Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
To support #1896006: Encrypt stored database credentials, and any other sensitive information we may wish to store in migration or group arguments, we will add static encrypt/decrypt convenience functions to MigrationBase.
Comment | File | Size | Author |
---|---|---|---|
#15 | migrate-encryption-1901980-15.patch | 6.46 KB | mikeryan |
#11 | migrate-encryption-convenience-functions-1901980-11.patch | 3.28 KB | Anonymous (not verified) |
#1 | encryption_convenience_functions-1901980-2.patch | 880 bytes | Anonymous (not verified) |
Comments
Comment #1
Anonymous (not verified) CreditAttribution: Anonymous commentedSee attached patchfile.
Comment #2
Anonymous (not verified) CreditAttribution: Anonymous commentedComment #3
moshe weitzman CreditAttribution: moshe weitzman commentedThose look simple enough. If we ever have more advanced needs, the encrypt module is pretty solid. It is maintained by Greg Knaddison who is lead of security team. See http://groups.drupal.org/node/258513
Comment #4
Anonymous (not verified) CreditAttribution: Anonymous commentedI agree. Mike and I discussed this quickly, for now our needs our simple. I had seen the encrypt module, looked like a great way to support more advanced encryption needs without adding mcrypt library (or similar) requirements.
Comment #5
mikeryanRight - encrypt does look helpful, but I'm reluctant to add a module dependency that benefits relatively few Migrate users.
Comment #6
mikeryanComment #7
mikeryanNate and I have discussed this some more - while we don't want a hard module dependency, we do want to leverage the encrypt module when we need encryption. Also, I'd like to make the DX as simple as possible - what I'd like to do is have a standard migration/group argument 'encrypted_arguments', which would be an array of argument names that should be encrypted/decrypted. Documentation for the argument will make clear that the encrypt module is required to make use of this functionality. Thoughts?
Comment #8
moshe weitzman CreditAttribution: moshe weitzman commentedSounds good to me.
Comment #9
mikeryanI would like to get this in to Migrate 2.6 - the wizard API is going to support configuring migrations (including credentials) through the UI which will need to be saved, so we should do what we can to protect those credentials.
Comment #10
Anonymous (not verified) CreditAttribution: Anonymous commentedI'll take it - assigning to myself.
Comment #11
Anonymous (not verified) CreditAttribution: Anonymous commentedHere is a patch that provides logic for encryption as well as detecting the presence of encrypt.module (the same as from a patch for migrate_d2d.module). This patch only addresses the original issue of providing convenience functions - the functionality Mike outlined in comment #7 should probably be logged as a discrete ticket?
Relatedly, I'll be deprecating the (now) duplicate functions from this issue patch: http://drupal.org/node/1896006
Comment #13
mikeryanI would like to see the 'encrypted_arguments' support as part of this patch.
Thanks.
Comment #14
mikeryan#11: migrate-encryption-convenience-functions-1901980-11.patch queued for re-testing.
Comment #15
mikeryanOK, added automated encryption/decryption - by passing an array argument in $arguments, named 'encrypted_arguments', any arguments named in that array will be encrypted before being saved and decrypted when retrieved from the db. I also made the functions public static so the MigrateGroup class could use them as well.
Patch attached if anyone else wants to try it - I still need to test it in a real-world case (migrate_d2d_ui database credentials).
Comment #16
mikeryanDid some real-world testing and it looks OK, committed.