diff options
author | Douwe Maan <douwe@gitlab.com> | 2016-08-10 19:54:54 +0300 |
---|---|---|
committer | Douwe Maan <douwe@gitlab.com> | 2016-08-10 19:54:54 +0300 |
commit | b1aac0382c406b3856db90e15df8b2a9ea7ff6cd (patch) | |
tree | 2db352e89f59c6ad5fb0dd7c89c40a001c590509 /app | |
parent | 4ccba6bf2ddd48d66cd9cd8c6cee5eae19691cbb (diff) | |
parent | 2785a56e7d1968dfda03850a14af296d71b06503 (diff) |
Merge branch 'decouple-secret-keys' into 'master'
Store OTP secret key in secrets.yml
## What does this MR do?
Migrate the value of `.secret` to `config/secrets.yml` if present, so that `.secret` can be rotated without preventing all users with 2FA from logging in. (On a clean setup, generate different keys for each.)
## Are there points in the code the reviewer needs to double check?
I'm not sure we actually need `.secret` at all after this, but it seems safer not to touch it.
## Why was this MR needed?
We have some DB encryption keys in `config/secrets.yml`, and one in `.secret`. They should all be in the same place.
## What are the relevant issue numbers?
#3963, which isn't closed until I make the relevant changes in Omnibus too.
## Does this MR meet the acceptance criteria?
- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [x] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- ~~API support added~~
- Tests
- [x] Added for this feature/bug
- [x] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)
See merge request !5274
Diffstat (limited to 'app')
-rw-r--r-- | app/models/user.rb | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/app/models/user.rb b/app/models/user.rb index db747434959..73368be7b1b 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -23,13 +23,13 @@ class User < ActiveRecord::Base default_value_for :theme_id, gitlab_config.default_theme attr_encrypted :otp_secret, - key: Gitlab::Application.config.secret_key_base, + key: Gitlab::Application.secrets.otp_key_base, mode: :per_attribute_iv_and_salt, insecure_mode: true, algorithm: 'aes-256-cbc' devise :two_factor_authenticatable, - otp_secret_encryption_key: Gitlab::Application.config.secret_key_base + otp_secret_encryption_key: Gitlab::Application.secrets.otp_key_base devise :two_factor_backupable, otp_number_of_backup_codes: 10 serialize :otp_backup_codes, JSON |