author | Kamil Trzcinski <ayufan@ayufan.eu> | 2015-07-10 11:34:21 +0200 |
---|---|---|
committer | Kamil Trzcinski <ayufan@ayufan.eu> | 2015-07-10 11:34:21 +0200 |
commit | 0c7212394c2ba2265fe715a69c31d1b84adc7f9e (patch) | |
tree | 78f6cbd4cef4ed9de9142f2a17dc7c51b1470c62 | |
parent | 0261c8f1672d75ec5aaf3108476e655cdd93ad3b (diff) | |
download | gitlab-ci-0c7212394c2ba2265fe715a69c31d1b84adc7f9e.tar.gz |
Use config/secrets.yml to store session secret and database encryption secret
-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | .gitlab-ci.yml | 1 | ||||
-rw-r--r-- | config/initializers/secret_token.rb | 36 | ||||
-rw-r--r-- | config/secrets.yml.example | 20 | ||||
-rw-r--r-- | doc/raketasks/backup_restore.md | 9 |
5 files changed, 57 insertions, 10 deletions
@@ -9,6 +9,7 @@ config/application.yml
 config/database.yml
 config/resque.yml
 config/unicorn.rb
+config/secrets.yml
 config/initializers/smtp_settings.rb
 coverage/*
 log/*
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index db1cda4..0b7d749 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -4,6 +4,7 @@ before_script:
   - gem install bundler
   - cp config/database.yml.mysql config/database.yml
   - cp config/application.yml.example config/application.yml
+  - cp config/secrets.yml.example config/secrets.yml
   - 'sed "s/username\:.*$/username\: runner/" -i config/database.yml'
   - 'sed "s/password\:.*$/password\: ''password''/" -i config/database.yml'
   - bundle --without postgres
diff --git a/config/initializers/secret_token.rb b/config/initializers/secret_token.rb
index 4d4329c..7ebae44 100644
--- a/config/initializers/secret_token.rb
+++ b/config/initializers/secret_token.rb
@@ -2,22 +2,44 @@ require 'securerandom'
-# Your secret key for verifying the integrity of signed cookies.
-# If you change this key, all old signed cookies will become invalid!
-# Make sure the secret is at least 30 characters and all random,
-# no regular words or you'll be exposed to dictionary attacks.
+# Your secret key for verifying the integrity of signed cookies and encryption database variables.
+# If you change or lose this key, you will lose also all encrypted data!
+# Ensue that you backup the `config/secrets.yml` in some place secure.
-def find_secure_token
+def generate_new_secure_token
+  SecureRandom.hex(64)
+end
+
+def find_old_secure_token
   token_file = Rails.root.join('.secret')
   if File.exist? token_file
     # Use the existing token.
     File.read(token_file).chomp
   else
     # Generate a new token of 64 random hexadecimal characters and store it in token_file.
-    token = SecureRandom.hex(64)
+    token = generate_new_secure_token
     File.write(token_file, token)
     token
   end
 end
-GitlabCi::Application.config.secret_key_base = find_secure_token
+if GitlabCi::Application.secrets.secret_key_base.blank? || GitlabCi::Application.secrets.db_key_base.blank?
+  warn "Missing `secret_key_base` or `db_key_base` for '#{Rails.env}' environment. The secrets will be generated and stored in `config/secrets.yml`"
+
+  all_secrets = YAML.load_file('config/secrets.yml') if File.exist?('config/secrets.yml')
+  all_secrets ||= {}
+
+  # generate secrets
+  env_secrets = all_secrets[Rails.env] || {}
+  env_secrets['secret_key_base'] ||= find_old_secure_token
+  env_secrets['db_key_base'] ||= generate_new_secure_token
+  all_secrets[Rails.env] = env_secrets
+
+  # save secrets
+  File.open('config/secrets.yml', 'w') do |file|
+    file.write(YAML.dump(all_secrets))
+  end
+
+  GitlabCi::Application.secrets.secret_key_base = env_secrets['secret_key_base']
+  GitlabCi::Application.secrets.db_key_base = env_secrets['db_key_base']
+end
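Review bot: The generated secrets file is written with the process's default permissions, so under a typical umask `config/secrets.yml` ends up readable by every local user; the `File.open('config/secrets.yml', 'w')` block near the end of the hunk should pass an explicit mode, e.g. `File.open(Rails.root.join('config', 'secrets.yml'), 'w', 0600) do |file|`. That call, and the `YAML.load_file` / `File.exist?` checks above it, use a path relative to the working directory, whereas `find_old_secure_token` anchors `.secret` with `Rails.root.join`; anchoring all three on `Rails.root` keeps the read and the write pointed at the same file no matter where the process was started. Writing the whole file in place also means a crash mid-write likely leaves an empty or truncated file, and on the next boot the `blank?` check would then generate a fresh `db_key_base` and orphan the already-encrypted data; writing to a temporary file in the same directory and renaming over the target avoids that. The new header comment has a typo, `Ensue` should be `Ensure`, and `encryption database variables` reads better as `encrypting database variables`.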
diff --git a/config/secrets.yml.example b/config/secrets.yml.example
new file mode 100644
index 0000000..8173ab1
--- /dev/null
+++ b/config/secrets.yml.example
@@ -0,0 +1,20 @@
+production:
+  # secret_key_base is used to verify the integrity of signed cookies.
+  # If you change this key, all old signed cookies will become invalid!
+  # Make sure the secret is at least 30 characters and all random,
+  # no regular words or you'll be exposed to dictionary attacks.
+  # secret_key_base:
+
+  # db_key_base is used to encrypt for Variables. Ensure that you don't lose it.
+  # If you change or lose this key you will be unable to access variables stored in database.
+  # Make sure the secret is at least 30 characters and all random,
+  # no regular words or you'll be exposed to dictionary attacks.
+  # db_key_base:
+
+development:
+  secret_key_base: development
+  db_key_base: development
+
+test:
+  secret_key_base: test
+  db_key_base: test
diff --git a/doc/raketasks/backup_restore.md b/doc/raketasks/backup_restore.md
index 3da3f26..c31545c 100644
--- a/doc/raketasks/backup_restore.md
+++ b/doc/raketasks/backup_restore.md
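Review bot: The commented-out `secret_key_base:` and `db_key_base:` placeholders under `production` tell the operator what the values protect but not how to produce one, so a short hint matching what the initializer itself does would help, e.g. `# Generate a value with: ruby -rsecurerandom -e 'puts SecureRandom.hex(64)'`. The `db_key_base` comment also reads awkwardly; `# db_key_base is used to encrypt the Variables stored in the database. Ensure that you don't lose it.` says the same thing more clearly. The fixed `development` and `test` values are fine for local use, but a one-line comment above them stating that they are deliberately weak and must never be copied into a production section would prevent that mistake.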
@@ -123,11 +123,14 @@ with the name of your bucket:
 ## Storing configuration files
-Please be informed that a backup does not store your configuration files.
+Please be informed that a backup does not store your configuration and secret files.
 If you use an Omnibus package please see the [instructions in the readme to backup your configuration](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md#backup-and-restore-omnibus-gitlab-configuration).
 If you have a cookbook installation there should be a copy of your configuration in Chef.
-If you have an installation from source, please consider backing up your `application.yml` file, any SSL keys and certificates, and your [SSH host keys](https://superuser.com/questions/532040/copy-ssh-keys-from-one-server-to-another-server/532079#532079).
-
+If you have an installation from source:
+1. please backup `config/secrets.yml` file that contains key to encrypt variables in database,
+1. please consider backing up your `application.yml` file,
+1. any SSL keys and certificates,
+1. and your [SSH host keys](https://superuser.com/questions/532040/copy-ssh-keys-from-one-server-to-another-server/532079#532079).
 ## Restore a previously created backup