diff --git a/.rubocop_todo/gitlab/rails/attr_encrypted.yml b/.rubocop_todo/gitlab/rails/attr_encrypted.yml index f71caaf65d3eef404b39905e7e0c2210d9240487..55a742a0ef292e817f21dd789a490f75432d8022 100644 --- a/.rubocop_todo/gitlab/rails/attr_encrypted.yml +++ b/.rubocop_todo/gitlab/rails/attr_encrypted.yml @@ -3,26 +3,6 @@ Gitlab/Rails/AttrEncrypted: Details: grace period Exclude: - - 'app/models/alert_management/http_integration.rb' - - 'app/models/alerting/project_alerting_setting.rb' - - 'app/models/application_setting.rb' - - 'app/models/atlassian/identity.rb' - - 'app/models/bulk_imports/configuration.rb' - - 'app/models/chat_name.rb' - - 'app/models/ci/trigger.rb' - - 'app/models/cloud_connector/service_access_token.rb' - - 'app/models/clusters/integrations/prometheus.rb' - - 'app/models/clusters/kubernetes_namespace.rb' - - 'app/models/clusters/platforms/kubernetes.rb' - - 'app/models/clusters/providers/aws.rb' - - 'app/models/clusters/providers/gcp.rb' - - 'app/models/concerns/ci/has_variable.rb' - - 'app/models/concerns/ci/new_has_variable.rb' - - 'app/models/concerns/integrations/base/integration.rb' - - 'app/models/concerns/packages/debian/distribution_key.rb' - - 'app/models/concerns/web_hooks/hook.rb' - - 'app/models/error_tracking/project_error_tracking_setting.rb' - - 'app/models/grafana_integration.rb' - 'app/models/incident_management/project_incident_management_setting.rb' - 'app/models/integrations/issue_tracker_data.rb' - 'app/models/integrations/jira_tracker_data.rb' diff --git a/app/models/alert_management/http_integration.rb b/app/models/alert_management/http_integration.rb index 0826a1a65cba860e8db7b2b46a571eb8aa83debd..d449a7bedbcb705be81c1a2cb3ddb50f5eff5ca6 100644 --- a/app/models/alert_management/http_integration.rb +++ b/app/models/alert_management/http_integration.rb @@ -9,10 +9,7 @@ class HttpIntegration < ApplicationRecord belongs_to :project, inverse_of: :alert_management_http_integrations - attr_encrypted :token, - mode: :per_attribute_iv, - key: :db_key_base_32, - algorithm: 'aes-256-gcm' + encrypts :token attribute :endpoint_identifier, default: -> { SecureRandom.hex(8) } diff --git a/app/models/alerting/project_alerting_setting.rb b/app/models/alerting/project_alerting_setting.rb index 1da9faa65b12c0e5f04320266a388fc4b7b95a21..39d960f6b456ea5c79019b5f81a5e4ec037dfffc 100644 --- a/app/models/alerting/project_alerting_setting.rb +++ b/app/models/alerting/project_alerting_setting.rb @@ -10,10 +10,7 @@ class ProjectAlertingSetting < ApplicationRecord validates :token, presence: true - attr_encrypted :token, - mode: :per_attribute_iv, - key: :db_key_base_32, - algorithm: 'aes-256-gcm' + encrypts :token before_validation :ensure_token after_create :create_http_integration diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb index d48b2dbcba5e39ffe35c4f5655d8c2ddaaa3f57c..734f650781bd8696c0de896bea234f378db0e99a 100644 --- a/app/models/application_setting.rb +++ b/app/models/application_setting.rb @@ -918,46 +918,37 @@ def self.kroki_formats_attributes validates :database_reindexing, json_schema: { filename: "application_setting_database_reindexing" } - attr_encrypted :external_auth_client_key, encryption_options_base_32_aes_256_gcm - attr_encrypted :external_auth_client_key_pass, encryption_options_base_32_aes_256_gcm - attr_encrypted :lets_encrypt_private_key, encryption_options_base_32_aes_256_gcm - attr_encrypted :eks_secret_access_key, encryption_options_base_32_aes_256_gcm - attr_encrypted :akismet_api_key, encryption_options_base_32_aes_256_gcm - attr_encrypted :spam_check_api_key, encryption_options_base_32_aes_256_gcm.merge(encode: false) - attr_encrypted :elasticsearch_aws_secret_access_key, encryption_options_base_32_aes_256_gcm - attr_encrypted :elasticsearch_password, encryption_options_base_32_aes_256_gcm.merge(encode: false) - attr_encrypted :recaptcha_private_key, encryption_options_base_32_aes_256_gcm - attr_encrypted :recaptcha_site_key, encryption_options_base_32_aes_256_gcm - attr_encrypted :slack_app_secret, encryption_options_base_32_aes_256_gcm - attr_encrypted :slack_app_signing_secret, - encryption_options_base_32_aes_256_gcm.merge(encode: false, encode_iv: false) - attr_encrypted :slack_app_verification_token, encryption_options_base_32_aes_256_gcm - attr_encrypted :ci_jwt_signing_key, encryption_options_base_32_aes_256_gcm - attr_encrypted :ci_job_token_signing_key, - encryption_options_base_32_aes_256_gcm.merge(encode: false, encode_iv: false) - attr_encrypted :customers_dot_jwt_signing_key, encryption_options_base_32_aes_256_gcm - attr_encrypted :secret_detection_token_revocation_token, encryption_options_base_32_aes_256_gcm - attr_encrypted :cloud_license_auth_token, encryption_options_base_32_aes_256_gcm - attr_encrypted :external_pipeline_validation_service_token, encryption_options_base_32_aes_256_gcm - attr_encrypted :mailgun_signing_key, encryption_options_base_32_aes_256_gcm.merge(encode: false) - attr_encrypted :database_grafana_api_key, - encryption_options_base_32_aes_256_gcm.merge(encode: false, encode_iv: false) - attr_encrypted :arkose_labs_client_xid, encryption_options_base_32_aes_256_gcm.merge(encode: false, encode_iv: false) - attr_encrypted :arkose_labs_client_secret, - encryption_options_base_32_aes_256_gcm.merge(encode: false, encode_iv: false) - attr_encrypted :arkose_labs_public_api_key, - encryption_options_base_32_aes_256_gcm.merge(encode: false, encode_iv: false) - attr_encrypted :arkose_labs_private_api_key, - encryption_options_base_32_aes_256_gcm.merge(encode: false, encode_iv: false) - attr_encrypted :arkose_labs_data_exchange_key, - encryption_options_base_32_aes_256_gcm.merge(encode: false, encode_iv: false) - attr_encrypted :cube_api_key, encryption_options_base_32_aes_256_gcm - attr_encrypted :telesign_customer_xid, encryption_options_base_32_aes_256_gcm.merge(encode: false, encode_iv: false) - attr_encrypted :telesign_api_key, encryption_options_base_32_aes_256_gcm.merge(encode: false, encode_iv: false) - attr_encrypted :product_analytics_configurator_connection_string, - encryption_options_base_32_aes_256_gcm.merge(encode: false, encode_iv: false) - attr_encrypted :secret_detection_service_auth_token, - encryption_options_base_32_aes_256_gcm.merge(encode: false, encode_iv: false) + encrypts :external_auth_client_key + encrypts :external_auth_client_key_pass + encrypts :lets_encrypt_private_key + encrypts :eks_secret_access_key + encrypts :akismet_api_key + encrypts :spam_check_api_key + encrypts :elasticsearch_aws_secret_access_key + encrypts :elasticsearch_password + encrypts :recaptcha_private_key + encrypts :recaptcha_site_key + encrypts :slack_app_secret + encrypts :slack_app_signing_secret + encrypts :slack_app_verification_token + encrypts :ci_jwt_signing_key + encrypts :ci_job_token_signing_key + encrypts :customers_dot_jwt_signing_key + encrypts :secret_detection_token_revocation_token + encrypts :cloud_license_auth_token + encrypts :external_pipeline_validation_service_token + encrypts :mailgun_signing_key + encrypts :database_grafana_api_key + encrypts :arkose_labs_client_xid + encrypts :arkose_labs_client_secret + encrypts :arkose_labs_public_api_key + encrypts :arkose_labs_private_api_key + encrypts :arkose_labs_data_exchange_key + encrypts :cube_api_key + encrypts :telesign_customer_xid + encrypts :telesign_api_key + encrypts :product_analytics_configurator_connection_string + encrypts :secret_detection_service_auth_token # Restricting the validation to `on: :update` only to avoid cyclical dependencies with # License <--> ApplicationSetting. This method calls a license check when we create diff --git a/app/models/atlassian/identity.rb b/app/models/atlassian/identity.rb index 3186f0c0c3a8f7150bef73a3964f9c8fcee4dea9..669ff0dcea94e9925375e5998fc0e307e42b7c7f 100644 --- a/app/models/atlassian/identity.rb +++ b/app/models/atlassian/identity.rb @@ -11,18 +11,8 @@ class Identity < ApplicationRecord validates :extern_uid, presence: true, uniqueness: true validates :user, presence: true, uniqueness: true - attr_encrypted :token, - mode: :per_attribute_iv, - key: :db_key_base_32, - algorithm: 'aes-256-gcm', - encode: false, - encode_iv: false + encrypts :token - attr_encrypted :refresh_token, - mode: :per_attribute_iv, - key: :db_key_base_32, - algorithm: 'aes-256-gcm', - encode: false, - encode_iv: false + encrypts :refresh_token end end diff --git a/app/models/bulk_imports/configuration.rb b/app/models/bulk_imports/configuration.rb index 00343cb4a3c23523e82fb8936d207e4d9c36a0ef..49092abbda3c7cde14f7cb3eec0febf37853fbc8 100644 --- a/app/models/bulk_imports/configuration.rb +++ b/app/models/bulk_imports/configuration.rb @@ -13,14 +13,8 @@ class BulkImports::Configuration < ApplicationRecord validates :url, public_url: { schemes: %w[http https], enforce_sanitization: true, ascii_only: true }, allow_nil: true - attr_encrypted :url, - key: :db_key_base_32, - mode: :per_attribute_iv, - algorithm: 'aes-256-gcm' - attr_encrypted :access_token, - key: :db_key_base_32, - mode: :per_attribute_iv, - algorithm: 'aes-256-gcm' + encrypts :url + encrypts :access_token def safe_url return '' if url.blank? diff --git a/app/models/chat_name.rb b/app/models/chat_name.rb index 435168067baf862dd4f945c6d2498ef859713d89..7412e771ce64e38dadd6632ed78840b5424affc5 100644 --- a/app/models/chat_name.rb +++ b/app/models/chat_name.rb @@ -13,12 +13,7 @@ class ChatName < ApplicationRecord validates :chat_id, uniqueness: { scope: :team_id } - attr_encrypted :token, - mode: :per_attribute_iv, - algorithm: 'aes-256-gcm', - key: :db_key_base_32, - encode: false, - encode_iv: false + encrypts :token # Updates the "last_used_timestamp" but only if it wasn't already updated # recently. diff --git a/app/models/ci/trigger.rb b/app/models/ci/trigger.rb index ce43c92f7fc1bb6782734043130c367bc835b2c8..00aad41134285082ee3bd76f98e2c0890ba41e2e 100644 --- a/app/models/ci/trigger.rb +++ b/app/models/ci/trigger.rb @@ -22,12 +22,7 @@ class Trigger < Ci::ApplicationRecord validate :expires_at_before_instance_max_expiry_date, on: :create - attr_encrypted :encrypted_token_tmp, - attribute: :encrypted_token, - mode: :per_attribute_iv, - algorithm: 'aes-256-gcm', - key: :db_key_base_32, - encode: false + encrypts :encrypted_token_tmp before_validation :set_default_values diff --git a/app/models/cloud_connector/service_access_token.rb b/app/models/cloud_connector/service_access_token.rb index 40d2b58f16a3ae36a487ac81f633a2d9565e5276..f43f4b53858760e55cf4a56cddf22f7f6c7018c2 100644 --- a/app/models/cloud_connector/service_access_token.rb +++ b/app/models/cloud_connector/service_access_token.rb @@ -9,12 +9,7 @@ class ServiceAccessToken < ApplicationRecord scope :expired, -> { where('expires_at < :now', now: Time.current) } scope :active, -> { where('expires_at > :now', now: Time.current) } - attr_encrypted :token, - mode: :per_attribute_iv, - key: :db_key_base_32, - algorithm: 'aes-256-gcm', - encode: false, - encode_iv: false + encrypts :token validates :token, :expires_at, presence: true diff --git a/app/models/clusters/integrations/prometheus.rb b/app/models/clusters/integrations/prometheus.rb index 6e47e9eab3e5e64fb717e10a4b61ffec0d6620b4..7a06d3978a5579eec0916130ed9e2fc547fc6c7f 100644 --- a/app/models/clusters/integrations/prometheus.rb +++ b/app/models/clusters/integrations/prometheus.rb @@ -22,10 +22,7 @@ class Prometheus < ApplicationRecord unhealthy: 2 } - attr_encrypted :alert_manager_token, - mode: :per_attribute_iv, - key: :db_key_base_32, - algorithm: 'aes-256-gcm' + encrypts :alert_manager_token after_initialize :set_alert_manager_token, if: :new_record? diff --git a/app/models/clusters/kubernetes_namespace.rb b/app/models/clusters/kubernetes_namespace.rb index ac80e8494c019739165b34e1835b420672d0ae9b..930d2d9c73be5af088011af80b1d42fc71f88560 100644 --- a/app/models/clusters/kubernetes_namespace.rb +++ b/app/models/clusters/kubernetes_namespace.rb @@ -22,10 +22,7 @@ class KubernetesNamespace < ApplicationRecord delegate :ca_pem, to: :platform_kubernetes, allow_nil: true delegate :api_url, to: :platform_kubernetes, allow_nil: true - attr_encrypted :service_account_token, - mode: :per_attribute_iv, - key: :db_key_base_truncated, - algorithm: 'aes-256-cbc' + encrypts :service_account_token scope :has_service_account_token, -> { where.not(encrypted_service_account_token: nil) } scope :with_environment_name, ->(name) { joins(:environment).where(environments: { name: name }) } diff --git a/app/models/clusters/platforms/kubernetes.rb b/app/models/clusters/platforms/kubernetes.rb index a44069dd742817fe2f454cbb3a55f5019014e892..daba5e647b378a5130cf9e660b779e68205b2e18 100644 --- a/app/models/clusters/platforms/kubernetes.rb +++ b/app/models/clusters/platforms/kubernetes.rb @@ -33,15 +33,9 @@ class Kubernetes < ApplicationRecord belongs_to :cluster, inverse_of: :platform_kubernetes, class_name: 'Clusters::Cluster' - attr_encrypted :password, - mode: :per_attribute_iv, - key: :db_key_base_truncated, - algorithm: 'aes-256-cbc' - - attr_encrypted :token, - mode: :per_attribute_iv, - key: :db_key_base_truncated, - algorithm: 'aes-256-cbc' + encrypts :password + + encrypts :token before_validation :enforce_namespace_to_lower_case before_validation :enforce_ca_whitespace_trimming diff --git a/app/models/clusters/providers/aws.rb b/app/models/clusters/providers/aws.rb index 04b2d8b19ab34aabb1ad8e3bebef7be0ad3a7791..114ba112ba09d24d1a5633846a2284c3c7f51502 100644 --- a/app/models/clusters/providers/aws.rb +++ b/app/models/clusters/providers/aws.rb @@ -17,10 +17,7 @@ class Aws < ApplicationRecord attribute :num_nodes, default: 3 attribute :instance_type, default: "m5.large" - attr_encrypted :secret_access_key, - mode: :per_attribute_iv, - key: :db_key_base_32, - algorithm: 'aes-256-gcm' + encrypts :secret_access_key validates :role_arn, length: 1..2048, diff --git a/app/models/clusters/providers/gcp.rb b/app/models/clusters/providers/gcp.rb index 9438f69aefe88c02dee779ef3354786457d94f49..d9e4dca034547b1232b04f4d552574cab686cdb8 100644 --- a/app/models/clusters/providers/gcp.rb +++ b/app/models/clusters/providers/gcp.rb @@ -17,10 +17,7 @@ class Gcp < ApplicationRecord scope :cloud_run, -> { where(cloud_run: true) } - attr_encrypted :access_token, - mode: :per_attribute_iv, - key: :db_key_base_truncated, - algorithm: 'aes-256-cbc' + encrypts :access_token validates :gcp_project_id, length: 1..63, diff --git a/app/models/concerns/ci/has_variable.rb b/app/models/concerns/ci/has_variable.rb index f38496223c01e29d1bfc78989fb46df024610b55..5fbd96b1d161b6a07e62c0cda51dcc6041496193 100644 --- a/app/models/concerns/ci/has_variable.rb +++ b/app/models/concerns/ci/has_variable.rb @@ -22,11 +22,7 @@ module HasVariable scope :order_key_asc, -> { reorder(key: :asc) } scope :order_key_desc, -> { reorder(key: :desc) } - attr_encrypted :value, - mode: :per_attribute_iv_and_salt, - insecure_mode: true, - key: :db_key_base, - algorithm: 'aes-256-cbc' + encrypts :value alias_method :secret_value, :value alias_method :secret_value=, :value= diff --git a/app/models/concerns/ci/new_has_variable.rb b/app/models/concerns/ci/new_has_variable.rb index 664244291c7caae222f7084096f36d768bd1ea63..3aa3f085c44cb5f2f74f0342245cddcfeabc1b53 100644 --- a/app/models/concerns/ci/new_has_variable.rb +++ b/app/models/concerns/ci/new_has_variable.rb @@ -8,11 +8,7 @@ module NewHasVariable included do include Gitlab::EncryptedAttribute - attr_encrypted :value, - mode: :per_attribute_iv, - algorithm: 'aes-256-gcm', - key: :db_key_base_32, - insecure_mode: false + encrypts :value end end end diff --git a/app/models/concerns/integrations/base/integration.rb b/app/models/concerns/integrations/base/integration.rb index 0279ebbaf59d9cd68bb778b77ae9f367c1651eb0..fe81a1423f4ebe5bdb70a97338f6d097f4394d82 100644 --- a/app/models/concerns/integrations/base/integration.rb +++ b/app/models/concerns/integrations/base/integration.rb @@ -462,14 +462,7 @@ def sorted_ancestors(scope) self.allow_legacy_sti_class = true self.inheritance_column = :type_new # rubocop:disable Database/AvoidInheritanceColumn -- existing code moved as is - attr_encrypted :properties, - mode: :per_attribute_iv, - key: :db_key_base_32, - algorithm: 'aes-256-gcm', - marshal: true, - marshaler: ::Gitlab::Json, - encode: false, - encode_iv: false + encrypts :properties alias_method :name, :title diff --git a/app/models/concerns/packages/debian/distribution_key.rb b/app/models/concerns/packages/debian/distribution_key.rb index 3f22d4886ff2f4736960509564b9b725c1040a2f..97c35c1708e9bfc4701092fb90ae248cd0956f32 100644 --- a/app/models/concerns/packages/debian/distribution_key.rb +++ b/app/models/concerns/packages/debian/distribution_key.rb @@ -19,14 +19,8 @@ module DistributionKey validate :private_key_armored, :public_key_armored - attr_encrypted :private_key, - mode: :per_attribute_iv, - key: :db_key_base_32, - algorithm: 'aes-256-gcm' - attr_encrypted :passphrase, - mode: :per_attribute_iv, - key: :db_key_base_32, - algorithm: 'aes-256-gcm' + encrypts :private_key + encrypts :passphrase private diff --git a/app/models/concerns/web_hooks/hook.rb b/app/models/concerns/web_hooks/hook.rb index d57b5b02113786ad131c69048674f72b624272b2..32eade694691ae260d45c359e1f0883db1b7ddcb 100644 --- a/app/models/concerns/web_hooks/hook.rb +++ b/app/models/concerns/web_hooks/hook.rb @@ -17,33 +17,13 @@ module Hook include WebHooks::AutoDisabling include Gitlab::EncryptedAttribute - attr_encrypted :token, - mode: :per_attribute_iv, - algorithm: 'aes-256-gcm', - key: :db_key_base_32 - - attr_encrypted :url, - mode: :per_attribute_iv, - algorithm: 'aes-256-gcm', - key: :db_key_base_32 - - attr_encrypted :url_variables, - mode: :per_attribute_iv, - key: :db_key_base_32, - algorithm: 'aes-256-gcm', - marshal: true, - marshaler: ::Gitlab::Json, - encode: false, - encode_iv: false - - attr_encrypted :custom_headers, - mode: :per_attribute_iv, - key: :db_key_base_32, - algorithm: 'aes-256-gcm', - marshal: true, - marshaler: ::Gitlab::Json, - encode: false, - encode_iv: false + encrypts :token + + encrypts :url + + encrypts :url_variables + + encrypts :custom_headers validates :url, presence: true validates :url, length: { maximum: MAX_PARAM_LENGTH } diff --git a/app/models/error_tracking/project_error_tracking_setting.rb b/app/models/error_tracking/project_error_tracking_setting.rb index 34b7641111fb2eebe4b664d3e1d694eeeb0046b1..f925bf5fe06240c03198f349d983651c2b6f89fb 100644 --- a/app/models/error_tracking/project_error_tracking_setting.rb +++ b/app/models/error_tracking/project_error_tracking_setting.rb @@ -41,10 +41,7 @@ class ProjectErrorTrackingSetting < ApplicationRecord validate :validate_api_url_path end - attr_encrypted :token, - mode: :per_attribute_iv, - key: :db_key_base_32, - algorithm: 'aes-256-gcm' + encrypts :token before_validation :reset_token diff --git a/app/models/grafana_integration.rb b/app/models/grafana_integration.rb index be157065a44d3f488d7785c45461faf26f299ceb..626b5db30b2add93ef45088fd80d0a7c15503aab 100644 --- a/app/models/grafana_integration.rb +++ b/app/models/grafana_integration.rb @@ -5,10 +5,7 @@ class GrafanaIntegration < ApplicationRecord belongs_to :project - attr_encrypted :token, - mode: :per_attribute_iv, - algorithm: 'aes-256-gcm', - key: :db_key_base_32 + encrypts :token before_validation :check_token_changes