issue 61: 集成服务（jeknins k8s registry）配置信息加密存储

b9bfd72d · 徐超越 · f91fe4f3 · f91fe4f3 · b9bfd72d · b9bfd72d
15 changed file
--- a/conf/rbac_policy.csv
+++ b/conf/rbac_policy.csv
-p, admin, *, *
-p, developer, /atomci/api/v1/getCurrentUser, GET
-p, developer, /atomci/api/v1/projects, POST
-p, developer, /atomci/api/v1/projects/:id, GET
-p, developer, /atomci/api/v1/projects/:id/apps, POST
-p, developer, /atomci/api/v1/projects/:id/apps/:id/branches, POST
-p, developer, /atomci/api/v1/projects/:id/apps/:id, GET
-p, developer, /atomci/api/v1/projects/:id/arrange_env/:env/namespaces, GET
-p, developer, /atomci/api/v1/projects/:id/apps/:id/:env/arrange, GET
-p, developer, /atomci/api/v1/projects/:id/arrange_env/:env/bizclusters, GET
-p, developer, /atomci/api/v1/projects/:id/arrange_env/:env/nodes, GET
-p, developer, /atomci/api/v1/projects/:id/apps/:id/syncBranches, POST
-p, developer, /atomci/api/v1/projects/:id/apps/:id, PATCH
-p, developer, /atomci/api/v1/projects/:id/apps/:id, PUT
-p, developer, /atomci/api/v1/pipelines/flow/stages, GET
-p, developer, /atomci/api/v1/pipelines/:id/publishes/:pipeline_id/stages/:stage_id/steps/:step, GET
-p, developer, /atomci/api/v1/pipelines/:id/publishes/:pipeline_id/stages/:stage_id/steps/:step, POST
-p, developer, /atomci/api/v1/pipelines/flow/stages, GET
-p, developer, /atomci/api/v1/projects/:id/publishes, POST
-p, developer, /atomci/api/v1/projects/:id/publishes/:id/stages/:id/:step, GET
-p, developer, /atomci/api/v1/projects/:id/publishes/:id/stages/:id/:step, POST
-p, developer, /atomci/api/v1/projects/:id/stages/:id/publish-jobs/:id/deploy, POST
-p, developer, /atomci/api/v1/projects/:id/publishes/:id/audits, POST
-p, developer, /atomci/api/v1/projects/:id/publishes/:id, GET
-p, developer, /atomci/api/v1/pipelines/stages/:id/jenkins-config, GET
-p, devManager, /atomci/api/v1/init/users, POST
-p, devManager, /atomci/api/v1/init/groups, POST
-p, devManager, /atomci/api/v1/init/resource, POST
-p, devManager, /atomci/api/v1/init/gateway/:backend, POST
-p, devManager, /atomci/api/v1/getCurrentUser, GET
-p, devManager, /atomci/api/v1/projects, POST
-p, devManager, /atomci/api/v1/projects/:id, GET
-p, devManager, /atomci/api/v1/projects/:id/apps, POST
-p, devManager, /atomci/api/v1/projects/:id/apps/:id/branches, POST
-p, devManager, /atomci/api/v1/projects/:id/apps/:id, GET
-p, devManager, /atomci/api/v1/projects/:id/arrange_env/:env/namespaces, GET
-p, devManager, /atomci/api/v1/projects/:id/apps/:id/:env/arrange, GET
-p, devManager, /atomci/api/v1/projects/:id/arrange_env/:env/bizclusters, GET
-p, devManager, /atomci/api/v1/projects/:id/arrange_env/:env/nodes, GET
-p, devManager, /atomci/api/v1/projects/:id/apps/:id/syncBranches, POST
-p, devManager, /atomci/api/v1/projects/:id/apps/:id, PATCH
-p, devManager, /atomci/api/v1/projects/:id/apps/:id, PUT
-p, devManager, /atomci/api/v1/pipelines/flow/stages, GET
-p, developer, /atomci/api/v1/projects/create, POST
-p, devManager, /atomci/api/v1/projects/create, POST
-p, developer, /atomci/api/v1/projects/:project_id/apps, GET
-p, developer, /atomci/api/v1/projects/:project_id/envs, GET
-p, developer, /atomci/api/v1/projects/:project_id/envs, POST
-p, developer, /atomci/api/v1/projects/:project_id/pipelines, POST
-p, developer, /atomci/api/v1/integrate/clusters, GET
-p, developer, /atomci/api/v1/integrate/settings, GET
-p, developer, /atomci/api/v1/repos, GET
-p, developer, /atomci/api/v1/repos/:repo_id/projects, POST
-p, developer, /atomci/api/v1/integrate/compile_envs, GET
