jro_apps/redmine Commit - r4830:a78d5659593d

Adds support for SCM/LDAP passwords encryption in the database (#7411)....

Jean-Philippe Lang -

r4830:a78d5659593d

parent child

Context file:

r4830:a78d5659593d

Collapse all files

db/migrate/20110226120112_change_repositories_password_limit.rb created 644 +9 0

@@ -0,0 +1,9
	1	class ChangeRepositoriesPasswordLimit < ActiveRecord::Migration
	2	def self.up
	3	change_column :repositories, :password, :string, :limit => nil, :default => ''
	4	end
	5
	6	def self.down
	7	change_column :repositories, :password, :string, :limit => 60, :default => ''
	8	end
	9	end

db/migrate/20110226120132_change_auth_sources_account_password_limit.rb created 644 +9 0

@@ -0,0 +1,9
	1	class ChangeAuthSourcesAccountPasswordLimit < ActiveRecord::Migration
	2	def self.up
	3	change_column :auth_sources, :account_password, :string, :limit => nil, :default => ''
	4	end
	5
	6	def self.down
	7	change_column :auth_sources, :account_password, :string, :limit => 60, :default => ''
	8	end
	9	end

lib/redmine/ciphering.rb created 644 +95 0

@@ -0,0 +1,95
	1	# Redmine - project management software
	2	# Copyright (C) 2006-2011 Jean-Philippe Lang
	3	#
	4	# This program is free software; you can redistribute it and/or
	5	# modify it under the terms of the GNU General Public License
	6	# as published by the Free Software Foundation; either version 2
	7	# of the License, or (at your option) any later version.
	8	#
	9	# This program is distributed in the hope that it will be useful,
	10	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	11	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	12	# GNU General Public License for more details.
	13	#
	14	# You should have received a copy of the GNU General Public License
	15	# along with this program; if not, write to the Free Software
	16	# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
	17
	18	module Redmine
	19	module Ciphering
	20	def self.included(base)
	21	base.extend ClassMethods
	22	end
	23
	24	class << self
	25	def encrypt_text(text)
	26	if cipher_key.blank?
	27	text
	28	else
	29	c = OpenSSL::Cipher::Cipher.new("aes-256-cbc")
	30	iv = c.random_iv
	31	c.encrypt
	32	c.key = cipher_key
	33	c.iv = iv
	34	e = c.update(text.to_s)
	35	e << c.final
	36	"aes-256-cbc:" + [e, iv].map {\|v\| Base64.encode64(v).strip}.join('--')
	37	end
	38	end
	39
	40	def decrypt_text(text)
	41	if text && match = text.match(/\Aaes-256-cbc:(.+)\Z/)
	42	text = match[1]
	43	c = OpenSSL::Cipher::Cipher.new("aes-256-cbc")
	44	e, iv = text.split("--").map {\|s\| Base64.decode64(s)}
	45	c.decrypt
	46	c.key = cipher_key
	47	c.iv = iv
	48	d = c.update(e)
	49	d << c.final
	50	else
	51	text
	52	end
	53	end
	54
	55	def cipher_key
	56	key = Redmine::Configuration['database_cipher_key'].to_s
	57	key.blank? ? nil : Digest::SHA256.hexdigest(key)
	58	end
	59	end
	60
	61	module ClassMethods
	62	def encrypt_all(attribute)
	63	transaction do
	64	all.each do \|object\|
	65	clear = object.send(attribute)
	66	object.send "#{attribute}=", clear
	67	raise(ActiveRecord::Rollback) unless object.save(false)
	68	end
	69	end ? true : false
	70	end
	71
	72	def decrypt_all(attribute)
	73	transaction do
	74	all.each do \|object\|
	75	clear = object.send(attribute)
	76	object.write_attribute attribute, clear
	77	raise(ActiveRecord::Rollback) unless object.save(false)
	78	end
	79	end
	80	end ? true : false
	81	end
	82
	83	private
	84
	85	# Returns the value of the given ciphered attribute
	86	def read_ciphered_attribute(attribute)
	87	Redmine::Ciphering.decrypt_text(read_attribute(attribute))
	88	end
	89
	90	# Sets the value of the given ciphered attribute
	91	def write_ciphered_attribute(attribute, value)
	92	write_attribute(attribute, Redmine::Ciphering.encrypt_text(value))
	93	end
	94	end
	95	end

lib/tasks/ciphering.rake created 644 +35 0

@@ -0,0 +1,35
	1	# Redmine - project management software
	2	# Copyright (C) 2006-2011 Jean-Philippe Lang
	3	#
	4	# This program is free software; you can redistribute it and/or
	5	# modify it under the terms of the GNU General Public License
	6	# as published by the Free Software Foundation; either version 2
	7	# of the License, or (at your option) any later version.
	8	#
	9	# This program is distributed in the hope that it will be useful,
	10	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	11	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	12	# GNU General Public License for more details.
	13	#
	14	# You should have received a copy of the GNU General Public License
	15	# along with this program; if not, write to the Free Software
	16	# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
	17
	18
	19	namespace :db do
	20	desc 'Encrypts SCM and LDAP passwords in the database.'
	21	task :encrypt => :environment do
	22	unless (Repository.encrypt_all(:password) &&
	23	AuthSource.encrypt_all(:account_password))
	24	raise "Some objects could not be saved after encryption, update was rollback'ed."
	25	end
	26	end
	27
	28	desc 'Decrypts SCM and LDAP passwords in the database.'
	29	task :decrypt => :environment do
	30	unless (Repository.decrypt_all(:password) &&
	31	AuthSource.decrypt_all(:account_password))
	32	raise "Some objects could not be saved after decryption, update was rollback'ed."
	33	end
	34	end
	35	end

test/unit/lib/redmine/ciphering_test.rb created 644 +84 0

@@ -0,0 +1,84
	1	# Redmine - project management software
	2	# Copyright (C) 2006-2011 Jean-Philippe Lang
	3	#
	4	# This program is free software; you can redistribute it and/or
	5	# modify it under the terms of the GNU General Public License
	6	# as published by the Free Software Foundation; either version 2
	7	# of the License, or (at your option) any later version.
	8	#
	9	# This program is distributed in the hope that it will be useful,
	10	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	11	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	12	# GNU General Public License for more details.
	13	#
	14	# You should have received a copy of the GNU General Public License
	15	# along with this program; if not, write to the Free Software
	16	# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
	17
	18	require File.expand_path('../../../../test_helper', __FILE__)
	19
	20	class Redmine::CipheringTest < ActiveSupport::TestCase
	21
	22	def test_password_should_be_encrypted
	23	Redmine::Configuration.with 'database_cipher_key' => 'secret' do
	24	r = Repository::Subversion.generate!(:password => 'foo')
	25	assert_equal 'foo', r.password
	26	assert r.read_attribute(:password).match(/\Aaes-256-cbc:.+\Z/)
	27	end
	28	end
	29
	30	def test_password_should_be_clear_with_blank_key
	31	Redmine::Configuration.with 'database_cipher_key' => '' do
	32	r = Repository::Subversion.generate!(:password => 'foo')
	33	assert_equal 'foo', r.password
	34	assert_equal 'foo', r.read_attribute(:password)
	35	end
	36	end
	37
	38	def test_password_should_be_clear_with_nil_key
	39	Redmine::Configuration.with 'database_cipher_key' => nil do
	40	r = Repository::Subversion.generate!(:password => 'foo')
	41	assert_equal 'foo', r.password
	42	assert_equal 'foo', r.read_attribute(:password)
	43	end
	44	end
	45
	46	def test_unciphered_password_should_be_readable
	47	Redmine::Configuration.with 'database_cipher_key' => nil do
	48	r = Repository::Subversion.generate!(:password => 'clear')
	49	end
	50
	51	Redmine::Configuration.with 'database_cipher_key' => 'secret' do
	52	r = Repository.first(:order => 'id DESC')
	53	assert_equal 'clear', r.password
	54	end
	55	end
	56
	57	def test_encrypt_all
	58	Repository.delete_all
	59	Redmine::Configuration.with 'database_cipher_key' => nil do
	60	Repository::Subversion.generate!(:password => 'foo')
	61	Repository::Subversion.generate!(:password => 'bar')
	62	end
	63
	64	Redmine::Configuration.with 'database_cipher_key' => 'secret' do
	65	assert Repository.encrypt_all(:password)
	66	r = Repository.first(:order => 'id DESC')
	67	assert_equal 'bar', r.password
	68	assert r.read_attribute(:password).match(/\Aaes-256-cbc:.+\Z/)
	69	end
	70	end
	71
	72	def test_decrypt_all
	73	Repository.delete_all
	74	Redmine::Configuration.with 'database_cipher_key' => 'secret' do
	75	Repository::Subversion.generate!(:password => 'foo')
	76	Repository::Subversion.generate!(:password => 'bar')
	77
	78	assert Repository.decrypt_all(:password)
	79	r = Repository.first(:order => 'id DESC')
	80	assert_equal 'bar', r.password
	81	assert_equal 'bar', r.read_attribute(:password)
	82	end
	83	end
	84	end

app/models/auth_source.rb +10 0

             # redMine - project management software
             # Copyright (C) 2006  Jean-Philippe Lang
             #
             # This program is free software; you can redistribute it and/or
             # modify it under the terms of the GNU General Public License
             # as published by the Free Software Foundation; either version 2
             # of the License, or (at your option) any later version.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU General Public License
             # along with this program; if not, write to the Free Software
             # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
             class AuthSource < ActiveRecord::Base
+              include Redmine::Ciphering
               has_many :users
               validates_presence_of :name
               validates_uniqueness_of :name
               validates_length_of :name, :maximum => 60
               def authenticate(login, password)
               end
               def test_connection
               end
               def auth_method_name
                 "Abstract"
               end
+              def account_password
+                read_ciphered_attribute(:account_password)
+              end
+              def account_password=(arg)
+                write_ciphered_attribute(:account_password, arg)
+              end
               def allow_password_changes?
                 self.class.allow_password_changes?
               end
               # Does this auth source backend allow password changes?
               def self.allow_password_changes?
                 false
               end
               # Try to authenticate a user not yet registered against available sources
               def self.authenticate(login, password)
                 AuthSource.find(:all, :conditions => ["onthefly_register=?", true]).each do |source|
                   begin
                     logger.debug "Authenticating '#{login}' against '#{source.name}'" if logger && logger.debug?
                     attrs = source.authenticate(login, password)
                   rescue => e
                     logger.error "Error during authentication: #{e.message}"
                     attrs = nil
                   end
                   return attrs if attrs
                 end
                 return nil
               end
             end

