Commit 659fc515 authored by Stan Hu's avatar Stan Hu

Upgrade to Ruby 2.4.4 (EE port)

* A change in Ruby (https://github.com/ruby/ruby/commit/ce635262f53b760284d56bb1027baebaaec175d1)
requires passing in the exact required length for OpenSSL keys and IVs.

* Ensure the secrets.yml is generated before any prepended modules are
loaded. This is done by renaming the `secret_token.rb` initializer to
`01_secret_token.rb`, which is a bit ugly but involves the least impact on
other files.

* Reading an invalid OpenSSL::PKey causes OpenSSL to throw OpenSSL::PKey::PKeyError
instead of ArgumentError (https://github.com/ruby/openssl/blob/master/History.md).
parent 5d538054
image: "dev.gitlab.org:5005/gitlab/gitlab-build-images:ruby-2.3.7-golang-1.9-git-2.17-chrome-65.0-node-8.x-yarn-1.2-postgresql-9.6" image: "dev.gitlab.org:5005/gitlab/gitlab-build-images:ruby-2.4.4-golang-1.9-git-2.17-chrome-65.0-node-8.x-yarn-1.2-postgresql-9.6"
.dedicated-runner: &dedicated-runner .dedicated-runner: &dedicated-runner
retry: 1 retry: 1
...@@ -6,7 +6,7 @@ image: "dev.gitlab.org:5005/gitlab/gitlab-build-images:ruby-2.3.7-golang-1.9-git ...@@ -6,7 +6,7 @@ image: "dev.gitlab.org:5005/gitlab/gitlab-build-images:ruby-2.3.7-golang-1.9-git
- gitlab-org - gitlab-org
.default-cache: &default-cache .default-cache: &default-cache
key: "ruby-2.3.7-debian-stretch-with-yarn" key: "ruby-2.4.4-debian-stretch-with-yarn"
paths: paths:
- vendor/ruby - vendor/ruby
- .yarn-cache/ - .yarn-cache/
...@@ -701,7 +701,7 @@ static-analysis: ...@@ -701,7 +701,7 @@ static-analysis:
script: script:
- scripts/static-analysis - scripts/static-analysis
cache: cache:
key: "ruby-2.3.7-debian-stretch-with-yarn-and-rubocop" key: "ruby-2.4.4-debian-stretch-with-yarn-and-rubocop"
paths: paths:
- vendor/ruby - vendor/ruby
- .yarn-cache/ - .yarn-cache/
...@@ -825,6 +825,7 @@ gitlab:assets:compile: ...@@ -825,6 +825,7 @@ gitlab:assets:compile:
WEBPACK_REPORT: "true" WEBPACK_REPORT: "true"
NO_COMPRESSION: "true" NO_COMPRESSION: "true"
script: script:
- ls -al config/*.yml
- date - date
- yarn install --frozen-lockfile --production --cache-folder .yarn-cache - yarn install --frozen-lockfile --production --cache-folder .yarn-cache
- date - date
......
...@@ -13,12 +13,12 @@ module Clusters ...@@ -13,12 +13,12 @@ module Clusters
attr_encrypted :password, attr_encrypted :password,
mode: :per_attribute_iv, mode: :per_attribute_iv,
key: Gitlab::Application.secrets.db_key_base, key: Settings.attr_encrypted_db_key_base,
algorithm: 'aes-256-cbc' algorithm: 'aes-256-cbc'
attr_encrypted :token, attr_encrypted :token,
mode: :per_attribute_iv, mode: :per_attribute_iv,
key: Gitlab::Application.secrets.db_key_base, key: Settings.attr_encrypted_db_key_base,
algorithm: 'aes-256-cbc' algorithm: 'aes-256-cbc'
before_validation :enforce_namespace_to_lower_case before_validation :enforce_namespace_to_lower_case
......
...@@ -11,7 +11,7 @@ module Clusters ...@@ -11,7 +11,7 @@ module Clusters
attr_encrypted :access_token, attr_encrypted :access_token,
mode: :per_attribute_iv, mode: :per_attribute_iv,
key: Gitlab::Application.secrets.db_key_base, key: Settings.attr_encrypted_db_key_base,
algorithm: 'aes-256-cbc' algorithm: 'aes-256-cbc'
validates :gcp_project_id, validates :gcp_project_id,
......
...@@ -13,7 +13,7 @@ module HasVariable ...@@ -13,7 +13,7 @@ module HasVariable
attr_encrypted :value, attr_encrypted :value,
mode: :per_attribute_iv_and_salt, mode: :per_attribute_iv_and_salt,
insecure_mode: true, insecure_mode: true,
key: Gitlab::Application.secrets.db_key_base, key: Settings.attr_encrypted_db_key_base,
algorithm: 'aes-256-cbc' algorithm: 'aes-256-cbc'
def key=(new_key) def key=(new_key)
......
...@@ -19,7 +19,7 @@ class PagesDomain < ActiveRecord::Base ...@@ -19,7 +19,7 @@ class PagesDomain < ActiveRecord::Base
attr_encrypted :key, attr_encrypted :key,
mode: :per_attribute_iv_and_salt, mode: :per_attribute_iv_and_salt,
insecure_mode: true, insecure_mode: true,
key: Gitlab::Application.secrets.db_key_base, key: Settings.attr_encrypted_db_key_base,
algorithm: 'aes-256-cbc' algorithm: 'aes-256-cbc'
after_initialize :set_verification_code after_initialize :set_verification_code
......
...@@ -5,7 +5,7 @@ class ProjectImportData < ActiveRecord::Base ...@@ -5,7 +5,7 @@ class ProjectImportData < ActiveRecord::Base
belongs_to :project, inverse_of: :import_data belongs_to :project, inverse_of: :import_data
attr_encrypted :credentials, attr_encrypted :credentials,
key: Gitlab::Application.secrets.db_key_base, key: Settings.attr_encrypted_db_key_base,
marshal: true, marshal: true,
encode: true, encode: true,
mode: :per_attribute_iv_and_salt, mode: :per_attribute_iv_and_salt,
......
...@@ -7,7 +7,7 @@ class RemoteMirror < ActiveRecord::Base ...@@ -7,7 +7,7 @@ class RemoteMirror < ActiveRecord::Base
UNPROTECTED_BACKOFF_DELAY = 5.minutes UNPROTECTED_BACKOFF_DELAY = 5.minutes
attr_encrypted :credentials, attr_encrypted :credentials,
key: Gitlab::Application.secrets.db_key_base, key: Settings.attr_encrypted_db_key_base,
marshal: true, marshal: true,
encode: true, encode: true,
mode: :per_attribute_iv_and_salt, mode: :per_attribute_iv_and_salt,
......
# This file needs to be loaded BEFORE any initializers that attempt to
# prepend modules that require access to secrets (e.g. EE's 0_as_concern.rb).
#
# Be sure to restart your server when you modify this file. # Be sure to restart your server when you modify this file.
require 'securerandom' require 'securerandom'
......
...@@ -110,6 +110,10 @@ class Settings < Settingslogic ...@@ -110,6 +110,10 @@ class Settings < Settingslogic
File.expand_path(path, Rails.root) File.expand_path(path, Rails.root)
end end
def attr_encrypted_db_key_base
Gitlab::Application.secrets.db_key_base[0..31]
end
private private
def base_url(config) def base_url(config)
......
...@@ -8,7 +8,7 @@ class RemoveWrongImportUrlFromProjects < ActiveRecord::Migration ...@@ -8,7 +8,7 @@ class RemoveWrongImportUrlFromProjects < ActiveRecord::Migration
extend AttrEncrypted extend AttrEncrypted
attr_accessor :credentials attr_accessor :credentials
attr_encrypted :credentials, attr_encrypted :credentials,
key: Gitlab::Application.secrets.db_key_base, key: Settings.attr_encrypted_db_key_base,
marshal: true, marshal: true,
encode: true, encode: true,
:mode => :per_attribute_iv_and_salt, :mode => :per_attribute_iv_and_salt,
......
...@@ -48,7 +48,7 @@ class MigrateKubernetesServiceToNewClustersArchitectures < ActiveRecord::Migrati ...@@ -48,7 +48,7 @@ class MigrateKubernetesServiceToNewClustersArchitectures < ActiveRecord::Migrati
attr_encrypted :token, attr_encrypted :token,
mode: :per_attribute_iv, mode: :per_attribute_iv,
key: Gitlab::Application.secrets.db_key_base, key: Settings.attr_encrypted_db_key_base,
algorithm: 'aes-256-cbc' algorithm: 'aes-256-cbc'
end end
......
...@@ -133,9 +133,9 @@ Remove the old Ruby 1.8 if present: ...@@ -133,9 +133,9 @@ Remove the old Ruby 1.8 if present:
Download Ruby and compile it: Download Ruby and compile it:
mkdir /tmp/ruby && cd /tmp/ruby mkdir /tmp/ruby && cd /tmp/ruby
curl --remote-name --progress https://cache.ruby-lang.org/pub/ruby/2.3/ruby-2.3.7.tar.gz curl --remote-name --progress https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.4.tar.gz
echo '540996fec64984ab6099e34d2f5820b14904f15a ruby-2.3.7.tar.gz' | shasum -c - && tar xzf ruby-2.3.7.tar.gz echo 'ec82b0d53bd0adad9b19e6b45e44d54e9ec3f10c ruby-2.4.4.tar.gz' | shasum -c - && tar xzf ruby-2.4.4.tar.gz
cd ruby-2.3.7 cd ruby-2.4.4
./configure --disable-install-rdoc ./configure --disable-install-rdoc
make make
......
