closed-social
/
gitea
3
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
Browse Source

Implements generator cli for secrets (#3531) 

Signed-off-by: Codruț Constantin Gușoi <codrut.gusoi@gmail.com>
for-closed-social
Codruț Constantin Gușoi 6 years ago
committed by Lauris BH
parent
e59fe7c8d9
commit
96c268c0fc
12 changed files with 215 additions and 67 deletions
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +83
    -0
      cmd/generate.go
  2. +1
    -0
      main.go
  3. +3
    -3
      models/migrations/migrations.go
  4. +2
    -2
      models/twofactor.go
  5. +2
    -1
      models/user.go
  6. +0
    -29
      modules/base/tool.go
  7. +0
    -6
      modules/base/tool_test.go
  8. +89
    -0
      modules/generate/generate.go
  9. +20
    -0
      modules/generate/generate_test.go
  10. +5
    -23
      modules/setting/setting.go
  11. +8
    -2
      routers/install.go
  12. +2
    -1
      routers/user/auth_openid.go

+ 83
- 0
cmd/generate.go View File

@ -0,0 +1,83 @@
// Copyright 2016 The Gogs Authors. All rights reserved.
// Copyright 2016 The Gitea Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
package cmd
import (
"fmt"
"code.gitea.io/gitea/modules/generate"
"github.com/urfave/cli"
)
var (
// CmdGenerate represents the available generate sub-command.
CmdGenerate = cli.Command{
Name: "generate",
Usage: "Command line interface for running generators",
Subcommands: []cli.Command{
subcmdSecret,
},
}
subcmdSecret = cli.Command{
Name: "secret",
Usage: "Generate a secret token",
Subcommands: []cli.Command{
microcmdGenerateInternalToken,
microcmdGenerateLfsJwtSecret,
microcmdGenerateSecretKey,
},
}
microcmdGenerateInternalToken = cli.Command{
Name: "INTERNAL_TOKEN",
Usage: "Generate a new INTERNAL_TOKEN",
Action: runGenerateInternalToken,
}
microcmdGenerateLfsJwtSecret = cli.Command{
Name: "LFS_JWT_SECRET",
Usage: "Generate a new LFS_JWT_SECRET",
Action: runGenerateLfsJwtSecret,
}
microcmdGenerateSecretKey = cli.Command{
Name: "SECRET_KEY",
Usage: "Generate a new SECRET_KEY",
Action: runGenerateSecretKey,
}
)
func runGenerateInternalToken(c *cli.Context) error {
internalToken, err := generate.NewInternalToken()
if err != nil {
return err
}
fmt.Printf("%s\n", internalToken)
return nil
}
func runGenerateLfsJwtSecret(c *cli.Context) error {
JWTSecretBase64, err := generate.NewLfsJwtSecret()
if err != nil {
return err
}
fmt.Printf("%s\n", JWTSecretBase64)
return nil
}
func runGenerateSecretKey(c *cli.Context) error {
secretKey, err := generate.NewSecretKey()
if err != nil {
return err
}
fmt.Printf("%s\n", secretKey)
return nil
}

+ 1
- 0
main.go View File

@ -45,6 +45,7 @@ arguments - which can alternatively be run by running the subcommand web.`
cmd.CmdDump, cmd.CmdDump,
cmd.CmdCert, cmd.CmdCert,
cmd.CmdAdmin, cmd.CmdAdmin,
cmd.CmdGenerate,
} }
app.Flags = append(app.Flags, []cli.Flag{}...) app.Flags = append(app.Flags, []cli.Flag{}...)
app.Action = cmd.CmdWeb.Action app.Action = cmd.CmdWeb.Action

+ 3
- 3
models/migrations/migrations.go View File

@ -20,7 +20,7 @@ import (
gouuid "github.com/satori/go.uuid" gouuid "github.com/satori/go.uuid"
"gopkg.in/ini.v1" "gopkg.in/ini.v1"
"code.gitea.io/gitea/modules/base"
"code.gitea.io/gitea/modules/generate"
"code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/setting"
) )
@ -539,10 +539,10 @@ func generateOrgRandsAndSalt(x *xorm.Engine) (err error) {
} }
for _, org := range orgs { for _, org := range orgs {
if org.Rands, err = base.GetRandomString(10); err != nil {
if org.Rands, err = generate.GetRandomString(10); err != nil {
return err return err
} }
if org.Salt, err = base.GetRandomString(10); err != nil {
if org.Salt, err = generate.GetRandomString(10); err != nil {
return err return err
} }
if _, err = sess.Id(org.ID).Update(org); err != nil { if _, err = sess.Id(org.ID).Update(org); err != nil {

