mirrors/forgejo
1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2025-10-31 06:21:11 +00:00
Code Issues Projects Releases Packages Wiki Activity
forgejo/models/forgejo_migrations/v39_test.go
Gusted 13e48ead92 feat: migrate action secrets to keying to store them more securely (#8692) 
- Use the keying module, that was introduced in forgejo/forgejo#5041, to store action secrets safely and securely in the database.
- Introduce a central function that sets the secret, `SetSecret` and let the caller do the update call. This is similar to how the twofactor (TOTP) models does it. Ref. https://codeberg.org/forgejo/forgejo/pulls/6074
- Add a relaxed migration, that is run inside a transaction. If it cannot decrypt a action secret, then it's deleted.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8692
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
2025-07-29 01:03:36 +02:00

52 lines
1.5 KiB
Go
Raw Blame History

// Copyright 2025 The Forgejo Authors. All rights reserved.
// SPDX-License-Identifier: GPL-3.0-or-later
package forgejo_migrations
import (
"testing"
migration_tests "forgejo.org/models/migrations/test"
"forgejo.org/models/secret"
"forgejo.org/modules/keying"
"forgejo.org/modules/timeutil"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func Test_MigrateActionSecretToKeying(t *testing.T) {
type Secret struct {
ID int64
OwnerID int64 `xorm:"INDEX UNIQUE(owner_repo_name) NOT NULL"`
RepoID int64 `xorm:"INDEX UNIQUE(owner_repo_name) NOT NULL DEFAULT 0"`
Name string `xorm:"UNIQUE(owner_repo_name) NOT NULL"`
Data string `xorm:"LONGTEXT"` // encrypted data
CreatedUnix timeutil.TimeStamp `xorm:"created NOT NULL"`
}
// Prepare and load the testing database
x, deferable := migration_tests.PrepareTestEnv(t, 0, new(Secret))
defer deferable()
if x == nil || t.Failed() {
return
}
cnt, err := x.Table("secret").Count()
require.NoError(t, err)
assert.EqualValues(t, 2, cnt)
require.NoError(t, MigrateActionSecretsToKeying(x))
cnt, err = x.Table("secret").Count()
require.NoError(t, err)
assert.EqualValues(t, 1, cnt)
var secret secret.Secret
_, err = x.Table("secret").ID(1).Get(&secret)
require.NoError(t, err)
secretBytes, err := keying.DeriveKey(keying.ContextActionSecret).Decrypt(secret.Data, keying.ColumnAndID("data", secret.ID))
require.NoError(t, err)
assert.Equal(t, []byte("A deep dark secret"), secretBytes)
}
Reference in a new issue View git blame Copy permalink