Merge branch 'sh-bump-ruby-2.4-ee' into 'master'

Upgrade to Ruby 2.4.4 (EE port) See merge request gitlab-org/gitlab-ee!5783

Merge branch 'sh-bump-ruby-2.4-ee' into 'master'
Upgrade to Ruby 2.4.4 (EE port) See merge request gitlab-org/gitlab-ee!5783
c7eafa15 · Stan Hu · 5d538054 · eada28fb · c7eafa15 · c7eafa15
Commit c7eafa15 authored Jun 01, 2018 by Stan Hu
21 changed files
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
-image: "dev.gitlab.org:5005/gitlab/gitlab-build-images:ruby-2.3.7-golang-1.9-git-2.17-chrome-65.0-node-8.x-yarn-1.2-postgresql-9.6"
+image: "dev.gitlab.org:5005/gitlab/gitlab-build-images:ruby-2.4.4-golang-1.9-git-2.17-chrome-65.0-node-8.x-yarn-1.2-postgresql-9.6"

 .dedicated-runner: &dedicated-runner
  retry: 1
@@ -6,7 +6,7 @@ image: "dev.gitlab.org:5005/gitlab/gitlab-build-images:ruby-2.3.7-golang-1.9-git
    - gitlab-org

 .default-cache: &default-cache
-  key: "ruby-2.3.7-debian-stretch-with-yarn"
+  key: "ruby-2.4.4-debian-stretch-with-yarn"
  paths:
    - vendor/ruby
    - .yarn-cache/
@@ -701,7 +701,7 @@ static-analysis:
  script:
    - scripts/static-analysis
  cache:
-    key: "ruby-2.3.7-debian-stretch-with-yarn-and-rubocop"
+    key: "ruby-2.4.4-debian-stretch-with-yarn-and-rubocop"
    paths:
      - vendor/ruby
      - .yarn-cache/

--- a/.ruby-version
+++ b/.ruby-version
-2.3.7
+2.4.4
--- a/app/models/clusters/platforms/kubernetes.rb
+++ b/app/models/clusters/platforms/kubernetes.rb
@@ -13,12 +13,12 @@ module Clusters

      attr_encrypted :password,
        mode: :per_attribute_iv,
-        key: Gitlab::Application.secrets.db_key_base,
+        key: Settings.attr_encrypted_db_key_base,
        algorithm: 'aes-256-cbc'

      attr_encrypted :token,
        mode: :per_attribute_iv,
-        key: Gitlab::Application.secrets.db_key_base,
+        key: Settings.attr_encrypted_db_key_base,
        algorithm: 'aes-256-cbc'

      before_validation :enforce_namespace_to_lower_case

--- a/app/models/clusters/providers/gcp.rb
+++ b/app/models/clusters/providers/gcp.rb
@@ -11,7 +11,7 @@ module Clusters

      attr_encrypted :access_token,
        mode: :per_attribute_iv,
-        key: Gitlab::Application.secrets.db_key_base,
+        key: Settings.attr_encrypted_db_key_base,
        algorithm: 'aes-256-cbc'

      validates :gcp_project_id,

--- a/app/models/concerns/has_variable.rb
+++ b/app/models/concerns/has_variable.rb
@@ -13,7 +13,7 @@ module HasVariable
    attr_encrypted :value,
       mode: :per_attribute_iv_and_salt,
       insecure_mode: true,
-       key: Gitlab::Application.secrets.db_key_base,
+       key: Settings.attr_encrypted_db_key_base,
       algorithm: 'aes-256-cbc'

    def key=(new_key)

--- a/app/models/pages_domain.rb
+++ b/app/models/pages_domain.rb
@@ -19,7 +19,7 @@ class PagesDomain < ActiveRecord::Base
  attr_encrypted :key,
    mode: :per_attribute_iv_and_salt,
    insecure_mode: true,
-    key: Gitlab::Application.secrets.db_key_base,
+    key: Settings.attr_encrypted_db_key_base,
    algorithm: 'aes-256-cbc'

  after_initialize :set_verification_code

--- a/app/models/project_import_data.rb
+++ b/app/models/project_import_data.rb
@@ -5,7 +5,7 @@ class ProjectImportData < ActiveRecord::Base

  belongs_to :project, inverse_of: :import_data
  attr_encrypted :credentials,
-                 key: Gitlab::Application.secrets.db_key_base,
+                 key: Settings.attr_encrypted_db_key_base,
                 marshal: true,
                 encode: true,
                 mode: :per_attribute_iv_and_salt,