+ 2
- 2
models/twofactor.go View File

@ -16,7 +16,7 @@ import (
"github.com/pquerna/otp/totp" "github.com/pquerna/otp/totp"
"code.gitea.io/gitea/modules/base"
"code.gitea.io/gitea/modules/generate"
"code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/util" "code.gitea.io/gitea/modules/util"
) )
@ -33,7 +33,7 @@ type TwoFactor struct {
// GenerateScratchToken recreates the scratch token the user is using. // GenerateScratchToken recreates the scratch token the user is using.
func (t *TwoFactor) GenerateScratchToken() error { func (t *TwoFactor) GenerateScratchToken() error {
token, err := base.GetRandomString(8)
token, err := generate.GetRandomString(8)
if err != nil { if err != nil {
return err return err
} }

+ 2
- 1
models/user.go View File

@ -34,6 +34,7 @@ import (
"code.gitea.io/gitea/modules/avatar" "code.gitea.io/gitea/modules/avatar"
"code.gitea.io/gitea/modules/base" "code.gitea.io/gitea/modules/base"
"code.gitea.io/gitea/modules/generate"
"code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/util" "code.gitea.io/gitea/modules/util"
@ -638,7 +639,7 @@ func IsUserExist(uid int64, name string) (bool, error) {
// GetUserSalt returns a random user salt token. // GetUserSalt returns a random user salt token.
func GetUserSalt() (string, error) { func GetUserSalt() (string, error) {
return base.GetRandomString(10)
return generate.GetRandomString(10)
} }
// NewGhostUser creates and returns a fake user for someone has deleted his/her account. // NewGhostUser creates and returns a fake user for someone has deleted his/her account.

+ 0
- 29
modules/base/tool.go View File

@ -14,7 +14,6 @@ import (
"html/template" "html/template"
"io" "io"
"math" "math"
"math/big"
"net/http" "net/http"
"net/url" "net/url"
"path" "path"
@ -88,25 +87,6 @@ func BasicAuthEncode(username, password string) string {
return base64.StdEncoding.EncodeToString([]byte(username + ":" + password)) return base64.StdEncoding.EncodeToString([]byte(username + ":" + password))
} }
// GetRandomString generate random string by specify chars.
func GetRandomString(n int) (string, error) {
const alphanum = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
buffer := make([]byte, n)
max := big.NewInt(int64(len(alphanum)))
for i := 0; i < n; i++ {
index, err := randomInt(max)
if err != nil {
return "", err
}
buffer[i] = alphanum[index]
}
return string(buffer), nil
}
// GetRandomBytesAsBase64 generates a random base64 string from n bytes // GetRandomBytesAsBase64 generates a random base64 string from n bytes
func GetRandomBytesAsBase64(n int) string { func GetRandomBytesAsBase64(n int) string {
bytes := make([]byte, 32) bytes := make([]byte, 32)
@ -119,15 +99,6 @@ func GetRandomBytesAsBase64(n int) string {
return base64.RawURLEncoding.EncodeToString(bytes) return base64.RawURLEncoding.EncodeToString(bytes)
} }
func randomInt(max *big.Int) (int, error) {
rand, err := rand.Int(rand.Reader, max)
if err != nil {
return 0, err
}
return int(rand.Int64()), nil
}
// VerifyTimeLimitCode verify time limit code // VerifyTimeLimitCode verify time limit code
func VerifyTimeLimitCode(data string, minutes int, code string) bool { func VerifyTimeLimitCode(data string, minutes int, code string) bool {
if len(code) <= 18 { if len(code) <= 18 {

+ 0
- 6
modules/base/tool_test.go View File

@ -107,12 +107,6 @@ func TestBasicAuthEncode(t *testing.T) {
assert.Equal(t, "Zm9vOmJhcg==", BasicAuthEncode("foo", "bar")) assert.Equal(t, "Zm9vOmJhcg==", BasicAuthEncode("foo", "bar"))
} }
func TestGetRandomString(t *testing.T) {
randomString, err := GetRandomString(4)
assert.NoError(t, err)
assert.Len(t, randomString, 4)
}
// TODO: Test PBKDF2() // TODO: Test PBKDF2()
// TODO: Test VerifyTimeLimitCode() // TODO: Test VerifyTimeLimitCode()
// TODO: Test CreateTimeLimitCode() // TODO: Test CreateTimeLimitCode()

+ 89
- 0
modules/generate/generate.go View File

@ -0,0 +1,89 @@
// Copyright 2016 The Gogs Authors. All rights reserved.
// Copyright 2016 The Gitea Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
package generate
import (
"crypto/rand"
"encoding/base64"
"io"
"math/big"
"time"
"github.com/dgrijalva/jwt-go"
)
// GetRandomString generate random string by specify chars.
func GetRandomString(n int) (string, error) {
const alphanum = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
buffer := make([]byte, n)
max := big.NewInt(int64(len(alphanum)))
for i := 0; i < n; i++ {
index, err := randomInt(max)
if err != nil {
return "", err
}
buffer[i] = alphanum[index]
}
return string(buffer), nil
}
// NewInternalToken generate a new value intended to be used by INTERNAL_TOKEN.
func NewInternalToken() (string, error) {
secretBytes := make([]byte, 32)
_, err := io.ReadFull(rand.Reader, secretBytes)
if err != nil {
return "", err
}
secretKey := base64.RawURLEncoding.EncodeToString(secretBytes)
now := time.Now()
var internalToken string
internalToken, err = jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
"nbf": now.Unix(),
}).SignedString([]byte(secretKey))
if err != nil {
return "", err
}
return internalToken, nil
}
// NewLfsJwtSecret generate a new value intended to be used by LFS_JWT_SECRET.
func NewLfsJwtSecret() (string, error) {
JWTSecretBytes := make([]byte, 32)
_, err := io.ReadFull(rand.Reader, JWTSecretBytes)
if err != nil {
return "", err
}
JWTSecretBase64 := base64.RawURLEncoding.EncodeToString(JWTSecretBytes)
return JWTSecretBase64, nil
}
// NewSecretKey generate a new value intended to be used by SECRET_KEY.
func NewSecretKey() (string, error) {
secretKey, err := GetRandomString(64)
if err != nil {
return "", err
}
return secretKey, nil
}
func randomInt(max *big.Int) (int, error) {
rand, err := rand.Int(rand.Reader, max)
if err != nil {
return 0, err
}
return int(rand.Int64()), nil
}

+ 20
- 0
modules/generate/generate_test.go View File

@ -0,0 +1,20 @@
package generate
import (
"os"
"testing"
"github.com/stretchr/testify/assert"
)
func TestMain(m *testing.M) {
retVal := m.Run()
os.Exit(retVal)
}
func TestGetRandomString(t *testing.T) {
randomString, err := GetRandomString(4)
assert.NoError(t, err)
assert.Len(t, randomString, 4)
}

+ 5
- 23
modules/setting/setting.go View File

@ -6,10 +6,8 @@
package setting package setting
import ( import (
"crypto/rand"
"encoding/base64" "encoding/base64"
"fmt" "fmt"
"io"
"net" "net"
"net/mail" "net/mail"
"net/url" "net/url"
@ -24,12 +22,12 @@ import (
"time" "time"
"code.gitea.io/git" "code.gitea.io/git"
"code.gitea.io/gitea/modules/generate"
"code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/log"
_ "code.gitea.io/gitea/modules/minwinsvc" // import minwinsvc for windows services _ "code.gitea.io/gitea/modules/minwinsvc" // import minwinsvc for windows services
"code.gitea.io/gitea/modules/user" "code.gitea.io/gitea/modules/user"
"github.com/Unknwon/com" "github.com/Unknwon/com"
"github.com/dgrijalva/jwt-go"
_ "github.com/go-macaron/cache/memcache" // memcache plugin for cache _ "github.com/go-macaron/cache/memcache" // memcache plugin for cache
_ "github.com/go-macaron/cache/redis" _ "github.com/go-macaron/cache/redis"
"github.com/go-macaron/session" "github.com/go-macaron/session"
@ -834,16 +832,12 @@ func NewContext() {
n, err := base64.RawURLEncoding.Decode(LFS.JWTSecretBytes, []byte(LFS.JWTSecretBase64)) n, err := base64.RawURLEncoding.Decode(LFS.JWTSecretBytes, []byte(LFS.JWTSecretBase64))
if err != nil || n != 32 { if err != nil || n != 32 {
//Generate new secret and save to config
_, err := io.ReadFull(rand.Reader, LFS.JWTSecretBytes)
LFS.JWTSecretBase64, err = generate.NewLfsJwtSecret()
if err != nil { if err != nil {
log.Fatal(4, "Error reading random bytes: %v", err)
log.Fatal(4, "Error generating JWT Secret for custom config: %v", err)
return
} }
LFS.JWTSecretBase64 = base64.RawURLEncoding.EncodeToString(LFS.JWTSecretBytes)
// Save secret // Save secret
cfg := ini.Empty() cfg := ini.Empty()
if com.IsFile(CustomConf) { if com.IsFile(CustomConf) {
@ -913,19 +907,7 @@ func NewContext() {
DisableGitHooks = sec.Key("DISABLE_GIT_HOOKS").MustBool(false) DisableGitHooks = sec.Key("DISABLE_GIT_HOOKS").MustBool(false)
InternalToken = sec.Key("INTERNAL_TOKEN").String() InternalToken = sec.Key("INTERNAL_TOKEN").String()
if len(InternalToken) == 0 { if len(InternalToken) == 0 {
secretBytes := make([]byte, 32)
_, err := io.ReadFull(rand.Reader, secretBytes)
if err != nil {
log.Fatal(4, "Error reading random bytes: %v", err)
}
secretKey := base64.RawURLEncoding.EncodeToString(secretBytes)
now := time.Now()
InternalToken, err = jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
"nbf": now.Unix(),
}).SignedString([]byte(secretKey))
InternalToken, err = generate.NewInternalToken()
if err != nil { if err != nil {
log.Fatal(4, "Error generate internal token: %v", err) log.Fatal(4, "Error generate internal token: %v", err)
} }

