github-forks
/
gitea
mirror of https://github.com/go-gitea/gitea.git
1
0
Fork 0
Code Projects Releases Activity

Implements generator cli for secrets (#3531)

Browse Source 
Signed-off-by: Codruț Constantin Gușoi <codrut.gusoi@gmail.com>
pull/3530/head^2
Codruț Constantin Gușoi 7 years ago committed by Lauris BH
parent e59fe7c8d9
commit 96c268c0fc
12 changed files with 215 additions and 67 deletions
Show Stats Download Patch File Download Diff File

83
cmd/generate.go
Unescape Escape View File

@ -0,0 +1,83 @@
// Copyright 2016 The Gogs Authors. All rights reserved.
// Copyright 2016 The Gitea Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
package cmd
import (
"fmt"
"code.gitea.io/gitea/modules/generate"
"github.com/urfave/cli"
)
var (
// CmdGenerate represents the available generate sub-command.
CmdGenerate = cli.Command{
Name: "generate",
Usage: "Command line interface for running generators",
Subcommands: []cli.Command{
subcmdSecret,
},
}
subcmdSecret = cli.Command{
Name: "secret",
Usage: "Generate a secret token",
Subcommands: []cli.Command{
microcmdGenerateInternalToken,
microcmdGenerateLfsJwtSecret,
microcmdGenerateSecretKey,
},
}
microcmdGenerateInternalToken = cli.Command{
Name: "INTERNAL_TOKEN",
Usage: "Generate a new INTERNAL_TOKEN",
Action: runGenerateInternalToken,
}
microcmdGenerateLfsJwtSecret = cli.Command{
Name: "LFS_JWT_SECRET",
Usage: "Generate a new LFS_JWT_SECRET",
Action: runGenerateLfsJwtSecret,
}
microcmdGenerateSecretKey = cli.Command{
Name: "SECRET_KEY",
Usage: "Generate a new SECRET_KEY",
Action: runGenerateSecretKey,
}
)
func runGenerateInternalToken(c *cli.Context) error {
internalToken, err := generate.NewInternalToken()
if err != nil {
return err
}
fmt.Printf("%s\n", internalToken)
return nil
}
func runGenerateLfsJwtSecret(c *cli.Context) error {
JWTSecretBase64, err := generate.NewLfsJwtSecret()
if err != nil {
return err
}
fmt.Printf("%s\n", JWTSecretBase64)
return nil
}
func runGenerateSecretKey(c *cli.Context) error {
secretKey, err := generate.NewSecretKey()
if err != nil {
return err
}
fmt.Printf("%s\n", secretKey)
return nil
}

1
main.go
Unescape Escape View File

@ -45,6 +45,7 @@ arguments - which can alternatively be run by running the subcommand web.`
cmd.CmdDump, cmd.CmdDump,
cmd.CmdCert, cmd.CmdCert,
cmd.CmdAdmin, cmd.CmdAdmin,
cmd.CmdGenerate,
} }
app.Flags = append(app.Flags, []cli.Flag{}...) app.Flags = append(app.Flags, []cli.Flag{}...)
app.Action = cmd.CmdWeb.Action app.Action = cmd.CmdWeb.Action

6
models/migrations/migrations.go
Unescape Escape View File

@ -20,7 +20,7 @@ import (
gouuid "github.com/satori/go.uuid" gouuid "github.com/satori/go.uuid"
"gopkg.in/ini.v1" "gopkg.in/ini.v1"
"code.gitea.io/gitea/modules/base" "code.gitea.io/gitea/modules/generate"
"code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/setting"
) )
@ -539,10 +539,10 @@ func generateOrgRandsAndSalt(x *xorm.Engine) (err error) {
} }
for _, org := range orgs { for _, org := range orgs {
if org.Rands, err = base.GetRandomString(10); err != nil { if org.Rands, err = generate.GetRandomString(10); err != nil {
return err return err
} }
if org.Salt, err = base.GetRandomString(10); err != nil { if org.Salt, err = generate.GetRandomString(10); err != nil {
return err return err
} }
if _, err = sess.Id(org.ID).Update(org); err != nil { if _, err = sess.Id(org.ID).Update(org); err != nil {