-p, developer, /atomci/api/v1/projects/:project_id/apps/create, POST
-p, devManager, /atomci/api/v1/clusters/:cluster/namespaces/:namespace/apps/:app/restart, POST
-p, devManager, /atomci/api/v1/clusters/:cluster/namespaces/:namespace/apps/:app/scale, POST
-p, devManager, /atomci/api/v1/clusters/:cluster/namespaces/:namespace/pods/:podname/containernames/:containername, GET
-p, devManager, /publishctl/api/v1/projects/:project_id/pipelines, PUT
-p, devManager, /publishctl/api/v1/projects/:project_id/apps/branches, POST
-p, devManager, /publishctl/api/v1/projects/create, POST
-p, devManager, /publishctl/api/v1/projects/:project_id/apps/create, POST
-p, devManager, /atomci/api/v1/projects/:project_id/envs/create, POST
-p, devManager, /atomci/api/v1/clusters/:cluster/namespaces/:namespace/apps/:app, DELETE
-p, devManager, /publishctl/api/v1/projects/:project_id/pipelines/:id, DELETE
-p, devManager, /publishctl/api/v1/projects/:project_id, DELETE
-p, devManager, /publishctl/api/v1/projects/:project_id/apps/:project_app_id, DELETE
-p, devManager, /publishctl/api/v1/projects/:project_id/members/:id, DELETE
-p, devManager, /atomci/api/v1/pipelines/flow/steps, GET
-p, devManager, /publishctl/api/v1/projects/:project_id/apps/:app_id/branches, POST
-p, devManager, /publishctl/api/v1/projects/:project_id/apps, POST
-p, devManager, /atomci/api/v1/clusters/:cluster/namespaces/:namespace/apps/:app/event, GET
-p, devManager, /atomci/api/v1/clusters/:cluster/namespaces/:namespace/apps/:app, GET
-p, devManager, /atomci/api/v1/clusters/:cluster/namespaces/:namespace/apps/:app/log, GET
-p, devManager, /publishctl/api/v1/projects/:project_id/apps/:app_id/:arrange_env/arrange, GET
-p, devManager, /publishctl/api/v1/projects/:project_id/arrange_env/:arrange_env/bizclusters, GET
-p, devManager, /atomci/api/v1/pipelines/stages/:stage_id/jenkins-config, GET
-p, devManager, /publishctl/api/v1/projects/:project_id/arrange_env/:arrange_env/namespaces, GET
-p, devManager, /publishctl/api/v1/projects/:project_id/arrange_env/:arrange_env/nodes, GET
-p, devManager, /publishctl/api/v1/projects/:project_id, GET
-p, devManager, /publishctl/api/v1/projects/:project_id/apps/:project_app_id, GET
-p, devManager, /publishctl/api/v1/projects/:project_id/apps, GET
-p, devManager, /atomci/api/v1/projects/:project_id/clusters/:cluster/apps, POST
-p, devManager, /atomci/api/v1/projects/:project_id/envs, GET
-p, devManager, /atomci/api/v1/projects/:project_id/envs, POST
-p, devManager, /publishctl/api/v1/projects/:project_id/members, GET
-p, devManager, /publishctl/api/v1/projects/:project_id/pipelines, GET
-p, devManager, /atomci/api/v1/projects/:project_id/pipelines, POST
-p, devManager, /atomci/api/v1/arrange/yaml/parser, POST
-p, devManager, /atomci/api/v1/projects/:project_id/pipelines/create, POST
-p, devManager, /atomci/api/v1/projects/:project_id/pipelines/:id, DELETE
-p, devManager, /atomci/api/v1/projects/:project_id/pipelines/:id, PUT
-p, devManager, /caas/api/v1/projects/:project_id/apps/stats, GET
-p, devManager, /publishctl/api/v1/projects, POST
-p, devManager, /publishctl/api/v1/projects/:project_id/pipelines/:id, GET
-p, devManager, /publishctl/api/v1/projects/:project_id/publish/stats, POST
-p, devManager, /publishctl/api/v1/projects/:project_id/apps/:app_id/:arrange_env/arrange, POST
-p, devManager, /publishctl/api/v1/projects/:project_id/apps/:project_app_id, PATCH
-p, devManager, /publishctl/api/v1/projects/:project_id/apps/:app_id/syncBranches, POST
-p, devManager, /publishctl/api/v1/projects/:project_id, PUT
-p, devManager, /publishctl/api/v1/projects/:project_id/apps/:project_app_id, PUT
-p, devManager, /atomci/api/v1/projects/:project_id/envs/:env_id, PUT
-p, devManager, /publishctl/api/v1/projects/:project_id/members, PUT
-p, devManager, /publishctl/api/v1/projects/:project_id/publishes/:publish_id/apps/create, POST
-p, devManager, /publishctl/api/v1/projects/:project_id/publishes/:publish_id, PUT
-p, devManager, /publishctl/api/v1/projects/:project_id/publishes/create, POST
-p, devManager, /publishctl/api/v1/projects/:project_id/publishes/:publish_id, DELETE
-p, devManager, /publishctl/api/v1/projects/:project_id/publishes/:publish_id/apps/:publish_app_id, DELETE
-p, devManager, /publishctl/api/v1/projects/:project_id/publishes/:publish_id/stages/:stage_id/back-to, GET
-p, devManager, /publishctl/api/v1/projects/:project_id/publishes/:publish_id/apps/can_added, GET
-p, devManager, /publishctl/api/v1/pipelines/stages/:stage_id/jenkins-config, GET
-p, devManager, /publishctl/api/v1/projects/:project_id/publishes/:publish_id/stages/:stage_id/next-stage, GET
-p, devManager, /publishctl/api/v1/projects/:project_id/publishes/:publish_id/audits, POST
-p, devManager, /publishctl/api/v1/projects/:project_id/publishes/:publish_id, GET
-p, devManager, /publishctl/api/v1/publish/setup, GET
-p, devManager, /publishctl/api/v1/pipelines/:project_id/publishes/:publish_id/stages/:stage_id/steps/:step_name, GET
-p, devManager, /publishctl/api/v1/projects/:project_id/publishes, POST
-p, devManager, /publishctl/api/v1/pipelines/:project_id/publishes/:publish_id/stages/:stage_id/steps/:step_name, POST
-p, devManager, /publishctl/api/v1/pipelines/:project_id/publishes/:publish_id/stages/:stage_id/steps/:step_name/callback, POST
-p, devManager, /publishctl/api/v1/projects/:project_id/publishes/:publish_id/stages/:stage_id/back-to, POST
-p, devManager, /publishctl/api/v1/projects/:project_id/publishes/:publish_id/stages/:stage_id/next-stage, POST
-p, devManager, /publishctl/api/v1/publish/setup, POST
-p, devManager, /publishctl/api/v1/getCurrentUser, GET
-p, devManager, /publishctl/api/v1/login, POST
-p, devManager, /publishctl/api/v1/logout, GET
-p, devManager, /publishctl/api/v1/pipelines/flow/components, GET
-p, devManager, /publishctl/api/v1/pipelines/flow/stages/create, POST
-p, devManager, /publishctl/api/v1/pipelines/flow/stages/:stage_id, DELETE
-p, devManager, /publishctl/api/v1/pipelines/flow/stages, GET
-p, devManager, /publishctl/api/v1/pipelines/flow/stages, POST
-p, devManager, /publishctl/api/v1/pipelines/flow/stages/:stage_id, PUT
-p, devManager, /publishctl/api/v1/pipelines/flow/steps/create, POST
-p, devManager, /publishctl/api/v1/pipelines/flow/steps/:step_id, DELETE
-p, devManager, /publishctl/api/v1/pipelines/flow/steps, GET
-p, devManager, /publishctl/api/v1/pipelines/flow/steps, POST
-p, devManager, /publishctl/api/v1/pipelines/flow/steps/:step_id, PUT
-p, devManager, /publishctl/api/v1/pipelines/clusters, GET
-p, devManager, /publishctl/api/v1/pipelines/:pipeline_id/setup, GET
-p, devManager, /publishctl/api/v1/pipelines/create, POST
-p, devManager, /publishctl/api/v1/pipelines/:pipeline_id, DELETE
-p, devManager, /publishctl/api/v1/pipelines, GET
-p, devManager, /publishctl/api/v1/pipelines, POST
-p, devManager, /publishctl/api/v1/pipelines/:pipeline_id, PUT
-p, devManager, /publishctl/api/v1/pipelines/reset, POST
-p, devManager, /publishctl/api/v1/pipelines/:pipeline_id/setup, PUT
-g, admin, developer
\ No newline at end of file
--- a/go.mod
+++ b/go.mod
@@ -31,15 +31,17 @@ replace (
 )

 require (
-	github.com/astaxie/beego v1.12.0
-	github.com/casbin/casbin/v2 v2.19.4
+	github.com/astaxie/beego v1.12.1
+	github.com/casbin/beego-orm-adapter/v2 v2.0.2 // indirect
+	github.com/casbin/beego-orm-adapter/v3 v3.0.2
+	github.com/casbin/casbin/v2 v2.37.4
 	github.com/colynn/go-ldap-client/v3 v3.0.0-20201016034829-4c1455a490de
 	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/drone/go-scm v1.18.0
 	github.com/ghodss/yaml v1.0.0
 	github.com/go-atomci/workflow v0.0.0-20211126090842-208f180b47ab
 	github.com/go-gomail/gomail v0.0.0-20160411212932-81ebce5c23df
-	github.com/go-sql-driver/mysql v1.5.0
+	github.com/go-sql-driver/mysql v1.6.0
 	github.com/golang/protobuf v1.4.3 // indirect
 	github.com/google/go-cmp v0.5.5 // indirect
 	github.com/google/uuid v1.2.0 // indirect
@@ -50,12 +52,9 @@ require (
 	github.com/pborman/uuid v1.2.0
 	github.com/shiena/ansicolor v0.0.0-20151119151921-a422bbe96644 // indirect
 	github.com/stretchr/testify v1.7.0
-	golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad
-	golang.org/x/net v0.0.0-20210224082022-3d97a244fca7 // indirect
+	golang.org/x/crypto v0.0.0-20210921155107-089bfa567519
 	golang.org/x/oauth2 v0.0.0-20210126194326-f9ce19ea3013 // indirect
-	golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073 // indirect
 	golang.org/x/term v0.0.0-20201210144234-2321bbc49cbf // indirect
-	golang.org/x/text v0.3.5 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 	gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b // indirect

