diff options
| author | Arturo Herrero <arturo.herrero@gmail.com> | 2019-11-22 14:29:53 +0000 |
|---|---|---|
| committer | Alessio Caiazza <acaiazza@gitlab.com> | 2019-11-26 14:02:55 +0100 |
| commit | aaae14c00eb7fff7c8868d6794231f12c7ca2165 (patch) | |
| tree | 58908245d1b1bcfc58981a2bcfe2ca11ac01f066 /spec/migrations | |
| parent | 9183bf943b36f7505f4ec64c2db14dc3f641b617 (diff) | |
| download | gitlab-ce-aaae14c00eb7fff7c8868d6794231f12c7ca2165.tar.gz | |
Encrypt application settings with pre and post deployments
We had concerns about the cached values on Redis with the previous two
releases strategy:
First release (this commit):
- Create new encrypted fields in the database.
- Start populating new encrypted fields, read the encrypted fields or
fallback to the plaintext fields.
- Backfill the data removing the plaintext fields to the encrypted
fields.
Second release:
- Remove the virtual attribute (created in step 2).
- Drop plaintext columns from the database (empty columns after
step 3).
We end up with a better strategy only using migration scripts in one
release:
- Pre-deployment migration: Add columns required for storing encrypted
values.
- Pre-deployment migration: Store the encrypted values in the new
columns.
- Post-deployment migration: Remove the old unencrypted columns
Diffstat (limited to 'spec/migrations')
| -rw-r--r-- | spec/migrations/encrypt_plaintext_attributes_on_application_settings_spec.rb | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/spec/migrations/encrypt_plaintext_attributes_on_application_settings_spec.rb b/spec/migrations/encrypt_plaintext_attributes_on_application_settings_spec.rb index 6435e43f38c..122da7b3d72 100644 --- a/spec/migrations/encrypt_plaintext_attributes_on_application_settings_spec.rb +++ b/spec/migrations/encrypt_plaintext_attributes_on_application_settings_spec.rb @@ -18,7 +18,7 @@ describe EncryptPlaintextAttributesOnApplicationSettings, :migration do ].freeze describe '#up' do - it 'encrypts token, saves it and removes plaintext token' do + it 'encrypts token and saves it' do application_setting = application_settings.create application_setting.update_columns( PLAINTEXT_ATTRIBUTES.each_with_object({}) do |plaintext_attribute, attributes| @@ -30,7 +30,7 @@ describe EncryptPlaintextAttributesOnApplicationSettings, :migration do application_setting.reload PLAINTEXT_ATTRIBUTES.each do |plaintext_attribute| - expect(application_setting[plaintext_attribute]).to be_nil + expect(application_setting[plaintext_attribute]).not_to be_nil expect(application_setting["encrypted_#{plaintext_attribute}"]).not_to be_nil expect(application_setting["encrypted_#{plaintext_attribute}_iv"]).not_to be_nil end |