Create migration for token-iv pair

And new model

Add index to new table

Add saving token with iv

Add changelog entry

Add new column to new table

WIP

Change method to look for iv

Fix rubocop offences

Fix some rubocop offences

Fix more specs

Fix migration file and spec

Fix specs in migrations

WiP on specs

Add specs for model

WIP

Add spec for new method behauviour

Fix rubocop offences

Add cr remarks

Fix migration file

Add cr remark

Simplify one method

Add option for read only db

Add cr remarks

Add cr remarks

Add cr remarks

app/models/concerns/token_authenticatable_strategies/encrypted.rb

@@ -85,10 +85,17 @@ module TokenAuthenticatableStrategies
     end
 
     def find_by_encrypted_token(token, unscoped)
-      encrypted_value = Gitlab::CryptoHelper.aes256_gcm_encrypt(token)
+      encrypted_value = Gitlab::CryptoHelper.aes256_gcm_encrypt(token, nonce: find_hashed_iv(token) || Gitlab::CryptoHelper::AES256_GCM_IV_STATIC)
+
       relation(unscoped).find_by(encrypted_field => encrypted_value)
     end
 
+    def find_hashed_iv(token)
+      token_record = TokenWithIv.find_by_plaintext_token(token)
+
+      token_record&.iv
+    end
+
     def insecure_strategy
       @insecure_strategy ||= TokenAuthenticatableStrategies::Insecure
         .new(klass, token_field, options)

app/models/token_with_iv.rb

+# frozen_string_literal: true
+
+# rubocop: todo Gitlab/NamespacedClass
+class TokenWithIv < ApplicationRecord
+  validates :hashed_token, presence: true
+  validates :iv, presence: true
+  validates :hashed_plaintext_token, presence: true
+
+  def self.find_by_hashed_token(value)
+    find_by(hashed_token: ::Digest::SHA256.digest(value))
+  end
+
+  def self.find_by_plaintext_token(value)
+    find_by(hashed_plaintext_token: ::Digest::SHA256.digest(value))
+  end
+end

changelogs/unreleased/security-299-crypto-helper.yml

+---
+title: Fix AES-GCM issues in lib/gitlab/crypto_helper.rb
+merge_request:
+author:
+type: security

db/migrate/20201120144823_create_tokens_with_iv.rb

+# frozen_string_literal: true
+
+class CreateTokensWithIv < ActiveRecord::Migration[6.0]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  def change
+    create_table :token_with_ivs do |t|
+      t.binary :hashed_token, null: false
+      t.binary :hashed_plaintext_token, null: false
+      t.binary :iv, null: false
+
+      t.index :hashed_token, name: 'index_token_with_ivs_on_hashed_token', unique: true, using: :btree
+      t.index :hashed_plaintext_token, name: 'index_token_with_ivs_on_hashed_plaintext_token', unique: true, using: :btree
+    end
+  end
+end

db/post_migrate/20190606175050_encrypt_feature_flags_clients_tokens.rb

@@ -10,7 +10,7 @@ class EncryptFeatureFlagsClientsTokens < ActiveRecord::Migration[5.1]
   def up
     say_with_time("Encrypting tokens from operations_feature_flags_clients") do
       FeatureFlagsClient.where('token_encrypted is NULL AND token IS NOT NULL').find_each do |feature_flags_client|
-        token_encrypted = Gitlab::CryptoHelper.aes256_gcm_encrypt(feature_flags_client.token)
+        token_encrypted = Gitlab::CryptoHelper.aes256_gcm_encrypt(feature_flags_client.token, nonce: Gitlab::CryptoHelper::AES256_GCM_IV_STATIC)
         feature_flags_client.update!(token_encrypted: token_encrypted)
       end
     end

db/post_migrate/20190711201818_encrypt_deploy_tokens_tokens.rb

@@ -10,7 +10,7 @@ class EncryptDeployTokensTokens < ActiveRecord::Migration[5.1]
   def up
     say_with_time("Encrypting tokens from deploy_tokens") do
       DeploymentTokens.where('token_encrypted is NULL AND token IS NOT NULL').find_each(batch_size: 10000) do |deploy_token|
-        token_encrypted = Gitlab::CryptoHelper.aes256_gcm_encrypt(deploy_token.token)
+        token_encrypted = Gitlab::CryptoHelper.aes256_gcm_encrypt(deploy_token.token, nonce: Gitlab::CryptoHelper::AES256_GCM_IV_STATIC)
         deploy_token.update!(token_encrypted: token_encrypted)
       end
     end

db/schema_migrations/20201120144823

+dde424c434c78e22087123fa30eec75c07268a9079fea44339915747aae235e0
\ No newline at end of file

db/structure.sql

@@ -17372,6 +17372,22 @@ CREATE SEQUENCE todos_id_seq
 
 ALTER SEQUENCE todos_id_seq OWNED BY todos.id;
 
+CREATE TABLE token_with_ivs (
+    id bigint NOT NULL,
+    hashed_token bytea NOT NULL,
+    hashed_plaintext_token bytea NOT NULL,
+    iv bytea NOT NULL
+);
+
+CREATE SEQUENCE token_with_ivs_id_seq
+    START WITH 1
+    INCREMENT BY 1
+    NO MINVALUE
+    NO MAXVALUE
+    CACHE 1;
+
+ALTER SEQUENCE token_with_ivs_id_seq OWNED BY token_with_ivs.id;
+
 CREATE TABLE trending_projects (
     id integer NOT NULL,
     project_id integer NOT NULL
@@ -19087,6 +19103,8 @@ ALTER TABLE ONLY timelogs ALTER COLUMN id SET DEFAULT nextval('timelogs_id_seq':
 
 ALTER TABLE ONLY todos ALTER COLUMN id SET DEFAULT nextval('todos_id_seq'::regclass);
 
+ALTER TABLE ONLY token_with_ivs ALTER COLUMN id SET DEFAULT nextval('token_with_ivs_id_seq'::regclass);
+
 ALTER TABLE ONLY trending_projects ALTER COLUMN id SET DEFAULT nextval('trending_projects_id_seq'::regclass);
 
 ALTER TABLE ONLY u2f_registrations ALTER COLUMN id SET DEFAULT nextval('u2f_registrations_id_seq'::regclass);
@@ -20606,6 +20624,9 @@ ALTER TABLE ONLY timelogs
 ALTER TABLE ONLY todos
     ADD CONSTRAINT todos_pkey PRIMARY KEY (id);
 
+ALTER TABLE ONLY token_with_ivs
+    ADD CONSTRAINT token_with_ivs_pkey PRIMARY KEY (id);
+
 ALTER TABLE ONLY trending_projects
     ADD CONSTRAINT trending_projects_pkey PRIMARY KEY (id);
 
@@ -23124,6 +23145,10 @@ CREATE INDEX index_todos_on_user_id_and_id_done ON todos USING btree (user_id, i
 
 CREATE INDEX index_todos_on_user_id_and_id_pending ON todos USING btree (user_id, id) WHERE ((state)::text = 'pending'::text);
 
+CREATE UNIQUE INDEX index_token_with_ivs_on_hashed_plaintext_token ON token_with_ivs USING btree (hashed_plaintext_token);
+
+CREATE UNIQUE INDEX index_token_with_ivs_on_hashed_token ON token_with_ivs USING btree (hashed_token);
+
 CREATE UNIQUE INDEX index_trending_projects_on_project_id ON trending_projects USING btree (project_id);
 
 CREATE INDEX index_u2f_registrations_on_key_handle ON u2f_registrations USING btree (key_handle);

ee/spec/features/read_only_spec.rb

@@ -23,7 +23,7 @@ RSpec.describe 'Geo read-only message', :geo do
 
   context 'when in maintenance mode' do
     before do
-      stub_application_setting(maintenance_mode: true)
+      stub_maintenance_mode_setting(true)
     end
 
     it_behaves_like 'Read-only instance', /This GitLab instance is undergoing maintenance and is operating in read\-only mode./

ee/spec/helpers/application_helper_spec.rb

@@ -22,7 +22,7 @@ RSpec.describe ApplicationHelper do
       context 'maintenance mode' do
         context 'enabled' do
           before do
-            stub_application_setting(maintenance_mode: true)
+            stub_maintenance_mode_setting(true)
           end
 
           it 'returns default message' do
@@ -48,7 +48,7 @@ RSpec.describe ApplicationHelper do
 
         context 'disabled' do
           it 'returns nil' do
-            stub_application_setting(maintenance_mode: false)
+            stub_maintenance_mode_setting(false)
 