--- a/go.sum
+++ b/go.sum
--- a/internal/core/apps/gitapp.go
+++ b/internal/core/apps/gitapp.go
@@ -79,13 +79,13 @@ func NewScmProvider(vcsType, vcsPath, user, token string) (*scm.Client, error) {

 // SyncAppBranches ...
 func (manager *AppManager) SyncAppBranches(appID int64) error {
-	projectApp, err := manager.projectModel.GetProjectApp(appID)
+	projectApp, _ := manager.projectModel.GetProjectApp(appID)
 	repoModel, err := manager.gitAppModel.GetRepoByID(projectApp.RepoID)
 	if err != nil {
 		log.Log.Error("GetRepoByID occur error: %v", err.Error())
 		return fmt.Errorf("网络错误，请重试")
 	}
-	client, err := NewScmProvider(repoModel.Type, projectApp.Path, repoModel.User, repoModel.Token)
+	client, _ := NewScmProvider(repoModel.Type, projectApp.Path, repoModel.User, repoModel.GetToken())
 	branchList := []*scm.Reference{}
 	listOptions := scm.ListOptions{
 		Page: 1,

--- a/internal/core/apps/repo.go
+++ b/internal/core/apps/repo.go
@@ -100,19 +100,19 @@ func (manager *AppManager) SetRepoAndGetProjects(cID, repoID int64, request *Set
 		return nil, err
 	}
 	if len(request.User) > 0 && len(request.Token) > 0 {
-		repoModel.Token = request.Token
+		repoModel.SetToken(request.Token)
 		repoModel.User = request.User
 		repoModel.BaseURL = request.BaseURL
 		if err := manager.gitAppModel.UpdateRepo(repoModel); err != nil {
 			log.Log.Error("when setRepoGetprojects, update repomodel failed: %v", err.Error())
 		}
 	} else {
-		if len(repoModel.Token) == 0 {
+		if len(repoModel.GetToken()) == 0 {
 			return nil, fmt.Errorf("首次同步，麻烦输入相关验证信息")
 		}
 	}

-	scmClient, err := NewScmProvider(repoModel.Type, repoModel.BaseURL, repoModel.User, repoModel.Token)
+	scmClient, err := NewScmProvider(repoModel.Type, repoModel.BaseURL, repoModel.User, repoModel.GetToken())
 	if err != nil {
 		log.Log.Error("init scm Client occur error: %v", err.Error())
 		return nil, fmt.Errorf("网络错误，请重试")

--- a/internal/core/kuberes/deployworker.go
+++ b/internal/core/kuberes/deployworker.go
@@ -148,7 +148,7 @@ func getDefaultPullSecretAndRegistryAddr(envID int64) (string, string, error) {
 		return "", "", err
 	}
 	config := settings.Config{}
-	configJSON, err := config.Struct(integrateSettingRegistry.Config, integrateSettingRegistry.Type)
+	configJSON, err := config.Struct(integrateSettingRegistry.DecryptConfig(), integrateSettingRegistry.Type)
 	if err != nil {
 		log.Log.Error("when parse registry config error: %s", err.Error())
 		return "", "", err

--- a/internal/core/pipelinemgr/uitls.go
+++ b/internal/core/pipelinemgr/uitls.go
@@ -355,7 +355,7 @@ func (pm *PipelineManager) CreateBuildJob(creator string, projectID, publishID i
 	if strings.HasSuffix(baseURL, "/") {
 		baseURL = strings.Replace(baseURL, "/", "", -1)
 	}
-	repoConfStr := fmt.Sprintf("{\"%s\":[\"%s\",\"%s\"]}", baseURL, repoModel.User, repoModel.Token)
+	repoConfStr := fmt.Sprintf("{\"%s\":[\"%s\",\"%s\"]}", baseURL, repoModel.User, repoModel.GetToken())

 	adminToken, err := pm.getUserToken("admin")
 	if err != nil {
@@ -632,7 +632,7 @@ func (pm *PipelineManager) getAppCodeCommitByBranch(appID int64, branchName stri
 		return "", err
 	}

-	client, err := apps.NewScmProvider(repoModel.Type, repoModel.BaseURL, repoModel.User, repoModel.Token)
+	client, err := apps.NewScmProvider(repoModel.Type, repoModel.BaseURL, repoModel.User, repoModel.GetToken())
 	if err != nil {
 		return "", err
 	}

--- a/internal/core/settings/settings.go
+++ b/internal/core/settings/settings.go
@@ -190,7 +190,8 @@ func (pm *SettingManager) UpdateIntegrateSetting(request *IntegrateSettingReq, s
 		log.Log.Error("json marshal error: %s", err.Error())
 		return err
 	}
-	stageModel.Config = config
+	//stageModel.Config = config
+	stageModel.CryptoConfig(config)
 	if request.Type == KubernetesType {
 		kube := &KubeConfig{}
 		err := json.Unmarshal([]byte(config), kube)
@@ -364,7 +365,8 @@ func formatIntegrateSettingResponse(items []*models.IntegrateSetting) []*Integra
 }

 func formatSignalIntegrateSetting(item *models.IntegrateSetting, config *Config) *IntegrateSettingResponse {
-	configJSON, err := config.Struct(item.Config, item.Type)
+	item.DecryptConfig()
+	configJSON, err := config.Struct(item.DecryptConfig(), item.Type)
 	if err != nil {
 		log.Log.Error("parse config error: %s", err.Error())
 	}

