author | Kamil Trzciński <ayufan@ayufan.eu> | 2015-07-13 10:07:27 +0000 |
---|---|---|
committer | Kamil Trzciński <ayufan@ayufan.eu> | 2015-07-13 10:07:27 +0000 |
commit | 73e3a6ad5944a1b4ead4a6d6a5c3cee45a5449e1 (patch) | |
tree | 4ed8bcc481d08dff915cc06fee22f124177a8536 | |
parent | d841ed56d39db1b33947b9b9c0291beaa7dcdd43 (diff) | |
parent | bb1401985e55e0740ef037c5200f098de9ac8657 (diff) | |
download | gitlab-ci-73e3a6ad5944a1b4ead4a6d6a5c3cee45a5449e1.tar.gz |
Merge branch 'secrets-yaml' into 'master'
Use config/secrets.yml to store session secret and database encryption secret
I took the approach that config/secrets.yml is generated when the key is not found.
/cc @vsizov @jacobvosmaer
See merge request !195
-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | .gitlab-ci.yml | 1 | ||||
-rw-r--r-- | CHANGELOG | 1 | ||||
-rw-r--r-- | app/helpers/user_sessions_helper.rb | 2 | ||||
-rw-r--r-- | config/initializers/secret_token.rb | 36 | ||||
-rw-r--r-- | config/secrets.yml.example | 20 | ||||
-rw-r--r-- | doc/raketasks/backup_restore.md | 11 |
7 files changed, 61 insertions, 11 deletions
@@ -9,6 +9,7 @@ config/application.yml config/database.yml config/resque.yml config/unicorn.rb +config/secrets.yml config/initializers/smtp_settings.rb coverage/* log/* diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index db1cda4..0b7d749 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -4,6 +4,7 @@ before_script: - gem install bundler - cp config/database.yml.mysql config/database.yml - cp config/application.yml.example config/application.yml + - cp config/secrets.yml.example config/secrets.yml - 'sed "s/username\:.*$/username\: runner/" -i config/database.yml' - 'sed "s/password\:.*$/password\: ''password''/" -i config/database.yml' - bundle --without postgres @@ -13,6 +13,7 @@ v7.13.0 - Build traces is stored in the file instead of database - Make the builds path configurable - Disable link to runner if it's not assigned to specific project + - Store all secrets in config/secrets.yml v7.12.2 - Revert: Runner without tag should pick builds without tag only diff --git a/app/helpers/user_sessions_helper.rb b/app/helpers/user_sessions_helper.rb index df158c6..0948674 100644 --- a/app/helpers/user_sessions_helper.rb +++ b/app/helpers/user_sessions_helper.rb @@ -6,7 +6,7 @@ module UserSessionsHelper def generate_oauth_hmac(salt, return_to) return unless return_to digest = OpenSSL::Digest.new('sha256') - key = GitlabCi::Application.config.secret_key_base + salt + key = GitlabCi::Application.secrets.secret_key_base + salt OpenSSL::HMAC.hexdigest(digest, key, return_to) end diff --git a/config/initializers/secret_token.rb b/config/initializers/secret_token.rb index 4d4329c..7ebae44 100644 --- a/config/initializers/secret_token.rb +++ b/config/initializers/secret_token.rb 
@@ -2,22 +2,44 @@ require 'securerandom' -# Your secret key for verifying the integrity of signed cookies. -# If you change this key, all old signed cookies will become invalid! -# Make sure the secret is at least 30 characters and all random, -# no regular words or you'll be exposed to dictionary attacks. +# Your secret key for verifying the integrity of signed cookies and encryption database variables. +# If you change or lose this key, you will lose also all encrypted data! +# Ensue that you backup the `config/secrets.yml` in some place secure. -def find_secure_token +def generate_new_secure_token + SecureRandom.hex(64) +end + +def find_old_secure_token token_file = Rails.root.join('.secret') if File.exist? token_file # Use the existing token. File.read(token_file).chomp else # Generate a new token of 64 random hexadecimal characters and store it in token_file. - token = SecureRandom.hex(64) + token = generate_new_secure_token File.write(token_file, token) token end end -GitlabCi::Application.config.secret_key_base = find_secure_token +if GitlabCi::Application.secrets.secret_key_base.blank? || GitlabCi::Application.secrets.db_key_base.blank? + warn "Missing `secret_key_base` or `db_key_base` for '#{Rails.env}' environment. The secrets will be generated and stored in `config/secrets.yml`" + + all_secrets = YAML.load_file('config/secrets.yml') if File.exist?('config/secrets.yml') + all_secrets ||= {} + + # generate secrets + env_secrets = all_secrets[Rails.env] || {} + env_secrets['secret_key_base'] ||= find_old_secure_token + env_secrets['db_key_base'] ||= generate_new_secure_token + all_secrets[Rails.env] = env_secrets + + # save secrets + File.open('config/secrets.yml', 'w') do |file| + file.write(YAML.dump(all_secrets)) + end + + GitlabCi::Application.secrets.secret_key_base = env_secrets['secret_key_base'] + GitlabCi::Application.secrets.db_key_base = env_secrets['db_key_base'] +end 
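Review bot: The generated secrets file is written with `File.open('config/secrets.yml', 'w')`, which creates it under the process umask (commonly 0644), so `secret_key_base` and `db_key_base` can land world-readable on first boot; pass an explicit mode, `File.open('config/secrets.yml', 'w', 0600) do |file|`. The same `File.exist?`/`YAML.load_file`/`File.open` lines address the file relative to the working directory while `find_old_secure_token` uses `Rails.root.join('.secret')`; resolving the secrets path once via `Rails.root.join('config', 'secrets.yml')` keeps the initializer independent of where the process was started. On a fresh install `find_old_secure_token` still writes a new `.secret` file before its value is copied into secrets.yml, so the same key then lives in two files, and the backup documentation in this commit only names `config/secrets.yml`. The new header comment's `Ensue that you backup` should read `Ensure that you back up`.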
diff --git a/config/secrets.yml.example b/config/secrets.yml.example
new file mode 100644
index 0000000..8173ab1
--- /dev/null
+++ b/config/secrets.yml.example
@@ -0,0 +1,20 @@
+production:
+ # secret_key_base is used to verify the integrity of signed cookies.
+ # If you change this key, all old signed cookies will become invalid!
+ # Make sure the secret is at least 30 characters and all random,
+ # no regular words or you'll be exposed to dictionary attacks.
+ # secret_key_base:
+
+ # db_key_base is used to encrypt for Variables. Ensure that you don't lose it.
+ # If you change or lose this key you will be unable to access variables stored in database.
+ # Make sure the secret is at least 30 characters and all random,
+ # no regular words or you'll be exposed to dictionary attacks.
+ # db_key_base:
+
+development:
+ secret_key_base: development
+ db_key_base: development
+
+test:
+ secret_key_base: test
+ db_key_base: test
diff --git a/doc/raketasks/backup_restore.md b/doc/raketasks/backup_restore.md
index 3da3f26..accc8bf 100644
--- a/doc/raketasks/backup_restore.md
+++ b/doc/raketasks/backup_restore.md
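Review bot: The production-block comment `# db_key_base is used to encrypt for Variables. Ensure that you don't lose it.` is hard to parse; suggest `# db_key_base is used to encrypt Variables stored in the database. Ensure that you don't lose it.`. The `secret_key_base` comment only mentions signed cookies, but this same commit also uses it as the HMAC key in `app/helpers/user_sessions_helper.rb`, so the comment would be more accurate as `# secret_key_base is used to verify the integrity of signed cookies and OAuth return URLs.`. It is worth a line in the production block noting that the keys are left commented out deliberately: the initializer only generates and writes values when they are blank, so an uncommented placeholder would be accepted as the real secret.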
@@ -123,11 +123,16 @@ with the name of your bucket: ## Storing configuration files -Please be informed that a backup does not store your configuration files. +Please be informed that a backup does not store your configuration and secret files. If you use an Omnibus package please see the [instructions in the readme to backup your configuration](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md#backup-and-restore-omnibus-gitlab-configuration). If you have a cookbook installation there should be a copy of your configuration in Chef. -If you have an installation from source, please consider backing up your `application.yml` file, any SSL keys and certificates, and your [SSH host keys](https://superuser.com/questions/532040/copy-ssh-keys-from-one-server-to-another-server/532079#532079). - +If you have an installation from source: +1. please backup `config/secrets.yml` file that contains key to encrypt variables in database, +but don't store it in the same place as your database backups. +Otherwise your users secrets are exposed in case one of your backups is compromised. +1. please consider backing up your `application.yml` file, +1. any SSL keys and certificates, +1. and your [SSH host keys](https://superuser.com/questions/532040/copy-ssh-keys-from-one-server-to-another-server/532079#532079). ## Restore a previously created backup |