             expect(helper.read_only_message).to be_nil
           end
@@ -60,7 +60,7 @@ RSpec.describe ApplicationHelper do
       context 'maintenance mode on' do
         it 'returns messages for both' do
           expect(Gitlab::Geo).to receive(:secondary?).twice { true }
-          stub_application_setting(maintenance_mode: true)
+          stub_maintenance_mode_setting(true)
 
           expect(helper.read_only_message).to match(/you must visit the primary site/)
           expect(helper.read_only_message).to match(/#{default_maintenance_mode_message}/)

ee/spec/lib/ee/gitlab/crypto_helper_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::CryptoHelper do
+  include ::EE::GeoHelpers
+
+  describe '.read_only?' do
+    context 'with Geo enabled' do
+      before do
+        allow(Gitlab::Geo).to receive(:enabled?) { true }
+        allow(Gitlab::Geo).to receive(:current_node) { geo_node }
+      end
+
+      context 'is Geo secondary node' do
+        let(:geo_node) { create(:geo_node) }
+
+        it 'returns true' do
+          expect(described_class.read_only?).to be_truthy
+        end
+      end
+
+      context 'is Geo primary node' do
+        let(:geo_node) { create(:geo_node, :primary) }
+
+        it 'returns false when is Geo primary node' do
+          expect(described_class.read_only?).to be_falsey
+        end
+      end
+    end
+  end
+end

ee/spec/lib/ee/gitlab/database_spec.rb

@@ -37,7 +37,7 @@ RSpec.describe Gitlab::Database do
 
     context 'in maintenance mode' do
       before do
-        stub_application_setting(maintenance_mode: true)
+        stub_maintenance_mode_setting(true)
       end
 
       it 'returns true' do

ee/spec/lib/ee/gitlab/middleware/read_only_spec.rb

@@ -5,7 +5,7 @@ require 'spec_helper'
 RSpec.describe Gitlab::Middleware::ReadOnly do
   context 'when maintenance mode is on' do
     before do
-      stub_application_setting(maintenance_mode: true)
+      stub_maintenance_mode_setting(true)
     end
 
     it_behaves_like 'write access for a read-only GitLab (EE) instance in maintenance mode'
@@ -13,7 +13,7 @@ RSpec.describe Gitlab::Middleware::ReadOnly do
 
   context 'when maintenance mode is not on' do
     before do
-      stub_application_setting(maintenance_mode: false)
+      stub_maintenance_mode_setting(false)
     end
 
     it_behaves_like 'write access for a read-only GitLab (EE) instance'

ee/spec/lib/gitlab/git_access_spec.rb

@@ -758,7 +758,7 @@ RSpec.describe Gitlab::GitAccess do
 
     context 'when maintenance mode is enabled' do
       before do
-        stub_application_setting(maintenance_mode: true)
+        stub_maintenance_mode_setting(true)
       end
 
       it 'blocks git push' do
@@ -770,7 +770,7 @@ RSpec.describe Gitlab::GitAccess do
 
     context 'when maintenance mode is disabled' do
       before do
-        stub_application_setting(maintenance_mode: false)
+        stub_maintenance_mode_setting(false)
       end
 
       it 'allows git push' do

ee/spec/migrations/nullify_feature_flag_plaintext_tokens_spec.rb

@@ -12,8 +12,8 @@ RSpec.describe NullifyFeatureFlagPlaintextTokens do
   let!(:project1) { projects.create!(namespace_id: namespace.id, name: 'Project 1') }
   let!(:project2) { projects.create!(namespace_id: namespace.id, name: 'Project 2') }
 
-  let(:secret1_encrypted) { Gitlab::CryptoHelper.aes256_gcm_encrypt('secret1') }
-  let(:secret2_encrypted) { Gitlab::CryptoHelper.aes256_gcm_encrypt('secret2') }
+  let(:secret1_encrypted) { Gitlab::CryptoHelper.aes256_gcm_encrypt('secret1', nonce: Gitlab::CryptoHelper::AES256_GCM_IV_STATIC) }
+  let(:secret2_encrypted) { Gitlab::CryptoHelper.aes256_gcm_encrypt('secret2', nonce: Gitlab::CryptoHelper::AES256_GCM_IV_STATIC) }
 
   before do
     feature_flags_clients.create!(token: 'secret1', token_encrypted: secret1_encrypted, project_id: project1.id)

ee/spec/requests/api/internal/base_spec.rb

@@ -248,7 +248,7 @@ RSpec.describe API::Internal::Base do
       let_it_be(:project) { create(:project, :repository) }
 
       before do
-        stub_application_setting(maintenance_mode: true)
+        stub_maintenance_mode_setting(true)
 
         project.add_developer(user)
       end

ee/spec/services/ee/auth/container_registry_authentication_service_spec.rb

@@ -19,7 +19,7 @@ RSpec.describe Auth::ContainerRegistryAuthenticationService do
     end
 
     before do
-      stub_application_setting(maintenance_mode: true)
+      stub_maintenance_mode_setting(true)
       project.add_developer(current_user)
     end
 

ee/spec/support/shared_examples/lib/gitlab/middleware/maintenance_mode_gitlab_ee_instance_shared_examples.rb

@@ -7,7 +7,7 @@ RSpec.shared_examples 'write access for a read-only GitLab (EE) instance in main
   include_context 'with a mocked GitLab instance'
 
   before do
-    stub_application_setting(maintenance_mode: true)
+    stub_maintenance_mode_setting(true)
   end
 
   context 'normal requests to a read-only GitLab instance' do

lib/gitlab.rb

@@ -118,6 +118,7 @@ module Gitlab
 
   def self.maintenance_mode?
     return false unless ::Feature.enabled?(:maintenance_mode)
+    return false unless ::Gitlab::CurrentSettings.current_application_settings?
 
     ::Gitlab::CurrentSettings.maintenance_mode
   end

lib/gitlab/crypto_helper.rb

@@ -6,25 +6,74 @@ module Gitlab
 
     AES256_GCM_OPTIONS = {
       algorithm: 'aes-256-gcm',
-      key: Settings.attr_encrypted_db_key_base_32,
-      iv: Settings.attr_encrypted_db_key_base_12
+      key: Settings.attr_encrypted_db_key_base_32
     }.freeze
 
+    AES256_GCM_IV_STATIC = Settings.attr_encrypted_db_key_base_12
+
     def sha256(value)
       salt = Settings.attr_encrypted_db_key_base_truncated
       ::Digest::SHA256.base64digest("#{value}#{salt}")
     end
 
-    def aes256_gcm_encrypt(value)
-      encrypted_token = Encryptor.encrypt(AES256_GCM_OPTIONS.merge(value: value))
-      Base64.strict_encode64(encrypted_token)
+    def aes256_gcm_encrypt(value, nonce: nil)
+      return aes256_gcm_encrypt_for_non_read_db(value) if read_only?
+
+      found_nonce = nonce || find_nonce_by_token(value)
+      iv = found_nonce || create_nonce
+
+      encrypted_token = create_encrypted_token(value, iv)
+      save_token_with_nonce!(encrypted_token, value, iv) unless found_nonce
+      encrypted_token
     end
 
     def aes256_gcm_decrypt(value)
       return unless value
 
+      nonce = find_nonce_by_hashed_token(value)
       encrypted_token = Base64.decode64(value)
-      Encryptor.decrypt(AES256_GCM_OPTIONS.merge(value: encrypted_token))
+      decrypted_token = Encryptor.decrypt(AES256_GCM_OPTIONS.merge(value: encrypted_token, iv: nonce || AES256_GCM_IV_STATIC))
+      aes256_gcm_encrypt(value) unless nonce
+      decrypted_token
+    end
+
+    def read_only?
+      Gitlab::Database.read_only?
+    end
+
+    def aes256_gcm_encrypt_for_non_read_db(value)
+      create_encrypted_token(value, AES256_GCM_IV_STATIC)
+    end
+
+    def create_encrypted_token(value, iv)
+      encrypted_token = Encryptor.encrypt(AES256_GCM_OPTIONS.merge(value: value, iv: iv))
+      Base64.strict_encode64(encrypted_token)
+    end
+
+    def save_token_with_nonce!(encrypted_token, plaintext_token, nonce)
+      return unless TokenWithIv.table_exists?
+
+      TokenWithIv.create!(hashed_token: Digest::SHA256.digest(encrypted_token), hashed_plaintext_token: Digest::SHA256.digest(plaintext_token), iv: nonce)
+    end
+
+    def create_nonce
+      cipher = OpenSSL::Cipher.new('aes-256-gcm')
+      cipher.encrypt # Required before '#random_iv' can be called
+      cipher.random_iv # Ensures that the IV is the correct length respective to the algorithm used.
+    end
+
+    def find_nonce_by_hashed_token(value)
+      return unless TokenWithIv.table_exists?
+
+      token_record = TokenWithIv.find_by_hashed_token(value)
+      token_record&.iv
+    end
+
+    def find_nonce_by_token(value)
+      return unless TokenWithIv.table_exists?
+
+      token_record = TokenWithIv.find_by_plaintext_token(value)
+      token_record&.iv
     end
   end
 end

