From fcf857be1c4d7a823374e93d22de7544699376e6 Mon Sep 17 00:00:00 2001 From: Don Browne Date: Tue, 14 May 2024 21:46:14 +0100 Subject: [PATCH] Add new column for new encyrption format (#3331) --- .../000056_encrypted_column.down.sql | 16 ++++++++ .../migrations/000056_encrypted_column.up.sql | 18 +++++++++ database/mock/store.go | 14 ------- database/query/provider_access_tokens.sql | 7 ++-- database/query/session_store.sql | 3 -- internal/db/models.go | 38 ++++++++++--------- internal/db/provider_access_tokens.sql.go | 37 +++++++++++------- internal/db/querier.go | 1 - internal/db/session_store.sql.go | 12 +----- internal/verifier/verifyif/mock/verifyif.go | 16 ++++---- pkg/api/protobuf/go/minder/v1/minder.pb.go | 2 +- 11 files changed, 92 insertions(+), 72 deletions(-) create mode 100644 database/migrations/000056_encrypted_column.down.sql create mode 100644 database/migrations/000056_encrypted_column.up.sql diff --git a/database/migrations/000056_encrypted_column.down.sql b/database/migrations/000056_encrypted_column.down.sql new file mode 100644 index 0000000000..bf3bc084a3 --- /dev/null +++ b/database/migrations/000056_encrypted_column.down.sql @@ -0,0 +1,16 @@ +-- Copyright 2024 Stacklok, Inc +-- +-- Licensed under the Apache License, Version 2.0 (the "License"); +-- you may not use this file except in compliance with the License. +-- You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. + +ALTER TABLE provider_access_tokens DROP COLUMN encrypted_access_token; +ALTER TABLE session_store DROP COLUMN encrypted_redirect; \ No newline at end of file diff --git a/database/migrations/000056_encrypted_column.up.sql b/database/migrations/000056_encrypted_column.up.sql new file mode 100644 index 0000000000..e842ad0369 --- /dev/null +++ b/database/migrations/000056_encrypted_column.up.sql @@ -0,0 +1,18 @@ +-- Copyright 2024 Stacklok, Inc +-- +-- Licensed under the Apache License, Version 2.0 (the "License"); +-- you may not use this file except in compliance with the License. +-- You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. + +-- add columns for new encrypted data format + +ALTER TABLE provider_access_tokens ADD COLUMN encrypted_access_token JSONB; +ALTER TABLE session_store ADD COLUMN encrypted_redirect TEXT; \ No newline at end of file diff --git a/database/mock/store.go b/database/mock/store.go index a8a28b364e..4fffb40ee8 100644 --- a/database/mock/store.go +++ b/database/mock/store.go @@ -480,20 +480,6 @@ func (mr *MockStoreMockRecorder) DeleteRuleType(arg0, arg1 any) *gomock.Call { return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteRuleType", reflect.TypeOf((*MockStore)(nil).DeleteRuleType), arg0, arg1) } -// DeleteSessionState mocks base method. -func (m *MockStore) DeleteSessionState(arg0 context.Context, arg1 int32) error { - m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "DeleteSessionState", arg0, arg1) - ret0, _ := ret[0].(error) - return ret0 -} - -// DeleteSessionState indicates an expected call of DeleteSessionState. -func (mr *MockStoreMockRecorder) DeleteSessionState(arg0, arg1 any) *gomock.Call { - mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteSessionState", reflect.TypeOf((*MockStore)(nil).DeleteSessionState), arg0, arg1) -} - // DeleteSessionStateByProjectID mocks base method. func (m *MockStore) DeleteSessionStateByProjectID(arg0 context.Context, arg1 db.DeleteSessionStateByProjectIDParams) error { m.ctrl.T.Helper() diff --git a/database/query/provider_access_tokens.sql b/database/query/provider_access_tokens.sql index 9e5ebab1fa..4ab033b5ea 100644 --- a/database/query/provider_access_tokens.sql +++ b/database/query/provider_access_tokens.sql @@ -9,16 +9,17 @@ SELECT * FROM provider_access_tokens WHERE provider = $1 AND project_id = $2 AND -- name: UpsertAccessToken :one INSERT INTO provider_access_tokens -(project_id, provider, encrypted_token, expiration_time, owner_filter, enrollment_nonce) +(project_id, provider, encrypted_token, expiration_time, owner_filter, enrollment_nonce, encrypted_access_token) VALUES - ($1, $2, $3, $4, $5, $6) + ($1, $2, $3, $4, $5, $6, $7) ON CONFLICT (project_id, provider) DO UPDATE SET encrypted_token = $3, expiration_time = $4, owner_filter = $5, enrollment_nonce = $6, - updated_at = NOW() + updated_at = NOW(), + encrypted_access_token = $7 WHERE provider_access_tokens.project_id = $1 AND provider_access_tokens.provider = $2 RETURNING *; diff --git a/database/query/session_store.sql b/database/query/session_store.sql index d7d216f58d..f92e09a214 100644 --- a/database/query/session_store.sql +++ b/database/query/session_store.sql @@ -4,9 +4,6 @@ INSERT INTO session_store (provider, project_id, remote_user, session_state, own -- name: GetProjectIDBySessionState :one SELECT provider, project_id, remote_user, owner_filter, redirect_url FROM session_store WHERE session_state = $1; --- name: DeleteSessionState :exec -DELETE FROM session_store WHERE id = $1; - -- name: DeleteSessionStateByProjectID :exec DELETE FROM session_store WHERE provider = $1 AND project_id = $2; diff --git a/internal/db/models.go b/internal/db/models.go index 2870414327..984bc3cc48 100644 --- a/internal/db/models.go +++ b/internal/db/models.go @@ -548,15 +548,16 @@ type Provider struct { } type ProviderAccessToken struct { - ID int32 `json:"id"` - Provider string `json:"provider"` - ProjectID uuid.UUID `json:"project_id"` - OwnerFilter sql.NullString `json:"owner_filter"` - EncryptedToken string `json:"encrypted_token"` - ExpirationTime time.Time `json:"expiration_time"` - CreatedAt time.Time `json:"created_at"` - UpdatedAt time.Time `json:"updated_at"` - EnrollmentNonce sql.NullString `json:"enrollment_nonce"` + ID int32 `json:"id"` + Provider string `json:"provider"` + ProjectID uuid.UUID `json:"project_id"` + OwnerFilter sql.NullString `json:"owner_filter"` + EncryptedToken string `json:"encrypted_token"` + ExpirationTime time.Time `json:"expiration_time"` + CreatedAt time.Time `json:"created_at"` + UpdatedAt time.Time `json:"updated_at"` + EnrollmentNonce sql.NullString `json:"enrollment_nonce"` + EncryptedAccessToken pqtype.NullRawMessage `json:"encrypted_access_token"` } type ProviderGithubAppInstallation struct { @@ -653,15 +654,16 @@ type RuleType struct { } type SessionStore struct { - ID int32 `json:"id"` - Provider string `json:"provider"` - ProjectID uuid.UUID `json:"project_id"` - Port sql.NullInt32 `json:"port"` - OwnerFilter sql.NullString `json:"owner_filter"` - SessionState string `json:"session_state"` - CreatedAt time.Time `json:"created_at"` - RedirectUrl sql.NullString `json:"redirect_url"` - RemoteUser sql.NullString `json:"remote_user"` + ID int32 `json:"id"` + Provider string `json:"provider"` + ProjectID uuid.UUID `json:"project_id"` + Port sql.NullInt32 `json:"port"` + OwnerFilter sql.NullString `json:"owner_filter"` + SessionState string `json:"session_state"` + CreatedAt time.Time `json:"created_at"` + RedirectUrl sql.NullString `json:"redirect_url"` + RemoteUser sql.NullString `json:"remote_user"` + EncryptedRedirect sql.NullString `json:"encrypted_redirect"` } type Subscription struct { diff --git a/internal/db/provider_access_tokens.sql.go b/internal/db/provider_access_tokens.sql.go