88 lines
3.2 KiB
Ruby
88 lines
3.2 KiB
Ruby
|
# frozen_string_literal: true
|
||
|
|
||
|
class EncryptPlaintextAttributesOnApplicationSettings < ActiveRecord::Migration[5.2]
|
||
|
include Gitlab::Database::MigrationHelpers
|
||
|
|
||
|
DOWNTIME = false
|
||
|
|
||
|
PLAINTEXT_ATTRIBUTES = %w[
|
||
|
akismet_api_key
|
||
|
elasticsearch_aws_secret_access_key
|
||
|
recaptcha_private_key
|
||
|
recaptcha_site_key
|
||
|
slack_app_secret
|
||
|
slack_app_verification_token
|
||
|
].freeze
|
||
|
|
||
|
class ApplicationSetting < ActiveRecord::Base
|
||
|
self.table_name = 'application_settings'
|
||
|
|
||
|
def self.encryption_options_base_truncated_aes_256_gcm
|
||
|
{
|
||
|
mode: :per_attribute_iv,
|
||
|
key: Gitlab::Application.secrets.db_key_base[0..31],
|
||
|
algorithm: 'aes-256-gcm',
|
||
|
encode: true
|
||
|
}
|
||
|
end
|
||
|
|
||
|
attr_encrypted :akismet_api_key, encryption_options_base_truncated_aes_256_gcm
|
||
|
attr_encrypted :elasticsearch_aws_secret_access_key, encryption_options_base_truncated_aes_256_gcm
|
||
|
attr_encrypted :recaptcha_private_key, encryption_options_base_truncated_aes_256_gcm
|
||
|
attr_encrypted :recaptcha_site_key, encryption_options_base_truncated_aes_256_gcm
|
||
|
attr_encrypted :slack_app_secret, encryption_options_base_truncated_aes_256_gcm
|
||
|
attr_encrypted :slack_app_verification_token, encryption_options_base_truncated_aes_256_gcm
|
||
|
|
||
|
def akismet_api_key
|
||
|
decrypt(:akismet_api_key, self[:encrypted_akismet_api_key]) || self[:akismet_api_key]
|
||
|
end
|
||
|
|
||
|
def elasticsearch_aws_secret_access_key
|
||
|
decrypt(:elasticsearch_aws_secret_access_key, self[:encrypted_elasticsearch_aws_secret_access_key]) || self[:elasticsearch_aws_secret_access_key]
|
||
|
end
|
||
|
|
||
|
def recaptcha_private_key
|
||
|
decrypt(:recaptcha_private_key, self[:encrypted_recaptcha_private_key]) || self[:recaptcha_private_key]
|
||
|
end
|
||
|
|
||
|
def recaptcha_site_key
|
||
|
decrypt(:recaptcha_site_key, self[:encrypted_recaptcha_site_key]) || self[:recaptcha_site_key]
|
||
|
end
|
||
|
|
||
|
def slack_app_secret
|
||
|
decrypt(:slack_app_secret, self[:encrypted_slack_app_secret]) || self[:slack_app_secret]
|
||
|
end
|
||
|
|
||
|
def slack_app_verification_token
|
||
|
decrypt(:slack_app_verification_token, self[:encrypted_slack_app_verification_token]) || self[:slack_app_verification_token]
|
||
|
end
|
||
|
end
|
||
|
|
||
|
def up
|
||
|
ApplicationSetting.find_each do |application_setting|
|
||
|
# We are using the setter from attr_encrypted gem to encrypt the data.
|
||
|
# The gem updates the two columns needed to decrypt the value:
|
||
|
# - "encrypted_#{plaintext_attribute}"
|
||
|
# - "encrypted_#{plaintext_attribute}_iv"
|
||
|
application_setting.assign_attributes(
|
||
|
PLAINTEXT_ATTRIBUTES.each_with_object({}) do |plaintext_attribute, attributes|
|
||
|
attributes[plaintext_attribute] = application_setting.send(plaintext_attribute)
|
||
|
end
|
||
|
)
|
||
|
application_setting.save(validate: false)
|
||
|
end
|
||
|
end
|
||
|
|
||
|
def down
|
||
|
ApplicationSetting.find_each do |application_setting|
|
||
|
application_setting.update_columns(
|
||
|
PLAINTEXT_ATTRIBUTES.each_with_object({}) do |plaintext_attribute, attributes|
|
||
|
attributes[plaintext_attribute] = application_setting.send(plaintext_attribute)
|
||
|
attributes["encrypted_#{plaintext_attribute}"] = nil
|
||
|
attributes["encrypted_#{plaintext_attribute}_iv"] = nil
|
||
|
end
|
||
|
)
|
||
|
end
|
||
|
end
|
||
|
end
|