Dependency proxy for packages: update how the credentials are encrypted
🔥 Problem
In Maven dependency proxy (&3610 - closed), we started the implementation of the dependency proxy for packages, starting with Maven.
At that time, we needed a way to store credentials (username + password) securely. For that, we followed https://docs.gitlab.com/ee/development/secure_coding_guidelines.html#handling-credentials. However, that documentation points to #26243, where moving away from attr_encrypted to Active Record encryption has been discussed.
The problem is that Active Record encryption depends on Rails 7.0, which at the time of this writing has not yet landed in the GitLab codebase.
We decided to start the dependency proxy implementation with attr_encrypted so as not to block further work.
Since the implementation is behind a feature flag, we can switch to Active Record encryption once it is available, but the switch has to happen before the feature flag is rolled out.
🚒 Solution
- In ee/app/models/dependency_proxy/packages/setting.rb, switch the encrypted attributes from attr_encrypted to Active Record encryption.
- Columns can be dropped and added freely, as we don't have any live data in the related table.
- ⚠ Do this before rolling out the feature flag.
- ⚠ Be sure to port the CHECK constraint we have in place (length limit, and credentials either both set or both empty).
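As an added example (not code from this issue or from GitLab), here is a plain-Ruby sketch of the invariant the CHECK constraint encodes: the SQL expression to port, an application-level mirror of the same rule on plaintext values, and a measurement of how much larger the stored value becomes once Active Record encryption wraps it in its JSON envelope. The column names, the 255-character plaintext limit and the envelope layout are assumptions; the envelope is an approximation of the Rails 7 format built with OpenSSL here, not the Rails implementation.

```ruby
require 'openssl'
require 'json'

# Builds the CHECK expression to port. Column names and the length bound are
# parameters because the actual constraint is not reproduced in the issue.
# The bound applies to what is stored in the column, i.e. the ciphertext.
def credentials_check_sql(username_col, password_col, max_stored_length)
  <<~SQL.gsub(/\s+/, ' ').strip
    (#{username_col} IS NULL AND #{password_col} IS NULL)
    OR (#{username_col} IS NOT NULL AND #{password_col} IS NOT NULL
        AND char_length(#{username_col}) <= #{max_stored_length}
        AND char_length(#{password_col}) <= #{max_stored_length})
  SQL
end

# Application-level mirror of the invariant, evaluated on plaintext values.
# nil and "" are both treated as "not set", like Rails' blank? for strings,
# so a pair of empty strings is accepted just like a pair of NULLs.
def credential_errors(username, password, max_length: 255)
  errors = []
  user_set = !username.nil? && !username.empty?
  pass_set = !password.nil? && !password.empty?
  errors << :both_or_none if user_set != pass_set
  errors << :username_too_long if user_set && username.length > max_length
  errors << :password_too_long if pass_set && password.length > max_length
  errors
end

# Approximation of the envelope Rails 7 Active Record encryption stores:
# JSON with "p" (base64 AES-256-GCM ciphertext) and "h" headers carrying the
# base64 IV and auth tag. Used only to size the stored value; not Rails code.
def encrypted_envelope(plaintext, key: OpenSSL::Random.random_bytes(32))
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.encrypt
  cipher.key = key
  iv = cipher.random_iv                # 12 random bytes for GCM
  ciphertext = plaintext.empty? ? ''.b : cipher.update(plaintext)
  ciphertext << cipher.final           # GCM: emits no bytes, finalises the tag
  {
    'p' => [ciphertext].pack('m0'),    # strict base64, no line breaks
    'h' => { 'iv' => [iv].pack('m0'), 'at' => [cipher.auth_tag].pack('m0') }
  }.to_json
end

# Number of characters the database column sees for a given plaintext.
def stored_length(plaintext)
  encrypted_envelope(plaintext).bytesize
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample: a 255-character plaintext grows to a 410-character envelope,
  # so a column-level bound of 255 would reject every maximum-length credential.
  longest = 'x' * 255
  puts "plaintext #{longest.length} chars -> stored #{stored_length(longest)} chars"
  puts credentials_check_sql('username', 'password', stored_length(longest))
  p credential_errors('user', nil)     # [:both_or_none]
end
```

In the Rails model the attr_encrypted declarations become `encrypts :username` / `encrypts :password` (the Rails 7 Active Record encryption API), with the both-or-none rule and the plaintext length limit as a normal validation; the database-level constraint added with `add_check_constraint` must instead be sized for the envelope, so the column bound ends up larger than the plaintext bound enforced in the model.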