--- a/internal/dao/role.go
+++ b/internal/dao/role.go
@@ -18,7 +18,6 @@ package dao

 import (
 	"fmt"
-
 	mycasbin "github.com/go-atomci/atomci/internal/middleware/casbin"
 	"github.com/go-atomci/atomci/internal/middleware/log"
 	"github.com/go-atomci/atomci/internal/models"
@@ -229,11 +228,19 @@ func GenerateCasbinrules(role string, operations []int64) error {
 			return err
 		}
 		log.Log.Debug("role: %s, casbin rules length: %v", role, len(casbinRules))
-		addFlag, err := e.AddPolicies(casbinRules)
+
+		// it seems beegormadapter doesn't implement batch adapter, replaced AddPolicies by AddPolicy
+		for _, value := range casbinRules {
+			_, err = e.AddPolicy(value)
+			if err != nil {
+				log.Log.Error("add policys error: %s", err.Error())
+			}
+		}
+		//addFlag, err := e.AddPolicies(casbinRules)
 		if err != nil {
 			log.Log.Error("add policys error: %s", err.Error())
 		}
-		log.Log.Info("add policy to casbin rule, flag: %v", addFlag)
+		//log.Log.Info("add policy to casbin rule, flag: %v", addFlag)
 		if err := e.SavePolicy(); err != nil {
 			log.Log.Error("save casbin policy error: %s", err.Error())
 			return err

--- a/internal/middleware/casbin/model.go
+++ b/internal/middleware/casbin/model.go
@@ -18,13 +18,14 @@ package mycasbin

 // CasbinRule ..
 type CasbinRule struct {
-	PType string `json:"p_type" gorm:"type:varchar(100);"`
-	V0    string `json:"v0" orm:"size(100);"`
-	V1    string `json:"v1" orm:"size(100);"`
-	V2    string `json:"v2" orm:"size(100);"`
-	V3    string `json:"v3" orm:"size(100);"`
-	V4    string `json:"v4" orm:"size(100);"`
-	V5    string `json:"v5" orm:"size(100);"`
+	ID    uint   `gorm:"primaryKey;autoIncrement"`
+	Ptype string `gorm:"size:512"`
+	V0    string `gorm:"size:512"`
+	V1    string `gorm:"size:512"`
+	V2    string `gorm:"size:512"`
+	V3    string `gorm:"size:512"`
+	V4    string `gorm:"size:512"`
+	V5    string `gorm:"size:512"`
 }

 // TableName ..

--- a/internal/middleware/casbin/mycasbin.go
+++ b/internal/middleware/casbin/mycasbin.go
@@ -17,26 +17,24 @@ limitations under the License.
 package mycasbin

 import (
-	glog "log"
-
+	"github.com/astaxie/beego"
 	"github.com/go-atomci/atomci/internal/middleware/log"
-	tools "github.com/go-atomci/atomci/utils"
+	glog "log"

+	beegoormadapter "github.com/casbin/beego-orm-adapter/v3"
 	"github.com/casbin/casbin/v2"
 	"github.com/casbin/casbin/v2/model"
-	fileadapter "github.com/casbin/casbin/v2/persist/file-adapter"
+	_ "github.com/go-sql-driver/mysql"
 )

+var casbinObj *casbin.Enforcer
+
 // NewCasbin ..
 func NewCasbin() (*casbin.Enforcer, error) {
-	// TODO: changet to csv tmp, later add mysql apter
-	// databaseURL := beego.AppConfig.String("DB::url")
-	// Apter, err := gormadapter.NewAdapter("mysql", databaseURL, true)
-	// if err != nil {
-	// 	return nil, err
-	// }
-
-	rbacModel, err := model.NewModelFromString(`
+
+	if casbinObj == nil {
+
+		rbacModel, err := model.NewModelFromString(`
 [request_definition]
 r = sub, obj, act

