Merge branch 'sh-fix-secrets-not-working' into 'master'
Fix attr_encryption key settings Closes #47166 See merge request gitlab-org/gitlab-ce!19341
This commit is contained in:
commit
414daf34e9
|
@ -11,12 +11,12 @@ module Clusters
|
||||||
|
|
||||||
attr_encrypted :password,
|
attr_encrypted :password,
|
||||||
mode: :per_attribute_iv,
|
mode: :per_attribute_iv,
|
||||||
key: Settings.attr_encrypted_db_key_base,
|
key: Settings.attr_encrypted_db_key_base_truncated,
|
||||||
algorithm: 'aes-256-cbc'
|
algorithm: 'aes-256-cbc'
|
||||||
|
|
||||||
attr_encrypted :token,
|
attr_encrypted :token,
|
||||||
mode: :per_attribute_iv,
|
mode: :per_attribute_iv,
|
||||||
key: Settings.attr_encrypted_db_key_base,
|
key: Settings.attr_encrypted_db_key_base_truncated,
|
||||||
algorithm: 'aes-256-cbc'
|
algorithm: 'aes-256-cbc'
|
||||||
|
|
||||||
before_validation :enforce_namespace_to_lower_case
|
before_validation :enforce_namespace_to_lower_case
|
||||||
|
|
|
@ -11,7 +11,7 @@ module Clusters
|
||||||
|
|
||||||
attr_encrypted :access_token,
|
attr_encrypted :access_token,
|
||||||
mode: :per_attribute_iv,
|
mode: :per_attribute_iv,
|
||||||
key: Settings.attr_encrypted_db_key_base,
|
key: Settings.attr_encrypted_db_key_base_truncated,
|
||||||
algorithm: 'aes-256-cbc'
|
algorithm: 'aes-256-cbc'
|
||||||
|
|
||||||
validates :gcp_project_id,
|
validates :gcp_project_id,
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
title: Fix attr_encryption key settings
|
||||||
|
merge_request:
|
||||||
|
author:
|
||||||
|
type: fixed
|
|
@ -85,17 +85,24 @@ class Settings < Settingslogic
|
||||||
File.expand_path(path, Rails.root)
|
File.expand_path(path, Rails.root)
|
||||||
end
|
end
|
||||||
|
|
||||||
# Returns a 256-bit key for attr_encrypted
|
# Ruby 2.4+ requires passing in the exact required length for OpenSSL keys
|
||||||
def attr_encrypted_db_key_base
|
# (https://github.com/ruby/ruby/commit/ce635262f53b760284d56bb1027baebaaec175d1).
|
||||||
# Ruby 2.4+ requires passing in the exact required length for OpenSSL keys
|
# Previous versions quietly truncated the input.
|
||||||
# (https://github.com/ruby/ruby/commit/ce635262f53b760284d56bb1027baebaaec175d1).
|
#
|
||||||
# Previous versions quietly truncated the input.
|
# Use this when using :per_attribute_iv mode for attr_encrypted.
|
||||||
#
|
# We have to truncate the string to 32 bytes for a 256-bit cipher.
|
||||||
# The default mode for the attr_encrypted gem is to use a 256-bit key.
|
def attr_encrypted_db_key_base_truncated
|
||||||
# We truncate the 128-byte string to 32 bytes.
|
|
||||||
Gitlab::Application.secrets.db_key_base[0..31]
|
Gitlab::Application.secrets.db_key_base[0..31]
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# This should be used for :per_attribute_salt_and_iv mode. There is no
|
||||||
|
# need to truncate the key because the encryptor will use the salt to
|
||||||
|
# generate a hash of the password:
|
||||||
|
# https://github.com/attr-encrypted/encryptor/blob/c3a62c4a9e74686dd95e0548f9dc2a361fdc95d1/lib/encryptor.rb#L77
|
||||||
|
def attr_encrypted_db_key_base
|
||||||
|
Gitlab::Application.secrets.db_key_base
|
||||||
|
end
|
||||||
|
|
||||||
private
|
private
|
||||||
|
|
||||||
def base_url(config)
|
def base_url(config)
|
||||||
|
|
|
@ -48,7 +48,7 @@ class MigrateKubernetesServiceToNewClustersArchitectures < ActiveRecord::Migrati
|
||||||
|
|
||||||
attr_encrypted :token,
|
attr_encrypted :token,
|
||||||
mode: :per_attribute_iv,
|
mode: :per_attribute_iv,
|
||||||
key: Settings.attr_encrypted_db_key_base,
|
key: Settings.attr_encrypted_db_key_base_truncated,
|
||||||
algorithm: 'aes-256-cbc'
|
algorithm: 'aes-256-cbc'
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue