Add encryption and decryption to external service DB functions

sourcegraph · Jul 29, 2020 · 907182e · 907182e
1 parent 57815ab
commit 907182e
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 10 deletions.
diff --git a/internal/db/external_services.go b/internal/db/external_services.go
@@ -19,6 +19,7 @@ import (
 	"github.com/sourcegraph/sourcegraph/internal/db/dbutil"
 	"github.com/sourcegraph/sourcegraph/internal/extsvc"
 	"github.com/sourcegraph/sourcegraph/internal/jsonc"
+	intSecrets "github.com/sourcegraph/sourcegraph/internal/secrets"
 	"github.com/sourcegraph/sourcegraph/schema"
 	"github.com/xeipuuv/gojsonschema"
 )
@@ -280,10 +281,15 @@ func (e *ExternalServicesStore) Create(ctx context.Context, confGet func() *conf
 	externalService.CreatedAt = time.Now().UTC().Truncate(time.Microsecond)
 	externalService.UpdatedAt = externalService.CreatedAt
 
+	svcConfig, err := intSecrets.CryptObject.DecryptIfPossible(externalService.Config)
+	if err != nil {
+		return err
+	}
+
 	return dbconn.Global.QueryRowContext(
 		ctx,
 		"INSERT INTO external_services(kind, display_name, config, created_at, updated_at) VALUES($1, $2, $3, $4, $5) RETURNING id",
-		externalService.Kind, externalService.DisplayName, externalService.Config, externalService.CreatedAt, externalService.UpdatedAt,
+		externalService.Kind, externalService.DisplayName, svcConfig, externalService.CreatedAt, externalService.UpdatedAt,
 	).Scan(&externalService.ID)
 }
 
@@ -311,6 +317,12 @@ func (e *ExternalServicesStore) Update(ctx context.Context, ps []schema.AuthProv
 		if err := e.ValidateConfig(ctx, id, externalService.Kind, *update.Config, ps); err != nil {
 			return err
 		}
+
+		cfg, err := intSecrets.CryptObject.EncryptIfPossible(*update.Config)
+		if err != nil {
+			return err
+		}
+		update.Config = &cfg
 	}
 
 	execUpdate := func(ctx context.Context, tx *sql.Tx, update *sqlf.Query) error {
@@ -568,6 +580,11 @@ func (*ExternalServicesStore) list(ctx context.Context, conds []*sqlf.Query, lim
 		if err := rows.Scan(&h.ID, &h.Kind, &h.DisplayName, &h.Config, &h.CreatedAt, &h.UpdatedAt); err != nil {
 			return nil, err
 		}
+		h.Config, err = intSecrets.CryptObject.DecryptIfPossible(h.Config)
+		if err != nil {
+			return nil, err
+		}
+
 		results = append(results, &h)
 	}
 	if err = rows.Err(); err != nil {

diff --git a/internal/secrets/init.go b/internal/secrets/init.go
@@ -9,15 +9,22 @@ import (
 )
 
 var CryptObject Encrypter
+var isEncrypted bool
 
 const (
 	// #nosec G101
 	sourcegraphSecretfileEnvvar = "SOURCEGRAPH_SECRET_FILE"
 	sourcegraphCryptEnvvar      = "SOURCEGRAPH_CRYPT_KEY"
 )
 
+func ConfiguredToEncrypt() bool {
+	return isEncrypted
+}
+
 func init() {
-	cryptKey, cryptOK := os.LookupEnv(sourcegraphCryptEnvvar)
+	isEncrypted = false
+
+	envCryptKey, cryptOK := os.LookupEnv(sourcegraphCryptEnvvar)
 	var encryptionKey []byte
 
 	// set the default location if none exists
@@ -33,20 +40,23 @@ func init() {
 	if err == nil {
 		contents, readErr := ioutil.ReadFile(secretFile)
 		if readErr != nil {
-			panic(fmt.Sprintf("Couldn't read file %s", sourcegraphSecretfileEnvvar))
+			panic(fmt.Sprintf("couldn't read file %s", sourcegraphSecretfileEnvvar))
 		}
 		if len(contents) < validKeyLength {
-			panic(fmt.Sprintf("Key length of %d characters is required.", validKeyLength))
+			panic(fmt.Sprintf("key length of %d characters is required.", validKeyLength))
+		}
+		encryptionKey = contents
+		err = os.Chmod(secretFile, 0400)
+		if err != nil {
+			panic("failed to make secrets file read only.")
 		}
-		encryptionKey = []byte(contents)
 		CryptObject.EncryptionKey = encryptionKey
 		return
 	}
 
 	// environment is second order
 	if cryptOK {
-		encryptionKey = []byte(cryptKey)
-		CryptObject.EncryptionKey = encryptionKey
+		CryptObject.EncryptionKey = []byte(envCryptKey)
 		return
 	}
 
@@ -55,7 +65,7 @@ func init() {
 	if conf.IsDeployTypeSingleDockerContainer(deployType) {
 		b, err := GenerateRandomAESKey()
 		if err != nil {
-			panic(fmt.Sprintf("Unable to read from random source: %v", err))
+			panic(fmt.Sprintf("unable to read from random source: %v", err))
 		}
 		err = ioutil.WriteFile(secretFile, b, 0600)
 		if err != nil {
@@ -64,9 +74,9 @@ func init() {
 
 		err = os.Chmod(secretFile, 0400)
 		if err != nil {
-			panic("Failed to secure secrets file.")
+			panic("failed to make secrets file read only.")
 		}
-		encryptionKey = b
+		CryptObject.EncryptionKey = b
 	}
 
 	// wrapping in deploytype check so that we can still compile and test locally
@@ -77,4 +87,5 @@ func init() {
 			sourcegraphSecretfileEnvvar))
 	}
 
+	isEncrypted = true
 }