SSF-130 secure gitlab secrets
authorZipeng WU <zipeng.wu@sonarsource.com>
Tue, 1 Dec 2020 13:42:05 +0000 (14:42 +0100)
committersonartech <sonartech@sonarsource.com>
Wed, 2 Dec 2020 20:06:58 +0000 (20:06 +0000)
server/sonar-auth-gitlab/src/main/java/org/sonar/auth/gitlab/GitLabSettings.java
server/sonar-db-migration/src/main/java/org/sonar/server/platform/db/migration/version/v86/DbVersion86.java
server/sonar-db-migration/src/main/java/org/sonar/server/platform/db/migration/version/v86/SecureGitlabSecretParameters.java [new file with mode: 0644]
server/sonar-db-migration/src/test/java/org/sonar/server/platform/db/migration/version/v86/SecureGitlabSecretParametersTest.java [new file with mode: 0644]
server/sonar-db-migration/src/test/resources/org/sonar/server/platform/db/migration/version/v86/SecureGitlabSecretParametersTest/schema.sql [new file with mode: 0644]

index 62d8310cff487f58fa5af0d878dcfde3d88147c3..06ce0b8f892c1a8e8df9edf8030250d0eeaf831f 100644 (file)
@@ -33,8 +33,8 @@ public class GitLabSettings {
 
   static final String GITLAB_AUTH_ENABLED = "sonar.auth.gitlab.enabled";
   static final String GITLAB_AUTH_URL = "sonar.auth.gitlab.url";
-  static final String GITLAB_AUTH_APPLICATION_ID = "sonar.auth.gitlab.applicationId";
-  static final String GITLAB_AUTH_SECRET = "sonar.auth.gitlab.secret";
+  static final String GITLAB_AUTH_APPLICATION_ID = "sonar.auth.gitlab.applicationId.secured";
+  static final String GITLAB_AUTH_SECRET = "sonar.auth.gitlab.secret.secured";
   static final String GITLAB_AUTH_ALLOW_USERS_TO_SIGNUP = "sonar.auth.gitlab.allowUsersToSignUp";
   static final String GITLAB_AUTH_SYNC_USER_GROUPS = "sonar.auth.gitlab.groupsSync";
 
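Review bot: The two renamed constants carry no comment explaining why only these keys end in `.secured` while the neighbouring GitLab keys do not, nor that existing rows are moved by a migration; above the `GITLAB_AUTH_APPLICATION_ID` line I would add `// ".secured" keys are withheld from the settings web services; rows saved under the old keys are renamed by DbVersion86 step 4126`. Note that the migration only changes the key: the `text_value` stored for these rows is untouched, so a secret that was readable under the old key before the upgrade is not made any less exposed by this change and is better rotated than relied upon. If these values could also be supplied under the old key outside the database (for example in `sonar.properties`), they would silently stop being read after this rename; I cannot see that path from this hunk. The `GitLabSettings` class starts and ends outside the hunk.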
index f4bd257b29a4aee24694821a64cea597d9a03623..cc594516c573ad7225d03a9cb9ab38039de327cf 100644 (file)
@@ -56,6 +56,9 @@ public class DbVersion86 implements DbVersion {
 
       .add(4123, "Add 'reset_password' column to 'users' table", AddResetPasswordColumnToUsers.class)
       .add(4124, "Populate 'reset_password' column with default value", PopulateResetPasswordDefaultValue.class)
-      .add(4125, "Make 'reset_password' column in 'users' table not nullable", MakeResetPasswordColumnNotNull.class);
+      .add(4125, "Make 'reset_password' column in 'users' table not nullable", MakeResetPasswordColumnNotNull.class)
+
+      .add(4126, "Secure gitlab secret parameters", SecureGitlabSecretParameters.class)
+    ;
   }
 }
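Review bot: The new step is appended with a blank line and a lone `;` on its own line, which breaks the chained `.add(...)` layout used by the steps just above it; fold it into `.add(4125, "Make 'reset_password' column in 'users' table not nullable", MakeResetPasswordColumnNotNull.class)` followed by `.add(4126, "Secure gitlab secret parameters", SecureGitlabSecretParameters.class);` with no blank line between them. Whether 4126 is the next free number in this version's sequence cannot be confirmed from the hunk, as the method begins outside it.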
diff --git a/server/sonar-db-migration/src/main/java/org/sonar/server/platform/db/migration/version/v86/SecureGitlabSecretParameters.java b/server/sonar-db-migration/src/main/java/org/sonar/server/platform/db/migration/version/v86/SecureGitlabSecretParameters.java
new file mode 100644 (file)
index 0000000..6a3f02d
--- /dev/null
@@ -0,0 +1,45 @@
+/*
+ * SonarQube
+ * Copyright (C) 2009-2020 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.server.platform.db.migration.version.v86;
+
+import java.sql.SQLException;
+import org.sonar.db.Database;
+import org.sonar.server.platform.db.migration.step.DataChange;
+
+public class SecureGitlabSecretParameters extends DataChange {
+
+  public SecureGitlabSecretParameters(Database db) {
+    super(db);
+  }
+
+  @Override
+  protected void execute(Context context) throws SQLException {
+    updateToSecured(context, "sonar.auth.gitlab.applicationId");
+    updateToSecured(context, "sonar.auth.gitlab.secret");
+  }
+
+  private static void updateToSecured(Context context, String property) throws SQLException {
+    context.prepareUpsert("update properties set prop_key = ? where prop_key = ?")
+      .setString(1, property + ".secured")
+      .setString(2, property)
+      .execute()
+      .commit();
+  }
+}
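Review bot: `updateToSecured` renames every row whose `prop_key` matches without first checking that a row under the `.secured` key does not already exist, so a re-run of the step, or an instance where the new key was saved before the upgrade, ends with two PROPERTIES rows for the same key; the test schema's primary key is on UUID, not PROP_KEY, so nothing in the table prevents this. A `prepareSelect` on the new key ahead of the update, skipping the rename when a row comes back, would keep the step idempotent; which of two duplicate rows the settings loader would then pick I cannot tell from here. The update also matches rows regardless of `component_uuid`/`user_uuid`, presumably intended since these are global settings, but worth stating. A class Javadoc such as `Renames the GitLab applicationId/secret property keys to their ".secured" variants; only the key is rewritten, the stored text_value is left as is.` would make the scope of the migration clear to the next reader.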
diff --git a/server/sonar-db-migration/src/test/java/org/sonar/server/platform/db/migration/version/v86/SecureGitlabSecretParametersTest.java b/server/sonar-db-migration/src/test/java/org/sonar/server/platform/db/migration/version/v86/SecureGitlabSecretParametersTest.java
new file mode 100644 (file)
index 0000000..f33969e
--- /dev/null
@@ -0,0 +1,71 @@
+/*
+ * SonarQube
+ * Copyright (C) 2009-2020 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.server.platform.db.migration.version.v86;
+
+import java.sql.SQLException;
+import org.junit.Rule;
+import org.junit.Test;
+import org.sonar.api.utils.System2;
+import org.sonar.core.util.UuidFactory;
+import org.sonar.core.util.UuidFactoryFast;
+import org.sonar.db.CoreDbTester;
+import org.sonar.server.platform.db.migration.step.DataChange;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.tuple;
+
+public class SecureGitlabSecretParametersTest {
+
+  @Rule
+  public CoreDbTester db = CoreDbTester.createForSchema(SecureGitlabSecretParametersTest.class, "schema.sql");
+
+  private final UuidFactory uuidFactory = UuidFactoryFast.getInstance();
+
+  private final DataChange underTest = new SecureGitlabSecretParameters(db.database());
+
+  @Test
+  public void secure_gitlab_secret_parameters() throws SQLException {
+    insertGitlabProperties();
+
+    underTest.execute();
+
+    assertThat(db.select("select * from PROPERTIES"))
+      .extracting(r -> r.get("PROP_KEY"), r -> r.get("TEXT_VALUE"))
+      .containsExactlyInAnyOrder(
+        tuple("sonar.auth.gitlab.secret.secured", "secret secret"),
+        tuple("sonar.auth.gitlab.applicationId.secured", "secret applicationId"));
+  }
+
+  private void insertGitlabProperties() {
+    db.executeInsert("PROPERTIES",
+      "prop_key", "sonar.auth.gitlab.secret",
+      "is_empty", false,
+      "text_value", "secret secret",
+      "uuid", uuidFactory.create(),
+      "created_at", System2.INSTANCE.now());
+    db.executeInsert("PROPERTIES",
+      "prop_key", "sonar.auth.gitlab.applicationId",
+      "is_empty", false,
+      "text_value", "secret applicationId",
+      "uuid", uuidFactory.create(),
+      "created_at", System2.INSTANCE.now());
+  }
+
+}
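Review bot: The test seeds only the two rows that get renamed, so it cannot show that unrelated properties are left untouched or that the step tolerates being run twice, which is what a data migration is most likely to get wrong. Inserting a third row with an unrelated key such as `sonar.other.property` in `insertGitlabProperties` and including it unchanged in the `containsExactlyInAnyOrder` expectation, plus a second test that calls `underTest.execute()` twice and still expects exactly two GitLab rows, would cover both. The `select * from PROPERTIES` assertion otherwise looks sufficient for the rename itself.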
diff --git a/server/sonar-db-migration/src/test/resources/org/sonar/server/platform/db/migration/version/v86/SecureGitlabSecretParametersTest/schema.sql b/server/sonar-db-migration/src/test/resources/org/sonar/server/platform/db/migration/version/v86/SecureGitlabSecretParametersTest/schema.sql
new file mode 100644 (file)
index 0000000..dfe931f
--- /dev/null
@@ -0,0 +1,12 @@
+CREATE TABLE "PROPERTIES"(
+    "PROP_KEY" VARCHAR(512) NOT NULL,
+    "IS_EMPTY" BOOLEAN NOT NULL,
+    "TEXT_VALUE" VARCHAR(4000),
+    "CLOB_VALUE" CLOB,
+    "CREATED_AT" BIGINT NOT NULL,
+    "COMPONENT_UUID" VARCHAR(40),
+    "UUID" VARCHAR(40) NOT NULL,
+    "USER_UUID" VARCHAR(255)
+);
+ALTER TABLE "PROPERTIES" ADD CONSTRAINT "PK_PROPERTIES" PRIMARY KEY("UUID");
+CREATE INDEX "PROPERTIES_KEY" ON "PROPERTIES"("PROP_KEY");