Use encrypted GitHub OAuth access tokens

Author: Turbo87

src/controllers/crate_owner_invitation.rs

@@ -166,7 +166,8 @@ async fn prepare_list(
                 // Only allow crate owners to query pending invitations for their crate.
                 let krate: Crate = Crate::by_name(&crate_name).first(conn).await?;
                 let owners = krate.owners(conn).await?;
-                if Rights::get(user, &*state.github, &owners).await? != Rights::Full {
+                let encryption = &state.config.gh_token_encryption;
+                if Rights::get(user, &*state.github, &owners, encryption).await? != Rights::Full {
                     let detail = "only crate owners can query pending invitations for their crate";
                     return Err(forbidden(detail));
                 }

src/controllers/helpers/authorization.rs

@@ -1,7 +1,6 @@
 use crate::models::{Owner, User};
+use crate::util::gh_token_encryption::GitHubTokenEncryption;
 use crates_io_github::{GitHubClient, GitHubError};
-use oauth2::AccessToken;
-use secrecy::ExposeSecret;
 
 /// Access rights to the crate (publishing and ownership management)
 /// NOTE: The order of these variants matters!
@@ -25,8 +24,11 @@ impl Rights {
         user: &User,
         gh_client: &dyn GitHubClient,
         owners: &[Owner],
+        encryption: &GitHubTokenEncryption,
     ) -> Result<Self, GitHubError> {
-        let token = AccessToken::new(user.gh_access_token.expose_secret().to_string());
+        let token = encryption
+            .decrypt(&user.gh_encrypted_token)
+            .map_err(GitHubError::Other)?;
 
         let mut best = Self::None;
         for owner in owners {

src/controllers/krate/delete.rs

@@ -72,7 +72,7 @@ pub async fn delete_crate(
     // Check that the user is an owner of the crate (team owners are not allowed to delete crates)
     let user = auth.user();
     let owners = krate.owners(&mut conn).await?;
-    match Rights::get(user, &*app.github, &owners).await? {
+    match Rights::get(user, &*app.github, &owners, &app.config.gh_token_encryption).await? {
         Rights::Full => {}
         Rights::Publish => {
             let msg = "team members don't have permission to delete crates";

src/controllers/krate/owners.rs

@@ -9,6 +9,7 @@ use crate::models::{
     krate::NewOwnerInvite, token::EndpointScope,
 };
 use crate::util::errors::{AppResult, BoxedAppError, bad_request, crate_not_found, custom};
+use crate::util::gh_token_encryption::GitHubTokenEncryption;
 use crate::views::EncodableOwner;
 use crate::{App, app::AppState};
 use crate::{auth::AuthCheck, email::EmailMessage};
@@ -199,7 +200,7 @@ async fn modify_owners(
 
                 let owners = krate.owners(conn).await?;
 
-                match Rights::get(user, &*app.github, &owners).await? {
+                match Rights::get(user, &*app.github, &owners, &app.config.gh_token_encryption).await? {
                     Rights::Full => {}
                     // Yes!
                     Rights::Publish => {
@@ -320,7 +321,8 @@ async fn add_owner(
     login: &str,
 ) -> Result<NewOwnerInvite, OwnerAddError> {
     if login.contains(':') {
-        add_team_owner(&*app.github, conn, req_user, krate, login).await
+        let encryption = &app.config.gh_token_encryption;
+        add_team_owner(&*app.github, conn, req_user, krate, login, encryption).await
     } else {
         invite_user_owner(app, conn, req_user, krate, login).await
     }
@@ -363,6 +365,7 @@ async fn add_team_owner(
     req_user: &User,
     krate: &Crate,
     login: &str,
+    encryption: &GitHubTokenEncryption,
 ) -> Result<NewOwnerInvite, OwnerAddError> {
     // github:rust-lang:owners
     let mut chunks = login.split(':');
@@ -381,9 +384,16 @@ async fn add_team_owner(
     })?;
 
     // Always recreate teams to get the most up-to-date GitHub ID
-    let team =
-        create_or_update_github_team(gh_client, conn, &login.to_lowercase(), org, team, req_user)
-            .await?;
+    let team = create_or_update_github_team(
+        gh_client,
+        conn,
+        &login.to_lowercase(),
+        org,
+        team,
+        req_user,
+        encryption,
+    )
+    .await?;
 
     // Teams are added as owners immediately, since the above call ensures
     // the user is a team member.
@@ -408,6 +418,7 @@ pub async fn create_or_update_github_team(
     org_name: &str,
     team_name: &str,
     req_user: &User,
+    encryption: &GitHubTokenEncryption,
 ) -> AppResult<Team> {
     // GET orgs/:org/teams
     // check that `team` is the `slug` in results, and grab its data
@@ -424,7 +435,14 @@ pub async fn create_or_update_github_team(
         )));
     }
 
