diff options
author | Krasimir Angelov <kangelov@gitlab.com> | 2019-06-06 21:37:49 +1200 |
---|---|---|
committer | Krasimir Angelov <kangelov@gitlab.com> | 2019-06-18 11:09:15 +1200 |
commit | 03000c8f26e85f5bc8bbfe292af7ffd1bcc38d29 (patch) | |
tree | 066683f2351ad7bc56fe02fbdd2765f4be252326 /db/post_migrate | |
parent | 30bddd546f117043f2b7389ad06ba5257184c148 (diff) | |
download | gitlab-ce-03000c8f26e85f5bc8bbfe292af7ffd1bcc38d29.tar.gz |
Add migrations needed to encrypt feature flags client tokens57918-encrypt-feature-flags-tokens
Make plaintext token column not null, add new token_encrypted column and
index on project_id & token_encrypted.
Post deployment migration to encrypt existing tokens.
Diffstat (limited to 'db/post_migrate')
-rw-r--r-- | db/post_migrate/20190606175050_encrypt_feature_flags_clients_tokens.rb | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/db/post_migrate/20190606175050_encrypt_feature_flags_clients_tokens.rb b/db/post_migrate/20190606175050_encrypt_feature_flags_clients_tokens.rb new file mode 100644 index 00000000000..cb7d723670f --- /dev/null +++ b/db/post_migrate/20190606175050_encrypt_feature_flags_clients_tokens.rb @@ -0,0 +1,27 @@ +# frozen_string_literal: true + +class EncryptFeatureFlagsClientsTokens < ActiveRecord::Migration[5.1] + DOWNTIME = false + + class FeatureFlagsClient < ActiveRecord::Base + self.table_name = 'operations_feature_flags_clients' + end + + def up + say_with_time("Encrypting tokens from operations_feature_flags_clients") do + FeatureFlagsClient.where('token_encrypted is NULL AND token IS NOT NULL').find_each do |feature_flags_client| + token_encrypted = Gitlab::CryptoHelper.aes256_gcm_encrypt(feature_flags_client.token) + feature_flags_client.update!(token_encrypted: token_encrypted) + end + end + end + + def down + say_with_time("Decrypting tokens from operations_feature_flags_clients") do + FeatureFlagsClient.where('token_encrypted IS NOT NULL AND token IS NULL').find_each do |feature_flags_client| + token = Gitlab::CryptoHelper.aes256_gcm_decrypt(feature_flags_client.token_encrypted) + feature_flags_client.update!(token: token) + end + end + end +end |