From 027af707c4f339e9d78e2850b64c7a908d080448 Mon Sep 17 00:00:00 2001 From: GitLab Housekeeping Bot Date: Tue, 29 Jul 2025 07:53:31 +0000 Subject: [PATCH] Fix 20 rubocop violations for Gitlab/Rails/AttrEncrypted Fixes the 20 violations for the rubocop rule `Gitlab/Rails/AttrEncrypted` that were previously excluded in `.rubocop_todo/gitlab/rails/attr_encrypted.yml`. The exclusions have now been removed. This change was generated by [gitlab-housekeeper](https://gitlab.com/gitlab-org/gitlab/-/tree/master/gems/gitlab-housekeeper) in [CI](https://gitlab.com/gitlab-org/quality/engineering-productivity/team/-/jobs/10831918737) using the `Keeps::RubocopFixer` keep. To provide feedback on your experience with `gitlab-housekeeper` please create an issue with the label ~"GitLab Housekeeper" and consider pinging the author of this keep. Changelog: other --- .rubocop_todo/gitlab/rails/attr_encrypted.yml | 20 ------ .../alert_management/http_integration.rb | 5 +- .../alerting/project_alerting_setting.rb | 5 +- app/models/application_setting.rb | 71 ++++++++----------- app/models/atlassian/identity.rb | 14 +--- app/models/bulk_imports/configuration.rb | 10 +-- app/models/chat_name.rb | 7 +- app/models/ci/trigger.rb | 7 +- .../cloud_connector/service_access_token.rb | 7 +- .../clusters/integrations/prometheus.rb | 5 +- app/models/clusters/kubernetes_namespace.rb | 5 +- app/models/clusters/platforms/kubernetes.rb | 12 +--- app/models/clusters/providers/aws.rb | 5 +- app/models/clusters/providers/gcp.rb | 5 +- app/models/concerns/ci/has_variable.rb | 6 +- app/models/concerns/ci/new_has_variable.rb | 6 +- .../concerns/integrations/base/integration.rb | 9 +-- .../packages/debian/distribution_key.rb | 10 +-- app/models/concerns/web_hooks/hook.rb | 34 ++------- .../project_error_tracking_setting.rb | 5 +- app/models/grafana_integration.rb | 5 +- 21 files changed, 61 insertions(+), 192 deletions(-) 
diff --git a/.rubocop_todo/gitlab/rails/attr_encrypted.yml b/.rubocop_todo/gitlab/rails/attr_encrypted.yml index f71caaf65d3eef..55a742a0ef292e 100644 --- a/.rubocop_todo/gitlab/rails/attr_encrypted.yml +++ b/.rubocop_todo/gitlab/rails/attr_encrypted.yml @@ -3,26 +3,6 @@ Gitlab/Rails/AttrEncrypted: Details: grace period Exclude: - - 'app/models/alert_management/http_integration.rb' - - 'app/models/alerting/project_alerting_setting.rb' - - 'app/models/application_setting.rb' - - 'app/models/atlassian/identity.rb' - - 'app/models/bulk_imports/configuration.rb' - - 'app/models/chat_name.rb' - - 'app/models/ci/trigger.rb' - - 'app/models/cloud_connector/service_access_token.rb' - - 'app/models/clusters/integrations/prometheus.rb' - - 'app/models/clusters/kubernetes_namespace.rb' - - 'app/models/clusters/platforms/kubernetes.rb' - - 'app/models/clusters/providers/aws.rb' - - 'app/models/clusters/providers/gcp.rb' - - 'app/models/concerns/ci/has_variable.rb' - - 'app/models/concerns/ci/new_has_variable.rb' - - 'app/models/concerns/integrations/base/integration.rb' - - 'app/models/concerns/packages/debian/distribution_key.rb' - - 'app/models/concerns/web_hooks/hook.rb' - - 'app/models/error_tracking/project_error_tracking_setting.rb' - - 'app/models/grafana_integration.rb' - 'app/models/incident_management/project_incident_management_setting.rb' - 'app/models/integrations/issue_tracker_data.rb' - 'app/models/integrations/jira_tracker_data.rb' diff --git a/app/models/alert_management/http_integration.rb b/app/models/alert_management/http_integration.rb index 0826a1a65cba86..d449a7bedbcb70 100644 --- a/app/models/alert_management/http_integration.rb +++ b/app/models/alert_management/http_integration.rb 
@@ -9,10 +9,7 @@ class HttpIntegration < ApplicationRecord belongs_to :project, inverse_of: :alert_management_http_integrations - attr_encrypted :token, - mode: :per_attribute_iv, - key: :db_key_base_32, - algorithm: 'aes-256-gcm' + encrypts :token attribute :endpoint_identifier, default: -> { SecureRandom.hex(8) } diff --git a/app/models/alerting/project_alerting_setting.rb b/app/models/alerting/project_alerting_setting.rb index 1da9faa65b12c0..39d960f6b456ea 100644 --- a/app/models/alerting/project_alerting_setting.rb +++ b/app/models/alerting/project_alerting_setting.rb @@ -10,10 +10,7 @@ class ProjectAlertingSetting < ApplicationRecord validates :token, presence: true - attr_encrypted :token, - mode: :per_attribute_iv, - key: :db_key_base_32, - algorithm: 'aes-256-gcm' + encrypts :token before_validation :ensure_token after_create :create_http_integration diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb index 80d43c0e74914b..2abe55b0240ffe 100644 --- a/app/models/application_setting.rb +++ b/app/models/application_setting.rb 
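Review bot: `encrypts :token` in `alert_management/http_integration.rb` is not a drop-in replacement for the removed `attr_encrypted` call, which pinned the key (`:db_key_base_32`), the cipher (`aes-256-gcm`) and a per-attribute IV. The new line states none of these, and the diffstat lists only model files and the todo file, so no schema change or re-encryption of existing rows accompanies it. If `encrypts` is the Active Record Encryption macro, it would presumably read and write a `token` column rather than the `encrypted_token`/`encrypted_token_iv` pair that attr_encrypted uses by convention, leaving stored secrets unreadable after deploy. The same applies to every other model hunk in this patch. Until a backfill exists I would keep the old declaration and suppress the cop inline, e.g. `attr_encrypted :token, # rubocop:disable Gitlab/Rails/AttrEncrypted -- pending data migration`.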
@@ -918,46 +918,37 @@ def self.kroki_formats_attributes validates :database_reindexing, json_schema: { filename: "application_setting_database_reindexing" } - attr_encrypted :external_auth_client_key, encryption_options_base_32_aes_256_gcm - attr_encrypted :external_auth_client_key_pass, encryption_options_base_32_aes_256_gcm - attr_encrypted :lets_encrypt_private_key, encryption_options_base_32_aes_256_gcm - attr_encrypted :eks_secret_access_key, encryption_options_base_32_aes_256_gcm - attr_encrypted :akismet_api_key, encryption_options_base_32_aes_256_gcm - attr_encrypted :spam_check_api_key, encryption_options_base_32_aes_256_gcm.merge(encode: false) - attr_encrypted :elasticsearch_aws_secret_access_key, encryption_options_base_32_aes_256_gcm - attr_encrypted :elasticsearch_password, encryption_options_base_32_aes_256_gcm.merge(encode: false) - attr_encrypted :recaptcha_private_key, encryption_options_base_32_aes_256_gcm - attr_encrypted :recaptcha_site_key, encryption_options_base_32_aes_256_gcm - attr_encrypted :slack_app_secret, encryption_options_base_32_aes_256_gcm - attr_encrypted :slack_app_signing_secret, - encryption_options_base_32_aes_256_gcm.merge(encode: false, encode_iv: false) - attr_encrypted :slack_app_verification_token, encryption_options_base_32_aes_256_gcm - attr_encrypted :ci_jwt_signing_key, encryption_options_base_32_aes_256_gcm - attr_encrypted :ci_job_token_signing_key, - encryption_options_base_32_aes_256_gcm.merge(encode: false, encode_iv: false) - attr_encrypted :customers_dot_jwt_signing_key, encryption_options_base_32_aes_256_gcm - attr_encrypted :secret_detection_token_revocation_token, encryption_options_base_32_aes_256_gcm - attr_encrypted :cloud_license_auth_token, encryption_options_base_32_aes_256_gcm - attr_encrypted :external_pipeline_validation_service_token, encryption_options_base_32_aes_256_gcm - attr_encrypted :mailgun_signing_key, encryption_options_base_32_aes_256_gcm.merge(encode: false) - attr_encrypted 
:database_grafana_api_key, - encryption_options_base_32_aes_256_gcm.merge(encode: false, encode_iv: false) - attr_encrypted :arkose_labs_client_xid, encryption_options_base_32_aes_256_gcm.merge(encode: false, encode_iv: false) - attr_encrypted :arkose_labs_client_secret, - encryption_options_base_32_aes_256_gcm.merge(encode: false, encode_iv: false) - attr_encrypted :arkose_labs_public_api_key, - encryption_options_base_32_aes_256_gcm.merge(encode: false, encode_iv: false) - attr_encrypted :arkose_labs_private_api_key, - encryption_options_base_32_aes_256_gcm.merge(encode: false, encode_iv: false) - attr_encrypted :arkose_labs_data_exchange_key, - encryption_options_base_32_aes_256_gcm.merge(encode: false, encode_iv: false) - attr_encrypted :cube_api_key, encryption_options_base_32_aes_256_gcm - attr_encrypted :telesign_customer_xid, encryption_options_base_32_aes_256_gcm.merge(encode: false, encode_iv: false) - attr_encrypted :telesign_api_key, encryption_options_base_32_aes_256_gcm.merge(encode: false, encode_iv: false) - attr_encrypted :product_analytics_configurator_connection_string, - encryption_options_base_32_aes_256_gcm.merge(encode: false, encode_iv: false) - attr_encrypted :secret_detection_service_auth_token, - encryption_options_base_32_aes_256_gcm.merge(encode: false, encode_iv: false) + encrypts :external_auth_client_key + encrypts :external_auth_client_key_pass + encrypts :lets_encrypt_private_key + encrypts :eks_secret_access_key + encrypts :akismet_api_key + encrypts :spam_check_api_key + encrypts :elasticsearch_aws_secret_access_key + encrypts :elasticsearch_password + encrypts :recaptcha_private_key + encrypts :recaptcha_site_key + encrypts :slack_app_secret + encrypts :slack_app_signing_secret + encrypts :slack_app_verification_token + encrypts :ci_jwt_signing_key + encrypts :ci_job_token_signing_key + encrypts :customers_dot_jwt_signing_key + encrypts :secret_detection_token_revocation_token + encrypts :cloud_license_auth_token + encrypts 
:external_pipeline_validation_service_token + encrypts :mailgun_signing_key + encrypts :database_grafana_api_key + encrypts :arkose_labs_client_xid + encrypts :arkose_labs_client_secret + encrypts :arkose_labs_public_api_key + encrypts :arkose_labs_private_api_key + encrypts :arkose_labs_data_exchange_key + encrypts :cube_api_key + encrypts :telesign_customer_xid + encrypts :telesign_api_key + encrypts :product_analytics_configurator_connection_string + encrypts :secret_detection_service_auth_token # Restricting the validation to `on: :update` only to avoid cyclical dependencies with # License <--> ApplicationSetting. This method calls a license check when we create diff --git a/app/models/atlassian/identity.rb b/app/models/atlassian/identity.rb index 3186f0c0c3a8f7..669ff0dcea94e9 100644 --- a/app/models/atlassian/identity.rb +++ b/app/models/atlassian/identity.rb @@ -11,18 +11,8 @@ class Identity < ApplicationRecord validates :extern_uid, presence: true, uniqueness: true validates :user, presence: true, uniqueness: true - attr_encrypted :token, - mode: :per_attribute_iv, - key: :db_key_base_32, - algorithm: 'aes-256-gcm', - encode: false, - encode_iv: false + encrypts :token - attr_encrypted :refresh_token, - mode: :per_attribute_iv, - key: :db_key_base_32, - algorithm: 'aes-256-gcm', - encode: false, - encode_iv: false + encrypts :refresh_token end end diff --git a/app/models/bulk_imports/configuration.rb b/app/models/bulk_imports/configuration.rb index 00343cb4a3c235..49092abbda3c7c 100644 --- a/app/models/bulk_imports/configuration.rb +++ b/app/models/bulk_imports/configuration.rb 
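Review bot: The 31 rewritten declarations in `application_setting.rb` discard the only visible record of how each column was stored: some used the base options, some `.merge(encode: false)`, and some `.merge(encode: false, encode_iv: false)`, and all now read as a bare `encrypts`. Any conversion of existing ciphertext needs that per-column distinction, so it should be preserved, for example in a comment above the list naming which attributes were stored unencoded. `encryption_options_base_32_aes_256_gcm` is defined outside this hunk; if these calls were its only users it is now dead code and should be removed in the same change. The columns include signing keys (`ci_jwt_signing_key`, `ci_job_token_signing_key`, `customers_dot_jwt_signing_key`), so this hunk deserves a hand review rather than an autocorrect.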
@@ -13,14 +13,8 @@ class BulkImports::Configuration < ApplicationRecord validates :url, public_url: { schemes: %w[http https], enforce_sanitization: true, ascii_only: true }, allow_nil: true - attr_encrypted :url, - key: :db_key_base_32, - mode: :per_attribute_iv, - algorithm: 'aes-256-gcm' - attr_encrypted :access_token, - key: :db_key_base_32, - mode: :per_attribute_iv, - algorithm: 'aes-256-gcm' + encrypts :url + encrypts :access_token def safe_url return '' if url.blank? diff --git a/app/models/chat_name.rb b/app/models/chat_name.rb index 435168067baf86..7412e771ce64e3 100644 --- a/app/models/chat_name.rb +++ b/app/models/chat_name.rb @@ -13,12 +13,7 @@ class ChatName < ApplicationRecord validates :chat_id, uniqueness: { scope: :team_id } - attr_encrypted :token, - mode: :per_attribute_iv, - algorithm: 'aes-256-gcm', - key: :db_key_base_32, - encode: false, - encode_iv: false + encrypts :token # Updates the "last_used_timestamp" but only if it wasn't already updated # recently. diff --git a/app/models/ci/trigger.rb b/app/models/ci/trigger.rb index ce43c92f7fc1bb..00aad411342850 100644 --- a/app/models/ci/trigger.rb +++ b/app/models/ci/trigger.rb @@ -22,12 +22,7 @@ class Trigger < Ci::ApplicationRecord validate :expires_at_before_instance_max_expiry_date, on: :create - attr_encrypted :encrypted_token_tmp, - attribute: :encrypted_token, - mode: :per_attribute_iv, - algorithm: 'aes-256-gcm', - key: :db_key_base_32, - encode: false + encrypts :encrypted_token_tmp before_validation :set_default_values diff --git a/app/models/cloud_connector/service_access_token.rb b/app/models/cloud_connector/service_access_token.rb index 40d2b58f16a3ae..f43f4b53858760 100644 --- a/app/models/cloud_connector/service_access_token.rb +++ b/app/models/cloud_connector/service_access_token.rb 
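Review bot: `encrypts :encrypted_token_tmp` in `ci/trigger.rb` drops the `attribute: :encrypted_token` option, which told attr_encrypted to keep the ciphertext for the `encrypted_token_tmp` accessor in the `encrypted_token` column. Judging from the removed lines, `encrypted_token_tmp` has no column of its own, so the new declaration presumably cannot work as written. This model needs a hand-written change instead of the autocorrect. At minimum the declaration should target the real column and carry a comment such as `# ciphertext lives in encrypted_token; encrypted_token_tmp is the plaintext accessor`.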
@@ -9,12 +9,7 @@ class ServiceAccessToken < ApplicationRecord scope :expired, -> { where('expires_at < :now', now: Time.current) } scope :active, -> { where('expires_at > :now', now: Time.current) } - attr_encrypted :token, - mode: :per_attribute_iv, - key: :db_key_base_32, - algorithm: 'aes-256-gcm', - encode: false, - encode_iv: false + encrypts :token validates :token, :expires_at, presence: true diff --git a/app/models/clusters/integrations/prometheus.rb b/app/models/clusters/integrations/prometheus.rb index 6e47e9eab3e5e6..7a06d3978a5579 100644 --- a/app/models/clusters/integrations/prometheus.rb +++ b/app/models/clusters/integrations/prometheus.rb @@ -22,10 +22,7 @@ class Prometheus < ApplicationRecord unhealthy: 2 } - attr_encrypted :alert_manager_token, - mode: :per_attribute_iv, - key: :db_key_base_32, - algorithm: 'aes-256-gcm' + encrypts :alert_manager_token after_initialize :set_alert_manager_token, if: :new_record? diff --git a/app/models/clusters/kubernetes_namespace.rb b/app/models/clusters/kubernetes_namespace.rb index ac80e8494c0197..930d2d9c73be5a 100644 --- a/app/models/clusters/kubernetes_namespace.rb +++ b/app/models/clusters/kubernetes_namespace.rb @@ -22,10 +22,7 @@ class KubernetesNamespace < ApplicationRecord delegate :ca_pem, to: :platform_kubernetes, allow_nil: true delegate :api_url, to: :platform_kubernetes, allow_nil: true - attr_encrypted :service_account_token, - mode: :per_attribute_iv, - key: :db_key_base_truncated, - algorithm: 'aes-256-cbc' + encrypts :service_account_token scope :has_service_account_token, -> { where.not(encrypted_service_account_token: nil) } scope :with_environment_name, ->(name) { joins(:environment).where(environments: { name: name }) } diff --git a/app/models/clusters/platforms/kubernetes.rb b/app/models/clusters/platforms/kubernetes.rb index a44069dd742817..daba5e647b378a 100644 --- a/app/models/clusters/platforms/kubernetes.rb +++ b/app/models/clusters/platforms/kubernetes.rb 
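Review bot: The context line `scope :has_service_account_token, -> { where.not(encrypted_service_account_token: nil) }` in `kubernetes_namespace.rb` still queries the attr_encrypted column, while nothing in the hunk shows the new `encrypts :service_account_token` writing to that column. The removed declaration also used a different scheme from most of the patch (`key: :db_key_base_truncated`, `algorithm: 'aes-256-cbc'`), so a conversion for this table cannot reuse the GCM path. The same holds for the `platforms/kubernetes.rb` and `providers/gcp.rb` hunks. Either the scope and the declaration change together with a data migration, or this file stays on the exclusion list.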
@@ -33,15 +33,9 @@ class Kubernetes < ApplicationRecord belongs_to :cluster, inverse_of: :platform_kubernetes, class_name: 'Clusters::Cluster' - attr_encrypted :password, - mode: :per_attribute_iv, - key: :db_key_base_truncated, - algorithm: 'aes-256-cbc' - - attr_encrypted :token, - mode: :per_attribute_iv, - key: :db_key_base_truncated, - algorithm: 'aes-256-cbc' + encrypts :password + + encrypts :token before_validation :enforce_namespace_to_lower_case before_validation :enforce_ca_whitespace_trimming diff --git a/app/models/clusters/providers/aws.rb b/app/models/clusters/providers/aws.rb index 04b2d8b19ab34a..114ba112ba09d2 100644 --- a/app/models/clusters/providers/aws.rb +++ b/app/models/clusters/providers/aws.rb @@ -17,10 +17,7 @@ class Aws < ApplicationRecord attribute :num_nodes, default: 3 attribute :instance_type, default: "m5.large" - attr_encrypted :secret_access_key, - mode: :per_attribute_iv, - key: :db_key_base_32, - algorithm: 'aes-256-gcm' + encrypts :secret_access_key validates :role_arn, length: 1..2048, diff --git a/app/models/clusters/providers/gcp.rb b/app/models/clusters/providers/gcp.rb index 9438f69aefe88c..d9e4dca034547b 100644 --- a/app/models/clusters/providers/gcp.rb +++ b/app/models/clusters/providers/gcp.rb @@ -17,10 +17,7 @@ class Gcp < ApplicationRecord scope :cloud_run, -> { where(cloud_run: true) } - attr_encrypted :access_token, - mode: :per_attribute_iv, - key: :db_key_base_truncated, - algorithm: 'aes-256-cbc' + encrypts :access_token validates :gcp_project_id, length: 1..63, diff --git a/app/models/concerns/ci/has_variable.rb b/app/models/concerns/ci/has_variable.rb index f38496223c01e2..5fbd96b1d161b6 100644 --- a/app/models/concerns/ci/has_variable.rb +++ b/app/models/concerns/ci/has_variable.rb 
@@ -22,11 +22,7 @@ module HasVariable scope :order_key_asc, -> { reorder(key: :asc) } scope :order_key_desc, -> { reorder(key: :desc) } - attr_encrypted :value, - mode: :per_attribute_iv_and_salt, - insecure_mode: true, - key: :db_key_base, - algorithm: 'aes-256-cbc' + encrypts :value alias_method :secret_value, :value alias_method :secret_value=, :value= diff --git a/app/models/concerns/ci/new_has_variable.rb b/app/models/concerns/ci/new_has_variable.rb index 664244291c7caa..3aa3f085c44cb5 100644 --- a/app/models/concerns/ci/new_has_variable.rb +++ b/app/models/concerns/ci/new_has_variable.rb @@ -8,11 +8,7 @@ module NewHasVariable included do include Gitlab::EncryptedAttribute - attr_encrypted :value, - mode: :per_attribute_iv, - algorithm: 'aes-256-gcm', - key: :db_key_base_32, - insecure_mode: false + encrypts :value end end end diff --git a/app/models/concerns/integrations/base/integration.rb b/app/models/concerns/integrations/base/integration.rb index 0279ebbaf59d9c..fe81a1423f4ebe 100644 --- a/app/models/concerns/integrations/base/integration.rb +++ b/app/models/concerns/integrations/base/integration.rb @@ -462,14 +462,7 @@ def sorted_ancestors(scope) self.allow_legacy_sti_class = true self.inheritance_column = :type_new # rubocop:disable Database/AvoidInheritanceColumn -- existing code moved as is - attr_encrypted :properties, - mode: :per_attribute_iv, - key: :db_key_base_32, - algorithm: 'aes-256-gcm', - marshal: true, - marshaler: ::Gitlab::Json, - encode: false, - encode_iv: false + encrypts :properties alias_method :name, :title diff --git a/app/models/concerns/packages/debian/distribution_key.rb b/app/models/concerns/packages/debian/distribution_key.rb index 3f22d4886ff2f4..97c35c1708e9bf 100644 --- a/app/models/concerns/packages/debian/distribution_key.rb +++ b/app/models/concerns/packages/debian/distribution_key.rb 
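Review bot: The context lines `alias_method :secret_value, :value` and `alias_method :secret_value=, :value=` directly below the new `encrypts :value` in `ci/has_variable.rb` relied on attr_encrypted defining `value` and `value=` at declaration time. If `encrypts` is the Active Record Encryption macro, those accessors are ordinary attribute methods that Active Record generates lazily, so the aliases may raise `NameError` when the concern is included; this needs checking before merge. The removed options (`mode: :per_attribute_iv_and_salt`, `insecure_mode: true`, `key: :db_key_base`) also mark this as the legacy scheme, so existing CI variable values need their own conversion path. The enclosing block starts outside the hunk.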
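Review bot: The removed `attr_encrypted :properties` in `integrations/base/integration.rb` carried `marshal: true, marshaler: ::Gitlab::Json`, so the attribute is a structured value that was serialized to JSON before encryption; the bare `encrypts :properties` says nothing about serialization. Unless the column type or a separate declaration outside this hunk covers it, a Hash assigned to the attribute would presumably no longer round-trip. The `url_variables` and `custom_headers` declarations in `web_hooks/hook.rb` lose the same two options. If the conversion is kept, each of the three needs an explicit serializer next to it and a comment stating the stored format, e.g. `# JSON-serialized Hash, encrypted at rest`.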
@@ -19,14 +19,8 @@ module DistributionKey validate :private_key_armored, :public_key_armored - attr_encrypted :private_key, - mode: :per_attribute_iv, - key: :db_key_base_32, - algorithm: 'aes-256-gcm' - attr_encrypted :passphrase, - mode: :per_attribute_iv, - key: :db_key_base_32, - algorithm: 'aes-256-gcm' + encrypts :private_key + encrypts :passphrase private diff --git a/app/models/concerns/web_hooks/hook.rb b/app/models/concerns/web_hooks/hook.rb index d57b5b02113786..32eade694691ae 100644 --- a/app/models/concerns/web_hooks/hook.rb +++ b/app/models/concerns/web_hooks/hook.rb @@ -17,33 +17,13 @@ module Hook include WebHooks::AutoDisabling include Gitlab::EncryptedAttribute - attr_encrypted :token, - mode: :per_attribute_iv, - algorithm: 'aes-256-gcm', - key: :db_key_base_32 - - attr_encrypted :url, - mode: :per_attribute_iv, - algorithm: 'aes-256-gcm', - key: :db_key_base_32 - - attr_encrypted :url_variables, - mode: :per_attribute_iv, - key: :db_key_base_32, - algorithm: 'aes-256-gcm', - marshal: true, - marshaler: ::Gitlab::Json, - encode: false, - encode_iv: false - - attr_encrypted :custom_headers, - mode: :per_attribute_iv, - key: :db_key_base_32, - algorithm: 'aes-256-gcm', - marshal: true, - marshaler: ::Gitlab::Json, - encode: false, - encode_iv: false + encrypts :token + + encrypts :url + + encrypts :url_variables + + encrypts :custom_headers validates :url, presence: true validates :url, length: { maximum: MAX_PARAM_LENGTH } diff --git a/app/models/error_tracking/project_error_tracking_setting.rb b/app/models/error_tracking/project_error_tracking_setting.rb index 34b7641111fb2e..f925bf5fe06240 100644 --- a/app/models/error_tracking/project_error_tracking_setting.rb +++ b/app/models/error_tracking/project_error_tracking_setting.rb 
@@ -41,10 +41,7 @@ class ProjectErrorTrackingSetting < ApplicationRecord validate :validate_api_url_path end - attr_encrypted :token, - mode: :per_attribute_iv, - key: :db_key_base_32, - algorithm: 'aes-256-gcm' + encrypts :token before_validation :reset_token diff --git a/app/models/grafana_integration.rb b/app/models/grafana_integration.rb index be157065a44d3f..626b5db30b2add 100644 --- a/app/models/grafana_integration.rb +++ b/app/models/grafana_integration.rb @@ -5,10 +5,7 @@ class GrafanaIntegration < ApplicationRecord belongs_to :project - attr_encrypted :token, - mode: :per_attribute_iv, - algorithm: 'aes-256-gcm', - key: :db_key_base_32 + encrypts :token before_validation :check_token_changes -- GitLab