-    let token = AccessToken::new(req_user.gh_access_token.expose_secret().to_string());
+    let token = encryption
+        .decrypt(&req_user.gh_encrypted_token)
+        .map_err(|err| {
+            custom(
+                StatusCode::INTERNAL_SERVER_ERROR,
+                format!("Failed to decrypt GitHub token: {err}"),
+            )
+        })?;
     let team = gh_client.team_by_name(org_name, team_name, &token).await
         .map_err(|_| {
             bad_request(format_args!(

src/controllers/krate/publish.rs

@@ -450,7 +450,7 @@ pub async fn publish(app: AppState, req: Parts, body: Body) -> AppResult<Json<Go
             };
 
             let owners = krate.owners(conn).await?;
-            if Rights::get(user, &*app.github, &owners).await? < Rights::Publish {
+            if Rights::get(user, &*app.github, &owners, &app.config.gh_token_encryption).await? < Rights::Publish {
                 return Err(custom(StatusCode::FORBIDDEN, MISSING_RIGHTS_ERROR_MESSAGE));
             }
 

src/controllers/trustpub/github_configs/create/mod.rs

@@ -3,7 +3,7 @@ use crate::auth::AuthCheck;
 use crate::controllers::krate::load_crate;
 use crate::controllers::trustpub::github_configs::json;
 use crate::email::EmailMessage;
-use crate::util::errors::{AppResult, bad_request, forbidden};
+use crate::util::errors::{AppResult, bad_request, forbidden, server_error};
 use anyhow::Context;
 use axum::Json;
 use crates_io_database::models::OwnerKind;
@@ -17,8 +17,6 @@ use diesel::prelude::*;
 use diesel_async::RunQueryDsl;
 use http::request::Parts;
 use minijinja::context;
-use oauth2::AccessToken;
-use secrecy::ExposeSecret;
 use tracing::warn;
 
 #[cfg(test)]
@@ -77,8 +75,15 @@ pub async fn create_trustpub_github_config(
     // Lookup `repository_owner_id` via GitHub API
 
     let owner = &json_config.repository_owner;
-    let gh_auth = &auth_user.gh_access_token;
-    let gh_auth = AccessToken::new(gh_auth.expose_secret().to_string());
+
+    let encryption = &state.config.gh_token_encryption;
+    let gh_auth = &auth_user.gh_encrypted_token;
+    let gh_auth = encryption.decrypt(gh_auth).map_err(|err| {
+        let login = &auth_user.gh_login;
+        warn!("Failed to decrypt GitHub token for user {login}: {err}");
+        server_error("Internal server error")
+    })?;
+
     let github_user = match state.github.get_user(owner, &gh_auth).await {
         Ok(user) => user,
         Err(GitHubError::NotFound(_)) => Err(bad_request("Unknown GitHub user or organization"))?,

src/controllers/version/docs.rs

@@ -36,7 +36,8 @@ pub async fn rebuild_version_docs(
     // Check that the user is an owner of the crate, or a team member (= publish rights)
     let user = auth.user();
     let owners = krate.owners(&mut conn).await?;
-    if Rights::get(user, &*app.github, &owners).await? < Rights::Publish {
+    let encryption = &app.config.gh_token_encryption;
+    if Rights::get(user, &*app.github, &owners, encryption).await? < Rights::Publish {
         return Err(custom(
             StatusCode::FORBIDDEN,
             "user doesn't have permission to trigger a docs rebuild",

src/controllers/version/update.rs

@@ -125,7 +125,8 @@ pub async fn perform_version_yank_update(
 
     let yanked = yanked.unwrap_or(version.yanked);
 
-    if Rights::get(user, &*state.github, &owners).await? < Rights::Publish {
+    let encryption = &state.config.gh_token_encryption;
+    if Rights::get(user, &*state.github, &owners, encryption).await? < Rights::Publish {
         if user.is_admin {
             let action = if yanked { "yanking" } else { "unyanking" };
             warn!(

src/tests/mod.rs

@@ -6,9 +6,11 @@ use crate::views::{
 };
 
 use crate::tests::util::github::next_gh_id;
+use crate::util::gh_token_encryption::GitHubTokenEncryption;
 use diesel::prelude::*;
 use diesel_async::AsyncPgConnection;
 use serde::{Deserialize, Serialize};
+use std::sync::LazyLock;
 
 mod account_lock;
 mod authentication;
@@ -92,11 +94,17 @@ pub struct OwnerResp {
 }
 
 fn new_user(login: &str) -> NewUser<'_> {
+    static ENCRYPTED_TOKEN: LazyLock<Vec<u8>> = LazyLock::new(|| {
+        GitHubTokenEncryption::for_testing()
+            .encrypt("some random token")
+            .unwrap()
+    });
+
     NewUser::builder()
         .gh_id(next_gh_id())
         .gh_login(login)
         .gh_access_token("some random token")
-        .gh_encrypted_token(&[])
+        .gh_encrypted_token(&ENCRYPTED_TOKEN)
         .build()
 }