Add AES GCM encryption provider

lafriks · lunny · commit 47c472a26508 · 2022-10-06T12:02:26.000+08:00
diff --git a/cmd/generate.go b/cmd/generate.go
@@ -142,10 +142,13 @@ func runGenerateMasterKey(c *cli.Context) error {
 			fmt.Printf("%s\n", base64.StdEncoding.EncodeToString(secret))
 		}
 	}
-	fmt.Println("Setting changes required:")
-	fmt.Println("[secrets]")
+
 	if providerType == secrets.MasterKeyProviderTypePlain && len(scrts) == 1 {
-		fmt.Printf("MASTER_KEY = %s\n", base64.StdEncoding.EncodeToString(scrts[0]))
+		fmt.Printf("%s", base64.StdEncoding.EncodeToString(scrts[0]))
+
+		if isatty.IsTerminal(os.Stdout.Fd()) {
+			fmt.Printf("\n")
+		}
 	}
 
 	return nil
diff --git a/services/secrets/encryption.go b/services/secrets/encryption.go
@@ -0,0 +1,16 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package secrets
+
+// EncryptionProvider encrypts and decrypts secrets
+type EncryptionProvider interface {
+	Encrypt(secret, key []byte) ([]byte, error)
+
+	EncryptString(secret string, key []byte) (string, error)
+
+	Decrypt(enc, key []byte) ([]byte, error)
+
+	DecryptString(enc string, key []byte) (string, error)
+}
diff --git a/services/secrets/encryption_aes.go b/services/secrets/encryption_aes.go
@@ -0,0 +1,89 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package secrets
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"encoding/base64"
+	"fmt"
+	"io"
+)
+
+type aesEncryptionProvider struct {
+}
+
+func NewAesEncryptionProvider() EncryptionProvider {
+	return &aesEncryptionProvider{}
+}
+
+func (e *aesEncryptionProvider) Encrypt(secret, key []byte) ([]byte, error) {
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+
+	c, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, err
+	}
+
+	nonce := make([]byte, c.NonceSize(), c.NonceSize()+c.Overhead()+len(secret))
+	if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
+		return nil, err
+	}
+	out := c.Seal(nil, nonce, secret, nil)
+
+	return append(nonce, out...), nil
+}
+
+func (e *aesEncryptionProvider) EncryptString(secret string, key []byte) (string, error) {
+	out, err := e.Encrypt([]byte(secret), key)
+	if err != nil {
+		return "", err
+	}
+	return base64.StdEncoding.EncodeToString(out), nil
+}
+
+func (e *aesEncryptionProvider) Decrypt(enc, key []byte) ([]byte, error) {
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+
+	c, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(enc) < c.NonceSize() {
+		return nil, fmt.Errorf("encrypted value too short")
+	}
+
+	nonce := enc[:c.NonceSize()]
+	ciphertext := enc[c.NonceSize():]
+
+	out, err := c.Open(nil, nonce, ciphertext, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	return out, nil
+}
+
+func (e *aesEncryptionProvider) DecryptString(enc string, key []byte) (string, error) {
+	encb, err := base64.StdEncoding.DecodeString(enc)
+	if err != nil {
+		return "", err
+	}
+
+	out, err := e.Encrypt(encb, key)
+	if err != nil {
+		return "", err
+	}
+
+	return string(out), nil
+}
diff --git a/services/secrets/masterkey_nop_test.go b/services/secrets/masterkey_nop_test.go
@@ -0,0 +1,12 @@
+package secrets
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestNopMasterKey_IsSealed(t *testing.T) {
+	k := NewNopMasterKeyProvider()
+	assert.False(t, k.IsSealed())
+}
diff --git a/services/secrets/secrets.go b/services/secrets/secrets.go
@@ -20,7 +20,8 @@ const (
 )
 
 var (
-	masterKey MasterKeyProvider
+	masterKey   MasterKeyProvider
+	encProvider EncryptionProvider
 )
 
 // Init initializes master key provider based on settings
@@ -33,10 +34,65 @@ func Init() error {
 	default:
 		return fmt.Errorf("invalid master key provider %v", setting.MasterKeyProvider)
 	}
+
+	encProvider = NewAesEncryptionProvider()
+
 	return nil
 }
 
 // GenerateMasterKey generates a new master key and returns secret or secrets for unsealing
 func GenerateMasterKey() ([][]byte, error) {
 	return masterKey.GenerateMasterKey()
 }
+
+func Encrypt(secret []byte) ([]byte, error) {
+	key, err := masterKey.GetMasterKey()
+	if err != nil {
+		return nil, err
+	}
+
+	if len(key) == 0 {
+		return secret, nil
+	}
+
+	return encProvider.Encrypt(secret, key)
+}
+
+func EncryptString(secret string) (string, error) {
+	key, err := masterKey.GetMasterKey()
+	if err != nil {
+		return "", err
+	}
+
+	if len(key) == 0 {
+		return secret, nil
+	}
+
+	return encProvider.EncryptString(secret, key)
+}
+
+func Decrypt(enc []byte) ([]byte, error) {
+	key, err := masterKey.GetMasterKey()
+	if err != nil {
+		return nil, err
+	}
+
+	if len(key) == 0 {
+		return enc, nil
+	}
+
+	return encProvider.Decrypt(enc, key)
+}
+
+func DecryptString(enc string) (string, error) {
+	key, err := masterKey.GetMasterKey()
+	if err != nil {
+		return "", err
+	}
+
+	if len(key) == 0 {
+		return enc, nil
+	}
+
+	return encProvider.DecryptString(enc, key)
+}

Original file line number	Diff line number	Diff line change
`@@ -142,10 +142,13 @@ func runGenerateMasterKey(c *cli.Context) error {`
`142`	`142`	`fmt.Printf("%s\n", base64.StdEncoding.EncodeToString(secret))`
`143`	`143`	`}`
`144`	`144`	`}`
`145`		`- fmt.Println("Setting changes required:")`
`146`		`- fmt.Println("[secrets]")`
	`145`	`+`
`147`	`146`	`if providerType == secrets.MasterKeyProviderTypePlain && len(scrts) == 1 {`
`148`		`- fmt.Printf("MASTER_KEY = %s\n", base64.StdEncoding.EncodeToString(scrts[0]))`
	`147`	`+ fmt.Printf("%s", base64.StdEncoding.EncodeToString(scrts[0]))`
	`148`	`+`
	`149`	`+ if isatty.IsTerminal(os.Stdout.Fd()) {`
	`150`	`+ fmt.Printf("\n")`
	`151`	`+ }`
`149`	`152`	`}`
`150`	`153`
`151`	`154`	`return nil`