Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Boxiang Sun
gitlab-ce
Commits
f1a74a65
Commit
f1a74a65
authored
Nov 15, 2018
by
Grzegorz Bizon
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Encrypt new instance runners registration tokens
parent
9a830f1e
Changes
8
Hide whitespace changes
Inline
Side-by-side
Showing
8 changed files
with
46 additions
and
15 deletions
+46
-15
app/models/application_setting.rb
app/models/application_setting.rb
+1
-1
app/models/concerns/token_authenticatable.rb
app/models/concerns/token_authenticatable.rb
+3
-1
app/models/concerns/token_authenticatable_strategies/base.rb
app/models/concerns/token_authenticatable_strategies/base.rb
+1
-0
app/models/concerns/token_authenticatable_strategies/encrypted.rb
...ls/concerns/token_authenticatable_strategies/encrypted.rb
+1
-0
db/migrate/20181115140140_add_encrypted_runners_token_to_settings.rb
...20181115140140_add_encrypted_runners_token_to_settings.rb
+11
-0
db/schema.rb
db/schema.rb
+2
-1
spec/models/concerns/token_authenticatable_spec.rb
spec/models/concerns/token_authenticatable_spec.rb
+25
-10
spec/models/concerns/token_authenticatable_strategies/encrypted_spec.rb
...ncerns/token_authenticatable_strategies/encrypted_spec.rb
+2
-2
No files found.
app/models/application_setting.rb
View file @
f1a74a65
...
...
@@ -7,7 +7,7 @@ class ApplicationSetting < ActiveRecord::Base
include
IgnorableColumn
include
ChronicDurationAttribute
add_authentication_token_field
:runners_registration_token
add_authentication_token_field
:runners_registration_token
,
encrypted:
true
,
fallback:
true
add_authentication_token_field
:health_check_access_token
DOMAIN_LIST_SEPARATOR
=
%r{
\s
*[,;]
\s
* # comma or semicolon, optionally surrounded by whitespace
...
...
app/models/concerns/token_authenticatable.rb
View file @
f1a74a65
...
...
@@ -9,7 +9,7 @@ module TokenAuthenticatable
private
# rubocop:disable Lint/UselessAccessModifier
def
add_authentication_token_field
(
token_field
,
options
=
{})
@token_fields
=
[]
unless
@token_fields
@token_fields
||=
[]
unique
=
options
.
fetch
(
:unique
,
true
)
if
@token_fields
.
include?
(
token_field
)
...
...
@@ -22,6 +22,8 @@ module TokenAuthenticatable
strategy
=
if
options
[
:digest
]
TokenAuthenticatableStrategies
::
Digest
.
new
(
self
,
token_field
,
options
)
elsif
options
[
:encrypted
]
TokenAuthenticatableStrategies
::
Encrypted
.
new
(
self
,
token_field
,
options
)
else
TokenAuthenticatableStrategies
::
Insecure
.
new
(
self
,
token_field
,
options
)
end
...
...
app/models/concerns/token_authenticatable_strategies/base.rb
View file @
f1a74a65
...
...
@@ -24,6 +24,7 @@ module TokenAuthenticatableStrategies
def
ensure_token
(
instance
)
write_new_token
(
instance
)
unless
token_set?
(
instance
)
get_token
(
instance
)
end
# Returns a token, but only saves when the database is in read & write mode
...
...
app/models/concerns/token_authenticatable_strategies/encrypted.rb
View file @
f1a74a65
...
...
@@ -28,6 +28,7 @@ module TokenAuthenticatableStrategies
raise
ArgumentError
unless
token
.
present?
instance
[
encrypted_field
]
=
Gitlab
::
CryptoHelper
.
aes256_gcm_encrypt
(
token
)
token
end
protected
...
...
db/migrate/20181115140140_add_encrypted_runners_token_to_settings.rb
0 → 100644
View file @
f1a74a65
# frozen_string_literal: true
class
AddEncryptedRunnersTokenToSettings
<
ActiveRecord
::
Migration
include
Gitlab
::
Database
::
MigrationHelpers
DOWNTIME
=
false
def
change
add_column
:application_settings
,
:runners_registration_token_encrypted
,
:string
end
end
db/schema.rb
View file @
f1a74a65
...
...
