Steal MigrateU2fWebauthn background migration

86021d06 · Jan Beckmann · Imre Farkas · e67656f5 · 86021d06 · 86021d06
Commit 86021d06 authored Nov 24, 2020 by Jan Beckmann Committed by Imre Farkas Nov 24, 2020
7 changed files
--- a/changelogs/unreleased/232670-steal-webauthn-background-migration.yml
+++ b/changelogs/unreleased/232670-steal-webauthn-background-migration.yml
+---
+title: Cleanup webauthn background migration
+merge_request: 46179
+author: Jan Beckmann
+type: added
--- a/db/migrate/20201117075742_change_webauthn_xid_length.rb
+++ b/db/migrate/20201117075742_change_webauthn_xid_length.rb
+# frozen_string_literal: true
+
+class ChangeWebauthnXidLength < ActiveRecord::Migration[6.0]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  disable_ddl_transaction!
+
+  def up
+    add_text_limit :webauthn_registrations, :credential_xid, 340, constraint_name: check_constraint_name(:webauthn_registrations, :credential_xid, 'max_length_v2')
+    remove_text_limit :webauthn_registrations, :credential_xid, constraint_name: check_constraint_name(:webauthn_registrations, :credential_xid, 'max_length')
+  end
+
+  def down
+    # no-op: Danger of failling if there are records with length(credential_xid) > 255
+  end
+end
--- a/db/post_migrate/20201026185514_ensure_u2f_registrations_migrated.rb
+++ b/db/post_migrate/20201026185514_ensure_u2f_registrations_migrated.rb
+# frozen_string_literal: true
+
+class EnsureU2fRegistrationsMigrated < ActiveRecord::Migration[6.0]
+  include Gitlab::Database::MigrationHelpers
+
+  BACKGROUND_MIGRATION_CLASS = 'MigrateU2fWebauthn'
+  BATCH_SIZE = 100
+  DOWNTIME = false
+
+  disable_ddl_transaction!
+
+  class U2fRegistration < ActiveRecord::Base
+    include EachBatch
+
+    self.table_name = 'u2f_registrations'
+  end
+
+  def up
+    Gitlab::BackgroundMigration.steal(BACKGROUND_MIGRATION_CLASS)
+
+    # Do a manual update in case we lost BG jobs. The expected record count should be 0 or very low.
+    U2fRegistration
+        .joins("LEFT JOIN webauthn_registrations ON webauthn_registrations.u2f_registration_id = u2f_registrations.id")
+        .where("webauthn_registrations.u2f_registration_id IS NULL")
+        .each_batch(of: BATCH_SIZE) do |batch, index|
+      batch.each do |record|
+        Gitlab::BackgroundMigration::MigrateU2fWebauthn.new.perform(record.id, record.id)
+      rescue => e
+        Gitlab::ErrorTracking.track_exception(e, u2f_registration_id: record.id)
+      end
+    end
+  end
+
+  def down
+    # no-op (we can't "unsteal" migrations)
+  end
+end
--- a/db/schema_migrations/20201026185514
+++ b/db/schema_migrations/20201026185514
+a9ae0161c40b9c72371d6eb992bd0da8c3698e7784357faac0821e3f513e48d2
\ No newline at end of file
--- a/db/schema_migrations/20201117075742
+++ b/db/schema_migrations/20201117075742
+a39bad8b213833c84370cf64188a3ce444fd8aeeff239c29f5f2f633d94ac6bb
\ No newline at end of file
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -17571,8 +17571,8 @@ CREATE TABLE webauthn_registrations (
    name text NOT NULL,
    public_key text NOT NULL,
    u2f_registration_id integer,
-    CONSTRAINT check_242f0cc65c CHECK ((char_length(credential_xid) <= 255)),
-    CONSTRAINT check_2f02e74321 CHECK ((char_length(name) <= 255))
+    CONSTRAINT check_2f02e74321 CHECK ((char_length(name) <= 255)),
+    CONSTRAINT check_e54008d9ce CHECK ((char_length(credential_xid) <= 340))
 );

 CREATE SEQUENCE webauthn_registrations_id_seq

--- a/spec/migrations/ensure_u2f_registrations_migrated_spec.rb
+++ b/spec/migrations/ensure_u2f_registrations_migrated_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+require Rails.root.join('db', 'post_migrate', '20201026185514_ensure_u2f_registrations_migrated.rb')
+
+RSpec.describe EnsureU2fRegistrationsMigrated, schema: 20201022144501 do
+  let(:u2f_registrations) { table(:u2f_registrations) }
+  let(:webauthn_registrations) { table(:webauthn_registrations) }
+  let(:users) { table(:users) }
+
+  let(:user) { users.create!(email: 'email@email.com', name: 'foo', username: 'foo', projects_limit: 0) }
+
+  before do
+    create_u2f_registration(1, 'reg1')
+    create_u2f_registration(2, 'reg2')
+    webauthn_registrations.create!({ name: 'reg1', u2f_registration_id: 1, credential_xid: '', public_key: '', user_id: user.id })
+  end
+
+  it 'correctly migrates u2f registrations previously not migrated' do
+    expect { migrate! }.to change { webauthn_registrations.count }.from(1).to(2)
+  end
+
+  it 'migrates all valid u2f registrations depite errors' do
+    create_u2f_registration(3, 'reg3', 'invalid!')
+    create_u2f_registration(4, 'reg4')
+
+    expect { migrate! }.to change { webauthn_registrations.count }.from(1).to(3)
+  end
+
+  def create_u2f_registration(id, name, public_key = nil)
+    device = U2F::FakeU2F.new(FFaker::BaconIpsum.characters(5), { key_handle: SecureRandom.random_bytes(255) })
+    public_key ||= Base64.strict_encode64(device.origin_public_key_raw)
+    u2f_registrations.create!({ id: id,
+                               certificate: Base64.strict_encode64(device.cert_raw),
+                               key_handle: U2F.urlsafe_encode64(device.key_handle_raw),
+                               public_key: public_key,
+                               counter: 5,
+                               name: name,
+                               user_id: user.id })
+  end
+end