author | Zipeng WU <zipeng.wu@sonarsource.com> | 2020-12-01 14:42:05 +0100 |
---|---|---|
committer | sonartech <sonartech@sonarsource.com> | 2020-12-02 20:06:58 +0000 |
commit | a90e00d74d419d6b5a8ba5940ffb6d3c09c75f52 (patch) | |
tree | 753741a87b20a9701fc80b80f78a838f7b659ecc /server/sonar-db-migration | |
parent | 1e1d218cf648b730a5da3fdec85cfb523b853304 (diff) | |
SSF-130 secure gitlab secrets
Diffstat (limited to 'server/sonar-db-migration')
4 files changed, 132 insertions, 1 deletions
diff --git a/server/sonar-db-migration/src/main/java/org/sonar/server/platform/db/migration/version/v86/DbVersion86.java b/server/sonar-db-migration/src/main/java/org/sonar/server/platform/db/migration/version/v86/DbVersion86.java
index f4bd257b29a..cc594516c57 100644
--- a/server/sonar-db-migration/src/main/java/org/sonar/server/platform/db/migration/version/v86/DbVersion86.java
+++ b/server/sonar-db-migration/src/main/java/org/sonar/server/platform/db/migration/version/v86/DbVersion86.java
@@ -56,6 +56,9 @@ public class DbVersion86 implements DbVersion {
 .add(4123, "Add 'reset_password' column to 'users' table", AddResetPasswordColumnToUsers.class)
 .add(4124, "Populate 'reset_password' column with default value", PopulateResetPasswordDefaultValue.class)
- .add(4125, "Make 'reset_password' column in 'users' table not nullable", MakeResetPasswordColumnNotNull.class);
+ .add(4125, "Make 'reset_password' column in 'users' table not nullable", MakeResetPasswordColumnNotNull.class)
+
+ .add(4126, "Secure gitlab secret parameters", SecureGitlabSecretParameters.class)
+ ;
 }
 }
diff --git a/server/sonar-db-migration/src/main/java/org/sonar/server/platform/db/migration/version/v86/SecureGitlabSecretParameters.java b/server/sonar-db-migration/src/main/java/org/sonar/server/platform/db/migration/version/v86/SecureGitlabSecretParameters.java
new file mode 100644
index 00000000000..6a3f02d6150
--- /dev/null
+++ b/server/sonar-db-migration/src/main/java/org/sonar/server/platform/db/migration/version/v86/SecureGitlabSecretParameters.java
@@ -0,0 +1,45 @@
+/*
+ * SonarQube
+ * Copyright (C) 2009-2020 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+package org.sonar.server.platform.db.migration.version.v86;
+
+import java.sql.SQLException;
+import org.sonar.db.Database;
+import org.sonar.server.platform.db.migration.step.DataChange;
+
+public class SecureGitlabSecretParameters extends DataChange {
+
+ public SecureGitlabSecretParameters(Database db) {
+ super(db);
+ }
+
+ @Override
+ protected void execute(Context context) throws SQLException {
+ updateToSecured(context, "sonar.auth.gitlab.applicationId");
+ updateToSecured(context, "sonar.auth.gitlab.secret");
+ }
+
+ private static void updateToSecured(Context context, String property) throws SQLException {
+ context.prepareUpsert("update properties set prop_key = ? where prop_key = ?")
+ .setString(1, property + ".secured")
+ .setString(2, property)
+ .execute()
+ .commit();
+ }
+}
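Review bot: `updateToSecured` only renames `prop_key`, so the stored `text_value` is carried over unchanged and a GitLab secret that was readable under the old, unsecured key remains valid after the migration; nothing in the class says this. I would add a class Javadoc along the lines of `/** Renames the GitLab authentication settings to their ".secured" keys; the values themselves are not changed, so rotate the GitLab secret if it may already have been read. */` and repeat the rotation advice in the upgrade notes. The `update` also does not look for an existing row under the `.secured` key, and the test schema added in this commit indexes `PROP_KEY` without a unique constraint, so an instance holding both keys would presumably end up with two rows for one key; worth confirming that state cannot occur or handling it explicitly.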
diff --git a/server/sonar-db-migration/src/test/java/org/sonar/server/platform/db/migration/version/v86/SecureGitlabSecretParametersTest.java b/server/sonar-db-migration/src/test/java/org/sonar/server/platform/db/migration/version/v86/SecureGitlabSecretParametersTest.java
new file mode 100644
index 00000000000..f33969eb1c9
--- /dev/null
+++ b/server/sonar-db-migration/src/test/java/org/sonar/server/platform/db/migration/version/v86/SecureGitlabSecretParametersTest.java
@@ -0,0 +1,71 @@
+/*
+ * SonarQube
+ * Copyright (C) 2009-2020 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+package org.sonar.server.platform.db.migration.version.v86;
+
+import java.sql.SQLException;
+import org.junit.Rule;
+import org.junit.Test;
+import org.sonar.api.utils.System2;
+import org.sonar.core.util.UuidFactory;
+import org.sonar.core.util.UuidFactoryFast;
+import org.sonar.db.CoreDbTester;
+import org.sonar.server.platform.db.migration.step.DataChange;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.tuple;
+
+public class SecureGitlabSecretParametersTest {
+
+ @Rule
+ public CoreDbTester db = CoreDbTester.createForSchema(SecureGitlabSecretParametersTest.class, "schema.sql");
+
+ private final UuidFactory uuidFactory = UuidFactoryFast.getInstance();
+
+ private final DataChange underTest = new SecureGitlabSecretParameters(db.database());
+
+ @Test
+ public void secure_gitlab_secret_parameters() throws SQLException {
+ insertGitlabProperties();
+
+ underTest.execute();
+
+ assertThat(db.select("select * from PROPERTIES"))
+ .extracting(r -> r.get("PROP_KEY"), r -> r.get("TEXT_VALUE"))
+ .containsExactlyInAnyOrder(
+ tuple("sonar.auth.gitlab.secret.secured", "secret secret"),
+ tuple("sonar.auth.gitlab.applicationId.secured", "secret applicationId"));
+ }
+
+ private void insertGitlabProperties() {
+ db.executeInsert("PROPERTIES",
+ "prop_key", "sonar.auth.gitlab.secret",
+ "is_empty", false,
+ "text_value", "secret secret",
+ "uuid", uuidFactory.create(),
+ "created_at", System2.INSTANCE.now());
+ db.executeInsert("PROPERTIES",
+ "prop_key", "sonar.auth.gitlab.applicationId",
+ "is_empty", false,
+ "text_value", "secret applicationId",
+ "uuid", uuidFactory.create(),
+ "created_at", System2.INSTANCE.now());
+ }
+
+}
diff --git a/server/sonar-db-migration/src/test/resources/org/sonar/server/platform/db/migration/version/v86/SecureGitlabSecretParametersTest/schema.sql b/server/sonar-db-migration/src/test/resources/org/sonar/server/platform/db/migration/version/v86/SecureGitlabSecretParametersTest/schema.sql
new file mode 100644
index 00000000000..dfe931f54d1
--- /dev/null
+++ b/server/sonar-db-migration/src/test/resources/org/sonar/server/platform/db/migration/version/v86/SecureGitlabSecretParametersTest/schema.sql
@@ -0,0 +1,12 @@
+CREATE TABLE "PROPERTIES"(
+ "PROP_KEY" VARCHAR(512) NOT NULL,
+ "IS_EMPTY" BOOLEAN NOT NULL,
+ "TEXT_VALUE" VARCHAR(4000),
+ "CLOB_VALUE" CLOB,
+ "CREATED_AT" BIGINT NOT NULL,
+ "COMPONENT_UUID" VARCHAR(40),
+ "UUID" VARCHAR(40) NOT NULL,
+ "USER_UUID" VARCHAR(255)
+);
+ALTER TABLE "PROPERTIES" ADD CONSTRAINT "PK_PROPERTIES" PRIMARY KEY("UUID");
+CREATE INDEX "PROPERTIES_KEY" ON "PROPERTIES"("PROP_KEY"); |
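Review bot: In SecureGitlabSecretParametersTest, `secure_gitlab_secret_parameters` is the only case and it covers a single run over two fresh rows, so nothing checks that a second `underTest.execute()` leaves the table as it was. A re-entrancy case is cheap here because `insertGitlabProperties()` and the tuple assertion can be reused as they are. It would also be worth inserting one unrelated property in a further case to show that the `where prop_key = ?` filter leaves other settings untouched.
```java
  @Test
  public void migration_is_reentrant() throws SQLException {
    insertGitlabProperties();

    underTest.execute();
    // a second run must find nothing left to rename
    underTest.execute();

    assertThat(db.select("select * from PROPERTIES"))
      .extracting(r -> r.get("PROP_KEY"), r -> r.get("TEXT_VALUE"))
      .containsExactlyInAnyOrder(
        tuple("sonar.auth.gitlab.secret.secured", "secret secret"),
        tuple("sonar.auth.gitlab.applicationId.secured", "secret applicationId"));
  }
```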