@@ -11,7 +11,7 @@
#
# It's strongly recommended that you check this file into your version control system.
ActiveRecord
::
Schema
.
define
(
version:
201811
07054254
)
do
ActiveRecord
::
Schema
.
define
(
version:
201811
15140140
)
do
# These are extensions that must be enabled in order to support this database
enable_extension
"plpgsql"
...
...
@@ -167,6 +167,7 @@ ActiveRecord::Schema.define(version: 20181107054254) do
t
.
integer
"diff_max_patch_bytes"
,
default:
102400
,
null:
false
t
.
integer
"archive_builds_in_seconds"
t
.
string
"commit_email_hostname"
t
.
string
"runners_registration_token_encrypted"
end
create_table
"audit_events"
,
force: :cascade
do
|
t
|
...
...
spec/models/concerns/token_authenticatable_spec.rb
View file @
f1a74a65
...
...
@@ -21,44 +21,59 @@ end
describe
ApplicationSetting
,
'TokenAuthenticatable'
do
let
(
:token_field
)
{
:runners_registration_token
}
let
(
:settings
)
{
described_class
.
new
}
it_behaves_like
'TokenAuthenticatable'
describe
'generating new token'
do
context
'token is not generated yet'
do
describe
'token field accessor'
do
subject
{
described_class
.
new
.
send
(
token_field
)
}
subject
{
settings
.
send
(
token_field
)
}
it
{
is_expected
.
not_to
be_blank
}
end
describe
'ensured token'
do
subject
{
described_class
.
new
.
send
(
"ensure_
#{
token_field
}
"
)
}
describe
"ensure_runners_registration_token"
do
subject
{
settings
.
send
(
"ensure_
#{
token_field
}
"
)
}
it
{
is_expected
.
to
be_a
String
}
it
{
is_expected
.
not_to
be_blank
}
it
'does not persist token'
do
expect
(
settings
).
not_to
be_persisted
end
end
describe
'ensured! token'
do
subject
{
described_class
.
new
.
send
(
"ensure_
#{
token_field
}
!"
)
}
describe
'ensure_runners_registration_token!'
do
subject
{
settings
.
send
(
"ensure_
#{
token_field
}
!"
)
}
it
'persists new token as an encrypted string'
do
expect
(
subject
).
to
eq
settings
.
reload
.
runners_registration_token
expect
(
settings
.
read_attribute
(
'runners_registration_token_encrypted'
))
.
to
eq
Gitlab
::
CryptoHelper
.
aes256_gcm_encrypt
(
subject
)
expect
(
settings
).
to
be_persisted
end
it
'persists new token'
do
expect
(
subject
).
to
eq
described_class
.
current
[
token_field
]
it
'does not persist token in a clear text'
do
expect
(
subject
).
not_to
eq
settings
.
reload
.
read_attribute
(
'runners_registration_token_encrypted'
)
end
end
end
context
'token is generated'
do
before
do
s
ubject
.
send
(
"reset_
#{
token_field
}
!"
)
s
ettings
.
send
(
"reset_
#{
token_field
}
!"
)
end
it
'persists a new token'
do
expect
(
s
ubject
.
send
(
:read_attribute
,
token_field
)
).
to
be_a
String
expect
(
s
ettings
.
runners_registration_token
).
to
be_a
String
end
end
end
describe
'setting new token'
do
subject
{
described_class
.
new
.
send
(
"set_
#{
token_field
}
"
,
'0123456789'
)
}
subject
{
settings
.
send
(
"set_
#{
token_field
}
"
,
'0123456789'
)
}
it
{
is_expected
.
to
eq
'0123456789'
}
end
...
...
spec/models/concerns/token_authenticatable_strategies/encrypted_spec.rb
View file @
f1a74a65
...
...
@@ -60,11 +60,11 @@ describe TokenAuthenticatableStrategies::Encrypted do
end
describe
'#set_token'
do
it
'writes encrypted token to a model instance'
do
it
'writes encrypted token to a model instance
and returns it
'
do
expect
(
instance
).
to
receive
(
:[]=
)
.
with
(
'some_field_encrypted'
,
encrypted
)
subject
.
set_token
(
instance
,
'my-value'
)
expect
(
subject
.
set_token
(
instance
,
'my-value'
)).
to
eq
'my-value'
end
end
end
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment