authorGrzegorz Bizon <grzesiek.bizon@gmail.com>2018-12-03 14:29:51 +0100
committerGrzegorz Bizon <grzesiek.bizon@gmail.com>2018-12-03 14:29:51 +0100
commit239a4f72642b2df0cc057a17daadf1391332d118 (patch)
treed88b8cd131d056f38bad3188487ac0ef63d9044c
parente9abacedb01efdb127580dae54a6ffbe8c8c1399 (diff)
downloadgitlab-ce-239a4f72642b2df0cc057a17daadf1391332d118.tar.gz
Use plaintext token when migration is not complete
-rw-r--r--app/models/concerns/token_authenticatable_strategies/encrypted.rb10
-rw-r--r--lib/gitlab/background_migration/encrypt_columns.rb8
-rw-r--r--lib/gitlab/background_migration/encrypt_runners_tokens.rb4
-rw-r--r--spec/lib/gitlab/background_migration/encrypt_runners_tokens_spec.rb8
-rw-r--r--spec/models/concerns/token_authenticatable_strategies/encrypted_spec.rb17
5 files changed, 21 insertions, 26 deletions
diff --git a/app/models/concerns/token_authenticatable_strategies/encrypted.rb b/app/models/concerns/token_authenticatable_strategies/encrypted.rb
index 1f752850aad..2e65a2b6b22 100644
--- a/app/models/concerns/token_authenticatable_strategies/encrypted.rb
+++ b/app/models/concerns/token_authenticatable_strategies/encrypted.rb
@@ -12,16 +12,18 @@ module TokenAuthenticatableStrategies
def find_token_authenticatable(token, unscoped = false)
return if token.blank?
- return find_by_encrypted_token(token, unscoped) if fully_encrypted?
+
+ if fully_encrypted?
+ return find_by_encrypted_token(token, unscoped)
+ end
if fallback?
find_by_encrypted_token(token, unscoped) ||
find_by_plaintext_token(token, unscoped)
elsif migrating?
- find_by_plaintext_token(token, unscoped) ||
- find_by_encrypted_token(token, unscoped)
+ find_by_plaintext_token(token, unscoped)
else
- raise ArgumentError, 'Unknown encryption strategy!'
+ raise ArgumentError, 'Unknown encryption phase!'
end
end
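Review bot: In the `migrating?` branch the lookup now consults only the plaintext column, so any row whose plaintext value was already cleared will stop authenticating until the phase switches. An earlier run of the background migration could have left such rows, but whether any exist cannot be told from this hunk. The branch depends on an invariant that is not written down: plaintext must stay populated for every row while `migrating?` is true. I would state it above the branch, for example `# While migrating, plaintext is the source of truth; the background migration must not clear it yet.` The predicates `fully_encrypted?`, `fallback?` and `migrating?` are defined outside the hunk, so their exact conditions are not visible here.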
diff --git a/lib/gitlab/background_migration/encrypt_columns.rb b/lib/gitlab/background_migration/encrypt_columns.rb
index c7549da96a8..6ec021df6fb 100644
--- a/lib/gitlab/background_migration/encrypt_columns.rb
+++ b/lib/gitlab/background_migration/encrypt_columns.rb
@@ -38,6 +38,10 @@ module Gitlab
end
end
+ def clear_migrated_values?
+ true
+ end
+
private
# Build a hash of { attribute => encrypted column name }
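Review bot: `clear_migrated_values?` is defined above `private`, so it becomes part of the class's public interface even though its only visible caller is the implicit-receiver call in the next hunk of this file. It reads as a subclass hook, so I would move it below `private` and document it, for example `# Hook: return false in a subclass to keep the plaintext column after the encrypted copy is written.` Since the default of `true` wipes plaintext data, the comment should say so explicitly. The enclosing class starts and ends outside the hunk.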
@@ -74,7 +78,9 @@ module Gitlab
if instance.changed?
instance.save!
- instance.update_columns(to_clear)
+ if clear_migrated_values?
+ instance.update_columns(to_clear)
+ end
end
end
diff --git a/lib/gitlab/background_migration/encrypt_runners_tokens.rb b/lib/gitlab/background_migration/encrypt_runners_tokens.rb
index cb7a4c4d52e..91e559a8765 100644
--- a/lib/gitlab/background_migration/encrypt_runners_tokens.rb
+++ b/lib/gitlab/background_migration/encrypt_runners_tokens.rb
@@ -23,6 +23,10 @@ module Gitlab
super(model, attributes, from, to)
end
+
+ def clear_migrated_values?
+ false
+ end
end
end
end
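Review bot: Returning `false` here means every runner token and registration token stays in the database in plaintext next to its encrypted copy after this migration has run. The at-rest protection is therefore not in effect until something else clears those columns, and nothing in this commit shows what does or when. I would record the reason and the follow-up on the override, for example `# Plaintext is kept because lookups still read it while the migration is in progress; clear it in a later migration (see <ISSUE-PLACEHOLDER>).` It is also worth confirming that backups and database dumps taken in this window are handled as containing live credentials. The class body begins outside the hunk.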
diff --git a/spec/lib/gitlab/background_migration/encrypt_runners_tokens_spec.rb b/spec/lib/gitlab/background_migration/encrypt_runners_tokens_spec.rb
index fc95f51a822..9d4921968b3 100644
--- a/spec/lib/gitlab/background_migration/encrypt_runners_tokens_spec.rb
+++ b/spec/lib/gitlab/background_migration/encrypt_runners_tokens_spec.rb
@@ -18,7 +18,7 @@ describe Gitlab::BackgroundMigration::EncryptRunnersTokens, :migration, schema:
decrypted_token = ::Gitlab::CryptoHelper.aes256_gcm_decrypt(encrypted_token)
expect(decrypted_token).to eq 'plain-text-token1'
- expect(settings.first.runners_registration_token).to be_nil
+ expect(settings.first.runners_registration_token).to eq 'plain-text-token1'
end
end
@@ -33,7 +33,7 @@ describe Gitlab::BackgroundMigration::EncryptRunnersTokens, :migration, schema:
migrate!(:namespace, 11, 22)
expect(namespaces.all.reload).to all(
- have_attributes(runners_token: nil, runners_token_encrypted: be_a(String))
+ have_attributes(runners_token: be_a(String), runners_token_encrypted: be_a(String))
)
end
end
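Review bot: `runners_token: be_a(String)` only proves that the plaintext column is non-nil, not that the migration left the original value untouched. A migration that overwrote plaintext with some other string would still pass. The first hunk of this spec pins the exact value with `eq 'plain-text-token1'`, and the same would be stronger here, e.g. capture the values before `migrate!` and compare them afterwards. The same applies to the project hunk and to the runner hunk (`token: be_a(String)`) below. The fixture setup for these examples is outside the hunks, so the original token values are not visible here.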
@@ -50,7 +50,7 @@ describe Gitlab::BackgroundMigration::EncryptRunnersTokens, :migration, schema:
migrate!(:project, 111, 116)
expect(projects.all.reload).to all(
- have_attributes(runners_token: nil, runners_token_encrypted: be_a(String))
+ have_attributes(runners_token: be_a(String), runners_token_encrypted: be_a(String))
)
end
end
@@ -66,7 +66,7 @@ describe Gitlab::BackgroundMigration::EncryptRunnersTokens, :migration, schema:
migrate!(:runner, 201, 203)
expect(runners.all.reload).to all(
- have_attributes(token: nil, token_encrypted: be_a(String))
+ have_attributes(token: be_a(String), token_encrypted: be_a(String))
)
end
end
diff --git a/spec/models/concerns/token_authenticatable_strategies/encrypted_spec.rb b/spec/models/concerns/token_authenticatable_strategies/encrypted_spec.rb
index f1e5810fa6a..93cab80cb1f 100644
--- a/spec/models/concerns/token_authenticatable_strategies/encrypted_spec.rb
+++ b/spec/models/concerns/token_authenticatable_strategies/encrypted_spec.rb
@@ -66,26 +66,9 @@ describe TokenAuthenticatableStrategies::Encrypted do
.with('some_field' => 'my-value')
.and_return(nil)
- allow(model).to receive(:find_by)
- .with('some_field_encrypted' => encrypted)
- .and_return(nil)
-
expect(subject.find_token_authenticatable('my-value'))
.to be_nil
end
-
- it 'finds by encrypted value if cleartext is not present' do
- allow(model).to receive(:find_by)
- .with('some_field' => 'my-value')
- .and_return(nil)
-
- allow(model).to receive(:find_by)
- .with('some_field_encrypted' => encrypted)
- .and_return('encrypted resource')
-
- expect(subject.find_token_authenticatable('my-value'))
- .to eq 'encrypted resource'
- end
end
end