From 83e186c00cd71c7acd3e9970f79770dbbf25cdf4 Mon Sep 17 00:00:00 2001 From: Earl Warren Date: Mon, 17 Mar 2025 16:25:37 +0000 Subject: [PATCH] fix: discard v25 secrets migrations errors instead of failing (#7251) Failing the migration when a corrupted record is found is problematic because there is no transaction and the database may need to be restored from a backup to attempt the migration again, after deleting the corrupted records. Each documented case of failed migration was resolved by removing the corrupted records. There is no instance of a failed migration that was caused by non corrupted record. In the unlikely event of a false negative where a two_factor record is discarded although it is in use, the only consequence is that the user will have to enroll again. Detailed logs are displayed so the Forgejo admin can file a bug report if that happens. Refs: https://codeberg.org/forgejo/forgejo/issues/6637 ## Release notes - Bug fixes - [PR](https://codeberg.org/forgejo/forgejo/pulls/7251): When migrating to Forgejo v10, the TOTP secrets found to be corrupted are now transparently removed from the database instead of failing the migration. TOTP is no longer required to login with the associated users. They should be informed because they will need to visit their security settings and configure TOTP again. No other action is required. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7251 Reviewed-by: Gusted Co-authored-by: Earl Warren Co-committed-by: Earl Warren --- models/forgejo_migrations/v25.go | 27 ++++++++++++++++--- models/forgejo_migrations/v25_test.go | 6 ++++- .../two_factor.yml | 9 +++++++ release-notes/7251.md | 1 + 4 files changed, 39 insertions(+), 4 deletions(-) create mode 100644 release-notes/7251.md diff --git a/models/forgejo_migrations/v25.go b/models/forgejo_migrations/v25.go index e2316007cf..5e3dff80b3 100644 --- a/models/forgejo_migrations/v25.go +++ b/models/forgejo_migrations/v25.go @@ -7,9 +7,11 @@ import ( "context" "crypto/md5" "encoding/base64" + "fmt" "code.gitea.io/gitea/models/auth" "code.gitea.io/gitea/models/db" + "code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/secret" "code.gitea.io/gitea/modules/setting" @@ -57,19 +59,38 @@ func MigrateTwoFactorToKeying(x *xorm.Engine) error { oldEncryptionKey := md5.Sum([]byte(setting.SecretKey)) - return db.Iterate(context.Background(), nil, func(ctx context.Context, bean *auth.TwoFactor) error { + messages := make([]string, 0, 100) + ids := make([]int64, 0, 100) + + err = db.Iterate(context.Background(), nil, func(ctx context.Context, bean *auth.TwoFactor) error { decodedStoredSecret, err := base64.StdEncoding.DecodeString(string(bean.Secret)) if err != nil { - return err + messages = append(messages, fmt.Sprintf("two_factor.id=%d, two_factor.uid=%d: base64.StdEncoding.DecodeString: %v", bean.ID, bean.UID, err)) + ids = append(ids, bean.ID) + return nil } secretBytes, err := secret.AesDecrypt(oldEncryptionKey[:], decodedStoredSecret) if err != nil { - return err + messages = append(messages, fmt.Sprintf("two_factor.id=%d, two_factor.uid=%d: secret.AesDecrypt: %v", bean.ID, bean.UID, err)) + ids = append(ids, bean.ID) + return nil } bean.SetSecret(string(secretBytes)) _, err = db.GetEngine(ctx).Cols("secret").ID(bean.ID).Update(bean) return err }) + if err == nil { + if len(ids) > 0 { + log.Error("Forgejo migration[25]: The following TOTP secrets were found to be corrupted and removed from the database. TOTP is no longer required to login with the associated users. They should be informed because they will need to visit their security settings and configure TOTP again. No other action is required. See https://codeberg.org/forgejo/forgejo/issues/6637 for more context on the various causes for such a corruption.") + for _, message := range messages { + log.Error("Forgejo migration[25]: %s", message) + } + + _, err = db.GetEngine(context.Background()).In("id", ids).NoAutoCondition().NoAutoTime().Delete(&auth.TwoFactor{}) + } + } + + return err } diff --git a/models/forgejo_migrations/v25_test.go b/models/forgejo_migrations/v25_test.go index 43c5885c39..73b97f7a35 100644 --- a/models/forgejo_migrations/v25_test.go +++ b/models/forgejo_migrations/v25_test.go @@ -36,10 +36,14 @@ func Test_MigrateTwoFactorToKeying(t *testing.T) { cnt, err := x.Table("two_factor").Count() require.NoError(t, err) - assert.EqualValues(t, 1, cnt) + assert.EqualValues(t, 2, cnt) require.NoError(t, MigrateTwoFactorToKeying(x)) + cnt, err = x.Table("two_factor").Count() + require.NoError(t, err) + assert.EqualValues(t, 1, cnt) + var twofactor auth.TwoFactor _, err = x.Table("two_factor").ID(1).Get(&twofactor) require.NoError(t, err) diff --git a/models/migrations/fixtures/Test_MigrateTwoFactorToKeying/two_factor.yml b/models/migrations/fixtures/Test_MigrateTwoFactorToKeying/two_factor.yml index ef6c158659..91aa420340 100644 --- a/models/migrations/fixtures/Test_MigrateTwoFactorToKeying/two_factor.yml +++ b/models/migrations/fixtures/Test_MigrateTwoFactorToKeying/two_factor.yml @@ -7,3 +7,12 @@ last_used_passcode: created_unix: 1564253724 updated_unix: 1564253724 +- + id: 2 + uid: 23 + secret: badbad + scratch_salt: badbad + scratch_hash: badbad + last_used_passcode: + created_unix: 1564253724 + updated_unix: 1564253724 diff --git a/release-notes/7251.md b/release-notes/7251.md new file mode 100644 index 0000000000..9c35603981 --- /dev/null +++ b/release-notes/7251.md @@ -0,0 +1 @@ +When migrating from a Forgejo version lower than v10, the TOTP secrets found to be corrupted are now transparently removed from the database instead of failing the migration. TOTP is no longer required to login with the associated users. They should be informed because they will need to visit their security settings and configure TOTP again. No other action is required.