebaaec175d1).
+    # Previous versions quietly truncated the input.
+    #
+    # Use this when using :per_attribute_iv mode for attr_encrypted.
+    # We have to truncate the string to 32 bytes for a 256-bit cipher.
+    def attr_encrypted_db_key_base_truncated
      Gitlab::Application.secrets.db_key_base[0..31]
    end

+    # This should be used for :per_attribute_salt_and_iv mode. There is no
+    # need to truncate the key because the encryptor will use the salt to
+    # generate a hash of the password:
+    # https://github.com/attr-encrypted/encryptor/blob/c3a62c4a9e74686dd95e0548f9dc2a361fdc95d1/lib/encryptor.rb#L77
+    def attr_encrypted_db_key_base
+      Gitlab::Application.secrets.db_key_base
+    end
+
    private

    def base_url(config)