path: root/app/uploaders/ci/secure_file_uploader.rb
blob: 514d88dd177dac8c9accdc68ba37cc10b4229d99 (plain)
# frozen_string_literal: true

module Ci
  # Uploader for CI secure files. Storage settings come from
  # Gitlab.config.ci_secure_files, and file contents are encrypted through
  # Lockbox with a key derived per project (see #key).
  class SecureFileUploader < GitlabUploader
    include ObjectStorage::Concern

    storage_options Gitlab.config.ci_secure_files

    # Lockbox handles encryption/decryption of the stored file by registering
    # CarrierWave callbacks; it obtains the key by calling the #key method.
    encrypt(key: :key)

    # The file must always be encrypted, so direct upload is reported as
    # disabled.
    def self.direct_upload_enabled?
      false
    end

    # Background upload is reported as disabled as well.
    def self.background_upload_enabled?
      false
    end

    # Selects the remote store when object storage is enabled and the local
    # store otherwise.
    def self.default_store
      return ObjectStorage::Store::REMOTE if object_store_enabled?

      ObjectStorage::Store::LOCAL
    end

    # Derives the encryption key as HMAC-SHA256 (raw digest bytes) keyed with
    # the application's db_key_base over the project id rendered as a string.
    #
    # The result depends only on db_key_base and project_id: every secure file
    # of one project shares the same key, and a change to either input yields
    # a different key.
    #
    # NOTE(review): a nil project_id would stringify to "" and give all such
    # records one common key; presumably the model guarantees a project is
    # present. Confirm against the model's validations.
    def key
      secret = Gitlab::Application.secrets.db_key_base
      project_scope = model.project_id.to_s

      OpenSSL::HMAC.digest('SHA256', secret, project_scope)
    end

    # Hex-encoded SHA-256 of whatever model.file.read returns, memoized on
    # this uploader instance.
    #
    # NOTE(review): whether that read yields the decrypted content or the
    # stored ciphertext is not visible here. Confirm before relying on this
    # value as an integrity check of the original upload.
    def checksum
      return @checksum if @checksum

      @checksum = Digest::SHA256.hexdigest(model.file.read)
    end

    # Directory the file is stored under; delegates to #dynamic_segment.
    def store_dir
      dynamic_segment
    end

    private

    # Hashed path built from the 'secure_files' segment and the record id,
    # with the project id passed as root_hash.
    def dynamic_segment
      Gitlab::HashedPath.new('secure_files', model.id, root_hash: model.project_id)
    end
  end
end