Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
fc2b282a
Commit
fc2b282a
authored
Aug 27, 2019
by
GitLab Bot
Browse files
Options
Browse Files
Download
Plain Diff
Automatic merge of gitlab-org/gitlab-ce master
parents
40c027d4
8b47dfae
Changes
10
Hide whitespace changes
Inline
Side-by-side
Showing
10 changed files
with
125 additions
and
7 deletions
+125
-7
app/models/deploy_token.rb
app/models/deploy_token.rb
+1
-1
changelogs/unreleased/63502-encrypt-deploy-token.yml
changelogs/unreleased/63502-encrypt-deploy-token.yml
+5
-0
db/migrate/20190711200053_change_deploy_tokens_token_not_null.rb
...ate/20190711200053_change_deploy_tokens_token_not_null.rb
+11
-0
db/migrate/20190711200508_add_token_encrypted_to_deploy_tokens.rb
...te/20190711200508_add_token_encrypted_to_deploy_tokens.rb
+11
-0
db/migrate/20190719174505_add_index_to_deploy_tokens_token_encrypted.rb
...90719174505_add_index_to_deploy_tokens_token_encrypted.rb
+17
-0
db/post_migrate/20190711201818_encrypt_deploy_tokens_tokens.rb
...st_migrate/20190711201818_encrypt_deploy_tokens_tokens.rb
+27
-0
db/schema.rb
db/schema.rb
+3
-1
lib/gitlab/auth.rb
lib/gitlab/auth.rb
+1
-4
spec/factories/deploy_tokens.rb
spec/factories/deploy_tokens.rb
+2
-1
spec/migrations/encrypt_deploy_tokens_tokens_spec.rb
spec/migrations/encrypt_deploy_tokens_tokens_spec.rb
+47
-0
No files found.
app/models/deploy_token.rb
View file @
fc2b282a
...
@@ -5,7 +5,7 @@ class DeployToken < ApplicationRecord
...
@@ -5,7 +5,7 @@ class DeployToken < ApplicationRecord
include
TokenAuthenticatable
include
TokenAuthenticatable
include
PolicyActor
include
PolicyActor
include
Gitlab
::
Utils
::
StrongMemoize
include
Gitlab
::
Utils
::
StrongMemoize
add_authentication_token_field
:token
add_authentication_token_field
:token
,
encrypted: :optional
AVAILABLE_SCOPES
=
%i(read_repository read_registry)
.
freeze
AVAILABLE_SCOPES
=
%i(read_repository read_registry)
.
freeze
GITLAB_DEPLOY_TOKEN_NAME
=
'gitlab-deploy-token'
.
freeze
GITLAB_DEPLOY_TOKEN_NAME
=
'gitlab-deploy-token'
.
freeze
...
...
changelogs/unreleased/63502-encrypt-deploy-token.yml
0 → 100644
View file @
fc2b282a
---
title
:
Encrypt existing and new deploy tokens
merge_request
:
30679
author
:
type
:
other
db/migrate/20190711200053_change_deploy_tokens_token_not_null.rb
0 → 100644
View file @
fc2b282a
# frozen_string_literal: true
class
ChangeDeployTokensTokenNotNull
<
ActiveRecord
::
Migration
[
5.1
]
include
Gitlab
::
Database
::
MigrationHelpers
DOWNTIME
=
false
def
change
change_column_null
:deploy_tokens
,
:token
,
true
end
end
db/migrate/20190711200508_add_token_encrypted_to_deploy_tokens.rb
0 → 100644
View file @
fc2b282a
# frozen_string_literal: true
class
AddTokenEncryptedToDeployTokens
<
ActiveRecord
::
Migration
[
5.1
]
include
Gitlab
::
Database
::
MigrationHelpers
DOWNTIME
=
false
def
change
add_column
:deploy_tokens
,
:token_encrypted
,
:string
,
limit:
255
end
end
db/migrate/20190719174505_add_index_to_deploy_tokens_token_encrypted.rb
0 → 100644
View file @
fc2b282a
# frozen_string_literal: true
class
AddIndexToDeployTokensTokenEncrypted
<
ActiveRecord
::
Migration
[
5.1
]
include
Gitlab
::
Database
::
MigrationHelpers
DOWNTIME
=
false
disable_ddl_transaction!