...@@ -70,13 +70,13 @@ module EE ...@@ -70,13 +70,13 @@ module EE
attr_encrypted :external_auth_client_key, attr_encrypted :external_auth_client_key,
mode: :per_attribute_iv, mode: :per_attribute_iv,
key: ::Gitlab::Application.secrets.db_key_base, key: Settings.attr_encrypted_db_key_base,
algorithm: 'aes-256-gcm', algorithm: 'aes-256-gcm',
encode: true encode: true
attr_encrypted :external_auth_client_key_pass, attr_encrypted :external_auth_client_key_pass,
mode: :per_attribute_iv, mode: :per_attribute_iv,
key: ::Gitlab::Application.secrets.db_key_base, key: Settings.attr_encrypted_db_key_base,
algorithm: 'aes-256-gcm', algorithm: 'aes-256-gcm',
encode: true encode: true
end end
......
...@@ -42,7 +42,7 @@ class GeoNode < ActiveRecord::Base ...@@ -42,7 +42,7 @@ class GeoNode < ActiveRecord::Base
scope :with_url_prefix, ->(prefix) { where('url LIKE ?', "#{prefix}%") } scope :with_url_prefix, ->(prefix) { where('url LIKE ?', "#{prefix}%") }
attr_encrypted :secret_access_key, attr_encrypted :secret_access_key,
key: Gitlab::Application.secrets.db_key_base, key: Settings.attr_encrypted_db_key_base,
algorithm: 'aes-256-gcm', algorithm: 'aes-256-gcm',
mode: :per_attribute_iv, mode: :per_attribute_iv,
encode: true encode: true
......
...@@ -48,7 +48,7 @@ class X509CertificateCredentialsValidator < ActiveModel::Validator ...@@ -48,7 +48,7 @@ class X509CertificateCredentialsValidator < ActiveModel::Validator
def read_private_key(record) def read_private_key(record)
OpenSSL::PKey.read(pkey(record).to_s, pass(record).to_s) OpenSSL::PKey.read(pkey(record).to_s, pass(record).to_s)
rescue ArgumentError rescue OpenSSL::PKey::PKeyError, ArgumentError
# When the primary key could not be read, an ArgumentError is raised. # When the primary key could not be read, an ArgumentError is raised.
# This hapens when the passed key is not valid or the passphrase is incorrect # This hapens when the passed key is not valid or the passphrase is incorrect
nil nil
......
...@@ -10,7 +10,7 @@ class AddAccessKeysToGeoNodes < ActiveRecord::Migration ...@@ -10,7 +10,7 @@ class AddAccessKeysToGeoNodes < ActiveRecord::Migration
extend AttrEncrypted extend AttrEncrypted
attr_accessor :data attr_accessor :data
attr_encrypted :data, attr_encrypted :data,
key: Gitlab::Application.secrets.db_key_base, key: Settings.attr_encrypted_db_key_base,
algorithm: 'aes-256-gcm', algorithm: 'aes-256-gcm',
mode: :per_attribute_iv, mode: :per_attribute_iv,
encode: true encode: true
......
...@@ -77,12 +77,12 @@ module Gitlab ...@@ -77,12 +77,12 @@ module Gitlab
cipher = OpenSSL::Cipher::AES.new(128, :CBC) cipher = OpenSSL::Cipher::AES.new(128, :CBC)
cipher.__send__(operation) # rubocop:disable GitlabSecurity/PublicSend cipher.__send__(operation) # rubocop:disable GitlabSecurity/PublicSend
cipher.iv = salt cipher.iv = salt
cipher.key = Gitlab::Application.secrets.db_key_base cipher.key = Settings.attr_encrypted_db_key_base[0..15]
cipher cipher
end end
def oauth_salt def oauth_salt
@salt ||= SecureRandom.hex(16) @salt ||= SecureRandom.hex(8)
end end
def oauth_client def oauth_client
......
require 'spec_helper' require 'spec_helper'
require_relative '../../config/initializers/secret_token' require_relative '../../config/initializers/01_secret_token'
describe 'create_tokens' do describe 'create_tokens' do
include StubENV include StubENV
......
...@@ -45,8 +45,10 @@ describe HasVariable do ...@@ -45,8 +45,10 @@ describe HasVariable do
end end
it 'fails to decrypt if iv is incorrect' do it 'fails to decrypt if iv is incorrect' do
subject.encrypted_value_iv = SecureRandom.hex # attr_encrypted expects the IV to be 16-bytes and base64-encoded
subject.encrypted_value_iv = [SecureRandom.hex(8)].pack('m')
subject.instance_variable_set(:@value, nil) subject.instance_variable_set(:@value, nil)
expect { subject.value } expect { subject.value }
.to raise_error(OpenSSL::Cipher::CipherError, 'bad decrypt') .to raise_error(OpenSSL::Cipher::CipherError, 'bad decrypt')
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment