require 'openssl' class SecretsHelper SECRETS_FILE = '/etc/gitlab/gitlab-secrets.json'.freeze SECRETS_FILE_CHEF_ATTR = '_gitlab_secrets_file_path'.freeze SKIP_GENERATE_SECRETS_CHEF_ATTR = '_skip_generate_secrets'.freeze def self.generate_hex(chars) SecureRandom.hex(chars) end def self.generate_base64(bytes) SecureRandom.base64(bytes) end def self.generate_urlsafe_base64(bytes = 32) SecureRandom.urlsafe_base64(bytes) end def self.generate_alphanumeric(chars) SecureRandom.alphanumeric(chars) end def self.generate_rsa(bits) OpenSSL::PKey::RSA.new(bits) end def self.generate_x509(subject:, validity:, key:) cert = OpenSSL::X509::Certificate.new cert.subject = cert.issuer = OpenSSL::X509::Name.parse(subject) cert.not_before = Time.now cert.not_after = (DateTime.now + validity).to_time cert.public_key = key.public_key cert.serial = 0x0 cert.version = 2 cert.sign(key, OpenSSL::Digest.new('SHA256')) cert end def self.generate_keypair(bits:, subject:, validity:) key = generate_rsa(bits) cert = generate_x509(subject: subject, validity: validity, key: key) [key, cert] end # Load the secrets from disk # # @return [Hash] empty if no secrets def self.load_gitlab_secrets(path = SecretsHelper::SECRETS_FILE) existing_secrets = {} existing_secrets = Chef::JSONCompat.from_json(File.read(path)) if File.exist?(path) existing_secrets end # Reads the secrets into the Gitlab config singleton def self.read_gitlab_secrets(path = SecretsHelper::SECRETS_FILE) existing_secrets = load_gitlab_secrets(path) existing_secrets.each do |k, v| if Gitlab[k] v.each do |pk, p| # Note: Specifying a secret in gitlab.rb will take precedence over "gitlab-secrets.json" Gitlab[k][pk] ||= p end else warn("Ignoring section #{k} in #{path}, does not exist in gitlab.rb") end end end def self.gather_gitlab_secrets # rubocop:disable Metrics/AbcSize secret_tokens = { 'gitlab_workhorse' => { 'secret_token' => Gitlab['gitlab_workhorse']['secret_token'], }, 'gitlab_shell' => { 'secret_token' => Gitlab['gitlab_shell']['secret_token'], }, 'gitlab_rails' => { 'secret_key_base' => Gitlab['gitlab_rails']['secret_key_base'], 'db_key_base' => Gitlab['gitlab_rails']['db_key_base'], 'otp_key_base' => Gitlab['gitlab_rails']['otp_key_base'], 'encrypted_settings_key_base' => Gitlab['gitlab_rails']['encrypted_settings_key_base'], 'openid_connect_signing_key' => Gitlab['gitlab_rails']['openid_connect_signing_key'], 'active_record_encryption_primary_key' => Gitlab['gitlab_rails']['active_record_encryption_primary_key'], 'active_record_encryption_deterministic_key' => Gitlab['gitlab_rails']['active_record_encryption_deterministic_key'], 'active_record_encryption_key_derivation_salt' => Gitlab['gitlab_rails']['active_record_encryption_key_derivation_salt'] }, 'gitlab_pages' => { 'gitlab_secret' => Gitlab['gitlab_pages']['gitlab_secret'], 'gitlab_id' => Gitlab['gitlab_pages']['gitlab_id'], 'auth_secret' => Gitlab['gitlab_pages']['auth_secret'], 'api_secret_key' => Gitlab['gitlab_pages']['api_secret_key'], 'register_as_oauth_app' => Gitlab['gitlab_pages']['register_as_oauth_app'] }, 'gitlab_kas' => { 'api_secret_key' => Gitlab['gitlab_kas']['api_secret_key'], 'private_api_secret_key' => Gitlab['gitlab_kas']['private_api_secret_key'], 'websocket_token_secret_key' => Gitlab['gitlab_kas']['websocket_token_secret_key'] }, 'suggested_reviewers' => { 'api_secret_key' => Gitlab['suggested_reviewers']['api_secret_key'] }, 'registry' => { 'http_secret' => Gitlab['registry']['http_secret'], 'internal_certificate' => Gitlab['registry']['internal_certificate'], 'internal_key' => Gitlab['registry']['internal_key'] }, 'letsencrypt' => { 'auto_enabled' => Gitlab['letsencrypt']['auto_enabled'] }, 'mattermost' => { 'email_invite_salt' => Gitlab['mattermost']['email_invite_salt'], 'file_public_link_salt' => Gitlab['mattermost']['file_public_link_salt'], 'sql_at_rest_encrypt_key' => Gitlab['mattermost']['sql_at_rest_encrypt_key'], 'register_as_oauth_app' => Gitlab['mattermost']['register_as_oauth_app'] }, 'postgresql' => { 'internal_certificate' => Gitlab['postgresql']['internal_certificate'], 'internal_key' => Gitlab['postgresql']['internal_key'] }, 'mailroom' => { 'incoming_email_auth_token' => Gitlab['mailroom']['incoming_email_auth_token'], 'service_desk_email_auth_token' => Gitlab['mailroom']['service_desk_email_auth_token'], }, 'gitaly' => { 'gitlab_secret' => Gitlab['gitaly']['gitlab_secret'] } } if Gitlab['mattermost']['gitlab_enable'] gitlab_oauth = { 'gitlab_enable' => Gitlab['mattermost']['gitlab_enable'], 'gitlab_secret' => Gitlab['mattermost']['gitlab_secret'], 'gitlab_id' => Gitlab['mattermost']['gitlab_id'], } secret_tokens['mattermost'].merge!(gitlab_oauth) end secret_tokens end def self.write_to_gitlab_secrets(path = SECRETS_FILE) secret_tokens = gather_gitlab_secrets if File.directory?(File.dirname(path)) File.open(path, 'w', 0600) do |f| f.puts(Chef::JSONCompat.to_json_pretty(secret_tokens)) f.chmod(0600) end end nil end end