Rake tasks to verify encrypted data through secrets
What does this MR do?
Introduces one rake task: gitlab:doctor:secrets, which scans all columns across all models that use attr_encrypted or our TokenAuthenticatable class and verifies if they can be decrypted, respectively "fixes" them (re-encrypts if the token is still available, or clears the value if not).
/cc @stanhu @nick.thomas @dblessing @dstanley @lbot @ashmckenzie for thoughts based on the discussion in #20069 (closed)
Possible discussions:
- Should we also have specific data (or at least a --debug or some parameter that would show it) like IDs for bad values? Later edit: this was added through a VERBOSE flag consistent with other rake tasks.
- I've also considered Stan's thought about HA/Geo setups:
  Perhaps we need to do something similar where the first node stores a known encrypted value into a column, and all nodes should be able to decrypt it.
  As a first iteration, I think this should replace the scripts we're currently using in Support that are getting outdated (due to new/different columns with encrypted values).
  For HA/Geo I'd say we can add a new task that does exactly the above, store a key in Redis with ~1 hour or so expiration time if it doesn't exist, and then if it exists, attempt to decrypt it - so the rake task can be run on all nodes in an HA/Geo setup, the first of them setting the key initially - if that makes sense I can create a new issue.
Does this MR meet the acceptance criteria?
Conformity
- Changelog entry
- Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content
Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Tested in all supported browsers
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team
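
The HA/Geo check proposed in the second discussion point, sketched as an added example that is not part of this MR or of GitLab's code: the first node seeds a known encrypted value with an expiry and every node then tries to decrypt it. The in-memory `ExpiringStore` stands in for Redis, and the key name, sample plaintext, SHA-256 key derivation and AES-256-GCM cipher are assumptions made for the illustration.

```ruby
require 'openssl'
# Constructed in-memory stand-in for Redis SET with NX and EX semantics.
class ExpiringStore
  def initialize
    @data = {}
  end
  def set_if_absent(key, value, ttl:, now: Time.now)
    return false if get(key, now: now)
    @data[key] = { value: value, expires_at: now + ttl }
    true
  end
  def get(key, now: Time.now)
    entry = @data[key]
    entry[:value] if entry && entry[:expires_at] > now
  end
end

CANARY_KEY = 'doctor:secrets:canary' # hypothetical key name
CANARY_PLAINTEXT = 'known-value'     # constructed sample value
CANARY_TTL = 3600                    # "~1 hour or so", in seconds

def canary_cipher(mode, secret, iv)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').public_send(mode)
  cipher.key = OpenSSL::Digest::SHA256.digest(secret) # toy key derivation (assumption)
  cipher.iv = iv
  cipher.auth_data = ''
  cipher
end

def encrypt_canary(secret)
  iv = OpenSSL::Random.random_bytes(12)
  cipher = canary_cipher(:encrypt, secret, iv)
  ciphertext = cipher.update(CANARY_PLAINTEXT) + cipher.final
  [iv + cipher.auth_tag + ciphertext].pack('m0') # base64(iv | tag | ciphertext)
end

def decrypt_canary(secret, blob)
  raw = blob.unpack1('m0')
  cipher = canary_cipher(:decrypt, secret, raw[0, 12])
  cipher.auth_tag = raw[12, 16]
  cipher.update(raw[28..]) + cipher.final # raises CipherError on a key mismatch
end

# Run on every node: the first call seeds the canary, every call verifies it.
def check_node(store, secret, now: Time.now)
  seeded = store.set_if_absent(CANARY_KEY, encrypt_canary(secret), ttl: CANARY_TTL, now: now)
  { seeded: seeded, ok: decrypt_canary(secret, store.get(CANARY_KEY, now: now)) == CANARY_PLAINTEXT }
rescue OpenSSL::Cipher::CipherError
  { seeded: false, ok: false }
end
```

A node that runs after the canary has expired seeds a fresh one with its own key and reports `ok`, so the check only compares nodes that run within the same expiry window.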