4
models/twofactor.go
Unescape Escape View File

@ -16,7 +16,7 @@ import (
"github.com/pquerna/otp/totp" "github.com/pquerna/otp/totp"
"code.gitea.io/gitea/modules/base" "code.gitea.io/gitea/modules/generate"
"code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/util" "code.gitea.io/gitea/modules/util"
) )
@ -33,7 +33,7 @@ type TwoFactor struct {
// GenerateScratchToken recreates the scratch token the user is using. // GenerateScratchToken recreates the scratch token the user is using.
func (t *TwoFactor) GenerateScratchToken() error { func (t *TwoFactor) GenerateScratchToken() error {
token, err := base.GetRandomString(8) token, err := generate.GetRandomString(8)
if err != nil { if err != nil {
return err return err
} }

3
models/user.go
Unescape Escape View File

@ -34,6 +34,7 @@ import (
"code.gitea.io/gitea/modules/avatar" "code.gitea.io/gitea/modules/avatar"
"code.gitea.io/gitea/modules/base" "code.gitea.io/gitea/modules/base"
"code.gitea.io/gitea/modules/generate"
"code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/util" "code.gitea.io/gitea/modules/util"
@ -638,7 +639,7 @@ func IsUserExist(uid int64, name string) (bool, error) {
// GetUserSalt returns a random user salt token. // GetUserSalt returns a random user salt token.
func GetUserSalt() (string, error) { func GetUserSalt() (string, error) {
return base.GetRandomString(10) return generate.GetRandomString(10)
} }
// NewGhostUser creates and returns a fake user for someone has deleted his/her account. // NewGhostUser creates and returns a fake user for someone has deleted his/her account.

29
modules/base/tool.go
Unescape Escape View File

@ -14,7 +14,6 @@ import (
"html/template" "html/template"
"io" "io"
"math" "math"
"math/big"
"net/http" "net/http"
"net/url" "net/url"
"path" "path"
@ -88,25 +87,6 @@ func BasicAuthEncode(username, password string) string {
return base64.StdEncoding.EncodeToString([]byte(username + ":" + password)) return base64.StdEncoding.EncodeToString([]byte(username + ":" + password))
} }
// GetRandomString generate random string by specify chars.
func GetRandomString(n int) (string, error) {
const alphanum = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
buffer := make([]byte, n)
max := big.NewInt(int64(len(alphanum)))
for i := 0; i < n; i++ {
index, err := randomInt(max)
if err != nil {
return "", err
}
buffer[i] = alphanum[index]
}
return string(buffer), nil
}
// GetRandomBytesAsBase64 generates a random base64 string from n bytes // GetRandomBytesAsBase64 generates a random base64 string from n bytes
func GetRandomBytesAsBase64(n int) string { func GetRandomBytesAsBase64(n int) string {
bytes := make([]byte, 32) bytes := make([]byte, 32)
@ -119,15 +99,6 @@ func GetRandomBytesAsBase64(n int) string {
return base64.RawURLEncoding.EncodeToString(bytes) return base64.RawURLEncoding.EncodeToString(bytes)
} }
func randomInt(max *big.Int) (int, error) {
rand, err := rand.Int(rand.Reader, max)
if err != nil {
return 0, err
}
return int(rand.Int64()), nil
}
// VerifyTimeLimitCode verify time limit code // VerifyTimeLimitCode verify time limit code
func VerifyTimeLimitCode(data string, minutes int, code string) bool { func VerifyTimeLimitCode(data string, minutes int, code string) bool {
if len(code) <= 18 { if len(code) <= 18 {

6
modules/base/tool_test.go
Unescape Escape View File

@ -107,12 +107,6 @@ func TestBasicAuthEncode(t *testing.T) {
assert.Equal(t, "Zm9vOmJhcg==", BasicAuthEncode("foo", "bar")) assert.Equal(t, "Zm9vOmJhcg==", BasicAuthEncode("foo", "bar"))
} }
func TestGetRandomString(t *testing.T) {
randomString, err := GetRandomString(4)
assert.NoError(t, err)
assert.Len(t, randomString, 4)
}
// TODO: Test PBKDF2() // TODO: Test PBKDF2()
// TODO: Test VerifyTimeLimitCode() // TODO: Test VerifyTimeLimitCode()
// TODO: Test CreateTimeLimitCode() // TODO: Test CreateTimeLimitCode()