index 19be8682ca..00767d68f5 100644 --- a/internal/db/provider_access_tokens.sql.go +++ b/internal/db/provider_access_tokens.sql.go @@ -11,10 +11,11 @@ import ( "time" "github.com/google/uuid" + "github.com/sqlc-dev/pqtype" ) const getAccessTokenByEnrollmentNonce = `-- name: GetAccessTokenByEnrollmentNonce :one -SELECT id, provider, project_id, owner_filter, encrypted_token, expiration_time, created_at, updated_at, enrollment_nonce FROM provider_access_tokens WHERE project_id = $1 AND enrollment_nonce = $2 +SELECT id, provider, project_id, owner_filter, encrypted_token, expiration_time, created_at, updated_at, enrollment_nonce, encrypted_access_token FROM provider_access_tokens WHERE project_id = $1 AND enrollment_nonce = $2 ` type GetAccessTokenByEnrollmentNonceParams struct { @@ -35,12 +36,13 @@ func (q *Queries) GetAccessTokenByEnrollmentNonce(ctx context.Context, arg GetAc &i.CreatedAt, &i.UpdatedAt, &i.EnrollmentNonce, + &i.EncryptedAccessToken, ) return i, err } const getAccessTokenByProjectID = `-- name: GetAccessTokenByProjectID :one -SELECT id, provider, project_id, owner_filter, encrypted_token, expiration_time, created_at, updated_at, enrollment_nonce FROM provider_access_tokens WHERE provider = $1 AND project_id = $2 +SELECT id, provider, project_id, owner_filter, encrypted_token, expiration_time, created_at, updated_at, enrollment_nonce, encrypted_access_token FROM provider_access_tokens WHERE provider = $1 AND project_id = $2 ` type GetAccessTokenByProjectIDParams struct { @@ -61,12 +63,13 @@ func (q *Queries) GetAccessTokenByProjectID(ctx context.Context, arg GetAccessTo &i.CreatedAt, &i.UpdatedAt, &i.EnrollmentNonce, + &i.EncryptedAccessToken, ) return i, err } const getAccessTokenByProvider = `-- name: GetAccessTokenByProvider :many -SELECT id, provider, project_id, owner_filter, encrypted_token, expiration_time, created_at, updated_at, enrollment_nonce FROM provider_access_tokens WHERE provider = $1 +SELECT id, provider, project_id, owner_filter, encrypted_token, expiration_time, created_at, updated_at, enrollment_nonce, encrypted_access_token FROM provider_access_tokens WHERE provider = $1 ` func (q *Queries) GetAccessTokenByProvider(ctx context.Context, provider string) ([]ProviderAccessToken, error) { @@ -88,6 +91,7 @@ func (q *Queries) GetAccessTokenByProvider(ctx context.Context, provider string) &i.CreatedAt, &i.UpdatedAt, &i.EnrollmentNonce, + &i.EncryptedAccessToken, ); err != nil { return nil, err } @@ -103,7 +107,7 @@ func (q *Queries) GetAccessTokenByProvider(ctx context.Context, provider string) } const getAccessTokenSinceDate = `-- name: GetAccessTokenSinceDate :one -SELECT id, provider, project_id, owner_filter, encrypted_token, expiration_time, created_at, updated_at, enrollment_nonce FROM provider_access_tokens WHERE provider = $1 AND project_id = $2 AND updated_at >= $3 +SELECT id, provider, project_id, owner_filter, encrypted_token, expiration_time, created_at, updated_at, enrollment_nonce, encrypted_access_token FROM provider_access_tokens WHERE provider = $1 AND project_id = $2 AND updated_at >= $3 ` type GetAccessTokenSinceDateParams struct { @@ -125,33 +129,36 @@ func (q *Queries) GetAccessTokenSinceDate(ctx context.Context, arg GetAccessToke &i.CreatedAt, &i.UpdatedAt, &i.EnrollmentNonce, + &i.EncryptedAccessToken, ) return i, err } const upsertAccessToken = `-- name: UpsertAccessToken :one INSERT INTO provider_access_tokens -(project_id, provider, encrypted_token, expiration_time, owner_filter, enrollment_nonce) +(project_id, provider, encrypted_token, expiration_time, owner_filter, enrollment_nonce, encrypted_access_token) VALUES - ($1, $2, $3, $4, $5, $6) + ($1, $2, $3, $4, $5, $6, $7) ON CONFLICT (project_id, provider) DO UPDATE SET encrypted_token = $3, expiration_time = $4, owner_filter = $5, enrollment_nonce = $6, - updated_at = NOW() + updated_at = NOW(), + encrypted_access_token = $7 WHERE provider_access_tokens.project_id = $1 AND provider_access_tokens.provider = $2 -RETURNING id, provider, project_id, owner_filter, encrypted_token, expiration_time, created_at, updated_at, enrollment_nonce +RETURNING id, provider, project_id, owner_filter, encrypted_token, expiration_time, created_at, updated_at, enrollment_nonce, encrypted_access_token ` type UpsertAccessTokenParams struct { - ProjectID uuid.UUID `json:"project_id"` - Provider string `json:"provider"` - EncryptedToken string `json:"encrypted_token"` - ExpirationTime time.Time `json:"expiration_time"` - OwnerFilter sql.NullString `json:"owner_filter"` - EnrollmentNonce sql.NullString `json:"enrollment_nonce"` + ProjectID uuid.UUID `json:"project_id"` + Provider string `json:"provider"` + EncryptedToken string `json:"encrypted_token"` + ExpirationTime time.Time `json:"expiration_time"` + OwnerFilter sql.NullString `json:"owner_filter"` + EnrollmentNonce sql.NullString `json:"enrollment_nonce"` + EncryptedAccessToken pqtype.NullRawMessage `json:"encrypted_access_token"` } func (q *Queries) UpsertAccessToken(ctx context.Context, arg UpsertAccessTokenParams) (ProviderAccessToken, error) { @@ -162,6 +169,7 @@ func (q *Queries) UpsertAccessToken(ctx context.Context, arg UpsertAccessTokenPa arg.ExpirationTime, arg.OwnerFilter, arg.EnrollmentNonce, + arg.EncryptedAccessToken, ) var i ProviderAccessToken err := row.Scan( @@ -174,6 +182,7 @@ func (q *Queries) UpsertAccessToken(ctx context.Context, arg UpsertAccessTokenPa &i.CreatedAt, &i.UpdatedAt, &i.EnrollmentNonce, + &i.EncryptedAccessToken, ) return i, err } diff --git a/internal/db/querier.go b/internal/db/querier.go index 43579a968b..b8388fe365 100644 --- a/internal/db/querier.go +++ b/internal/db/querier.go @@ -43,7 +43,6 @@ type Querier interface { // but locks the table before doing so. DeleteRuleStatusesForProfileAndRuleType(ctx context.Context, arg DeleteRuleStatusesForProfileAndRuleTypeParams) error DeleteRuleType(ctx context.Context, id uuid.UUID) error - DeleteSessionState(ctx context.Context, id int32) error DeleteSessionStateByProjectID(ctx context.Context, arg DeleteSessionStateByProjectIDParams) error DeleteUser(ctx context.Context, id int32) error EnqueueFlush(ctx context.Context, arg EnqueueFlushParams) (FlushCache, error) diff --git a/internal/db/session_store.sql.go b/internal/db/session_store.sql.go index d7f7ad2c70..043d1e3979 100644 --- a/internal/db/session_store.sql.go +++ b/internal/db/session_store.sql.go @@ -13,7 +13,7 @@ import ( ) const createSessionState = `-- name: CreateSessionState :one -INSERT INTO session_store (provider, project_id, remote_user, session_state, owner_filter, redirect_url) VALUES ($1, $2, $3, $4, $5, $6) RETURNING id, provider, project_id, port, owner_filter, session_state, created_at, redirect_url, remote_user +INSERT INTO session_store (provider, project_id, remote_user, session_state, owner_filter, redirect_url) VALUES ($1, $2, $3, $4, $5, $6) RETURNING id, provider, project_id, port, owner_filter, session_state, created_at, redirect_url, remote_user, encrypted_redirect ` type CreateSessionStateParams struct { @@ -45,6 +45,7 @@ func (q *Queries) CreateSessionState(ctx context.Context, arg CreateSessionState &i.CreatedAt, &i.RedirectUrl, &i.RemoteUser, + &i.EncryptedRedirect, ) return