Set all trusted OAuth apps as confidential

Migrate all trusted apps to confidential to avoid
potential access token leak abusing implicit flow

changelogs/unreleased/security-trusted-confidential-apps.yml

+---
+title: Update trusted OAuth applications to set them as confidential
+merge_request:
+author:
+type: security

db/migrate/20201222151823_update_trusted_apps_to_confidential.rb

+# frozen_string_literal: true
+
+class UpdateTrustedAppsToConfidential < ActiveRecord::Migration[6.0]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+  INDEX_NAME = 'tmp_index_oauth_applications_on_id_where_trusted'
+
+  disable_ddl_transaction!
+
+  def up
+    add_concurrent_index :oauth_applications, :id, where: 'trusted = true', name: INDEX_NAME
+
+    execute('UPDATE oauth_applications SET confidential = true WHERE trusted = true')
+  end
+
+  def down
+    # We won't be able to tell which trusted applications weren't confidential before the migration
+    # and setting all trusted applications are not confidential would introduce security issues
+
+    remove_concurrent_index_by_name :oauth_applications, INDEX_NAME
+  end
+end

db/schema_migrations/20201222151823

+d3af120a74b4c55345ac7fb524395251cd3c1b3cd9685f711196a134f427845c
\ No newline at end of file

db/structure.sql

@@ -23097,6 +23097,8 @@ CREATE INDEX tmp_build_stage_position_index ON ci_builds USING btree (stage_id,
 
 CREATE INDEX tmp_index_for_email_unconfirmation_migration ON emails USING btree (id) WHERE (confirmed_at IS NOT NULL);
 
+CREATE INDEX tmp_index_oauth_applications_on_id_where_trusted ON oauth_applications USING btree (id) WHERE (trusted = true);
+
 CREATE INDEX tmp_index_on_vulnerabilities_non_dismissed ON vulnerabilities USING btree (id) WHERE (state <> 2);
 
 CREATE UNIQUE INDEX unique_merge_request_metrics_by_merge_request_id ON merge_request_metrics USING btree (merge_request_id);