89
modules/generate/generate.go
Unescape Escape View File

@ -0,0 +1,89 @@
// Copyright 2016 The Gogs Authors. All rights reserved.
// Copyright 2016 The Gitea Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
package generate
import (
"crypto/rand"
"encoding/base64"
"io"
"math/big"
"time"
"github.com/dgrijalva/jwt-go"
)
// GetRandomString generate random string by specify chars.
func GetRandomString(n int) (string, error) {
const alphanum = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
buffer := make([]byte, n)
max := big.NewInt(int64(len(alphanum)))
for i := 0; i < n; i++ {
index, err := randomInt(max)
if err != nil {
return "", err
}
buffer[i] = alphanum[index]
}
return string(buffer), nil
}
// NewInternalToken generate a new value intended to be used by INTERNAL_TOKEN.
func NewInternalToken() (string, error) {
secretBytes := make([]byte, 32)
_, err := io.ReadFull(rand.Reader, secretBytes)
if err != nil {
return "", err
}
secretKey := base64.RawURLEncoding.EncodeToString(secretBytes)
now := time.Now()
var internalToken string
internalToken, err = jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
"nbf": now.Unix(),
}).SignedString([]byte(secretKey))
if err != nil {
return "", err
}
return internalToken, nil
}
// NewLfsJwtSecret generate a new value intended to be used by LFS_JWT_SECRET.
func NewLfsJwtSecret() (string, error) {
JWTSecretBytes := make([]byte, 32)
_, err := io.ReadFull(rand.Reader, JWTSecretBytes)
if err != nil {
return "", err
}
JWTSecretBase64 := base64.RawURLEncoding.EncodeToString(JWTSecretBytes)
return JWTSecretBase64, nil
}
// NewSecretKey generate a new value intended to be used by SECRET_KEY.
func NewSecretKey() (string, error) {
secretKey, err := GetRandomString(64)
if err != nil {
return "", err
}
return secretKey, nil
}
func randomInt(max *big.Int) (int, error) {
rand, err := rand.Int(rand.Reader, max)
if err != nil {
return 0, err
}
return int(rand.Int64()), nil
}

20
modules/generate/generate_test.go
Unescape Escape View File

@ -0,0 +1,20 @@
package generate
import (
"os"
"testing"
"github.com/stretchr/testify/assert"
)
func TestMain(m *testing.M) {
retVal := m.Run()
os.Exit(retVal)
}
func TestGetRandomString(t *testing.T) {
randomString, err := GetRandomString(4)
assert.NoError(t, err)
assert.Len(t, randomString, 4)
}

28
modules/setting/setting.go
Unescape Escape View File

@ -6,10 +6,8 @@
package setting package setting
import ( import (
"crypto/rand"
"encoding/base64" "encoding/base64"
"fmt" "fmt"
"io"
"net" "net"
"net/mail" "net/mail"
"net/url" "net/url"
@ -24,12 +22,12 @@ import (
"time" "time"
"code.gitea.io/git" "code.gitea.io/git"
"code.gitea.io/gitea/modules/generate"
"code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/log"
_ "code.gitea.io/gitea/modules/minwinsvc" // import minwinsvc for windows services _ "code.gitea.io/gitea/modules/minwinsvc" // import minwinsvc for windows services
"code.gitea.io/gitea/modules/user" "code.gitea.io/gitea/modules/user"
"github.com/Unknwon/com" "github.com/Unknwon/com"
"github.com/dgrijalva/jwt-go"
_ "github.com/go-macaron/cache/memcache" // memcache plugin for cache _ "github.com/go-macaron/cache/memcache" // memcache plugin for cache
_ "github.com/go-macaron/cache/redis" _ "github.com/go-macaron/cache/redis"
"github.com/go-macaron/session" "github.com/go-macaron/session"
@ -834,16 +832,12 @@ func NewContext() {
n, err := base64.RawURLEncoding.Decode(LFS.JWTSecretBytes, []byte(LFS.JWTSecretBase64)) n, err := base64.RawURLEncoding.Decode(LFS.JWTSecretBytes, []byte(LFS.JWTSecretBase64))
if err != nil || n != 32 { if err != nil || n != 32 {
//Generate new secret and save to config LFS.JWTSecretBase64, err = generate.NewLfsJwtSecret()
_, err := io.ReadFull(rand.Reader, LFS.JWTSecretBytes)
if err != nil { if err != nil {
log.Fatal(4, "Error reading random bytes: %v", err) log.Fatal(4, "Error generating JWT Secret for custom config: %v", err)
return
} }
LFS.JWTSecretBase64 = base64.RawURLEncoding.EncodeToString(LFS.JWTSecretBytes)
// Save secret // Save secret
cfg := ini.Empty() cfg := ini.Empty()
if com.IsFile(CustomConf) { if com.IsFile(CustomConf) {
@ -913,19 +907,7 @@ func NewContext() {
DisableGitHooks = sec.Key("DISABLE_GIT_HOOKS").MustBool(false) DisableGitHooks = sec.Key("DISABLE_GIT_HOOKS").MustBool(false)
InternalToken = sec.Key("INTERNAL_TOKEN").String() InternalToken = sec.Key("INTERNAL_TOKEN").String()
if len(InternalToken) == 0 { if len(InternalToken) == 0 {
secretBytes := make([]byte, 32) InternalToken, err = generate.NewInternalToken()
_, err := io.ReadFull(rand.Reader, secretBytes)
if err != nil {
log.Fatal(4, "Error reading random bytes: %v", err)
}
secretKey := base64.RawURLEncoding.EncodeToString(secretBytes)
now := time.Now()
InternalToken, err = jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
"nbf": now.Unix(),
}).SignedString([]byte(secretKey))
if err != nil { if err != nil {
log.Fatal(4, "Error generate internal token: %v", err) log.Fatal(4, "Error generate internal token: %v", err)
} }

10
routers/install.go
Unescape Escape View File

@ -20,6 +20,7 @@ import (
"code.gitea.io/gitea/modules/auth" "code.gitea.io/gitea/modules/auth"
"code.gitea.io/gitea/modules/base" "code.gitea.io/gitea/modules/base"
"code.gitea.io/gitea/modules/context" "code.gitea.io/gitea/modules/context"
"code.gitea.io/gitea/modules/generate"
"code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/user" "code.gitea.io/gitea/modules/user"
@ -275,7 +276,12 @@ func InstallPost(ctx *context.Context, form auth.InstallForm) {
if form.LFSRootPath != "" { if form.LFSRootPath != "" {
cfg.Section("server").Key("LFS_START_SERVER").SetValue("true") cfg.Section("server").Key("LFS_START_SERVER").SetValue("true")
cfg.Section("server").Key("LFS_CONTENT_PATH").SetValue(form.LFSRootPath) cfg.Section("server").Key("LFS_CONTENT_PATH").SetValue(form.LFSRootPath)
cfg.Section("server").Key("LFS_JWT_SECRET").SetValue(base.GetRandomBytesAsBase64(32)) var secretKey string
if secretKey, err = generate.NewLfsJwtSecret(); err != nil {
ctx.RenderWithErr(ctx.Tr("install.lfs_jwt_secret_failed", err), tplInstall, &form)
return
}
cfg.Section("server").Key("LFS_JWT_SECRET").SetValue(secretKey)
} else { } else {
cfg.Section("server").Key("LFS_START_SERVER").SetValue("false") cfg.Section("server").Key("LFS_START_SERVER").SetValue("false")
} }
@ -315,7 +321,7 @@ func InstallPost(ctx *context.Context, form auth.InstallForm) {
cfg.Section("security").Key("INSTALL_LOCK").SetValue("true") cfg.Section("security").Key("INSTALL_LOCK").SetValue("true")
var secretKey string var secretKey string
if secretKey, err = base.GetRandomString(10); err != nil { if secretKey, err = generate.NewSecretKey(); err != nil {
ctx.RenderWithErr(ctx.Tr("install.secret_key_failed", err), tplInstall, &form) ctx.RenderWithErr(ctx.Tr("install.secret_key_failed", err), tplInstall, &form)
return return
} }

3
routers/user/auth_openid.go
Unescape Escape View File

@ -13,6 +13,7 @@ import (
"code.gitea.io/gitea/modules/auth/openid" "code.gitea.io/gitea/modules/auth/openid"
"code.gitea.io/gitea/modules/base" "code.gitea.io/gitea/modules/base"
"code.gitea.io/gitea/modules/context" "code.gitea.io/gitea/modules/context"
"code.gitea.io/gitea/modules/generate"
"code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/setting"
@ -348,7 +349,7 @@ func RegisterOpenIDPost(ctx *context.Context, cpt *captcha.Captcha, form auth.Si
if len < 256 { if len < 256 {
len = 256 len = 256
} }
password, err := base.GetRandomString(len) password, err := generate.GetRandomString(len)
if err != nil { if err != nil {
ctx.RenderWithErr(err.Error(), tplSignUpOID, form) ctx.RenderWithErr(err.Error(), tplSignUpOID, form)
return return

Write Preview
Loading…
Cancel
Save