forgejo/models/forgejo_migrations/v39.go

// Copyright 2025 The Forgejo Authors. All rights reserved.
// SPDX-License-Identifier: GPL-3.0-or-later

package forgejo_migrations

import (
	"context"
	"fmt"

	"forgejo.org/models/db"
	secret_model "forgejo.org/models/secret"
	"forgejo.org/modules/log"
	"forgejo.org/modules/secret"
	"forgejo.org/modules/setting"

	"xorm.io/xorm"
	"xorm.io/xorm/schemas"
)

func MigrateActionSecretsToKeying(x *xorm.Engine) error {
	return db.WithTx(db.DefaultContext, func(ctx context.Context) error {
		sess := db.GetEngine(ctx)

		switch x.Dialect().URI().DBType {
		case schemas.MYSQL:
			if _, err := sess.Exec("ALTER TABLE `secret` MODIFY `data` BLOB"); err != nil {
				return err
			}
		case schemas.SQLITE:
			if _, err := sess.Exec("ALTER TABLE `secret` RENAME COLUMN `data` TO `data_backup`"); err != nil {
				return err
			}
			if _, err := sess.Exec("ALTER TABLE `secret` ADD COLUMN `data` BLOB"); err != nil {
				return err
			}
			if _, err := sess.Exec("UPDATE `secret` SET `data` = `data_backup`"); err != nil {
				return err
			}
			if _, err := sess.Exec("ALTER TABLE `secret` DROP COLUMN `data_backup`"); err != nil {
				return err
			}
		case schemas.POSTGRES:
			if _, err := sess.Exec("ALTER TABLE `secret` ALTER COLUMN `data` SET DATA TYPE bytea USING data::text::bytea"); err != nil {
				return err
			}
		}

		oldEncryptionKey := setting.SecretKey

		messages := make([]string, 0, 100)
		ids := make([]int64, 0, 100)

		err := db.Iterate(ctx, nil, func(ctx context.Context, bean *secret_model.Secret) error {
			secretBytes, err := secret.DecryptSecret(oldEncryptionKey, string(bean.Data))
			if err != nil {
				messages = append(messages, fmt.Sprintf("secret.id=%d, secret.name=%q, secret.repo_id=%d, secret.owner_id=%d: secret.DecryptSecret(): %v", bean.ID, bean.Name, bean.RepoID, bean.OwnerID, err))
				ids = append(ids, bean.ID)
				return nil
			}

			bean.SetSecret(secretBytes)
			_, err = sess.Cols("data").ID(bean.ID).Update(bean)
			return err
		})

		if err == nil {
			if len(ids) > 0 {
				log.Error("Forgejo migration[37]: The following action secrets were found to be corrupted and removed from the database.")
				for _, message := range messages {
					log.Error("Forgejo migration[37]: %s", message)
				}

				_, err = sess.In("id", ids).NoAutoCondition().NoAutoTime().Delete(&secret_model.Secret{})
			}
		}
		return err
	})
}
feat: migrate action secrets to `keying` to store them more securely (#8692) - Use the keying module, that was introduced in forgejo/forgejo#5041, to store action secrets safely and securely in the database. - Introduce a central function that sets the secret, `SetSecret` and let the caller do the update call. This is similar to how the twofactor (TOTP) models does it. Ref. https://codeberg.org/forgejo/forgejo/pulls/6074 - Add a relaxed migration, that is run inside a transaction. If it cannot decrypt a action secret, then it's deleted. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8692 Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org> Co-authored-by: Gusted <postmaster@gusted.xyz> Co-committed-by: Gusted <postmaster@gusted.xyz> 2025-07-29 01:03:36 +02:00			`// Copyright 2025 The Forgejo Authors. All rights reserved.`
			`// SPDX-License-Identifier: GPL-3.0-or-later`

			`package forgejo_migrations`

			`import (`
			`"context"`
			`"fmt"`

			`"forgejo.org/models/db"`
			`secret_model "forgejo.org/models/secret"`
			`"forgejo.org/modules/log"`
			`"forgejo.org/modules/secret"`
			`"forgejo.org/modules/setting"`

			`"xorm.io/xorm"`
			`"xorm.io/xorm/schemas"`
			`)`

			`func MigrateActionSecretsToKeying(x *xorm.Engine) error {`
			`return db.WithTx(db.DefaultContext, func(ctx context.Context) error {`
			`sess := db.GetEngine(ctx)`

			`switch x.Dialect().URI().DBType {`
			`case schemas.MYSQL:`
			if _, err := sess.Exec("ALTER TABLE `secret` MODIFY `data` BLOB"); err != nil {
			`return err`
			`}`
			`case schemas.SQLITE:`
			if _, err := sess.Exec("ALTER TABLE `secret` RENAME COLUMN `data` TO `data_backup`"); err != nil {
			`return err`
			`}`
			if _, err := sess.Exec("ALTER TABLE `secret` ADD COLUMN `data` BLOB"); err != nil {
			`return err`
			`}`
			if _, err := sess.Exec("UPDATE `secret` SET `data` = `data_backup`"); err != nil {
			`return err`
			`}`
			if _, err := sess.Exec("ALTER TABLE `secret` DROP COLUMN `data_backup`"); err != nil {
			`return err`
			`}`
			`case schemas.POSTGRES:`
			if _, err := sess.Exec("ALTER TABLE `secret` ALTER COLUMN `data` SET DATA TYPE bytea USING data::text::bytea"); err != nil {
			`return err`
			`}`
			`}`

			`oldEncryptionKey := setting.SecretKey`

			`messages := make([]string, 0, 100)`
			`ids := make([]int64, 0, 100)`

			`err := db.Iterate(ctx, nil, func(ctx context.Context, bean *secret_model.Secret) error {`
			`secretBytes, err := secret.DecryptSecret(oldEncryptionKey, string(bean.Data))`
			`if err != nil {`
			`messages = append(messages, fmt.Sprintf("secret.id=%d, secret.name=%q, secret.repo_id=%d, secret.owner_id=%d: secret.DecryptSecret(): %v", bean.ID, bean.Name, bean.RepoID, bean.OwnerID, err))`
			`ids = append(ids, bean.ID)`
			`return nil`
			`}`

			`bean.SetSecret(secretBytes)`
			`_, err = sess.Cols("data").ID(bean.ID).Update(bean)`
			`return err`
			`})`

			`if err == nil {`
			`if len(ids) > 0 {`
			`log.Error("Forgejo migration[37]: The following action secrets were found to be corrupted and removed from the database.")`
			`for _, message := range messages {`
			`log.Error("Forgejo migration[37]: %s", message)`
			`}`

			`_, err = sess.In("id", ids).NoAutoCondition().NoAutoTime().Delete(&secret_model.Secret{})`
			`}`
			`}`
			`return err`
			`})`
			`}`