author | Kamil Trzciński <ayufan@ayufan.eu> | 2015-07-13 10:37:04 +0000 |
---|---|---|
committer | Kamil Trzciński <ayufan@ayufan.eu> | 2015-07-13 10:37:04 +0000 |
commit | c48a043c0fee94a33ef0c3bc1d74c2a494ba71e9 (patch) | |
tree | 78996b9a61529075fe77b4a426fac69f27b8025a | |
parent | 73e3a6ad5944a1b4ead4a6d6a5c3cee45a5449e1 (diff) | |
parent | 5267e8774ada6a38ab9fe644248c0269000c2841 (diff) | |
download | gitlab-ci-c48a043c0fee94a33ef0c3bc1d74c2a494ba71e9.tar.gz |
Merge branch 'encrypt-variables' into 'master'
Encrypt variables
/cc @dzaporozhets @jacobvosmaer @vsizov
See merge request !187
-rw-r--r-- | CHANGELOG | 1 | ||||
-rw-r--r-- | Gemfile | 3 | ||||
-rw-r--r-- | Gemfile.lock | 4 | ||||
-rw-r--r-- | app/models/variable.rb | 13 | ||||
-rw-r--r-- | db/migrate/20150703125244_add_encrypted_value_to_variables.rb | 7 | ||||
-rw-r--r-- | db/migrate/20150703125325_encrypt_variables.rb | 10 | ||||
-rw-r--r-- | db/schema.rb | 5 | ||||
-rw-r--r-- | spec/models/variable_spec.rb | 44 |
8 files changed, 82 insertions, 5 deletions
@@ -14,6 +14,7 @@ v7.13.0
 - Make the builds path configurable
 - Disable link to runner if it's not assigned to specific project
 - Store all secrets in config/secrets.yml
+ - Encrypt variables
 v7.12.2
 - Revert: Runner without tag should pick builds without tag only
@@ -70,6 +70,9 @@ gem "slack-notifier", "~> 1.0.0"
 # HipChat integration
 gem 'hipchat', '~> 1.5.0'
+# Encrypt variables
+gem 'attr_encrypted', '1.3.4'
+
 # Other
 gem 'rake'
 gem 'foreman'
diff --git a/Gemfile.lock b/Gemfile.lock
index 0c8adab..23eff90 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -43,6 +43,8 @@ GEM
 ast (2.0.0)
 astrolabe (1.3.0)
 parser (>= 2.2.0.pre.3, < 3.0)
+ attr_encrypted (1.3.4)
+ encryptor (>= 1.3.0)
 axiom-types (0.0.5)
 descendants_tracker (~> 0.0.1)
 ice_nine (~> 0.9)
@@ -107,6 +109,7 @@ GEM
 email_spec (1.5.0)
 launchy (~> 2.1)
 mail (~> 2.2)
+ encryptor (1.3.0)
 equalizer (0.0.9)
 erubis (2.7.0)
 excon (0.45.3)
@@ -459,6 +462,7 @@ DEPENDENCIES
 activerecord-session_store
 acts-as-taggable-on (~> 3.4)
 annotate
+ attr_encrypted (= 1.3.4)
 bootstrap-sass (~> 3.0)
 brakeman
 byebug
diff --git a/app/models/variable.rb b/app/models/variable.rb
index ebd3a44..b40fcbf 100644
--- a/app/models/variable.rb
+++ b/app/models/variable.rb
@@ -2,12 +2,17 @@
 #
 # Table name: variables
 #
-# id :integer not null, primary key
-# project_id :integer not null
-# key :string(255)
-# value :text
+# id :integer not null, primary key
+# project_id :integer not null
+# key :string(255)
+# value :text
+# encrypted_value :text
+# encrypted_value_salt :string(255)
+# encrypted_value_iv :string(255)
 #
 class Variable < ActiveRecord::Base
 belongs_to :project
+
+ attr_encrypted :value, mode: :per_attribute_iv_and_salt, key: GitlabCi::Application.secrets.db_key_base
 end
diff --git a/db/migrate/20150703125244_add_encrypted_value_to_variables.rb b/db/migrate/20150703125244_add_encrypted_value_to_variables.rb
new file mode 100644
index 0000000..0adf31a
--- /dev/null
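Review bot: The `attr_encrypted :value` line in `app/models/variable.rb` moves reads and writes to `encrypted_value`, but nothing in this change clears the legacy plaintext `value` column — the schema annotation still lists `value :text`, and the `EncryptVariables` migration and `db/schema.rb` hunks on the next line keep the column populated, so existing secrets stay readable in the table after the migration runs. The follow-up is a migration step that nulls the plaintext once `encrypted_value` is set (for example `variable.update_column(:value, nil)` in the same loop) and a later migration that drops the column. A short comment above `attr_encrypted`, such as `# key comes from config/secrets.yml (db_key_base); changing it makes stored values undecryptable`, would also document the key choice, which is otherwise only implied by the CHANGELOG entry.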
+++ b/db/migrate/20150703125244_add_encrypted_value_to_variables.rb
@@ -0,0 +1,7 @@
+class AddEncryptedValueToVariables < ActiveRecord::Migration
+ def change
+ add_column :variables, :encrypted_value, :text
+ add_column :variables, :encrypted_value_salt, :string
+ add_column :variables, :encrypted_value_iv, :string
+ end
+end
diff --git a/db/migrate/20150703125325_encrypt_variables.rb b/db/migrate/20150703125325_encrypt_variables.rb
new file mode 100644
index 0000000..c5f9d04
--- /dev/null
+++ b/db/migrate/20150703125325_encrypt_variables.rb
@@ -0,0 +1,10 @@
+class EncryptVariables < ActiveRecord::Migration
+ def up
+ Variable.find_each do |variable|
+ variable.update(value: variable.read_attribute(:value)) unless variable.encrypted_value
+ end
+ end
+
+ def down
+ end
+end
diff --git a/db/schema.rb b/db/schema.rb
index 6b88c7f..6686465 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -177,9 +177,12 @@ ActiveRecord::Schema.define(version: 20150707134456) do
 add_index "tags", ["name"], name: "index_tags_on_name", unique: true, using: :btree
 create_table "variables", force: true do |t|
- t.integer "project_id", null: false
+ t.integer "project_id", null: false
 t.string "key"
 t.text "value"
+ t.text "encrypted_value"
+ t.string "encrypted_value_salt"
+ t.string "encrypted_value_iv"
 end
 add_index "variables", ["project_id"], name: "index_variables_on_project_id", using: :btree
diff --git a/spec/models/variable_spec.rb b/spec/models/variable_spec.rb
new file mode 100644
index 0000000..4575115
--- /dev/null
+++ b/spec/models/variable_spec.rb
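Review bot: `variable.update(value: variable.read_attribute(:value))` in `EncryptVariables#up` discards its return value, so a row that fails validation is silently left unencrypted while the migration still reports success; `variable.update!(value: variable.read_attribute(:value)) unless variable.encrypted_value` stops on the first such row, or the loop can collect the ids where `update` returned false and raise at the end. Using the `Variable` model inside a migration also ties this migration to whatever `attr_encrypted` configuration the model has at the time it is run; calling `Variable.reset_column_information` at the top of `up`, plus a one-line comment saying the model's encrypted accessor is relied upon, makes that dependency explicit. The empty `down` reads as an oversight; a comment such as `# nothing to undo: the plaintext value column is left in place` would record that it is intentional.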
@@ -0,0 +1,44 @@
+# == Schema Information
+#
+# Table name: variables
+#
+# id :integer not null, primary key
+# project_id :integer not null
+# key :string(255)
+# value :text
+# encrypted_value :text
+# encrypted_value_salt :string(255)
+# encrypted_value_iv :string(255)
+#
+
+require 'spec_helper'
+
+describe Variable do
+ subject { Variable.new }
+
+ let(:secret_value) { 'secret' }
+
+ before :each do
+ subject.value = secret_value
+ end
+
+ describe :value do
+ it 'stores the encrypted value' do
+ subject.encrypted_value.should_not be_nil
+ end
+
+ it 'stores an iv for value' do
+ subject.encrypted_value_iv.should_not be_nil
+ end
+
+ it 'stores a salt for value' do
+ subject.encrypted_value_salt.should_not be_nil
+ end
+
+ it 'fails to decrypt if iv is incorrect' do
+ subject.encrypted_value_iv = nil
+ subject.instance_variable_set(:@value, nil)
+ expect { subject.value }.to raise_error
+ end
+ end
+end
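Review bot: `expect { subject.value }.to raise_error` in the last example names no exception class, so any error raised inside the block — a typo in the example included — satisfies it; narrowing it to the class the decryption failure actually produces (likely `OpenSSL::Cipher::CipherError`, to be confirmed against attr_encrypted 1.3.4) would make the example meaningful. The file also never checks that the value round-trips or that the plaintext is kept out of the stored attributes; `expect(subject.value).to eq(secret_value)`, `expect(subject.encrypted_value).not_to eq(secret_value)` and `expect(subject.read_attribute(:value)).to be_nil` would cover that. `subject.instance_variable_set(:@value, nil)` reaches into the gem's memoized plaintext to force a fresh decrypt; a comment saying so spares the next reader a trip into attr_encrypted. The examples mix `should_not` with `expect { }`; using the `expect` form throughout is the usual convention.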