lib/gitlab/current_settings.rb

@@ -7,6 +7,10 @@ module Gitlab
         Gitlab::SafeRequestStore.fetch(:current_application_settings) { ensure_application_settings! }
       end
 
+      def current_application_settings?
+        Gitlab::SafeRequestStore.exist?(:current_application_settings) || ::ApplicationSetting.current.present?
+      end
+
       def expire_current_application_settings
         ::ApplicationSetting.expire
         Gitlab::SafeRequestStore.delete(:current_application_settings)

spec/controllers/admin/runners_controller_spec.rb

@@ -27,7 +27,8 @@ RSpec.describe Admin::RunnersController do
 
       # There is still an N+1 query for `runner.builds.count`
       # We also need to add 1 because it takes 2 queries to preload tags
-      expect { get :index }.not_to exceed_query_limit(control_count + 6)
+      # also looking for token nonce requires database queries
+      expect { get :index }.not_to exceed_query_limit(control_count + 16)
 
       expect(response).to have_gitlab_http_status(:ok)
       expect(response.body).to have_content('tag1')

spec/factories/token_with_ivs.rb

+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :token_with_iv do
+    hashed_token { ::Digest::SHA256.digest(SecureRandom.hex(50)) }
+    iv { ::Digest::SHA256.digest(SecureRandom.hex(50)) }
+    hashed_plaintext_token { ::Digest::SHA256.digest(SecureRandom.hex(50)) }
+  end
+end

spec/lib/gitlab/crypto_helper_spec.rb

@@ -19,21 +19,83 @@ RSpec.describe Gitlab::CryptoHelper do
       expect(encrypted).to match %r{\A[A-Za-z0-9+/=]+\z}
       expect(encrypted).not_to include "\n"
     end
+
+    it 'saves hashed token with iv value in database' do
+      expect { described_class.aes256_gcm_encrypt('some-value') }.to change { TokenWithIv.count }.by(1)
+    end
+
+    it 'saves hashed token in database' do
+      encrypted_token = described_class.aes256_gcm_encrypt('some-value')
+
+      expect(TokenWithIv.last.hashed_token).to eq(Digest::SHA256.digest(encrypted_token))
+    end
+
+    it 'saves digested plaintext token in database' do
+      described_class.aes256_gcm_encrypt('some-value')
+
+      expect(TokenWithIv.last.hashed_plaintext_token).to eq(Digest::SHA256.digest('some-value'))
+    end
+
+    context 'when we are encrypting the same token for a second time' do
+      before do
+        described_class.aes256_gcm_encrypt('some-value')
+      end
+
+      it 'does not save digested plaintext token in database' do
+        expect { described_class.aes256_gcm_encrypt('some-value') }.not_to change { TokenWithIv.count }
+      end
+    end
+
+    context 'when read only is true' do
+      before do
+        allow(described_class).to receive(:read_only?).and_return(true)
+      end
+
+      it 'does not save tokens in database' do
+        expect { described_class.aes256_gcm_encrypt('some-value') }.not_to change { TokenWithIv.count }
+      end
+
+      it 'encrypts using static iv' do
+        expect(Encryptor).to receive(:encrypt).with(described_class::AES256_GCM_OPTIONS.merge(value: 'some-value', iv: described_class::AES256_GCM_IV_STATIC)).and_return('hashed_value')
+
+        described_class.aes256_gcm_encrypt('some-value')
+      end
+    end
   end
 
   describe '.aes256_gcm_decrypt' do
-    let(:encrypted) { described_class.aes256_gcm_encrypt('some-value') }
+    context 'when token was encrypted using static nonce' do
+      let(:encrypted) { described_class.aes256_gcm_encrypt('some-value', nonce: described_class::AES256_GCM_IV_STATIC) }
 