def
up
add_concurrent_index
:deploy_tokens
,
:token_encrypted
,
unique:
true
,
name:
"index_deploy_tokens_on_token_encrypted"
end
def
down
remove_concurrent_index_by_name
:deploy_tokens
,
"index_deploy_tokens_on_token_encrypted"
end
end
db/post_migrate/20190711201818_encrypt_deploy_tokens_tokens.rb
0 → 100644
View file @
fc2b282a
# frozen_string_literal: true
class
EncryptDeployTokensTokens
<
ActiveRecord
::
Migration
[
5.1
]
DOWNTIME
=
false
class
DeploymentTokens
<
ActiveRecord
::
Base
self
.
table_name
=
'deploy_tokens'
end
def
up
say_with_time
(
"Encrypting tokens from deploy_tokens"
)
do
DeploymentTokens
.
where
(
'token_encrypted is NULL AND token IS NOT NULL'
).
find_each
(
batch_size:
10000
)
do
|
deploy_token
|
token_encrypted
=
Gitlab
::
CryptoHelper
.
aes256_gcm_encrypt
(
deploy_token
.
token
)
deploy_token
.
update!
(
token_encrypted:
token_encrypted
)
end
end
end
def
down
say_with_time
(
"Decrypting tokens from deploy_tokens"
)
do
DeploymentTokens
.
where
(
'token_encrypted IS NOT NULL AND token IS NULL'
).
find_each
(
batch_size:
10000
)
do
|
deploy_token
|
token
=
Gitlab
::
CryptoHelper
.
aes256_gcm_decrypt
(
deploy_token
.
token_encrypted
)
deploy_token
.
update!
(
token:
token
)
end
end
end
end
db/schema.rb
View file @
fc2b282a
...
@@ -1121,10 +1121,12 @@ ActiveRecord::Schema.define(version: 2019_08_20_163320) do
...
@@ -1121,10 +1121,12 @@ ActiveRecord::Schema.define(version: 2019_08_20_163320) do
t
.
datetime_with_timezone
"expires_at"
,
null:
false
t
.
datetime_with_timezone
"expires_at"
,
null:
false
t
.
datetime_with_timezone
"created_at"
,
null:
false
t
.
datetime_with_timezone
"created_at"
,
null:
false
t
.
string
"name"
,
null:
false
t
.
string
"name"
,
null:
false
t
.
string
"token"
,
null:
false
t
.
string
"token"
t
.
string
"username"
t
.
string
"username"
t
.
string
"token_encrypted"
,
limit:
255
t
.
index
[
"token"
,
"expires_at"
,
"id"
],
name:
"index_deploy_tokens_on_token_and_expires_at_and_id"
,
where:
"(revoked IS FALSE)"
t
.
index
[
"token"
,
"expires_at"
,
"id"
],
name:
"index_deploy_tokens_on_token_and_expires_at_and_id"
,
where:
"(revoked IS FALSE)"
t
.
index
[
"token"
],
name:
"index_deploy_tokens_on_token"
,
unique:
true
t
.
index
[
"token"
],
name:
"index_deploy_tokens_on_token"
,
unique:
true
t
.
index
[
"token_encrypted"
],
name:
"index_deploy_tokens_on_token_encrypted"
,
unique:
true
end
end
create_table
"deployments"
,
id: :serial
,
force: :cascade
do
|
t
|
create_table
"deployments"
,
id: :serial
,
force: :cascade
do
|
t
|
...
...
lib/gitlab/auth.rb
View file @
fc2b282a
...
@@ -200,12 +200,10 @@ module Gitlab
...
