Commit 03000c8f authored by Krasimir Angelov's avatar Krasimir Angelov

Add migrations needed to encrypt feature flags client tokens

Make plaintext token column not null, add new token_encrypted column and
index on project_id & token_encrypted.

Post deployment migration to encrypt existing tokens.
parent 30bddd54
# frozen_string_literal: true
class ChangeOperationsFeatureFlagsClientsTokenNotNull < ActiveRecord::Migration[5.1]
include Gitlab::Database::MigrationHelpers
DOWNTIME = false
def change
change_column_null :operations_feature_flags_clients, :token, true
end
end
# frozen_string_literal: true
class AddTokenEncryptedToOperationsFeatureFlagsClients < ActiveRecord::Migration[5.1]
include Gitlab::Database::MigrationHelpers
DOWNTIME = false
def change
add_column :operations_feature_flags_clients, :token_encrypted, :string
end
end
# frozen_string_literal: true
class AddIndexToOperationsFeatureFlagsClientsTokenEncrypted < ActiveRecord::Migration[5.1]
include Gitlab::Database::MigrationHelpers
DOWNTIME = false
disable_ddl_transaction!
def up
add_concurrent_index :operations_feature_flags_clients, [:project_id, :token_encrypted],
unique: true, name: "index_feature_flags_clients_on_project_id_and_token_encrypted"
end
def down
remove_concurrent_index_by_name :operations_feature_flags_clients, "index_feature_flags_clients_on_project_id_and_token_encrypted"
end
end
# frozen_string_literal: true
class EncryptFeatureFlagsClientsTokens < ActiveRecord::Migration[5.1]
DOWNTIME = false
class FeatureFlagsClient < ActiveRecord::Base
self.table_name = 'operations_feature_flags_clients'
end
def up
say_with_time("Encrypting tokens from operations_feature_flags_clients") do
FeatureFlagsClient.where('token_encrypted is NULL AND token IS NOT NULL').find_each do |feature_flags_client|
token_encrypted = Gitlab::CryptoHelper.aes256_gcm_encrypt(feature_flags_client.token)
feature_flags_client.update!(token_encrypted: token_encrypted)
end
end
end
def down
say_with_time("Decrypting tokens from operations_feature_flags_clients") do
FeatureFlagsClient.where('token_encrypted IS NOT NULL AND token IS NULL').find_each do |feature_flags_client|
token = Gitlab::CryptoHelper.aes256_gcm_decrypt(feature_flags_client.token_encrypted)
feature_flags_client.update!(token: token)
end
end
end
end
...@@ -2257,8 +2257,10 @@ ActiveRecord::Schema.define(version: 20190613030606) do ...@@ -2257,8 +2257,10 @@ ActiveRecord::Schema.define(version: 20190613030606) do
create_table "operations_feature_flags_clients", force: :cascade do |t| create_table "operations_feature_flags_clients", force: :cascade do |t|
t.integer "project_id", null: false t.integer "project_id", null: false
t.string "token", null: false t.string "token"
t.string "token_encrypted"
t.index ["project_id", "token"], name: "index_operations_feature_flags_clients_on_project_id_and_token", unique: true, using: :btree t.index ["project_id", "token"], name: "index_operations_feature_flags_clients_on_project_id_and_token", unique: true, using: :btree
t.index ["project_id", "token_encrypted"], name: "index_feature_flags_clients_on_project_id_and_token_encrypted", unique: true, using: :btree
end end
create_table "packages_maven_metadata", force: :cascade do |t| create_table "packages_maven_metadata", force: :cascade do |t|
......
# frozen_string_literal: true
require 'spec_helper'
require Rails.root.join('db', 'post_migrate', '20190606175050_encrypt_feature_flags_clients_tokens.rb')
describe EncryptFeatureFlagsClientsTokens, :migration do
let(:migration) { described_class.new }
let(:feature_flags_clients) { table(:operations_feature_flags_clients) }
let(:projects) { table(:projects) }
let(:plaintext) { "secret-token" }
let(:ciphertext) { Gitlab::CryptoHelper.aes256_gcm_encrypt(plaintext) }
describe '#up' do
it 'keeps plaintext token the same and populates token_encrypted if not present' do
project = projects.create!(id: 123, name: 'gitlab1', path: 'gitlab1', namespace_id: 123)
feature_flags_client = feature_flags_clients.create!(project_id: project.id, token: plaintext)
migration.up
expect(feature_flags_client.reload.token).to eq(plaintext)
expect(feature_flags_client.reload.token_encrypted).to eq(ciphertext)
end
end
describe '#down' do
it 'decrypts encrypted token and saves it' do
project = projects.create!(id: 123, name: 'gitlab1', path: 'gitlab1', namespace_id: 123)
feature_flags_client = feature_flags_clients.create!(project_id: project.id, token_encrypted: ciphertext)
migration.down
expect(feature_flags_client.reload.token).to eq(plaintext)
expect(feature_flags_client.reload.token_encrypted).to eq(ciphertext)
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment