Extend DastSiteProfile model with secrets columns

What does this MR do?

Introduces new fields to dast_site_profiles that store an encrypted secret_key and an iv.

Why?

The purpose of this functionality is to allow us to securely store and use encrypted environment variables in on-demand DAST scans.

The approach taken follows the outcomes of discussions during security review.

Related Issue(s)

Database

Migration

% rails db:migrate:up VERSION=20201221055856 && rails db:migrate:up VERSION=20201222032018 && rails db:migrate:down VERSION=20201222032018 && rails db:migrate:down VERSION=20201221055856
== 20201221055856 AddSecretKeyAndIvToDastSiteProfile: migrating ===============
-- add_column(:dast_site_profiles, :encrypted_secret_key, :text)
   -> 0.0019s
-- add_column(:dast_site_profiles, :encrypted_secret_key_iv, :text, {:uniqueness=>true})
   -> 0.0003s
-- add_column(:dast_site_profiles, :encrypted_secret_key_salt, :text)
   -> 0.0003s
-- add_column(:dast_site_profiles, :secret_key_iv, :text)
   -> 0.0004s
== 20201221055856 AddSecretKeyAndIvToDastSiteProfile: migrated (0.0030s) ======

== 20201222032018 AddSecretKeyAndIvTextLimits: migrating ======================
-- transaction_open?()
   -> 0.0000s
-- current_schema()
   -> 0.0003s
-- execute("ALTER TABLE dast_site_profiles\nADD CONSTRAINT check_e21344120a\nCHECK ( char_length(encrypted_secret_key) <= 255 )\nNOT VALID;\n")
   -> 0.0041s
-- current_schema()
   -> 0.0002s
-- execute("SET statement_timeout TO 0")
   -> 0.0001s
-- execute("ALTER TABLE dast_site_profiles VALIDATE CONSTRAINT check_e21344120a;")
   -> 0.0010s
-- execute("RESET ALL")
   -> 0.0001s
-- transaction_open?()
   -> 0.0000s
-- current_schema()
   -> 0.0002s
-- execute("ALTER TABLE dast_site_profiles\nADD CONSTRAINT check_96b6e059c9\nCHECK ( char_length(encrypted_secret_key_iv) <= 255 )\nNOT VALID;\n")
   -> 0.0003s
-- current_schema()
   -> 0.0001s
-- execute("ALTER TABLE dast_site_profiles VALIDATE CONSTRAINT check_96b6e059c9;")
   -> 0.0004s
-- transaction_open?()
   -> 0.0000s
-- current_schema()
   -> 0.0002s
-- execute("ALTER TABLE dast_site_profiles\nADD CONSTRAINT check_5759507850\nCHECK ( char_length(encrypted_secret_key_salt) <= 255 )\nNOT VALID;\n")
   -> 0.0003s
-- current_schema()
   -> 0.0001s
-- execute("ALTER TABLE dast_site_profiles VALIDATE CONSTRAINT check_5759507850;")
   -> 0.0007s
-- transaction_open?()
   -> 0.0000s
-- current_schema()
   -> 0.0001s
-- execute("ALTER TABLE dast_site_profiles\nADD CONSTRAINT check_18f547a39f\nCHECK ( char_length(secret_key_iv) <= 255 )\nNOT VALID;\n")
   -> 0.0004s
-- current_schema()
   -> 0.0001s
-- execute("ALTER TABLE dast_site_profiles VALIDATE CONSTRAINT check_18f547a39f;")
   -> 0.0004s
== 20201222032018 AddSecretKeyAndIvTextLimits: migrated (0.0255s) =============

== 20201222032018 AddSecretKeyAndIvTextLimits: reverting ======================
-- execute("ALTER TABLE dast_site_profiles\nDROP CONSTRAINT IF EXISTS check_e21344120a\n")
   -> 0.0008s
-- execute("ALTER TABLE dast_site_profiles\nDROP CONSTRAINT IF EXISTS check_96b6e059c9\n")
   -> 0.0003s
-- execute("ALTER TABLE dast_site_profiles\nDROP CONSTRAINT IF EXISTS check_5759507850\n")
   -> 0.0003s
-- execute("ALTER TABLE dast_site_profiles\nDROP CONSTRAINT IF EXISTS check_18f547a39f\n")
   -> 0.0003s
== 20201222032018 AddSecretKeyAndIvTextLimits: reverted (0.0087s) =============

== 20201221055856 AddSecretKeyAndIvToDastSiteProfile: reverting ===============
-- remove_column(:dast_site_profiles, :secret_key_iv, :text)
   -> 0.0012s
-- remove_column(:dast_site_profiles, :encrypted_secret_key_salt, :text)
   -> 0.0003s
-- remove_column(:dast_site_profiles, :encrypted_secret_key_iv, :text, {:uniqueness=>true})
   -> 0.0003s
-- remove_column(:dast_site_profiles, :encrypted_secret_key, :text)
   -> 0.0002s
== 20201221055856 AddSecretKeyAndIvToDastSiteProfile: reverted (0.0037s) ======

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Philip Cunningham
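
An added sketch (not code from this MR or from GitLab) of how one row's encrypted_secret_key, encrypted_secret_key_iv and encrypted_secret_key_salt values could be produced and read back while respecting the 255-character check constraints from the migration. The cipher (AES-256-GCM), the PBKDF2 key derivation, the Base64 encoding, the master key and the `SecretColumns` module are assumptions; the page does not state them.

```ruby
require "openssl"
require "base64"

# Hypothetical helper, not GitLab's code. Column names come from the migration
# output on this page; cipher, KDF and master-key handling are assumptions.
module SecretColumns
  LIMIT = 255 # mirrors the char_length(...) <= 255 check constraints

  # Derive a per-row key from a master key and the row's salt (assumed KDF).
  def self.derive_key(master_key, salt)
    OpenSSL::KDF.pbkdf2_hmac(master_key, salt: salt, iterations: 10_000,
                             length: 32, hash: "sha256")
  end

  # Returns a hash of column name => Base64 text for one row.
  def self.encrypt(master_key, plaintext)
    salt = OpenSSL::Random.random_bytes(16)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    cipher.key = derive_key(master_key, salt)
    iv = cipher.random_iv # fresh 12-byte IV per row; never reused under one key
    cipher.auth_data = ""
    ciphertext = cipher.update(plaintext) + cipher.final
    row = {
      encrypted_secret_key: Base64.strict_encode64(ciphertext + cipher.auth_tag),
      encrypted_secret_key_iv: Base64.strict_encode64(iv),
      encrypted_secret_key_salt: Base64.strict_encode64(salt)
    }
    # Fail in the application instead of on the database check constraint.
    too_long = row.select { |_, v| v.length > LIMIT }.keys
    raise ArgumentError, "exceeds #{LIMIT} chars: #{too_long.join(', ')}" unless too_long.empty?
    row
  end

  # Raises OpenSSL::Cipher::CipherError if any stored column was altered.
  def self.decrypt(master_key, row)
    raw = Base64.strict_decode64(row[:encrypted_secret_key])
    cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    cipher.key = derive_key(master_key, Base64.strict_decode64(row[:encrypted_secret_key_salt]))
    cipher.iv = Base64.strict_decode64(row[:encrypted_secret_key_iv])
    cipher.auth_tag = raw[-16, 16] # the 16-byte GCM tag was appended on encrypt
    cipher.auth_data = ""
    cipher.update(raw[0...-16]) + cipher.final
  end
end
```

Under these assumptions the 255-character limit caps the stored secret at 173 bytes, because Base64 of the ciphertext plus the 16-byte tag must fit in the column.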