i, err } @@ -58,15 +59,6 @@ func (q *Queries) DeleteExpiredSessionStates(ctx context.Context) error { return err } -const deleteSessionState = `-- name: DeleteSessionState :exec -DELETE FROM session_store WHERE id = $1 -` - -func (q *Queries) DeleteSessionState(ctx context.Context, id int32) error { - _, err := q.db.ExecContext(ctx, deleteSessionState, id) - return err -} - const deleteSessionStateByProjectID = `-- name: DeleteSessionStateByProjectID :exec DELETE FROM session_store WHERE provider = $1 AND project_id = $2 ` diff --git a/internal/verifier/verifyif/mock/verifyif.go b/internal/verifier/verifyif/mock/verifyif.go index 4d24f399d2..9b78126c06 100644 --- a/internal/verifier/verifyif/mock/verifyif.go +++ b/internal/verifier/verifyif/mock/verifyif.go @@ -41,31 +41,31 @@ func (m *MockArtifactVerifier) EXPECT() *MockArtifactVerifierMockRecorder { } // Verify mocks base method. -func (m *MockArtifactVerifier) Verify(ctx context.Context, artifactType verifyif.ArtifactType, owner, name, version string) ([]verifyif.Result, error) { +func (m *MockArtifactVerifier) Verify(ctx context.Context, artifactType verifyif.ArtifactType, owner, name, checksumref string) ([]verifyif.Result, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "Verify", ctx, artifactType, owner, name, version) + ret := m.ctrl.Call(m, "Verify", ctx, artifactType, owner, name, checksumref) ret0, _ := ret[0].([]verifyif.Result) ret1, _ := ret[1].(error) return ret0, ret1 } // Verify indicates an expected call of Verify. -func (mr *MockArtifactVerifierMockRecorder) Verify(ctx, artifactType, owner, name, version any) *gomock.Call { +func (mr *MockArtifactVerifierMockRecorder) Verify(ctx, artifactType, owner, name, checksumref any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Verify", reflect.TypeOf((*MockArtifactVerifier)(nil).Verify), ctx, artifactType, owner, name, version) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Verify", reflect.TypeOf((*MockArtifactVerifier)(nil).Verify), ctx, artifactType, owner, name, checksumref) } // VerifyContainer mocks base method. -func (m *MockArtifactVerifier) VerifyContainer(ctx context.Context, owner, artifact, version string) ([]verifyif.Result, error) { +func (m *MockArtifactVerifier) VerifyContainer(ctx context.Context, owner, artifact, checksumref string) ([]verifyif.Result, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "VerifyContainer", ctx, owner, artifact, version) + ret := m.ctrl.Call(m, "VerifyContainer", ctx, owner, artifact, checksumref) ret0, _ := ret[0].([]verifyif.Result) ret1, _ := ret[1].(error) return ret0, ret1 } // VerifyContainer indicates an expected call of VerifyContainer. -func (mr *MockArtifactVerifierMockRecorder) VerifyContainer(ctx, owner, artifact, version any) *gomock.Call { +func (mr *MockArtifactVerifierMockRecorder) VerifyContainer(ctx, owner, artifact, checksumref any) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "VerifyContainer", reflect.TypeOf((*MockArtifactVerifier)(nil).VerifyContainer), ctx, owner, artifact, version) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "VerifyContainer", reflect.TypeOf((*MockArtifactVerifier)(nil).VerifyContainer), ctx, owner, artifact, checksumref) } diff --git a/pkg/api/protobuf/go/minder/v1/minder.pb.go b/pkg/api/protobuf/go/minder/v1/minder.pb.go index 372c210acd..ef6e857d6b 100644 --- a/pkg/api/protobuf/go/minder/v1/minder.pb.go +++ b/pkg/api/protobuf/go/minder/v1/minder.pb.go @@ -15,7 +15,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.34.0 +// protoc-gen-go v1.34.1 // protoc (unknown) // source: minder/v1/minder.proto