authorGrzegorz Bizon <grzesiek.bizon@gmail.com>2018-11-16 15:16:37 +0100
committerGrzegorz Bizon <grzesiek.bizon@gmail.com>2018-11-16 15:16:37 +0100
commitfa33a2eedc4014ffbc450a74fcd112e663ac5b01 (patch)
tree7781da6e28fa194ca793dfcd2ea99904ae674cfa
parent0df989ba06606b675b19e32a74edf03f47a28fbb (diff)
downloadgitlab-ce-fa33a2eedc4014ffbc450a74fcd112e663ac5b01.tar.gz
Encrypt group / project runners registration tokens
-rw-r--r--app/models/group.rb2
-rw-r--r--app/models/project.rb2
-rw-r--r--db/migrate/20181116141415_add_encrypted_runners_token_to_namespaces.rb12
-rw-r--r--db/migrate/20181116141504_add_encrypted_runners_token_to_projects.rb12
-rw-r--r--db/schema.rb4
5 files changed, 29 insertions, 3 deletions
diff --git a/app/models/group.rb b/app/models/group.rb
index adb9169cfcd..e90b28bfa02 100644
--- a/app/models/group.rb
+++ b/app/models/group.rb
@@ -55,7 +55,7 @@ class Group < Namespace
validates :two_factor_grace_period, presence: true, numericality: { greater_than_or_equal_to: 0 }
- add_authentication_token_field :runners_token
+ add_authentication_token_field :runners_token, encrypted: true, fallback: true
after_create :post_create_hook
after_destroy :post_destroy_hook
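Review bot: With `fallback: true` on the new `add_authentication_token_field :runners_token` line, the plaintext `runners_token` column presumably stays populated and is still accepted for lookup, so a database dump or a read-only SQL injection would keep exposing runner registration tokens until that column is cleared. Nothing visible in this commit backfills `runners_token_encrypted` or nulls the old value, and the same applies to the identical line in app/models/project.rb. I would add a comment above both lines, for example `# fallback: true is transitional; drop it once runners_token is backfilled into runners_token_encrypted and cleared`, and track the backfill as a follow-up migration. The class body continues outside the hunk and the implementation of the `encrypted:` and `fallback:` options is not shown here, so the fallback behaviour should be confirmed against it.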
diff --git a/app/models/project.rb b/app/models/project.rb
index d87fc1e4b86..e2b65fab3ee 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -76,7 +76,7 @@ class Project < ActiveRecord::Base
default_value_for :snippets_enabled, gitlab_config_features.snippets
default_value_for :only_allow_merge_if_all_discussions_are_resolved, false
- add_authentication_token_field :runners_token
+ add_authentication_token_field :runners_token, encrypted: true, fallback: true
before_validation :mark_remote_mirrors_for_removal, if: -> { RemoteMirror.table_exists? }
diff --git a/db/migrate/20181116141415_add_encrypted_runners_token_to_namespaces.rb b/db/migrate/20181116141415_add_encrypted_runners_token_to_namespaces.rb
new file mode 100644
index 00000000000..a5a6373dd38
--- /dev/null
+++ b/db/migrate/20181116141415_add_encrypted_runners_token_to_namespaces.rb
@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+class AddEncryptedRunnersTokenToNamespaces < ActiveRecord::Migration
+ include Gitlab::Database::MigrationHelpers
+
+ DOWNTIME = false
+
+ def change
+ add_column :namespaces, :runners_token_encrypted, :string
+ # TODO index
+ end
+end
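Review bot: The `# TODO index` in `change` leaves `runners_token_encrypted` unindexed, so once token lookup goes through the encrypted column (which the model change suggests) each lookup would scan the whole `namespaces` table; the projects migration in this commit carries the same TODO. Runner registration accepts caller-supplied tokens, so an unindexed lookup also makes invalid-token requests disproportionately expensive for the database. I would resolve the TODO in a follow-up migration that declares `disable_ddl_transaction!` and calls `add_concurrent_index :namespaces, :runners_token_encrypted` in `up`, with `remove_concurrent_index` in `down`, and do the same for `:projects`.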
diff --git a/db/migrate/20181116141504_add_encrypted_runners_token_to_projects.rb b/db/migrate/20181116141504_add_encrypted_runners_token_to_projects.rb
new file mode 100644
index 00000000000..32401629478
--- /dev/null
+++ b/db/migrate/20181116141504_add_encrypted_runners_token_to_projects.rb
@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+class AddEncryptedRunnersTokenToProjects < ActiveRecord::Migration
+ include Gitlab::Database::MigrationHelpers
+
+ DOWNTIME = false
+
+ def change
+ add_column :projects, :runners_token_encrypted, :string
+ # TODO index
+ end
+end
diff --git a/db/schema.rb b/db/schema.rb
index 82e9c8f28e0..9fd4e05361c 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -11,7 +11,7 @@
#
# It's strongly recommended that you check this file into your version control system.
-ActiveRecord::Schema.define(version: 20181115140140) do
+ActiveRecord::Schema.define(version: 20181116141504) do
# These are extensions that must be enabled in order to support this database
enable_extension "plpgsql"
@@ -1409,6 +1409,7 @@ ActiveRecord::Schema.define(version: 20181115140140) do
t.integer "two_factor_grace_period", default: 48, null: false
t.integer "cached_markdown_version"
t.string "runners_token"
+ t.string "runners_token_encrypted"
end
add_index "namespaces", ["created_at"], name: "index_namespaces_on_created_at", using: :btree
@@ -1753,6 +1754,7 @@ ActiveRecord::Schema.define(version: 20181115140140) do
t.boolean "pages_https_only", default: true
t.boolean "remote_mirror_available_overridden"
t.integer "pool_repository_id", limit: 8
+ t.string "runners_token_encrypted"
end
add_index "projects", ["ci_id"], name: "index_projects_on_ci_id", using: :btree