-    it 'correctly decrypts encrypted string' do
-      decrypted = described_class.aes256_gcm_decrypt(encrypted)
+      it 'correctly decrypts encrypted string' do
+        decrypted = described_class.aes256_gcm_decrypt(encrypted)
 
-      expect(decrypted).to eq 'some-value'
+        expect(decrypted).to eq 'some-value'
+      end
+
+      it 'decrypts a value when it ends with a new line character' do
+        decrypted = described_class.aes256_gcm_decrypt(encrypted + "\n")
+
+        expect(decrypted).to eq 'some-value'
+      end
+
+      it 'saves hashed token with iv value in database' do
+        expect { described_class.aes256_gcm_decrypt(encrypted) }.to change { TokenWithIv.count }.by(1)
+      end
     end
 
-    it 'decrypts a value when it ends with a new line character' do
-      decrypted = described_class.aes256_gcm_decrypt(encrypted + "\n")
+    context 'when token was encrypted using random nonce' do
+      let!(:encrypted) { described_class.aes256_gcm_encrypt('some-value') }
+
+      it 'correctly decrypts encrypted string' do
+        decrypted = described_class.aes256_gcm_decrypt(encrypted)
+
+        expect(decrypted).to eq 'some-value'
+      end
 
-      expect(decrypted).to eq 'some-value'
+      it 'does not save hashed token with iv value in database' do
+        expect { described_class.aes256_gcm_decrypt(encrypted) }.not_to change { TokenWithIv.count }
+      end
     end
   end
 end

spec/lib/gitlab/current_settings_spec.rb

@@ -194,4 +194,32 @@ RSpec.describe Gitlab::CurrentSettings do
       end
     end
   end
+
+  describe '#current_application_settings?', :use_clean_rails_memory_store_caching do
+    before do
+      allow(Gitlab::CurrentSettings).to receive(:current_application_settings?).and_call_original
+    end
+
+    it 'returns true when settings exist' do
+      create(:application_setting,
+        home_page_url: 'http://mydomain.com',
+        signup_enabled: false)
+
+      expect(described_class.current_application_settings?).to eq(true)
+    end
+
+    it 'returns false when settings do not exist' do
+      expect(described_class.current_application_settings?).to eq(false)
+    end
+
+    context 'with cache', :request_store do
+      include_context 'with settings in cache'
+
+      it 'returns an in-memory ApplicationSetting object' do
+        expect(ApplicationSetting).not_to receive(:current)
+
+        expect(described_class.current_application_settings?).to eq(true)
+      end
+    end
+  end
 end

spec/lib/gitlab_spec.rb

@@ -332,13 +332,13 @@ RSpec.describe Gitlab do
 
   describe '.maintenance_mode?' do
     it 'returns true when maintenance mode is enabled' do
-      stub_application_setting(maintenance_mode: true)
+      stub_maintenance_mode_setting(true)
 
       expect(described_class.maintenance_mode?).to eq(true)
     end
 
     it 'returns false when maintenance mode is disabled' do
-      stub_application_setting(maintenance_mode: false)
+      stub_maintenance_mode_setting(false)
 
       expect(described_class.maintenance_mode?).to eq(false)
     end

spec/migrations/encrypt_feature_flags_clients_tokens_spec.rb

@@ -8,7 +8,7 @@ RSpec.describe EncryptFeatureFlagsClientsTokens do
   let(:feature_flags_clients) { table(:operations_feature_flags_clients) }
   let(:projects) { table(:projects) }
   let(:plaintext) { "secret-token" }
-  let(:ciphertext) { Gitlab::CryptoHelper.aes256_gcm_encrypt(plaintext) }
+  let(:ciphertext) { Gitlab::CryptoHelper.aes256_gcm_encrypt(plaintext, nonce: Gitlab::CryptoHelper::AES256_GCM_IV_STATIC) }
 
   describe '#up' do
     it 'keeps plaintext token the same and populates token_encrypted if not present' do

