Secrets encryption in database (#1475)

closes #101

Added secrets encryption in database

- Google TINK or simple AES as encryption mechanisms
- Keys rotation support on TINK
- Existing SecretService is wrapped by encryption layer
- Encryption can be enabled and disabled at any time

Co-authored-by: Kuzmin Ilya <ilia.kuzmin@indrive.com>
Co-authored-by: 6543 <6543@obermui.de>

cmd/server/flags.go

@@ -525,4 +525,23 @@ var flags = []cli.Flag{
 		Hidden:  true,
 		// TODO(485) temporary workaround to not hit api rate limits
 	},
+	//
+	// secrets encryption in DB
+	//
+	&cli.StringFlag{
+		EnvVars:  []string{"WOODPECKER_ENCRYPTION_KEY"},
+		Name:     "encryption-raw-key",
+		Usage:    "Raw encryption key",
+		FilePath: os.Getenv("WOODPECKER_ENCRYPTION_KEY_FILE"),
+	},
+	&cli.StringFlag{
+		EnvVars: []string{"WOODPECKER_ENCRYPTION_TINK_KEYSET_FILE"},
+		Name:    "encryption-tink-keyset",
+		Usage:   "Google tink AEAD-compatible keyset file to encrypt secrets in DB",
+	},
+	&cli.BoolFlag{
+		EnvVars: []string{"WOODPECKER_ENCRYPTION_DISABLE"},
+		Name:    "encryption-disable-flag",
+		Usage:   "Flag to decrypt all encrypted data and disable encryption on server",
+	},
 }

cmd/server/server.go

@@ -44,6 +44,8 @@ import (
 	"github.com/woodpecker-ci/woodpecker/server/logging"
 	"github.com/woodpecker-ci/woodpecker/server/model"
 	"github.com/woodpecker-ci/woodpecker/server/plugins/config"
+	"github.com/woodpecker-ci/woodpecker/server/plugins/encryption"
+	encryptedStore "github.com/woodpecker-ci/woodpecker/server/plugins/encryption/wrapper/store"
 	"github.com/woodpecker-ci/woodpecker/server/pubsub"
 	"github.com/woodpecker-ci/woodpecker/server/router"
 	"github.com/woodpecker-ci/woodpecker/server/router/middleware"
@@ -260,6 +262,13 @@ func setupEvilGlobals(c *cli.Context, v store.Store, f forge.Forge) {
 	// forge
 	server.Config.Services.Forge = f
 
+	// encryption
+	encryptedSecretStore := encryptedStore.NewSecretStore(v)
+	err := encryption.Encryption(c, v).WithClient(encryptedSecretStore).Build()
+	if err != nil {
+		log.Fatal().Err(err).Msg("could not create encryption service")
+	}
+
 	// services
 	server.Config.Services.Queue = setupQueue(c, v)
 	server.Config.Services.Logs = logging.New()
@@ -268,7 +277,7 @@ func setupEvilGlobals(c *cli.Context, v store.Store, f forge.Forge) {
 		log.Error().Err(err).Msg("could not create pubsub service")
 	}
 	server.Config.Services.Registries = setupRegistryService(c, v)
-	server.Config.Services.Secrets = setupSecretService(c, v)
+	server.Config.Services.Secrets = setupSecretService(c, encryptedSecretStore)
 	server.Config.Services.Environ = setupEnvironService(c, v)
 	server.Config.Services.Membership = setupMembershipService(c, f)
 

cmd/server/setup.go

@@ -164,7 +164,7 @@ func setupQueue(c *cli.Context, s store.Store) queue.Queue {
 	return queue.WithTaskStore(queue.New(c.Context), s)
 }
 
-func setupSecretService(c *cli.Context, s store.Store) model.SecretService {
+func setupSecretService(c *cli.Context, s model.SecretStore) model.SecretService {
 	return secrets.New(c.Context, s)
 }