From a90e00d74d419d6b5a8ba5940ffb6d3c09c75f52 Mon Sep 17 00:00:00 2001
From: Zipeng WU
Date: Tue, 1 Dec 2020 14:42:05 +0100
Subject: [PATCH] SSF-130 secure gitlab secrets
---
 .../org/sonar/auth/gitlab/GitLabSettings.java | 4 +-
 .../db/migration/version/v86/DbVersion86.java | 5 +-
 .../v86/SecureGitlabSecretParameters.java | 45 ++++++++++++
 .../v86/SecureGitlabSecretParametersTest.java | 71 +++++++++++++++++++
 .../schema.sql | 12 ++++
 5 files changed, 134 insertions(+), 3 deletions(-)
 create mode 100644 server/sonar-db-migration/src/main/java/org/sonar/server/platform/db/migration/version/v86/SecureGitlabSecretParameters.java
 create mode 100644 server/sonar-db-migration/src/test/java/org/sonar/server/platform/db/migration/version/v86/SecureGitlabSecretParametersTest.java
 create mode 100644 server/sonar-db-migration/src/test/resources/org/sonar/server/platform/db/migration/version/v86/SecureGitlabSecretParametersTest/schema.sql
diff --git a/server/sonar-auth-gitlab/src/main/java/org/sonar/auth/gitlab/GitLabSettings.java b/server/sonar-auth-gitlab/src/main/java/org/sonar/auth/gitlab/GitLabSettings.java
index 62d8310cff4..06ce0b8f892 100644
--- a/server/sonar-auth-gitlab/src/main/java/org/sonar/auth/gitlab/GitLabSettings.java
+++ b/server/sonar-auth-gitlab/src/main/java/org/sonar/auth/gitlab/GitLabSettings.java
@@ -33,8 +33,8 @@ public class GitLabSettings {
 static final String GITLAB_AUTH_ENABLED = "sonar.auth.gitlab.enabled";
 static final String GITLAB_AUTH_URL = "sonar.auth.gitlab.url";
- static final String GITLAB_AUTH_APPLICATION_ID = "sonar.auth.gitlab.applicationId";
- static final String GITLAB_AUTH_SECRET = "sonar.auth.gitlab.secret";
+ static final String GITLAB_AUTH_APPLICATION_ID = "sonar.auth.gitlab.applicationId.secured";
+ static final String GITLAB_AUTH_SECRET = "sonar.auth.gitlab.secret.secured";
 static final String GITLAB_AUTH_ALLOW_USERS_TO_SIGNUP = "sonar.auth.gitlab.allowUsersToSignUp";
 static final String GITLAB_AUTH_SYNC_USER_GROUPS = "sonar.auth.gitlab.groupsSync";
diff --git a/server/sonar-db-migration/src/main/java/org/sonar/server/platform/db/migration/version/v86/DbVersion86.java b/server/sonar-db-migration/src/main/java/org/sonar/server/platform/db/migration/version/v86/DbVersion86.java
index f4bd257b29a..cc594516c57 100644
--- a/server/sonar-db-migration/src/main/java/org/sonar/server/platform/db/migration/version/v86/DbVersion86.java
+++ b/server/sonar-db-migration/src/main/java/org/sonar/server/platform/db/migration/version/v86/DbVersion86.java
@@ -56,6 +56,9 @@ public class DbVersion86 implements DbVersion {
 .add(4123, "Add 'reset_password' column to 'users' table", AddResetPasswordColumnToUsers.class)
 .add(4124, "Populate 'reset_password' column with default value", PopulateResetPasswordDefaultValue.class)
- .add(4125, "Make 'reset_password' column in 'users' table not nullable", MakeResetPasswordColumnNotNull.class);
+ .add(4125, "Make 'reset_password' column in 'users' table not nullable", MakeResetPasswordColumnNotNull.class)
+
+ .add(4126, "Secure gitlab secret parameters", SecureGitlabSecretParameters.class)
+ ;
 }
 }
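Review bot: The two renamed constants in GitLabSettings carry no comment saying why the keys now end in `.secured`, so a reader cannot tell the rename from a typo; as far as I recall the suffix is what makes SonarQube hide a property's value from non-admin readers of the settings web API, and a one-line comment above the pair would make that explicit, e.g. `// ".secured" suffix hides the value from the settings web API; existing rows are renamed by the v86 migration`. The suffix does not change how the value is stored, so the comment should not suggest the secret is encrypted at rest. `GITLAB_AUTH_APPLICATION_ID` is renamed as well, which also hides the application id — it is worth confirming that is intended rather than a side effect of treating both keys alike. Everything that references these constants is outside the hunk.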
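Review bot: The new registration in DbVersion86 is split from `.add(4125, ...)` by an added empty line and leaves the terminating `;` on a line of its own, which breaks the one-call-per-line layout of the rest of the chain; keep `.add(4125, "Make 'reset_password' column in 'users' table not nullable", MakeResetPasswordColumnNotNull.class)` and follow it directly with `.add(4126, "Secure gitlab secret parameters", SecureGitlabSecretParameters.class);`. The step number 4126 is correctly the next one after 4125, but a dangling `;` invites a later contributor to append a step after it and forget the ordering. The enclosing method starts before the hunk.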
diff --git a/server/sonar-db-migration/src/main/java/org/sonar/server/platform/db/migration/version/v86/SecureGitlabSecretParameters.java b/server/sonar-db-migration/src/main/java/org/sonar/server/platform/db/migration/version/v86/SecureGitlabSecretParameters.java
new file mode 100644
index 00000000000..6a3f02d6150
--- /dev/null
+++ b/server/sonar-db-migration/src/main/java/org/sonar/server/platform/db/migration/version/v86/SecureGitlabSecretParameters.java
@@ -0,0 +1,45 @@
+/*
+ * SonarQube
+ * Copyright (C) 2009-2020 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+package org.sonar.server.platform.db.migration.version.v86;
+
+import java.sql.SQLException;
+import org.sonar.db.Database;
+import org.sonar.server.platform.db.migration.step.DataChange;
+
+public class SecureGitlabSecretParameters extends DataChange {
+
+ public SecureGitlabSecretParameters(Database db) {
+ super(db);
+ }
+
+ @Override
+ protected void execute(Context context) throws SQLException {
+ updateToSecured(context, "sonar.auth.gitlab.applicationId");
+ updateToSecured(context, "sonar.auth.gitlab.secret");
+ }
+
+ private static void updateToSecured(Context context, String property) throws SQLException {
+ context.prepareUpsert("update properties set prop_key = ? where prop_key = ?")
+ .setString(1, property + ".secured")
+ .setString(2, property)
+ .execute()
+ .commit();
+ }
+}
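Review bot: `updateToSecured` renames every row whose prop_key matches the old key without checking whether a row with the `.secured` key already exists; PROPERTIES_KEY is a plain, non-unique index in the test schema shipped with this patch, so an instance where an admin had already set `sonar.auth.gitlab.secret.secured` by hand would hold two rows for the same key after the step, and the settings code that decides which row wins is outside this patch. Narrowing the update to `where prop_key = ? and not exists (select 1 from properties where prop_key = ?)` with the `.secured` key bound to the second placeholder, or deleting the old row when the new one is present, would make the step deterministic. The update also matches rows whatever their `component_uuid` or `user_uuid`, which is presumably fine for global auth settings but deserves a sentence. The class has no Javadoc; I would add one stating that it only renames the two keys so the values become `.secured` properties, and that the stored `text_value` is left as is rather than encrypted.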
diff --git a/server/sonar-db-migration/src/test/java/org/sonar/server/platform/db/migration/version/v86/SecureGitlabSecretParametersTest.java b/server/sonar-db-migration/src/test/java/org/sonar/server/platform/db/migration/version/v86/SecureGitlabSecretParametersTest.java
new file mode 100644
index 00000000000..f33969eb1c9
--- /dev/null
+++ b/server/sonar-db-migration/src/test/java/org/sonar/server/platform/db/migration/version/v86/SecureGitlabSecretParametersTest.java
@@ -0,0 +1,71 @@
+/*
+ * SonarQube
+ * Copyright (C) 2009-2020 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+package org.sonar.server.platform.db.migration.version.v86;
+
+import java.sql.SQLException;
+import org.junit.Rule;
+import org.junit.Test;
+import org.sonar.api.utils.System2;
+import org.sonar.core.util.UuidFactory;
+import org.sonar.core.util.UuidFactoryFast;
+import org.sonar.db.CoreDbTester;
+import org.sonar.server.platform.db.migration.step.DataChange;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.tuple;
+
+public class SecureGitlabSecretParametersTest {
+
+ @Rule
+ public CoreDbTester db = CoreDbTester.createForSchema(SecureGitlabSecretParametersTest.class, "schema.sql");
+
+ private final UuidFactory uuidFactory = UuidFactoryFast.getInstance();
+
+ private final DataChange underTest = new SecureGitlabSecretParameters(db.database());
+
+ @Test
+ public void secure_gitlab_secret_parameters() throws SQLException {
+ insertGitlabProperties();
+
+ underTest.execute();
+
+ assertThat(db.select("select * from PROPERTIES"))
+ .extracting(r -> r.get("PROP_KEY"), r -> r.get("TEXT_VALUE"))
+ .containsExactlyInAnyOrder(
tuple("sonar.auth.gitlab.secret.secured", "secret secret"),
+ tuple("sonar.auth.gitlab.applicationId.secured", "secret applicationId"));
+ }
+
+ private void insertGitlabProperties() {
+ db.executeInsert("PROPERTIES",
+ "prop_key", "sonar.auth.gitlab.secret",
+ "is_empty", false,
+ "text_value", "secret secret",
+ "uuid", uuidFactory.create(),
+ "created_at", System2.INSTANCE.now());
+ db.executeInsert("PROPERTIES",
+ "prop_key", "sonar.auth.gitlab.applicationId",
+ "is_empty", false,
+ "text_value", "secret applicationId",
+ "uuid", uuidFactory.create(),
+ "created_at", System2.INSTANCE.now());
+ }
+
+}
diff --git a/server/sonar-db-migration/src/test/resources/org/sonar/server/platform/db/migration/version/v86/SecureGitlabSecretParametersTest/schema.sql b/server/sonar-db-migration/src/test/resources/org/sonar/server/platform/db/migration/version/v86/SecureGitlabSecretParametersTest/schema.sql
new file mode 100644
index 00000000000..dfe931f54d1
--- /dev/null
+++ b/server/sonar-db-migration/src/test/resources/org/sonar/server/platform/db/migration/version/v86/SecureGitlabSecretParametersTest/schema.sql
@@ -0,0 +1,12 @@
+CREATE TABLE "PROPERTIES"(
+ "PROP_KEY" VARCHAR(512) NOT NULL,
+ "IS_EMPTY" BOOLEAN NOT NULL,
+ "TEXT_VALUE" VARCHAR(4000),
+ "CLOB_VALUE" CLOB,
+ "CREATED_AT" BIGINT NOT NULL,
+ "COMPONENT_UUID" VARCHAR(40),
+ "UUID" VARCHAR(40) NOT NULL,
+ "USER_UUID" VARCHAR(255)
+);
+ALTER TABLE "PROPERTIES" ADD CONSTRAINT "PK_PROPERTIES" PRIMARY KEY("UUID");
+CREATE INDEX "PROPERTIES_KEY" ON "PROPERTIES"("PROP_KEY");
-- 2.39.5
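Review bot: The test only seeds the two gitlab rows, so it would still pass if the migration renamed or dropped unrelated properties; insert a third row in `insertGitlabProperties` under a made-up key (for example `some.other.key` with text value `untouched`) and add `tuple("some.other.key", "untouched")` to the expected tuples so the `where prop_key = ?` filter is actually exercised. A second test case seeding a pre-existing `sonar.auth.gitlab.secret.secured` row would pin what the migration does when the target key is already taken, since PROPERTIES_KEY in schema.sql is not unique and the rename can then yield duplicate keys. `select * from PROPERTIES` reads every column while the assertion only uses PROP_KEY and TEXT_VALUE; selecting just those two would state the intent more directly. The schema.sql hunk on the same line is a test fixture and needs no change.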