From 1c57a4b92b66b91f4defd569666bed6f2d7a4428 Mon Sep 17 00:00:00 2001 From: Kamil Trzcinski Date: Fri, 3 Jul 2015 15:30:22 +0200 Subject: Encrypt variables with attr_encrypted --- CHANGELOG | 1 + Gemfile | 3 +++ Gemfile.lock | 4 ++++ app/models/variable.rb | 13 +++++++++---- .../20150703125244_add_encrypted_value_to_variables.rb | 7 +++++++ db/migrate/20150703125325_encrypt_variables.rb | 10 ++++++++++ db/schema.rb | 5 ++++- 7 files changed, 38 insertions(+), 5 deletions(-) create mode 100644 db/migrate/20150703125244_add_encrypted_value_to_variables.rb create mode 100644 db/migrate/20150703125325_encrypt_variables.rb diff --git a/CHANGELOG b/CHANGELOG index a9946d0..b6ff007 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -17,6 +17,7 @@ v7.13.0 v7.12.2 - Revert: Runner without tag should pick builds without tag only + - Encrypt variables v7.12.1 - Runner without tag should pick builds without tag only diff --git a/Gemfile b/Gemfile index 94e06a8..1ceb7dd 100644 --- a/Gemfile +++ b/Gemfile @@ -70,6 +70,9 @@ gem "slack-notifier", "~> 1.0.0" # HipChat integration gem 'hipchat', '~> 1.5.0' +# Encrypt variables +gem 'attr_encrypted', '1.3.4' + # Other gem 'rake' gem 'foreman' diff --git a/Gemfile.lock b/Gemfile.lock index 0c8adab..23eff90 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -43,6 +43,8 @@ GEM ast (2.0.0) astrolabe (1.3.0) parser (>= 2.2.0.pre.3, < 3.0) + attr_encrypted (1.3.4) + encryptor (>= 1.3.0) axiom-types (0.0.5) descendants_tracker (~> 0.0.1) ice_nine (~> 0.9) @@ -107,6 +109,7 @@ GEM email_spec (1.5.0) launchy (~> 2.1) mail (~> 2.2) + encryptor (1.3.0) equalizer (0.0.9) erubis (2.7.0) excon (0.45.3) @@ -459,6 +462,7 @@ DEPENDENCIES activerecord-session_store acts-as-taggable-on (~> 3.4) annotate + attr_encrypted (= 1.3.4) bootstrap-sass (~> 3.0) brakeman byebug diff --git a/app/models/variable.rb b/app/models/variable.rb index ebd3a44..76a2c65 100644 --- a/app/models/variable.rb +++ b/app/models/variable.rb 
@@ -2,12 +2,17 @@ # # Table name: variables # -# id :integer not null, primary key -# project_id :integer not null -# key :string(255) -# value :text +# id :integer not null, primary key +# project_id :integer not null +# key :string(255) +# value :text +# encrypted_value :string(255) +# encrypted_value_salt :string(255) +# encrypted_value_iv :string(255) # class Variable < ActiveRecord::Base belongs_to :project + + attr_encrypted :value, mode: :per_attribute_iv_and_salt, key: GitlabCi::Application.config.secret_key_base end diff --git a/db/migrate/20150703125244_add_encrypted_value_to_variables.rb b/db/migrate/20150703125244_add_encrypted_value_to_variables.rb new file mode 100644 index 0000000..0adf31a --- /dev/null +++ b/db/migrate/20150703125244_add_encrypted_value_to_variables.rb @@ -0,0 +1,7 @@ +class AddEncryptedValueToVariables < ActiveRecord::Migration + def change + add_column :variables, :encrypted_value, :text + add_column :variables, :encrypted_value_salt, :string + add_column :variables, :encrypted_value_iv, :string + end +end diff --git a/db/migrate/20150703125325_encrypt_variables.rb b/db/migrate/20150703125325_encrypt_variables.rb new file mode 100644 index 0000000..c5f9d04 --- /dev/null +++ b/db/migrate/20150703125325_encrypt_variables.rb @@ -0,0 +1,10 @@ +class EncryptVariables < ActiveRecord::Migration + def up + Variable.find_each do |variable| + variable.update(value: variable.read_attribute(:value)) unless variable.encrypted_value + end + end + + def down + end +end diff --git a/db/schema.rb b/db/schema.rb index 6b88c7f..6686465 100644 --- a/db/schema.rb +++ b/db/schema.rb 
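Review bot: The `attr_encrypted :value` line in `Variable` takes its key from `GitlabCi::Application.config.secret_key_base`, so the application-wide Rails secret becomes the only key for the stored variables. Rotating that secret, or restoring a database backup onto an instance with a different one, would leave every `encrypted_value` row undecryptable, and a leak of the one secret exposes everything it protects. Consider reading the key from a dedicated setting that is backed up with the database, and add a comment above the line such as `# Changing this key makes existing encrypted_value rows unreadable; back it up with the database.`. The annotation block also lists `encrypted_value` as `:string(255)`, while the migration and `db/schema.rb` in this commit create it as `text`, so that line should read `# encrypted_value :text`.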
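Review bot: `EncryptVariables#up` fills `encrypted_value`, but nothing visible in this commit clears the old plaintext `value` column, which `db/schema.rb` still keeps, so every secret appears to stay readable in the database and its backups after the migration. Once the loop has finished, the plaintext should be removed, for example with `Variable.where.not(encrypted_value: nil).update_all(value: nil)`, or the column dropped in a follow-up migration. The loop calls `variable.update(...)`, which returns false on a validation failure and would silently leave that row unencrypted; `update!` makes the migration stop instead. The empty `down` reports a successful rollback without decrypting anything, so `raise ActiveRecord::IrreversibleMigration` would state the actual behaviour.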
@@ -177,9 +177,12 @@ ActiveRecord::Schema.define(version: 20150707134456) do add_index "tags", ["name"], name: "index_tags_on_name", unique: true, using: :btree create_table "variables", force: true do |t| - t.integer "project_id", null: false + t.integer "project_id", null: false t.string "key" t.text "value" + t.text "encrypted_value" + t.string "encrypted_value_salt" + t.string "encrypted_value_iv" end add_index "variables", ["project_id"], name: "index_variables_on_project_id", using: :btree -- cgit v1.2.1