mirror of
https://github.com/overleaf/overleaf.git
synced 2024-10-17 21:05:04 -04:00
9e6a767c96
[misc] add scripts for rotating all the encrypted access-tokens GitOrigin-RevId: ce3374bb5d318a7f16a416ac1719a819c1160fb4
106 lines
2.7 KiB
JavaScript
106 lines
2.7 KiB
JavaScript
const { ReadPreference } = require('mongodb')
|
|
const _ = require('lodash')
|
|
const { formatTokenUsageStats } = require('./format-usage-stats')
|
|
|
|
const LOG_EVERY_IN_S = parseInt(process.env.LOG_EVERY_IN_S || '5', 10)
|
|
const DRY_RUN = !process.argv.includes('--dry-run=false')
|
|
|
|
/**
|
|
* @param {AccessTokenEncryptor} accessTokenEncryptor
|
|
* @param {string} encryptedJson
|
|
* @return {Promise<string>}
|
|
*/
|
|
async function reEncryptTokens(accessTokenEncryptor, encryptedJson) {
|
|
return new Promise((resolve, reject) => {
|
|
accessTokenEncryptor.decryptToJson(encryptedJson, (err, json) => {
|
|
if (err) return reject(err)
|
|
accessTokenEncryptor.encryptJson(json, (err, reEncryptedJson) => {
|
|
if (err) return reject(err)
|
|
resolve(reEncryptedJson)
|
|
})
|
|
})
|
|
})
|
|
}
|
|
|
|
/**
|
|
* @param {AccessTokenEncryptor} accessTokenEncryptor
|
|
* @param {Collection} collection
|
|
* @param {Object} paths
|
|
* @return {Promise<{}>}
|
|
*/
|
|
async function reEncryptTokensInCollection({
|
|
accessTokenEncryptor,
|
|
collection,
|
|
paths,
|
|
}) {
|
|
const { collectionName } = collection
|
|
const stats = {}
|
|
|
|
let processed = 0
|
|
let updatedNUsers = 0
|
|
let lastLog = 0
|
|
const logProgress = () => {
|
|
if (DRY_RUN) {
|
|
console.warn(
|
|
`processed ${processed} | Would have updated ${updatedNUsers} users`
|
|
)
|
|
} else {
|
|
console.warn(`processed ${processed} | Updated ${updatedNUsers} users`)
|
|
}
|
|
}
|
|
|
|
const projection = { _id: 1 }
|
|
for (const path of Object.values(paths)) {
|
|
projection[path] = 1
|
|
}
|
|
const cursor = collection.find(
|
|
{},
|
|
{
|
|
readPreference: ReadPreference.SECONDARY,
|
|
projection,
|
|
}
|
|
)
|
|
|
|
for await (const doc of cursor) {
|
|
processed++
|
|
|
|
let update = null
|
|
for (const [name, path] of Object.entries(paths)) {
|
|
const blob = _.get(doc, path)
|
|
if (!blob) continue
|
|
// Schema: LABEL:SALT:CIPHERTEXT:IV
|
|
const [label, , , iv] = blob.split(':', 4)
|
|
const version = iv ? 'v2' : 'v1'
|
|
|
|
const key = [name, version, collectionName, path, label].join(':')
|
|
stats[key] = (stats[key] || 0) + 1
|
|
|
|
if (version === 'v1') {
|
|
update = update || {}
|
|
update[path] = await reEncryptTokens(accessTokenEncryptor, blob)
|
|
}
|
|
}
|
|
|
|
if (Date.now() - lastLog >= LOG_EVERY_IN_S * 1000) {
|
|
logProgress()
|
|
lastLog = Date.now()
|
|
}
|
|
if (update) {
|
|
updatedNUsers++
|
|
|
|
const { _id } = doc
|
|
if (DRY_RUN) {
|
|
console.log('Would upgrade tokens for user', _id, Object.keys(update))
|
|
} else {
|
|
console.log('Upgrading tokens for user', _id, Object.keys(update))
|
|
await collection.updateOne({ _id }, { $set: update })
|
|
}
|
|
}
|
|
}
|
|
logProgress()
|
|
formatTokenUsageStats(stats)
|
|
}
|
|
|
|
module.exports = {
|
|
reEncryptTokensInCollection,
|
|
}
|