app/models/auth_source_ldap.rb +2 -2

             # redMine - project management software
             # Copyright (C) 2006  Jean-Philippe Lang
             #
             # This program is free software; you can redistribute it and/or
             # modify it under the terms of the GNU General Public License
             # as published by the Free Software Foundation; either version 2
             # of the License, or (at your option) any later version.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU General Public License
             # along with this program; if not, write to the Free Software
             # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
             require 'net/ldap'
             require 'iconv'
             class AuthSourceLdap < AuthSource
               validates_presence_of :host, :port, :attr_login
-              validates_length_of :name, :host, :account_password, :maximum => 60, :allow_nil => true
+              validates_length_of :name, :host, :maximum => 60, :allow_nil => true
-              validates_length_of :account, :base_dn, :maximum => 255, :allow_nil => true
+              validates_length_of :account, :account_password, :base_dn, :maximum => 255, :allow_nil => true
               validates_length_of :attr_login, :attr_firstname, :attr_lastname, :attr_mail, :maximum => 30, :allow_nil => true
               validates_numericality_of :port, :only_integer => true
               before_validation :strip_ldap_attributes
               def after_initialize
                 self.port = 389 if self.port == 0
               end
               def authenticate(login, password)
                 return nil if login.blank? || password.blank?
                 attrs = get_user_dn(login)
                 if attrs && attrs[:dn] && authenticate_dn(attrs[:dn], password)
                   logger.debug "Authentication successful for '#{login}'" if logger && logger.debug?
                   return attrs.except(:dn)
                 end
               rescue  Net::LDAP::LdapError => text
                 raise "LdapError: " + text
               end
               # test the connection to the LDAP
               def test_connection
                 ldap_con = initialize_ldap_con(self.account, self.account_password)
                 ldap_con.open { }
               rescue  Net::LDAP::LdapError => text
                 raise "LdapError: " + text
               end
               def auth_method_name
                 "LDAP"
               end
               private
               def strip_ldap_attributes
                 [:attr_login, :attr_firstname, :attr_lastname, :attr_mail].each do |attr|
                   write_attribute(attr, read_attribute(attr).strip) unless read_attribute(attr).nil?
                 end
               end
               def initialize_ldap_con(ldap_user, ldap_password)
                 options = { :host => self.host,
                             :port => self.port,
                             :encryption => (self.tls ? :simple_tls : nil)
                           }
                 options.merge!(:auth => { :method => :simple, :username => ldap_user, :password => ldap_password }) unless ldap_user.blank? && ldap_password.blank?
                 Net::LDAP.new options
               end
               def get_user_attributes_from_ldap_entry(entry)
                 {
                  :dn => entry.dn,
                  :firstname => AuthSourceLdap.get_attr(entry, self.attr_firstname),
                  :lastname => AuthSourceLdap.get_attr(entry, self.attr_lastname),
                  :mail => AuthSourceLdap.get_attr(entry, self.attr_mail),
                  :auth_source_id => self.id
                 }
               end
               # Return the attributes needed for the LDAP search.  It will only
               # include the user attributes if on-the-fly registration is enabled
               def search_attributes
                 if onthefly_register?
                   ['dn', self.attr_firstname, self.attr_lastname, self.attr_mail]
                 else
                   ['dn']
                 end
               end
               # Check if a DN (user record) authenticates with the password
               def authenticate_dn(dn, password)
                 if dn.present? && password.present?
                   initialize_ldap_con(dn, password).bind
                 end
               end
               # Get the user's dn and any attributes for them, given their login
               def get_user_dn(login)
                 ldap_con = initialize_ldap_con(self.account, self.account_password)
                 login_filter = Net::LDAP::Filter.eq( self.attr_login, login )
                 object_filter = Net::LDAP::Filter.eq( "objectClass", "*" )
                 attrs = {}
                 ldap_con.search( :base => self.base_dn,
                                  :filter => object_filter & login_filter,
                                  :attributes=> search_attributes) do |entry|
                   if onthefly_register?
                     attrs = get_user_attributes_from_ldap_entry(entry)
                   else
                     attrs = {:dn => entry.dn}
                   end
                   logger.debug "DN found for #{login}: #{attrs[:dn]}" if logger && logger.debug?
                 end
                 attrs
               end
               def self.get_attr(entry, attr_name)
                 if !attr_name.blank?
                   entry[attr_name].is_a?(Array) ? entry[attr_name].first : entry[attr_name]
                 end
               end
             end

