From e6ac143bde0d5cbe107d48855b60ee61ee25c251 Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Sat, 12 Feb 2022 07:37:16 +0000 Subject: [PATCH 01/11] Increase the size of the webauthn_credential credential_id field Unfortunately credentialIDs in u2f are 255 bytes long which with base32 encoding becomes 408 bytes. The default size of a xorm string field is only a VARCHAR(255) This problem is not apparent on SQLite because strings get mapped to TEXT there. Fix #18727 Signed-off-by: Andrew Thornton --- models/migrations/v207.go | 2 +- models/migrations/v208.go | 2 +- models/migrations/v209.go | 48 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 50 insertions(+), 2 deletions(-) create mode 100644 models/migrations/v209.go diff --git a/models/migrations/v207.go b/models/migrations/v207.go index 4964a8435ce72..dca2902cd89cf 100644 --- a/models/migrations/v207.go +++ b/models/migrations/v207.go @@ -22,7 +22,7 @@ func addWebAuthnCred(x *xorm.Engine) error { Name string LowerName string `xorm:"unique(s)"` UserID int64 `xorm:"INDEX unique(s)"` - CredentialID string `xorm:"INDEX"` + CredentialID string `xorm:"INDEX VARCHAR(410)"` // CredentalID in U2F is at most 255bytes / 5 * 8 = 408 - add a few extra characters for safety PublicKey []byte AttestationType string AAGUID []byte diff --git a/models/migrations/v208.go b/models/migrations/v208.go index c1e656b98d84c..724b174187aa5 100644 --- a/models/migrations/v208.go +++ b/models/migrations/v208.go @@ -15,7 +15,7 @@ func useBase32HexForCredIDInWebAuthnCredential(x *xorm.Engine) error { // Create webauthnCredential table type webauthnCredential struct { ID int64 `xorm:"pk autoincr"` - CredentialID string `xorm:"INDEX"` + CredentialID string `xorm:"INDEX VARCHAR(410)"` } if err := x.Sync2(&webauthnCredential{}); err != nil { return err diff --git a/models/migrations/v209.go b/models/migrations/v209.go new file mode 100644 index 0000000000000..675651e86a739 --- /dev/null +++ b/models/migrations/v209.go @@ -0,0 +1,48 @@ +// Copyright 2022 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package migrations + +import ( + "xorm.io/xorm" + "xorm.io/xorm/schemas" +) + +func increaseCredentialIDTo410(x *xorm.Engine) error { + // Create webauthnCredential table + type webauthnCredential struct { + ID int64 `xorm:"pk autoincr"` + CredentialID string `xorm:"INDEX VARCHAR(410)"` + } + if err := x.Sync2(&webauthnCredential{}); err != nil { + return err + } + + switch x.Dialect().URI().DBType { + case schemas.MYSQL: + _, err := x.Exec("ALTER TABLE webauthn_credential MODIFY COLUMN content VARCHAR(410)") + if err != nil { + return err + } + case schemas.ORACLE: + _, err := x.Exec("ALTER TABLE webauthn_credential MODIFY content VARCHAR(410)") + if err != nil { + return err + } + case schemas.MSSQL: + _, err := x.Exec("ALTER TABLE webauthn_credential ALTER COLUMN content VARCHAR(410)") + if err != nil { + return err + } + case schemas.POSTGRES: + _, err := x.Exec("ALTER TABLE webauthn_credential ALTER COLUMN content TYPE VARCHAR(410)") + if err != nil { + return err + } + default: + // SQLite doesn't support ALTER COLUMN, and it seem to already makes String _TEXT_ by default so no migration needed + } + + return nil +} From d82a0fa86148e929ef5a2fc1e36f4b27c4ae8019 Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Sat, 12 Feb 2022 07:41:05 +0000 Subject: [PATCH 02/11] and add to the migration list... Signed-off-by: Andrew Thornton --- models/migrations/migrations.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/models/migrations/migrations.go b/models/migrations/migrations.go index 0aa9c7c7ea45f..bf0008f8790d4 100644 --- a/models/migrations/migrations.go +++ b/models/migrations/migrations.go @@ -370,6 +370,8 @@ var migrations = []Migration{ NewMigration("Add webauthn table and migrate u2f data to webauthn", addWebAuthnCred), // v208 -> v209 NewMigration("Use base32.HexEncoding instead of base64 encoding for cred ID as it is case insensitive", useBase32HexForCredIDInWebAuthnCredential), + // v209 -> v210 + NewMigration("Increase WebAuthentication CredentialID size to 410", increaseCredentialIDTo410), } // GetCurrentDBVersion returns the current db version From e5d049d3efb3bc0c06080a98358de45ab34d912a Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Sat, 12 Feb 2022 10:21:22 +0000 Subject: [PATCH 03/11] Remigrate and fix test Signed-off-by: Andrew Thornton --- models/migrations/v209.go | 66 ++++++++++++++++++++++++++++++++++++--- 1 file changed, 62 insertions(+), 4 deletions(-) diff --git a/models/migrations/v209.go b/models/migrations/v209.go index 675651e86a739..bad8e41fade00 100644 --- a/models/migrations/v209.go +++ b/models/migrations/v209.go @@ -5,6 +5,11 @@ package migrations import ( + "encoding/base32" + "fmt" + + "code.gitea.io/gitea/modules/timeutil" + "github.com/tstranex/u2f" "xorm.io/xorm" "xorm.io/xorm/schemas" ) @@ -13,6 +18,7 @@ func increaseCredentialIDTo410(x *xorm.Engine) error { // Create webauthnCredential table type webauthnCredential struct { ID int64 `xorm:"pk autoincr"` + UserID int64 `xorm:"INDEX unique(s)"` CredentialID string `xorm:"INDEX VARCHAR(410)"` } if err := x.Sync2(&webauthnCredential{}); err != nil { @@ -21,27 +27,79 @@ func increaseCredentialIDTo410(x *xorm.Engine) error { switch x.Dialect().URI().DBType { case schemas.MYSQL: - _, err := x.Exec("ALTER TABLE webauthn_credential MODIFY COLUMN content VARCHAR(410)") + _, err := x.Exec("ALTER TABLE webauthn_credential MODIFY COLUMN credential_id VARCHAR(410)") if err != nil { return err } case schemas.ORACLE: - _, err := x.Exec("ALTER TABLE webauthn_credential MODIFY content VARCHAR(410)") + _, err := x.Exec("ALTER TABLE webauthn_credential MODIFY credential_id VARCHAR(410)") if err != nil { return err } case schemas.MSSQL: - _, err := x.Exec("ALTER TABLE webauthn_credential ALTER COLUMN content VARCHAR(410)") + _, err := x.Exec("ALTER TABLE webauthn_credential ALTER COLUMN credential_id VARCHAR(410)") if err != nil { return err } case schemas.POSTGRES: - _, err := x.Exec("ALTER TABLE webauthn_credential ALTER COLUMN content TYPE VARCHAR(410)") + _, err := x.Exec("ALTER TABLE webauthn_credential ALTER COLUMN credential_id TYPE VARCHAR(410)") if err != nil { return err } default: // SQLite doesn't support ALTER COLUMN, and it seem to already makes String _TEXT_ by default so no migration needed + // nor is there any need to re-migrate + return nil + } + + // Now migrate the old u2f registrations to the new format + type u2fRegistration struct { + ID int64 `xorm:"pk autoincr"` + Name string + UserID int64 `xorm:"INDEX"` + Raw []byte + Counter uint32 `xorm:"BIGINT"` + CreatedUnix timeutil.TimeStamp `xorm:"INDEX created"` + UpdatedUnix timeutil.TimeStamp `xorm:"INDEX updated"` + } + + var start int + regs := make([]*u2fRegistration, 0, 50) + for { + err := x.OrderBy("id").Limit(50, start).Find(®s) + if err != nil { + return err + } + + for _, reg := range regs { + parsed := new(u2f.Registration) + err = parsed.UnmarshalBinary(reg.Raw) + if err != nil { + continue + } + + var cred *webauthnCredential + has, err := x.ID(reg.ID).Where("id = ? AND user_id = ?", reg.ID, reg.UserID).Get(cred) + if err != nil { + return fmt.Errorf("unable to get webauthn_credential[%d]. Error: %v", reg.ID, err) + } + if !has { + continue + } + + cred.CredentialID = base32.HexEncoding.EncodeToString(parsed.KeyHandle) + + _, err = x.Update(cred) + if err != nil { + return err + } + } + + if len(regs) < 50 { + break + } + start += 50 + regs = regs[:0] } return nil From a2c6a273f516661a5a494a2e8055768e095be7b9 Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Sat, 12 Feb 2022 10:52:01 +0000 Subject: [PATCH 04/11] mssql is annoying Signed-off-by: Andrew Thornton --- models/migrations/v209.go | 33 ++++++++++++++++++++++++++++----- 1 file changed, 28 insertions(+), 5 deletions(-) diff --git a/models/migrations/v209.go b/models/migrations/v209.go index bad8e41fade00..82ee3e9ca9a75 100644 --- a/models/migrations/v209.go +++ b/models/migrations/v209.go @@ -17,9 +17,18 @@ import ( func increaseCredentialIDTo410(x *xorm.Engine) error { // Create webauthnCredential table type webauthnCredential struct { - ID int64 `xorm:"pk autoincr"` - UserID int64 `xorm:"INDEX unique(s)"` - CredentialID string `xorm:"INDEX VARCHAR(410)"` + ID int64 `xorm:"pk autoincr"` + Name string + LowerName string `xorm:"unique(s)"` + UserID int64 `xorm:"INDEX unique(s)"` + CredentialID string `xorm:"INDEX VARCHAR(410)"` // CredentalID in U2F is at most 255bytes / 5 * 8 = 408 - add a few extra characters for safety + PublicKey []byte + AttestationType string + AAGUID []byte + SignCount uint32 `xorm:"BIGINT"` + CloneWarning bool + CreatedUnix timeutil.TimeStamp `xorm:"INDEX created"` + UpdatedUnix timeutil.TimeStamp `xorm:"INDEX updated"` } if err := x.Sync2(&webauthnCredential{}); err != nil { return err @@ -27,8 +36,22 @@ func increaseCredentialIDTo410(x *xorm.Engine) error { switch x.Dialect().URI().DBType { case schemas.MYSQL: - _, err := x.Exec("ALTER TABLE webauthn_credential MODIFY COLUMN credential_id VARCHAR(410)") - if err != nil { + // This column has an index on it. I could write all of the code to attempt to change the index OR + // I could just use recreate table. + sess := x.NewSession() + if err := sess.Begin(); err != nil { + _ = sess.Close() + return err + } + if err := recreateTable(sess, new(webauthnCredential)); err != nil { + _ = sess.Close() + return err + } + if err := sess.Commit(); err != nil { + _ = sess.Close() + return err + } + if err := sess.Close(); err != nil { return err } case schemas.ORACLE: From 4a12a3007509b5234353a0babaf984a59116d6ab Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Sat, 12 Feb 2022 11:40:51 +0000 Subject: [PATCH 05/11] restrict migration to only keys that are blank credID or are some prefix of the credID and use recreateTable Signed-off-by: Andrew Thornton --- models/migrations/v209.go | 63 ++++++++++++++++----------------------- 1 file changed, 26 insertions(+), 37 deletions(-) diff --git a/models/migrations/v209.go b/models/migrations/v209.go index 82ee3e9ca9a75..17827da6a6e51 100644 --- a/models/migrations/v209.go +++ b/models/migrations/v209.go @@ -7,6 +7,7 @@ package migrations import ( "encoding/base32" "fmt" + "strings" "code.gitea.io/gitea/modules/timeutil" "github.com/tstranex/u2f" @@ -34,47 +35,31 @@ func increaseCredentialIDTo410(x *xorm.Engine) error { return err } - switch x.Dialect().URI().DBType { - case schemas.MYSQL: - // This column has an index on it. I could write all of the code to attempt to change the index OR - // I could just use recreate table. - sess := x.NewSession() - if err := sess.Begin(); err != nil { - _ = sess.Close() - return err - } - if err := recreateTable(sess, new(webauthnCredential)); err != nil { - _ = sess.Close() - return err - } - if err := sess.Commit(); err != nil { - _ = sess.Close() - return err - } - if err := sess.Close(); err != nil { - return err - } - case schemas.ORACLE: - _, err := x.Exec("ALTER TABLE webauthn_credential MODIFY credential_id VARCHAR(410)") - if err != nil { - return err - } - case schemas.MSSQL: - _, err := x.Exec("ALTER TABLE webauthn_credential ALTER COLUMN credential_id VARCHAR(410)") - if err != nil { - return err - } - case schemas.POSTGRES: - _, err := x.Exec("ALTER TABLE webauthn_credential ALTER COLUMN credential_id TYPE VARCHAR(410)") - if err != nil { - return err - } - default: + if x.Dialect().URI().DBType == schemas.SQLITE { // SQLite doesn't support ALTER COLUMN, and it seem to already makes String _TEXT_ by default so no migration needed // nor is there any need to re-migrate return nil } + // This column has an index on it. I could write all of the code to attempt to change the index OR + // I could just use recreate table. + sess := x.NewSession() + if err := sess.Begin(); err != nil { + _ = sess.Close() + return err + } + if err := recreateTable(sess, new(webauthnCredential)); err != nil { + _ = sess.Close() + return err + } + if err := sess.Commit(); err != nil { + _ = sess.Close() + return err + } + if err := sess.Close(); err != nil { + return err + } + // Now migrate the old u2f registrations to the new format type u2fRegistration struct { ID int64 `xorm:"pk autoincr"` @@ -109,8 +94,12 @@ func increaseCredentialIDTo410(x *xorm.Engine) error { if !has { continue } + remigratedCredID := base32.HexEncoding.EncodeToString(parsed.KeyHandle) + if cred.CredentialID == remigratedCredID || (!strings.HasPrefix(remigratedCredID, cred.CredentialID) && cred.CredentialID != "") { + continue + } - cred.CredentialID = base32.HexEncoding.EncodeToString(parsed.KeyHandle) + cred.CredentialID = remigratedCredID _, err = x.Update(cred) if err != nil { From 66db70bb611b27107614fa030fc0473d4238a520 Mon Sep 17 00:00:00 2001 From: zeripath Date: Sun, 13 Feb 2022 16:29:16 +0000 Subject: [PATCH 06/11] Update models/migrations/v209.go --- models/migrations/v209.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/models/migrations/v209.go b/models/migrations/v209.go index 17827da6a6e51..ab563eb8c085f 100644 --- a/models/migrations/v209.go +++ b/models/migrations/v209.go @@ -101,7 +101,7 @@ func increaseCredentialIDTo410(x *xorm.Engine) error { cred.CredentialID = remigratedCredID - _, err = x.Update(cred) + _, err = x.ID(cred.ID).Update(cred) if err != nil { return err } From b9237bd639b0dcd47eb5c004c8ec8db3abdf83c1 Mon Sep 17 00:00:00 2001 From: zeripath Date: Sun, 13 Feb 2022 16:32:13 +0000 Subject: [PATCH 07/11] Update models/migrations/v209.go --- models/migrations/v209.go | 1 + 1 file changed, 1 insertion(+) diff --git a/models/migrations/v209.go b/models/migrations/v209.go index ab563eb8c085f..7a1123bc5579b 100644 --- a/models/migrations/v209.go +++ b/models/migrations/v209.go @@ -10,6 +10,7 @@ import ( "strings" "code.gitea.io/gitea/modules/timeutil" + "github.com/tstranex/u2f" "xorm.io/xorm" "xorm.io/xorm/schemas" From 3dff1ae5650d8b0eaf412c8dc8629e0cd3faf794 Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Sun, 13 Feb 2022 18:32:57 +0000 Subject: [PATCH 08/11] Move back to alter statements Signed-off-by: Andrew Thornton --- models/migrations/v209.go | 59 ++++++++++++++++++++++++++------------- 1 file changed, 40 insertions(+), 19 deletions(-) diff --git a/models/migrations/v209.go b/models/migrations/v209.go index 7a1123bc5579b..2757b92227b1f 100644 --- a/models/migrations/v209.go +++ b/models/migrations/v209.go @@ -37,28 +37,49 @@ func increaseCredentialIDTo410(x *xorm.Engine) error { } if x.Dialect().URI().DBType == schemas.SQLITE { - // SQLite doesn't support ALTER COLUMN, and it seem to already makes String _TEXT_ by default so no migration needed - // nor is there any need to re-migrate return nil } - // This column has an index on it. I could write all of the code to attempt to change the index OR - // I could just use recreate table. - sess := x.NewSession() - if err := sess.Begin(); err != nil { - _ = sess.Close() - return err - } - if err := recreateTable(sess, new(webauthnCredential)); err != nil { - _ = sess.Close() - return err - } - if err := sess.Commit(); err != nil { - _ = sess.Close() - return err - } - if err := sess.Close(); err != nil { - return err + switch x.Dialect().URI().DBType { + case schemas.MYSQL: + _, err := x.Exec("ALTER TABLE webauthn_credential MODIFY COLUMN content VARCHAR(410)") + if err != nil { + return err + } + case schemas.ORACLE: + _, err := x.Exec("ALTER TABLE webauthn_credential MODIFY content VARCHAR(410)") + if err != nil { + return err + } + case schemas.MSSQL: + // This column has an index on it. I could write all of the code to attempt to change the index OR + // I could just use recreate table. + sess := x.NewSession() + if err := sess.Begin(); err != nil { + _ = sess.Close() + return err + } + + if err := recreateTable(sess, new(webauthnCredential)); err != nil { + _ = sess.Close() + return err + } + if err := sess.Commit(); err != nil { + _ = sess.Close() + return err + } + if err := sess.Close(); err != nil { + return err + } + case schemas.POSTGRES: + _, err := x.Exec("ALTER TABLE webauthn_credential ALTER COLUMN content TYPE VARCHAR(410)") + if err != nil { + return err + } + default: + // SQLite doesn't support ALTER COLUMN, and it already makes String _TEXT_ by default so no migration needed + // nor is there any need to re-migrate + return nil } // Now migrate the old u2f registrations to the new format From 040de0304527e6367576abd4a9f143d7d4a96967 Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Sun, 13 Feb 2022 19:43:03 +0000 Subject: [PATCH 09/11] Add test Signed-off-by: Andrew Thornton --- Makefile | 5 ++ .../expected_webauthn_credential.yml | 9 +++ .../u2f_registration.yml | 21 ++++++ .../webauthn_credential.yml | 30 ++++++++ models/migrations/v209.go | 12 ++-- models/migrations/v209_test.go | 69 +++++++++++++++++++ 6 files changed, 138 insertions(+), 8 deletions(-) create mode 100644 models/migrations/fixtures/Test_increaseCredentialIDTo410/expected_webauthn_credential.yml create mode 100644 models/migrations/fixtures/Test_increaseCredentialIDTo410/u2f_registration.yml create mode 100644 models/migrations/fixtures/Test_increaseCredentialIDTo410/webauthn_credential.yml create mode 100644 models/migrations/v209_test.go diff --git a/Makefile b/Makefile index da3901cc42a12..7d1ed51c9161c 100644 --- a/Makefile +++ b/Makefile @@ -405,6 +405,11 @@ test-sqlite-migration: migrations.sqlite.test migrations.individual.sqlite.test GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/sqlite.ini ./migrations.sqlite.test GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/sqlite.ini ./migrations.individual.sqlite.test +.PHONY: test-sqlite-migration\#% +test-sqlite-migration\#%: migrations.sqlite.test migrations.individual.sqlite.test generate-ini-sqlite + GITEA_ROOT="$(CURDIR)" GITEA_CONF=integrations/sqlite.ini ./migrations.individual.sqlite.test -test.run $(subst .,/,$*) + + generate-ini-mysql: sed -e 's|{{TEST_MYSQL_HOST}}|${TEST_MYSQL_HOST}|g' \ -e 's|{{TEST_MYSQL_DBNAME}}|${TEST_MYSQL_DBNAME}|g' \ diff --git a/models/migrations/fixtures/Test_increaseCredentialIDTo410/expected_webauthn_credential.yml b/models/migrations/fixtures/Test_increaseCredentialIDTo410/expected_webauthn_credential.yml new file mode 100644 index 0000000000000..36b011a9d3da5 --- /dev/null +++ b/models/migrations/fixtures/Test_increaseCredentialIDTo410/expected_webauthn_credential.yml @@ -0,0 +1,9 @@ +- + id: 1 + credential_id: "TVHE44TOH7DF7V48SEAIT3EMMJ7TGBOQ289E5AQB34S98LFCUFJ7U2NAVI8RJG6K2F4TC8AQ8KBNO7AGEOQOL9NE43GR63HTEHJSLOG=" +- + id: 2 + credential_id: "TVHE44TOH7DF7V48SEAIT3EMMJ7TGBOQ289E5AQB34S98LFCUFJ7U2NAVI8RJG6K2F4TC8AQ8KBNO7AGEOQOL9NE43GR63HTEHJSLOG=" +- + id: 4 + credential_id: "THIS SHOULD NOT CHAGNGE" diff --git a/models/migrations/fixtures/Test_increaseCredentialIDTo410/u2f_registration.yml b/models/migrations/fixtures/Test_increaseCredentialIDTo410/u2f_registration.yml new file mode 100644 index 0000000000000..5a7b70fd6a244 --- /dev/null +++ b/models/migrations/fixtures/Test_increaseCredentialIDTo410/u2f_registration.yml @@ -0,0 +1,21 @@ +- + id: 1 + name: "u2fkey-correctly-migrated" + user_id: 1 + raw: 0x05040d0967a2cad045011631187576492a0beb5b377954b4f694c5afc8bdf25270f87f09a9ab6ce9c282f447ba71b2f2bae2105b32b847e0704f310f48644e3eddf240efe2e213b889daf3fc88e3952e8dd6b4cfd82f1a1212e2ab4b19389455ecf3e67f0aeafc91b9c0d413c9d6215a45177c1d5076358aa6ee20e1b30e3d7467cae2308202bd308201a5a00302010202041e8f8734300d06092a864886f70d01010b0500302e312c302a0603550403132359756269636f2055324620526f6f742043412053657269616c203435373230303633313020170d3134303830313030303030305a180f32303530303930343030303030305a306e310b300906035504061302534531123010060355040a0c0959756269636f20414231223020060355040b0c1941757468656e74696361746f72204174746573746174696f6e3127302506035504030c1e59756269636f205532462045452053657269616c203531323732323734303059301306072a8648ce3d020106082a8648ce3d03010703420004a879f82338ed1494bac0704bcc7fc663d1b271715976243101c7605115d7c1529e281c1c67322d384b5cd55dd3e9818d5fd85c22af326e0c64fc20afe33f2366a36c306a302206092b0601040182c40a020415312e332e362e312e342e312e34313438322e312e373013060b2b0601040182e51c0201010404030204303021060b2b0601040182e51c010104041204102fc0579f811347eab116bb5a8db9202a300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101008693ff62df0d5779d4748d7fc8d10227318a8e580e6a3a57c108e94e03c38568b366894fce5624be4a3efd7f34118b3d993743f792a1989160c8fc9ae0b04e3df9ee15e3e88c04fc82a8dcbf5818e108dcc2968577ae79ff662b94734e3dec4597305d73e6e55ee2beb9cd9678ca0935e533eb638f8e26fabb817cda441fbe9831832ae5f6e2ad992f9ebbdb4c62238b8f8d7ab481d6d3263bcdbf9e4a57550370988ad5813440fa032cadb6723cadd8f8d7ba809f75b43cffa0a5b9add14232ef9d9e14812638233c4ca4a873b9f8ac98e32ba19167606e15909fcddb4a2dffbdae4620249f9a6646ac81e4832d1119febfaa731a882da25a77827d46d190173046022100b579338a44c236d3f214b2e150011a08cf251193ecfae2244edb0a5794e9b301022100fab468862c47d98204d437cf2be8c54a5a4ecd1ebb1c61a6c23da7b9c75f6841 + counter: 0 +- id: 2 + name: "u2fkey-incorrectly-migrated" + user_id: 1 + raw: 