Added migration to encrypt token in DeployToken records

Added migrations to make token column accepting null values and to add encrypted token column.

Added migration to encrypt token in DeployToken records
3394c653 · Etienne Baqué · Stan Hu · d6b420ba · 3394c653 · 3394c653
Commit 3394c653 authored 5 years ago by Etienne Baqué Committed by Stan Hu 5 years ago
--- a/db/migrate/20190711200053_change_deploy_tokens_token_not_null.rb
+++ b/db/migrate/20190711200053_change_deploy_tokens_token_not_null.rb
+# frozen_string_literal: true
+
+class ChangeDeployTokensTokenNotNull < ActiveRecord::Migration[5.1]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  def change
+    change_column_null :deploy_tokens, :token, true
+  end
+end
--- a/db/migrate/20190711200508_add_token_encrypted_to_deploy_tokens.rb
+++ b/db/migrate/20190711200508_add_token_encrypted_to_deploy_tokens.rb
+# frozen_string_literal: true
+
+class AddTokenEncryptedToDeployTokens < ActiveRecord::Migration[5.1]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  def change
+    add_column :deploy_tokens, :token_encrypted, :string
+  end
+end
--- a/db/post_migrate/20190711201818_encrypt_deploy_tokens_tokens.rb
+++ b/db/post_migrate/20190711201818_encrypt_deploy_tokens_tokens.rb
+# frozen_string_literal: true
+
+class EncryptDeployTokensTokens < ActiveRecord::Migration[5.1]
+  DOWNTIME = false
+
+  class DeploymentTokens < ActiveRecord::Base
+    self.table_name = 'deploy_tokens'
+  end
+
+  def up
+    say_with_time("Encrypting tokens from deploy_tokens") do
+      DeploymentTokens.where('token_encrypted is NULL AND token IS NOT NULL').find_each do |deploy_token|
+        token_encrypted = Gitlab::CryptoHelper.aes256_gcm_encrypt(deploy_token.token)
+        deploy_token.update!(token_encrypted: token_encrypted)
+      end
+    end
+  end
+
+  def down
+    say_with_time("Decrypting tokens from deploy_tokens") do
+      DeploymentTokens.where('token_encrypted IS NOT NULL AND token IS NULL').find_each do |deploy_token|
+        token = Gitlab::CryptoHelper.aes256_gcm_decrypt(deploy_token.token_encrypted)
+        deploy_token.update!(token: token)
+      end
+    end
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -1121,8 +1121,9 @@ ActiveRecord::Schema.define(version: 2019_08_20_163320) do
    t.datetime_with_timezone "expires_at", null: false
    t.datetime_with_timezone "created_at", null: false
    t.string "name", null: false
-    t.string "token", null: false
+    t.string "token"
    t.string "username"
+    t.string "token_encrypted"
    t.index ["token", "expires_at", "id"], name: "index_deploy_tokens_on_token_and_expires_at_and_id", where: "(revoked IS FALSE)"
    t.index ["token"], name: "index_deploy_tokens_on_token", unique: true
  end