Merge branch 'siemens/omnibus-gitlab-fix/update-doorkeeper-openid-connect'

CHANGELOG.md

@@ -13,7 +13,7 @@ omnibus-gitlab repository.
 - Added PostgreSQL support for max_worker_processes and max_parallel_workers_per_gather
 - Added PostgreSQL support for log_lock_waits and deadlock_timeout
 - Added PostgreSQL support for track_io_timing
-
+- Rename Rails secret jws_private_key to openid_connect_signing_key
 
 10.0.2
 

files/gitlab-cookbooks/gitlab/libraries/gitlab_rails.rb

@@ -57,12 +57,13 @@ module GitlabRails
       Gitlab['gitlab_rails']['db_key_base'] ||= Gitlab['gitlab_ci']['db_key_base'] # Changed in 8.11
       Gitlab['gitlab_rails']['secret_key_base'] ||= Gitlab['gitlab_ci']['db_key_base'] # Changed in 8.11
       Gitlab['gitlab_rails']['otp_key_base'] ||= Gitlab['gitlab_rails']['secret_token']
+      Gitlab['gitlab_rails']['openid_connect_signing_key'] ||= Gitlab['gitlab_rails']['jws_private_key'] # Changed in 10.1
 
       # Note: If you add another secret to generate here make sure it gets written to disk in SecretsHelper.write_to_gitlab_secrets
       Gitlab['gitlab_rails']['db_key_base'] ||= SecretsHelper.generate_hex(64)
       Gitlab['gitlab_rails']['secret_key_base'] ||= SecretsHelper.generate_hex(64)
       Gitlab['gitlab_rails']['otp_key_base'] ||= SecretsHelper.generate_hex(64)
-      Gitlab['gitlab_rails']['jws_private_key'] ||= SecretsHelper.generate_rsa(4096).to_pem
+      Gitlab['gitlab_rails']['openid_connect_signing_key'] ||= SecretsHelper.generate_rsa(4096).to_pem
     end
 
     def parse_external_url

files/gitlab-cookbooks/gitlab/recipes/gitlab-rails.rb

@@ -174,7 +174,7 @@ templatesymlink "Create a secrets.yml and create a symlink to Rails root" do
     'db_key_base' => node['gitlab']['gitlab-rails']['db_key_base'],
     'secret_key_base' => node['gitlab']['gitlab-rails']['secret_key_base'],
     'otp_key_base' => node['gitlab']['gitlab-rails']['otp_key_base'],
-    'jws_private_key' => node['gitlab']['gitlab-rails']['jws_private_key']
+    'openid_connect_signing_key' => node['gitlab']['gitlab-rails']['openid_connect_signing_key']
   }})
   restarts dependent_services
 end

files/gitlab-cookbooks/package/libraries/helpers/secrets_helper.rb

@@ -40,7 +40,7 @@ class SecretsHelper
         'secret_key_base' => Gitlab['gitlab_rails']['secret_key_base'],
         'db_key_base' => Gitlab['gitlab_rails']['db_key_base'],
         'otp_key_base' => Gitlab['gitlab_rails']['otp_key_base'],
-        'jws_private_key' => Gitlab['gitlab_rails']['jws_private_key']
+        'openid_connect_signing_key' => Gitlab['gitlab_rails']['openid_connect_signing_key']
       },
       'registry' => {
         'http_secret' => Gitlab['registry']['http_secret'],

spec/chef/secrets_spec.rb

@@ -49,7 +49,7 @@ describe 'secrets' do
       it 'writes new secrets to the file, with different values for each' do
         rails_keys = new_secrets['gitlab_rails']
         hex_keys = rails_keys.values_at('db_key_base', 'otp_key_base', 'secret_key_base')
-        rsa_keys = rails_keys.values_at('jws_private_key')
+        rsa_keys = rails_keys.values_at('openid_connect_signing_key')
 
         expect(rails_keys.to_a.uniq).to eq(rails_keys.to_a)
         expect(hex_keys).to all(match(HEX_KEY))
@@ -58,6 +58,7 @@ describe 'secrets' do
 
       it 'does not write legacy keys' do
         expect(new_secrets).not_to have_key('gitlab_ci')
+        expect(new_secrets['gitlab_rails']).not_to have_key('jws_private_key')
       end
 
       it 'generates an appropriate secret for gitlab-workhorse' do
@@ -93,7 +94,10 @@ describe 'secrets' do
         before do
           stub_gitlab_secrets_json(
             gitlab_ci: { db_key_base: 'json_ci_db_key_base', secret_token: 'json_ci_secret_token' },
-            gitlab_rails: { secret_token: 'json_rails_secret_token' }
+            gitlab_rails: {
+              secret_token: 'json_rails_secret_token',
+              jws_private_key: 'json_rails_jws_private_key'
+            }
           )
 
           chef_run
@@ -111,6 +115,10 @@ describe 'secrets' do
           expect(new_secrets['gitlab_rails']['secret_key_base']).to eq('json_ci_db_key_base')
         end
 
+        it 'moves gitlab_rails.jws_private_key to gitlab_rails.openid_connect_signing_key' do
+          expect(new_secrets['gitlab_rails']['openid_connect_signing_key']).to eq('json_rails_jws_private_key')
+        end
+
         it 'ignores other, unused, secrets' do
           expect(new_secrets.inspect).not_to include('json_ci_secret_token')
         end
@@ -127,7 +135,10 @@ describe 'secrets' do
         before do
           stub_gitlab_secrets_json(
             gitlab_ci: { db_key_base: 'json_ci_db_key_base' },
-            gitlab_rails: { secret_token: 'json_rails_secret_token' }
+            gitlab_rails: {
+              secret_token: 'json_rails_secret_token',
+              jws_private_key: 'json_rails_jws_private_key'
+            }
           )
 
           stub_gitlab_rb(gitlab_ci: { db_key_base: 'rb_ci_db_key_base' })
@@ -152,7 +163,13 @@ describe 'secrets' do
           stub_gitlab_rb(gitlab_ci: { db_key_base: 'rb_ci_db_key_base',
                                       secret_token: 'rb_ci_secret_token' })
 
-          stub_gitlab_secrets_json(gitlab_rails: { secret_token: 'json_rails_secret_token' })
+          stub_gitlab_secrets_json(
+            gitlab_rails: {
+              secret_token: 'json_rails_secret_token',
+              jws_private_key: 'json_rails_jws_private_key'
+            }
+          )
+
           chef_run
         end
 
@@ -168,6 +185,10 @@ describe 'secrets' do
           expect(new_secrets['gitlab_rails']['secret_key_base']).to eq('rb_ci_db_key_base')
         end
 
+        it 'moves gitlab_rails.jws_private_key to gitlab_rails.openid_connect_signing_key' do
+          expect(new_secrets['gitlab_rails']['openid_connect_signing_key']).to eq('json_rails_jws_private_key')
+        end
+
         it 'ignores other, unused, secrets' do
           expect(new_secrets.inspect).not_to include('rb_ci_secret_token')
         end