2017-03-07 16:28:26 +00:00 · 2017-03-07 16:28:26 +00:00 · a447c410b6
parent f246a60bc5 3eaf7a7d16
commit a447c410b6
7 changed files with 41 additions and 25 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -4,9 +4,11 @@ The latest version of this file can be found at the master branch of the
 omnibus-gitlab repository.

 9.0
+
 - Remove Bitbucket from templates as it does not require special settings anymore
 - Fix the issue that prevents registry from starting when user and group
 are not the same (O Schwede) 62b5cc
+- Setup RSA private key for OpenID Connect

 8.17.3
 - Changing call to create tmp dir as the database user 7b54cd76
--- a/files/gitlab-cookbooks/gitlab/libraries/gitlab.rb
+++ b/files/gitlab-cookbooks/gitlab/libraries/gitlab.rb
@ -103,10 +103,6 @@ module Gitlab

  class << self
    # guards against creating secrets on non-bootstrap node
-    def generate_hex(chars)
-      SecureRandom.hex(chars)
-    end
-
    def generate_secrets(node_name)
      SecretsHelper.read_gitlab_secrets

@ -130,24 +126,25 @@ module Gitlab
      Gitlab['gitlab_rails']['otp_key_base'] ||= Gitlab['gitlab_rails']['secret_token']

      # Note: If you add another secret to generate here make sure it gets written to disk in SecretsHelper.write_to_gitlab_secrets
-      Gitlab['gitlab_rails']['db_key_base'] ||= generate_hex(64)
-      Gitlab['gitlab_rails']['secret_key_base'] ||= generate_hex(64)
-      Gitlab['gitlab_rails']['otp_key_base'] ||= generate_hex(64)
+      Gitlab['gitlab_rails']['db_key_base'] ||= SecretsHelper.generate_hex(64)
+      Gitlab['gitlab_rails']['secret_key_base'] ||= SecretsHelper.generate_hex(64)
+      Gitlab['gitlab_rails']['otp_key_base'] ||= SecretsHelper.generate_hex(64)
+      Gitlab['gitlab_rails']['jws_private_key'] ||= SecretsHelper.generate_rsa(4096).to_pem

-      Gitlab['gitlab_shell']['secret_token'] ||= generate_hex(64)
+      Gitlab['gitlab_shell']['secret_token'] ||= SecretsHelper.generate_hex(64)

      # gitlab-workhorse expects exactly 32 bytes, encoded with base64
      Gitlab['gitlab_workhorse']['secret_token'] ||= SecureRandom.base64(32)

-      Gitlab['registry']['http_secret'] ||= generate_hex(64)
+      Gitlab['registry']['http_secret'] ||= SecretsHelper.generate_hex(64)
      gitlab_registry_crt, gitlab_registry_key = Registry.generate_registry_keypair
      Gitlab['registry']['internal_certificate'] ||= gitlab_registry_crt
      Gitlab['registry']['internal_key'] ||= gitlab_registry_key

-      Gitlab['mattermost']['email_invite_salt'] ||= generate_hex(16)
-      Gitlab['mattermost']['file_public_link_salt'] ||= generate_hex(16)
-      Gitlab['mattermost']['email_password_reset_salt'] ||= generate_hex(16)
-      Gitlab['mattermost']['sql_at_rest_encrypt_key'] ||= generate_hex(16)
+      Gitlab['mattermost']['email_invite_salt'] ||= SecretsHelper.generate_hex(16)
+      Gitlab['mattermost']['file_public_link_salt'] ||= SecretsHelper.generate_hex(16)
+      Gitlab['mattermost']['email_password_reset_salt'] ||= SecretsHelper.generate_hex(16)
+      Gitlab['mattermost']['sql_at_rest_encrypt_key'] ||= SecretsHelper.generate_hex(16)

      SecretsHelper.write_to_gitlab_secrets
    end
--- a/files/gitlab-cookbooks/gitlab/libraries/helper.rb
+++ b/files/gitlab-cookbooks/gitlab/libraries/helper.rb
@ -19,6 +19,7 @@
 require 'mixlib/shellout'
 require 'uri'
 require 'digest'
+require 'openssl'

 module ShellOutHelper

@ -162,6 +163,13 @@ class MattermostHelper
 end

 class SecretsHelper
+  def self.generate_hex(chars)
+    SecureRandom.hex(chars)
+  end
+
+  def self.generate_rsa(bits)
+    OpenSSL::PKey::RSA.new(bits)
+  end

  def self.read_gitlab_secrets
    existing_secrets ||= Hash.new
@ -193,7 +201,8 @@ class SecretsHelper
                      'gitlab_rails' => {
                        'secret_key_base' => Gitlab['gitlab_rails']['secret_key_base'],
                        'db_key_base' => Gitlab['gitlab_rails']['db_key_base'],
-                        'otp_key_base' => Gitlab['gitlab_rails']['otp_key_base']
+                        'otp_key_base' => Gitlab['gitlab_rails']['otp_key_base'],
+                        'jws_private_key' => Gitlab['gitlab_rails']['jws_private_key']
                      },
                      'registry' => {
                        'http_secret' => Gitlab['registry']['http_secret'],
--- a/files/gitlab-cookbooks/gitlab/libraries/registry.rb
+++ b/files/gitlab-cookbooks/gitlab/libraries/registry.rb
@ -82,7 +82,7 @@ module Registry
    end

    def generate_registry_keypair
-      key = OpenSSL::PKey::RSA.new(4096)
+      key = SecretsHelper.generate_rsa(4096)
      subject = "/C=USA/O=GitLab/OU=Container/CN=Registry"

      cert = OpenSSL::X509::Certificate.new
--- a/files/gitlab-cookbooks/gitlab/recipes/gitlab-rails.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/gitlab-rails.rb
@ -164,7 +164,12 @@ templatesymlink "Create a secrets.yml and create a symlink to Rails root" do
  owner "root"
  group "root"
  mode "0644"
-  variables(node['gitlab']['gitlab-rails'].to_hash)
+  variables('secrets' => { 'production' =>  {
+    'db_key_base' => node['gitlab']['gitlab-rails']['db_key_base'],
+    'secret_key_base' => node['gitlab']['gitlab-rails']['secret_key_base'],
+    'otp_key_base' => node['gitlab']['gitlab-rails']['otp_key_base'],
+    'jws_private_key' => node['gitlab']['gitlab-rails']['jws_private_key']
+  }})
  restarts dependent_services
 end

--- a/files/gitlab-cookbooks/gitlab/templates/default/secrets.yml.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/secrets.yml.erb
@ -2,7 +2,4 @@
 # erased! To change the contents below, edit /etc/gitlab/gitlab.rb
 # and run `sudo gitlab-ctl reconfigure`.

-production:
-  db_key_base: <%= @db_key_base %>
-  secret_key_base: <%= @secret_key_base %>
-  otp_key_base: <%= @otp_key_base %>
+<%= @secrets.to_yaml %>
--- a/spec/chef/secrets_spec.rb
+++ b/spec/chef/secrets_spec.rb
@ -4,6 +4,9 @@ require 'base64'
 describe 'secrets' do
  let(:chef_run) { ChefSpec::SoloRunner.new(step_into: %w(templatesymlink)).converge('gitlab::default') }

+  HEX_KEY = /\h{128}/.freeze
+  RSA_KEY = /\A-----BEGIN RSA PRIVATE KEY-----\n.+\n-----END RSA PRIVATE KEY-----\n\Z/m.freeze
+
  def stub_gitlab_secrets_json(secrets)
    allow(File).to receive(:read).with('/etc/gitlab/gitlab-secrets.json').and_return(JSON.generate(secrets))
  end
@ -44,10 +47,13 @@ describe 'secrets' do
      end

      it 'writes new secrets to the file, with different values for each' do
-        rails_keys = new_secrets['gitlab_rails'].values_at('db_key_base', 'otp_key_base', 'secret_key_base')
+        rails_keys = new_secrets['gitlab_rails']
+        hex_keys = rails_keys.values_at('db_key_base', 'otp_key_base', 'secret_key_base')
+        rsa_keys = rails_keys.values_at('jws_private_key')

-        expect(rails_keys).to all(match(/\h{128}/))
-        expect(rails_keys.uniq).to eq(rails_keys)
+        expect(rails_keys.to_a.uniq).to eq(rails_keys.to_a)
+        expect(hex_keys).to all(match(HEX_KEY))
+        expect(rsa_keys).to all(match(RSA_KEY))
      end

      it 'does not write legacy keys' do
@ -79,7 +85,7 @@ describe 'secrets' do
        end

        it 'falls back further to generating new secrets' do
-          expect(new_secrets['gitlab_rails']['otp_key_base']).to match(/\h{128}/)
+          expect(new_secrets['gitlab_rails']['otp_key_base']).to match(HEX_KEY)
        end
      end

@ -137,7 +143,7 @@ describe 'secrets' do
        end

        it 'falls back further to generating new secrets' do
-          expect(new_secrets['gitlab_shell']['secret_token']).to match(/\h{128}/)
+          expect(new_secrets['gitlab_shell']['secret_token']).to match(HEX_KEY)
        end
      end