This is an automated email from the ASF dual-hosted git repository.
abeizn pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/incubator-devlake.git
The following commit(s) were added to refs/heads/main by this push:
new ff51f3b76 feat: unify encKey to encryptionSecret and make .env file
readonly in… (#5365)
ff51f3b76 is described below
commit ff51f3b76b61492363e9e179b0bd370e8fbd4bd1
Author: abeizn <[email protected]>
AuthorDate: Tue Jun 6 11:13:17 2023 +0800
feat: unify encKey to encryptionSecret and make .env file readonly in…
(#5365)
* feat: unify encKey to encryptionSecret and make .env file readonly in
codebase
* fix: e2e test and ci-lint
---
.../migrationscripts/20220903_encrypt_blueprint.go | 10 ++++-----
.../migrationscripts/20220904_encrypt_pipeline.go | 8 ++++----
.../migrationscripts/20221221_encrypt_task.go | 8 ++++----
backend/core/plugin/plugin_utils.go | 24 +++++++++++-----------
backend/core/plugin/plugin_utils_test.go | 10 ++++-----
.../helpers/pluginhelper/api/connection_helper.go | 19 +++++++++--------
backend/impls/dalgorm/encdec_serializer.go | 10 ++++-----
backend/server/main.go | 17 +++------------
backend/test/helper/client.go | 18 ++++++++--------
env.example | 2 +-
10 files changed, 59 insertions(+), 67 deletions(-)
diff --git a/backend/core/models/migrationscripts/20220903_encrypt_blueprint.go
b/backend/core/models/migrationscripts/20220903_encrypt_blueprint.go
index 6f2da4e7e..187e9b8a3 100644
--- a/backend/core/models/migrationscripts/20220903_encrypt_blueprint.go
+++ b/backend/core/models/migrationscripts/20220903_encrypt_blueprint.go
@@ -36,9 +36,9 @@ type BlueprintEncryption0904 struct {
}
func (script *encryptBlueprint) Up(basicRes context.BasicRes) errors.Error {
- encKey := basicRes.GetConfig(plugin.EncodeKeyEnvStr)
- if encKey == "" {
- return errors.BadInput.New("invalid encKey")
+ encryptionSecret := basicRes.GetConfig(plugin.EncodeKeyEnvStr)
+ if encryptionSecret == "" {
+ return errors.BadInput.New("invalid encryptionSecret")
}
err := migrationhelper.TransformColumns(
basicRes,
@@ -46,11 +46,11 @@ func (script *encryptBlueprint) Up(basicRes
context.BasicRes) errors.Error {
"_devlake_blueprints",
[]string{"plan", "settings"},
func(src *BlueprintEncryption0904) (*BlueprintEncryption0904,
errors.Error) {
- plan, err := plugin.Encrypt(encKey, src.Plan)
+ plan, err := plugin.Encrypt(encryptionSecret, src.Plan)
if err != nil {
return nil, err
}
- settings, err := plugin.Encrypt(encKey, src.Settings)
+ settings, err := plugin.Encrypt(encryptionSecret,
src.Settings)
if err != nil {
return nil, err
}
diff --git a/backend/core/models/migrationscripts/20220904_encrypt_pipeline.go
b/backend/core/models/migrationscripts/20220904_encrypt_pipeline.go
index a23e3edb1..48b64aed2 100644
--- a/backend/core/models/migrationscripts/20220904_encrypt_pipeline.go
+++ b/backend/core/models/migrationscripts/20220904_encrypt_pipeline.go
@@ -35,9 +35,9 @@ type PipelineEncryption0904 struct {
}
func (script *encryptPipeline) Up(basicRes context.BasicRes) errors.Error {
- encKey := basicRes.GetConfig(plugin.EncodeKeyEnvStr)
- if encKey == "" {
- return errors.BadInput.New("invalid encKey")
+ encryptionSecret := basicRes.GetConfig(plugin.EncodeKeyEnvStr)
+ if encryptionSecret == "" {
+ return errors.BadInput.New("invalid encryptionSecret")
}
err := migrationhelper.TransformColumns(
basicRes,
@@ -45,7 +45,7 @@ func (script *encryptPipeline) Up(basicRes context.BasicRes)
errors.Error {
"_devlake_pipelines",
[]string{"plan"},
func(src *PipelineEncryption0904) (*PipelineEncryption0904,
errors.Error) {
- plan, err := plugin.Encrypt(encKey, src.Plan)
+ plan, err := plugin.Encrypt(encryptionSecret, src.Plan)
if err != nil {
return nil, err
}
diff --git a/backend/core/models/migrationscripts/20221221_encrypt_task.go
b/backend/core/models/migrationscripts/20221221_encrypt_task.go
index f1790bcc1..118ba9438 100644
--- a/backend/core/models/migrationscripts/20221221_encrypt_task.go
+++ b/backend/core/models/migrationscripts/20221221_encrypt_task.go
@@ -42,9 +42,9 @@ type dstTaskEncryption221221 struct {
}
func (script *encryptTask221221) Up(basicRes context.BasicRes) errors.Error {
- encKey := basicRes.GetConfig(plugin.EncodeKeyEnvStr)
- if encKey == "" {
- return errors.BadInput.New("invalid encKey")
+ encryptionSecret := basicRes.GetConfig(plugin.EncodeKeyEnvStr)
+ if encryptionSecret == "" {
+ return errors.BadInput.New("invalid encryptionSecret")
}
err := migrationhelper.TransformColumns(
basicRes,
@@ -52,7 +52,7 @@ func (script *encryptTask221221) Up(basicRes
context.BasicRes) errors.Error {
"_devlake_tasks",
[]string{"options"},
func(src *srcTaskEncryption221221) (*dstTaskEncryption221221,
errors.Error) {
- options, err := plugin.Encrypt(encKey,
string(src.Options))
+ options, err := plugin.Encrypt(encryptionSecret,
string(src.Options))
if err != nil {
return nil, err
}
diff --git a/backend/core/plugin/plugin_utils.go
b/backend/core/plugin/plugin_utils.go
index 02f08df4d..dd0f29ca4 100644
--- a/backend/core/plugin/plugin_utils.go
+++ b/backend/core/plugin/plugin_utils.go
@@ -29,15 +29,15 @@ import (
"github.com/apache/incubator-devlake/core/utils"
)
-const EncodeKeyEnvStr = "ENCODE_KEY"
+const EncodeKeyEnvStr = "ENCRYPTION_SECRET"
// TODO: maybe move encryption/decryption into helper?
-// AES + Base64 encryption using ENCODE_KEY in .env as key
-func Encrypt(encKey, plainText string) (string, errors.Error) {
+// AES + Base64 encryption using ENCRYPTION_SECRET in .env as key
+func Encrypt(encryptionSecret, plainText string) (string, errors.Error) {
// add suffix to the data part
inputBytes := append([]byte(plainText), 123, 110, 100, 100, 116, 102,
125)
// perform encryption
- output, err := AesEncrypt(inputBytes, []byte(encKey))
+ output, err := AesEncrypt(inputBytes, []byte(encryptionSecret))
if err != nil {
return plainText, err
}
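Review bot: The value of `EncodeKeyEnvStr` (L129) is now `"ENCRYPTION_SECRET"` while the identifier still says "EncodeKey", so every caller reads as though it were fetching the old variable; a named alias keeps the rename consistent, e.g. `const EncryptionSecretEnvStr = "ENCRYPTION_SECRET"` with `const EncodeKeyEnvStr = EncryptionSecretEnvStr // Deprecated: use EncryptionSecretEnvStr.` Separately, `Encrypt` (L134) passes an empty secret straight into `AesEncrypt`, whereas `Decrypt` in the next hunk (L154) rejects one up front; mirroring that guard, `if encryptionSecret == "" { return plainText, errors.Default.New("encryptionSecret is required") }`, gives the migrations and the serializer a clear error rather than whatever AesEncrypt does with a zero-length key, which is not visible here. The body of Encrypt continues past the hunk.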
@@ -45,12 +45,12 @@ func Encrypt(encKey, plainText string) (string,
errors.Error) {
return base64.StdEncoding.EncodeToString(output), nil
}
-// Base64 + AES decryption using ENCODE_KEY in .env as key
-func Decrypt(encKey, encryptedText string) (string, errors.Error) {
+// Base64 + AES decryption using ENCRYPTION_SECRET in .env as key
+func Decrypt(encryptionSecret, encryptedText string) (string, errors.Error) {
// when encryption key is not set
- if encKey == "" {
+ if encryptionSecret == "" {
// return error message
- return encryptedText, errors.Default.New("encKey is required")
+ return encryptedText, errors.Default.New("encryptionSecret is
required")
}
// Decode Base64
@@ -59,7 +59,7 @@ func Decrypt(encKey, encryptedText string) (string,
errors.Error) {
return encryptedText, errors.Convert(err1)
}
// perform AES decryption
- output, err2 := AesDecrypt(decodingFromBase64, []byte(encKey))
+ output, err2 := AesDecrypt(decodingFromBase64, []byte(encryptionSecret))
if err2 != nil {
return encryptedText, err2
}
@@ -75,7 +75,7 @@ func Decrypt(encKey, encryptedText string) (string,
errors.Error) {
return string(output), nil
}
}
- return "", errors.Default.New("invalid encKey")
+ return "", errors.Default.New("invalid encryptionSecret")
}
// PKCS7Padding PKCS7 padding
@@ -139,7 +139,7 @@ func AesDecrypt(crypted, key []byte) ([]byte, errors.Error)
{
return origData, nil
}
-// RandomEncKey will return a random string of length 128
-func RandomEncKey() (string, errors.Error) {
+// RandomEncryptionSecret will return a random string of length 128
+func RandomEncryptionSecret() (string, errors.Error) {
return utils.RandLetterBytes(128)
}
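Review bot: The doc comment on `RandomEncryptionSecret` (L186) only states the length, and since this commit removes the call from main.go and leaves the test helper as the only visible caller, a reader should be told the secret is no longer provisioned automatically for the server, e.g. `// RandomEncryptionSecret returns a random 128-character secret; the test helper uses it, the server itself requires ENCRYPTION_SECRET to be set.` Whether `utils.RandLetterBytes` draws from a cryptographically secure source cannot be seen in this hunk; once confirmed, the comment should say so, since the value ends up guarding stored credentials.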
diff --git a/backend/core/plugin/plugin_utils_test.go
b/backend/core/plugin/plugin_utils_test.go
index dc2c86ec9..b42a4c57b 100644
--- a/backend/core/plugin/plugin_utils_test.go
+++ b/backend/core/plugin/plugin_utils_test.go
@@ -30,13 +30,13 @@ func TestEncodeAndDecode(t *testing.T) {
var TestEncode string
var TestDecode string
- encKey, _ := RandomEncKey()
+ encryptionSecret, _ := RandomEncryptionSecret()
// encryption test
- TestEncode, err = Encrypt(encKey, TestStr)
+ TestEncode, err = Encrypt(encryptionSecret, TestStr)
assert.Empty(t, err)
// decrypt test
- TestDecode, err = Decrypt(encKey, TestEncode)
+ TestDecode, err = Decrypt(encryptionSecret, TestEncode)
assert.Empty(t, err)
// Verify decryption result
@@ -44,7 +44,7 @@ func TestEncodeAndDecode(t *testing.T) {
}
func TestEncode(t *testing.T) {
- encKey, _ := RandomEncKey()
+ encryptionSecret, _ := RandomEncryptionSecret()
type args struct {
Input string
}
@@ -61,7 +61,7 @@ func TestEncode(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
- got, err := Encrypt(encKey, tt.args.Input)
+ got, err := Encrypt(encryptionSecret, tt.args.Input)
if (err != nil) != tt.wantErr {
t.Errorf("Encode() error = %v, wantErr %v",
err, tt.wantErr)
return
diff --git a/backend/helpers/pluginhelper/api/connection_helper.go
b/backend/helpers/pluginhelper/api/connection_helper.go
index 8d7764f1c..b49f59719 100644
--- a/backend/helpers/pluginhelper/api/connection_helper.go
+++ b/backend/helpers/pluginhelper/api/connection_helper.go
@@ -18,6 +18,8 @@ limitations under the License.
package api
import (
+ "strconv"
+
"github.com/apache/incubator-devlake/core/context"
"github.com/apache/incubator-devlake/core/dal"
"github.com/apache/incubator-devlake/core/errors"
@@ -25,15 +27,14 @@ import (
"github.com/apache/incubator-devlake/core/models"
plugin "github.com/apache/incubator-devlake/core/plugin"
"github.com/go-playground/validator/v10"
- "strconv"
)
// ConnectionApiHelper is used to write the CURD of connection
type ConnectionApiHelper struct {
- encKey string
- log log.Logger
- db dal.Dal
- validator *validator.Validate
+ encryptionSecret string
+ log log.Logger
+ db dal.Dal
+ validator *validator.Validate
}
// NewConnectionHelper creates a ConnectionHelper for connection management
@@ -45,10 +46,10 @@ func NewConnectionHelper(
vld = validator.New()
}
return &ConnectionApiHelper{
- encKey: basicRes.GetConfig(plugin.EncodeKeyEnvStr),
- log: basicRes.GetLogger(),
- db: basicRes.GetDal(),
- validator: vld,
+ encryptionSecret: basicRes.GetConfig(plugin.EncodeKeyEnvStr),
+ log: basicRes.GetLogger(),
+ db: basicRes.GetDal(),
+ validator: vld,
}
}
diff --git a/backend/impls/dalgorm/encdec_serializer.go
b/backend/impls/dalgorm/encdec_serializer.go
index ca140675c..508402d34 100644
--- a/backend/impls/dalgorm/encdec_serializer.go
+++ b/backend/impls/dalgorm/encdec_serializer.go
@@ -34,7 +34,7 @@ var _ schema.SerializerInterface = (*EncDecSerializer)(nil)
// EncDecSerializer is responsible for field encryption/decryption in
Application Level
// Ref: https://gorm.io/docs/serializer.html
type EncDecSerializer struct {
- encKey string
+ encryptionSecret string
}
// Scan implements serializer interface
@@ -52,7 +52,7 @@ func (es *EncDecSerializer) Scan(ctx context.Context, field
*schema.Field, dst r
return fmt.Errorf("failed to decrypt value: %#v",
dbValue)
}
- decrypted, err := plugin.Decrypt(es.encKey, base64str)
+ decrypted, err := plugin.Decrypt(es.encryptionSecret, base64str)
if err != nil {
return err
}
@@ -81,10 +81,10 @@ func (es *EncDecSerializer) Value(ctx context.Context,
field *schema.Field, dst
default:
return nil, fmt.Errorf("failed to encrypt value: %#v",
fieldValue)
}
- return plugin.Encrypt(es.encKey, target)
+ return plugin.Encrypt(es.encryptionSecret, target)
}
// Init the encdec serializer
-func Init(encKey string) {
- schema.RegisterSerializer("encdec", &EncDecSerializer{encKey: encKey})
+func Init(encryptionSecret string) {
+ schema.RegisterSerializer("encdec", &EncDecSerializer{encryptionSecret:
encryptionSecret})
}
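Review bot: The comment on `Init` (L305) does not start with the function name as Go doc convention expects, and it does not say what the secret is used for; suggest `// Init registers the "encdec" GORM serializer, which encrypts and decrypts tagged fields with encryptionSecret.` Since `Decrypt` (plugin_utils.go, L154) rejects an empty secret only at Scan time, it is also worth stating in that comment that callers must validate the secret before calling Init, as main.go does in this commit.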
diff --git a/backend/server/main.go b/backend/server/main.go
index 89b810ac1..2630c82d8 100644
--- a/backend/server/main.go
+++ b/backend/server/main.go
@@ -19,7 +19,6 @@ package main
import (
"github.com/apache/incubator-devlake/core/config"
- "github.com/apache/incubator-devlake/core/errors"
"github.com/apache/incubator-devlake/core/plugin"
_ "github.com/apache/incubator-devlake/core/version"
"github.com/apache/incubator-devlake/server/api"
@@ -27,19 +26,9 @@ import (
func main() {
v := config.GetConfig()
- encKey := v.GetString(plugin.EncodeKeyEnvStr)
- if encKey == "" {
- var err errors.Error
- // Randomly generate a bunch of encryption keys and set them to
config
- encKey, err = plugin.RandomEncKey()
- if err != nil {
- panic(err)
- }
- v.Set(plugin.EncodeKeyEnvStr, encKey)
- err = config.WriteConfig(v)
- if err != nil {
- panic(err)
- }
+ encryptionSecret := v.GetString(plugin.EncodeKeyEnvStr)
+ if encryptionSecret == "" {
+ panic("ENCRYPTION_SECRET must be set in .env file")
}
api.CreateApiService()
}
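Review bot: The panic at L342 hardcodes the variable name that the code otherwise reads through `plugin.EncodeKeyEnvStr` (L340); `panic(plugin.EncodeKeyEnvStr + " must be set in .env file")` keeps the message in step with the constant. For upgrades the removed code (L326-L339) auto-generated `ENCODE_KEY` and wrote it to .env, so existing deployments hold data encrypted under a secret stored under the old name; refusing to start on an empty `ENCRYPTION_SECRET` is the right outcome (a silently regenerated secret would leave stored connection credentials undecryptable), but the message should tell the operator what to do, e.g. `panic(plugin.EncodeKeyEnvStr + " must be set in .env file; on upgrade copy the value of the former ENCODE_KEY so existing encrypted data stays readable")`. Logging the problem before panicking would also help, since a bare panic in main loses the hint in some supervisors' output.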
diff --git a/backend/test/helper/client.go b/backend/test/helper/client.go
index 1cb7ffce1..086970e11 100644
--- a/backend/test/helper/client.go
+++ b/backend/test/helper/client.go
@@ -23,10 +23,6 @@ import (
"encoding/json"
goerror "errors"
"fmt"
- "github.com/apache/incubator-devlake/core/dal"
- dora "github.com/apache/incubator-devlake/plugins/dora/impl"
- org "github.com/apache/incubator-devlake/plugins/org/impl"
- remotePlugin
"github.com/apache/incubator-devlake/server/services/remote/plugin"
"io"
"math"
"net/http"
@@ -36,6 +32,11 @@ import (
"testing"
"time"
+ "github.com/apache/incubator-devlake/core/dal"
+ dora "github.com/apache/incubator-devlake/plugins/dora/impl"
+ org "github.com/apache/incubator-devlake/plugins/org/impl"
+ remotePlugin
"github.com/apache/incubator-devlake/server/services/remote/plugin"
+
"github.com/apache/incubator-devlake/core/config"
corectx "github.com/apache/incubator-devlake/core/context"
"github.com/apache/incubator-devlake/core/errors"
@@ -215,15 +216,16 @@ func (d *DevlakeClient) RunPlugin(ctx context.Context,
pluginName string, plugin
func (d *DevlakeClient) configureEncryption() {
v := config.GetConfig()
- encKey := v.GetString(plugin.EncodeKeyEnvStr)
- if encKey == "" {
+ encryptionSecret := v.GetString(plugin.EncodeKeyEnvStr)
+ // only test environment should have this set
+ if encryptionSecret == "" {
var err errors.Error
// Randomly generate a bunch of encryption keys and set them to
config
- encKey, err = plugin.RandomEncKey()
+ encryptionSecret, err = plugin.RandomEncryptionSecret()
if err != nil {
panic(err)
}
- v.Set(plugin.EncodeKeyEnvStr, encKey)
+ v.Set(plugin.EncodeKeyEnvStr, encryptionSecret)
err = config.WriteConfig(v)
if err != nil {
panic(err)
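Review bot: The added comment at L381, `// only test environment should have this set`, is ambiguous: it sits on the empty check, yet the branch below generates a secret precisely when none is set, which after this commit is behaviour only the test helper has. Suggest `// unlike the server, the test helper tolerates a missing secret and generates one so the encdec serializer can run` so the comment matches the branch. This path still calls `config.WriteConfig(v)` (L393), which writes the generated value into the .env file that the commit title describes as read-only in the codebase; if that write is intended for test environments only, the same comment should say so. configureEncryption continues past the hunk.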
diff --git a/env.example b/env.example
index 6c419f41b..917126c1a 100644
--- a/env.example
+++ b/env.example
@@ -40,7 +40,7 @@ DISABLED_REMOTE_PLUGINS=
##########################
# Sensitive information encryption key
##########################
-ENCODE_KEY=
+ENCRYPTION_SECRET=
##########################
# Set if skip verify and connect with out trusted certificate when use https