diff --git a/app/models/concerns/token_authenticatable_strategies/encrypted.rb b/app/models/concerns/token_authenticatable_strategies/encrypted.rb
index 672402ee4d6d342195d262b8f203ec34d9c0109e..b59396a323c7e20c6bd92a58c9e288a577246aa4 100644
--- a/app/models/concerns/token_authenticatable_strategies/encrypted.rb
+++ b/app/models/concerns/token_authenticatable_strategies/encrypted.rb
@@ -85,18 +85,12 @@ def find_by_plaintext_token(token, unscoped)
 end
 def find_by_encrypted_token(token, unscoped)
- nonce = Feature.enabled?(:dynamic_nonce_creation) ? find_hashed_iv(token) : Gitlab::CryptoHelper::AES256_GCM_IV_STATIC
+ nonce = Gitlab::CryptoHelper::AES256_GCM_IV_STATIC
 encrypted_value = Gitlab::CryptoHelper.aes256_gcm_encrypt(token, nonce: nonce)
 relation(unscoped).find_by(encrypted_field => encrypted_value)
 end
- def find_hashed_iv(token)
- token_record = TokenWithIv.find_by_plaintext_token(token)
-
- token_record&.iv || Gitlab::CryptoHelper::AES256_GCM_IV_STATIC
- end
-
 def insecure_strategy
 @insecure_strategy ||= TokenAuthenticatableStrategies::Insecure
 .new(klass, token_field, options)
diff --git a/changelogs/unreleased/322592-clean-up-a-token_with_ivs-table.yml b/changelogs/unreleased/322592-clean-up-a-token_with_ivs-table.yml
new file mode 100644
index 0000000000000000000000000000000000000000..962d42cb36db85ec8b0d77d1c69e2c5da7886e0c
--- /dev/null
+++ b/changelogs/unreleased/322592-clean-up-a-token_with_ivs-table.yml
@@ -0,0 +1,6 @@
+---
+title: Remove referencing TokenWithIv model in the codebase and dynamic nonce creation
+ feature flag
+merge_request: 55209
+author:
+type: changed
diff --git a/config/feature_flags/development/dynamic_nonce_creation.yml b/config/feature_flags/development/dynamic_nonce_creation.yml
deleted file mode 100644
index b135f28855404dd9e8383f18173cb9867a167865..0000000000000000000000000000000000000000
--- a/config/feature_flags/development/dynamic_nonce_creation.yml
+++ /dev/null
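Review bot: `find_by_encrypted_token` now builds the lookup ciphertext from `AES256_GCM_IV_STATIC` only, so a row whose `encrypted_field` was written while `dynamic_nonce_creation` was on (per-record IV kept in `TokenWithIv`) can no longer be matched by `find_by`, and the hunk does not say whether such rows exist or how they are reconciled; the same concern applies to `aes256_gcm_decrypt` in lib/gitlab/crypto_helper.rb, where a mismatched IV would presumably fail GCM authentication rather than return a value. With the static IV as the only path, the `nonce` local and the `nonce:` keyword are redundant, and the helper that already exists for this case can be called instead: `encrypted_value = Gitlab::CryptoHelper.aes256_gcm_encrypt_using_static_nonce(token)`. A comment above it would record the trade-off the code now relies on, e.g. `# Fixed IV on purpose: equality lookup needs a deterministic ciphertext, so equal tokens encrypt identically.` The enclosing class continues outside the hunk.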
@@ -1,8 +0,0 @@
----
-name: dynamic_nonce_creation
-introduced_by_url:
-rollout_issue_url:
-milestone: '13.9'
-type: development
-group: group::manage
-default_enabled: false
diff --git a/lib/gitlab/crypto_helper.rb b/lib/gitlab/crypto_helper.rb
index 4428354642d7f3de40d81cd667f408378731e28a..2b6a1c3c97613c561eea97f747d5c0919e6bca5d 100644
--- a/lib/gitlab/crypto_helper.rb
+++ b/lib/gitlab/crypto_helper.rb
@@ -23,16 +23,12 @@ def aes256_gcm_encrypt(value, nonce: nil)
 def aes256_gcm_decrypt(value)
 return unless value
- nonce = Feature.enabled?(:dynamic_nonce_creation) ? dynamic_nonce(value) : AES256_GCM_IV_STATIC
+ nonce = AES256_GCM_IV_STATIC
 encrypted_token = Base64.decode64(value)
 decrypted_token = Encryptor.decrypt(AES256_GCM_OPTIONS.merge(value: encrypted_token, iv: nonce))
 decrypted_token
 end
- def dynamic_nonce(value)
- TokenWithIv.find_nonce_by_hashed_token(value) || AES256_GCM_IV_STATIC
- end
-
 def aes256_gcm_encrypt_using_static_nonce(value)
 create_encrypted_token(value, AES256_GCM_IV_STATIC)
 end
diff --git a/spec/lib/gitlab/crypto_helper_spec.rb b/spec/lib/gitlab/crypto_helper_spec.rb
index 024564ea2134a65c1952f359d7af847cfd0455c8..199a680921b5b17d010f8e938e46db13255c8d27 100644
--- a/spec/lib/gitlab/crypto_helper_spec.rb
+++ b/spec/lib/gitlab/crypto_helper_spec.rb
@@ -32,10 +32,6 @@
 end
 describe '.aes256_gcm_decrypt' do
- before do
- stub_feature_flags(dynamic_nonce_creation: false)
- end
-
 context 'when token was encrypted using static nonce' do
 let(:encrypted) { described_class.aes256_gcm_encrypt('some-value', nonce: described_class::AES256_GCM_IV_STATIC) }
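Review bot: `aes256_gcm_decrypt` keeps a `nonce` local that is now just an alias for `AES256_GCM_IV_STATIC`, and nothing in the method states that the static IV is the only supported one. Pass `iv: AES256_GCM_IV_STATIC` directly and put the assumption above the method, e.g. `# Expects ciphertext produced under AES256_GCM_IV_STATIC; a value encrypted with any other IV is not handled here and presumably surfaces as an Encryptor error, not nil.` The `return unless value` guard remains the only nil path, and since `""` is truthy in Ruby an empty string still reaches `Base64.decode64` and `Encryptor.decrypt`; if callers can pass one, an `empty?` check or a comment saying Encryptor is expected to reject it would help. The module continues outside the hunk.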
@@ -54,50 +50,6 @@
 it 'does not save hashed token with iv value in database' do
 expect { described_class.aes256_gcm_decrypt(encrypted) }.not_to change { TokenWithIv.count }
 end
-
- context 'with feature flag switched on' do
- before do
- stub_feature_flags(dynamic_nonce_creation: true)
- end
-
- it 'correctly decrypts encrypted string' do
- decrypted = described_class.aes256_gcm_decrypt(encrypted)
-
- expect(decrypted).to eq 'some-value'
- end
- end
 end
-
- context 'when token was encrypted using random nonce' do
- let(:value) { 'random-value' }
-
- # for compatibility with tokens encrypted using dynamic nonce
- let!(:encrypted) do
- iv = create_nonce
- encrypted_token = described_class.create_encrypted_token(value, iv)
- TokenWithIv.create!(hashed_token: Digest::SHA256.digest(encrypted_token), hashed_plaintext_token: Digest::SHA256.digest(encrypted_token), iv: iv)
- encrypted_token
- end
-
- before do
- stub_feature_flags(dynamic_nonce_creation: true)
- end
-
- it 'correctly decrypts encrypted string' do
- decrypted = described_class.aes256_gcm_decrypt(encrypted)
-
- expect(decrypted).to eq value
- end
-
- it 'does not save hashed token with iv value in database' do
- expect { described_class.aes256_gcm_decrypt(encrypted) }.not_to change { TokenWithIv.count }
- end
- end
- end
-
- def create_nonce
- cipher = OpenSSL::Cipher.new('aes-256-gcm')
- cipher.encrypt # Required before '#random_iv' can be called
- cipher.random_iv # Ensures that the IV is the correct length respective to the algorithm used.
 end
 end
diff --git a/spec/models/concerns/token_authenticatable_strategies/encrypted_spec.rb b/spec/models/concerns/token_authenticatable_strategies/encrypted_spec.rb
index 1e1cd97e41047aa1eebd90df3407454d9173d125..1b75c52d742c35137b3d89e16f4ed96934cb61de 100644
--- a/spec/models/concerns/token_authenticatable_strategies/encrypted_spec.rb
+++ b/spec/models/concerns/token_authenticatable_strategies/encrypted_spec.rb
@@ -68,10 +68,6 @@
 context 'when using optional strategy' do
 let(:options) { { encrypted: :optional } }
- before do
- stub_feature_flags(dynamic_nonce_creation: false)
- end
-
 it 'returns decrypted token when an encrypted token is present' do
 allow(instance).to receive(:read_attribute)
 .with('some_field_encrypted')