Use plaintext token when migration is not complete

239a4f72 · Grzegorz Bizon · e9abaced · 239a4f72 · 239a4f72 · 239a4f72
Commit 239a4f72 authored Dec 03, 2018 by Grzegorz Bizon
5 changed files
--- a/app/models/concerns/token_authenticatable_strategies/encrypted.rb
+++ b/app/models/concerns/token_authenticatable_strategies/encrypted.rb
@@ -12,16 +12,18 @@ module TokenAuthenticatableStrategies

    def find_token_authenticatable(token, unscoped = false)
      return if token.blank?
-      return find_by_encrypted_token(token, unscoped) if fully_encrypted?
+
+      if fully_encrypted?
+        return find_by_encrypted_token(token, unscoped)
+      end

      if fallback?
        find_by_encrypted_token(token, unscoped) ||
          find_by_plaintext_token(token, unscoped)
      elsif migrating?
-        find_by_plaintext_token(token, unscoped) ||
-          find_by_encrypted_token(token, unscoped)
+        find_by_plaintext_token(token, unscoped)
      else
-        raise ArgumentError, 'Unknown encryption strategy!'
+        raise ArgumentError, 'Unknown encryption phase!'
      end
    end


--- a/lib/gitlab/background_migration/encrypt_columns.rb
+++ b/lib/gitlab/background_migration/encrypt_columns.rb
@@ -38,6 +38,10 @@ module Gitlab
        end
      end

+      def clear_migrated_values?
+        true
+      end
+
      private

      # Build a hash of { attribute => encrypted column name }
@@ -74,9 +78,11 @@ module Gitlab

        if instance.changed?
          instance.save!
+          if clear_migrated_values?
            instance.update_columns(to_clear)
          end
        end
+      end

      def apply_attribute!(instance, plain_column, crypt_column)
        plaintext = instance[plain_column]

--- a/lib/gitlab/background_migration/encrypt_runners_tokens.rb
+++ b/lib/gitlab/background_migration/encrypt_runners_tokens.rb
@@ -23,6 +23,10 @@ module Gitlab

        super(model, attributes, from, to)
      end
+
+      def clear_migrated_values?
+        false
+      end
    end
  end
 end
--- a/spec/lib/gitlab/background_migration/encrypt_runners_tokens_spec.rb
+++ b/spec/lib/gitlab/background_migration/encrypt_runners_tokens_spec.rb
@@ -18,7 +18,7 @@ describe Gitlab::BackgroundMigration::EncryptRunnersTokens, :migration, schema:
      decrypted_token = ::Gitlab::CryptoHelper.aes256_gcm_decrypt(encrypted_token)

      expect(decrypted_token).to eq 'plain-text-token1'
-      expect(settings.first.runners_registration_token).to be_nil
+      expect(settings.first.runners_registration_token).to eq 'plain-text-token1'
    end
  end

@@ -33,7 +33,7 @@ describe Gitlab::BackgroundMigration::EncryptRunnersTokens, :migration, schema:
      migrate!(:namespace, 11, 22)

      expect(namespaces.all.reload).to all(
-        have_attributes(runners_token: nil, runners_token_encrypted: be_a(String))
+        have_attributes(runners_token: be_a(String), runners_token_encrypted: be_a(String))
      )
    end
  end
@@ -50,7 +50,7 @@ describe Gitlab::BackgroundMigration::EncryptRunnersTokens, :migration, schema:
      migrate!(:project, 111, 116)

      expect(projects.all.reload).to all(
-        have_attributes(runners_token: nil, runners_token_encrypted: be_a(String))
+        have_attributes(runners_token: be_a(String), runners_token_encrypted: be_a(String))
      )
    end
  end
@@ -66,7 +66,7 @@ describe Gitlab::BackgroundMigration::EncryptRunnersTokens, :migration, schema:
      migrate!(:runner, 201, 203)

      expect(runners.all.reload).to all(
-        have_attributes(token: nil, token_encrypted: be_a(String))
+        have_attributes(token: be_a(String), token_encrypted: be_a(String))
      )
    end
  end

--- a/spec/models/concerns/token_authenticatable_strategies/encrypted_spec.rb
+++ b/spec/models/concerns/token_authenticatable_strategies/encrypted_spec.rb
@@ -66,26 +66,9 @@ describe TokenAuthenticatableStrategies::Encrypted do
          .with('some_field' => 'my-value')
          .and_return(nil)

-        allow(model).to receive(:find_by)
-          .with('some_field_encrypted' => encrypted)
-          .and_return(nil)
-
        expect(subject.find_token_authenticatable('my-value'))
          .to be_nil
      end
-
-      it 'finds by encrypted value if cleartext is not present' do
-        allow(model).to receive(:find_by)
-          .with('some_field' => 'my-value')
-          .and_return(nil)
-
-        allow(model).to receive(:find_by)
-          .with('some_field_encrypted' => encrypted)
-          .and_return('encrypted resource')
-
-        expect(subject.find_token_authenticatable('my-value'))
-          .to eq 'encrypted resource'
-      end
    end
  end