author | Vladimir Shushlin <v.shushlin@gmail.com> | 2019-05-16 22:17:09 +0300 |
---|---|---|
committer | Vladimir Shushlin <v.shushlin@gmail.com> | 2019-05-16 22:17:09 +0300 |
commit | 06577af638d0a310cb976ea6ce893edde36747d0 (patch) | |
tree | 51ca4ad3aff093f2388b1096494206982ee04b3b | |
parent | 863ef93261daa970558a302ba05724df5739b090 (diff) | |
Generate Let's Encrypt private key
acme-private-key-application-settings
-rw-r--r-- | app/models/application_setting.rb | 6 | ||||
-rw-r--r-- | lib/gitlab/lets_encrypt/client.rb | 13 | ||||
-rw-r--r-- | spec/lib/gitlab/lets_encrypt/client_spec.rb | 27 | ||||
-rw-r--r-- | spec/support/matchers/eq_pem.rb | 9 |
4 files changed, 54 insertions, 1 deletions
diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb
index fb1e558e46c..bbe2d2e8fd4 100644
--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@@ -257,6 +257,12 @@ class ApplicationSetting < ApplicationRecord
 algorithm: 'aes-256-gcm',
 encode: true
+ attr_encrypted :lets_encrypt_private_key,
+ mode: :per_attribute_iv,
+ key: Settings.attr_encrypted_db_key_base_truncated,
+ algorithm: 'aes-256-gcm',
+ encode: true
+
 before_validation :ensure_uuid!
 before_validation :strip_sentry_values
diff --git a/lib/gitlab/lets_encrypt/client.rb b/lib/gitlab/lets_encrypt/client.rb
index d7468b06767..33119452318 100644
--- a/lib/gitlab/lets_encrypt/client.rb
+++ b/lib/gitlab/lets_encrypt/client.rb
@@ -45,7 +45,7 @@ module Gitlab
 end
 def private_key
- @private_key ||= OpenSSL::PKey.read(Gitlab::Application.secrets.lets_encrypt_private_key)
+ @private_key ||= OpenSSL::PKey.read(Gitlab::CurrentSettings.lets_encrypt_private_key || generate_private_key)
 end
 def admin_email
@@ -69,6 +69,17 @@ module Gitlab
 STAGING_DIRECTORY_URL
 end
 end
+
+ def generate_private_key
+ application_settings = Gitlab::CurrentSettings.current_application_settings
+ application_settings.with_lock do
+ unless application_settings.lets_encrypt_private_key
+ application_settings.update(lets_encrypt_private_key: OpenSSL::PKey::RSA.new(4096).to_pem)
+ end
+
+ application_settings.lets_encrypt_private_key
+ end
+ end
 end
 end
 end
diff --git a/spec/lib/gitlab/lets_encrypt/client_spec.rb b/spec/lib/gitlab/lets_encrypt/client_spec.rb
index 16a16acfd25..5b9e4e0b6ab 100644
--- a/spec/lib/gitlab/lets_encrypt/client_spec.rb
+++ b/spec/lib/gitlab/lets_encrypt/client_spec.rb
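Review bot: `application_settings.update(lets_encrypt_private_key: ...)` in generate_private_key returns false instead of raising when the ApplicationSetting record fails validation, and the block then returns the assigned but unsaved `lets_encrypt_private_key`, so this process would go on to register an ACME account with a key that was never persisted while the next process generates a different one; `application_settings.update!(lets_encrypt_private_key: candidate_pem)` makes that failure visible. The 4096-bit RSA generation also runs inside `with_lock`, so every concurrent caller waits in the row-lock transaction for a CPU-heavy step that can take seconds; moving `candidate_pem = OpenSSL::PKey::RSA.new(4096).to_pem` above `with_lock` and discarding it when a key is already stored keeps the critical section short, at the cost of one wasted generation in that race. The `private_key` hunk reads `Gitlab::CurrentSettings.lets_encrypt_private_key`, which looks like it may be a cached settings object; if so, the re-check under the lock is what makes the first-writer-wins logic correct and deserves a comment above `def generate_private_key`.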
@@ -26,6 +26,33 @@ describe ::Gitlab::LetsEncrypt::Client do
 )
 end
+ it 'generates and stores private key and initialize acme client with it' do
+ expect(Gitlab::CurrentSettings.lets_encrypt_private_key).to eq(nil)
+
+ subject
+
+ saved_private_key = Gitlab::CurrentSettings.lets_encrypt_private_key
+
+ expect(saved_private_key).to be
+ expect(Acme::Client).to have_received(:new).with(
+ hash_including(private_key: eq_pem(saved_private_key))
+ )
+ end
+
+ context 'when private key is saved in settings' do
+ let!(:saved_private_key) do
+ key = OpenSSL::PKey::RSA.new(4096)
+ Gitlab::CurrentSettings.current_application_settings.update(lets_encrypt_private_key: key.to_pem)
+ key
+ end
+
+ it 'uses current value of private key' do
+ subject
+
+ expect(Gitlab::CurrentSettings.lets_encrypt_private_key).to eq(saved_private_key.to_pem)
+ end
+ end
+
 context 'when acme integration is disabled' do
 before do
 stub_application_setting(lets_encrypt_terms_of_service_accepted: false)
diff --git a/spec/support/matchers/eq_pem.rb b/spec/support/matchers/eq_pem.rb
new file mode 100644
index 00000000000..69ea6eb4df8
--- /dev/null
+++ b/spec/support/matchers/eq_pem.rb
@@ -0,0 +1,9 @@
+RSpec::Matchers.define :eq_pem do |expected_pem_string|
+ match do |actual|
+ actual.to_pem == expected_pem_string
+ end
+
+ description do
+ "contain pem #{expected_pem_string}"
+ end
+end |
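Review bot: `expect(saved_private_key).to be` in the new 'generates and stores private key' example passes for any truthy value, so a stored string that is not a parseable PEM would still satisfy it; `expect { OpenSSL::PKey.read(saved_private_key) }.not_to raise_error` (or at least `be_present`) would pin what `private_key` actually relies on. On the first line of that example `eq(nil)` reads more naturally as `be_nil`. The `let!` in 'when private key is saved in settings' generates a real 4096-bit RSA key for every example, which is slow in CI, and nothing in the hunk depends on the key size, so `OpenSSL::PKey::RSA.new(2048)` would do. The describe block continues outside the hunk.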
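Review bot: `actual.to_pem` in the eq_pem matcher raises NoMethodError when the received value is not a key object (a String or nil, for example), which surfaces as an error in the example rather than as a readable matcher failure; `match { |actual| actual.respond_to?(:to_pem) && actual.to_pem == expected_pem_string }` fails cleanly instead. The new file also has no `# frozen_string_literal: true` magic comment, which is worth adding if the project's RuboCop configuration enforces it.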