mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2026-05-12 22:10:25 +00:00
67df538958
Currently `DeriveKey` is called every time that a secret must be encoded/decoded. Since this function is deterministic, its result can be cached to allow a 250x speedup (the original took less than half a microsecond, so this more of a micro-optimization...). ``` go test -bench=. goos: linux goarch: amd64 pkg: forgejo.org/modules/keying cpu: Intel(R) Core(TM) Ultra 5 125H BenchmarkExpandPRK-18 2071627 564.2 ns/op BenchmarkExpandPRKOnce-18 541438192 2.206 ns/op PASS ok forgejo.org/modules/keying 2.369s ``` ## Other changes - Since the keys can be constructed once, it simplifies a bit the callsites (`keying.TOTP.Encrypt(...)` instead of `keying.DeriveKey(keying.ContextTOTP).Encrypt(...)`) - All `Encrypt`/`Decrypt` calls will panic forever if called before `Init` has been called (current it panics as long as `Init` has not been called) - Calling `Init` twice with different keys will trigger a panic (currently racy) - Calling `Decrypt` with a short ciphertext does not panic anymore (like when calling with long-enough garbage) Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10114 Reviewed-by: Gusted <gusted@noreply.codeberg.org> Co-authored-by: oliverpool <git@olivier.pfad.fr> Co-committed-by: oliverpool <git@olivier.pfad.fr>
52 lines
1.5 KiB
Go
52 lines
1.5 KiB
Go
// Copyright 2025 The Forgejo Authors. All rights reserved.
|
|
// SPDX-License-Identifier: GPL-3.0-or-later
|
|
|
|
package forgejo_migrations_legacy
|
|
|
|
import (
|
|
"testing"
|
|
|
|
migration_tests "forgejo.org/models/gitea_migrations/test"
|
|
"forgejo.org/models/secret"
|
|
"forgejo.org/modules/keying"
|
|
"forgejo.org/modules/timeutil"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func Test_MigrateActionSecretToKeying(t *testing.T) {
|
|
type Secret struct {
|
|
ID int64
|
|
OwnerID int64 `xorm:"INDEX UNIQUE(owner_repo_name) NOT NULL"`
|
|
RepoID int64 `xorm:"INDEX UNIQUE(owner_repo_name) NOT NULL DEFAULT 0"`
|
|
Name string `xorm:"UNIQUE(owner_repo_name) NOT NULL"`
|
|
Data string `xorm:"LONGTEXT"` // encrypted data
|
|
CreatedUnix timeutil.TimeStamp `xorm:"created NOT NULL"`
|
|
}
|
|
|
|
// Prepare and load the testing database
|
|
x, deferable := migration_tests.PrepareTestEnv(t, 0, new(Secret))
|
|
defer deferable()
|
|
if x == nil || t.Failed() {
|
|
return
|
|
}
|
|
|
|
cnt, err := x.Table("secret").Count()
|
|
require.NoError(t, err)
|
|
assert.EqualValues(t, 2, cnt)
|
|
|
|
require.NoError(t, MigrateActionSecretsToKeying(x))
|
|
|
|
cnt, err = x.Table("secret").Count()
|
|
require.NoError(t, err)
|
|
assert.EqualValues(t, 1, cnt)
|
|
|
|
var secret secret.Secret
|
|
_, err = x.Table("secret").ID(1).Get(&secret)
|
|
require.NoError(t, err)
|
|
|
|
secretBytes, err := keying.ActionSecret.Decrypt(secret.Data, keying.ColumnAndID("data", secret.ID))
|
|
require.NoError(t, err)
|
|
assert.Equal(t, []byte("A deep dark secret"), secretBytes)
|
|
}
|