Commit 239a4f72 authored by Grzegorz Bizon's avatar Grzegorz Bizon

Use plaintext token when migration is not complete

parent e9abaced
...@@ -12,16 +12,18 @@ module TokenAuthenticatableStrategies ...@@ -12,16 +12,18 @@ module TokenAuthenticatableStrategies
def find_token_authenticatable(token, unscoped = false) def find_token_authenticatable(token, unscoped = false)
return if token.blank? return if token.blank?
return find_by_encrypted_token(token, unscoped) if fully_encrypted?
if fully_encrypted?
return find_by_encrypted_token(token, unscoped)
end
if fallback? if fallback?
find_by_encrypted_token(token, unscoped) || find_by_encrypted_token(token, unscoped) ||
find_by_plaintext_token(token, unscoped) find_by_plaintext_token(token, unscoped)
elsif migrating? elsif migrating?
find_by_plaintext_token(token, unscoped) || find_by_plaintext_token(token, unscoped)
find_by_encrypted_token(token, unscoped)
else else
raise ArgumentError, 'Unknown encryption strategy!' raise ArgumentError, 'Unknown encryption phase!'
end end
end end
......
...@@ -38,6 +38,10 @@ module Gitlab ...@@ -38,6 +38,10 @@ module Gitlab
end end
end end
def clear_migrated_values?
true
end
private private
# Build a hash of { attribute => encrypted column name } # Build a hash of { attribute => encrypted column name }
...@@ -74,7 +78,9 @@ module Gitlab ...@@ -74,7 +78,9 @@ module Gitlab
if instance.changed? if instance.changed?
instance.save! instance.save!
instance.update_columns(to_clear) if clear_migrated_values?
instance.update_columns(to_clear)
end
end end
end end
......
...@@ -23,6 +23,10 @@ module Gitlab ...@@ -23,6 +23,10 @@ module Gitlab
super(model, attributes, from, to) super(model, attributes, from, to)
end end
def clear_migrated_values?
false
end
end end
end end
end end
...@@ -18,7 +18,7 @@ describe Gitlab::BackgroundMigration::EncryptRunnersTokens, :migration, schema: ...@@ -18,7 +18,7 @@ describe Gitlab::BackgroundMigration::EncryptRunnersTokens, :migration, schema:
decrypted_token = ::Gitlab::CryptoHelper.aes256_gcm_decrypt(encrypted_token) decrypted_token = ::Gitlab::CryptoHelper.aes256_gcm_decrypt(encrypted_token)
expect(decrypted_token).to eq 'plain-text-token1' expect(decrypted_token).to eq 'plain-text-token1'
expect(settings.first.runners_registration_token).to be_nil expect(settings.first.runners_registration_token).to eq 'plain-text-token1'
end end
end end
...@@ -33,7 +33,7 @@ describe Gitlab::BackgroundMigration::EncryptRunnersTokens, :migration, schema: ...@@ -33,7 +33,7 @@ describe Gitlab::BackgroundMigration::EncryptRunnersTokens, :migration, schema:
migrate!(:namespace, 11, 22) migrate!(:namespace, 11, 22)
expect(namespaces.all.reload).to all( expect(namespaces.all.reload).to all(
have_attributes(runners_token: nil, runners_token_encrypted: be_a(String)) have_attributes(runners_token: be_a(String), runners_token_encrypted: be_a(String))
) )
end end
end end
...@@ -50,7 +50,7 @@ describe Gitlab::BackgroundMigration::EncryptRunnersTokens, :migration, schema: ...@@ -50,7 +50,7 @@ describe Gitlab::BackgroundMigration::EncryptRunnersTokens, :migration, schema:
migrate!(:project, 111, 116) migrate!(:project, 111, 116)
expect(projects.all.reload).to all( expect(projects.all.reload).to all(
have_attributes(runners_token: nil, runners_token_encrypted: be_a(String)) have_attributes(runners_token: be_a(String), runners_token_encrypted: be_a(String))
) )
end end
end end
...@@ -66,7 +66,7 @@ describe Gitlab::BackgroundMigration::EncryptRunnersTokens, :migration, schema: ...@@ -66,7 +66,7 @@ describe Gitlab::BackgroundMigration::EncryptRunnersTokens, :migration, schema:
migrate!(:runner, 201, 203) migrate!(:runner, 201, 203)
expect(runners.all.reload).to all( expect(runners.all.reload).to all(
have_attributes(token: nil, token_encrypted: be_a(String)) have_attributes(token: be_a(String), token_encrypted: be_a(String))
) )
end end
end end
......
...@@ -66,26 +66,9 @@ describe TokenAuthenticatableStrategies::Encrypted do ...@@ -66,26 +66,9 @@ describe TokenAuthenticatableStrategies::Encrypted do
.with('some_field' => 'my-value') .with('some_field' => 'my-value')
.and_return(nil) .and_return(nil)
allow(model).to receive(:find_by)
.with('some_field_encrypted' => encrypted)
.and_return(nil)
expect(subject.find_token_authenticatable('my-value')) expect(subject.find_token_authenticatable('my-value'))
.to be_nil .to be_nil
end end
it 'finds by encrypted value if cleartext is not present' do
allow(model).to receive(:find_by)
.with('some_field' => 'my-value')
.and_return(nil)
allow(model).to receive(:find_by)
.with('some_field_encrypted' => encrypted)
.and_return('encrypted resource')
expect(subject.find_token_authenticatable('my-value'))
.to eq 'encrypted resource'
end
end end
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment