Add migrations needed to encrypt feature flags client tokens

Make plaintext token column not null, add new token_encrypted column and index on project_id & token_encrypted. Post deployment migration to encrypt existing tokens.
2019-06-06 21:37:49 +12:00 · 2019-06-06 21:37:49 +12:00 · 03000c8f26
commit 03000c8f26
parent 30bddd546f
6 changed files with 106 additions and 1 deletions
--- a/db/migrate/20190606054649_change_operations_feature_flags_clients_token_not_null.rb
+++ b/db/migrate/20190606054649_change_operations_feature_flags_clients_token_not_null.rb
@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+class ChangeOperationsFeatureFlagsClientsTokenNotNull < ActiveRecord::Migration[5.1]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  def change
+    change_column_null :operations_feature_flags_clients, :token, true
+  end
+end
--- a/db/migrate/20190606054742_add_token_encrypted_to_operations_feature_flags_clients.rb
+++ b/db/migrate/20190606054742_add_token_encrypted_to_operations_feature_flags_clients.rb
@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+class AddTokenEncryptedToOperationsFeatureFlagsClients < ActiveRecord::Migration[5.1]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  def change
+    add_column :operations_feature_flags_clients, :token_encrypted, :string
+  end
+end
--- a/db/migrate/20190606054832_add_index_to_operations_feature_flags_clients_token_encrypted.rb
+++ b/db/migrate/20190606054832_add_index_to_operations_feature_flags_clients_token_encrypted.rb
@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+class AddIndexToOperationsFeatureFlagsClientsTokenEncrypted < ActiveRecord::Migration[5.1]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  disable_ddl_transaction!
+
+  def up
+    add_concurrent_index :operations_feature_flags_clients, [:project_id, :token_encrypted],
+      unique: true, name: "index_feature_flags_clients_on_project_id_and_token_encrypted"
+  end
+
+  def down
+    remove_concurrent_index_by_name :operations_feature_flags_clients, "index_feature_flags_clients_on_project_id_and_token_encrypted"
+  end
+end
--- a/db/post_migrate/20190606175050_encrypt_feature_flags_clients_tokens.rb
+++ b/db/post_migrate/20190606175050_encrypt_feature_flags_clients_tokens.rb
@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+class EncryptFeatureFlagsClientsTokens < ActiveRecord::Migration[5.1]
+  DOWNTIME = false
+
+  class FeatureFlagsClient < ActiveRecord::Base
+    self.table_name = 'operations_feature_flags_clients'
+  end
+
+  def up
+    say_with_time("Encrypting tokens from operations_feature_flags_clients") do
+      FeatureFlagsClient.where('token_encrypted is NULL AND token IS NOT NULL').find_each do |feature_flags_client|
+        token_encrypted = Gitlab::CryptoHelper.aes256_gcm_encrypt(feature_flags_client.token)
+        feature_flags_client.update!(token_encrypted: token_encrypted)
+      end
+    end
+  end
+
+  def down
+    say_with_time("Decrypting tokens from operations_feature_flags_clients") do
+      FeatureFlagsClient.where('token_encrypted IS NOT NULL AND token IS NULL').find_each do |feature_flags_client|
+        token = Gitlab::CryptoHelper.aes256_gcm_decrypt(feature_flags_client.token_encrypted)
+        feature_flags_client.update!(token: token)
+      end
+    end
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@ -2257,8 +2257,10 @@ ActiveRecord::Schema.define(version: 20190613030606) do

  create_table "operations_feature_flags_clients", force: :cascade do |t|
    t.integer "project_id", null: false
-    t.string "token", null: false
+    t.string "token"
+    t.string "token_encrypted"
    t.index ["project_id", "token"], name: "index_operations_feature_flags_clients_on_project_id_and_token", unique: true, using: :btree
+    t.index ["project_id", "token_encrypted"], name: "index_feature_flags_clients_on_project_id_and_token_encrypted", unique: true, using: :btree
  end

  create_table "packages_maven_metadata", force: :cascade do |t|
--- a/spec/migrations/encrypt_feature_flags_clients_tokens_spec.rb
+++ b/spec/migrations/encrypt_feature_flags_clients_tokens_spec.rb
@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require Rails.root.join('db', 'post_migrate', '20190606175050_encrypt_feature_flags_clients_tokens.rb')
+
+describe EncryptFeatureFlagsClientsTokens, :migration do
+  let(:migration) { described_class.new }
+  let(:feature_flags_clients) { table(:operations_feature_flags_clients) }
+  let(:projects) { table(:projects) }
+  let(:plaintext) { "secret-token" }
+  let(:ciphertext) { Gitlab::CryptoHelper.aes256_gcm_encrypt(plaintext) }
+
+  describe '#up' do
+    it 'keeps plaintext token the same and populates token_encrypted if not present' do
+      project = projects.create!(id: 123, name: 'gitlab1', path: 'gitlab1', namespace_id: 123)
+      feature_flags_client = feature_flags_clients.create!(project_id: project.id, token: plaintext)
+
+      migration.up
+
+      expect(feature_flags_client.reload.token).to eq(plaintext)
+      expect(feature_flags_client.reload.token_encrypted).to eq(ciphertext)
+    end
+  end
+
+  describe '#down' do
+    it 'decrypts encrypted token and saves it' do
+      project = projects.create!(id: 123, name: 'gitlab1', path: 'gitlab1', namespace_id: 123)
+      feature_flags_client = feature_flags_clients.create!(project_id: project.id, token_encrypted: ciphertext)
+
+      migration.down
+
+      expect(feature_flags_client.reload.token).to eq(plaintext)
+      expect(feature_flags_client.reload.token_encrypted).to eq(ciphertext)
+    end
+  end
+end