Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
48eaed2c
Commit
48eaed2c
authored
Jan 07, 2020
by
Roger Meier
Committed by
Andreas Brandl
Jan 07, 2020
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
feat: fingerprint_sha256 for SSH keys background migration
Closes gitlab-org/gitlab#39455
parent
297cf2c9
Changes
6
Show whitespace changes
Inline
Side-by-side
Showing
6 changed files
with
191 additions
and
1 deletion
+191
-1
changelogs/unreleased/feat-ssh-sha256-migration.yml
changelogs/unreleased/feat-ssh-sha256-migration.yml
+5
-0
db/post_migrate/20200106071113_update_fingerprint_sha256_within_keys.rb
...e/20200106071113_update_fingerprint_sha256_within_keys.rb
+22
-0
db/schema.rb
db/schema.rb
+1
-1
lib/gitlab/background_migration/migrate_fingerprint_sha256_within_keys.rb
...round_migration/migrate_fingerprint_sha256_within_keys.rb
+59
-0
spec/lib/gitlab/background_migration/migrate_fingerprint_sha256_within_keys_spec.rb
..._migration/migrate_fingerprint_sha256_within_keys_spec.rb
+74
-0
spec/migrations/update_fingerprint_sha256_within_keys_spec.rb
.../migrations/update_fingerprint_sha256_within_keys_spec.rb
+30
-0
No files found.
changelogs/unreleased/feat-ssh-sha256-migration.yml
0 → 100644
View file @
48eaed2c
---
title
:
add background migration for sha256 fingerprints of ssh keys
merge_request
:
21579
author
:
Roger Meier
type
:
added
db/post_migrate/20200106071113_update_fingerprint_sha256_within_keys.rb
0 → 100644
View file @
48eaed2c
# frozen_string_literal: true
class
UpdateFingerprintSha256WithinKeys
<
ActiveRecord
::
Migration
[
5.0
]
include
Gitlab
::
Database
::
MigrationHelpers
class
Key
<
ActiveRecord
::
Base
include
EachBatch
self
.
table_name
=
'keys'
self
.
inheritance_column
=
:_type_disabled
end
disable_ddl_transaction!
def
up
queue_background_migration_jobs_by_range_at_intervals
(
Key
,
'MigrateFingerprintSha256WithinKeys'
,
5
.
minutes
)
end
def
down
# no-op
end
end
db/schema.rb
View file @
48eaed2c
...
...
@@ -10,7 +10,7 @@
#
# It's strongly recommended that you check this file into your version control system.
ActiveRecord
::
Schema
.
define
(
version:
2020_01_0
2_170221
)
do
ActiveRecord
::
Schema
.
define
(
version:
2020_01_0
6_071113
)
do
# These are extensions that must be enabled in order to support this database
enable_extension
"pg_trgm"
...
...
lib/gitlab/background_migration/migrate_fingerprint_sha256_within_keys.rb
0 → 100644
View file @
48eaed2c
# frozen_string_literal: true
module
Gitlab
module
BackgroundMigration
# This class is responsible to update all sha256 fingerprints within the keys table
class
MigrateFingerprintSha256WithinKeys
# Temporary AR table for keys
class
Key
<
ActiveRecord
::
Base
include
EachBatch
self
.
table_name
=
'keys'
self
.
inheritance_column
=
:_type_disabled
end
TEMP_TABLE
=
'tmp_fingerprint_sha256_migration'
def
perform
(
start_id
,
stop_id
)
ActiveRecord
::
Base
.
transaction
do
execute
(
<<~
SQL
)
CREATE TEMPORARY TABLE
#{
TEMP_TABLE
}
(id bigint primary key, fingerprint_sha256 bytea not null)
ON COMMIT DROP
SQL
fingerprints
=
[]
Key
.
where
(
id:
start_id
..
stop_id
,
fingerprint_sha256:
nil
).
find_each
do
|
regular_key
|
fingerprint
=
Base64
.
decode64
(
generate_ssh_public_key
(
regular_key
.
key
))
fingerprints
<<
{
id:
regular_key
.
id
,
fingerprint_sha256:
ActiveRecord
::
Base
.
connection
.
escape_bytea
(
fingerprint
)
}
end
Gitlab
::
Database
.
bulk_insert
(
TEMP_TABLE
,
fingerprints
)
execute
(
"ANALYZE
#{
TEMP_TABLE
}
"
)
execute
(
<<~
SQL
)
UPDATE keys
SET fingerprint_sha256 = t.fingerprint_sha256
FROM
#{
TEMP_TABLE
}
t
WHERE keys.id = t.id
SQL
end
end
private
def
generate_ssh_public_key
(
regular_key
)
Gitlab
::
SSHPublicKey
.
new
(
regular_key
).
fingerprint
(
"SHA256"
).
gsub
(
"SHA256:"
,
""
)
end
def
execute
(
query
)
ActiveRecord
::
Base
.
connection
.
execute
(
query
)
end
end
end
end
spec/lib/gitlab/background_migration/migrate_fingerprint_sha256_within_keys_spec.rb
0 → 100644
View file @
48eaed2c
# frozen_string_literal: true
require
'spec_helper'
describe
Gitlab
::
BackgroundMigration
::
MigrateFingerprintSha256WithinKeys
,
:migration
,
schema:
20200106071113
do
subject
(
:fingerprint_migrator
)
{
described_class
.
new
}
let
(
:key_table
)
{
table
(
:keys
)
}
before
do
generate_fingerprints!
end
it
'correctly creates a sha256 fingerprint for a key'
do
key_1
=
Key
.
find
(
1017
)
key_2
=
Key
.
find
(
1027
)
expect
(
key_1
.
fingerprint_md5
).
to
eq
(
'ba:81:59:68:d7:6c:cd:02:02:bf:6a:9b:55:4e:af:d1'
)
expect
(
key_1
.
fingerprint_sha256
).
to
eq
(
nil
)
expect
(
key_2
.
fingerprint_md5
).
to
eq
(
'39:e3:64:a6:24:ea:45:a2:8c:55:2a:e9:4d:4f:1f:b4'
)
expect
(
key_2
.
fingerprint_sha256
).
to
eq
(
nil
)
query_count
=
ActiveRecord
::
QueryRecorder
.
new
do
fingerprint_migrator
.
perform
(
1
,
10000
)
end
.
count
expect
(
query_count
).
to
eq
(
8
)
key_1
.
reload
key_2
.
reload
expect
(
key_1
.
fingerprint_md5
).
to
eq
(
'ba:81:59:68:d7:6c:cd:02:02:bf:6a:9b:55:4e:af:d1'
)
expect
(
key_1
.
fingerprint_sha256
).
to
eq
(
'nUhzNyftwADy8AH3wFY31tAKs7HufskYTte2aXo/lCg'
)
expect
(
key_2
.
fingerprint_md5
).
to
eq
(
'39:e3:64:a6:24:ea:45:a2:8c:55:2a:e9:4d:4f:1f:b4'
)
expect
(
key_2
.
fingerprint_sha256
).
to
eq
(
'zMNbLekgdjtcgDv8VSC0z5lpdACMG3Q4PUoIz5+H2jM'
)
end
it
'migrates all keys'
do
expect
(
Key
.
where
(
fingerprint_sha256:
nil
).
count
).
to
eq
(
Key
.
all
.
count
)
fingerprint_migrator
.
perform
(
1
,
10000
)
expect
(
Key
.
where
(
fingerprint_sha256:
nil
).
count
).
to
eq
(
0
)
end
def
generate_fingerprints!
values
=
""
(
1000
..
2000
).
to_a
.
each
do
|
record
|
key
=
base_key_for
(
record
)
fingerprint
=
fingerprint_for
(
key
)
values
+=
"(
#{
record
}
,
#{
record
}
, 'test-
#{
record
}
', '
#{
key
}
', '
#{
fingerprint
}
'),"
end
update_query
=
<<~
SQL
INSERT INTO keys ( id, user_id, title, key, fingerprint )
VALUES
#{
values
.
chomp
(
","
)
}
;
SQL
ActiveRecord
::
Base
.
connection
.
execute
(
update_query
)
end
def
base_key_for
(
record
)
'ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAiPWx6WM4lhHNedGfBpPJNPpZ7yKu+dnn1SJejgt0000k6YjzGGphH2TUxwKzxcKDKKezwkpfnxPkSMkuEspGRt/aZZ9wa++Oi7Qkr8prgHc4soW6NUlfDzpvZK2H5E7eQaSeP3SAwGmQKUFHCddNaP0L+hM7zhFNzjFvpaMgJw0='
.
gsub
(
"0000"
,
"%04d"
%
(
record
-
1
))
# generate arbitrary keys with placeholder 0000 within the key above
end
def
fingerprint_for
(
key
)
Gitlab
::
SSHPublicKey
.
new
(
key
).
fingerprint
(
"md5"
)
end
end
spec/migrations/update_fingerprint_sha256_within_keys_spec.rb
0 → 100644
View file @
48eaed2c
# frozen_string_literal: true
require
'spec_helper'
require
Rails
.
root
.
join
(
'db'
,
'post_migrate'
,
'20200106071113_update_fingerprint_sha256_within_keys.rb'
)
describe
UpdateFingerprintSha256WithinKeys
,
:sidekiq
,
:migration
do
let
(
:key_table
)
{
table
(
:keys
)
}
describe
'#up'
do
it
'the BackgroundMigrationWorker will be triggered and fingerprint_sha256 populated'
do
key_table
.
create!
(
id:
1
,
user_id:
1
,
title:
'test'
,
key:
'ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAiPWx6WM4lhHNedGfBpPJNPpZ7yKu+dnn1SJejgt1016k6YjzGGphH2TUxwKzxcKDKKezwkpfnxPkSMkuEspGRt/aZZ9wa++Oi7Qkr8prgHc4soW6NUlfDzpvZK2H5E7eQaSeP3SAwGmQKUFHCddNaP0L+hM7zhFNzjFvpaMgJw0='
,
fingerprint:
'ba:81:59:68:d7:6c:cd:02:02:bf:6a:9b:55:4e:af:d1'
,
fingerprint_sha256:
nil
)
expect
(
Key
.
first
.
fingerprint_sha256
).
to
eq
(
nil
)
described_class
.
new
.
up
expect
(
BackgroundMigrationWorker
.
jobs
.
size
).
to
eq
(
1
)
expect
(
BackgroundMigrationWorker
.
jobs
.
first
[
"args"
][
0
]).
to
eq
(
"MigrateFingerprintSha256WithinKeys"
)
expect
(
BackgroundMigrationWorker
.
jobs
.
first
[
"args"
][
1
]).
to
eq
([
1
,
1
])
end
end
end
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment