Added migration to encrypt token in DeployToken records

Added migrations to make token column accepting null values and to add
encrypted token column.

4 files changed, 51 insertions, 1 deletions

diff --git a/db/migrate/20190711200053_change_deploy_tokens_token_not_null.rb b/db/migrate/20190711200053_change_deploy_tokens_token_not_null.rb
new file mode 100644
index 00000000000..14ccf544d0b
--- /dev/null
+++ b/db/migrate/20190711200053_change_deploy_tokens_token_not_null.rb
@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+class ChangeDeployTokensTokenNotNull < ActiveRecord::Migration[5.1]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  def change
+    change_column_null :deploy_tokens, :token, true
+  end
+end
diff --git a/db/migrate/20190711200508_add_token_encrypted_to_deploy_tokens.rb b/db/migrate/20190711200508_add_token_encrypted_to_deploy_tokens.rb
new file mode 100644
index 00000000000..3c352441057
--- /dev/null
+++ b/db/migrate/20190711200508_add_token_encrypted_to_deploy_tokens.rb
@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+class AddTokenEncryptedToDeployTokens < ActiveRecord::Migration[5.1]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  def change
+    add_column :deploy_tokens, :token_encrypted, :string
+  end
+end
diff --git a/db/post_migrate/20190711201818_encrypt_deploy_tokens_tokens.rb b/db/post_migrate/20190711201818_encrypt_deploy_tokens_tokens.rb
new file mode 100644
index 00000000000..6245a87dc62
--- /dev/null
+++ b/db/post_migrate/20190711201818_encrypt_deploy_tokens_tokens.rb
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+class EncryptDeployTokensTokens < ActiveRecord::Migration[5.1]
+  DOWNTIME = false
+
+  class DeploymentTokens < ActiveRecord::Base
+    self.table_name = 'deploy_tokens'
+  end
+
+  def up
+    say_with_time("Encrypting tokens from deploy_tokens") do
+      DeploymentTokens.where('token_encrypted is NULL AND token IS NOT NULL').find_each do |deploy_token|
+        token_encrypted = Gitlab::CryptoHelper.aes256_gcm_encrypt(deploy_token.token)
+        deploy_token.update!(token_encrypted: token_encrypted)
+      end
+    end
+  end
+
+  def down
+    say_with_time("Decrypting tokens from deploy_tokens") do
+      DeploymentTokens.where('token_encrypted IS NOT NULL AND token IS NULL').find_each do |deploy_token|
+        token = Gitlab::CryptoHelper.aes256_gcm_decrypt(deploy_token.token_encrypted)
+        deploy_token.update!(token: token)
+      end
+    end
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
index 36bf2371994..f36ee372382 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -1121,8 +1121,9 @@ ActiveRecord::Schema.define(version: 2019_08_20_163320) do
     t.datetime_with_timezone "expires_at", null: false
     t.datetime_with_timezone "created_at", null: false
     t.string "name", null: false
-    t.string "token", null: false
+    t.string "token"
     t.string "username"
+    t.string "token_encrypted"
     t.index ["token", "expires_at", "id"], name: "index_deploy_tokens_on_token_and_expires_at_and_id", where: "(revoked IS FALSE)"
     t.index ["token"], name: "index_deploy_tokens_on_token", unique: true
   end