From 28dd747fc6e54dd07a5897d1936d97f976a5fef1 Mon Sep 17 00:00:00 2001
From: Go MAEDA
Date: Sat, 5 Sep 2020 06:24:37 +0000
Subject: [PATCH] Rake tasks db:encrypt and db:decrypt now supports TOTP secret keys (#1237, #33929).

git-svn-id: http://svn.redmine.org/redmine/trunk@20005 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 config/configuration.yml.example | 7 ++++---
 lib/tasks/ciphering.rake | 6 ++++--
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/config/configuration.yml.example b/config/configuration.yml.example
index 5dbb7170c..4001c5aba 100644
--- a/config/configuration.yml.example
+++ b/config/configuration.yml.example
@@ -138,11 +138,12 @@ default:
 # scm_stderr_log_file: /var/log/redmine_scm_stderr.log
 scm_stderr_log_file:
- # Key used to encrypt sensitive data in the database (SCM and LDAP passwords).
+ # Key used to encrypt sensitive data in the database (SCM passwords,
+ # LDAP passwords, and TOTP (two-factor authentication) secret keys).
 # If you don't want to enable data encryption, just leave it blank.
 # WARNING: losing/changing this key will make encrypted data unreadable.
 #
- # If you want to encrypt existing passwords in your database:
+ # If you want to encrypt existing data in your database:
 # * set the cipher key here in your configuration file
 # * encrypt data using 'rake db:encrypt RAILS_ENV=production'
 #
@@ -150,7 +151,7 @@ default:
 # * decrypt data using 'rake db:decrypt RAILS_ENV=production' first
 # * change the cipher key here in your configuration file
 # * encrypt data using 'rake db:encrypt RAILS_ENV=production'
- database_cipher_key:
+ database_cipher_key: 'foo'
 # Set this to false to disable plugins' assets mirroring on startup.
 # You can use `rake redmine:plugins:assets` to manually mirror assets
diff --git a/lib/tasks/ciphering.rake b/lib/tasks/ciphering.rake
index 07e96b5d6..fb97cde30 100644
--- a/lib/tasks/ciphering.rake
+++ b/lib/tasks/ciphering.rake
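Review bot: The second hunk of config/configuration.yml.example changes the shipped default from an empty `database_cipher_key:` to `database_cipher_key: 'foo'`, which the commit message does not mention and which looks like a leftover from local testing. Anyone who copies the example file as their configuration would then encrypt SCM passwords, LDAP passwords and TOTP secrets under a publicly known key, while the comment a few lines above still says to leave the value blank to keep encryption off. The new line should stay `database_cipher_key:` so that nothing is encrypted until an operator sets a secret of their own.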
@@ -20,7 +20,8 @@ namespace :db do
 desc 'Encrypts SCM and LDAP passwords in the database.'
 task :encrypt => :environment do
 unless (Repository.encrypt_all(:password) &&
- AuthSource.encrypt_all(:account_password))
+ AuthSource.encrypt_all(:account_password) &&
+ User.encrypt_all(:twofa_totp_key))
 raise "Some objects could not be saved after encryption, update was rolled back."
 end
 end
@@ -28,7 +29,8 @@ namespace :db do
 desc 'Decrypts SCM and LDAP passwords in the database.'
 task :decrypt => :environment do
 unless (Repository.decrypt_all(:password) &&
- AuthSource.decrypt_all(:account_password))
+ AuthSource.decrypt_all(:account_password) &&
+ User.decrypt_all(:twofa_totp_key))
 raise "Some objects could not be saved after decryption, update was rolled back."
 end
 end
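Review bot: The `desc` strings at the top of both hunks in lib/tasks/ciphering.rake still advertise only "SCM and LDAP passwords", so `rake -T` will not tell an operator that db:encrypt and db:decrypt now also rewrite TOTP secret keys. I would change them to `desc 'Encrypts SCM passwords, LDAP passwords and TOTP secret keys in the database.'` and the matching `desc 'Decrypts SCM passwords, LDAP passwords and TOTP secret keys in the database.'`. Separately, the `&&` chain stops at the first model that fails; if each `encrypt_all`/`decrypt_all` call runs in its own transaction (not visible here), a failure in `User` would leave the repository and auth-source rows already converted while the message says the update was rolled back, which is worth confirming. Both tasks are complete within their hunks, but the enclosing `namespace :db do` block opens and closes outside them.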