1 files changed, 29 insertions, 0 deletions

diff --git a/db/migrate/20211126115449_encrypt_static_objects_external_storage_auth_token.rb b/db/migrate/20211126115449_encrypt_static_objects_external_storage_auth_token.rb
new file mode 100644
index 00000000000..9ce034b0065
--- /dev/null
+++ b/db/migrate/20211126115449_encrypt_static_objects_external_storage_auth_token.rb
@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+class EncryptStaticObjectsExternalStorageAuthToken < Gitlab::Database::Migration[1.0]
+  class ApplicationSetting < ActiveRecord::Base
+    self.table_name = 'application_settings'
+
+    scope :encrypted_token_is_null, -> { where(static_objects_external_storage_auth_token_encrypted: nil) }
+    scope :encrypted_token_is_not_null, -> { where.not(static_objects_external_storage_auth_token_encrypted: nil) }
+    scope :plaintext_token_is_not_null, -> { where.not(static_objects_external_storage_auth_token: nil) }
+  end
+
+  def up
+    ApplicationSetting.reset_column_information
+
+    ApplicationSetting.encrypted_token_is_null.plaintext_token_is_not_null.find_each do |application_setting|
+      token_encrypted = Gitlab::CryptoHelper.aes256_gcm_encrypt(application_setting.static_objects_external_storage_auth_token)
+      application_setting.update!(static_objects_external_storage_auth_token_encrypted: token_encrypted)
+    end
+  end
+
+  def down
+    ApplicationSetting.reset_column_information
+
+    ApplicationSetting.encrypted_token_is_not_null.find_each do |application_setting|
+      token = Gitlab::CryptoHelper.aes256_gcm_decrypt(application_setting.static_objects_external_storage_auth_token_encrypted)
+      application_setting.update!(static_objects_external_storage_auth_token: token, static_objects_external_storage_auth_token_encrypted: nil)
+    end
+  end
+end