third_party
/
gitea
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Implements generator cli for secrets (#3531)

Browse Source 
Signed-off-by: Codruț Constantin Gușoi <codrut.gusoi@gmail.com>
tokarchuk/v1.17
Codruț Constantin Gușoi 7 years ago committed by Lauris BH
parent e59fe7c8d9
commit 96c268c0fc
12 changed files with 215 additions and 67 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 83
      cmd/generate.go
  2. 1
      main.go
  3. 6
      models/migrations/migrations.go
  4. 4
      models/twofactor.go
  5. 3
      models/user.go
  6. 29
      modules/base/tool.go
  7. 6
      modules/base/tool_test.go
  8. 89
      modules/generate/generate.go
  9. 20
      modules/generate/generate_test.go
  10. 28
      modules/setting/setting.go
  11. 10
      routers/install.go
  12. 3
      routers/user/auth_openid.go

83
cmd/generate.go
Unescape View File

@ -0,0 +1,83 @@
// Copyright 2016 The Gogs Authors. All rights reserved.
// Copyright 2016 The Gitea Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
package cmd
import (
"fmt"
"code.gitea.io/gitea/modules/generate"
"github.com/urfave/cli"
)
var (
// CmdGenerate represents the available generate sub-command.
CmdGenerate = cli.Command{
Name: "generate",
Usage: "Command line interface for running generators",
Subcommands: []cli.Command{
subcmdSecret,
},
}
subcmdSecret = cli.Command{
Name: "secret",
Usage: "Generate a secret token",
Subcommands: []cli.Command{
microcmdGenerateInternalToken,
microcmdGenerateLfsJwtSecret,
microcmdGenerateSecretKey,
},
}
microcmdGenerateInternalToken = cli.Command{
Name: "INTERNAL_TOKEN",
Usage: "Generate a new INTERNAL_TOKEN",
Action: runGenerateInternalToken,
}
microcmdGenerateLfsJwtSecret = cli.Command{
Name: "LFS_JWT_SECRET",
Usage: "Generate a new LFS_JWT_SECRET",
Action: runGenerateLfsJwtSecret,
}
microcmdGenerateSecretKey = cli.Command{
Name: "SECRET_KEY",
Usage: "Generate a new SECRET_KEY",
Action: runGenerateSecretKey,
}
)
func runGenerateInternalToken(c *cli.Context) error {
internalToken, err := generate.NewInternalToken()
if err != nil {
return err
}
fmt.Printf("%s\n", internalToken)
return nil
}
func runGenerateLfsJwtSecret(c *cli.Context) error {
JWTSecretBase64, err := generate.NewLfsJwtSecret()
if err != nil {
return err
}
fmt.Printf("%s\n", JWTSecretBase64)
return nil
}
func runGenerateSecretKey(c *cli.Context) error {
secretKey, err := generate.NewSecretKey()
if err != nil {
return err
}
fmt.Printf("%s\n", secretKey)
return nil
}

1
main.go
Unescape View File

@ -45,6 +45,7 @@ arguments - which can alternatively be run by running the subcommand web.`
cmd.CmdDump, cmd.CmdDump,
cmd.CmdCert, cmd.CmdCert,
cmd.CmdAdmin, cmd.CmdAdmin,
cmd.CmdGenerate,
} }
app.Flags = append(app.Flags, []cli.Flag{}...) app.Flags = append(app.Flags, []cli.Flag{}...)
app.Action = cmd.CmdWeb.Action app.Action = cmd.CmdWeb.Action

6
models/migrations/migrations.go
Unescape View File

@ -20,7 +20,7 @@ import (
gouuid "github.com/satori/go.uuid" gouuid "github.com/satori/go.uuid"
"gopkg.in/ini.v1" "gopkg.in/ini.v1"
"code.gitea.io/gitea/modules/base" "code.gitea.io/gitea/modules/generate"
"code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/setting"
) )
@ -539,10 +539,10 @@ func generateOrgRandsAndSalt(x *xorm.Engine) (err error) {
} }
for _, org := range orgs { for _, org := range orgs {
if org.Rands, err = base.GetRandomString(10); err != nil { if org.Rands, err = generate.GetRandomString(10); err != nil {
return err return err
} }
if org.Salt, err = base.GetRandomString(10); err != nil { if org.Salt, err = generate.GetRandomString(10); err != nil {
return err return err
} }
if _, err = sess.Id(org.ID).Update(org); err != nil { if _, err = sess.Id(org.ID).Update(org); err != nil {