+ 8
- 2
routers/install.go View File

@ -20,6 +20,7 @@ import (
"code.gitea.io/gitea/modules/auth" "code.gitea.io/gitea/modules/auth"
"code.gitea.io/gitea/modules/base" "code.gitea.io/gitea/modules/base"
"code.gitea.io/gitea/modules/context" "code.gitea.io/gitea/modules/context"
"code.gitea.io/gitea/modules/generate"
"code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/user" "code.gitea.io/gitea/modules/user"
@ -275,7 +276,12 @@ func InstallPost(ctx *context.Context, form auth.InstallForm) {
if form.LFSRootPath != "" { if form.LFSRootPath != "" {
cfg.Section("server").Key("LFS_START_SERVER").SetValue("true") cfg.Section("server").Key("LFS_START_SERVER").SetValue("true")
cfg.Section("server").Key("LFS_CONTENT_PATH").SetValue(form.LFSRootPath) cfg.Section("server").Key("LFS_CONTENT_PATH").SetValue(form.LFSRootPath)
cfg.Section("server").Key("LFS_JWT_SECRET").SetValue(base.GetRandomBytesAsBase64(32))
var secretKey string
if secretKey, err = generate.NewLfsJwtSecret(); err != nil {
ctx.RenderWithErr(ctx.Tr("install.lfs_jwt_secret_failed", err), tplInstall, &form)
return
}
cfg.Section("server").Key("LFS_JWT_SECRET").SetValue(secretKey)
} else { } else {
cfg.Section("server").Key("LFS_START_SERVER").SetValue("false") cfg.Section("server").Key("LFS_START_SERVER").SetValue("false")
} }
@ -315,7 +321,7 @@ func InstallPost(ctx *context.Context, form auth.InstallForm) {
cfg.Section("security").Key("INSTALL_LOCK").SetValue("true") cfg.Section("security").Key("INSTALL_LOCK").SetValue("true")
var secretKey string var secretKey string
if secretKey, err = base.GetRandomString(10); err != nil {
if secretKey, err = generate.NewSecretKey(); err != nil {
ctx.RenderWithErr(ctx.Tr("install.secret_key_failed", err), tplInstall, &form) ctx.RenderWithErr(ctx.Tr("install.secret_key_failed", err), tplInstall, &form)
return return
} }

+ 2
- 1
routers/user/auth_openid.go View File

@ -13,6 +13,7 @@ import (
"code.gitea.io/gitea/modules/auth/openid" "code.gitea.io/gitea/modules/auth/openid"
"code.gitea.io/gitea/modules/base" "code.gitea.io/gitea/modules/base"
"code.gitea.io/gitea/modules/context" "code.gitea.io/gitea/modules/context"
"code.gitea.io/gitea/modules/generate"
"code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/setting"
@ -348,7 +349,7 @@ func RegisterOpenIDPost(ctx *context.Context, cpt *captcha.Captcha, form auth.Si
if len < 256 { if len < 256 {
len = 256 len = 256
} }
password, err := base.GetRandomString(len)
password, err := generate.GetRandomString(len)
if err != nil { if err != nil {
ctx.RenderWithErr(err.Error(), tplSignUpOID, form) ctx.RenderWithErr(err.Error(), tplSignUpOID, form)
return return

Write Preview
Loading…
Cancel
Save