app/models/repository.rb +11 0

             # redMine - project management software
             # Copyright (C) 2006-2007  Jean-Philippe Lang
             #
             # This program is free software; you can redistribute it and/or
             # modify it under the terms of the GNU General Public License
             # as published by the Free Software Foundation; either version 2
             # of the License, or (at your option) any later version.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU General Public License
             # along with this program; if not, write to the Free Software
             # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
             class Repository < ActiveRecord::Base
+              include Redmine::Ciphering
               belongs_to :project
               has_many :changesets, :order => "#{Changeset.table_name}.committed_on DESC, #{Changeset.table_name}.id DESC"
               has_many :changes, :through => :changesets
               # Raw SQL to delete changesets and changes in the database
               # has_many :changesets, :dependent => :destroy is too slow for big repositories
               before_destroy :clear_changesets
+              validates_length_of :password, :maximum => 255, :allow_nil => true
               # Checks if the SCM is enabled when creating a repository
               validate_on_create { |r| r.errors.add(:type, :invalid) unless Setting.enabled_scm.include?(r.class.name.demodulize) }
               # Removes leading and trailing whitespace
               def url=(arg)
                 write_attribute(:url, arg ? arg.to_s.strip : nil)
               end
               # Removes leading and trailing whitespace
               def root_url=(arg)
                 write_attribute(:root_url, arg ? arg.to_s.strip : nil)
               end
+              def password
+                read_ciphered_attribute(:password)
+              end
+              def password=(arg)
+                write_ciphered_attribute(:password, arg)
+              end
               def scm_adapter
                 self.class.scm_adapter_class
               end
               def scm
                 @scm ||= self.scm_adapter.new(url, root_url,
                                               login, password, path_encoding)
                 update_attribute(:root_url, @scm.root_url) if root_url.blank?
                 @scm
               end
               def scm_name
                 self.class.scm_name
               end
               def supports_cat?
                 scm.supports_cat?
               end
               def supports_annotate?
                 scm.supports_annotate?
               end
               def entry(path=nil, identifier=nil)
                 scm.entry(path, identifier)
               end
               def entries(path=nil, identifier=nil)
                 scm.entries(path, identifier)
               end
               def branches
                 scm.branches
               end
               def tags
                 scm.tags
               end
               def default_branch
                 scm.default_branch
               end
               def properties(path, identifier=nil)
                 scm.properties(path, identifier)
               end
               def cat(path, identifier=nil)
                 scm.cat(path, identifier)
               end
               def diff(path, rev, rev_to)
                 scm.diff(path, rev, rev_to)
               end
               def diff_format_revisions(cs, cs_to, sep=':')
                 text = ""
                 text << cs_to.format_identifier + sep if cs_to
                 text << cs.format_identifier if cs
                 text
               end
               # Returns a path relative to the url of the repository
               def relative_path(path)
                 path
               end
               # Finds and returns a revision with a number or the beginning of a hash
               def find_changeset_by_name(name)
                 return nil if name.blank?
                 changesets.find(:first, :conditions => (name.match(/^\d*$/) ? ["revision = ?", name.to_s] : ["revision LIKE ?", name + '%']))
               end
               def latest_changeset
                 @latest_changeset ||= changesets.find(:first)
               end
               # Returns the latest changesets for +path+
               # Default behaviour is to search in cached changesets
               def latest_changesets(path, rev, limit=10)
                 if path.blank?
                   changesets.find(:all, :include => :user,
                                         :order => "#{Changeset.table_name}.committed_on DESC, #{Changeset.table_name}.id DESC",
                                         :limit => limit)
                 else
                   changes.find(:all, :include => {:changeset => :user},
                                      :conditions => ["path = ?", path.with_leading_slash],
                                      :order => "#{Changeset.table_name}.committed_on DESC, #{Changeset.table_name}.id DESC",
                                      :limit => limit).collect(&:changeset)
                 end
               end
               def scan_changesets_for_issue_ids
                 self.changesets.each(&:scan_comment_for_issue_ids)
               end
               # Returns an array of committers usernames and associated user_id
               def committers
                 @committers ||= Changeset.connection.select_rows("SELECT DISTINCT committer, user_id FROM #{Changeset.table_name} WHERE repository_id = #{id}")
               end
               # Maps committers username to a user ids
               def committer_ids=(h)
                 if h.is_a?(Hash)
                   committers.each do |committer, user_id|
                     new_user_id = h[committer]
                     if new_user_id && (new_user_id.to_i != user_id.to_i)
                       new_user_id = (new_user_id.to_i > 0 ? new_user_id.to_i : nil)
                       Changeset.update_all("user_id = #{ new_user_id.nil? ? 'NULL' : new_user_id }", ["repository_id = ? AND committer = ?", id, committer])
                     end
                   end
                   @committers = nil
                   @found_committer_users = nil
                   true
                 else
                   false
                 end
               end
               # Returns the Redmine User corresponding to the given +committer+
               # It will return nil if the committer is not yet mapped and if no User
               # with the same username or email was found
               def find_committer_user(committer)
                 unless committer.blank?
                   @found_committer_users ||= {}
                   return @found_committer_users[committer] if @found_committer_users.has_key?(committer)
                   user = nil
                   c = changesets.find(:first, :conditions => {:committer => committer}, :include => :user)
                   if c && c.user
                     user = c.user
                   elsif committer.strip =~ /^([^<]+)(<(.*)>)?$/
                     username, email = $1.strip, $3
                     u = User.find_by_login(username)
                     u ||= User.find_by_mail(email) unless email.blank?
                     user = u
                   end
                   @found_committer_users[committer] = user
                   user
                 end
               end
               # Fetches new changesets for all repositories of active projects
               # Can be called periodically by an external script
               # eg. ruby script/runner "Repository.fetch_changesets"
               def self.fetch_changesets
                 Project.active.has_module(:repository).find(:all, :include => :repository).each do |project|
                   if project.repository
                     begin
                       project.repository.fetch_changesets
                     rescue Redmine::Scm::Adapters::CommandFailed => e
                       logger.error "scm: error during fetching changesets: #{e.message}"
                     end
                   end
                 end
               end
               # scan changeset comments to find related and fixed issues for all repositories
               def self.scan_changesets_for_issue_ids
                 find(:all).each(&:scan_changesets_for_issue_ids)
               end
               def self.scm_name
                 'Abstract'
               end
               def self.available_scm
                 subclasses.collect {|klass| [klass.scm_name, klass.name]}
               end
               def self.factory(klass_name, *args)
                 klass = "Repository::#{klass_name}".constantize
                 klass.new(*args)
               rescue
                 nil
               end
               def self.scm_adapter_class
                 nil
               end
               def self.scm_command
                 ret = ""
                 begin
                   ret = self.scm_adapter_class.client_command if self.scm_adapter_class
                 rescue Redmine::Scm::Adapters::CommandFailed => e
                   logger.error "scm: error during get command: #{e.message}"
                 end
                 ret
               end
               def self.scm_version_string
                 ret = ""
                 begin
                   ret = self.scm_adapter_class.client_version_string if self.scm_adapter_class
                 rescue Redmine::Scm::Adapters::CommandFailed => e
                   logger.error "scm: error during get version string: #{e.message}"
                 end
                 ret
               end
               def self.scm_available
                 ret = false
                 begin
                   ret = self.scm_adapter_class.client_available if self.scm_adapter_class
                 rescue Redmine::Scm::Adapters::CommandFailed => e
                   logger.error "scm: error during get scm available: #{e.message}"
                 end
                 ret
               end
               private
               def before_save
                 # Strips url and root_url
                 url.strip!
                 root_url.strip!
                 true
               end
               def clear_changesets
                 cs, ch, ci = Changeset.table_name, Change.table_name, "#{table_name_prefix}changesets_issues#{table_name_suffix}"
                 connection.delete("DELETE FROM #{ch} WHERE #{ch}.changeset_id IN (SELECT #{cs}.id FROM #{cs} WHERE #{cs}.repository_id = #{id})")
                 connection.delete("DELETE FROM #{ci} WHERE #{ci}.changeset_id IN (SELECT #{cs}.id FROM #{cs} WHERE #{cs}.repository_id = #{id})")
                 connection.delete("DELETE FROM #{cs} WHERE #{cs}.repository_id = #{id}")
               end
             end

config/configuration.yml.example +14 0

             # = Redmine configuration file
             #
             # Each environment has it's own configuration options.  If you are only
             # running in production, only the production block needs to be configured.
             # Environment specific configuration options override the default ones.
             #
             # Note that this file needs to be a valid YAML file.
             #
             # == Outgoing email settings (email_delivery setting)
             #
             # === Common configurations
             #
             # ==== Sendmail command
             #
             # production:
             #   email_delivery:
             #     delivery_method: :sendmail
             #
             # ==== Simple SMTP server at localhost
             #
             # production:
             #   email_delivery:
             #     delivery_method: :smtp
             #     smtp_settings:
             #       address: "localhost"
             #       port: 25
             #
             # ==== SMTP server at example.com using LOGIN authentication and checking HELO for foo.com
             #
             # production:
             #   email_delivery:
             #     delivery_method: :smtp
             #     smtp_settings:
             #       address: "example.com"
             #       port: 25
             #       authentication: :login
             #       domain: 'foo.com'
             #       user_name: 'myaccount'
             #       password: 'password'
             #
             # ==== SMTP server at example.com using PLAIN authentication
             #
             # production:
             #   email_delivery:
             #     delivery_method: :smtp
             #     smtp_settings:
             #       address: "example.com"
             #       port: 25
             #       authentication: :plain
             #       domain: 'example.com'
             #       user_name: 'myaccount'
             #       password: 'password'
             #
             # ==== SMTP server at using TLS (GMail)
             #
             # This requires some additional configuration.  See the article at:
             # http://redmineblog.com/articles/setup-redmine-to-send-email-using-gmail/
             #
             # production:
             #   email_delivery:
             #     delivery_method: :smtp
             #     smtp_settings:
             #       tls: true
             #       address: "smtp.gmail.com"
             #       port: 587
             #       domain: "smtp.gmail.com" # 'your.domain.com' for GoogleApps
             #       authentication: :plain
             #       user_name: "your_email@gmail.com"
             #       password: "your_password"
             #
             #
             # === More configuration options
             #
             # See the "Configuration options" at the following website for a list of the
             # full options allowed:
             #
             # http://wiki.rubyonrails.org/rails/pages/HowToSendEmailsWithActionMailer
             # default configuration options for all environments
             default:
               # Outgoing emails configuration (see examples above)
               email_delivery:
                 delivery_method: :smtp
                 smtp_settings:
                   address: smtp.example.net
                   port: 25
                   domain: example.net
                   authentication: :login
                   user_name: "redmine@example.net"
                   password: "redmine"
               # Absolute path to the directory where attachments are stored.
               # The default is the 'files' directory in your Redmine instance.
               # Your Redmine instance needs to have write permission on this
               # directory.
               # Examples:
               # attachments_storage_path: /var/redmine/files
               # attachments_storage_path: D:/redmine/files
               attachments_storage_path:
               # Configuration of the autologin cookie.
               # autologin_cookie_name: the name of the cookie (default: autologin)
               # autologin_cookie_path: the cookie path (default: /)
               # autologin_cookie_secure: true sets the cookie secure flag (default: false)
               autologin_cookie_name:
               autologin_cookie_path:
               autologin_cookie_secure:
               # Configuration of SCM executable command.
               # Absolute path (e.g. /usr/local/bin/hg) or command name (e.g. hg.exe, bzr.exe)
               # On Windows, *.cmd, *.bat (e.g. hg.cmd, bzr.bat) does not work.
               # Examples:
               # scm_subversion_command: svn                                       # (default: svn)
               # scm_mercurial_command:  C:\Program Files\TortoiseHg\hg.exe        # (default: hg)
               # scm_git_command:        /usr/local/bin/git                        # (default: git)
               # scm_cvs_command:        cvs                                       # (default: cvs)
               # scm_bazaar_command:     bzr.exe                                   # (default: bzr)
               # scm_darcs_command:      darcs-1.0.9-i386-linux                    # (default: darcs)
               scm_subversion_command:
               scm_mercurial_command:
               scm_git_command:
               scm_cvs_command:
               scm_bazaar_command:
               scm_darcs_command:
+              # Key used to encrypt sensitive data in the database (SCM and LDAP passwords).
+              # If you don't want to enable data encryption, just leave it blank.
+              # WARNING: losing/changing this key will make encrypted data unreadable.
+              #
+              # If you want to encrypt existing passwords in your database:
+              # * set the cipher key here in your configuration file
+              # * encrypt data using 'rake db:encrypt RAILS_ENV=production'
+              #
+              # If you have encrypted data and want to change this key, you have to:
+              # * decrypt data using 'rake db:decrypt RAILS_ENV=production' first
+              # * change the cipher key here in your configuration file
+              # * encrypt data using 'rake db:encrypt RAILS_ENV=production'
+              database_cipher_key:
             # specific configuration options for production environment
             # that overrides the default ones
             production:
             # specific configuration options for development environment
             # that overrides the default ones
             development:

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages