Commit e491df5f authored by Grzegorz Bizon's avatar Grzegorz Bizon

Encrypt runners' communication token in the database

parent 478c15fa
...@@ -8,6 +8,9 @@ module Ci ...@@ -8,6 +8,9 @@ module Ci
include RedisCacheable include RedisCacheable
include ChronicDurationAttribute include ChronicDurationAttribute
include FromUnion include FromUnion
include TokenAuthenticatable
add_authentication_token_field :token, encrypted: true, fallback: true
enum access_level: { enum access_level: {
not_protected: 0, not_protected: 0,
...@@ -39,7 +42,7 @@ module Ci ...@@ -39,7 +42,7 @@ module Ci
has_one :last_build, ->() { order('id DESC') }, class_name: 'Ci::Build' has_one :last_build, ->() { order('id DESC') }, class_name: 'Ci::Build'
before_validation :set_default_values before_save :ensure_token
scope :active, -> { where(active: true) } scope :active, -> { where(active: true) }
scope :paused, -> { where(active: false) } scope :paused, -> { where(active: false) }
...@@ -145,10 +148,6 @@ module Ci ...@@ -145,10 +148,6 @@ module Ci
end end
end end
def set_default_values
self.token = SecureRandom.hex(15) if self.token.blank?
end
def assign_to(project, current_user = nil) def assign_to(project, current_user = nil)
if instance_type? if instance_type?
self.runner_type = :project_type self.runner_type = :project_type
......
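Review bot: The callback switch in the second hunk moves token generation from `before_validation :set_default_values` to `before_save :ensure_token`, so a new runner now reaches validation without a token; if Ci::Runner validates the presence of `token` (the validations are outside this hunk), new runners would fail to save, which is worth confirming. The `add_authentication_token_field :token, encrypted: true, fallback: true` line deserves a comment recording the trade-off, since with `fallback: true` the plaintext `token` column is still read for runners that have no `token_encrypted` value and existing tokens therefore stay in clear text until they are backfilled and the plaintext column is dropped, e.g. `# fallback: true keeps reading the legacy plaintext column until existing runners are backfilled`. The removed `set_default_values` generated tokens with `SecureRandom.hex(15)`; the length and entropy of new tokens now depend on `ensure_token` in TokenAuthenticatable, which is not visible here, so check that it is not weaker than the previous 120 bits.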
# frozen_string_literal: true
class AddTokenEncryptedToCiRunners < ActiveRecord::Migration
include Gitlab::Database::MigrationHelpers
DOWNTIME = false
def change
add_column :ci_runners, :token_encrypted, :string
# TODO index
end
end
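Review bot: `# TODO index` leaves the new `token_encrypted` column unindexed, and this is presumably the column runner authentication will look up by once encrypted tokens are written, so every such lookup would be a sequential scan on `ci_runners` and nothing enforces token uniqueness at the database level. If the index is deliberately deferred, the comment should say so and name the follow-up, e.g. `# NOTE: unique index on token_encrypted is added in a follow-up migration (add_concurrent_index requires disable_ddl_transaction!)`; otherwise add it in this migration. The migration also does not backfill `token_encrypted` for existing runners, which is consistent with the model's `fallback: true` reading of the plaintext column but means the plaintext `token` column cannot be removed yet, and that should be stated where the column is added.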
...@@ -11,7 +11,7 @@ ...@@ -11,7 +11,7 @@
# #
# It's strongly recommended that you check this file into your version control system. # It's strongly recommended that you check this file into your version control system.
ActiveRecord::Schema.define(version: 20181116141504) do ActiveRecord::Schema.define(version: 20181120151656) do
# These are extensions that must be enabled in order to support this database # These are extensions that must be enabled in order to support this database
enable_extension "plpgsql" enable_extension "plpgsql"
...@@ -543,6 +543,7 @@ ActiveRecord::Schema.define(version: 20181116141504) do ...@@ -543,6 +543,7 @@ ActiveRecord::Schema.define(version: 20181116141504) do
t.string "ip_address" t.string "ip_address"
t.integer "maximum_timeout" t.integer "maximum_timeout"
t.integer "runner_type", limit: 2, null: false t.integer "runner_type", limit: 2, null: false
t.string "token_encrypted"
end end
add_index "ci_runners", ["contacted_at"], name: "index_ci_runners_on_contacted_at", using: :btree add_index "ci_runners", ["contacted_at"], name: "index_ci_runners_on_contacted_at", using: :btree
......
...@@ -158,6 +158,9 @@ excluded_attributes: ...@@ -158,6 +158,9 @@ excluded_attributes:
- :encrypted_token_iv - :encrypted_token_iv
- :encrypted_url - :encrypted_url
- :encrypted_url_iv - :encrypted_url_iv
runners:
- :token
- :token_encrypted
methods: methods:
labels: labels:
......
...@@ -8,6 +8,7 @@ module Gitlab ...@@ -8,6 +8,7 @@ module Gitlab
triggers: 'Ci::Trigger', triggers: 'Ci::Trigger',
pipeline_schedules: 'Ci::PipelineSchedule', pipeline_schedules: 'Ci::PipelineSchedule',
builds: 'Ci::Build', builds: 'Ci::Build',
runners: 'Ci::Runner',
hooks: 'ProjectHook', hooks: 'ProjectHook',
merge_access_levels: 'ProtectedBranch::MergeAccessLevel', merge_access_levels: 'ProtectedBranch::MergeAccessLevel',
push_access_levels: 'ProtectedBranch::PushAccessLevel', push_access_levels: 'ProtectedBranch::PushAccessLevel',
...@@ -31,7 +32,7 @@ module Gitlab ...@@ -31,7 +32,7 @@ module Gitlab
EXISTING_OBJECT_CHECK = %i[milestone milestones label labels project_label project_labels group_label group_labels project_feature].freeze EXISTING_OBJECT_CHECK = %i[milestone milestones label labels project_label project_labels group_label group_labels project_feature].freeze
TOKEN_RESET_MODELS = %w[Project Namespace Group Ci::Trigger Ci::Build ProjectHook].freeze TOKEN_RESET_MODELS = %w[Project Namespace Ci::Trigger Ci::Build Ci::Runner ProjectHook].freeze
def self.create(*args) def self.create(*args)
new(*args).create new(*args).create
......
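Review bot: The `TOKEN_RESET_MODELS` change in the second hunk drops `Group` from the list while adding `Ci::Runner`, and the commit message does not mention the removal; unless the membership check resolves groups through their `Namespace` ancestry (the check is not visible here), imported groups would no longer have their tokens reset. If the removal is intentional it deserves its own commit or a line in the description; if not, the line should read `TOKEN_RESET_MODELS = %w[Project Namespace Group Ci::Trigger Ci::Build Ci::Runner ProjectHook].freeze`. Adding `Ci::Runner` matches the new `runners: 'Ci::Runner'` mapping in the first hunk, so imported runners receive fresh tokens rather than reusing exported ones, which is the right default for a credential.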