authorGrzegorz Bizon <grzesiek.bizon@gmail.com>2018-11-21 11:46:36 +0100
committerGrzegorz Bizon <grzesiek.bizon@gmail.com>2018-11-21 12:35:25 +0100
commit64c23778547b14a6a8063280d07051eddf475e48 (patch)
tree3c5c884f94ec03e4537c99527f23ad84733a1db8
parent3578eb45f940ed3ddab742538bd1910b0bd8834f (diff)
Add migratable models for runners tokens migration
-rw-r--r--lib/gitlab/background_migration/encrypt_columns.rb10
-rw-r--r--lib/gitlab/background_migration/models/encrypt_columns/namespace.rb28
-rw-r--r--lib/gitlab/background_migration/models/encrypt_columns/project.rb28
-rw-r--r--lib/gitlab/background_migration/models/encrypt_columns/runner.rb28
-rw-r--r--lib/gitlab/background_migration/models/encrypt_columns/settings.rb28
-rw-r--r--lib/gitlab/background_migration/models/encrypt_columns/web_hook.rb4
6 files changed, 120 insertions, 6 deletions
diff --git a/lib/gitlab/background_migration/encrypt_columns.rb b/lib/gitlab/background_migration/encrypt_columns.rb
index 0d333e47e7b..ba806c869c9 100644
--- a/lib/gitlab/background_migration/encrypt_columns.rb
+++ b/lib/gitlab/background_migration/encrypt_columns.rb
@@ -5,15 +5,17 @@ module Gitlab
# EncryptColumn migrates data from an unencrypted column - `foo`, say - to
# an encrypted column - `encrypted_foo`, say.
#
+ # To avoid depending on a particular version of the model in app/, add a
+ # model to `lib/gitlab/background_migration/models/encrypt_columns` and use
+ # it in the migration that enqueues the jobs, so code can be shared.
+ #
# For this background migration to work, the table that is migrated _has_ to
# have an `id` column as the primary key. Additionally, the encrypted column
# should be managed by attr_encrypted, and map to an attribute with the same
# name as the unencrypted column (i.e., the unencrypted column should be
- # shadowed).
+ # shadowed), unless you want to define specific methods / accessors in the
+ # temporary model in `/models/encrypt_columns/your_model.rb`.
#
- # To avoid depending on a particular version of the model in app/, add a
- # model to `lib/gitlab/background_migration/models/encrypt_columns` and use
- # it in the migration that enqueues the jobs, so code can be shared.
class EncryptColumns
def perform(model, attributes, from, to)
model = model.constantize if model.is_a?(String)
diff --git a/lib/gitlab/background_migration/models/encrypt_columns/namespace.rb b/lib/gitlab/background_migration/models/encrypt_columns/namespace.rb
new file mode 100644
index 00000000000..41f18979d76
--- /dev/null
+++ b/lib/gitlab/background_migration/models/encrypt_columns/namespace.rb
@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module Gitlab
+ module BackgroundMigration
+ module Models
+ module EncryptColumns
+ # This model is shared between synchronous and background migrations to
+ # encrypt the `runners_token` column in `namespaces` table.
+ #
+ class Namespace < ActiveRecord::Base
+ include ::EachBatch
+
+ self.table_name = 'namespaces'
+ self.inheritance_column = :_type_disabled
+
+ def runners_token=(value)
+ self.runners_token_encrypted =
+ ::Gitlab::CryptoHelper.aes256_gcm_encrypt(value)
+ end
+
+ def self.encrypted_attributes
+ { runners_token: { attribute: :runners_token_encrypted } }
+ end
+ end
+ end
+ end
+ end
+end
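Review bot: The `runners_token=` override writes only `runners_token_encrypted` and leaves the plaintext `runners_token` column untouched, and nothing in the class documents that; a comment above the setter such as `# Write-only: stores the ciphertext in runners_token_encrypted and does not modify the plaintext column.` would make the contract explicit. `::Gitlab::CryptoHelper.aes256_gcm_encrypt` is not visible in this diff, so it is worth confirming how it chooses the GCM nonce: every row is presumably encrypted under the same key, and a nonce repeated across rows would weaken both the confidentiality and the integrity of the stored tokens. The same two points apply to the identical setters in project.rb and settings.rb.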
diff --git a/lib/gitlab/background_migration/models/encrypt_columns/project.rb b/lib/gitlab/background_migration/models/encrypt_columns/project.rb
new file mode 100644
index 00000000000..bfeae14584d
--- /dev/null
+++ b/lib/gitlab/background_migration/models/encrypt_columns/project.rb
@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module Gitlab
+ module BackgroundMigration
+ module Models
+ module EncryptColumns
+ # This model is shared between synchronous and background migrations to
+ # encrypt the `runners_token` column in `projects` table.
+ #
+ class Project < ActiveRecord::Base
+ include ::EachBatch
+
+ self.table_name = 'projects'
+ self.inheritance_column = :_type_disabled
+
+ def runners_token=(value)
+ self.runners_token_encrypted =
+ ::Gitlab::CryptoHelper.aes256_gcm_encrypt(value)
+ end
+
+ def self.encrypted_attributes
+ { runners_token: { attribute: :runners_token_encrypted } }
+ end
+ end
+ end
+ end
+ end
+end
diff --git a/lib/gitlab/background_migration/models/encrypt_columns/runner.rb b/lib/gitlab/background_migration/models/encrypt_columns/runner.rb
new file mode 100644
index 00000000000..425f9f6c346
--- /dev/null
+++ b/lib/gitlab/background_migration/models/encrypt_columns/runner.rb
@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module Gitlab
+ module BackgroundMigration
+ module Models
+ module EncryptColumns
+ # This model is shared between synchronous and background migrations to
+ # encrypt the `token` column in `ci_runners` table.
+ #
+ class Runner < ActiveRecord::Base
+ include ::EachBatch
+
+ self.table_name = 'ci_runners'
+ self.inheritance_column = :_type_disabled
+
+ def runners_token=(value)
+ self.token_encrypted =
+ ::Gitlab::CryptoHelper.aes256_gcm_encrypt(value)
+ end
+
+ def self.encrypted_attributes
+ { token: { attribute: :token_encrypted } }
+ end
+ end
+ end
+ end
+ end
+end
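Review bot: The setter here is named `runners_token=`, but `encrypted_attributes` maps `token` to `token_encrypted` and the class comment names the `token` column of `ci_runners`, so an assignment to `token` would bypass this override and leave `token_encrypted` empty. This looks like a leftover from copying the other models; the definition should read `def token=(value)`. How `EncryptColumns#perform` assigns the attribute lies outside this diff, so confirm against it. A spec asserting that `token_encrypted` is populated after the migration runs would catch the mismatch.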
diff --git a/lib/gitlab/background_migration/models/encrypt_columns/settings.rb b/lib/gitlab/background_migration/models/encrypt_columns/settings.rb
new file mode 100644
index 00000000000..458f1202929
--- /dev/null
+++ b/lib/gitlab/background_migration/models/encrypt_columns/settings.rb
@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module Gitlab
+ module BackgroundMigration
+ module Models
+ module EncryptColumns
+ # This model is shared between synchronous and background migrations to
+ # encrypt the `runners_token` column in `application_settings` table.
+ #
+ class Settings < ActiveRecord::Base
+ include ::EachBatch
+
+ self.table_name = 'application_settings'
+ self.inheritance_column = :_type_disabled
+
+ def runners_token=(value)
+ self.runners_token_encrypted =
+ ::Gitlab::CryptoHelper.aes256_gcm_encrypt(value)
+ end
+
+ def self.encrypted_attributes
+ { runners_token: { attribute: :runners_token_encrypted } }
+ end
+ end
+ end
+ end
+ end
+end
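Review bot: Naming this class `Settings` inside `Gitlab::BackgroundMigration::Models::EncryptColumns` shadows the top-level `::Settings` for constant lookups in that namespace, which is why web_hook.rb has to switch to `::Settings` in the same commit. Any model added here later that reads the encryption key through a bare `Settings` would resolve to this ActiveRecord class instead of the configuration object. A name such as `ApplicationSetting` would avoid the collision; failing that, a class comment like `# NOTE: shadows ::Settings in this namespace; always write ::Settings for configuration.` would warn the next author.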
diff --git a/lib/gitlab/background_migration/models/encrypt_columns/web_hook.rb b/lib/gitlab/background_migration/models/encrypt_columns/web_hook.rb
index bb76eb8ed48..ccd9d4c6d44 100644
--- a/lib/gitlab/background_migration/models/encrypt_columns/web_hook.rb
+++ b/lib/gitlab/background_migration/models/encrypt_columns/web_hook.rb
@@ -15,12 +15,12 @@ module Gitlab
attr_encrypted :token,
mode: :per_attribute_iv,
algorithm: 'aes-256-gcm',
- key: Settings.attr_encrypted_db_key_base_truncated
+ key: ::Settings.attr_encrypted_db_key_base_truncated
attr_encrypted :url,
mode: :per_attribute_iv,
algorithm: 'aes-256-gcm',
- key: Settings.attr_encrypted_db_key_base_truncated
+ key: ::Settings.attr_encrypted_db_key_base_truncated
end
end
end