Add missing encrypted attributes to encryption key rotation script, and add fingerprinter key rotation script

lib/tasks/rotate.rake

@@ -6,7 +6,9 @@ namespace :rotate do
   desc 'attribute encryption key'
   task attribute_encryption_key: :environment do
     num_users = User.count
+    num_phone_opt_outs = PhoneNumberOptOut.count
     progress = new_progress_bar('Users', num_users)
+    progress_phone_number_opt_outs = new_progress_bar('PhoneNumberOptOuts', num_phone_opt_outs)
 
     User.find_in_batches.with_index do |users, _batch|
       User.transaction do
@@ -15,10 +17,45 @@ namespace :rotate do
             rotator = KeyRotator::AttributeEncryption.new(phone_configuration)
             rotator.rotate
           end
+
           user.email_addresses.each do |email_address|
             rotator = KeyRotator::AttributeEncryption.new(email_address)
             rotator.rotate
           end
+
+          user.auth_app_configurations.each do |auth_app_configuration|
+            rotator = KeyRotator::AttributeEncryption.new(auth_app_configuration)
+            rotator.rotate
+          end
+          progress&.increment
+        rescue StandardError => err # Don't use user.email in output...
+          Kernel.puts "Error with user id:#{user.id} #{err.message} #{err.backtrace}"
+        end
+      end
+    end
+
+    PhoneNumberOptOut.find_in_batches.with_index do |phone_number_opt_outs, _batch|
+      PhoneNumberOptOut.transaction do
+        phone_number_opt_outs.each do |phone_number_opt_out|
+          rotator = KeyRotator::AttributeEncryption.new(phone_number_opt_out)
+          rotator.rotate
+        end
+        progress_phone_number_opt_outs&.increment
+      rescue StandardError => err # Don't use user.email in output...
+        Kernel.puts "Error with user id:#{user.id} #{err.message} #{err.backtrace}"
+      end
+    end
+  end
+
+  desc 'hmac fingerprinter key'
+  task hmac_fingerprinter_key: :environment do
+    num_users = User.count
+    progress = new_progress_bar('Users', num_users)
+
+    User.find_in_batches.with_index do |users, _batch|
+      User.transaction do
+        users.each do |user|
+          KeyRotator::HmacFingerprinter.new.rotate(user: user)
           progress&.increment
         rescue StandardError => err # Don't use user.email in output...
           Kernel.puts "Error with user id:#{user.id} #{err.message} #{err.backtrace}"

spec/factories/auth_app_configurations.rb

@@ -3,7 +3,7 @@
 
   factory :auth_app_configuration do
     name { Faker::Lorem.word }
-    encrypted_otp_secret_key { SecureRandom.hex(16) }
+    otp_secret_key { SecureRandom.hex(16) }
     user
   end
 end

spec/lib/tasks/rotate_rake_spec.rb

@@ -14,21 +14,40 @@
 
   describe 'attribute_encryption_key' do
     it 'runs successfully' do
+      auth_app = create(:auth_app_configuration, user: user)
+      phone_number_opt_out = PhoneNumberOptOut.create_or_find_with_phone(
+        Faker::PhoneNumber.cell_phone,
+      )
+
       old_email = user.email_addresses.first.email
       old_phone = user.phone_configurations.first.phone
+      old_otp_secret_key = auth_app.otp_secret_key
       old_encrypted_email_address_email = user.email_addresses.first.encrypted_email
       old_encrypted_phone = user.phone_configurations.first.encrypted_phone
+      old_encrypted_otp_secret_key = auth_app.encrypted_otp_secret_key
+
+      old_opt_out_phone = phone_number_opt_out.phone
+      old_encrypted_opt_out_phone = phone_number_opt_out.encrypted_phone
 
       rotate_attribute_encryption_key
 
       Rake::Task['rotate:attribute_encryption_key'].execute
 
       user.reload
       user.phone_configurations.reload
+      user.auth_app_configurations.reload
       expect(user.phone_configurations.first.phone).to eq old_phone
       expect(user.email_addresses.first.email).to eq old_email
+      expect(user.auth_app_configurations.first.otp_secret_key).to eq old_otp_secret_key
       expect(user.email_addresses.first.encrypted_email).to_not eq old_encrypted_email_address_email
       expect(user.phone_configurations.first.encrypted_phone).to_not eq old_encrypted_phone
+      expect(user.auth_app_configurations.first.encrypted_otp_secret_key).to_not eq(
+        old_encrypted_otp_secret_key,
+      )
+
+      phone_number_opt_out.reload
+      expect(phone_number_opt_out.phone).to eq old_opt_out_phone
+      expect(phone_number_opt_out.encrypted_phone).to_not eq old_encrypted_opt_out_phone
     end
 
     it 'does not raise an exception when encrypting/decrypting a user' do
@@ -47,4 +66,23 @@
       end.to output(/Error with user id:#{user.id}/).to_stdout
     end
   end
+
+  describe 'hmac_fingerprinter_key' do
+    it 'runs successfully' do
+      old_email = user.email_addresses.first.email
+      old_email_fingerprint = user.email_addresses.first.email_fingerprint
+
+      rotate_hmac_key
+
+      Rake::Task['rotate:hmac_fingerprinter_key'].execute
+      user.reload
+
+      expect(user.email_addresses.first.email).to eq old_email
+      expect(user.email_addresses.first.email_fingerprint).to_not eq(old_email_fingerprint)
+      expect(EmailAddress.find_by(email_fingerprint: old_email_fingerprint)).to eq nil
+      expect(
+        EmailAddress.find_by(email_fingerprint: user.email_addresses.first.email_fingerprint).id,
+      ).to eq user.email_addresses.first.id
+    end
+  end
 end