Commit 3394c653 authored by Etienne Baqué's avatar Etienne Baqué Committed by Stan Hu

Added migration to encrypt token in DeployToken records

Added migrations to make the token column accept null values and to add
an encrypted token column.
parent d6b420ba
# frozen_string_literal: true
class ChangeDeployTokensTokenNotNull < ActiveRecord::Migration[5.1]
include Gitlab::Database::MigrationHelpers
DOWNTIME = false
def change
change_column_null :deploy_tokens, :token, true
end
end
# frozen_string_literal: true
class AddTokenEncryptedToDeployTokens < ActiveRecord::Migration[5.1]
include Gitlab::Database::MigrationHelpers
DOWNTIME = false
def change
add_column :deploy_tokens, :token_encrypted, :string
end
end
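Review bot: `token_encrypted` is added without an index, while the schema keeps both the unique index and the partial index on the plaintext `token` column. If lookups are meant to move to `token_encrypted` (not visible in this commit), that column would need its own index and uniqueness guarantee in a follow-up migration, e.g. `add_concurrent_index :deploy_tokens, :token_encrypted, unique: true`. `include Gitlab::Database::MigrationHelpers` is not used by the plain `add_column` call here.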
# frozen_string_literal: true
class EncryptDeployTokensTokens < ActiveRecord::Migration[5.1]
DOWNTIME = false
class DeploymentTokens < ActiveRecord::Base
self.table_name = 'deploy_tokens'
end
def up
say_with_time("Encrypting tokens from deploy_tokens") do
DeploymentTokens.where('token_encrypted is NULL AND token IS NOT NULL').find_each do |deploy_token|
token_encrypted = Gitlab::CryptoHelper.aes256_gcm_encrypt(deploy_token.token)
deploy_token.update!(token_encrypted: token_encrypted)
end
end
end
def down
say_with_time("Decrypting tokens from deploy_tokens") do
DeploymentTokens.where('token_encrypted IS NOT NULL AND token IS NULL').find_each do |deploy_token|
token = Gitlab::CryptoHelper.aes256_gcm_decrypt(deploy_token.token_encrypted)
deploy_token.update!(token: token)
end
end
end
end
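Review bot: `up` writes the ciphertext to `token_encrypted` but leaves the plaintext `token` in every row, so after this migration the table still stores the secret in clear text and the new column gives no protection at rest yet. If that is a deliberate staged rollout, say so above `up`, for example `# Plaintext token is kept for now; a later migration must clear it once reads use token_encrypted.` The `find_each`/`update!` loop also runs without `disable_ddl_transaction!`, so on a database with transactional DDL the whole backfill presumably runs inside one transaction; batching it outside the transaction would keep row locks short on large tables. The migration calls `Gitlab::CryptoHelper` from application code, so its output depends on whatever that helper does when the migration is run.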
...@@ -1121,8 +1121,9 @@ ActiveRecord::Schema.define(version: 2019_08_20_163320) do ...@@ -1121,8 +1121,9 @@ ActiveRecord::Schema.define(version: 2019_08_20_163320) do
t.datetime_with_timezone "expires_at", null: false t.datetime_with_timezone "expires_at", null: false
t.datetime_with_timezone "created_at", null: false t.datetime_with_timezone "created_at", null: false
t.string "name", null: false t.string "name", null: false
t.string "token", null: false t.string "token"
t.string "username" t.string "username"
t.string "token_encrypted"
t.index ["token", "expires_at", "id"], name: "index_deploy_tokens_on_token_and_expires_at_and_id", where: "(revoked IS FALSE)" t.index ["token", "expires_at", "id"], name: "index_deploy_tokens_on_token_and_expires_at_and_id", where: "(revoked IS FALSE)"
t.index ["token"], name: "index_deploy_tokens_on_token", unique: true t.index ["token"], name: "index_deploy_tokens_on_token", unique: true
end end