Merge branch 'feature/openid-connect' into 'master'
Set up RSA private key for doorkeeper-openid_connect. See merge request !1222
commit
a447c410b6
|
@ -4,9 +4,11 @@ The latest version of this file can be found at the master branch of the
|
|||
omnibus-gitlab repository.
|
||||
|
||||
9.0
|
||||
|
||||
- Remove Bitbucket from templates as it does not require special settings anymore
|
||||
- Fix the issue that prevents registry from starting when user and group
|
||||
are not the same (O Schwede) 62b5cc
|
||||
- Setup RSA private key for OpenID Connect
|
||||
|
||||
8.17.3
|
||||
- Changing call to create tmp dir as the database user 7b54cd76
|
||||
|
|
|
@ -103,10 +103,6 @@ module Gitlab
|
|||
|
||||
class << self
|
||||
# guards against creating secrets on non-bootstrap node
|
||||
def generate_hex(chars)
|
||||
SecureRandom.hex(chars)
|
||||
end
|
||||
|
||||
def generate_secrets(node_name)
|
||||
SecretsHelper.read_gitlab_secrets
|
||||
|
||||
|
@ -130,24 +126,25 @@ module Gitlab
|
|||
Gitlab['gitlab_rails']['otp_key_base'] ||= Gitlab['gitlab_rails']['secret_token']
|
||||
|
||||
# Note: If you add another secret to generate here make sure it gets written to disk in SecretsHelper.write_to_gitlab_secrets
|
||||
Gitlab['gitlab_rails']['db_key_base'] ||= generate_hex(64)
|
||||
Gitlab['gitlab_rails']['secret_key_base'] ||= generate_hex(64)
|
||||
Gitlab['gitlab_rails']['otp_key_base'] ||= generate_hex(64)
|
||||
Gitlab['gitlab_rails']['db_key_base'] ||= SecretsHelper.generate_hex(64)
|
||||
Gitlab['gitlab_rails']['secret_key_base'] ||= SecretsHelper.generate_hex(64)
|
||||
Gitlab['gitlab_rails']['otp_key_base'] ||= SecretsHelper.generate_hex(64)
|
||||
Gitlab['gitlab_rails']['jws_private_key'] ||= SecretsHelper.generate_rsa(4096).to_pem
|
||||
|
||||
Gitlab['gitlab_shell']['secret_token'] ||= generate_hex(64)
|
||||
Gitlab['gitlab_shell']['secret_token'] ||= SecretsHelper.generate_hex(64)
|
||||
|
||||
# gitlab-workhorse expects exactly 32 bytes, encoded with base64
|
||||
Gitlab['gitlab_workhorse']['secret_token'] ||= SecureRandom.base64(32)
|
||||
|
||||
Gitlab['registry']['http_secret'] ||= generate_hex(64)
|
||||
Gitlab['registry']['http_secret'] ||= SecretsHelper.generate_hex(64)
|
||||
gitlab_registry_crt, gitlab_registry_key = Registry.generate_registry_keypair
|
||||
Gitlab['registry']['internal_certificate'] ||= gitlab_registry_crt
|
||||
Gitlab['registry']['internal_key'] ||= gitlab_registry_key
|
||||
|
||||
Gitlab['mattermost']['email_invite_salt'] ||= generate_hex(16)
|
||||
Gitlab['mattermost']['file_public_link_salt'] ||= generate_hex(16)
|
||||
Gitlab['mattermost']['email_password_reset_salt'] ||= generate_hex(16)
|
||||
Gitlab['mattermost']['sql_at_rest_encrypt_key'] ||= generate_hex(16)
|
||||
Gitlab['mattermost']['email_invite_salt'] ||= SecretsHelper.generate_hex(16)
|
||||
Gitlab['mattermost']['file_public_link_salt'] ||= SecretsHelper.generate_hex(16)
|
||||
Gitlab['mattermost']['email_password_reset_salt'] ||= SecretsHelper.generate_hex(16)
|
||||
Gitlab['mattermost']['sql_at_rest_encrypt_key'] ||= SecretsHelper.generate_hex(16)
|
||||
|
||||
SecretsHelper.write_to_gitlab_secrets
|
||||
end
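Review bot: The new `jws_private_key` line only fills the value when it is absent, so a key supplied through gitlab.rb or an existing gitlab-secrets.json is accepted without any check that it parses as a private RSA key, and a malformed or public-only PEM is written straight into secrets.yml to fail later when Rails boots. Failing at reconfigure is cheaper to diagnose: after the `||=` add `raise "gitlab_rails['jws_private_key'] must be a PEM-encoded RSA private key" unless OpenSSL::PKey::RSA.new(Gitlab['gitlab_rails']['jws_private_key']).private?` (an unparseable value raises OpenSSL::PKey::RSAError, which is an equally clear reconfigure failure; make sure `openssl` is required in this file if it is not already). `generate_rsa(4096).to_pem` emits an unencrypted PKCS#1 PEM, which is acceptable because the file it lands in is itself the secret store, but that is worth stating in a comment next to the line, e.g. `# unencrypted PEM; gitlab-secrets.json is the protected store`. The enclosing `generate_secrets` method starts before this hunk.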
|
||||
|
|
|
@ -19,6 +19,7 @@
|
|||
require 'mixlib/shellout'
|
||||
require 'uri'
|
||||
require 'digest'
|
||||
require 'openssl'
|
||||
|
||||
module ShellOutHelper
|
||||
|
||||
|
@ -162,6 +163,13 @@ class MattermostHelper
|
|||
end
|
||||
|
||||
class SecretsHelper
|
||||
def self.generate_hex(chars)
|
||||
SecureRandom.hex(chars)
|
||||
end
|
||||
|
||||
def self.generate_rsa(bits)
|
||||
OpenSSL::PKey::RSA.new(bits)
|
||||
end
|
||||
|
||||
def self.read_gitlab_secrets
|
||||
existing_secrets ||= Hash.new
|
||||
|
@ -193,7 +201,8 @@ class SecretsHelper
|
|||
'gitlab_rails' => {
|
||||
'secret_key_base' => Gitlab['gitlab_rails']['secret_key_base'],
|
||||
'db_key_base' => Gitlab['gitlab_rails']['db_key_base'],
|
||||
'otp_key_base' => Gitlab['gitlab_rails']['otp_key_base']
|
||||
'otp_key_base' => Gitlab['gitlab_rails']['otp_key_base'],
|
||||
'jws_private_key' => Gitlab['gitlab_rails']['jws_private_key']
|
||||
},
|
||||
'registry' => {
|
||||
'http_secret' => Gitlab['registry']['http_secret'],
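Review bot: `SecretsHelper.generate_rsa(bits)`, added in the earlier hunk of this file, is now the single place RSA keys are minted for both the OpenID Connect signing key and the registry certificate, yet it forwards any `bits` value straight to `OpenSSL::PKey::RSA.new`, so a future caller passing 1024 or a typo would silently produce a weak key. Add a floor and a doc comment: `# Generates a fresh RSA private key (default public exponent); callers currently request 4096 bits.` followed by `raise ArgumentError, "RSA key size must be at least 2048 bits, got #{bits}" if bits < 2048`. The `write_to_gitlab_secrets` method whose hash literal is visible in the last hunk starts and ends outside the hunk, so I cannot see how gitlab-secrets.json's permissions are set; the PEM written there needs the same protection as `db_key_base`.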
|
||||
|
|
|
@ -82,7 +82,7 @@ module Registry
|
|||
end
|
||||
|
||||
def generate_registry_keypair
|
||||
key = OpenSSL::PKey::RSA.new(4096)
|
||||
key = SecretsHelper.generate_rsa(4096)
|
||||
subject = "/C=USA/O=GitLab/OU=Container/CN=Registry"
|
||||
|
||||
cert = OpenSSL::X509::Certificate.new
|
||||
|
|
|
@ -164,7 +164,12 @@ templatesymlink "Create a secrets.yml and create a symlink to Rails root" do
|
|||
owner "root"
|
||||
group "root"
|
||||
mode "0644"
|
||||
variables(node['gitlab']['gitlab-rails'].to_hash)
|
||||
variables('secrets' => { 'production' => {
|
||||
'db_key_base' => node['gitlab']['gitlab-rails']['db_key_base'],
|
||||
'secret_key_base' => node['gitlab']['gitlab-rails']['secret_key_base'],
|
||||
'otp_key_base' => node['gitlab']['gitlab-rails']['otp_key_base'],
|
||||
'jws_private_key' => node['gitlab']['gitlab-rails']['jws_private_key']
|
||||
}})
|
||||
restarts dependent_services
|
||||
end
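Review bot: The resource keeps `owner "root"`, `group "root"`, `mode "0644"` from before this change, and the new `jws_private_key` entry puts a 4096-bit RSA private key — the key that will sign OpenID Connect ID tokens — into a file every local user can read. The values already there were sensitive, but a long-lived signing key is worth tightening: give the file the GitLab service user's group and `mode "0640"` so the Rails process can still read it while other local accounts cannot, e.g. `group node['gitlab']['user']['group']` (verify that attribute name against the cookbook) and `mode "0640"`. Do not go to `0600`, since Rails presumably runs as the service user rather than root and would lose access.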
|
||||
|
||||
|
|
|
@ -2,7 +2,4 @@
|
|||
# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
|
||||
# and run `sudo gitlab-ctl reconfigure`.
|
||||
|
||||
production:
|
||||
db_key_base: <%= @db_key_base %>
|
||||
secret_key_base: <%= @secret_key_base %>
|
||||
otp_key_base: <%= @otp_key_base %>
|
||||
<%= @secrets.to_yaml %>
|
||||
|
|
|
@ -4,6 +4,9 @@ require 'base64'
|
|||
describe 'secrets' do
|
||||
let(:chef_run) { ChefSpec::SoloRunner.new(step_into: %w(templatesymlink)).converge('gitlab::default') }
|
||||
|
||||
HEX_KEY = /\h{128}/.freeze
|
||||
RSA_KEY = /\A-----BEGIN RSA PRIVATE KEY-----\n.+\n-----END RSA PRIVATE KEY-----\n\Z/m.freeze
|
||||
|
||||
def stub_gitlab_secrets_json(secrets)
|
||||
allow(File).to receive(:read).with('/etc/gitlab/gitlab-secrets.json').and_return(JSON.generate(secrets))
|
||||
end
|
||||
|
@ -44,10 +47,13 @@ describe 'secrets' do
|
|||
end
|
||||
|
||||
it 'writes new secrets to the file, with different values for each' do
|
||||
rails_keys = new_secrets['gitlab_rails'].values_at('db_key_base', 'otp_key_base', 'secret_key_base')
|
||||
rails_keys = new_secrets['gitlab_rails']
|
||||
hex_keys = rails_keys.values_at('db_key_base', 'otp_key_base', 'secret_key_base')
|
||||
rsa_keys = rails_keys.values_at('jws_private_key')
|
||||
|
||||
expect(rails_keys).to all(match(/\h{128}/))
|
||||
expect(rails_keys.uniq).to eq(rails_keys)
|
||||
expect(rails_keys.to_a.uniq).to eq(rails_keys.to_a)
|
||||
expect(hex_keys).to all(match(HEX_KEY))
|
||||
expect(rsa_keys).to all(match(RSA_KEY))
|
||||
end
|
||||
|
||||
it 'does not write legacy keys' do
|
||||
|
@ -79,7 +85,7 @@ describe 'secrets' do
|
|||
end
|
||||
|
||||
it 'falls back further to generating new secrets' do
|
||||
expect(new_secrets['gitlab_rails']['otp_key_base']).to match(/\h{128}/)
|
||||
expect(new_secrets['gitlab_rails']['otp_key_base']).to match(HEX_KEY)
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -137,7 +143,7 @@ describe 'secrets' do
|
|||
end
|
||||
|
||||
it 'falls back further to generating new secrets' do
|
||||
expect(new_secrets['gitlab_shell']['secret_token']).to match(/\h{128}/)
|
||||
expect(new_secrets['gitlab_shell']['secret_token']).to match(HEX_KEY)
|
||||
end
|
||||
end
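Review bot: In the 'writes new secrets to the file, with different values for each' example, `rails_keys` is now the whole `gitlab_rails` hash, so `expect(rails_keys.to_a.uniq).to eq(rails_keys.to_a)` compares `[key, value]` pairs, which are distinct whenever the keys are — the assertion that each secret has a different value has become vacuous. Restore it with `expect(rails_keys.values.uniq).to eq(rails_keys.values)`. Separately, `HEX_KEY = /\h{128}/` is unanchored and would accept a longer string or one with surrounding garbage; `/\A\h{128}\z/` pins the exact length. Both constants are assigned inside the `describe` block, so they are defined on `Object` and leak into every other spec file; a `let` or a module-level constant avoids that.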
|
||||
|
||||
|
|