spec/models/active_session_spec.rb

@@ -358,7 +358,7 @@ RSpec.describe ActiveSession, :clean_gitlab_redis_shared_state do
       it 'calls .destroy_sessions' do
         expect(ActiveSession).to(
           receive(:destroy_sessions)
-            .with(anything, user, [active_session.public_id, rack_session.public_id, rack_session.private_id]))
+            .with(anything, user, [encrypted_active_session_id, rack_session.public_id, rack_session.private_id]))
 
         subject
       end

spec/models/concerns/token_authenticatable_spec.rb

@@ -53,8 +53,9 @@ RSpec.describe ApplicationSetting, 'TokenAuthenticatable' do
 
         it 'persists new token as an encrypted string' do
           expect(subject).to eq settings.reload.runners_registration_token
+          nonce = TokenWithIv.find_by_hashed_token(settings.read_attribute('runners_registration_token_encrypted')).iv
           expect(settings.read_attribute('runners_registration_token_encrypted'))
-            .to eq Gitlab::CryptoHelper.aes256_gcm_encrypt(subject)
+            .to eq Gitlab::CryptoHelper.aes256_gcm_encrypt(subject, nonce: nonce)
           expect(settings).to be_persisted
         end
 
@@ -243,7 +244,8 @@ RSpec.describe Ci::Build, 'TokenAuthenticatable' do
         it 'persists new token as an encrypted string' do
           build.ensure_token!
 
-          encrypted = Gitlab::CryptoHelper.aes256_gcm_encrypt(build.token)
+          nonce = TokenWithIv.find_by_hashed_token(build.token_encrypted).iv
+          encrypted = Gitlab::CryptoHelper.aes256_gcm_encrypt(build.token, nonce: nonce)
 
           expect(build.read_attribute('token_encrypted')).to eq encrypted
         end

spec/models/concerns/token_authenticatable_strategies/encrypted_spec.rb

@@ -124,7 +124,7 @@ RSpec.describe TokenAuthenticatableStrategies::Encrypted do
 
       it 'writes encrypted token and removes plaintext token and returns it' do
         expect(instance).to receive(:[]=)
-          .with('some_field_encrypted', encrypted)
+          .with('some_field_encrypted', any_args)
         expect(instance).to receive(:[]=)
           .with('some_field', nil)
 
@@ -137,7 +137,7 @@ RSpec.describe TokenAuthenticatableStrategies::Encrypted do
 
       it 'writes encrypted token and writes plaintext token' do
         expect(instance).to receive(:[]=)
-          .with('some_field_encrypted', encrypted)
+          .with('some_field_encrypted', any_args)
         expect(instance).to receive(:[]=)
           .with('some_field', 'my-value')
 

spec/models/token_with_iv_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe TokenWithIv do
+  describe 'validations' do
+    it { is_expected.to validate_presence_of :hashed_token }
+    it { is_expected.to validate_presence_of :iv }
+    it { is_expected.to validate_presence_of :hashed_plaintext_token }
+  end
+
+  describe '.find_by_hashed_token' do
+    it 'only includes matching record' do
+      matching_record = create(:token_with_iv, hashed_token: ::Digest::SHA256.digest('hashed-token'))
+      create(:token_with_iv)
+
+      expect(described_class.find_by_hashed_token('hashed-token')).to eq(matching_record)
+    end
+  end
+
+  describe '.find_by_plaintext_token' do
+    it 'only includes matching record' do
+      matching_record = create(:token_with_iv, hashed_plaintext_token: ::Digest::SHA256.digest('hashed-token'))
+      create(:token_with_iv)
+
+      expect(described_class.find_by_plaintext_token('hashed-token')).to eq(matching_record)
+    end
+  end
+end

spec/spec_helper.rb

@@ -289,6 +289,8 @@ RSpec.configure do |config|
         current_user_mode.send(:user)&.admin?
       end
     end
+
+    allow(Gitlab::CurrentSettings).to receive(:current_application_settings?).and_return(false)
   end
 
   config.around(:example, :quarantine) do |example|

spec/support/helpers/stub_configuration.rb

@@ -121,6 +121,12 @@ module StubConfiguration
     allow(::Gitlab.config.packages).to receive_messages(to_settings(messages))
   end
 
+  def stub_maintenance_mode_setting(value)
+    allow(Gitlab::CurrentSettings).to receive(:current_application_settings?).and_return(true)
+
+    stub_application_setting(maintenance_mode: value)
+  end
+
   private
 
   # Modifies stubbed messages to also stub possible predicate versions