jojo/models/forgejo_migrations/v14a_migrate_task_secrets_test.go

// Copyright 2025 The Forgejo Authors. All rights reserved.
// SPDX-License-Identifier: GPL-3.0-or-later

package forgejo_migrations

import (
	"encoding/base64"
	"testing"

	migration_tests "forgejo.org/models/gitea_migrations/test"
	"forgejo.org/modules/json"
	"forgejo.org/modules/keying"
	"forgejo.org/modules/migration"
	"forgejo.org/modules/structs"
	"forgejo.org/modules/timeutil"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

func Test_MigrateTaskSecretsToKeying(t *testing.T) {
	type Task struct {
		ID             int64
		DoerID         int64 `xorm:"index"`
		OwnerID        int64 `xorm:"index"`
		RepoID         int64 `xorm:"index"`
		Type           structs.TaskType
		Status         structs.TaskStatus `xorm:"index"`
		StartTime      timeutil.TimeStamp
		EndTime        timeutil.TimeStamp
		PayloadContent string             `xorm:"TEXT"`
		Message        string             `xorm:"TEXT"`
		Created        timeutil.TimeStamp `xorm:"created"`
	}

	// Prepare and load the testing database
	x, deferable := migration_tests.PrepareTestEnv(t, 0, new(Task))
	defer deferable()
	if x == nil || t.Failed() {
		return
	}

	cnt, err := x.Table("task").Count()
	require.NoError(t, err)
	assert.EqualValues(t, 3, cnt)

	require.NoError(t, migrateTaskSecrets(x))

	cnt, err = x.Table("task").Count()
	require.NoError(t, err)
	assert.EqualValues(t, 1, cnt)

	var task Task
	_, err = x.Table("task").ID(1).Get(&task)
	require.NoError(t, err)

	var opts migration.MigrateOptions
	require.NoError(t, json.Unmarshal([]byte(task.PayloadContent), &opts))
	key := keying.MigrateTask

	encryptedCloneAddr, err := base64.RawStdEncoding.DecodeString(opts.CloneAddrEncrypted)
	require.NoError(t, err)
	cloneAddr, err := key.Decrypt(encryptedCloneAddr, keying.ColumnAndJSONSelectorAndID("payload_content", "clone_addr_encrypted", task.ID))
	require.NoError(t, err)
	assert.Equal(t, "https://admin:password@example.com", string(cloneAddr))

	encryptedAuthPassword, err := base64.RawStdEncoding.DecodeString(opts.AuthPasswordEncrypted)
	require.NoError(t, err)
	authPassword, err := key.Decrypt(encryptedAuthPassword, keying.ColumnAndJSONSelectorAndID("payload_content", "auth_password_encrypted", task.ID))
	require.NoError(t, err)
	assert.Equal(t, "password", string(authPassword))

	encryptedAuthToken, err := base64.RawStdEncoding.DecodeString(opts.AuthTokenEncrypted)
	require.NoError(t, err)
	authToken, err := key.Decrypt(encryptedAuthToken, keying.ColumnAndJSONSelectorAndID("payload_content", "auth_token_encrypted", task.ID))
	require.NoError(t, err)
	assert.Equal(t, "token", string(authToken))
}
feat: use `keying` for task secrets (#9923) - Follow up of forgejo/forgejo!5041, forgejo/forgejo!6074, forgejo/forgejo!8692 - The `task` table contains three secrets: clone address (with credentials), auth password and auth token. These secrets are stored for migrating repositories (also the only usage of this table, although it allows for more usages). - Use `keying` to safely store these secrets and bound them to the table, column, row id and JSON field name. - The migration isn't spectacular but does closely follow what we learned in the previous two migrations: use a transaction and delete records when you can't decrypt them. We also learned about `db.Iterate` not being happy when updating records but it has since been fixed. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9923 Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org> Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org> Co-authored-by: Gusted <postmaster@gusted.xyz> Co-committed-by: Gusted <postmaster@gusted.xyz> 2025-11-03 13:42:32 +01:00			`// Copyright 2025 The Forgejo Authors. All rights reserved.`
			`// SPDX-License-Identifier: GPL-3.0-or-later`

			`package forgejo_migrations`

			`import (`
			`"encoding/base64"`
			`"testing"`

			`migration_tests "forgejo.org/models/gitea_migrations/test"`
			`"forgejo.org/modules/json"`
			`"forgejo.org/modules/keying"`
			`"forgejo.org/modules/migration"`
			`"forgejo.org/modules/structs"`
			`"forgejo.org/modules/timeutil"`

			`"github.com/stretchr/testify/assert"`
			`"github.com/stretchr/testify/require"`
			`)`