--- a/app/models/remote_mirror.rb
+++ b/app/models/remote_mirror.rb
@@ -7,7 +7,7 @@ class RemoteMirror < ActiveRecord::Base
  UNPROTECTED_BACKOFF_DELAY = 5.minutes

  attr_encrypted :credentials,
-                 key: Gitlab::Application.secrets.db_key_base,
+                 key: Settings.attr_encrypted_db_key_base,
                 marshal: true,
                 encode: true,
                 mode: :per_attribute_iv_and_salt,

--- a/config/initializers/secret_token.rb
+++ b/config/initializers/secret_token.rb
+# This file needs to be loaded BEFORE any initializers that attempt to
+# prepend modules that require access to secrets (e.g. EE's 0_as_concern.rb).
+#
 # Be sure to restart your server when you modify this file.

 require 'securerandom'

--- a/config/settings.rb
+++ b/config/settings.rb
@@ -110,6 +110,10 @@ class Settings < Settingslogic
      File.expand_path(path, Rails.root)
    end

+    def attr_encrypted_db_key_base
+      Gitlab::Application.secrets.db_key_base[0..31]
+    end
+
    private

    def base_url(config)

--- a/db/migrate/20160302152808_remove_wrong_import_url_from_projects.rb
+++ b/db/migrate/20160302152808_remove_wrong_import_url_from_projects.rb
@@ -8,7 +8,7 @@ class RemoveWrongImportUrlFromProjects < ActiveRecord::Migration
    extend AttrEncrypted
    attr_accessor :credentials
    attr_encrypted :credentials,
-                   key: Gitlab::Application.secrets.db_key_base,
+                   key: Settings.attr_encrypted_db_key_base,
                   marshal: true,
                   encode: true,
                   :mode => :per_attribute_iv_and_salt,

--- a/db/post_migrate/20171124104327_migrate_kubernetes_service_to_new_clusters_architectures.rb
+++ b/db/post_migrate/20171124104327_migrate_kubernetes_service_to_new_clusters_architectures.rb
@@ -48,7 +48,7 @@ class MigrateKubernetesServiceToNewClustersArchitectures < ActiveRecord::Migrati

    attr_encrypted :token,
      mode: :per_attribute_iv,
-      key: Gitlab::Application.secrets.db_key_base,
+      key: Settings.attr_encrypted_db_key_base,
      algorithm: 'aes-256-cbc'
  end


--- a/doc/install/installation.md
+++ b/doc/install/installation.md
@@ -133,9 +133,9 @@ Remove the old Ruby 1.8 if present:
 Download Ruby and compile it:

    mkdir /tmp/ruby && cd /tmp/ruby
-    curl --remote-name --progress https://cache.ruby-lang.org/pub/ruby/2.3/ruby-2.3.7.tar.gz
-    echo '540996fec64984ab6099e34d2f5820b14904f15a  ruby-2.3.7.tar.gz' | shasum -c - && tar xzf ruby-2.3.7.tar.gz
-    cd ruby-2.3.7
+    curl --remote-name --progress https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.4.tar.gz
+    echo 'ec82b0d53bd0adad9b19e6b45e44d54e9ec3f10c  ruby-2.4.4.tar.gz' | shasum -c - && tar xzf ruby-2.4.4.tar.gz
+    cd ruby-2.4.4

    ./configure --disable-install-rdoc
    make

--- a/ee/app/models/ee/application_setting.rb
+++ b/ee/app/models/ee/application_setting.rb
@@ -70,13 +70,13 @@ module EE

      attr_encrypted :external_auth_client_key,
                     mode: :per_attribute_iv,
-                     key: ::Gitlab::Application.secrets.db_key_base,
+                     key: Settings.attr_encrypted_db_key_base,
                     algorithm: 'aes-256-gcm',
                     encode: true

      attr_encrypted :external_auth_client_key_pass,
                     mode: :per_attribute_iv,
-                     key: ::Gitlab::Application.secrets.db_key_base,
+                     key: Settings.attr_encrypted_db_key_base,
                     algorithm: 'aes-256-gcm',
                     encode: true
    end

