1 files changed, 40 insertions, 0 deletions

diff --git a/lib/gitlab/background_migration/encrypt_ci_trigger_token.rb b/lib/gitlab/background_migration/encrypt_ci_trigger_token.rb
new file mode 100644
index 00000000000..b6e22e481fa
--- /dev/null
+++ b/lib/gitlab/background_migration/encrypt_ci_trigger_token.rb
@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module BackgroundMigration
+    # Migration to make sure that all the prevously saved tokens have their encrypted values in the db.
+    class EncryptCiTriggerToken < Gitlab::BackgroundMigration::BatchedMigrationJob
+      feature_category :continuous_integration
+      scope_to ->(relation) { relation.where(encrypted_token: nil) }
+      operation_name :update
+      # Class that is imitating Ci::Trigger
+      class CiTrigger < ::Ci::ApplicationRecord
+        ALGORITHM = 'aes-256-gcm'
+
+        self.table_name = 'ci_triggers'
+
+        attr_encrypted :encrypted_token_tmp,
+          attribute: :encrypted_token,
+          mode: :per_attribute_iv,
+          algorithm: 'aes-256-gcm',
+          key: Settings.attr_encrypted_db_key_base_32,
+          encode: false,
+          encode_vi: false
+
+        before_save :copy_token_to_encrypted_token
+
+        def copy_token_to_encrypted_token
+          self.encrypted_token_tmp = token
+        end
+      end
+
+      def perform
+        each_sub_batch do |sub_batch|
+          sub_batch.each do |trigger|
+            Gitlab::BackgroundMigration::EncryptCiTriggerToken::CiTrigger.find(trigger.id).save!
+          end
+        end
+      end
+    end
+  end
+end