			`func Test_MigrateTaskSecretsToKeying(t *testing.T) {`
			`type Task struct {`
			`ID int64`
			DoerID int64 `xorm:"index"`
			OwnerID int64 `xorm:"index"`
			RepoID int64 `xorm:"index"`
			`Type structs.TaskType`
			Status structs.TaskStatus `xorm:"index"`
			`StartTime timeutil.TimeStamp`
			`EndTime timeutil.TimeStamp`
			PayloadContent string `xorm:"TEXT"`
			Message string `xorm:"TEXT"`
			Created timeutil.TimeStamp `xorm:"created"`
			`}`

			`// Prepare and load the testing database`
			`x, deferable := migration_tests.PrepareTestEnv(t, 0, new(Task))`
			`defer deferable()`
			`if x == nil \|\| t.Failed() {`
			`return`
			`}`

			`cnt, err := x.Table("task").Count()`
			`require.NoError(t, err)`
			`assert.EqualValues(t, 3, cnt)`

			`require.NoError(t, migrateTaskSecrets(x))`

			`cnt, err = x.Table("task").Count()`
			`require.NoError(t, err)`
			`assert.EqualValues(t, 1, cnt)`

			`var task Task`
			`_, err = x.Table("task").ID(1).Get(&task)`
			`require.NoError(t, err)`

			`var opts migration.MigrateOptions`
			`require.NoError(t, json.Unmarshal([]byte(task.PayloadContent), &opts))`
feat: cache derived keys for faster keying (#10114) Currently `DeriveKey` is called every time that a secret must be encoded/decoded. Since this function is deterministic, its result can be cached to allow a 250x speedup (the original took less than half a microsecond, so this more of a micro-optimization...). ``` go test -bench=. goos: linux goarch: amd64 pkg: forgejo.org/modules/keying cpu: Intel(R) Core(TM) Ultra 5 125H BenchmarkExpandPRK-18 2071627 564.2 ns/op BenchmarkExpandPRKOnce-18 541438192 2.206 ns/op PASS ok forgejo.org/modules/keying 2.369s ``` ## Other changes - Since the keys can be constructed once, it simplifies a bit the callsites (`keying.TOTP.Encrypt(...)` instead of `keying.DeriveKey(keying.ContextTOTP).Encrypt(...)`) - All `Encrypt`/`Decrypt` calls will panic forever if called before `Init` has been called (current it panics as long as `Init` has not been called) - Calling `Init` twice with different keys will trigger a panic (currently racy) - Calling `Decrypt` with a short ciphertext does not panic anymore (like when calling with long-enough garbage) Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10114 Reviewed-by: Gusted <gusted@noreply.codeberg.org> Co-authored-by: oliverpool <git@olivier.pfad.fr> Co-committed-by: oliverpool <git@olivier.pfad.fr> 2025-11-16 14:29:14 +01:00			`key := keying.MigrateTask`
feat: use `keying` for task secrets (#9923) - Follow up of forgejo/forgejo!5041, forgejo/forgejo!6074, forgejo/forgejo!8692 - The `task` table contains three secrets: clone address (with credentials), auth password and auth token. These secrets are stored for migrating repositories (also the only usage of this table, although it allows for more usages). - Use `keying` to safely store these secrets and bound them to the table, column, row id and JSON field name. - The migration isn't spectacular but does closely follow what we learned in the previous two migrations: use a transaction and delete records when you can't decrypt them. We also learned about `db.Iterate` not being happy when updating records but it has since been fixed. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9923 Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org> Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org> Co-authored-by: Gusted <postmaster@gusted.xyz> Co-committed-by: Gusted <postmaster@gusted.xyz> 2025-11-03 13:42:32 +01:00
			`encryptedCloneAddr, err := base64.RawStdEncoding.DecodeString(opts.CloneAddrEncrypted)`
			`require.NoError(t, err)`
			`cloneAddr, err := key.Decrypt(encryptedCloneAddr, keying.ColumnAndJSONSelectorAndID("payload_content", "clone_addr_encrypted", task.ID))`
			`require.NoError(t, err)`
			`assert.Equal(t, "https://admin:password@example.com", string(cloneAddr))`

			`encryptedAuthPassword, err := base64.RawStdEncoding.DecodeString(opts.AuthPasswordEncrypted)`
			`require.NoError(t, err)`
			`authPassword, err := key.Decrypt(encryptedAuthPassword, keying.ColumnAndJSONSelectorAndID("payload_content", "auth_password_encrypted", task.ID))`
			`require.NoError(t, err)`
			`assert.Equal(t, "password", string(authPassword))`

			`encryptedAuthToken, err := base64.RawStdEncoding.DecodeString(opts.AuthTokenEncrypted)`
			`require.NoError(t, err)`
			`authToken, err := key.Decrypt(encryptedAuthToken, keying.ColumnAndJSONSelectorAndID("payload_content", "auth_token_encrypted", task.ID))`
			`require.NoError(t, err)`
			`assert.Equal(t, "token", string(authToken))`
			`}`