--- a/ee/app/models/geo_node.rb
+++ b/ee/app/models/geo_node.rb
@@ -42,7 +42,7 @@ class GeoNode < ActiveRecord::Base
  scope :with_url_prefix, ->(prefix) { where('url LIKE ?', "#{prefix}%") }

  attr_encrypted :secret_access_key,
-                 key: Gitlab::Application.secrets.db_key_base,
+                 key: Settings.attr_encrypted_db_key_base,
                 algorithm: 'aes-256-gcm',
                 mode: :per_attribute_iv,
                 encode: true

--- a/ee/app/validators/x509_certificate_credentials_validator.rb
+++ b/ee/app/validators/x509_certificate_credentials_validator.rb
@@ -48,7 +48,7 @@ class X509CertificateCredentialsValidator < ActiveModel::Validator

  def read_private_key(record)
    OpenSSL::PKey.read(pkey(record).to_s, pass(record).to_s)
-  rescue ArgumentError
+  rescue OpenSSL::PKey::PKeyError, ArgumentError
    # When the primary key could not be read, an ArgumentError is raised.
    # This hapens when the passed key is not valid or the passphrase is incorrect
    nil

--- a/ee/db/migrate/20170224075132_add_access_keys_to_geo_nodes.rb
+++ b/ee/db/migrate/20170224075132_add_access_keys_to_geo_nodes.rb
@@ -10,7 +10,7 @@ class AddAccessKeysToGeoNodes < ActiveRecord::Migration
    extend AttrEncrypted
    attr_accessor :data
    attr_encrypted :data,
-                   key: Gitlab::Application.secrets.db_key_base,
+                   key: Settings.attr_encrypted_db_key_base,
                   algorithm: 'aes-256-gcm',
                   mode: :per_attribute_iv,
                   encode: true

--- a/ee/lib/gitlab/geo/oauth_session.rb
+++ b/ee/lib/gitlab/geo/oauth_session.rb
@@ -77,12 +77,12 @@ module Gitlab
        cipher = OpenSSL::Cipher::AES.new(128, :CBC)
        cipher.__send__(operation) # rubocop:disable GitlabSecurity/PublicSend
        cipher.iv = salt
-        cipher.key = Gitlab::Application.secrets.db_key_base
+        cipher.key = Settings.attr_encrypted_db_key_base[0..15]
        cipher
      end

      def oauth_salt
-        @salt ||= SecureRandom.hex(16)
+        @salt ||= SecureRandom.hex(8)
      end

      def oauth_client

--- a/ee/spec/lib/gitlab/geo/logger_spec.rb
+++ b/ee/spec/lib/gitlab/geo/logger_spec.rb
@@ -3,8 +3,9 @@ require 'spec_helper'
 describe Gitlab::Geo::Logger do
  it 'uses the same log_level defined in Rails' do
    allow(Rails.logger).to receive(:level) { 99 }
-    expect_any_instance_of(::Gitlab::Geo::Logger).to receive(:level=).with(99)

-    described_class.build
+    logger = described_class.build
+
+    expect(logger.level).to eq(99)
  end
 end
--- a/spec/initializers/secret_token_spec.rb
+++ b/spec/initializers/secret_token_spec.rb
 require 'spec_helper'
-require_relative '../../config/initializers/secret_token'
+require_relative '../../config/initializers/01_secret_token'

 describe 'create_tokens' do
  include StubENV

--- a/spec/models/concerns/has_variable_spec.rb
+++ b/spec/models/concerns/has_variable_spec.rb
@@ -45,8 +45,10 @@ describe HasVariable do
    end

    it 'fails to decrypt if iv is incorrect' do
-      subject.encrypted_value_iv = SecureRandom.hex
+      # attr_encrypted expects the IV to be 16-bytes and base64-encoded
+      subject.encrypted_value_iv = [SecureRandom.hex(8)].pack('m')
      subject.instance_variable_set(:@value, nil)
+
      expect { subject.value }
        .to raise_error(OpenSSL::Cipher::CipherError, 'bad decrypt')
    end