author | Arturo Herrero <arturo.herrero@gmail.com> | 2019-11-22 17:29:53 +0300 |
---|---|---|
committer | Arturo Herrero <arturo.herrero@gmail.com> | 2019-11-25 14:21:51 +0300 |
commit | 4cb930236377c9970bc46d877b13fab78b03aa2d (patch) | |
tree | 8ba7de5feb4ff77d208a3f37ca546447092abc16 /app | |
parent | a8855e2115dee85c7bc0056f538a770f6fabad27 (diff) |
Encrypt application settings with pre and post deployments

We had concerns about the cached values on Redis with the previous two
releases strategy:

First release (this commit):
- Create new encrypted fields in the database.
- Start populating new encrypted fields, read the encrypted fields or
fall back to the plaintext fields.
- Backfill the data removing the plaintext fields to the encrypted
fields.

Second release:
- Remove the virtual attribute (created in step 2).
- Drop plaintext columns from the database (empty columns after
step 3).

We end up with a better strategy only using migration scripts in one
release:
- Pre-deployment migration: Add columns required for storing encrypted
values.
- Pre-deployment migration: Store the encrypted values in the new
columns.
- Post-deployment migration: Remove the old unencrypted columns.
Diffstat (limited to 'app')
-rw-r--r-- | app/models/application_setting.rb | 24 |
1 files changed, 0 insertions, 24 deletions
diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb index d18f96d82f7..fb702b3898e 100644 --- a/app/models/application_setting.rb +++ b/app/models/application_setting.rb @@ -322,30 +322,6 @@ class ApplicationSetting < ApplicationRecord Gitlab::ThreadMemoryCache.cache_backend end - def akismet_api_key - decrypt(:akismet_api_key, self[:encrypted_akismet_api_key]) || self[:akismet_api_key] - end - - def elasticsearch_aws_secret_access_key - decrypt(:elasticsearch_aws_secret_access_key, self[:encrypted_elasticsearch_aws_secret_access_key]) || self[:elasticsearch_aws_secret_access_key] - end - - def recaptcha_private_key - decrypt(:recaptcha_private_key, self[:encrypted_recaptcha_private_key]) || self[:recaptcha_private_key] - end - - def recaptcha_site_key - decrypt(:recaptcha_site_key, self[:encrypted_recaptcha_site_key]) || self[:recaptcha_site_key] - end - - def slack_app_secret - decrypt(:slack_app_secret, self[:encrypted_slack_app_secret]) || self[:slack_app_secret] - end - - def slack_app_verification_token - decrypt(:slack_app_verification_token, self[:encrypted_slack_app_verification_token]) || self[:slack_app_verification_token] - end - def recaptcha_or_login_protection_enabled recaptcha_enabled || login_recaptcha_protection_enabled end |
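Review bot: Removing the `|| self[:akismet_api_key]` style fallback from all six readers in this hunk (`akismet_api_key` through `slack_app_verification_token`) means none of them returns the plaintext column any more, so correctness now depends entirely on the `encrypted_*` columns being filled before this code serves requests. The diffstat is limited to 'app', so the migrations named in the commit message are not visible here; please confirm that the pre-deployment migration storing the encrypted values completes before any node runs this version, and that a spec checks each of the six attributes reads back correctly from its encrypted column alone. The commit message gives cached values on Redis as the reason for dropping the two-release plan, but nothing in this hunk touches caching, so it would help to state in the commit message or a code comment how settings cached before the deployment are expected to behave once these readers are gone, and whether the cache is expired as part of the rollout. It is also worth noting in the rollout documentation that the post-deployment column drop makes a rollback to the previous code lossy for these six secrets.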