Merge branch '51021-more-attr-encrypted' into 'master'

Encrypt webhook tokens and URLs in the database

Closes #51021

See merge request gitlab-org/gitlab-ce!21645

3 files changed, 114 insertions, 0 deletions

diff --git a/lib/gitlab/background_migration/encrypt_columns.rb b/lib/gitlab/background_migration/encrypt_columns.rb
new file mode 100644
index 00000000000..0d333e47e7b
--- /dev/null
+++ b/lib/gitlab/background_migration/encrypt_columns.rb
@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module BackgroundMigration
+    # EncryptColumn migrates data from an unencrypted column - `foo`, say - to
+    # an encrypted column - `encrypted_foo`, say.
+    #
+    # For this background migration to work, the table that is migrated _has_ to
+    # have an `id` column as the primary key. Additionally, the encrypted column
+    # should be managed by attr_encrypted, and map to an attribute with the same
+    # name as the unencrypted column (i.e., the unencrypted column should be
+    # shadowed).
+    #
+    # To avoid depending on a particular version of the model in app/, add a
+    # model to `lib/gitlab/background_migration/models/encrypt_columns` and use
+    # it in the migration that enqueues the jobs, so code can be shared.
+    class EncryptColumns
+      def perform(model, attributes, from, to)
+        model = model.constantize if model.is_a?(String)
+        attributes = expand_attributes(model, Array(attributes).map(&:to_sym))
+
+        model.transaction do
+          # Use SELECT ... FOR UPDATE to prevent the value being changed while
+          # we are encrypting it
+          relation = model.where(id: from..to).lock
+
+          relation.each do |instance|
+            encrypt!(instance, attributes)
+          end
+        end
+      end
+
+      private
+
+      # Build a hash of { attribute => encrypted column name }
+      def expand_attributes(klass, attributes)
+        expanded = attributes.flat_map do |attribute|
+          attr_config = klass.encrypted_attributes[attribute]
+          crypt_column_name = attr_config&.fetch(:attribute)
+
+          raise "Couldn't determine encrypted column for #{klass}##{attribute}" if
+            crypt_column_name.nil?
+
+          [attribute, crypt_column_name]
+        end
+
+        Hash[*expanded]
+      end
+
+      # Generate ciphertext for each column and update the database
+      def encrypt!(instance, attributes)
+        to_clear = attributes
+          .map { |plain, crypt| apply_attribute!(instance, plain, crypt) }
+          .compact
+          .flat_map { |plain| [plain, nil] }
+
+        to_clear = Hash[*to_clear]
+
+        if instance.changed?
+          instance.save!
+          instance.update_columns(to_clear)
+        end
+      end
+
+      def apply_attribute!(instance, plain_column, crypt_column)
+        plaintext = instance[plain_column]
+        ciphertext = instance[crypt_column]
+
+        # No need to do anything if the plaintext is nil, or an encrypted
+        # value already exists
+        return nil unless plaintext.present? && !ciphertext.present?
+
+        # attr_encrypted will calculate and set the expected value for us
+        instance.public_send("#{plain_column}=", plaintext) # rubocop:disable GitlabSecurity/PublicSend
+
+        plain_column
+      end
+    end
+  end
+end
diff --git a/lib/gitlab/background_migration/models/encrypt_columns/web_hook.rb b/lib/gitlab/background_migration/models/encrypt_columns/web_hook.rb
new file mode 100644
index 00000000000..bb76eb8ed48
--- /dev/null
+++ b/lib/gitlab/background_migration/models/encrypt_columns/web_hook.rb
@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module BackgroundMigration
+    module Models
+      module EncryptColumns
+        # This model is shared between synchronous and background migrations to
+        # encrypt the `token` and `url` columns
+        class WebHook < ActiveRecord::Base
+          include ::EachBatch
+
+          self.table_name = 'web_hooks'
+          self.inheritance_column = :_type_disabled
+
+          attr_encrypted :token,
+                         mode:      :per_attribute_iv,
+                         algorithm: 'aes-256-gcm',
+                         key:       Settings.attr_encrypted_db_key_base_truncated
+
+          attr_encrypted :url,
+                         mode:      :per_attribute_iv,
+                         algorithm: 'aes-256-gcm',
+                         key:       Settings.attr_encrypted_db_key_base_truncated
+        end
+      end
+    end
+  end
+end
diff --git a/lib/gitlab/import_export/import_export.yml b/lib/gitlab/import_export/import_export.yml
index a19b3c88627..2bed470514b 100644
--- a/lib/gitlab/import_export/import_export.yml
+++ b/lib/gitlab/import_export/import_export.yml
@@ -147,6 +147,12 @@ excluded_attributes:
     - :reference
     - :reference_html
     - :epic_id
+  hooks:
+    - :token
+    - :encrypted_token
+    - :encrypted_token_iv
+    - :encrypted_url
+    - :encrypted_url_iv
 
 methods:
   labels: