Mirrors/gitea
0
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2026-05-21 00:24:57 +02:00
Code Issues Activity

feat(api): encrypt AWS creds (#37679)

Browse Source 
## Description

As mentioned in #37654 `AWSSecretAccessKey` are not encrypted and stored as is.

## Update

Follow the existing `AuthToken` flow of setting the `Encrypted` fields,
`Decrypting` them later and `Clearing` them at the end.

Closes #37654

---------

Signed-off-by: Kausthubh J Rao <105716675+Exgene@users.noreply.github.com>
Co-authored-by: Lauris B <lauris@nix.lv>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
This commit is contained in:
Kausthubh J Rao 2026-05-14 18:16:20 +05:30 committed by GitHub
parent 2450127c56
commit 5c887d68ca
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 15 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
models/admin/task.go
View File

@ -137,6 +137,11 @@ func (task *Task) MigrateConfig() (*migration.MigrateOptions, error) {
log.Error("Unable to decrypt AuthToken, maybe SECRET_KEY is wrong: %v", err) log.Error("Unable to decrypt AuthToken, maybe SECRET_KEY is wrong: %v", err)
} }
} }
if opts.AWSSecretAccessKeyEncrypted != "" {
if opts.AWSSecretAccessKey, err = secret.DecryptSecret(setting.SecretKey, opts.AWSSecretAccessKeyEncrypted); err != nil {
log.Error("Unable to decrypt AWSSecretAccessKey, maybe SECRET_KEY is wrong: %v", err)
}
}
return &opts, nil return &opts, nil
} }
@ -201,6 +206,8 @@ func FinishMigrateTask(ctx context.Context, task *Task) error {
conf.AuthPasswordEncrypted = "" conf.AuthPasswordEncrypted = ""
conf.AuthTokenEncrypted = "" conf.AuthTokenEncrypted = ""
conf.CloneAddrEncrypted = "" conf.CloneAddrEncrypted = ""
conf.AWSSecretAccessKey = ""
conf.AWSSecretAccessKeyEncrypted = ""
confBytes, err := json.Marshal(conf) confBytes, err := json.Marshal(conf)
if err != nil { if err != nil {
return err return err

4
modules/migration/options.go
View File

@ -40,5 +40,7 @@ type MigrateOptions struct {
MirrorInterval string `json:"mirror_interval"` MirrorInterval string `json:"mirror_interval"`
AWSAccessKeyID string AWSAccessKeyID string
AWSSecretAccessKey string AWSSecretAccessKey string `json:",omitempty"`
AWSSecretAccessKeyEncrypted string `json:"aws_secret_access_key_encrypted,omitempty"`
} }

5
services/task/task.go
View File

@ -85,6 +85,11 @@ func CreateMigrateTask(ctx context.Context, doer, u *user_model.User, opts base.
return nil, err return nil, err
} }
opts.AuthToken = "" opts.AuthToken = ""
opts.AWSSecretAccessKeyEncrypted, err = secret.EncryptSecret(setting.SecretKey, opts.AWSSecretAccessKey)
if err != nil {
return nil, err
}
opts.AWSSecretAccessKey = ""
bs, err := json.Marshal(&opts) bs, err := json.Marshal(&opts)
if err != nil { if err != nil {
return nil, err return nil, err