@@ -54,23 +52,25 @@ e = some(where (p.eft == allow))
 # m = g(r.sub, p.sub) && r.obj == p.obj && (r.act == p.act || p.act == "*") || r.sub == "admin"
 m = g(r.sub, p.sub) && keyMatch2(r.obj,p.obj) && (r.act == p.act || p.act == "*") || r.sub == "admin"
 `)
-	if err != nil {
-		glog.Fatalf("error: model: %s", err)
-	}
+		if err != nil {
+			glog.Fatalf("error: model: %s", err)
+		}

-	rbacPolicyPath := tools.EnsureAbs("conf/rbac_policy.csv")
-	rbacPolicy := fileadapter.NewAdapter(rbacPolicyPath)
+		dsn := beego.AppConfig.String("DB::url")
+		rbacPolicy, _ := beegoormadapter.NewAdapter("casbin", "mysql", dsn)

-	// TODO: change to csv tmp, enable mysql apter later
-	// e, err := casbin.NewEnforcer(rbacConf, Apter)
-	e, err := casbin.NewEnforcer(rbacModel, rbacPolicy)
-	if err != nil {
-		log.Log.Error("casbin new enforcer error: %s", err.Error())
+		e, err := casbin.NewEnforcer(rbacModel, rbacPolicy)
+		if err != nil {
+			log.Log.Error("casbin new enforcer error: %s", err.Error())
+			return nil, err
+		}
+		if err := e.LoadPolicy(); err == nil {
+			casbinObj = e
+			return e, err
+		}
+		log.Log.Error("casbin rbac_model or policy init error, message: %v", err)
 		return nil, err
 	}
-	if err := e.LoadPolicy(); err == nil {
-		return e, err
-	}
-	log.Log.Error("casbin rbac_model or policy init error, message: %v", err)
-	return nil, err
+
+	return casbinObj, nil
 }
--- a/internal/models/gitapp.go
+++ b/internal/models/gitapp.go
@@ -17,9 +17,7 @@ limitations under the License.
 package models

 import (
-	"crypto/aes"
-	"crypto/cipher"
-	"log"
+	"github.com/go-atomci/atomci/utils"
 )

 // GitApp ...
@@ -68,8 +66,8 @@ type RepoServer struct {
 	Type     string `orm:"column(type);" json:"type"`
 	BaseURL  string `orm:"column(base_url);" json:"base_url"`
 	User     string `orm:"column(user);" json:"user"`
-	Token    string `orm:"column(token);" json:"token"`
-	Password string `orm:"column(password);" json:"password"`
+	token    string `orm:"column(token);" json:"token"`
+	password string `orm:"column(password);" json:"password"`
 	CID      int64  `orm:"column(cid);" json:"cid"`
 }

@@ -78,30 +76,26 @@ func (t *RepoServer) TableName() string {
 	return "pub_repo_server"
 }

-// crypto token && password
-const (
-	AES_KEY = "12345678abcdefgh"
-	AES_IV  = "abcdefgh12345678"
-)
+func (repo *RepoServer) SetToken(token string) {
+	plainText := []byte(token)
+	repo.token = string(utils.AesEny(plainText))
+}

-func AesEny(plaintext []byte) []byte {
-	var (
-		block cipher.Block
-		err   error
-	)
-	if block, err = aes.NewCipher([]byte(AES_KEY)); err != nil {
-		log.Fatal(err)
+func (repo *RepoServer) GetToken() string {
+	if len(repo.token) == 0 {
+		return ""
 	}
-	stream := cipher.NewCTR(block, []byte(AES_IV))
-	stream.XORKeyStream(plaintext, plaintext)
-	return plaintext
+	return string(utils.AesEny([]byte(repo.token)))
 }

-func (repo *RepoServer) Crypto() {
-	plainText := []byte(repo.Token)
-	repo.Token = string(AesEny(plainText))
+func (repo *RepoServer) SetPassword(password string) {
+	plainText := []byte(password)
+	repo.password = string(utils.AesEny(plainText))
 }

-func (repo *RepoServer) DecryptoToken() {
-	repo.Token = string(AesEny([]byte(repo.Token)))
+func (repo *RepoServer) GetPassword() string {
+	if len(repo.password) == 0 {
+		return ""
+	}
+	return string(utils.AesEny([]byte(repo.password)))
 }
--- a/internal/models/integrate.go
+++ b/internal/models/integrate.go
@@ -16,6 +16,11 @@ limitations under the License.

 package models

+import (
+	"encoding/base64"
+	"github.com/go-atomci/atomci/utils"
+)
+
 // IntegrateSetting the Basic Data of stages based on commpany
 type IntegrateSetting struct {
 	Addons
@@ -30,3 +35,22 @@ type IntegrateSetting struct {
 func (t *IntegrateSetting) TableName() string {
 	return "sys_integrate_setting"
 }
+
+func (t *IntegrateSetting) CryptoConfig(raw string) {
+	t.crypto(raw)
+	t.Config = t.crypto(raw)
+}
+
+func (t *IntegrateSetting) DecryptConfig() string {
+	return t.decrypt()
+}
+
+func (t *IntegrateSetting) crypto(raw string) string {
+	plainText := []byte(raw)
+	return base64.StdEncoding.EncodeToString(utils.AesEny(plainText))
+}
+
+func (t *IntegrateSetting) decrypt() string {
+	cfg, _ := base64.StdEncoding.DecodeString(t.Config)
+	return string(utils.AesEny(cfg))
+}
--- a/utils/utils.go
+++ b/utils/utils.go
@@ -17,6 +17,9 @@ limitations under the License.
 package utils

 import (
+	"crypto/aes"
+	"crypto/cipher"
+	"log"
 	"math/rand"
 	"os"
 	"os/exec"
@@ -34,7 +37,7 @@ const (
 )

 func Krand(size int, kind int) []byte {
-	ikind, kinds, result := kind, [][]int{[]int{10, 48}, []int{26, 97}, []int{26, 65}}, make([]byte, size)
+	ikind, kinds, result := kind, [][]int{{10, 48}, {26, 97}, {26, 65}}, make([]byte, size)
 	is_all := kind > 2 || kind < 0
 	rand.Seed(time.Now().UnixNano())
 	for i := 0; i < size; i++ {
@@ -132,12 +135,12 @@ func GetRootPath(path string) string {
 // 验证字符长度
 func IsIllegalLength(s string, min int, max int) bool {
 	if min == -1 {
-		return (len(s) > max)
+		return len(s) > max
 	}
 	if max == -1 {
-		return (len(s) <= min)
+		return len(s) <= min
 	}
-	return (len(s) < min || len(s) > max)
+	return len(s) < min || len(s) > max
 }

 const (
@@ -151,3 +154,23 @@ func Restricted(s, regdata string) bool {
 	legal := validName.MatchString(s)
 	return legal
 }
+
+// crypto && decrypt
+const (
+	AES_KEY = "12345678abcdefgh"
+	AES_IV  = "abcdefgh12345678"
+)
+
+// CTR 128bit no padding
+func AesEny(plaintext []byte) []byte {
+	var (
+		block cipher.Block
+		err   error
+	)
+	if block, err = aes.NewCipher([]byte(AES_KEY)); err != nil {
+		log.Fatal(err)
+	}
+	stream := cipher.NewCTR(block, []byte(AES_IV))
+	stream.XORKeyStream(plaintext, plaintext)
+	return plaintext
+}
--- a/utils/utils_test.go
+++ b/utils/utils_test.go
+package utils
+
+import (
+	"encoding/base64"
+	"github.com/stretchr/testify/assert"
+	"log"
+	"testing"
+)
+
+func TestAesCrypto(t *testing.T) {
+	crypted := base64.StdEncoding.EncodeToString(AesEny([]byte("Hello")))
+	log.Printf("%s", crypted)
+	assert.NotEmpty(t, crypted)
+}