From c7a39ffa911f06ae60cc22ac237b6e82522a93b8 Mon Sep 17 00:00:00 2001
From: Grzegorz Bizon
Date: Wed, 21 Nov 2018 12:35:40 +0100
Subject: [PATCH] Schedule background migration for encrypting runners tokens
---
...11200_schedule_runners_token_encryption.rb | 38 +++++++++++++++++++
db/schema.rb | 2 +-
.../encrypt_runners_tokens.rb | 20 ++++++++++
3 files changed, 59 insertions(+), 1 deletion(-)
create mode 100644 db/post_migrate/20181121111200_schedule_runners_token_encryption.rb
create mode 100644 lib/gitlab/background_migration/encrypt_runners_tokens.rb
diff --git a/db/post_migrate/20181121111200_schedule_runners_token_encryption.rb b/db/post_migrate/20181121111200_schedule_runners_token_encryption.rb
new file mode 100644
index 00000000000..33403610d8e
--- /dev/null
+++ b/db/post_migrate/20181121111200_schedule_runners_token_encryption.rb
@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+class ScheduleRunnersTokenEncryption < ActiveRecord::Migration
+ include Gitlab::Database::MigrationHelpers
+
+ DOWNTIME = false
+ BATCH_SIZE = 10000
+ RANGE_SIZE = 100
+ MIGRATION = 'EncryptRunnersTokens'
+
+ MODELS = [
+ ::Gitlab::BackgroundMigration::Models::EncryptColumns::Settings,
+ ::Gitlab::BackgroundMigration::Models::EncryptColumns::Namespace,
+ ::Gitlab::BackgroundMigration::Models::EncryptColumns::Project,
+ ::Gitlab::BackgroundMigration::Models::EncryptColumns::Runner
+ ].freeze
+
+ disable_ddl_transaction!
+
+ def up
+ MODELS.each do |model|
+ model.each_batch(of: BATCH_SIZE) do |relation, index|
+ delay = index * 2.minutes
+
+ relation.each_batch(of: RANGE_SIZE) do |relation|
+ range = relation.pluck('MIN(id)', 'MAX(id)').first
+ args = [model, model.encrypted_attributes.keys, *range]
+
+ BackgroundMigrationWorker.perform_in(delay, MIGRATION, args)
+ end
+ end
+ end
+ end
+
+ def down
+ # no-op
+ end
+end
diff --git a/db/schema.rb b/db/schema.rb
index b8875837471..43415954f18 100644
--- a/db/schema.rb
+++ b/db/schema.rb
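Review bot: In `up`, `args = [model, model.encrypted_attributes.keys, *range]` hands a class constant to `BackgroundMigrationWorker.perform_in`; job arguments are serialized before they are queued, so the job most likely receives a string that its consumer has to turn back into a class. Passing the name explicitly, `args = [model.name, model.encrypted_attributes.keys, *range]`, makes that contract visible. The job's `perform` is not shown in this patch; it should resolve the name against a fixed list of models rather than constantizing whatever string arrives from Redis. Separately, the inner block parameter `|relation|` shadows the outer one, and renaming it (for example `|sub_relation|`) removes the ambiguity.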
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
-ActiveRecord::Schema.define(version: 20181121101802) do
+ActiveRecord::Schema.define(version: 20181121111200) do
 # These are extensions that must be enabled in order to support this database
 enable_extension "plpgsql"
diff --git a/lib/gitlab/background_migration/encrypt_runners_tokens.rb b/lib/gitlab/background_migration/encrypt_runners_tokens.rb
new file mode 100644
index 00000000000..4647301f1a9
--- /dev/null
+++ b/lib/gitlab/background_migration/encrypt_runners_tokens.rb
@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Gitlab
+ module BackgroundMigration
+ # EncryptColumn migrates data from an unencrypted column - `foo`, say - to
+ # an encrypted column - `encrypted_foo`, say.
+ #
+ # We only create a subclass here because we want to isolate this migration
+ # (migrating unencrypted runner registration tokens to encrypted columns)
+ # from other `EncryptColumns` migration. This class name is going to be
+ # serialized and stored in Redis and later picked by Sidekiq, so we need to
+ # create a separate class name in order to isolate these migration tasks.
+ #
+ # We can solve this differently, see tech debt issue:
+ #
+ # https://gitlab.com/gitlab-org/gitlab-ce/issues/54328
+ #
+ class EncryptRunnersTokens < EncryptColumns; end
+ end
+end
-- GitLab
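Review bot: The class comment on `EncryptRunnersTokens` explains why the subclass exists but not what happens to the plaintext token columns once a row has been copied to its encrypted column. An operator needs that to judge whether registration tokens are still readable from the database or its backups after the jobs finish. That behaviour lives in `EncryptColumns`, which this patch does not show, so the comment should state it or point there, e.g. `# Whether the plaintext column is cleared afterwards is decided by EncryptColumns.` The first comment line also says `EncryptColumn` where the parent class is `EncryptColumns`, and "from other `EncryptColumns` migration" should read "migrations".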