Encrypt variables with attr_encrypted

1c57a4b9 · Kamil Trzcinski · 73e3a6ad · 1c57a4b9 · 1c57a4b9 · 1c57a4b9
Commit 1c57a4b9 authored 9 years ago by Kamil Trzcinski
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -17,6 +17,7 @@ v7.13.0
  
 v7.12.2
  - Revert: Runner without tag should pick builds without tag only
+  - Encrypt variables
  
 v7.12.1
  - Runner without tag should pick builds without tag only

--- a/Gemfile
+++ b/Gemfile
@@ -70,6 +70,9 @@ gem "slack-notifier", "~> 1.0.0"
 # HipChat integration
 gem 'hipchat', '~> 1.5.0'
  
+# Encrypt variables
+gem 'attr_encrypted', '1.3.4'
+
 # Other
 gem 'rake'
 gem 'foreman'

--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -43,6 +43,8 @@ GEM
    ast (2.0.0)
    astrolabe (1.3.0)
      parser (>= 2.2.0.pre.3, < 3.0)
+    attr_encrypted (1.3.4)
+      encryptor (>= 1.3.0)
    axiom-types (0.0.5)
      descendants_tracker (~> 0.0.1)
      ice_nine (~> 0.9)
@@ -107,6 +109,7 @@ GEM
    email_spec (1.5.0)
      launchy (~> 2.1)
      mail (~> 2.2)
+    encryptor (1.3.0)
    equalizer (0.0.9)
    erubis (2.7.0)
    excon (0.45.3)
@@ -459,6 +462,7 @@ DEPENDENCIES
  activerecord-session_store
  acts-as-taggable-on (~> 3.4)
  annotate
+  attr_encrypted (= 1.3.4)
  bootstrap-sass (~> 3.0)
  brakeman
  byebug

--- a/app/models/variable.rb
+++ b/app/models/variable.rb
@@ -2,12 +2,17 @@
 #
 # Table name: variables
 #
-#  id         :integer          not null, primary key
-#  project_id :integer          not null
-#  key        :string(255)
-#  value      :text
+#  id                   :integer          not null, primary key
+#  project_id           :integer          not null
+#  key                  :string(255)
+#  value                :text
+#  encrypted_value      :string(255)
+#  encrypted_value_salt :string(255)
+#  encrypted_value_iv   :string(255)
 #
  
 class Variable < ActiveRecord::Base
  belongs_to :project
+
+  attr_encrypted :value, mode: :per_attribute_iv_and_salt, key: GitlabCi::Application.config.secret_key_base
 end
--- a/db/migrate/20150703125244_add_encrypted_value_to_variables.rb
+++ b/db/migrate/20150703125244_add_encrypted_value_to_variables.rb
+class AddEncryptedValueToVariables < ActiveRecord::Migration
+  def change
+    add_column :variables, :encrypted_value, :text
+    add_column :variables, :encrypted_value_salt, :string
+    add_column :variables, :encrypted_value_iv, :string
+  end
+end
--- a/db/migrate/20150703125325_encrypt_variables.rb
+++ b/db/migrate/20150703125325_encrypt_variables.rb
+class EncryptVariables < ActiveRecord::Migration
+  def up
+    Variable.find_each do |variable|
+      variable.update(value: variable.read_attribute(:value)) unless variable.encrypted_value
+    end
+  end
+
+  def down
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -177,9 +177,12 @@ ActiveRecord::Schema.define(version: 20150707134456) do
  add_index "tags", ["name"], name: "index_tags_on_name", unique: true, using: :btree
  
  create_table "variables", force: true do |t|
-    t.integer "project_id", null: false
+    t.integer "project_id",           null: false
    t.string  "key"
    t.text    "value"
+    t.text    "encrypted_value"
+    t.string  "encrypted_value_salt"
+    t.string  "encrypted_value_iv"
  end
  
  add_index "variables", ["project_id"], name: "index_variables_on_project_id", using: :btree