From 0b50397b4700f538756382355cc99ddf6c6fa1fb Mon Sep 17 00:00:00 2001
From: Gabriel Adrian Samfira
Date: Tue, 6 Dec 2022 15:15:46 +0000
Subject: [PATCH] Make sure to decode token
Signed-off-by: Gabriel Adrian Samfira
---
 database/sql/enterprise.go | 7 +++++++
 database/sql/instances.go | 36 ++++++++++++++++++++++++++++++++++-
 database/sql/organizations.go | 7 +++++++
 database/sql/repositories.go | 7 +++++++
 runner/pool/pool.go | 29 +++++++++++++++-------------
 5 files changed, 72 insertions(+), 14 deletions(-)
diff --git a/database/sql/enterprise.go b/database/sql/enterprise.go
index 9d8eb1ca..a23d408c 100644
--- a/database/sql/enterprise.go
+++ b/database/sql/enterprise.go
@@ -250,6 +250,13 @@ func (s *sqlDatabase) ListEnterpriseInstances(ctx context.Context, enterpriseID
 ret := []params.Instance{}
 for _, pool := range pools {
 for _, instance := range pool.Instances {
+ if instance.GithubRegistrationToken != nil {
+ decodedTk, err := util.Aes256DecodeString(instance.GithubRegistrationToken, s.cfg.Passphrase)
+ if err != nil {
+ return nil, errors.Wrap(err, "decrypting GithubRegistrationToken")
+ }
+ instance.GithubRegistrationToken = []byte(decodedTk)
+ }
 ret = append(ret, s.sqlToParamsInstance(instance))
 }
 }
diff --git a/database/sql/instances.go b/database/sql/instances.go
index eb1ee67b..2bf7b5b1 100644
--- a/database/sql/instances.go
+++ b/database/sql/instances.go
@@ -55,6 +55,13 @@ func (s *sqlDatabase) CreateInstance(ctx context.Context, poolID string, param p
 return params.Instance{}, errors.Wrap(q.Error, "creating instance")
 }
+ if newInstance.GithubRegistrationToken != nil {
+ decodedTk, err := util.Aes256DecodeString(newInstance.GithubRegistrationToken, s.cfg.Passphrase)
+ if err != nil {
+ return params.Instance{}, errors.Wrap(err, "decrypting GithubRegistrationToken")
+ }
+ newInstance.GithubRegistrationToken = []byte(decodedTk)
+ }
 return s.sqlToParamsInstance(newInstance), nil
 }
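Review bot: The seven-line decrypt block added before `s.sqlToParamsInstance(instance)` is pasted verbatim into eight functions in this patch: ListEnterpriseInstances, CreateInstance, GetPoolInstanceByName, UpdateInstance, ListPoolInstances, ListAllInstances, ListOrgInstances and ListRepoInstances. With the passphrase handling spread across that many call sites, the next instance-returning path can easily miss it and hand callers ciphertext. I would move it into one unexported method on `sqlDatabase` that takes the stored token and returns the plaintext or the wrapped error, and call that from each site. The function body starts outside the hunk, so I cannot tell whether the conversion itself could take over this job.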
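Review bot: The plaintext is assigned back to `newInstance.GithubRegistrationToken`, and `newInstance` appears to be the database record that was just created through `q`. Nothing after this line saves it again, but the model now carries a decrypted value in a field that is evidently stored encrypted, so a later edit that writes `newInstance` back would persist the token in clear. Setting it on the converted value keeps the model untouched: `out := s.sqlToParamsInstance(newInstance)`, then `out.GithubRegistrationToken = []byte(decodedTk)` inside the `if`, then `return out, nil`. The same pattern applies to `instance` in UpdateInstance and GetPoolInstanceByName. CreateInstance starts outside the hunk.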
@@ -131,7 +138,13 @@ func (s *sqlDatabase) GetPoolInstanceByName(ctx context.Context, poolID string,
 }
 instance.GithubRegistrationToken = []byte(token)
 }
-
+ if instance.GithubRegistrationToken != nil {
+ decodedTk, err := util.Aes256DecodeString(instance.GithubRegistrationToken, s.cfg.Passphrase)
+ if err != nil {
+ return params.Instance{}, errors.Wrap(err, "decrypting GithubRegistrationToken")
+ }
+ instance.GithubRegistrationToken = []byte(decodedTk)
+ }
 return s.sqlToParamsInstance(instance), nil
 }
@@ -233,6 +246,13 @@ func (s *sqlDatabase) UpdateInstance(ctx context.Context, instanceID string, par
 return params.Instance{}, errors.Wrap(err, "updating addresses")
 }
 }
+ if instance.GithubRegistrationToken != nil {
+ decodedTk, err := util.Aes256DecodeString(instance.GithubRegistrationToken, s.cfg.Passphrase)
+ if err != nil {
+ return params.Instance{}, errors.Wrap(err, "decrypting GithubRegistrationToken")
+ }
+ instance.GithubRegistrationToken = []byte(decodedTk)
+ }
 return s.sqlToParamsInstance(instance), nil
 }
@@ -244,6 +264,13 @@ func (s *sqlDatabase) ListPoolInstances(ctx context.Context, poolID string) ([]p
 ret := make([]params.Instance, len(pool.Instances))
 for idx, inst := range pool.Instances {
+ if inst.GithubRegistrationToken != nil {
+ decodedTk, err := util.Aes256DecodeString(inst.GithubRegistrationToken, s.cfg.Passphrase)
+ if err != nil {
+ return nil, errors.Wrap(err, "decrypting GithubRegistrationToken")
+ }
+ inst.GithubRegistrationToken = []byte(decodedTk)
+ }
 ret[idx] = s.sqlToParamsInstance(inst)
 }
 return ret, nil
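Review bot: The context lines directly above the addition already end with `instance.GithubRegistrationToken = []byte(token)`, so GetPoolInstanceByName seems to decode the token once before the new block runs. The code that produces `token` is outside the hunk. If it is an earlier `util.Aes256DecodeString` call, the added block passes plaintext to the decrypt routine, and the function would return "decrypting GithubRegistrationToken" for every instance that has a token. One of the two blocks should be removed so the field is decrypted exactly once.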
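Review bot: One row whose token fails to decrypt makes ListPoolInstances return `nil` and an error for the whole pool, and the message "decrypting GithubRegistrationToken" does not say which instance was affected. A single record written under a previous passphrase, or a truncated one, would then hide every other instance from the caller, with nothing in the error to locate it. I would wrap with the row's identifier, for example `errors.Wrapf(err, "decrypting GithubRegistrationToken in pool %s", poolID)` plus whatever ID the model exposes. It is also worth deciding whether a list call should fail outright or return the instance with the token left empty. The loops in ListAllInstances, ListOrgInstances, ListRepoInstances and ListEnterpriseInstances behave the same way.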
@@ -258,6 +285,13 @@ func (s *sqlDatabase) ListAllInstances(ctx context.Context) ([]params.Instance,
 }
 ret := make([]params.Instance, len(instances))
 for idx, instance := range instances {
+ if instance.GithubRegistrationToken != nil {
+ decodedTk, err := util.Aes256DecodeString(instance.GithubRegistrationToken, s.cfg.Passphrase)
+ if err != nil {
+ return nil, errors.Wrap(err, "decrypting GithubRegistrationToken")
+ }
+ instance.GithubRegistrationToken = []byte(decodedTk)
+ }
 ret[idx] = s.sqlToParamsInstance(instance)
 }
 return ret, nil
diff --git a/database/sql/organizations.go b/database/sql/organizations.go
index 35b4b241..8a4b8ee4 100644
--- a/database/sql/organizations.go
+++ b/database/sql/organizations.go
@@ -255,6 +255,13 @@ func (s *sqlDatabase) ListOrgInstances(ctx context.Context, orgID string) ([]par
 ret := []params.Instance{}
 for _, pool := range pools {
 for _, instance := range pool.Instances {
+ if instance.GithubRegistrationToken != nil {
+ decodedTk, err := util.Aes256DecodeString(instance.GithubRegistrationToken, s.cfg.Passphrase)
+ if err != nil {
+ return nil, errors.Wrap(err, "decrypting GithubRegistrationToken")
+ }
+ instance.GithubRegistrationToken = []byte(decodedTk)
+ }
 ret = append(ret, s.sqlToParamsInstance(instance))
 }
 }
diff --git a/database/sql/repositories.go b/database/sql/repositories.go
index 73cf4295..a6ef5ce6 100644
--- a/database/sql/repositories.go
+++ b/database/sql/repositories.go
@@ -264,6 +264,13 @@ func (s *sqlDatabase) ListRepoInstances(ctx context.Context, repoID string) ([]p
 ret := []params.Instance{}
 for _, pool := range pools {
 for _, instance := range pool.Instances {
+ if instance.GithubRegistrationToken != nil {
+ decodedTk, err := util.Aes256DecodeString(instance.GithubRegistrationToken, s.cfg.Passphrase)
+ if err != nil {
+ return nil, errors.Wrap(err, "decrypting GithubRegistrationToken")
+ }
+ instance.GithubRegistrationToken = []byte(decodedTk)
+ }
 ret = append(ret, s.sqlToParamsInstance(instance))
 }
 }
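Review bot: ListAllInstances now puts a decrypted registration token into every `params.Instance` it returns, which is a much wider exposure of the plaintext than the one consumer visible in this patch, `addInstanceToProvider`, requires. If list results are serialized to API responses or logged, the tokens would travel with them; the struct tags on `params.Instance` are not shown here, so that needs confirming. Unless a caller of the list functions actually reads the token, I would leave it out of list results and decrypt only in the single-instance lookups. The same consideration applies to ListPoolInstances, ListOrgInstances, ListRepoInstances and ListEnterpriseInstances.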
diff --git a/runner/pool/pool.go b/runner/pool/pool.go
index aef90357..927a8c90 100644
--- a/runner/pool/pool.go
+++ b/runner/pool/pool.go
@@ -548,19 +548,22 @@ func (r *basePoolManager) addInstanceToProvider(instance params.Instance) error
 }
 bootstrapArgs := params.BootstrapInstance{
- Name: instance.Name,
- Tools: r.tools,
- RepoURL: r.helper.GithubURL(),
- GithubRunnerAccessToken: string(instance.GithubRegistrationToken),
- MetadataURL: instance.MetadataURL,
- CallbackURL: instance.CallbackURL,
- InstanceToken: jwtToken,
- OSArch: pool.OSArch,
- Flavor: pool.Flavor,
- Image: pool.Image,
- Labels: labels,
- PoolID: instance.PoolID,
- CACertBundle: r.credsDetails.CABundle,
+ Name: instance.Name,
+ Tools: r.tools,
+ RepoURL: r.helper.GithubURL(),
+ MetadataURL: instance.MetadataURL,
+ CallbackURL: instance.CallbackURL,
+ InstanceToken: jwtToken,
+ OSArch: pool.OSArch,
+ Flavor: pool.Flavor,
+ Image: pool.Image,
+ Labels: labels,
+ PoolID: instance.PoolID,
+ CACertBundle: r.credsDetails.CABundle,
+ }
+
+ if instance.MetadataURL == "" {
+ bootstrapArgs.GithubRunnerAccessToken = string(instance.GithubRegistrationToken)
 }
 var instanceIDToDelete string
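Review bot: The new `if instance.MetadataURL == ""` branch makes a security decision without a comment, and the commit title does not mention it: the registration token is handed to the provider in the bootstrap parameters only when no metadata URL is set. Presumably the instance otherwise fetches the token itself using `InstanceToken`, but that mechanism is not visible in this hunk. I would add `// Embed the registration token in the bootstrap data only when the instance has no metadata URL to fetch it from.` above the branch. The fallback also proceeds when `instance.GithubRegistrationToken` is empty, so returning an error on `len(instance.GithubRegistrationToken) == 0` inside the branch would surface a misconfigured instance before the provider is called. addInstanceToProvider starts and ends outside the hunk.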