From 03000c8f26e85f5bc8bbfe292af7ffd1bcc38d29 Mon Sep 17 00:00:00 2001
From: Krasimir Angelov
Date: Thu, 6 Jun 2019 21:37:49 +1200
Subject: Add migrations needed to encrypt feature flags client tokens

Make plaintext token column not null, add new token_encrypted column and index on project_id & token_encrypted. Post deployment migration to encrypt existing tokens.
---
.../encrypt_feature_flags_clients_tokens_spec.rb | 36 ++++++++++++++++++++++
1 file changed, 36 insertions(+)
create mode 100644 spec/migrations/encrypt_feature_flags_clients_tokens_spec.rb

(limited to 'spec')

diff --git a/spec/migrations/encrypt_feature_flags_clients_tokens_spec.rb b/spec/migrations/encrypt_feature_flags_clients_tokens_spec.rb
new file mode 100644
index 00000000000..95b02d20594
--- /dev/null
+++ b/spec/migrations/encrypt_feature_flags_clients_tokens_spec.rb
@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require Rails.root.join('db', 'post_migrate', '20190606175050_encrypt_feature_flags_clients_tokens.rb')
+
+describe EncryptFeatureFlagsClientsTokens, :migration do
+ let(:migration) { described_class.new }
+ let(:feature_flags_clients) { table(:operations_feature_flags_clients) }
+ let(:projects) { table(:projects) }
+ let(:plaintext) { "secret-token" }
+ let(:ciphertext) { Gitlab::CryptoHelper.aes256_gcm_encrypt(plaintext) }
+
+ describe '#up' do
+ it 'keeps plaintext token the same and populates token_encrypted if not present' do
+ project = projects.create!(id: 123, name: 'gitlab1', path: 'gitlab1', namespace_id: 123)
+ feature_flags_client = feature_flags_clients.create!(project_id: project.id, token: plaintext)
+
+ migration.up
+
+ expect(feature_flags_client.reload.token).to eq(plaintext)
+ expect(feature_flags_client.reload.token_encrypted).to eq(ciphertext)
+ end
+ end
+
+ describe '#down' do
+ it 'decrypts encrypted token and saves it' do
+ project = projects.create!(id: 123, name: 'gitlab1', path: 'gitlab1', namespace_id: 123)
+ feature_flags_client = feature_flags_clients.create!(project_id: project.id, token_encrypted: ciphertext)
+
+ migration.down
+
+ expect(feature_flags_client.reload.token).to eq(plaintext)
+ expect(feature_flags_client.reload.token_encrypted).to eq(ciphertext)
+ end
+ end
+end
-- 
cgit v1.2.1
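Review bot: The `#up` example pins `token` to the plaintext after the migration has run (`expect(feature_flags_client.reload.token).to eq(plaintext)`), so on its own this step leaves the secret readable in the table next to its encrypted copy. If that is deliberate for a staged rollout, which the spec does not show, a comment above the example would make it explicit, for instance `# plaintext token is kept until readers use token_encrypted; a later migration must clear it`. The `eq(ciphertext)` assertions in both examples only pass if `Gitlab::CryptoHelper.aes256_gcm_encrypt` returns the same output for the same input, which suggests a fixed nonce. That fits the index on `token_encrypted` mentioned in the commit message, but it is worth stating in a comment because nonce reuse under one key weakens the guarantees GCM normally gives. The description says "if not present", yet no example covers a row whose `token_encrypted` is already set; adding one would pin that `up` does not overwrite it.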