app/models/concerns/integrations/reset_secret_fields.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41

# frozen_string_literal: true

# Integrations should reset their "secret" fields (type: 'password') when certain "exposing"
# fields are changed (e.g. URLs), to avoid leaking secrets to unauthorized parties.
# The result of this is that users have to reenter the secrets to confirm the change.
module Integrations
  module ResetSecretFields
    extend ActiveSupport::Concern

    included do
      before_validation :reset_secret_fields!, if: :reset_secret_fields?
    end

    def exposing_secrets_fields
      # TODO: Once all integrations use `Integrations::Field` we can remove the `.try` here.
      # See: https://gitlab.com/groups/gitlab-org/-/epics/7652
      fields.select { _1.try(:exposes_secrets) }.pluck(:name)
    end

    private

    def reset_secret_fields?
      exposing_secrets_fields.any? do |field|
        public_send("#{field}_changed?") # rubocop:disable GitlabSecurity/PublicSend
      end
    end

    def reset_secret_fields!
      secret_fields.each do |field|
        next if public_send("#{field}_touched?") # rubocop:disable GitlabSecurity/PublicSend

        public_send("#{field}=", nil) # rubocop:disable GitlabSecurity/PublicSend

        # NOTE: Some of our specs also write to properties in addition to data fields,
        # in order to test backwards compatibility. So in those cases we also need to
        # clear the field in properties, since the setter above will only affect the data field.
        self.properties = properties.except(field) if properties.present?
      end
    end
  end
end