Migrate unique index from MD5 to SHA256 fingerprints
What does this MR do and why?
Contributes to #358722 (closed)
Problem
We want to eventually deprecate MD5 fingerprints because they are not supported by FIPS environments.
Solution
- Add unique index to `fingerprint_sha256` fields to `keys` and `deploy_group_keys` tables
- Drop unique index from `fingerprint` fields from `keys` and `deploy_group_keys` tables.
- Update Rails application validation to match the new structure
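A pre-migration audit for the change described above, as an added example that is not part of this MR or GitLab's code: it computes OpenSSH-style MD5 and SHA256 fingerprints from the key blob and reports rows that would block, or escape, a unique index on `fingerprint_sha256`. The row shape, the helper names and the sample keys (structurally valid `ssh-ed25519` blobs with filler bytes) are assumptions constructed for illustration.

```ruby
require "digest"

# Decode the base64 key blob (second field of an authorized_keys-style line).
def key_blob(line)
  line.split[1].unpack1("m0") # strict base64; raises ArgumentError if malformed
end

# OpenSSH-style display formats for the two fingerprints.
def md5_fingerprint(line)
  Digest::MD5.hexdigest(key_blob(line)).scan(/../).join(":")
end

def sha256_fingerprint(line)
  "SHA256:" + [Digest::SHA256.digest(key_blob(line))].pack("m0").delete("=")
end

# Constructed sample key: a structurally valid ssh-ed25519 blob with filler bytes.
def sample_key(byte, comment)
  type = "ssh-ed25519"
  blob = [type.bytesize].pack("N") + type + [32].pack("N") + byte.chr * 32
  "#{type} #{[blob].pack('m0')} #{comment}"
end

# Hypothetical audit over rows shaped like {id:, key:, fingerprint_sha256:}.
# Duplicates are grouped on the recomputed fingerprint, so a row whose stored
# value is still NULL is caught as well.
def unique_index_blockers(rows)
  missing = rows.select { |r| r[:fingerprint_sha256].nil? }.map { |r| r[:id] }
  duplicates = rows.group_by { |r| sha256_fingerprint(r[:key]) }
                   .select { |_, group| group.size > 1 }
                   .transform_values { |group| group.map { |r| r[:id] } }
  { missing: missing, duplicates: duplicates }
end

def sample_rows
  a1 = sample_key(0x11, "alice@laptop")
  a2 = sample_key(0x11, "alice@desktop") # same key material, different comment
  b = sample_key(0x22, "bob@ci")
  [
    { id: 1, key: a1, fingerprint_sha256: sha256_fingerprint(a1) },
    { id: 2, key: a2, fingerprint_sha256: sha256_fingerprint(a2) },
    { id: 3, key: b, fingerprint_sha256: nil }, # not yet backfilled
  ]
end

p unique_index_blockers(sample_rows) if __FILE__ == $PROGRAM_NAME
```

Rows reported under `missing` matter because a PostgreSQL unique index treats NULL values as distinct by default, so keys without a stored SHA256 fingerprint are not deduplicated by the new index.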
Database
Migrate
== 20220412135446 AddUniqueFingerprintSha256IndexToKey: migrating =============
-- transaction_open?()
-> 0.0000s
-- index_exists?(:keys, :fingerprint_sha256, {:unique=>true, :name=>"index_keys_on_fingerprint_sha256_unique", :algorithm=>:concurrently})
-> 0.0051s
-- execute("SET statement_timeout TO 0")
-> 0.0005s
-- add_index(:keys, :fingerprint_sha256, {:unique=>true, :name=>"index_keys_on_fingerprint_sha256_unique", :algorithm=>:concurrently})
-> 0.0034s
-- execute("RESET statement_timeout")
-> 0.0006s
-- transaction_open?()
-> 0.0000s
-- indexes(:keys)
-> 0.0030s
-- remove_index(:keys, {:algorithm=>:concurrently, :name=>"index_keys_on_fingerprint_sha256"})
-> 0.0026s
== 20220412135446 AddUniqueFingerprintSha256IndexToKey: migrated (0.0244s) ====
== 20220412140446 AddUniqueFingerprintSha256IndexToGroupDeployKey: migrating ==
-- transaction_open?()
-> 0.0000s
-- index_exists?(:group_deploy_keys, :fingerprint_sha256, {:unique=>true, :name=>"index_group_deploy_keys_on_fingerprint_sha256_unique", :algorithm=>:concurrently})
-> 0.0020s
-- add_index(:group_deploy_keys, :fingerprint_sha256, {:unique=>true, :name=>"index_group_deploy_keys_on_fingerprint_sha256_unique", :algorithm=>:concurrently})
-> 0.0025s
-- transaction_open?()
-> 0.0000s
-- indexes(:group_deploy_keys)
-> 0.0018s
-- remove_index(:group_deploy_keys, {:algorithm=>:concurrently, :name=>"index_group_deploy_keys_on_fingerprint_sha256"})
-> 0.0017s
== 20220412140446 AddUniqueFingerprintSha256IndexToGroupDeployKey: migrated (0.0123s)
== 20220412140755 DropUniqueFingerprintMd5IndexFromKey: migrating =============
-- transaction_open?()
-> 0.0000s
-- indexes(:keys)
-> 0.0025s
-- remove_index(:keys, {:algorithm=>:concurrently, :name=>"index_keys_on_fingerprint"})
-> 0.0017s
-- transaction_open?()
-> 0.0000s
-- index_exists?(:keys, :fingerprint, {:name=>"index_keys_on_fingerprint", :algorithm=>:concurrently})
-> 0.0023s
-- add_index(:keys, :fingerprint, {:name=>"index_keys_on_fingerprint", :algorithm=>:concurrently})
-> 0.0018s
== 20220412140755 DropUniqueFingerprintMd5IndexFromKey: migrated (0.0125s) ====
== 20220412141020 DropUniqueFingerprintMd5IndexFromGroupDeployKey: migrating ==
-- transaction_open?()
-> 0.0000s
-- indexes(:group_deploy_keys)
-> 0.0016s
-- remove_index(:group_deploy_keys, {:algorithm=>:concurrently, :name=>"index_group_deploy_keys_on_fingerprint"})
-> 0.0019s
-- transaction_open?()
-> 0.0000s
-- index_exists?(:group_deploy_keys, :fingerprint, {:name=>"index_group_deploy_keys_on_fingerprint", :algorithm=>:concurrently})
-> 0.0015s
-- add_index(:group_deploy_keys, :fingerprint, {:name=>"index_group_deploy_keys_on_fingerprint", :algorithm=>:concurrently})
-> 0.0016s
== 20220412141020 DropUniqueFingerprintMd5IndexFromGroupDeployKey: migrated (0.0109s)
Rollback
== 20220412141020 DropUniqueFingerprintMd5IndexFromGroupDeployKey: reverting ==
-- transaction_open?()
-> 0.0000s
-- indexes(:group_deploy_keys)
-> 0.0030s
-- execute("SET statement_timeout TO 0")
-> 0.0005s
-- remove_index(:group_deploy_keys, {:algorithm=>:concurrently, :name=>"index_group_deploy_keys_on_fingerprint"})
-> 0.0025s
-- execute("RESET statement_timeout")
-> 0.0005s
-- transaction_open?()
-> 0.0000s
-- index_exists?(:group_deploy_keys, :fingerprint, {:unique=>true, :name=>"index_group_deploy_keys_on_fingerprint", :algorithm=>:concurrently})
-> 0.0014s
-- add_index(:group_deploy_keys, :fingerprint, {:unique=>true, :name=>"index_group_deploy_keys_on_fingerprint", :algorithm=>:concurrently})
-> 0.0033s
== 20220412141020 DropUniqueFingerprintMd5IndexFromGroupDeployKey: reverted (0.0218s)
== 20220412140755 DropUniqueFingerprintMd5IndexFromKey: reverting =============
-- transaction_open?()
-> 0.0000s
-- indexes(:keys)
-> 0.0030s
-- remove_index(:keys, {:algorithm=>:concurrently, :name=>"index_keys_on_fingerprint"})
-> 0.0024s
-- transaction_open?()
-> 0.0000s
-- index_exists?(:keys, :fingerprint, {:unique=>true, :name=>"index_keys_on_fingerprint", :algorithm=>:concurrently})
-> 0.0022s
-- add_index(:keys, :fingerprint, {:unique=>true, :name=>"index_keys_on_fingerprint", :algorithm=>:concurrently})
-> 0.0018s
== 20220412140755 DropUniqueFingerprintMd5IndexFromKey: reverted (0.0138s) ====
== 20220412140446 AddUniqueFingerprintSha256IndexToGroupDeployKey: reverting ==
-- transaction_open?()
-> 0.0000s
-- index_exists?(:group_deploy_keys, :fingerprint_sha256, {:name=>"index_group_deploy_keys_on_fingerprint_sha256", :algorithm=>:concurrently})
-> 0.0031s
-- add_index(:group_deploy_keys, :fingerprint_sha256, {:name=>"index_group_deploy_keys_on_fingerprint_sha256", :algorithm=>:concurrently})
-> 0.0019s
-- transaction_open?()
-> 0.0000s
-- indexes(:group_deploy_keys)
-> 0.0018s
-- remove_index(:group_deploy_keys, {:algorithm=>:concurrently, :name=>"index_group_deploy_keys_on_fingerprint_sha256_unique"})
-> 0.0017s
== 20220412140446 AddUniqueFingerprintSha256IndexToGroupDeployKey: reverted (0.0134s)
== 20220412135446 AddUniqueFingerprintSha256IndexToKey: reverting =============
-- transaction_open?()
-> 0.0000s
-- index_exists?(:keys, :fingerprint_sha256, {:name=>"index_keys_on_fingerprint_sha256", :algorithm=>:concurrently})
-> 0.0033s
-- add_index(:keys, :fingerprint_sha256, {:name=>"index_keys_on_fingerprint_sha256", :algorithm=>:concurrently})
-> 0.0024s
-- transaction_open?()
-> 0.0000s
-- indexes(:keys)
-> 0.0023s
-- remove_index(:keys, {:algorithm=>:concurrently, :name=>"index_keys_on_fingerprint_sha256_unique"})
-> 0.0023s
== 20220412135446 AddUniqueFingerprintSha256IndexToKey: reverted (0.0151s) ====
How to verify
- Visit `Edit profile -> SSH keys` page
- Try to add the same SSH key twice
- You should see an error
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Vasilii Iakliushin