Allow to configure gitlab_shell_secret location

6 files changed, 12 insertions, 6 deletions

diff --git a/CHANGELOG b/CHANGELOG
index ade877feb9a..5afd70a2f49 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -67,6 +67,7 @@ v 7.11.0 (unreleased)
   - Spin spinner icon next to "Checking for CI status..." on MR page.
   - Fix reference links in dashboard activity and ATOM feeds.
   - Ensure that the first added admin performs repository imports
+  - Allow to configure location of the `.gitlab_shell_secret` file. (Jakub Jirutka)
 
 v 7.10.2
   - Fix CI links on MR page
diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
index bd2081688d1..fbc7f515f34 100644
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -245,6 +245,10 @@ production: &base
     repos_path: /home/git/repositories/
     hooks_path: /home/git/gitlab-shell/hooks/
 
+    # File that contains the secret key for verifying access for gitlab-shell.
+    # Default is '.gitlab_shell_secret' relative to Rails.root (i.e. root of the GitLab app).
+    # secret_file: /home/git/gitlab/.gitlab_shell_secret
+
     # Git over HTTP
     upload_pack: true
     receive_pack: true
diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb
index e5ac66a2323..2351ef7b0ce 100644
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -148,6 +148,7 @@ Settings.gravatar['ssl_url']    ||= 'https://secure.gravatar.com/avatar/%{hash}?
 Settings['gitlab_shell'] ||= Settingslogic.new({})
 Settings.gitlab_shell['path']         ||= Settings.gitlab['user_home'] + '/gitlab-shell/'
 Settings.gitlab_shell['hooks_path']   ||= Settings.gitlab['user_home'] + '/gitlab-shell/hooks/'
+Settings.gitlab_shell['secret_file'] ||= Rails.root.join('.gitlab_shell_secret')
 Settings.gitlab_shell['receive_pack']   = true if Settings.gitlab_shell['receive_pack'].nil?
 Settings.gitlab_shell['upload_pack']    = true if Settings.gitlab_shell['upload_pack'].nil?
 Settings.gitlab_shell['repos_path']   ||= Settings.gitlab['user_home'] + '/repositories/'
diff --git a/config/initializers/gitlab_shell_secret_token.rb b/config/initializers/gitlab_shell_secret_token.rb
index e7c9f0ba7c2..751fccead07 100644
--- a/config/initializers/gitlab_shell_secret_token.rb
+++ b/config/initializers/gitlab_shell_secret_token.rb
@@ -5,8 +5,7 @@ require 'securerandom'
 # Your secret key for verifying the gitlab_shell.
 
 
-secret_file = Rails.root.join('.gitlab_shell_secret')
-gitlab_shell_symlink = File.join(Gitlab.config.gitlab_shell.path, '.gitlab_shell_secret')
+secret_file = Gitlab.config.gitlab_shell.secret_file
 
 unless File.exist? secret_file
   # Generate a new token of 16 random hexadecimal characters and store it in secret_file.
@@ -14,6 +13,7 @@ unless File.exist? secret_file
   File.write(secret_file, token)
 end
 
-if File.exist?(Gitlab.config.gitlab_shell.path) && !File.exist?(gitlab_shell_symlink)
-  FileUtils.symlink(secret_file, gitlab_shell_symlink)
+link_path = File.join(Gitlab.config.gitlab_shell.path, '.gitlab_shell_secret')
+if File.exist?(Gitlab.config.gitlab_shell.path) && !File.exist?(link_path)
+  FileUtils.symlink(secret_file, link_path)
 end
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index 85e9081680d..1ebf9a1f022 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -243,7 +243,7 @@ module API
     end
 
     def secret_token
-      File.read(Rails.root.join('.gitlab_shell_secret')).chomp
+      File.read(Gitlab.config.gitlab_shell.secret_file).chomp
     end
 
     def handle_member_errors(errors)
diff --git a/spec/requests/api/internal_spec.rb b/spec/requests/api/internal_spec.rb
index 4c7d15d6594..8d0ae1475c2 100644
--- a/spec/requests/api/internal_spec.rb
+++ b/spec/requests/api/internal_spec.rb
@@ -5,7 +5,7 @@ describe API::API, api: true  do
   let(:user) { create(:user) }
   let(:key) { create(:key, user: user) }
   let(:project) { create(:project) }
-  let(:secret_token) { File.read Rails.root.join('.gitlab_shell_secret') }
+  let(:secret_token) { File.read Gitlab.config.gitlab_shell.secret_file }
 
   describe "GET /internal/check", no_db: true do
     it do