author    Kamil Trzciński <ayufan@ayufan.eu> 2015-07-13 10:07:27 +0000
committer Kamil Trzciński <ayufan@ayufan.eu> 2015-07-13 10:07:27 +0000
commit    73e3a6ad5944a1b4ead4a6d6a5c3cee45a5449e1 (patch)
tree      4ed8bcc481d08dff915cc06fee22f124177a8536
parent    d841ed56d39db1b33947b9b9c0291beaa7dcdd43 (diff)
parent    bb1401985e55e0740ef037c5200f098de9ac8657 (diff)
download  gitlab-ci-73e3a6ad5944a1b4ead4a6d6a5c3cee45a5449e1.tar.gz
Merge branch 'secrets-yaml' into 'master'
Use config/secrets.yml to store session secret and database encryption secret. I took the approach that config/secrets.yml is generated when the key is not found.

/cc @vsizov @jacobvosmaer

See merge request !195
-rw-r--r-- .gitignore                            1
-rw-r--r-- .gitlab-ci.yml                        1
-rw-r--r-- CHANGELOG                             1
-rw-r--r-- app/helpers/user_sessions_helper.rb   2
-rw-r--r-- config/initializers/secret_token.rb  36
-rw-r--r-- config/secrets.yml.example           20
-rw-r--r-- doc/raketasks/backup_restore.md      11
7 files changed, 61 insertions, 11 deletions
diff --git a/.gitignore b/.gitignore
index 6c806ae..346f243 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,6 +9,7 @@ config/application.yml
config/database.yml
config/resque.yml
config/unicorn.rb
+config/secrets.yml
config/initializers/smtp_settings.rb
coverage/*
log/*
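Review bot: Excluding `config/secrets.yml` from version control is the right call now that it holds both `secret_key_base` and `db_key_base`; since `find_old_secure_token` in `config/initializers/secret_token.rb` still reads and, on the fallback path, creates `.secret` under `Rails.root`, confirm that `.secret` is also listed in `.gitignore` (not visible in this hunk), otherwise a freshly generated key could still be picked up by `git add -A`.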
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index db1cda4..0b7d749 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -4,6 +4,7 @@ before_script:
- gem install bundler
- cp config/database.yml.mysql config/database.yml
- cp config/application.yml.example config/application.yml
+ - cp config/secrets.yml.example config/secrets.yml
- 'sed "s/username\:.*$/username\: runner/" -i config/database.yml'
- 'sed "s/password\:.*$/password\: ''password''/" -i config/database.yml'
- bundle --without postgres
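Review bot: Copying `config/secrets.yml.example` into place gives the CI job the literal `test` values from the example's `test:` section for both `secret_key_base` and `db_key_base`, which is acceptable for a throwaway build database but only holds while the job runs in the test environment; under `production` both keys are commented out in the example, so `secret_token.rb` would generate fresh keys and write `config/secrets.yml` during the build. Set `RAILS_ENV` explicitly in the job, or leave a comment next to the `cp` line stating that the test section is what gets used, so the behaviour is visibly intentional.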
diff --git a/CHANGELOG b/CHANGELOG
index 8cbfefe..a9946d0 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -13,6 +13,7 @@ v7.13.0
- Build traces is stored in the file instead of database
- Make the builds path configurable
- Disable link to runner if it's not assigned to specific project
+ - Store all secrets in config/secrets.yml
v7.12.2
- Revert: Runner without tag should pick builds without tag only
diff --git a/app/helpers/user_sessions_helper.rb b/app/helpers/user_sessions_helper.rb
index df158c6..0948674 100644
--- a/app/helpers/user_sessions_helper.rb
+++ b/app/helpers/user_sessions_helper.rb
@@ -6,7 +6,7 @@ module UserSessionsHelper
def generate_oauth_hmac(salt, return_to)
return unless return_to
digest = OpenSSL::Digest.new('sha256')
- key = GitlabCi::Application.config.secret_key_base + salt
+ key = GitlabCi::Application.secrets.secret_key_base + salt
OpenSSL::HMAC.hexdigest(digest, key, return_to)
end
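Review bot: The helper now reads `GitlabCi::Application.secrets.secret_key_base`, while the initializer hunk removes the old `GitlabCi::Application.config.secret_key_base = find_secure_token` assignment; grep for any other reader of `config.secret_key_base` in the code base, since it is no longer set by the application and such readers would now see nil. Note also that `secrets.secret_key_base + salt` raises `NoMethodError` on nil rather than a clear error if the secret is ever missing, so a boot-time check in the initializer that the value is present and non-empty would give a better failure mode than a crash on the first OAuth round-trip.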
diff --git a/config/initializers/secret_token.rb b/config/initializers/secret_token.rb
index 4d4329c..7ebae44 100644
--- a/config/initializers/secret_token.rb
+++ b/config/initializers/secret_token.rb
@@ -2,22 +2,44 @@
require 'securerandom'
-# Your secret key for verifying the integrity of signed cookies.
-# If you change this key, all old signed cookies will become invalid!
-# Make sure the secret is at least 30 characters and all random,
-# no regular words or you'll be exposed to dictionary attacks.
+# Your secret key for verifying the integrity of signed cookies and encryption database variables.
+# If you change or lose this key, you will lose also all encrypted data!
+# Ensue that you backup the `config/secrets.yml` in some place secure.
-def find_secure_token
+def generate_new_secure_token
+ SecureRandom.hex(64)
+end
+
+def find_old_secure_token
token_file = Rails.root.join('.secret')
if File.exist? token_file
# Use the existing token.
File.read(token_file).chomp
else
# Generate a new token of 64 random hexadecimal characters and store it in token_file.
- token = SecureRandom.hex(64)
+ token = generate_new_secure_token
File.write(token_file, token)
token
end
end
-GitlabCi::Application.config.secret_key_base = find_secure_token
+if GitlabCi::Application.secrets.secret_key_base.blank? || GitlabCi::Application.secrets.db_key_base.blank?
+ warn "Missing `secret_key_base` or `db_key_base` for '#{Rails.env}' environment. The secrets will be generated and stored in `config/secrets.yml`"
+
+ all_secrets = YAML.load_file('config/secrets.yml') if File.exist?('config/secrets.yml')
+ all_secrets ||= {}
+
+ # generate secrets
+ env_secrets = all_secrets[Rails.env] || {}
+ env_secrets['secret_key_base'] ||= find_old_secure_token
+ env_secrets['db_key_base'] ||= generate_new_secure_token
+ all_secrets[Rails.env] = env_secrets
+
+ # save secrets
+ File.open('config/secrets.yml', 'w') do |file|
+ file.write(YAML.dump(all_secrets))
+ end
+
+ GitlabCi::Application.secrets.secret_key_base = env_secrets['secret_key_base']
+ GitlabCi::Application.secrets.db_key_base = env_secrets['db_key_base']
+end
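Review bot: In the new `if ... blank?` block, `File.open('config/secrets.yml', 'w')` creates the file with the process umask, so with a typical 022 umask the freshly generated `secret_key_base` and `db_key_base` end up world-readable; pass an explicit mode, e.g. `File.open(path, 'w', 0600)`, and preferably write to a temporary file and rename it, so that a crash mid-write or two application processes booting at the same time cannot leave a truncated file or persist two different `db_key_base` values. The path is also relative (`'config/secrets.yml'`) while `find_old_secure_token` uses `Rails.root.join('.secret')`; use `Rails.root.join('config', 'secrets.yml')` so the file read and written is the same one Rails loaded `secrets` from, regardless of the working directory. Since `Application.secrets` implies Rails 4.1+, which evaluates `secrets.yml` through ERB, a file whose keys are `<%= ENV[...] %>` references with the variables unset would reach this block and be overwritten by `YAML.dump` with literal values, silently discarding the template; consider refusing to rewrite a file that already exists and only warning instead. Minor: the new comment has typos, `Ensue` → `Ensure`, `encryption database variables` → `encryption of database variables`, and `you will lose also` → `you will also lose`.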
diff --git a/config/secrets.yml.example b/config/secrets.yml.example
new file mode 100644
index 0000000..8173ab1
--- /dev/null
+++ b/config/secrets.yml.example
@@ -0,0 +1,20 @@
+production:
+ # secret_key_base is used to verify the integrity of signed cookies.
+ # If you change this key, all old signed cookies will become invalid!
+ # Make sure the secret is at least 30 characters and all random,
+ # no regular words or you'll be exposed to dictionary attacks.
+ # secret_key_base:
+
+ # db_key_base is used to encrypt for Variables. Ensure that you don't lose it.
+ # If you change or lose this key you will be unable to access variables stored in database.
+ # Make sure the secret is at least 30 characters and all random,
+ # no regular words or you'll be exposed to dictionary attacks.
+ # db_key_base:
+
+development:
+ secret_key_base: development
+ db_key_base: development
+
+test:
+ secret_key_base: test
+ db_key_base: test
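Review bot: The `development:` and `test:` sections hard-code `secret_key_base: development`, `db_key_base: development` and the `test` equivalents, contradicting the comment a few lines above that the secret must be at least 30 random characters; since the initializer in this merge generates keys whenever they are blank, these could be left unset as well so every checkout gets a unique key and nothing encrypted in a developer database is readable with a value committed to a public repository, or the section should carry a comment that these values are for non-production use only. Grammar in the added comments: `db_key_base is used to encrypt for Variables` → `db_key_base is used to encrypt Variables`. Because `Application.secrets` implies Rails 4.1+, which evaluates this file through ERB, it would also help operators to show the `secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>` form in the production section as a way to keep the production keys out of the file entirely.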
diff --git a/doc/raketasks/backup_restore.md b/doc/raketasks/backup_restore.md
index 3da3f26..accc8bf 100644
--- a/doc/raketasks/backup_restore.md
+++ b/doc/raketasks/backup_restore.md
@@ -123,11 +123,16 @@ with the name of your bucket:
## Storing configuration files
-Please be informed that a backup does not store your configuration files.
+Please be informed that a backup does not store your configuration and secret files.
If you use an Omnibus package please see the [instructions in the readme to backup your configuration](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md#backup-and-restore-omnibus-gitlab-configuration).
If you have a cookbook installation there should be a copy of your configuration in Chef.
-If you have an installation from source, please consider backing up your `application.yml` file, any SSL keys and certificates, and your [SSH host keys](https://superuser.com/questions/532040/copy-ssh-keys-from-one-server-to-another-server/532079#532079).
-
+If you have an installation from source:
+1. please backup `config/secrets.yml` file that contains key to encrypt variables in database,
+but don't store it in the same place as your database backups.
+Otherwise your users secrets are exposed in case one of your backups is compromised.
+1. please consider backing up your `application.yml` file,
+1. any SSL keys and certificates,
+1. and your [SSH host keys](https://superuser.com/questions/532040/copy-ssh-keys-from-one-server-to-another-server/532079#532079).
## Restore a previously created backup
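Review bot: The added list has wording and grammar issues: `please backup` (verb) → `please back up`, `that contains key` → `that contains the key`, `your users secrets` → `your users' secrets`, and the four items inconsistently begin with `please ...`, `please consider ...`, `any ...` and `and your ...`; a cleaner first item would read `1. Back up the config/secrets.yml file, which contains the key used to encrypt variables in the database, but do not store it alongside your database backups; otherwise your users' secrets are exposed if one of those backups is compromised.` Removing the blank line before `## Restore a previously created backup` also leaves the heading glued to the list; keep a blank line there. The core advice (keep the key separate from the database dumps) is the most valuable point in this hunk and could add that `secret_token.rb` now folds the legacy `.secret` token into `secrets.yml` as `secret_key_base`, so backing up `secrets.yml` supersedes backing up `.secret`.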