Migrate unique index from MD5 to SHA256 fingerprints

What does this MR do and why?

Contributes to #358722 (closed)

Problem

We want to eventually deprecate MD5 fingerprints because they are not supported by FIPS environments.

Solution

  1. Add a unique index on the fingerprint_sha256 fields of the keys and deploy_group_keys tables.
  2. Drop the unique index from the fingerprint fields of the keys and deploy_group_keys tables.
  3. Update the Rails application validation to match the new structure.

Database

Migrate
== 20220412135446 AddUniqueFingerprintSha256IndexToKey: migrating =============
-- transaction_open?()
   -> 0.0000s
-- index_exists?(:keys, :fingerprint_sha256, {:unique=>true, :name=>"index_keys_on_fingerprint_sha256_unique", :algorithm=>:concurrently})
   -> 0.0051s
-- execute("SET statement_timeout TO 0")
   -> 0.0005s
-- add_index(:keys, :fingerprint_sha256, {:unique=>true, :name=>"index_keys_on_fingerprint_sha256_unique", :algorithm=>:concurrently})
   -> 0.0034s
-- execute("RESET statement_timeout")
   -> 0.0006s
-- transaction_open?()
   -> 0.0000s
-- indexes(:keys)
   -> 0.0030s
-- remove_index(:keys, {:algorithm=>:concurrently, :name=>"index_keys_on_fingerprint_sha256"})
   -> 0.0026s
== 20220412135446 AddUniqueFingerprintSha256IndexToKey: migrated (0.0244s) ====

== 20220412140446 AddUniqueFingerprintSha256IndexToGroupDeployKey: migrating ==
-- transaction_open?()
   -> 0.0000s
-- index_exists?(:group_deploy_keys, :fingerprint_sha256, {:unique=>true, :name=>"index_group_deploy_keys_on_fingerprint_sha256_unique", :algorithm=>:concurrently})
   -> 0.0020s
-- add_index(:group_deploy_keys, :fingerprint_sha256, {:unique=>true, :name=>"index_group_deploy_keys_on_fingerprint_sha256_unique", :algorithm=>:concurrently})
   -> 0.0025s
-- transaction_open?()
   -> 0.0000s
-- indexes(:group_deploy_keys)
   -> 0.0018s
-- remove_index(:group_deploy_keys, {:algorithm=>:concurrently, :name=>"index_group_deploy_keys_on_fingerprint_sha256"})
   -> 0.0017s
== 20220412140446 AddUniqueFingerprintSha256IndexToGroupDeployKey: migrated (0.0123s)

== 20220412140755 DropUniqueFingerprintMd5IndexFromKey: migrating =============
-- transaction_open?()
   -> 0.0000s
-- indexes(:keys)
   -> 0.0025s
-- remove_index(:keys, {:algorithm=>:concurrently, :name=>"index_keys_on_fingerprint"})
   -> 0.0017s
-- transaction_open?()
   -> 0.0000s
-- index_exists?(:keys, :fingerprint, {:name=>"index_keys_on_fingerprint", :algorithm=>:concurrently})
   -> 0.0023s
-- add_index(:keys, :fingerprint, {:name=>"index_keys_on_fingerprint", :algorithm=>:concurrently})
   -> 0.0018s
== 20220412140755 DropUniqueFingerprintMd5IndexFromKey: migrated (0.0125s) ====

== 20220412141020 DropUniqueFingerprintMd5IndexFromGroupDeployKey: migrating ==
-- transaction_open?()
   -> 0.0000s
-- indexes(:group_deploy_keys)
   -> 0.0016s
-- remove_index(:group_deploy_keys, {:algorithm=>:concurrently, :name=>"index_group_deploy_keys_on_fingerprint"})
   -> 0.0019s
-- transaction_open?()
   -> 0.0000s
-- index_exists?(:group_deploy_keys, :fingerprint, {:name=>"index_group_deploy_keys_on_fingerprint", :algorithm=>:concurrently})
   -> 0.0015s
-- add_index(:group_deploy_keys, :fingerprint, {:name=>"index_group_deploy_keys_on_fingerprint", :algorithm=>:concurrently})
   -> 0.0016s
== 20220412141020 DropUniqueFingerprintMd5IndexFromGroupDeployKey: migrated (0.0109s)

Rollback
== 20220412141020 DropUniqueFingerprintMd5IndexFromGroupDeployKey: reverting ==
-- transaction_open?()
   -> 0.0000s
-- indexes(:group_deploy_keys)
   -> 0.0030s
-- execute("SET statement_timeout TO 0")
   -> 0.0005s
-- remove_index(:group_deploy_keys, {:algorithm=>:concurrently, :name=>"index_group_deploy_keys_on_fingerprint"})
   -> 0.0025s
-- execute("RESET statement_timeout")
   -> 0.0005s
-- transaction_open?()
   -> 0.0000s
-- index_exists?(:group_deploy_keys, :fingerprint, {:unique=>true, :name=>"index_group_deploy_keys_on_fingerprint", :algorithm=>:concurrently})
   -> 0.0014s
-- add_index(:group_deploy_keys, :fingerprint, {:unique=>true, :name=>"index_group_deploy_keys_on_fingerprint", :algorithm=>:concurrently})
   -> 0.0033s
== 20220412141020 DropUniqueFingerprintMd5IndexFromGroupDeployKey: reverted (0.0218s)

== 20220412140755 DropUniqueFingerprintMd5IndexFromKey: reverting =============
-- transaction_open?()
   -> 0.0000s
-- indexes(:keys)
   -> 0.0030s
-- remove_index(:keys, {:algorithm=>:concurrently, :name=>"index_keys_on_fingerprint"})
   -> 0.0024s
-- transaction_open?()
   -> 0.0000s
-- index_exists?(:keys, :fingerprint, {:unique=>true, :name=>"index_keys_on_fingerprint", :algorithm=>:concurrently})
   -> 0.0022s
-- add_index(:keys, :fingerprint, {:unique=>true, :name=>"index_keys_on_fingerprint", :algorithm=>:concurrently})
   -> 0.0018s
== 20220412140755 DropUniqueFingerprintMd5IndexFromKey: reverted (0.0138s) ====

== 20220412140446 AddUniqueFingerprintSha256IndexToGroupDeployKey: reverting ==
-- transaction_open?()
   -> 0.0000s
-- index_exists?(:group_deploy_keys, :fingerprint_sha256, {:name=>"index_group_deploy_keys_on_fingerprint_sha256", :algorithm=>:concurrently})
   -> 0.0031s
-- add_index(:group_deploy_keys, :fingerprint_sha256, {:name=>"index_group_deploy_keys_on_fingerprint_sha256", :algorithm=>:concurrently})
   -> 0.0019s
-- transaction_open?()
   -> 0.0000s
-- indexes(:group_deploy_keys)
   -> 0.0018s
-- remove_index(:group_deploy_keys, {:algorithm=>:concurrently, :name=>"index_group_deploy_keys_on_fingerprint_sha256_unique"})
   -> 0.0017s
== 20220412140446 AddUniqueFingerprintSha256IndexToGroupDeployKey: reverted (0.0134s)

== 20220412135446 AddUniqueFingerprintSha256IndexToKey: reverting =============
-- transaction_open?()
   -> 0.0000s
-- index_exists?(:keys, :fingerprint_sha256, {:name=>"index_keys_on_fingerprint_sha256", :algorithm=>:concurrently})
   -> 0.0033s
-- add_index(:keys, :fingerprint_sha256, {:name=>"index_keys_on_fingerprint_sha256", :algorithm=>:concurrently})
   -> 0.0024s
-- transaction_open?()
   -> 0.0000s
-- indexes(:keys)
   -> 0.0023s
-- remove_index(:keys, {:algorithm=>:concurrently, :name=>"index_keys_on_fingerprint_sha256_unique"})
   -> 0.0023s
== 20220412135446 AddUniqueFingerprintSha256IndexToKey: reverted (0.0151s) ====

How to verify

  1. Visit Edit profile -> SSH keys page
  2. Try to add the same SSH key twice
  3. You should see an error

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Vasilii Iakliushin
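
The fingerprints and the uniqueness rule described above, as an added example that is not part of the merge request or GitLab's code: it derives both fingerprint formats from an OpenSSH public key line, rejects a second copy of the same key by its SHA256 fingerprint, and audits existing rows before a unique index is built. `sample_key_line`, `KeyStore` and `audit` are hypothetical names, the key material is constructed, and the audit assumes some rows may not have `fingerprint_sha256` populated.

```ruby
require 'digest'
require 'base64'

# Constructed sample input: an ssh-ed25519 public key line built from a seed.
# The 32 key bytes are a hash of the seed, not a real key.
def sample_key_line(seed, comment)
  raw = Digest::SHA256.digest(seed)
  blob = ['ssh-ed25519', raw].map { |s| [s.bytesize].pack('N') + s }.join
  "ssh-ed25519 #{Base64.strict_encode64(blob)} #{comment}"
end

# Decode the key blob; the comment field is ignored, so it cannot affect the fingerprint.
def key_blob(line)
  type, b64, = line.split(' ', 3)
  blob = Base64.strict_decode64(b64)
  raise ArgumentError, 'key type does not match blob' unless blob[4, blob.unpack1('N')] == type
  blob
end

# OpenSSH-style SHA256 fingerprint: unpadded base64 of SHA-256 over the blob.
def fingerprint_sha256(line)
  'SHA256:' + Base64.strict_encode64(Digest::SHA256.digest(key_blob(line))).delete('=')
end

# Legacy MD5 fingerprint: colon-separated hex of MD5 over the same blob.
def fingerprint_md5(line)
  Digest::MD5.hexdigest(key_blob(line)).scan(/../).join(':')
end

# Hypothetical stand-in for the unique index plus model validation (not GitLab's code).
class KeyStore
  def initialize
    @by_sha256 = {}
  end

  def add(line)
    fp = fingerprint_sha256(line)
    raise ArgumentError, "fingerprint has already been taken: #{fp}" if @by_sha256.key?(fp)
    @by_sha256[fp] = line
    fp
  end
end

# Audit existing rows before creating the unique index: duplicates would make index
# creation fail; NULL values are never compared by a default PostgreSQL unique index.
def audit(rows)
  filled, missing = rows.partition { |r| r[:fingerprint_sha256] }
  dups = filled.group_by { |r| r[:fingerprint_sha256] }.select { |_, g| g.size > 1 }
  { duplicates: dups.values.map { |g| g.map { |r| r[:id] } }, missing: missing.map { |r| r[:id] } }
end
```

Rows reported under `missing` are the ones to backfill first, since only the non-unique MD5 index would still cover them after the switch.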