To support #1896006: Encrypt stored database credentials, and any other sensitive information we may wish to store in migration or group arguments, we will add static encrypt/decrypt convenience functions to MigrationBase.

Files:
#15: migrate-encryption-1901980-15.patch (6.46 KB, mikeryan). PASSED: [[SimpleTest]]: [MySQL] 149 pass(es).
#11: migrate-encryption-convenience-functions-1901980-11.patch (3.28 KB, nateswart). PASSED: [[SimpleTest]]: [MySQL] 149 pass(es).
#1: encryption_convenience_functions-1901980-2.patch (880 bytes, nateswart). PASSED: [[SimpleTest]]: [MySQL] 149 pass(es).

Comments

Status: new. Size: 880 bytes.
PASSED: [[SimpleTest]]: [MySQL] 149 pass(es).

See attached patchfile.

Status: Active » Needs review

Those look simple enough. If we ever have more advanced needs, the encrypt module is pretty solid. It is maintained by Greg Knaddison, who is the lead of the security team. See http://groups.drupal.org/node/258513

I agree. Mike and I discussed this quickly; for now our needs are simple. I had seen the encrypt module; it looked like a great way to support more advanced encryption needs without adding mcrypt library (or similar) requirements.

Status: Needs review » Active

Right - encrypt does look helpful, but I'm reluctant to add a module dependency that benefits relatively few Migrate users.

Status: Active » Needs review

Status: Needs review » Needs work

Nate and I have discussed this some more - while we don't want a hard module dependency, we do want to leverage the encrypt module when we need encryption. Also, I'd like to make the DX as simple as possible - what I'd like to do is have a standard migration/group argument 'encrypted_arguments', which would be an array of argument names that should be encrypted/decrypted. Documentation for the argument will make clear that the encrypt module is required to make use of this functionality. Thoughts?

Sounds good to me.

Issue tags: +Migrate 2.6

I would like to get this into Migrate 2.6 - the wizard API is going to support configuring migrations (including credentials) through the UI which will need to be saved, so we should do what we can to protect those credentials.

Assigned: Unassigned » nateswart

I'll take it - assigning to myself.

Status: Needs work » Needs review
Status: new. Size: 3.28 KB.
PASSED: [[SimpleTest]]: [MySQL] 149 pass(es).

Here is a patch that provides logic for encryption as well as detecting the presence of encrypt.module (the same as from a patch for migrate_d2d.module). This patch only addresses the original issue of providing convenience functions - the functionality Mike outlined in comment #7 should probably be logged as a discrete ticket?

Relatedly, I'll be deprecating the (now) duplicate functions from this issue patch: http://drupal.org/node/1896006

Status: Needs review » Needs work

The last submitted patch, migrate-encryption-convenience-functions-1901980-11.patch, failed testing.

I would like to see the 'encrypted_arguments' support as part of this patch.

Thanks.

Status: Needs work » Needs review

Status: new. Size: 6.46 KB.
PASSED: [[SimpleTest]]: [MySQL] 149 pass(es).

OK, added automated encryption/decryption - by passing an array argument in $arguments, named 'encrypted_arguments', any arguments named in that array will be encrypted before being saved and decrypted when retrieved from the db. I also made the functions public static so the MigrateGroup class could use them as well.

Patch attached if anyone else wants to try it - I still need to test it in a real-world case (migrate_d2d_ui database credentials).
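
The 'encrypted_arguments' round trip described in the comment above, as an added example that is not the committed patch or Migrate's own code. The function names, the sample argument names and the key handling are assumptions, and libsodium's secretbox (PHP 7.2+) stands in for the encrypt module.

```php
<?php
// Added illustration, not Migrate's code: all example_* names are hypothetical.
// libsodium secretbox (PHP 7.2+) stands in for the encrypt module here.

function example_encrypt_value($value, string $key): string {
  $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
  // Serialize first so array arguments (e.g. a credentials array) survive.
  $box = sodium_crypto_secretbox(serialize($value), $nonce, $key);
  return base64_encode($nonce . $box);
}

function example_decrypt_value(string $stored, string $key) {
  $raw = base64_decode($stored, TRUE);
  $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
  if ($raw === FALSE || strlen($raw) < $min) {
    throw new RuntimeException('Stored argument is not valid ciphertext.');
  }
  $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
  $box = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
  $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
  if ($plain === FALSE) {
    // Wrong key or modified ciphertext: fail closed instead of returning junk.
    throw new RuntimeException('Stored argument failed authentication.');
  }
  // allowed_classes => FALSE prevents object instantiation on unserialize.
  return unserialize($plain, ['allowed_classes' => FALSE]);
}

// Apply $transform to every argument named in 'encrypted_arguments'.
function example_transform_arguments(array $arguments, callable $transform, string $key): array {
  foreach ($arguments['encrypted_arguments'] ?? [] as $name) {
    if (isset($arguments[$name])) {
      $arguments[$name] = $transform($arguments[$name], $key);
    }
  }
  return $arguments;
}

// Constructed sample data. The key is generated here for the demo only; a
// real key has to be kept outside the database that stores the arguments.
$key = sodium_crypto_secretbox_keygen();
$arguments = [
  'description' => 'Constructed sample migration',
  'db_credentials' => ['username' => 'migrate', 'password' => 'constructed-secret'],
  'encrypted_arguments' => ['db_credentials'],
];
$stored = example_transform_arguments($arguments, 'example_encrypt_value', $key);
$loaded = example_transform_arguments($stored, 'example_decrypt_value', $key);
var_dump(is_string($stored['db_credentials']), $loaded === $arguments);
```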

Status: Needs review » Fixed

Did some real-world testing and it looks OK, committed.

Automatically closed -- issue fixed for 2 weeks with no activity.