From 96c268c0fcc22604103f67821d66fef39944e80b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Codru=C8=9B=20Constantin=20Gu=C8=99oi?=
<codrut.gusoi@gmail.com>
Date: Sun, 18 Feb 2018 18:14:37 +0000
Subject: [PATCH] Implements generator cli for secrets (#3531)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Codruț Constantin Gușoi <codrut.gusoi@gmail.com>
---
cmd/generate.go | 83 ++++++++++++++++++++++++++++
main.go | 1 +
models/migrations/migrations.go | 6 +--
models/twofactor.go | 4 +-
models/user.go | 3 +-
modules/base/tool.go | 29 ----------
modules/base/tool_test.go | 6 ---
modules/generate/generate.go | 89 +++++++++++++++++++++++++++++++
modules/generate/generate_test.go | 20 +++++++
modules/setting/setting.go | 28 ++--------
routers/install.go | 10 +++-
routers/user/auth_openid.go | 3 +-
12 files changed, 215 insertions(+), 67 deletions(-)
create mode 100644 cmd/generate.go
create mode 100644 modules/generate/generate.go
create mode 100644 modules/generate/generate_test.go
diff --git a/cmd/generate.go b/cmd/generate.go
new file mode 100644
index 0000000000..27c5d7884e
--- /dev/null
+++ b/cmd/generate.go
@@ -0,0 +1,83 @@
+// Copyright 2016 The Gogs Authors. All rights reserved.
+// Copyright 2016 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package cmd
+
+import (
+ "fmt"
+
+ "code.gitea.io/gitea/modules/generate"
+
+ "github.com/urfave/cli"
+)
+
+var (
+ // CmdGenerate represents the available generate sub-command.
+ CmdGenerate = cli.Command{
+ Name: "generate",
+ Usage: "Command line interface for running generators",
+ Subcommands: []cli.Command{
+ subcmdSecret,
+ },
+ }
+
+ subcmdSecret = cli.Command{
+ Name: "secret",
+ Usage: "Generate a secret token",
+ Subcommands: []cli.Command{
+ microcmdGenerateInternalToken,
+ microcmdGenerateLfsJwtSecret,
+ microcmdGenerateSecretKey,
+ },
+ }
+
+ microcmdGenerateInternalToken = cli.Command{
+ Name: "INTERNAL_TOKEN",
+ Usage: "Generate a new INTERNAL_TOKEN",
+ Action: runGenerateInternalToken,
+ }
+
+ microcmdGenerateLfsJwtSecret = cli.Command{
+ Name: "LFS_JWT_SECRET",
+ Usage: "Generate a new LFS_JWT_SECRET",
+ Action: runGenerateLfsJwtSecret,
+ }
+
+ microcmdGenerateSecretKey = cli.Command{
+ Name: "SECRET_KEY",
+ Usage: "Generate a new SECRET_KEY",
+ Action: runGenerateSecretKey,
+ }
+)
+
+func runGenerateInternalToken(c *cli.Context) error {
+ internalToken, err := generate.NewInternalToken()
+ if err != nil {
+ return err
+ }
+
+ fmt.Printf("%s\n", internalToken)
+ return nil
+}
+
+func runGenerateLfsJwtSecret(c *cli.Context) error {
+ JWTSecretBase64, err := generate.NewLfsJwtSecret()
+ if err != nil {
+ return err
+ }
+
+ fmt.Printf("%s\n", JWTSecretBase64)
+ return nil
+}
+
+func runGenerateSecretKey(c *cli.Context) error {
+ secretKey, err := generate.NewSecretKey()
+ if err != nil {
+ return err
+ }
+
+ fmt.Printf("%s\n", secretKey)
+ return nil
+}
diff --git a/main.go b/main.go
index 788637f709..179132f587 100644
--- a/main.go
+++ b/main.go
@@ -45,6 +45,7 @@ arguments - which can alternatively be run by running the subcommand web.`
cmd.CmdDump,
cmd.CmdCert,
cmd.CmdAdmin,
+ cmd.CmdGenerate,
}
app.Flags = append(app.Flags, []cli.Flag{}...)
app.Action = cmd.CmdWeb.Action
diff --git a/models/migrations/migrations.go b/models/migrations/migrations.go
index 23235f7819..d79d403712 100644
--- a/models/migrations/migrations.go
+++ b/models/migrations/migrations.go
@@ -20,7 +20,7 @@ import (
gouuid "github.com/satori/go.uuid"
"gopkg.in/ini.v1"
- "code.gitea.io/gitea/modules/base"
+ "code.gitea.io/gitea/modules/generate"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting"
)
@@ -539,10 +539,10 @@ func generateOrgRandsAndSalt(x *xorm.Engine) (err error) {
}
for _, org := range orgs {
- if org.Rands, err = base.GetRandomString(10); err != nil {
+ if org.Rands, err = generate.GetRandomString(10); err != nil {
return err
}
- if org.Salt, err = base.GetRandomString(10); err != nil {
+ if org.Salt, err = generate.GetRandomString(10); err != nil {
return err
}
if _, err = sess.Id(org.ID).Update(org); err != nil {
diff --git a/models/twofactor.go b/models/twofactor.go
index 526ab917e8..789315021e 100644
--- a/models/twofactor.go
+++ b/models/twofactor.go
@@ -16,7 +16,7 @@ import (
"github.com/pquerna/otp/totp"
- "code.gitea.io/gitea/modules/base"
+ "code.gitea.io/gitea/modules/generate"
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/util"
)
@@ -33,7 +33,7 @@ type TwoFactor struct {
// GenerateScratchToken recreates the scratch token the user is using.
func (t *TwoFactor) GenerateScratchToken() error {
- token, err := base.GetRandomString(8)
+ token, err := generate.GetRandomString(8)
if err != nil {
return err
}
diff --git a/models/user.go b/models/user.go
index 57abfc1965..fa41deec92 100644
--- a/models/user.go
+++ b/models/user.go
@@ -34,6 +34,7 @@ import (
"code.gitea.io/gitea/modules/avatar"
"code.gitea.io/gitea/modules/base"
+ "code.gitea.io/gitea/modules/generate"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/util"
@@ -638,7 +639,7 @@ func IsUserExist(uid int64, name string) (bool, error) {
// GetUserSalt returns a random user salt token.
func GetUserSalt() (string, error) {
- return base.GetRandomString(10)
+ return generate.GetRandomString(10)
}
// NewGhostUser creates and returns a fake user for someone has deleted his/her account.
diff --git a/modules/base/tool.go b/modules/base/tool.go
index 347241e6bb..16ac4dbff1 100644
--- a/modules/base/tool.go
+++ b/modules/base/tool.go
@@ -14,7 +14,6 @@ import (
"html/template"
"io"
"math"
- "math/big"
"net/http"
"net/url"
"path"
@@ -88,25 +87,6 @@ func BasicAuthEncode(username, password string) string {
return base64.StdEncoding.EncodeToString([]byte(username + ":" + password))
}
-// GetRandomString generate random string by specify chars.
-func GetRandomString(n int) (string, error) {
- const alphanum = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
-
- buffer := make([]byte, n)
- max := big.NewInt(int64(len(alphanum)))
-
- for i := 0; i < n; i++ {
- index, err := randomInt(max)
- if err != nil {
- return "", err
- }
-
- buffer[i] = alphanum[index]
- }
-
- return string(buffer), nil
-}
-
// GetRandomBytesAsBase64 generates a random base64 string from n bytes
func GetRandomBytesAsBase64(n int) string {
bytes := make([]byte, 32)
@@ -119,15 +99,6 @@ func GetRandomBytesAsBase64(n int) string {
return base64.RawURLEncoding.EncodeToString(bytes)
}
-func randomInt(max *big.Int) (int, error) {
- rand, err := rand.Int(rand.Reader, max)
- if err != nil {
- return 0, err
- }
-
- return int(rand.Int64()), nil
-}
-
// VerifyTimeLimitCode verify time limit code
func VerifyTimeLimitCode(data string, minutes int, code string) bool {
if len(code) <= 18 {
diff --git a/modules/base/tool_test.go b/modules/base/tool_test.go
index ffa17fae00..f99edd5fbf 100644
--- a/modules/base/tool_test.go
+++ b/modules/base/tool_test.go
@@ -107,12 +107,6 @@ func TestBasicAuthEncode(t *testing.T) {
assert.Equal(t, "Zm9vOmJhcg==", BasicAuthEncode("foo", "bar"))
}
-func TestGetRandomString(t *testing.T) {
- randomString, err := GetRandomString(4)
- assert.NoError(t, err)
- assert.Len(t, randomString, 4)
-}
-
// TODO: Test PBKDF2()
// TODO: Test VerifyTimeLimitCode()
// TODO: Test CreateTimeLimitCode()
diff --git a/modules/generate/generate.go b/modules/generate/generate.go
new file mode 100644
index 0000000000..d0e7593013
--- /dev/null
+++ b/modules/generate/generate.go
@@ -0,0 +1,89 @@
+// Copyright 2016 The Gogs Authors. All rights reserved.
+// Copyright 2016 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package generate
+
+import (
+ "crypto/rand"
+ "encoding/base64"
+ "io"
+ "math/big"
+ "time"
+
+ "github.com/dgrijalva/jwt-go"
+)
+
+// GetRandomString generate random string by specify chars.
+func GetRandomString(n int) (string, error) {
+ const alphanum = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
+
+ buffer := make([]byte, n)
+ max := big.NewInt(int64(len(alphanum)))
+
+ for i := 0; i < n; i++ {
+ index, err := randomInt(max)
+ if err != nil {
+ return "", err
+ }
+
+ buffer[i] = alphanum[index]
+ }
+
+ return string(buffer), nil
+}
+
+// NewInternalToken generate a new value intended to be used by INTERNAL_TOKEN.
+func NewInternalToken() (string, error) {
+ secretBytes := make([]byte, 32)
+ _, err := io.ReadFull(rand.Reader, secretBytes)
+ if err != nil {
+ return "", err
+ }
+
+ secretKey := base64.RawURLEncoding.EncodeToString(secretBytes)
+
+ now := time.Now()
+
+ var internalToken string
+ internalToken, err = jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
+ "nbf": now.Unix(),
+ }).SignedString([]byte(secretKey))
+ if err != nil {
+ return "", err
+ }
+
+ return internalToken, nil
+}
+
+// NewLfsJwtSecret generate a new value intended to be used by LFS_JWT_SECRET.
+func NewLfsJwtSecret() (string, error) {
+ JWTSecretBytes := make([]byte, 32)
+ _, err := io.ReadFull(rand.Reader, JWTSecretBytes)
+ if err != nil {
+ return "", err
+ }
+
+ JWTSecretBase64 := base64.RawURLEncoding.EncodeToString(JWTSecretBytes)
+ return JWTSecretBase64, nil
+}
+
+// NewSecretKey generate a new value intended to be used by SECRET_KEY.
+func NewSecretKey() (string, error) {
+ secretKey, err := GetRandomString(64)
+ if err != nil {
+ return "", err
+ }
+
+ return secretKey, nil
+}
+
+func randomInt(max *big.Int) (int, error) {
+ rand, err := rand.Int(rand.Reader, max)
+ if err != nil {
+ return 0, err
+ }
+
+ return int(rand.Int64()), nil
+}
diff --git a/modules/generate/generate_test.go b/modules/generate/generate_test.go
new file mode 100644
index 0000000000..538471af49
--- /dev/null
+++ b/modules/generate/generate_test.go
@@ -0,0 +1,20 @@
+package generate
+
+import (
+ "os"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+)
+
+func TestMain(m *testing.M) {
+ retVal := m.Run()
+
+ os.Exit(retVal)
+}
+
+func TestGetRandomString(t *testing.T) {
+ randomString, err := GetRandomString(4)
+ assert.NoError(t, err)
+ assert.Len(t, randomString, 4)
+}
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index 936dac85c4..9ef175d20e 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -6,10 +6,8 @@
package setting
import (
- "crypto/rand"
"encoding/base64"
"fmt"
- "io"
"net"
"net/mail"
"net/url"
@@ -24,12 +22,12 @@ import (
"time"
"code.gitea.io/git"
+ "code.gitea.io/gitea/modules/generate"
"code.gitea.io/gitea/modules/log"
_ "code.gitea.io/gitea/modules/minwinsvc" // import minwinsvc for windows services
"code.gitea.io/gitea/modules/user"
"github.com/Unknwon/com"
- "github.com/dgrijalva/jwt-go"
_ "github.com/go-macaron/cache/memcache" // memcache plugin for cache
_ "github.com/go-macaron/cache/redis"
"github.com/go-macaron/session"
@@ -834,16 +832,12 @@ func NewContext() {
n, err := base64.RawURLEncoding.Decode(LFS.JWTSecretBytes, []byte(LFS.JWTSecretBase64))
if err != nil || n != 32 {
- //Generate new secret and save to config
-
- _, err := io.ReadFull(rand.Reader, LFS.JWTSecretBytes)
-
+ LFS.JWTSecretBase64, err = generate.NewLfsJwtSecret()
if err != nil {
- log.Fatal(4, "Error reading random bytes: %v", err)
+ log.Fatal(4, "Error generating JWT Secret for custom config: %v", err)
+ return
}
- LFS.JWTSecretBase64 = base64.RawURLEncoding.EncodeToString(LFS.JWTSecretBytes)
-
// Save secret
cfg := ini.Empty()
if com.IsFile(CustomConf) {
@@ -913,19 +907,7 @@ func NewContext() {
DisableGitHooks = sec.Key("DISABLE_GIT_HOOKS").MustBool(false)
InternalToken = sec.Key("INTERNAL_TOKEN").String()
if len(InternalToken) == 0 {
- secretBytes := make([]byte, 32)
- _, err := io.ReadFull(rand.Reader, secretBytes)
- if err != nil {
- log.Fatal(4, "Error reading random bytes: %v", err)
- }
-
- secretKey := base64.RawURLEncoding.EncodeToString(secretBytes)
-
- now := time.Now()
- InternalToken, err = jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
- "nbf": now.Unix(),
- }).SignedString([]byte(secretKey))
-
+ InternalToken, err = generate.NewInternalToken()
if err != nil {
log.Fatal(4, "Error generate internal token: %v", err)
}
diff --git a/routers/install.go b/routers/install.go
index c180d947fc..2a7ec93d21 100644
--- a/routers/install.go
+++ b/routers/install.go
@@ -20,6 +20,7 @@ import (
"code.gitea.io/gitea/modules/auth"
"code.gitea.io/gitea/modules/base"
"code.gitea.io/gitea/modules/context"
+ "code.gitea.io/gitea/modules/generate"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/user"
@@ -275,7 +276,12 @@ func InstallPost(ctx *context.Context, form auth.InstallForm) {
if form.LFSRootPath != "" {
cfg.Section("server").Key("LFS_START_SERVER").SetValue("true")
cfg.Section("server").Key("LFS_CONTENT_PATH").SetValue(form.LFSRootPath)
- cfg.Section("server").Key("LFS_JWT_SECRET").SetValue(base.GetRandomBytesAsBase64(32))
+ var secretKey string
+ if secretKey, err = generate.NewLfsJwtSecret(); err != nil {
+ ctx.RenderWithErr(ctx.Tr("install.lfs_jwt_secret_failed", err), tplInstall, &form)
+ return
+ }
+ cfg.Section("server").Key("LFS_JWT_SECRET").SetValue(secretKey)
} else {
cfg.Section("server").Key("LFS_START_SERVER").SetValue("false")
}
@@ -315,7 +321,7 @@ func InstallPost(ctx *context.Context, form auth.InstallForm) {
cfg.Section("security").Key("INSTALL_LOCK").SetValue("true")
var secretKey string
- if secretKey, err = base.GetRandomString(10); err != nil {
+ if secretKey, err = generate.NewSecretKey(); err != nil {
ctx.RenderWithErr(ctx.Tr("install.secret_key_failed", err), tplInstall, &form)
return
}
diff --git a/routers/user/auth_openid.go b/routers/user/auth_openid.go
index c784d7e1e2..7df40bcc98 100644
--- a/routers/user/auth_openid.go
+++ b/routers/user/auth_openid.go
@@ -13,6 +13,7 @@ import (
"code.gitea.io/gitea/modules/auth/openid"
"code.gitea.io/gitea/modules/base"
"code.gitea.io/gitea/modules/context"
+ "code.gitea.io/gitea/modules/generate"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting"
@@ -348,7 +349,7 @@ func RegisterOpenIDPost(ctx *context.Context, cpt *captcha.Captcha, form auth.Si
if len < 256 {
len = 256
}
- password, err := base.GetRandomString(len)
+ password, err := generate.GetRandomString(len)
if err != nil {
ctx.RenderWithErr(err.Error(), tplSignUpOID, form)
return