vcs: Derive per tenant key #3293

@simonswine simonswine commented May 10, 2024

Currently we use the same global session encryption secret for each tenant. In order to ensure tenant isolation, this change will derive a custom secret per tenant.

By using sha256 we also increase the secret used for encryption from 128 bit to 256 bit, while allowing to get an arbitrary secret specified.

Note: This change will require all users to re-authenticate, as the previous GitSession won't be decrypted by this. It is possible to implement this without this breaking change, but given session length is 8 hours, I would rather re-authenticate instead.

Currently we use the same global session encryption secret, for each
tenant. In order to ensure tenant isolation, this change will derive a
custom secret per tenant.

Note: This change will require all users to reauthenticate, as the
previous secret won't be able to be decrypted anymore.
@simonswine simonswine force-pushed the 20240510_derive-a-per-tenant-token-for-github-session-secret branch from 73a04ca to 98efb42 Compare May 10, 2024 16:02
@simonswine simonswine changed the title 20240510 derive a per tenant token for github session secret vcs: Derive per tenant key May 10, 2024
@simonswine simonswine marked this pull request as ready for review May 10, 2024 16:06
@simonswine simonswine requested a review from a team as a code owner May 10, 2024 16:06

@bryanhuhta bryanhuhta left a comment

Nice, this looks good!

@simonswine simonswine merged commit 9e2bb77 into grafana:main May 13, 2024
16 checks passed