mirror of
https://github.com/netbirdio/netbird.git
synced 2025-01-22 22:08:39 +01:00
cf6210a6f4
* Add AES-GCM encryption Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * migrate legacy encrypted data to AES-GCM encryption Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Refactor and use transaction when migrating data Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Add events migration tests Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * fix lint Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * skip migrating record on error Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Preallocate capacity for nonce to avoid allocations in Seal Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> --------- Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
158 lines
4.0 KiB
Go
158 lines
4.0 KiB
Go
package sqlite
|
|
|
|
import (
|
|
"context"
|
|
"database/sql"
|
|
"fmt"
|
|
|
|
log "github.com/sirupsen/logrus"
|
|
)
|
|
|
|
func migrate(ctx context.Context, crypt *FieldEncrypt, db *sql.DB) error {
|
|
if _, err := db.Exec(createTableQuery); err != nil {
|
|
return err
|
|
}
|
|
|
|
if _, err := db.Exec(creatTableDeletedUsersQuery); err != nil {
|
|
return err
|
|
}
|
|
|
|
if err := updateDeletedUsersTable(ctx, db); err != nil {
|
|
return fmt.Errorf("failed to update deleted_users table: %v", err)
|
|
}
|
|
|
|
return migrateLegacyEncryptedUsersToGCM(ctx, crypt, db)
|
|
}
|
|
|
|
// updateDeletedUsersTable checks and updates the deleted_users table schema to ensure required columns exist.
|
|
func updateDeletedUsersTable(ctx context.Context, db *sql.DB) error {
|
|
exists, err := checkColumnExists(db, "deleted_users", "name")
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if !exists {
|
|
log.WithContext(ctx).Debug("Adding name column to the deleted_users table")
|
|
|
|
_, err = db.Exec(`ALTER TABLE deleted_users ADD COLUMN name TEXT;`)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
log.WithContext(ctx).Debug("Successfully added name column to the deleted_users table")
|
|
}
|
|
|
|
exists, err = checkColumnExists(db, "deleted_users", "enc_algo")
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if !exists {
|
|
log.WithContext(ctx).Debug("Adding enc_algo column to the deleted_users table")
|
|
|
|
_, err = db.Exec(`ALTER TABLE deleted_users ADD COLUMN enc_algo TEXT;`)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
log.WithContext(ctx).Debug("Successfully added enc_algo column to the deleted_users table")
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// migrateLegacyEncryptedUsersToGCM migrates previously encrypted data using,
|
|
// legacy CBC encryption with a static IV to the new GCM encryption method.
|
|
func migrateLegacyEncryptedUsersToGCM(ctx context.Context, crypt *FieldEncrypt, db *sql.DB) error {
|
|
log.WithContext(ctx).Debug("Migrating CBC encrypted deleted users to GCM")
|
|
|
|
tx, err := db.Begin()
|
|
if err != nil {
|
|
return fmt.Errorf("failed to begin transaction: %v", err)
|
|
}
|
|
defer func() {
|
|
_ = tx.Rollback()
|
|
}()
|
|
|
|
rows, err := tx.Query(fmt.Sprintf(`SELECT id, email, name FROM deleted_users where enc_algo IS NULL OR enc_algo != '%s'`, gcmEncAlgo))
|
|
if err != nil {
|
|
return fmt.Errorf("failed to execute select query: %v", err)
|
|
}
|
|
defer rows.Close()
|
|
|
|
updateStmt, err := tx.Prepare(`UPDATE deleted_users SET email = ?, name = ?, enc_algo = ? WHERE id = ?`)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to prepare update statement: %v", err)
|
|
}
|
|
defer updateStmt.Close()
|
|
|
|
if err = processUserRows(ctx, crypt, rows, updateStmt); err != nil {
|
|
return err
|
|
}
|
|
|
|
if err = tx.Commit(); err != nil {
|
|
return fmt.Errorf("failed to commit transaction: %v", err)
|
|
}
|
|
|
|
log.WithContext(ctx).Debug("Successfully migrated CBC encrypted deleted users to GCM")
|
|
return nil
|
|
}
|
|
|
|
// processUserRows processes database rows of user data, decrypts legacy encryption fields, and re-encrypts them using GCM.
|
|
func processUserRows(ctx context.Context, crypt *FieldEncrypt, rows *sql.Rows, updateStmt *sql.Stmt) error {
|
|
for rows.Next() {
|
|
var (
|
|
id, decryptedEmail, decryptedName string
|
|
email, name *string
|
|
)
|
|
|
|
err := rows.Scan(&id, &email, &name)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if email != nil {
|
|
decryptedEmail, err = crypt.LegacyDecrypt(*email)
|
|
if err != nil {
|
|
log.WithContext(ctx).Warnf("skipping migrating deleted user %s: %v",
|
|
id,
|
|
fmt.Errorf("failed to decrypt email: %w", err),
|
|
)
|
|
continue
|
|
}
|
|
}
|
|
|
|
if name != nil {
|
|
decryptedName, err = crypt.LegacyDecrypt(*name)
|
|
if err != nil {
|
|
log.WithContext(ctx).Warnf("skipping migrating deleted user %s: %v",
|
|
id,
|
|
fmt.Errorf("failed to decrypt name: %w", err),
|
|
)
|
|
continue
|
|
}
|
|
}
|
|
|
|
encryptedEmail, err := crypt.Encrypt(decryptedEmail)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to encrypt email: %w", err)
|
|
}
|
|
|
|
encryptedName, err := crypt.Encrypt(decryptedName)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to encrypt name: %w", err)
|
|
}
|
|
|
|
_, err = updateStmt.Exec(encryptedEmail, encryptedName, gcmEncAlgo, id)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
if err := rows.Err(); err != nil {
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
}
|