0x05040d0967a2cad045011631187576492a0beb5b377954b4f694c5afc8bdf25270f87f09a9ab6ce9c282f447ba71b2f2bae2105b32b847e0704f310f48644e3eddf240efe2e213b889daf3fc88e3952e8dd6b4cfd82f1a1212e2ab4b19389455ecf3e67f0aeafc91b9c0d413c9d6215a45177c1d5076358aa6ee20e1b30e3d7467cae2308202bd308201a5a00302010202041e8f8734300d06092a864886f70d01010b0500302e312c302a0603550403132359756269636f2055324620526f6f742043412053657269616c203435373230303633313020170d3134303830313030303030305a180f32303530303930343030303030305a306e310b300906035504061302534531123010060355040a0c0959756269636f20414231223020060355040b0c1941757468656e74696361746f72204174746573746174696f6e3127302506035504030c1e59756269636f205532462045452053657269616c203531323732323734303059301306072a8648ce3d020106082a8648ce3d03010703420004a879f82338ed1494bac0704bcc7fc663d1b271715976243101c7605115d7c1529e281c1c67322d384b5cd55dd3e9818d5fd85c22af326e0c64fc20afe33f2366a36c306a302206092b0601040182c40a020415312e332e362e312e342e312e34313438322e312e373013060b2b0601040182e51c0201010404030204303021060b2b0601040182e51c010104041204102fc0579f811347eab116bb5a8db9202a300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101008693ff62df0d5779d4748d7fc8d10227318a8e580e6a3a57c108e94e03c38568b366894fce5624be4a3efd7f34118b3d993743f792a1989160c8fc9ae0b04e3df9ee15e3e88c04fc82a8dcbf5818e108dcc2968577ae79ff662b94734e3dec4597305d73e6e55ee2beb9cd9678ca0935e533eb638f8e26fabb817cda441fbe9831832ae5f6e2ad992f9ebbdb4c62238b8f8d7ab481d6d3263bcdbf9e4a57550370988ad5813440fa032cadb6723cadd8f8d7ba809f75b43cffa0a5b9add14232ef9d9e14812638233c4ca4a873b9f8ac98e32ba19167606e15909fcddb4a2dffbdae4620249f9a6646ac81e4832d1119febfaa731a882da25a77827d46d190173046022100b579338a44c236d3f214b2e150011a08cf251193ecfae2244edb0a5794e9b301022100fab468862c47d98204d437cf2be8c54a5a4ecd1ebb1c61a6c23da7b9c75f6841 + counter: 0 +- id: 3 + name: "u2fkey-deleted" + user_id: 1 + raw: 0x05040d0967a2cad045011631187576492a0beb5b377954b4f694c5afc8bdf25270f87f09a9ab6ce9c282f447ba71b2f2bae2105b32b847e0704f310f48644e3eddf240efe2e213b889daf3fc88e3952e8dd6b4cfd82f1a1212e2ab4b19389455ecf3e67f0aeafc91b9c0d413c9d6215a45177c1d5076358aa6ee20e1b30e3d7467cae2308202bd308201a5a00302010202041e8f8734300d06092a864886f70d01010b0500302e312c302a0603550403132359756269636f2055324620526f6f742043412053657269616c203435373230303633313020170d3134303830313030303030305a180f32303530303930343030303030305a306e310b300906035504061302534531123010060355040a0c0959756269636f20414231223020060355040b0c1941757468656e74696361746f72204174746573746174696f6e3127302506035504030c1e59756269636f205532462045452053657269616c203531323732323734303059301306072a8648ce3d020106082a8648ce3d03010703420004a879f82338ed1494bac0704bcc7fc663d1b271715976243101c7605115d7c1529e281c1c67322d384b5cd55dd3e9818d5fd85c22af326e0c64fc20afe33f2366a36c306a302206092b0601040182c40a020415312e332e362e312e342e312e34313438322e312e373013060b2b0601040182e51c0201010404030204303021060b2b0601040182e51c010104041204102fc0579f811347eab116bb5a8db9202a300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101008693ff62df0d5779d4748d7fc8d10227318a8e580e6a3a57c108e94e03c38568b366894fce5624be4a3efd7f34118b3d993743f792a1989160c8fc9ae0b04e3df9ee15e3e88c04fc82a8dcbf5818e108dcc2968577ae79ff662b94734e3dec4597305d73e6e55ee2beb9cd9678ca0935e533eb638f8e26fabb817cda441fbe9831832ae5f6e2ad992f9ebbdb4c62238b8f8d7ab481d6d3263bcdbf9e4a57550370988ad5813440fa032cadb6723cadd8f8d7ba809f75b43cffa0a5b9add14232ef9d9e14812638233c4ca4a873b9f8ac98e32ba19167606e15909fcddb4a2dffbdae4620249f9a6646ac81e4832d1119febfaa731a882da25a77827d46d190173046022100b579338a44c236d3f214b2e150011a08cf251193ecfae2244edb0a5794e9b301022100fab468862c47d98204d437cf2be8c54a5a4ecd1ebb1c61a6c23da7b9c75f6841 + counter: 0 +- id: 4 + name: "u2fkey-wrong-user-id" + user_id: 2 + raw: 