author | E99p1ant <i@github.red> | 2022-06-05 13:34:21 +0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-06-05 13:34:21 +0800 |
commit | a328e7ccc4f94e19cddfe5894636228663f5c7fa (patch) | |
tree | 34d827770f004a40eb8dc1feb44109e63452d5a0 /internal/db/migrations | |
parent | 155cae1de8916fc3fde78f350763034b7422caee (diff) |
access_token: encrypt access token with SHA256 (#7008)
* access_token: hash access token with SHA-256 (the stored value is a one-way digest, not an encrypted token)
* revert list access token
* fix lint
* generate schemadoc
* add database migrations
* fix tests
* fix tests
* add test case for access token golden
* fix test in postgres
* `Sha256` -> `SHA256`
* Use GORM for migration
* task generate-schemadoc
* Use unique
* change migration name
* allow read
* task generate-schemadoc
* add changelog
* fix lint error
* update changelog
* remove Debug
* add comments
Co-authored-by: Joe Chen <jc@unknwon.io>
Diffstat (limited to 'internal/db/migrations')
-rw-r--r-- | internal/db/migrations/migrations.go | 20 | ||||
-rw-r--r-- | internal/db/migrations/v20.go | 54 |
2 files changed, 66 insertions, 8 deletions
diff --git a/internal/db/migrations/migrations.go b/internal/db/migrations/migrations.go
index ad62fb15..1e89883f 100644
--- a/internal/db/migrations/migrations.go
+++ b/internal/db/migrations/migrations.go
@@ -7,6 +7,7 @@ package migrations
 import (
 	"fmt"
+	"gorm.io/gorm"
 	log "unknwon.dev/clog/v2"
 	"xorm.io/xorm"
 )
@@ -15,15 +16,15 @@ const minDBVersion = 19
 type Migration interface {
 	Description() string
-	Migrate(*xorm.Engine) error
+	Migrate(*gorm.DB) error
 }
 type migration struct {
 	description string
-	migrate     func(*xorm.Engine) error
+	migrate     func(*gorm.DB) error
 }
-func NewMigration(desc string, fn func(*xorm.Engine) error) Migration {
+func NewMigration(desc string, fn func(*gorm.DB) error) Migration {
 	return &migration{desc, fn}
 }
@@ -31,11 +32,11 @@ func (m *migration) Description() string {
 	return m.description
 }
-func (m *migration) Migrate(x *xorm.Engine) error {
-	return m.migrate(x)
+func (m *migration) Migrate(db *gorm.DB) error {
+	return m.migrate(db)
 }
-// The version table. Should have only one row with id==1
+// Version represents the version table. It should have only one row with `id == 1`.
 type Version struct {
 	ID      int64
 	Version int64
@@ -52,10 +53,13 @@ var migrations = []Migration{
 	// Add new migration here, example:
 	// v18 -> v19:v0.11.55
 	// NewMigration("clean unlinked webhook and hook_tasks", cleanUnlinkedWebhookAndHookTasks),
+
+	// v19 -> v20:v0.13.0
+	NewMigration("migrate access tokens to store SHA56", migrateAccessTokenToSHA256),
 }
 // Migrate database to current version
-func Migrate(x *xorm.Engine) error {
+func Migrate(x *xorm.Engine, db *gorm.DB) error {
 	if err := x.Sync(new(Version)); err != nil {
 		return fmt.Errorf("sync: %v", err)
 	}
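Review bot: The new entry in the `migrations` slice carries a typo in its description, `"migrate access tokens to store SHA56"`, and that string is what `Migrate` logs for each step (`log.Info("Migration: %s", m.Description())`), so operators reading the startup log will see the wrong algorithm name. Change it to `NewMigration("migrate access tokens to store SHA256", migrateAccessTokenToSHA256),`. The `Migrate` function whose signature this hunk changes continues past the end of the hunk.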
@@ -112,7 +116,7 @@ In case you're stilling getting this notice, go through instructions again until
 	}
 	for i, m := range migrations[v-minDBVersion:] {
 		log.Info("Migration: %s", m.Description())
-		if err = m.Migrate(x); err != nil {
+		if err = m.Migrate(db); err != nil {
 			return fmt.Errorf("do migrate: %v", err)
 		}
 		currentVersion.Version = v + int64(i) + 1
diff --git a/internal/db/migrations/v20.go b/internal/db/migrations/v20.go
new file mode 100644
index 00000000..28f406bb
--- /dev/null
+++ b/internal/db/migrations/v20.go
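Review bot: After this change each migration body runs on the gorm handle `db` while the version bookkeeping (`currentVersion.Version = v + int64(i) + 1` and, presumably, the write that follows outside the hunk) still goes through the xorm engine `x`, so the two are separate connections and the version bump can never be part of the migration's own transaction. If the process dies between a committed migration and the version write, the next start re-runs that migration, so every migration written against `db` must be idempotent (for example checking `Migrator().HasColumn` before `AddColumn`). A comment above the loop stating this contract, e.g. `// Migrations commit on db independently of the version row written via x; each migration must therefore be safe to re-run.`, would make the requirement visible to the next author. The enclosing `Migrate` function starts and ends outside this hunk.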
@@ -0,0 +1,54 @@
+// Copyright 2022 The Gogs Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package migrations
+
+import (
+	"github.com/pkg/errors"
+	"gorm.io/gorm"
+
+	"gogs.io/gogs/internal/cryptoutil"
+)
+
+func migrateAccessTokenToSHA256(db *gorm.DB) error {
+	return db.Transaction(func(tx *gorm.DB) error {
+		// 1. Add column without constraints because all rows have NULL values for the
+		// "sha256" column.
+		type accessToken struct {
+			ID     int64
+			Sha1   string
+			SHA256 string `gorm:"TYPE:VARCHAR(64)"`
+		}
+		err := tx.Migrator().AddColumn(&accessToken{}, "SHA256")
+		if err != nil {
+			return errors.Wrap(err, "add column")
+		}
+
+		// 2. Generate SHA256 for existing rows from their values in the "sha1" column.
+		var accessTokens []*accessToken
+		err = tx.Where("sha256 IS NULL").Find(&accessTokens).Error
+		if err != nil {
+			return errors.Wrap(err, "list")
+		}
+
+		for _, t := range accessTokens {
+			sha256 := cryptoutil.SHA256(t.Sha1)
+			err = tx.Model(&accessToken{}).Where("id = ?", t.ID).Update("sha256", sha256).Error
+			if err != nil {
+				return errors.Wrap(err, "update")
+			}
+		}
+
+		// 3. We are now safe to apply constraints to the "sha256" column.
+		type accessTokenWithConstraint struct {
+			SHA256 string `gorm:"type:VARCHAR(64);unique;not null"`
+		}
+		err = tx.Table("access_token").AutoMigrate(&accessTokenWithConstraint{})
+		if err != nil {
+			return errors.Wrap(err, "auto migrate")
+		}
+
+		return nil
+	})
+}
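Review bot: Steps 1 and 2 let gorm derive the table from the local `accessToken` model (`AddColumn(&accessToken{}, …)`, `tx.Where(…).Find(&accessTokens)`, `tx.Model(&accessToken{})`) while step 3 pins it with `tx.Table("access_token")`; unless the `*gorm.DB` handed to the migration is configured with a singular-table naming strategy (not visible here), the first two steps would address `access_tokens` and step 3 would then add a NOT NULL/UNIQUE column to a table whose rows were never backfilled. Pin the table on every step for consistency, e.g. `tx.Table("access_token").Where("sha256 IS NULL").Find(&accessTokens)` and `tx.Table("access_token").Where("id = ?", t.ID).Update("sha256", sha256)`. Note also that `cryptoutil.SHA256(t.Sha1)` hashes the stored hex SHA-1 digest rather than the original token (which is not recoverable), so the lookup path must apply the same derivation for pre-existing tokens; a comment above the loop such as `// Existing tokens cannot be recovered, so sha256 = SHA256(hex SHA-1 digest); the lookup path must derive it the same way.` would make that contract explicit. Finally, the `sha1` column and its values are left in place by this migration, so the weaker digest remains in the database until a follow-up drops it or it stops being accepted for authentication.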