author | Stan Hu <stanhu@gmail.com> | 2018-06-02 02:32:30 -0700 |
---|---|---|
committer | Stan Hu <stanhu@gmail.com> | 2018-06-02 05:24:59 -0700 |
commit | 61df812ac688cb0848752f9f26f77d65eadf160a (patch) | |
tree | 62306bb84db245047963109401a3202010711f3d /app | |
parent | fe0ebf76c49e2512b211c5d43152275c536f7e3a (diff) | |
download | gitlab-ce-61df812ac688cb0848752f9f26f77d65eadf160a.tar.gz |
Fix attr_encryption key settings
attr_encrypted does different things with `key` depending on what mode you are using:
1. In `:per_attribute_iv_and_salt` mode, it generates a hash with the salt:
https://github.com/attr-encrypted/encryptor/blob/c3a62c4a9e74686dd95e0548f9dc2a361fdc95d1/lib/encryptor.rb#L77.
There is no need to truncate the key to 32 bytes here.
2. In `:per_attribute_iv` mode, it sets the key directly to the password, so
truncation to 32 bytes is necessary.
Closes #47166
Diffstat (limited to 'app')
-rw-r--r-- | app/models/clusters/platforms/kubernetes.rb | 4 | ||||
-rw-r--r-- | app/models/clusters/providers/gcp.rb | 2 |
2 files changed, 3 insertions, 3 deletions
diff --git a/app/models/clusters/platforms/kubernetes.rb b/app/models/clusters/platforms/kubernetes.rb
index 25eac5160f1..36631d57ad1 100644
--- a/app/models/clusters/platforms/kubernetes.rb
+++ b/app/models/clusters/platforms/kubernetes.rb
@@ -11,12 +11,12 @@ module Clusters
 attr_encrypted :password,
 mode: :per_attribute_iv,
- key: Settings.attr_encrypted_db_key_base,
+ key: Settings.attr_encrypted_db_key_base_truncated,
 algorithm: 'aes-256-cbc'
 attr_encrypted :token,
 mode: :per_attribute_iv,
- key: Settings.attr_encrypted_db_key_base,
+ key: Settings.attr_encrypted_db_key_base_truncated,
 algorithm: 'aes-256-cbc'
 before_validation :enforce_namespace_to_lower_case
diff --git a/app/models/clusters/providers/gcp.rb b/app/models/clusters/providers/gcp.rb
index eb2e42fd3fe..4db1bb35c12 100644
--- a/app/models/clusters/providers/gcp.rb
+++ b/app/models/clusters/providers/gcp.rb
@@ -11,7 +11,7 @@ module Clusters
 attr_encrypted :access_token,
 mode: :per_attribute_iv,
- key: Settings.attr_encrypted_db_key_base,
+ key: Settings.attr_encrypted_db_key_base_truncated,
 algorithm: 'aes-256-cbc'
 validates :gcp_project_id, |
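Review bot: Nothing at the two changed `key:` lines in kubernetes.rb records why these attributes take the truncated setting; the reason exists only in the commit message. A comment above each `attr_encrypted` call, and above the one in gcp.rb, such as `# :per_attribute_iv uses the key as-is, so aes-256-cbc needs exactly 32 bytes`, would keep a later cleanup from switching them back to `attr_encrypted_db_key_base`. The definition of `attr_encrypted_db_key_base_truncated` is outside this diff, so it is worth confirming that it truncates by bytes rather than characters, since a secret containing multi-byte characters sliced by character would still exceed 32 bytes. The enclosing class body starts and ends outside the hunk.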
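Review bot: The new `key:` value in gcp.rb hands a prefix of the application secret to AES directly, with no key derivation step, and the same setting also protects `password` and `token` in kubernetes.rb. If `db_key_base` is a hex or otherwise text-encoded string (its format is not visible here), the effective key strength is below the 256 bits that `aes-256-cbc` suggests. All three columns also share one key. Deriving a dedicated 32-byte key from the full secret with a standard KDF would address both, but it changes the key material and therefore needs a re-encryption migration for existing rows, so it is better tracked as a follow-up than folded into this fix.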