Commit b5c70632 authored by Stan Hu's avatar Stan Hu

Upgrade to Ruby 2.4.4

Fixes that make this work:

* A change in Ruby (https://github.com/ruby/ruby/commit/ce635262f53b760284d56bb1027baebaaec175d1)
requires passing in the exact required length for OpenSSL keys and IVs.

* Ensure the secrets.yml is generated before any prepended modules are
loaded. This is done by renaming the `secret_token.rb` initializer to
`01_secret_token.rb`, which is a bit ugly but involves the least impact on
other files.
parent d3b39a83
Showing
with 27 additions and 18 deletions
image: "dev.gitlab.org:5005/gitlab/gitlab-build-images:ruby-2.3.7-golang-1.9-git-2.17-chrome-65.0-node-8.x-yarn-1.2-postgresql-9.6"
image: "dev.gitlab.org:5005/gitlab/gitlab-build-images:ruby-2.4.4-golang-1.9-git-2.17-chrome-65.0-node-8.x-yarn-1.2-postgresql-9.6"
 
.dedicated-runner: &dedicated-runner
retry: 1
@@ -6,7 +6,7 @@ image: "dev.gitlab.org:5005/gitlab/gitlab-build-images:ruby-2.3.7-golang-1.9-git
- gitlab-org
 
.default-cache: &default-cache
key: "ruby-2.3.7-debian-stretch-with-yarn"
key: "ruby-2.4.4-debian-stretch-with-yarn"
paths:
- vendor/ruby
- .yarn-cache/
@@ -550,7 +550,7 @@ static-analysis:
script:
- scripts/static-analysis
cache:
key: "ruby-2.3.7-debian-stretch-with-yarn-and-rubocop"
key: "ruby-2.4.4-debian-stretch-with-yarn-and-rubocop"
paths:
- vendor/ruby
- .yarn-cache/
2.3.7
2.4.4
@@ -11,12 +11,12 @@ module Clusters
 
attr_encrypted :password,
mode: :per_attribute_iv,
key: Gitlab::Application.secrets.db_key_base,
key: Settings.attr_encrypted_db_key_base,
algorithm: 'aes-256-cbc'
 
attr_encrypted :token,
mode: :per_attribute_iv,
key: Gitlab::Application.secrets.db_key_base,
key: Settings.attr_encrypted_db_key_base,
algorithm: 'aes-256-cbc'
 
before_validation :enforce_namespace_to_lower_case
@@ -11,7 +11,7 @@ module Clusters
 
attr_encrypted :access_token,
mode: :per_attribute_iv,
key: Gitlab::Application.secrets.db_key_base,
key: Settings.attr_encrypted_db_key_base,
algorithm: 'aes-256-cbc'
 
validates :gcp_project_id,
@@ -13,7 +13,7 @@ module HasVariable
attr_encrypted :value,
mode: :per_attribute_iv_and_salt,
insecure_mode: true,
key: Gitlab::Application.secrets.db_key_base,
key: Settings.attr_encrypted_db_key_base,
algorithm: 'aes-256-cbc'
 
def key=(new_key)
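Review bot: The truncated key is now passed to `attr_encrypted :value` even though this attribute uses `mode: :per_attribute_iv_and_salt`. As far as I know, in that mode the encryptor does not assign `key` to the cipher directly but derives the cipher key from it with PBKDF2 and the per-attribute salt, so the exact-length requirement named in the commit message would not apply, and cutting the input to 32 characters would change the derived key; rows written with the full `db_key_base` might then fail to decrypt. Please confirm this against the encryptor gem and, if it holds, keep `key: Gitlab::Application.secrets.db_key_base,` for the salted attributes and use the 32-byte helper only for `:per_attribute_iv`. A spec that decrypts a fixture encrypted before the upgrade would catch this. The same concern applies to the `PagesDomain`, `ProjectImportData`, `RemoteMirror` and `RemoveWrongImportUrlFromProjects` hunks, whose enclosing class and module bodies all continue outside the hunks shown.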
@@ -19,7 +19,7 @@ class PagesDomain < ActiveRecord::Base
attr_encrypted :key,
mode: :per_attribute_iv_and_salt,
insecure_mode: true,
key: Gitlab::Application.secrets.db_key_base,
key: Settings.attr_encrypted_db_key_base,
algorithm: 'aes-256-cbc'
 
after_initialize :set_verification_code
@@ -3,7 +3,7 @@ require 'carrierwave/orm/activerecord'
class ProjectImportData < ActiveRecord::Base
belongs_to :project, inverse_of: :import_data
attr_encrypted :credentials,
key: Gitlab::Application.secrets.db_key_base,
key: Settings.attr_encrypted_db_key_base,
marshal: true,
encode: true,
mode: :per_attribute_iv_and_salt,
@@ -5,7 +5,7 @@ class RemoteMirror < ActiveRecord::Base
UNPROTECTED_BACKOFF_DELAY = 5.minutes
 
attr_encrypted :credentials,
key: Gitlab::Application.secrets.db_key_base,
key: Settings.attr_encrypted_db_key_base,
marshal: true,
encode: true,
mode: :per_attribute_iv_and_salt,
# This file needs to be loaded BEFORE any initializers that attempt to
# prepend modules that require access to secrets (e.g. EE's 0_as_concern.rb).
#
# Be sure to restart your server when you modify this file.
 
require 'securerandom'
@@ -85,6 +85,10 @@ class Settings < Settingslogic
File.expand_path(path, Rails.root)
end
 
def attr_encrypted_db_key_base
Gitlab::Application.secrets.db_key_base[0..31]
end
private
 
def base_url(config)
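Review bot: `db_key_base[0..31]` in `attr_encrypted_db_key_base` slices characters, not bytes, and does not guard against a short secret. A `db_key_base` under 32 characters yields a short key, which the Ruby change cited in the commit message would now reject, and one containing multibyte characters yields more than 32 bytes; consider `db_key_base.byteslice(0, 32)` together with a boot-time check such as `raise 'db_key_base must be at least 32 bytes' if key.bytesize < 32`. The method also needs a comment saying why it exists, for instance `# Ruby 2.4 requires OpenSSL keys of the exact cipher length; aes-256-cbc needs 32 bytes, so only the first 32 bytes of db_key_base are used.` If the secret is hex-encoded, those 32 characters carry about half the entropy a 256-bit key can hold, which is worth recording there as well. The `Settings` class body continues outside the hunk.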
@@ -8,7 +8,7 @@ class RemoveWrongImportUrlFromProjects < ActiveRecord::Migration
extend AttrEncrypted
attr_accessor :credentials
attr_encrypted :credentials,
key: Gitlab::Application.secrets.db_key_base,
key: Settings.attr_encrypted_db_key_base,
marshal: true,
encode: true,
:mode => :per_attribute_iv_and_salt,
@@ -48,7 +48,7 @@ class MigrateKubernetesServiceToNewClustersArchitectures < ActiveRecord::Migrati
 
attr_encrypted :token,
mode: :per_attribute_iv,
key: Gitlab::Application.secrets.db_key_base,
key: Settings.attr_encrypted_db_key_base,
algorithm: 'aes-256-cbc'
end
 
@@ -133,9 +133,9 @@ Remove the old Ruby 1.8 if present:
Download Ruby and compile it:
 
mkdir /tmp/ruby && cd /tmp/ruby
curl --remote-name --progress https://cache.ruby-lang.org/pub/ruby/2.3/ruby-2.3.7.tar.gz
echo '540996fec64984ab6099e34d2f5820b14904f15a ruby-2.3.7.tar.gz' | shasum -c - && tar xzf ruby-2.3.7.tar.gz
cd ruby-2.3.7
curl --remote-name --progress https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.4.tar.gz
echo 'ec82b0d53bd0adad9b19e6b45e44d54e9ec3f10c ruby-2.4.4.tar.gz' | shasum -c - && tar xzf ruby-2.4.4.tar.gz
cd ruby-2.4.4
 
./configure --disable-install-rdoc
make
require 'spec_helper'
require_relative '../../config/initializers/secret_token'
require_relative '../../config/initializers/01_secret_token'
 
describe 'create_tokens' do
include StubENV
@@ -45,8 +45,10 @@ describe HasVariable do
end
 
it 'fails to decrypt if iv is incorrect' do
subject.encrypted_value_iv = SecureRandom.hex
# attr_encrypted expects the IV to be 16 bytes and base64-encoded
subject.encrypted_value_iv = [SecureRandom.hex(8)].pack('m')
subject.instance_variable_set(:@value, nil)
expect { subject.value }
.to raise_error(OpenSSL::Cipher::CipherError, 'bad decrypt')
end
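Review bot: The `'bad decrypt'` expectation relies on CBC padding breaking once the IV is swapped, and that is probabilistic rather than guaranteed. A wrong IV only alters the first plaintext block, so the error can only occur when the value fits in one block, and a random IV can occasionally leave valid padding, in which case `subject.value` would return garbage without raising (inferred from how CBC works; the fixture value is not visible in this hunk). I would record that next to the new comment, e.g. `# CBC is unauthenticated: a wrong IV is detected only when the padding breaks`, and consider accepting either an error or a value that differs from the original. The enclosing `describe` block starts outside the hunk.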