summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorVladimir Shushlin <vshushlin@gitlab.com>2019-05-28 04:47:34 +0000
committerStan Hu <stanhu@gmail.com>2019-05-28 04:47:34 +0000
commit4687ff7c9be789341e82a6440234fce43f30b5be (patch)
tree59b72fafa974c92af04590e7fc3b64c6536aef70
parentaf43970834b911242eecf9b7c815faf0f6b50048 (diff)
downloadgitlab-ce-4687ff7c9be789341e82a6440234fce43f30b5be.tar.gz
Store Let's Encrypt private key in settings
Storing this key in secrets.yml was a bad idea, it would require users using HA setups to manually replicate secrets across nodes during update, it also needed support from omnibus package * Revert "Generate Let's Encrypt private key" This reverts commit 444959bfa0b79e827a2a1a7a314acac19390f976. * Add Let's Encrypt private key to settings as encrypted attribute * Generate Let's Encrypt private key in database migration
-rw-r--r--app/models/application_setting.rb6
-rw-r--r--config/initializers/01_secret_token.rb7
-rw-r--r--db/migrate/20190516151857_add_lets_encrypt_private_key_to_application_settings.rb16
-rw-r--r--db/migrate/20190524062810_generate_lets_encrypt_private_key.rb33
-rw-r--r--db/schema.rb4
-rw-r--r--lib/gitlab/lets_encrypt/client.rb2
-rw-r--r--spec/initializers/secret_token_spec.rb11
-rw-r--r--spec/lib/gitlab/lets_encrypt/client_spec.rb4
-rw-r--r--spec/migrations/generate_lets_encrypt_private_key_spec.rb20
9 files changed, 83 insertions, 20 deletions
diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb
index fb1e558e46c..bbe2d2e8fd4 100644
--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@@ -257,6 +257,12 @@ class ApplicationSetting < ApplicationRecord
algorithm: 'aes-256-gcm',
encode: true
+ attr_encrypted :lets_encrypt_private_key,
+ mode: :per_attribute_iv,
+ key: Settings.attr_encrypted_db_key_base_truncated,
+ algorithm: 'aes-256-gcm',
+ encode: true
+
before_validation :ensure_uuid!
before_validation :strip_sentry_values
diff --git a/config/initializers/01_secret_token.rb b/config/initializers/01_secret_token.rb
index e24b5cbd510..9225a99a584 100644
--- a/config/initializers/01_secret_token.rb
+++ b/config/initializers/01_secret_token.rb
@@ -39,8 +39,7 @@ def create_tokens
secret_key_base: file_secret_key || generate_new_secure_token,
otp_key_base: env_secret_key || file_secret_key || generate_new_secure_token,
db_key_base: generate_new_secure_token,
- openid_connect_signing_key: generate_new_rsa_private_key,
- lets_encrypt_private_key: generate_lets_encrypt_private_key
+ openid_connect_signing_key: generate_new_rsa_private_key
}
missing_secrets = set_missing_keys(defaults)
@@ -61,10 +60,6 @@ def generate_new_rsa_private_key
OpenSSL::PKey::RSA.new(2048).to_pem
end
-def generate_lets_encrypt_private_key
- OpenSSL::PKey::RSA.new(4096).to_pem
-end
-
def warn_missing_secret(secret)
warn "Missing Rails.application.secrets.#{secret} for #{Rails.env} environment. The secret will be generated and stored in config/secrets.yml."
end
diff --git a/db/migrate/20190516151857_add_lets_encrypt_private_key_to_application_settings.rb b/db/migrate/20190516151857_add_lets_encrypt_private_key_to_application_settings.rb
new file mode 100644
index 00000000000..e1d3cca48d6
--- /dev/null
+++ b/db/migrate/20190516151857_add_lets_encrypt_private_key_to_application_settings.rb
@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+# See http://doc.gitlab.com/ce/development/migration_style_guide.html
+# for more information on how to write migrations for GitLab.
+
+class AddLetsEncryptPrivateKeyToApplicationSettings < ActiveRecord::Migration[5.1]
+ include Gitlab::Database::MigrationHelpers
+
+ # Set this constant to true if this migration requires downtime.
+ DOWNTIME = false
+
+ def change
+ add_column :application_settings, :encrypted_lets_encrypt_private_key, :text
+ add_column :application_settings, :encrypted_lets_encrypt_private_key_iv, :text
+ end
+end
diff --git a/db/migrate/20190524062810_generate_lets_encrypt_private_key.rb b/db/migrate/20190524062810_generate_lets_encrypt_private_key.rb
new file mode 100644
index 00000000000..21d7049b998
--- /dev/null
+++ b/db/migrate/20190524062810_generate_lets_encrypt_private_key.rb
@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+# See http://doc.gitlab.com/ce/development/migration_style_guide.html
+# for more information on how to write migrations for GitLab.
+
+class GenerateLetsEncryptPrivateKey < ActiveRecord::Migration[5.1]
+ include Gitlab::Database::MigrationHelpers
+
+ # Set this constant to true if this migration requires downtime.
+ DOWNTIME = false
+
+ class ApplicationSetting < ActiveRecord::Base
+ self.table_name = 'application_settings'
+
+ attr_encrypted :lets_encrypt_private_key,
+ mode: :per_attribute_iv,
+ key: Settings.attr_encrypted_db_key_base_truncated,
+ algorithm: 'aes-256-gcm',
+ encode: true
+ end
+
+ def up
+ ApplicationSetting.reset_column_information
+
+ private_key = OpenSSL::PKey::RSA.new(4096).to_pem
+ ApplicationSetting.find_each do |setting|
+ setting.update!(lets_encrypt_private_key: private_key)
+ end
+ end
+
+ def down
+ end
+end
diff --git a/db/schema.rb b/db/schema.rb
index 412b5313b69..bb59af540fe 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,7 +10,7 @@
#
# It's strongly recommended that you check this file into your version control system.
-ActiveRecord::Schema.define(version: 20190516011213) do
+ActiveRecord::Schema.define(version: 20190524062810) do
# These are extensions that must be enabled in order to support this database
enable_extension "plpgsql"
@@ -191,6 +191,8 @@ ActiveRecord::Schema.define(version: 20190516011213) do
t.boolean "lets_encrypt_terms_of_service_accepted", default: false, null: false
t.integer "elasticsearch_shards", default: 5, null: false
t.integer "elasticsearch_replicas", default: 1, null: false
+ t.text "encrypted_lets_encrypt_private_key"
+ t.text "encrypted_lets_encrypt_private_key_iv"
t.index ["usage_stats_set_by_user_id"], name: "index_application_settings_on_usage_stats_set_by_user_id", using: :btree
end
diff --git a/lib/gitlab/lets_encrypt/client.rb b/lib/gitlab/lets_encrypt/client.rb
index d7468b06767..5501f7981ec 100644
--- a/lib/gitlab/lets_encrypt/client.rb
+++ b/lib/gitlab/lets_encrypt/client.rb
@@ -45,7 +45,7 @@ module Gitlab
end
def private_key
- @private_key ||= OpenSSL::PKey.read(Gitlab::Application.secrets.lets_encrypt_private_key)
+ @private_key ||= OpenSSL::PKey.read(Gitlab::CurrentSettings.lets_encrypt_private_key)
end
def admin_email
diff --git a/spec/initializers/secret_token_spec.rb b/spec/initializers/secret_token_spec.rb
index 77bc28a6b07..726ce07a2d1 100644
--- a/spec/initializers/secret_token_spec.rb
+++ b/spec/initializers/secret_token_spec.rb
@@ -45,21 +45,11 @@ describe 'create_tokens' do
expect(keys).to all(match(RSA_KEY))
end
- it "generates private key for Let's Encrypt" do
- create_tokens
-
- keys = secrets.values_at(:lets_encrypt_private_key)
-
- expect(keys.uniq).to eq(keys)
- expect(keys).to all(match(RSA_KEY))
- end
-
it 'warns about the secrets to add to secrets.yml' do
expect(self).to receive(:warn_missing_secret).with('secret_key_base')
expect(self).to receive(:warn_missing_secret).with('otp_key_base')
expect(self).to receive(:warn_missing_secret).with('db_key_base')
expect(self).to receive(:warn_missing_secret).with('openid_connect_signing_key')
- expect(self).to receive(:warn_missing_secret).with('lets_encrypt_private_key')
create_tokens
end
@@ -88,7 +78,6 @@ describe 'create_tokens' do
before do
secrets.db_key_base = 'db_key_base'
secrets.openid_connect_signing_key = 'openid_connect_signing_key'
- secrets.lets_encrypt_private_key = 'lets_encrypt_private_key'
allow(File).to receive(:exist?).with('.secret').and_return(true)
allow(File).to receive(:read).with('.secret').and_return('file_key')
diff --git a/spec/lib/gitlab/lets_encrypt/client_spec.rb b/spec/lib/gitlab/lets_encrypt/client_spec.rb
index 16a16acfd25..d63a2fbee04 100644
--- a/spec/lib/gitlab/lets_encrypt/client_spec.rb
+++ b/spec/lib/gitlab/lets_encrypt/client_spec.rb
@@ -5,12 +5,14 @@ require 'spec_helper'
describe ::Gitlab::LetsEncrypt::Client do
include LetsEncryptHelpers
+ set(:private_key) { OpenSSL::PKey::RSA.new(4096).to_pem }
let(:client) { described_class.new }
before do
stub_application_setting(
lets_encrypt_notification_email: 'myemail@test.example.com',
- lets_encrypt_terms_of_service_accepted: true
+ lets_encrypt_terms_of_service_accepted: true,
+ lets_encrypt_private_key: private_key
)
end
diff --git a/spec/migrations/generate_lets_encrypt_private_key_spec.rb b/spec/migrations/generate_lets_encrypt_private_key_spec.rb
new file mode 100644
index 00000000000..f47cc0c36ef
--- /dev/null
+++ b/spec/migrations/generate_lets_encrypt_private_key_spec.rb
@@ -0,0 +1,20 @@
+require 'spec_helper'
+require Rails.root.join('db', 'migrate', '20190524062810_generate_lets_encrypt_private_key.rb')
+
+describe GenerateLetsEncryptPrivateKey, :migration do
+ describe '#up' do
+ let(:applications_settings) { table(:applications_settings) }
+
+ it 'generates RSA private key and saves it in application settings' do
+ application_setting = described_class::ApplicationSetting.create!
+
+ described_class.new.up
+ application_setting.reload
+
+ expect(application_setting.lets_encrypt_private_key).to be_present
+ expect do
+ OpenSSL::PKey::RSA.new(application_setting.lets_encrypt_private_key)
+ end.not_to raise_error
+ end
+ end
+end