Commit 4468104f authored by Douwe Maan's avatar Douwe Maan

Merge branch 'fix/import-encrypt-atts' into 'master'

Ignore encrypted attributes in Import/Export

Closes #24458

See merge request !8739
parents 7f27a35e 017a5068
...@@ -183,6 +183,8 @@ ...@@ -183,6 +183,8 @@
%li Build traces and artifacts %li Build traces and artifacts
%li LFS objects %li LFS objects
%li Container registry images %li Container registry images
%li CI variables
%li Any encrypted tokens
%hr %hr
- if can? current_user, :archive_project, @project - if can? current_user, :archive_project, @project
.row.prepend-top-default .row.prepend-top-default
......
---
title: Ignore encrypted attributes in Import/Export
merge_request:
author:
...@@ -22,7 +22,8 @@ with all their related data and be moved into a new GitLab instance. ...@@ -22,7 +22,8 @@ with all their related data and be moved into a new GitLab instance.
| GitLab version | Import/Export version | | GitLab version | Import/Export version |
| -------- | -------- | | -------- | -------- |
| 8.13.0 to current | 0.1.5 | | 8.16.2 to current | 0.1.6 |
| 8.13.0 | 0.1.5 |
| 8.12.0 | 0.1.4 | | 8.12.0 | 0.1.4 |
| 8.10.3 | 0.1.3 | | 8.10.3 | 0.1.3 |
| 8.10.0 | 0.1.2 | | 8.10.0 | 0.1.2 |
...@@ -47,6 +48,9 @@ The following items will NOT be exported: ...@@ -47,6 +48,9 @@ The following items will NOT be exported:
- Build traces and artifacts - Build traces and artifacts
- LFS objects - LFS objects
- Container registry images
- CI variables
- Any encrypted tokens
## Exporting a project and its data ## Exporting a project and its data
......
...@@ -3,7 +3,7 @@ module Gitlab ...@@ -3,7 +3,7 @@ module Gitlab
extend self extend self
# For every version update, the version history in import_export.md has to be kept up to date. # For every version update, the version history in import_export.md has to be kept up to date.
VERSION = '0.1.5' VERSION = '0.1.6'
FILENAME_LIMIT = 50 FILENAME_LIMIT = 50
def export_path(relative_path:) def export_path(relative_path:)
......
...@@ -39,7 +39,6 @@ project_tree: ...@@ -39,7 +39,6 @@ project_tree:
- :author - :author
- :events - :events
- :statuses - :statuses
- :variables
- :triggers - :triggers
- :deploy_keys - :deploy_keys
- :services - :services
......
...@@ -4,7 +4,6 @@ module Gitlab ...@@ -4,7 +4,6 @@ module Gitlab
OVERRIDES = { snippets: :project_snippets, OVERRIDES = { snippets: :project_snippets,
pipelines: 'Ci::Pipeline', pipelines: 'Ci::Pipeline',
statuses: 'commit_status', statuses: 'commit_status',
variables: 'Ci::Variable',
triggers: 'Ci::Trigger', triggers: 'Ci::Trigger',
builds: 'Ci::Build', builds: 'Ci::Build',
hooks: 'ProjectHook', hooks: 'ProjectHook',
...@@ -24,6 +23,8 @@ module Gitlab ...@@ -24,6 +23,8 @@ module Gitlab
EXISTING_OBJECT_CHECK = %i[milestone milestones label labels project_label project_labels group_label group_labels].freeze EXISTING_OBJECT_CHECK = %i[milestone milestones label labels project_label project_labels group_label group_labels].freeze
TOKEN_RESET_MODELS = %w[Ci::Trigger Ci::Build ProjectHook].freeze
def self.create(*args) def self.create(*args)
new(*args).create new(*args).create
end end
...@@ -61,7 +62,9 @@ module Gitlab ...@@ -61,7 +62,9 @@ module Gitlab
update_project_references update_project_references
handle_group_label if group_label? handle_group_label if group_label?
reset_ci_tokens if @relation_name == 'Ci::Trigger' reset_tokens!
remove_encrypted_attributes!
@relation_hash['data'].deep_symbolize_keys! if @relation_name == :events && @relation_hash['data'] @relation_hash['data'].deep_symbolize_keys! if @relation_name == :events && @relation_hash['data']
set_st_diffs if @relation_name == :merge_request_diff set_st_diffs if @relation_name == :merge_request_diff
end end
...@@ -140,11 +143,22 @@ module Gitlab ...@@ -140,11 +143,22 @@ module Gitlab
end end
end end
def reset_ci_tokens def reset_tokens!
return unless Gitlab::ImportExport.reset_tokens? return unless Gitlab::ImportExport.reset_tokens? && TOKEN_RESET_MODELS.include?(@relation_name.to_s)
# If we import/export a project to the same instance, tokens will have to be reset. # If we import/export a project to the same instance, tokens will have to be reset.
@relation_hash['token'] = nil # We also have to reset them to avoid issues when the gitlab secrets file cannot be copied across.
relation_class.attribute_names.select { |name| name.include?('token') }.each do |token|
@relation_hash[token] = nil
end
end
def remove_encrypted_attributes!
return unless relation_class.respond_to?(:encrypted_attributes) && relation_class.encrypted_attributes.any?
relation_class.encrypted_attributes.each_key do |key|
@relation_hash[key.to_s] = nil
end
end end
def relation_class def relation_class
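Review bot: `remove_encrypted_attributes!` sets `@relation_hash[key.to_s] = nil` with `key` taken from `encrypted_attributes.each_key`, so only the virtual attribute name is cleared. If these models use attr_encrypted, the ciphertext, IV and salt are stored under separate column names, and this method leaves any such keys from an imported archive untouched. Whether they are filtered out before the record is built cannot be seen here, because the rest of the class lies outside the hunks. Since the archive is untrusted input, I would clear those keys explicitly too, for example by iterating with `each do |name, options|` and also setting `@relation_hash[options[:attribute].to_s] = nil`. A spec asserting that the `encrypted_*` columns are nil on the created object would pin this down.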
......
...@@ -74,6 +74,9 @@ feature 'Import/Export - project export integration test', feature: true, js: tr ...@@ -74,6 +74,9 @@ feature 'Import/Export - project export integration test', feature: true, js: tr
Otherwise, please add the exception to +safe_list+ in CURRENT_SPEC using #{sensitive_word} as the key and the Otherwise, please add the exception to +safe_list+ in CURRENT_SPEC using #{sensitive_word} as the key and the
correspondent hash or model as the value. correspondent hash or model as the value.
Also, if the attribute is a generated unique token, please add it to RelationFactory::TOKEN_RESET_MODELS if it needs to be
reset (to prevent duplicate column problems while importing to the same instance).
IMPORT_EXPORT_CONFIG: #{Gitlab::ImportExport.config_file} IMPORT_EXPORT_CONFIG: #{Gitlab::ImportExport.config_file}
CURRENT_SPEC: #{__FILE__} CURRENT_SPEC: #{__FILE__}
MSG MSG
......
...@@ -6980,12 +6980,17 @@ ...@@ -6980,12 +6980,17 @@
} }
] ]
} }
],
"variables": [
], ],
"triggers": [ "triggers": [
{
"id": 123,
"token": "cdbfasdf44a5958c83654733449e585",
"project_id": null,
"deleted_at": null,
"created_at": "2017-01-16T15:25:28.637Z",
"updated_at": "2017-01-16T15:25:28.637Z",
"gl_project_id": 123
}
], ],
"deploy_keys": [ "deploy_keys": [
......
...@@ -197,6 +197,20 @@ describe Gitlab::ImportExport::ProjectTreeRestorer, services: true do ...@@ -197,6 +197,20 @@ describe Gitlab::ImportExport::ProjectTreeRestorer, services: true do
expect(restored_project_json).to be true expect(restored_project_json).to be true
end end
end end
context 'tokens are regenerated' do
before do
restored_project_json
end
it 'has a new CI trigger token' do
expect(Ci::Trigger.where(token: 'cdbfasdf44a5958c83654733449e585')).to be_empty
end
it 'has a new CI build token' do
expect(Ci::Build.where(token: 'abcd')).to be_empty
end
end
end end
end end
end end
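Review bot: Both examples under 'tokens are regenerated' only assert that the old value is absent (`where(token: ...)` is empty), so they would also pass if the imported record ended up with a nil token or if the fixture never contained that token. The trigger token appears in the fixture change on this page, but a build with token `abcd` does not, so confirm the second example is not vacuous. Since the example names promise a new token, add a positive assertion such as `expect(Ci::Trigger.first.token).to be_present`, assuming the model generates a token when it is saved with none.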
...@@ -55,8 +55,8 @@ describe Gitlab::ImportExport::RelationFactory, lib: true do ...@@ -55,8 +55,8 @@ describe Gitlab::ImportExport::RelationFactory, lib: true do
expect(created_object.project_id).to eq(project.id) expect(created_object.project_id).to eq(project.id)
end end
it 'has a token' do it 'has a nil token' do
expect(created_object.token).to eq(token) expect(created_object.token).to eq(nil)
end end
context 'original service exists' do context 'original service exists' do
...@@ -178,4 +178,15 @@ describe Gitlab::ImportExport::RelationFactory, lib: true do ...@@ -178,4 +178,15 @@ describe Gitlab::ImportExport::RelationFactory, lib: true do
expect(created_object.author).to eq(new_user) expect(created_object.author).to eq(new_user)
end end
end end
context 'encrypted attributes' do
let(:relation_sym) { 'Ci::Variable' }
let(:relation_hash) do
create(:ci_variable).as_json
end
it 'has no value for the encrypted attribute' do
expect(created_object.value).to be_nil
end
end
end end
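Review bot: The rewritten example asserts `expect(created_object.token).to eq(nil)`, while the new 'encrypted attributes' example in the same file uses `be_nil`; prefer `be_nil` in both for consistency. If a `token` helper is still defined outside this hunk solely for the old assertion, it is now unused and can be removed.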