Encrypt runners communication token in the database

e491df5f · Grzegorz Bizon · 478c15fa · e491df5f · e491df5f · e491df5f
5 changed file
--- a/app/models/ci/runner.rb
+++ b/app/models/ci/runner.rb
@@ -8,6 +8,9 @@ module Ci
    include RedisCacheable
    include ChronicDurationAttribute
    include FromUnion
+    include TokenAuthenticatable
+
+    add_authentication_token_field :token, encrypted: true, fallback: true

    enum access_level: {
      not_protected: 0,
@@ -39,7 +42,7 @@ module Ci

    has_one :last_build, ->() { order('id DESC') }, class_name: 'Ci::Build'

-    before_validation :set_default_values
+    before_save :ensure_token

    scope :active, -> { where(active: true) }
    scope :paused, -> { where(active: false) }
@@ -145,10 +148,6 @@ module Ci
      end
    end

-    def set_default_values
-      self.token = SecureRandom.hex(15) if self.token.blank?
-    end
-
    def assign_to(project, current_user = nil)
      if instance_type?
        self.runner_type = :project_type

--- a/db/migrate/20181120151656_add_token_encrypted_to_ci_runners.rb
+++ b/db/migrate/20181120151656_add_token_encrypted_to_ci_runners.rb
+# frozen_string_literal: true
+
+class AddTokenEncryptedToCiRunners < ActiveRecord::Migration
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  def change
+    add_column :ci_runners, :token_encrypted, :string
+    # TODO index
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.

-ActiveRecord::Schema.define(version: 20181116141504) do
+ActiveRecord::Schema.define(version: 20181120151656) do

  # These are extensions that must be enabled in order to support this database
  enable_extension "plpgsql"
@@ -543,6 +543,7 @@ ActiveRecord::Schema.define(version: 20181116141504) do
    t.string "ip_address"
    t.integer "maximum_timeout"
    t.integer "runner_type", limit: 2, null: false
+    t.string "token_encrypted"
  end

  add_index "ci_runners", ["contacted_at"], name: "index_ci_runners_on_contacted_at", using: :btree

--- a/lib/gitlab/import_export/import_export.yml
+++ b/lib/gitlab/import_export/import_export.yml
@@ -158,6 +158,9 @@ excluded_attributes:
    - :encrypted_token_iv
    - :encrypted_url
    - :encrypted_url_iv
+  runners:
+    - :token
+    - :token_encrypted

 methods:
  labels:

--- a/lib/gitlab/import_export/relation_factory.rb
+++ b/lib/gitlab/import_export/relation_factory.rb
@@ -8,6 +8,7 @@ module Gitlab
                    triggers: 'Ci::Trigger',
                    pipeline_schedules: 'Ci::PipelineSchedule',
                    builds: 'Ci::Build',
+                    runners: 'Ci::Runner',
                    hooks: 'ProjectHook',
                    merge_access_levels: 'ProtectedBranch::MergeAccessLevel',
                    push_access_levels: 'ProtectedBranch::PushAccessLevel',
@@ -31,7 +32,7 @@ module Gitlab

      EXISTING_OBJECT_CHECK = %i[milestone milestones label labels project_label project_labels group_label group_labels project_feature].freeze

-      TOKEN_RESET_MODELS = %w[Project Namespace Group Ci::Trigger Ci::Build ProjectHook].freeze
+      TOKEN_RESET_MODELS = %w[Project Namespace Ci::Trigger Ci::Build Ci::Runner ProjectHook].freeze

      def self.create(*args)
        new(*args).create