authorKamil Trzciński <ayufan@ayufan.eu>2015-07-13 10:37:04 +0000
committerKamil Trzciński <ayufan@ayufan.eu>2015-07-13 10:37:04 +0000
commitc48a043c0fee94a33ef0c3bc1d74c2a494ba71e9 (patch)
tree78996b9a61529075fe77b4a426fac69f27b8025a
parent73e3a6ad5944a1b4ead4a6d6a5c3cee45a5449e1 (diff)
parent5267e8774ada6a38ab9fe644248c0269000c2841 (diff)
Merge branch 'encrypt-variables' into 'master'
Encrypt variables /cc @dzaporozhets @jacobvosmaer @vsizov See merge request !187
-rw-r--r--CHANGELOG1
-rw-r--r--Gemfile3
-rw-r--r--Gemfile.lock4
-rw-r--r--app/models/variable.rb13
-rw-r--r--db/migrate/20150703125244_add_encrypted_value_to_variables.rb7
-rw-r--r--db/migrate/20150703125325_encrypt_variables.rb10
-rw-r--r--db/schema.rb5
-rw-r--r--spec/models/variable_spec.rb44
8 files changed, 82 insertions, 5 deletions
diff --git a/CHANGELOG b/CHANGELOG
index a9946d0..1d009e2 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -14,6 +14,7 @@ v7.13.0
- Make the builds path configurable
- Disable link to runner if it's not assigned to specific project
- Store all secrets in config/secrets.yml
+ - Encrypt variables
v7.12.2
- Revert: Runner without tag should pick builds without tag only
diff --git a/Gemfile b/Gemfile
index 94e06a8..1ceb7dd 100644
--- a/Gemfile
+++ b/Gemfile
@@ -70,6 +70,9 @@ gem "slack-notifier", "~> 1.0.0"
# HipChat integration
gem 'hipchat', '~> 1.5.0'
+# Encrypt variables
+gem 'attr_encrypted', '1.3.4'
+
# Other
gem 'rake'
gem 'foreman'
diff --git a/Gemfile.lock b/Gemfile.lock
index 0c8adab..23eff90 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -43,6 +43,8 @@ GEM
ast (2.0.0)
astrolabe (1.3.0)
parser (>= 2.2.0.pre.3, < 3.0)
+ attr_encrypted (1.3.4)
+ encryptor (>= 1.3.0)
axiom-types (0.0.5)
descendants_tracker (~> 0.0.1)
ice_nine (~> 0.9)
@@ -107,6 +109,7 @@ GEM
email_spec (1.5.0)
launchy (~> 2.1)
mail (~> 2.2)
+ encryptor (1.3.0)
equalizer (0.0.9)
erubis (2.7.0)
excon (0.45.3)
@@ -459,6 +462,7 @@ DEPENDENCIES
activerecord-session_store
acts-as-taggable-on (~> 3.4)
annotate
+ attr_encrypted (= 1.3.4)
bootstrap-sass (~> 3.0)
brakeman
byebug
diff --git a/app/models/variable.rb b/app/models/variable.rb
index ebd3a44..b40fcbf 100644
--- a/app/models/variable.rb
+++ b/app/models/variable.rb
@@ -2,12 +2,17 @@
#
# Table name: variables
#
-# id :integer not null, primary key
-# project_id :integer not null
-# key :string(255)
-# value :text
+# id :integer not null, primary key
+# project_id :integer not null
+# key :string(255)
+# value :text
+# encrypted_value :text
+# encrypted_value_salt :string(255)
+# encrypted_value_iv :string(255)
#
class Variable < ActiveRecord::Base
belongs_to :project
+
+ attr_encrypted :value, mode: :per_attribute_iv_and_salt, key: GitlabCi::Application.secrets.db_key_base
end
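Review bot: The plaintext `value` column outlives this change — the schema annotation at the top of the hunk still lists `value :text`, and `attr_encrypted :value` only shadows the accessor, so anything already stored there stays readable through `read_attribute(:value)` (the conversion in db/migrate/20150703125325_encrypt_variables.rb reads it but never clears it, and db/schema.rb keeps the column). A follow-up migration that nulls out `value` once every row has an `encrypted_value`, and then drops the column, would close that gap; until then the encryption covers new writes only. The `attr_encrypted` line would also benefit from a comment on where the key material lives, e.g. `# key comes from config/secrets.yml (db_key_base); changing it makes every stored encrypted_value undecryptable unless re-encrypted first`.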
diff --git a/db/migrate/20150703125244_add_encrypted_value_to_variables.rb b/db/migrate/20150703125244_add_encrypted_value_to_variables.rb
new file mode 100644
index 0000000..0adf31a
--- /dev/null
+++ b/db/migrate/20150703125244_add_encrypted_value_to_variables.rb
@@ -0,0 +1,7 @@
+class AddEncryptedValueToVariables < ActiveRecord::Migration
+ def change
+ add_column :variables, :encrypted_value, :text
+ add_column :variables, :encrypted_value_salt, :string
+ add_column :variables, :encrypted_value_iv, :string
+ end
+end
diff --git a/db/migrate/20150703125325_encrypt_variables.rb b/db/migrate/20150703125325_encrypt_variables.rb
new file mode 100644
index 0000000..c5f9d04
--- /dev/null
+++ b/db/migrate/20150703125325_encrypt_variables.rb
@@ -0,0 +1,10 @@
+class EncryptVariables < ActiveRecord::Migration
+ def up
+ Variable.find_each do |variable|
+ variable.update(value: variable.read_attribute(:value)) unless variable.encrypted_value
+ end
+ end
+
+ def down
+ end
+end
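Review bot: `variable.update(value: ...)` inside `find_each` discards its return value, so a row whose validations fail is silently left without an `encrypted_value` while the migration still reports success; `variable.update!(value: variable.read_attribute(:value)) unless variable.encrypted_value` would make that failure visible. The empty `down` makes the migration appear reversible when it is not — the encrypted columns stay populated and nothing is restored; `raise ActiveRecord::IrreversibleMigration` in `down` states that honestly. Note also that this migration depends on the application's `Variable` model carrying the `attr_encrypted` declaration at the time it runs, which is worth a one-line comment since later model changes can break replaying it.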
diff --git a/db/schema.rb b/db/schema.rb
index 6b88c7f..6686465 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -177,9 +177,12 @@ ActiveRecord::Schema.define(version: 20150707134456) do
add_index "tags", ["name"], name: "index_tags_on_name", unique: true, using: :btree
create_table "variables", force: true do |t|
- t.integer "project_id", null: false
+ t.integer "project_id", null: false
t.string "key"
t.text "value"
+ t.text "encrypted_value"
+ t.string "encrypted_value_salt"
+ t.string "encrypted_value_iv"
end
add_index "variables", ["project_id"], name: "index_variables_on_project_id", using: :btree
diff --git a/spec/models/variable_spec.rb b/spec/models/variable_spec.rb
new file mode 100644
index 0000000..4575115
--- /dev/null
+++ b/spec/models/variable_spec.rb
@@ -0,0 +1,44 @@
+# == Schema Information
+#
+# Table name: variables
+#
+# id :integer not null, primary key
+# project_id :integer not null
+# key :string(255)
+# value :text
+# encrypted_value :text
+# encrypted_value_salt :string(255)
+# encrypted_value_iv :string(255)
+#
+
+require 'spec_helper'
+
+describe Variable do
+ subject { Variable.new }
+
+ let(:secret_value) { 'secret' }
+
+ before :each do
+ subject.value = secret_value
+ end
+
+ describe :value do
+ it 'stores the encrypted value' do
+ subject.encrypted_value.should_not be_nil
+ end
+
+ it 'stores an iv for value' do
+ subject.encrypted_value_iv.should_not be_nil
+ end
+
+ it 'stores a salt for value' do
+ subject.encrypted_value_salt.should_not be_nil
+ end
+
+ it 'fails to decrypt if iv is incorrect' do
+ subject.encrypted_value_iv = nil
+ subject.instance_variable_set(:@value, nil)
+ expect { subject.value }.to raise_error
+ end
+ end
+end
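Review bot: `expect { subject.value }.to raise_error` with no error class in the last example passes on any exception, including a `NoMethodError` from a typo, so it does not show that a bad IV is actually rejected; name the class the library raises for a nil IV (confirm locally which one that is). The `subject.instance_variable_set(:@value, nil)` line pokes at an attr_encrypted internal rather than the model's contract — if it is only there to drop a cached plaintext, say so in a comment or find a public way to reset it. Given that the plaintext `value` column remains in the schema, two further properties are worth pinning here: that assigning `value` never writes the column, `expect(subject.read_attribute(:value)).to be_nil`, and that the per-attribute IV really influences the ciphertext, e.g. two `Variable.new` instances given the same `secret_value` end up with different `encrypted_value`.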