@@ -200,12 +200,10 @@ module Gitlab
end
.
uniq
end
.
uniq
end
end
# rubocop: disable CodeReuse/ActiveRecord
def
deploy_token_check
(
login
,
password
)
def
deploy_token_check
(
login
,
password
)
return
unless
password
.
present?
return
unless
password
.
present?
token
=
token
=
DeployToken
.
active
.
find_by_token
(
password
)
DeployToken
.
active
.
find_by
(
token:
password
)
return
unless
token
&&
login
return
unless
token
&&
login
return
if
login
!=
token
.
username
return
if
login
!=
token
.
username
...
@@ -216,7 +214,6 @@ module Gitlab
...
@@ -216,7 +214,6 @@ module Gitlab
Gitlab
::
Auth
::
Result
.
new
(
token
,
token
.
project
,
:deploy_token
,
scopes
)
Gitlab
::
Auth
::
Result
.
new
(
token
,
token
.
project
,
:deploy_token
,
scopes
)
end
end
end
end
# rubocop: enable CodeReuse/ActiveRecord
def
lfs_token_check
(
login
,
encoded_token
,
project
)
def
lfs_token_check
(
login
,
encoded_token
,
project
)
deploy_key_matches
=
login
.
match
(
/\Alfs\+deploy-key-(\d+)\z/
)
deploy_key_matches
=
login
.
match
(
/\Alfs\+deploy-key-(\d+)\z/
)
...
...
spec/factories/deploy_tokens.rb
View file @
fc2b282a
...
@@ -2,7 +2,8 @@
...
@@ -2,7 +2,8 @@
FactoryBot
.
define
do
FactoryBot
.
define
do
factory
:deploy_token
do
factory
:deploy_token
do
token
{
SecureRandom
.
hex
(
50
)
}
token
nil
token_encrypted
{
Gitlab
::
CryptoHelper
.
aes256_gcm_encrypt
(
SecureRandom
.
hex
(
50
)
)
}
sequence
(
:name
)
{
|
n
|
"PDT
#{
n
}
"
}
sequence
(
:name
)
{
|
n
|
"PDT
#{
n
}
"
}
read_repository
true
read_repository
true
read_registry
true
read_registry
true
...
...
spec/migrations/encrypt_deploy_tokens_tokens_spec.rb
0 → 100644
View file @
fc2b282a
# frozen_string_literal: true
require
'spec_helper'
require
Rails
.
root
.
join
(
'db'
,
'post_migrate'
,
'20190711201818_encrypt_deploy_tokens_tokens.rb'
)
describe
EncryptDeployTokensTokens
,
:migration
do
let
(
:migration
)
{
described_class
.
new
}
let
(
:deployment_tokens
)
{
table
(
:deploy_tokens
)
}
let
(
:plaintext
)
{
"secret-token"
}
let
(
:expires_at
)
{
DateTime
.
now
+
1
.
year
}
let
(
:ciphertext
)
{
Gitlab
::
CryptoHelper
.
aes256_gcm_encrypt
(
plaintext
)
}
describe
'#up'
do
it
'keeps plaintext token the same and populates token_encrypted if not present'
do
deploy_token
=
deployment_tokens
.
create!
(
name:
'test_token'
,
read_repository:
true
,
expires_at:
expires_at
,
username:
'gitlab-token-1'
,
token:
plaintext
)
migration
.
up
expect
(
deploy_token
.
reload
.
token
).
to
eq
(
plaintext
)
expect
(
deploy_token
.
reload
.
token_encrypted
).
to
eq
(
ciphertext
)
end
end
describe
'#down'
do
it
'decrypts encrypted token and saves it'
do
deploy_token
=
deployment_tokens
.
create!
(
name:
'test_token'
,
read_repository:
true
,
expires_at:
expires_at
,
username:
'gitlab-token-1'
,
token_encrypted:
ciphertext
)
migration
.
down
expect
(
deploy_token
.
reload
.
token
).
to
eq
(
plaintext
)
expect
(
deploy_token
.
reload
.
token_encrypted
).
to
eq
(
ciphertext
)
end
end
end
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment