peezy-tech/jojo
2
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2026-05-12 22:10:25 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
jojo/models/forgejo_migrations/v14a_migrate_task_secrets_test.go
oliverpool 67df538958 feat: cache derived keys for faster keying (#10114) 
Currently `DeriveKey` is called every time that a secret must be encoded/decoded. Since this function is deterministic, its result can be cached to allow a 250x speedup (the original took less than half a microsecond, so this more of a micro-optimization...).

```
go test -bench=.
goos: linux
goarch: amd64
pkg: forgejo.org/modules/keying
cpu: Intel(R) Core(TM) Ultra 5 125H
BenchmarkExpandPRK-18            2071627               564.2 ns/op
BenchmarkExpandPRKOnce-18       541438192                2.206 ns/op
PASS
ok      forgejo.org/modules/keying      2.369s
```

## Other changes

- Since the keys can be constructed once, it simplifies a bit the callsites (`keying.TOTP.Encrypt(...)` instead of `keying.DeriveKey(keying.ContextTOTP).Encrypt(...)`)
- All `Encrypt`/`Decrypt` calls will panic forever if called before `Init` has been called (current it panics as long as `Init` has not been called)
- Calling `Init` twice with different keys will trigger a panic (currently racy)
- Calling `Decrypt` with a short ciphertext does not panic anymore (like when calling with long-enough garbage)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10114
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: oliverpool <git@olivier.pfad.fr>
Co-committed-by: oliverpool <git@olivier.pfad.fr>
2025-11-16 14:29:14 +01:00

78 lines
2.6 KiB
Go
Raw Blame History

// Copyright 2025 The Forgejo Authors. All rights reserved.
// SPDX-License-Identifier: GPL-3.0-or-later
package forgejo_migrations
import (
"encoding/base64"
"testing"
migration_tests "forgejo.org/models/gitea_migrations/test"
"forgejo.org/modules/json"
"forgejo.org/modules/keying"
"forgejo.org/modules/migration"
"forgejo.org/modules/structs"
"forgejo.org/modules/timeutil"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func Test_MigrateTaskSecretsToKeying(t *testing.T) {
type Task struct {
ID int64
DoerID int64 `xorm:"index"`
OwnerID int64 `xorm:"index"`
RepoID int64 `xorm:"index"`
Type structs.TaskType
Status structs.TaskStatus `xorm:"index"`
StartTime timeutil.TimeStamp
EndTime timeutil.TimeStamp
PayloadContent string `xorm:"TEXT"`
Message string `xorm:"TEXT"`
Created timeutil.TimeStamp `xorm:"created"`
}
// Prepare and load the testing database
x, deferable := migration_tests.PrepareTestEnv(t, 0, new(Task))
defer deferable()
if x == nil || t.Failed() {
return
}
cnt, err := x.Table("task").Count()
require.NoError(t, err)
assert.EqualValues(t, 3, cnt)
require.NoError(t, migrateTaskSecrets(x))
cnt, err = x.Table("task").Count()
require.NoError(t, err)
assert.EqualValues(t, 1, cnt)
var task Task
_, err = x.Table("task").ID(1).Get(&task)
require.NoError(t, err)
var opts migration.MigrateOptions
require.NoError(t, json.Unmarshal([]byte(task.PayloadContent), &opts))
key := keying.MigrateTask
encryptedCloneAddr, err := base64.RawStdEncoding.DecodeString(opts.CloneAddrEncrypted)
require.NoError(t, err)
cloneAddr, err := key.Decrypt(encryptedCloneAddr, keying.ColumnAndJSONSelectorAndID("payload_content", "clone_addr_encrypted", task.ID))
require.NoError(t, err)
assert.Equal(t, "https://admin:password@example.com", string(cloneAddr))
encryptedAuthPassword, err := base64.RawStdEncoding.DecodeString(opts.AuthPasswordEncrypted)
require.NoError(t, err)
authPassword, err := key.Decrypt(encryptedAuthPassword, keying.ColumnAndJSONSelectorAndID("payload_content", "auth_password_encrypted", task.ID))
require.NoError(t, err)
assert.Equal(t, "password", string(authPassword))
encryptedAuthToken, err := base64.RawStdEncoding.DecodeString(opts.AuthTokenEncrypted)
require.NoError(t, err)
authToken, err := key.Decrypt(encryptedAuthToken, keying.ColumnAndJSONSelectorAndID("payload_content", "auth_token_encrypted", task.ID))
require.NoError(t, err)
assert.Equal(t, "token", string(authToken))
}
Reference in a new issue View git blame Copy permalink