4
models/twofactor.go
Unescape View File

@ -16,7 +16,7 @@ import (
"github.com/pquerna/otp/totp" "github.com/pquerna/otp/totp"
"code.gitea.io/gitea/modules/base" "code.gitea.io/gitea/modules/generate"
"code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/util" "code.gitea.io/gitea/modules/util"
) )
@ -33,7 +33,7 @@ type TwoFactor struct {
// GenerateScratchToken recreates the scratch token the user is using. // GenerateScratchToken recreates the scratch token the user is using.
func (t *TwoFactor) GenerateScratchToken() error { func (t *TwoFactor) GenerateScratchToken() error {
token, err := base.GetRandomString(8) token, err := generate.GetRandomString(8)
if err != nil { if err != nil {
return err return err
} }

3
models/user.go
Unescape View File

@ -34,6 +34,7 @@ import (
"code.gitea.io/gitea/modules/avatar" "code.gitea.io/gitea/modules/avatar"
"code.gitea.io/gitea/modules/base" "code.gitea.io/gitea/modules/base"
"code.gitea.io/gitea/modules/generate"
"code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/util" "code.gitea.io/gitea/modules/util"
@ -638,7 +639,7 @@ func IsUserExist(uid int64, name string) (bool, error) {
// GetUserSalt returns a random user salt token. // GetUserSalt returns a random user salt token.
func GetUserSalt() (string, error) { func GetUserSalt() (string, error) {
return base.GetRandomString(10) return generate.GetRandomString(10)
} }
// NewGhostUser creates and returns a fake user for someone has deleted his/her account. // NewGhostUser creates and returns a fake user for someone has deleted his/her account.

29
modules/base/tool.go
Unescape View File

@ -14,7 +14,6 @@ import (
"html/template" "html/template"
"io" "io"
"math" "math"
"math/big"
"net/http" "net/http"
"net/url" "net/url"
"path" "path"
@ -88,25 +87,6 @@ func BasicAuthEncode(username, password string) string {
return base64.StdEncoding.EncodeToString([]byte(username + ":" + password)) return base64.StdEncoding.EncodeToString([]byte(username + ":" + password))
} }
// GetRandomString generate random string by specify chars.
func GetRandomString(n int) (string, error) {
const alphanum = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
buffer := make([]byte, n)
max := big.NewInt(int64(len(alphanum)))
for i := 0; i < n; i++ {
index, err := randomInt(max)
if err != nil {
return "", err
}
buffer[i] = alphanum[index]
}
return string(buffer), nil
}
// GetRandomBytesAsBase64 generates a random base64 string from n bytes // GetRandomBytesAsBase64 generates a random base64 string from n bytes
func GetRandomBytesAsBase64(n int) string { func GetRandomBytesAsBase64(n int) string {
bytes := make([]byte, 32) bytes := make([]byte, 32)
@ -119,15 +99,6 @@ func GetRandomBytesAsBase64(n int) string {
return base64.RawURLEncoding.EncodeToString(bytes) return base64.RawURLEncoding.EncodeToString(bytes)
} }
func randomInt(max *big.Int) (int, error) {
rand, err := rand.Int(rand.Reader, max)
if err != nil {
return 0, err
}
return int(rand.Int64()), nil
}
// VerifyTimeLimitCode verify time limit code // VerifyTimeLimitCode verify time limit code
func VerifyTimeLimitCode(data string, minutes int, code string) bool { func VerifyTimeLimitCode(data string, minutes int, code string) bool {
if len(code) <= 18 { if len(code) <= 18 {

6
modules/base/tool_test.go
Unescape View File

@ -107,12 +107,6 @@ func TestBasicAuthEncode(t *testing.T) {
assert.Equal(t, "Zm9vOmJhcg==", BasicAuthEncode("foo", "bar")) assert.Equal(t, "Zm9vOmJhcg==", BasicAuthEncode("foo", "bar"))
} }
func TestGetRandomString(t *testing.T) {
randomString, err := GetRandomString(4)
assert.NoError(t, err)
assert.Len(t, randomString, 4)
}
// TODO: Test PBKDF2() // TODO: Test PBKDF2()
// TODO: Test VerifyTimeLimitCode() // TODO: Test VerifyTimeLimitCode()
// TODO: Test CreateTimeLimitCode() // TODO: Test CreateTimeLimitCode()

89
modules/generate/generate.go
Unescape View File

@ -0,0 +1,89 @@
// Copyright 2016 The Gogs Authors. All rights reserved.
// Copyright 2016 The Gitea Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
package generate
import (
"crypto/rand"
"encoding/base64"
"io"
"math/big"
"time"
"github.com/dgrijalva/jwt-go"
)
// GetRandomString generate random string by specify chars.
func GetRandomString(n int) (string, error) {
const alphanum = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
buffer := make([]byte, n)
max := big.NewInt(int64(len(alphanum)))
for i := 0; i < n; i++ {
index, err := randomInt(max)
if err != nil {
return "", err
}
buffer[i] = alphanum[index]
}
return string(buffer), nil
}
// NewInternalToken generate a new value intended to be used by INTERNAL_TOKEN.
func NewInternalToken() (string, error) {
secretBytes := make([]byte, 32)
_, err := io.ReadFull(rand.Reader, secretBytes)
if err != nil {
return "", err
}
secretKey := base64.RawURLEncoding.EncodeToString(secretBytes)
now := time.Now()
var internalToken string
internalToken, err = jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
"nbf": now.Unix(),
}).SignedString([]byte(secretKey))
if err != nil {
return "", err
}
return internalToken, nil
}
// NewLfsJwtSecret generate a new value intended to be used by LFS_JWT_SECRET.
func NewLfsJwtSecret() (string, error) {
JWTSecretBytes := make([]byte, 32)
_, err := io.ReadFull(rand.Reader, JWTSecretBytes)
if err != nil {
return "", err
}
JWTSecretBase64 := base64.RawURLEncoding.EncodeToString(JWTSecretBytes)
return JWTSecretBase64, nil
}
// NewSecretKey generate a new value intended to be used by SECRET_KEY.
func NewSecretKey() (string, error) {
secretKey, err := GetRandomString(64)
if err != nil {
return "", err
}
return secretKey, nil
}
func randomInt(max *big.Int) (int, error) {
rand, err := rand.Int(rand.Reader, max)
if err != nil {
return 0, err
}
return int(rand.Int64()), nil
}

20
modules/generate/generate_test.go
Unescape View File

@ -0,0 +1,20 @@
package generate
import (
"os"
"testing"
"github.com/stretchr/testify/assert"
)
func TestMain(m *testing.M) {
retVal := m.Run()
os.Exit(retVal)
}
func TestGetRandomString(t *testing.T) {
randomString, err := GetRandomString(4)
assert.NoError(t, err)
assert.Len(t, randomString, 4)
}

28
modules/setting/setting.go
Unescape View File

@ -6,10 +6,8 @@
package setting package setting
import ( import (
"crypto/rand"
"encoding/base64" "encoding/base64"
"fmt" "fmt"
"io"
"net" "net"
"net/mail" "net/mail"
"net/url" "net/url"
@ -24,12 +22,12 @@ import (
"time" "time"
"code.gitea.io/git" "code.gitea.io/git"
"code.gitea.io/gitea/modules/generate"
"code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/log"
_ "code.gitea.io/gitea/modules/minwinsvc" // import minwinsvc for windows services _ "code.gitea.io/gitea/modules/minwinsvc" // import minwinsvc for windows services
"code.gitea.io/gitea/modules/user" "code.gitea.io/gitea/modules/user"
"github.com/Unknwon/com" "github.com/Unknwon/com"
"github.com/dgrijalva/jwt-go"
_ "github.com/go-macaron/cache/memcache" // memcache plugin for cache _ "github.com/go-macaron/cache/memcache" // memcache plugin for cache
_ "github.com/go-macaron/cache/redis" _ "github.com/go-macaron/cache/redis"
"github.com/go-macaron/session" "github.com/go-macaron/session"
@ -834,16 +832,12 @@ func NewContext() {
n, err := base64.RawURLEncoding.Decode(LFS.JWTSecretBytes, []byte(LFS.JWTSecretBase64)) n, err := base64.RawURLEncoding.Decode(LFS.JWTSecretBytes, []byte(LFS.JWTSecretBase64))
if err != nil || n != 32 { if err != nil || n != 32 {
//Generate new secret and save to config LFS.JWTSecretBase64, err = generate.NewLfsJwtSecret()
_, err := io.ReadFull(rand.Reader, LFS.JWTSecretBytes)
if err != nil { if err != nil {
log.Fatal(4, "Error reading random bytes: %v", err) log.Fatal(4, "Error generating JWT Secret for custom config: %v", err)
return
} }
LFS.JWTSecretBase64 = base64.RawURLEncoding.EncodeToString(LFS.JWTSecretBytes)
// Save secret // Save secret
cfg := ini.Empty() cfg := ini.Empty()
if com.IsFile(CustomConf) { if com.IsFile(CustomConf) {
@ -913,19 +907,7 @@ func NewContext() {
DisableGitHooks = sec.Key("DISABLE_GIT_HOOKS").MustBool(false) DisableGitHooks = sec.Key("DISABLE_GIT_HOOKS").MustBool(false)
InternalToken = sec.Key("INTERNAL_TOKEN").String() InternalToken = sec.Key("INTERNAL_TOKEN").String()
if len(InternalToken) == 0 { if len(InternalToken) == 0 {
secretBytes := make([]byte, 32) InternalToken, err = generate.NewInternalToken()
_, err := io.ReadFull(rand.Reader, secretBytes)
if err != nil {
log.Fatal(4, "Error reading random bytes: %v", err)
}
secretKey := base64.RawURLEncoding.EncodeToString(secretBytes)
now := time.Now()
InternalToken, err = jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
"nbf": now.Unix(),
}).SignedString([]byte(secretKey))
if err != nil { if err != nil {
log.Fatal(4, "Error generate internal token: %v", err) log.Fatal(4, "Error generate internal token: %v", err)
} }

10
routers/install.go
Unescape View File

@ -20,6 +20,7 @@ import (
"code.gitea.io/gitea/modules/auth" "code.gitea.io/gitea/modules/auth"
"code.gitea.io/gitea/modules/base" "code.gitea.io/gitea/modules/base"
"code.gitea.io/gitea/modules/context" "code.gitea.io/gitea/modules/context"
"code.gitea.io/gitea/modules/generate"
"code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/user" "code.gitea.io/gitea/modules/user"
@ -275,7 +276,12 @@ func InstallPost(ctx *context.Context, form auth.InstallForm) {
if form.LFSRootPath != "" { if form.LFSRootPath != "" {
cfg.Section("server").Key("LFS_START_SERVER").SetValue("true") cfg.Section("server").Key("LFS_START_SERVER").SetValue("true")
cfg.Section("server").Key("LFS_CONTENT_PATH").SetValue(form.LFSRootPath) cfg.Section("server").Key("LFS_CONTENT_PATH").SetValue(form.LFSRootPath)
cfg.Section("server").Key("LFS_JWT_SECRET").SetValue(base.GetRandomBytesAsBase64(32)) var secretKey string
if secretKey, err = generate.NewLfsJwtSecret(); err != nil {
ctx.RenderWithErr(ctx.Tr("install.lfs_jwt_secret_failed", err), tplInstall, &form)
return
}
cfg.Section("server").Key("LFS_JWT_SECRET").SetValue(secretKey)
} else { } else {
cfg.Section("server").Key("LFS_START_SERVER").SetValue("false") cfg.Section("server").Key("LFS_START_SERVER").SetValue("false")
} }
@ -315,7 +321,7 @@ func InstallPost(ctx *context.Context, form auth.InstallForm) {
cfg.Section("security").Key("INSTALL_LOCK").SetValue("true") cfg.Section("security").Key("INSTALL_LOCK").SetValue("true")
var secretKey string var secretKey string
if secretKey, err = base.GetRandomString(10); err != nil { if secretKey, err = generate.NewSecretKey(); err != nil {
ctx.RenderWithErr(ctx.Tr("install.secret_key_failed", err), tplInstall, &form) ctx.RenderWithErr(ctx.Tr("install.secret_key_failed", err), tplInstall, &form)
return return
} }

3
routers/user/auth_openid.go
Unescape View File

@ -13,6 +13,7 @@ import (
"code.gitea.io/gitea/modules/auth/openid" "code.gitea.io/gitea/modules/auth/openid"
"code.gitea.io/gitea/modules/base" "code.gitea.io/gitea/modules/base"
"code.gitea.io/gitea/modules/context" "code.gitea.io/gitea/modules/context"
"code.gitea.io/gitea/modules/generate"
"code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/setting"
@ -348,7 +349,7 @@ func RegisterOpenIDPost(ctx *context.Context, cpt *captcha.Captcha, form auth.Si
if len < 256 { if len < 256 {
len = 256 len = 256
} }
password, err := base.GetRandomString(len) password, err := generate.GetRandomString(len)
if err != nil { if err != nil {
ctx.RenderWithErr(err.Error(), tplSignUpOID, form) ctx.RenderWithErr(err.Error(), tplSignUpOID, form)
return return

Write Preview
Loading…
Cancel
Save