0x05040d0967a2cad045011631187576492a0beb5b377954b4f694c5afc8bdf25270f87f09a9ab6ce9c282f447ba71b2f2bae2105b32b847e0704f310f48644e3eddf240efe2e213b889daf3fc88e3952e8dd6b4cfd82f1a1212e2ab4b19389455ecf3e67f0aeafc91b9c0d413c9d6215a45177c1d5076358aa6ee20e1b30e3d7467cae2308202bd308201a5a00302010202041e8f8734300d06092a864886f70d01010b0500302e312c302a0603550403132359756269636f2055324620526f6f742043412053657269616c203435373230303633313020170d3134303830313030303030305a180f32303530303930343030303030305a306e310b300906035504061302534531123010060355040a0c0959756269636f20414231223020060355040b0c1941757468656e74696361746f72204174746573746174696f6e3127302506035504030c1e59756269636f205532462045452053657269616c203531323732323734303059301306072a8648ce3d020106082a8648ce3d03010703420004a879f82338ed1494bac0704bcc7fc663d1b271715976243101c7605115d7c1529e281c1c67322d384b5cd55dd3e9818d5fd85c22af326e0c64fc20afe33f2366a36c306a302206092b0601040182c40a020415312e332e362e312e342e312e34313438322e312e373013060b2b0601040182e51c0201010404030204303021060b2b0601040182e51c010104041204102fc0579f811347eab116bb5a8db9202a300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101008693ff62df0d5779d4748d7fc8d10227318a8e580e6a3a57c108e94e03c38568b366894fce5624be4a3efd7f34118b3d993743f792a1989160c8fc9ae0b04e3df9ee15e3e88c04fc82a8dcbf5818e108dcc2968577ae79ff662b94734e3dec4597305d73e6e55ee2beb9cd9678ca0935e533eb638f8e26fabb817cda441fbe9831832ae5f6e2ad992f9ebbdb4c62238b8f8d7ab481d6d3263bcdbf9e4a57550370988ad5813440fa032cadb6723cadd8f8d7ba809f75b43cffa0a5b9add14232ef9d9e14812638233c4ca4a873b9f8ac98e32ba19167606e15909fcddb4a2dffbdae4620249f9a6646ac81e4832d1119febfaa731a882da25a77827d46d190173046022100b579338a44c236d3f214b2e150011a08cf251193ecfae2244edb0a5794e9b301022100fab468862c47d98204d437cf2be8c54a5a4ecd1ebb1c61a6c23da7b9c75f6841 + counter: 0 diff --git a/models/migrations/fixtures/Test_increaseCredentialIDTo410/webauthn_credential.yml b/models/migrations/fixtures/Test_increaseCredentialIDTo410/webauthn_credential.yml new file mode 100644 index 0000000000000..0adf1bc8e2aa2 --- /dev/null +++ b/models/migrations/fixtures/Test_increaseCredentialIDTo410/webauthn_credential.yml @@ -0,0 +1,30 @@ +- + id: 1 + lower_name: "u2fkey-correctly-migrated" + name: "u2fkey-correctly-migrated" + user_id: 1 + credential_id: "TVHE44TOH7DF7V48SEAIT3EMMJ7TGBOQ289E5AQB34S98LFCUFJ7U2NAVI8RJG6K2F4TC8AQ8KBNO7AGEOQOL9NE43GR63HTEHJSLOG=" + public_key: 0x040d0967a2cad045011631187576492a0beb5b377954b4f694c5afc8bdf25270f87f09a9ab6ce9c282f447ba71b2f2bae2105b32b847e0704f310f48644e3eddf2 + attestation_type: 'fido-u2f' + sign_count: 1 + clone_warning: false +- + id: 2 + lower_name: "u2fkey-incorrectly-migrated" + name: "u2fkey-incorrectly-migrated" + user_id: 1 + credential_id: "TVHE44TOH7DF7V48SEAIT3EMMJ7TGBOQ289E5AQB34S98LFCUFJ7U2NAVI8RJG6K2F4TC8A" + public_key: 0x040d0967a2cad045011631187576492a0beb5b377954b4f694c5afc8bdf25270f87f09a9ab6ce9c282f447ba71b2f2bae2105b32b847e0704f310f48644e3eddf2 + attestation_type: 'fido-u2f' + sign_count: 1 + clone_warning: false +- + id: 4 + lower_name: "u2fkey-wrong-user-id" + name: "u2fkey-wrong-user-id" + user_id: 1 + credential_id: "THIS SHOULD NOT CHAGNGE" + public_key: 0x040d0967a2cad045011631187576492a0beb5b377954b4f694c5afc8bdf25270f87f09a9ab6ce9c282f447ba71b2f2bae2105b32b847e0704f310f48644e3eddf2 + attestation_type: 'fido-u2f' + sign_count: 1 + clone_warning: false diff --git a/models/migrations/v209.go b/models/migrations/v209.go index 2757b92227b1f..c42aba245b93a 100644 --- a/models/migrations/v209.go +++ b/models/migrations/v209.go @@ -36,18 +36,14 @@ func increaseCredentialIDTo410(x *xorm.Engine) error { return err } - if x.Dialect().URI().DBType == schemas.SQLITE { - return nil - } - switch x.Dialect().URI().DBType { case schemas.MYSQL: - _, err := x.Exec("ALTER TABLE webauthn_credential MODIFY COLUMN content VARCHAR(410)") + _, err := x.Exec("ALTER TABLE webauthn_credential MODIFY COLUMN credential_id VARCHAR(410)") if err != nil { return err } case schemas.ORACLE: - _, err := x.Exec("ALTER TABLE webauthn_credential MODIFY content VARCHAR(410)") + _, err := x.Exec("ALTER TABLE webauthn_credential MODIFY credential_id VARCHAR(410)") if err != nil { return err } @@ -72,7 +68,7 @@ func increaseCredentialIDTo410(x *xorm.Engine) error { return err } case schemas.POSTGRES: - _, err := x.Exec("ALTER TABLE webauthn_credential ALTER COLUMN content TYPE VARCHAR(410)") + _, err := x.Exec("ALTER TABLE webauthn_credential ALTER COLUMN credential_id TYPE VARCHAR(410)") if err != nil { return err } @@ -108,7 +104,7 @@ func increaseCredentialIDTo410(x *xorm.Engine) error { continue } - var cred *webauthnCredential + cred := &webauthnCredential{} has, err := x.ID(reg.ID).Where("id = ? AND user_id = ?", reg.ID, reg.UserID).Get(cred) if err != nil { return fmt.Errorf("unable to get webauthn_credential[%d]. Error: %v", reg.ID, err) diff --git a/models/migrations/v209_test.go b/models/migrations/v209_test.go new file mode 100644 index 0000000000000..0269db62511ae --- /dev/null +++ b/models/migrations/v209_test.go @@ -0,0 +1,69 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package migrations + +import ( + "testing" + + "code.gitea.io/gitea/modules/timeutil" + "github.com/stretchr/testify/assert" +) + +func Test_increaseCredentialIDTo410(t *testing.T) { + // Create webauthnCredential table + type WebauthnCredential struct { + ID int64 `xorm:"pk autoincr"` + Name string + LowerName string `xorm:"unique(s)"` + UserID int64 `xorm:"INDEX unique(s)"` + CredentialID string `xorm:"INDEX VARCHAR(410)"` // CredentalID in U2F is at most 255bytes / 5 * 8 = 408 - add a few extra characters for safety + PublicKey []byte + AttestationType string + SignCount uint32 `xorm:"BIGINT"` + CloneWarning bool + } + + // Now migrate the old u2f registrations to the new format + type U2fRegistration struct { + ID int64 `xorm:"pk autoincr"` + Name string + UserID int64 `xorm:"INDEX"` + Raw []byte + Counter uint32 `xorm:"BIGINT"` + CreatedUnix timeutil.TimeStamp `xorm:"INDEX created"` + UpdatedUnix timeutil.TimeStamp `xorm:"INDEX updated"` + } + + type ExpectedWebauthnCredential struct { + ID int64 `xorm:"pk autoincr"` + CredentialID string `xorm:"INDEX VARCHAR(410)"` // CredentalID in U2F is at most 255bytes / 5 * 8 = 408 - add a few extra characters for safety + } + + // Prepare and load the testing database + x, deferable := prepareTestEnv(t, 0, new(WebauthnCredential), new(U2fRegistration), new(ExpectedWebauthnCredential)) + if x == nil || t.Failed() { + defer deferable() + return + } + defer deferable() + + // Run the migration + if err := increaseCredentialIDTo410(x); err != nil { + assert.NoError(t, err) + return + } + + expected := []ExpectedWebauthnCredential{} + if err := x.Table("expected_webauthn_credential").Asc("ID").Find(&expected); !assert.NoError(t, err) { + return + } + + got := []ExpectedWebauthnCredential{} + if err := x.Table("webauthn_credential").Select("id, credential_id").Asc("ID").Find(&got); !assert.NoError(t, err) { + return + } + + assert.EqualValues(t, expected, got) +} From ba6f87b35e4169f378c08c5d1b84ada1361eb414 Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Sun, 13 Feb 2022 20:17:42 +0000 Subject: [PATCH 10/11] skip sqlite Signed-off-by: Andrew Thornton --- models/migrations/v209_test.go | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/models/migrations/v209_test.go b/models/migrations/v209_test.go index 0269db62511ae..6931b55fac6f4 100644 --- a/models/migrations/v209_test.go +++ b/models/migrations/v209_test.go @@ -9,6 +9,7 @@ import ( "code.gitea.io/gitea/modules/timeutil" "github.com/stretchr/testify/assert" + "xorm.io/xorm/schemas" ) func Test_increaseCredentialIDTo410(t *testing.T) { @@ -49,6 +50,10 @@ func Test_increaseCredentialIDTo410(t *testing.T) { } defer deferable() + if x.Dialect().URI().DBType == schemas.SQLITE { + return + } + // Run the migration if err := increaseCredentialIDTo410(x); err != nil { assert.NoError(t, err) From 5ca70f7cf88954161192e97b2041282fe811c78b Mon Sep 17 00:00:00 2001 From: Andrew Thornton Date: Sun, 13 Feb 2022 20:18:49 +0000 Subject: [PATCH 11/11] fix postgres test Signed-off-by: Andrew Thornton --- models/migrations/v209_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/models/migrations/v209_test.go b/models/migrations/v209_test.go index 6931b55fac6f4..a929f95adc9c1 100644 --- a/models/migrations/v209_test.go +++ b/models/migrations/v209_test.go @@ -61,12 +61,12 @@ func Test_increaseCredentialIDTo410(t *testing.T) { } expected := []ExpectedWebauthnCredential{} - if err := x.Table("expected_webauthn_credential").Asc("ID").Find(&expected); !assert.NoError(t, err) { + if err := x.Table("expected_webauthn_credential").Asc("id").Find(&expected); !assert.NoError(t, err) { return } got := []ExpectedWebauthnCredential{} - if err := x.Table("webauthn_credential").Select("id, credential_id").Asc("ID").Find(&got); !assert.NoError(t, err) { + if err := x.Table("webauthn_credential").Select("id, credential_id").Asc("id").Find(&got); !assert.NoError(t, err) { return }