From 96c268c0fcc22604103f67821d66fef39944e80b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Codru=C8=9B=20Constantin=20Gu=C8=99oi?= Date: Sun, 18 Feb 2018 18:14:37 +0000 Subject: [PATCH] Implements generator cli for secrets (#3531) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Codruț Constantin Gușoi --- cmd/generate.go | 83 ++++++++++++++++++++++++++++ main.go | 1 + models/migrations/migrations.go | 6 +-- models/twofactor.go | 4 +- models/user.go | 3 +- modules/base/tool.go | 29 ---------- modules/base/tool_test.go | 6 --- modules/generate/generate.go | 89 +++++++++++++++++++++++++++++++ modules/generate/generate_test.go | 20 +++++++ modules/setting/setting.go | 28 ++-------- routers/install.go | 10 +++- routers/user/auth_openid.go | 3 +- 12 files changed, 215 insertions(+), 67 deletions(-) create mode 100644 cmd/generate.go create mode 100644 modules/generate/generate.go create mode 100644 modules/generate/generate_test.go diff --git a/cmd/generate.go b/cmd/generate.go new file mode 100644 index 000000000..27c5d7884 --- /dev/null +++ b/cmd/generate.go @@ -0,0 +1,83 @@ +// Copyright 2016 The Gogs Authors. All rights reserved. +// Copyright 2016 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package cmd + +import ( + "fmt" + + "code.gitea.io/gitea/modules/generate" + + "github.com/urfave/cli" +) + +var ( + // CmdGenerate represents the available generate sub-command. + CmdGenerate = cli.Command{ + Name: "generate", + Usage: "Command line interface for running generators", + Subcommands: []cli.Command{ + subcmdSecret, + }, + } + + subcmdSecret = cli.Command{ + Name: "secret", + Usage: "Generate a secret token", + Subcommands: []cli.Command{ + microcmdGenerateInternalToken, + microcmdGenerateLfsJwtSecret, + microcmdGenerateSecretKey, + }, + } + + microcmdGenerateInternalToken = cli.Command{ + Name: "INTERNAL_TOKEN", + Usage: "Generate a new INTERNAL_TOKEN", + Action: runGenerateInternalToken, + } + + microcmdGenerateLfsJwtSecret = cli.Command{ + Name: "LFS_JWT_SECRET", + Usage: "Generate a new LFS_JWT_SECRET", + Action: runGenerateLfsJwtSecret, + } + + microcmdGenerateSecretKey = cli.Command{ + Name: "SECRET_KEY", + Usage: "Generate a new SECRET_KEY", + Action: runGenerateSecretKey, + } +) + +func runGenerateInternalToken(c *cli.Context) error { + internalToken, err := generate.NewInternalToken() + if err != nil { + return err + } + + fmt.Printf("%s\n", internalToken) + return nil +} + +func runGenerateLfsJwtSecret(c *cli.Context) error { + JWTSecretBase64, err := generate.NewLfsJwtSecret() + if err != nil { + return err + } + + fmt.Printf("%s\n", JWTSecretBase64) + return nil +} + +func runGenerateSecretKey(c *cli.Context) error { + secretKey, err := generate.NewSecretKey() + if err != nil { + return err + } + + fmt.Printf("%s\n", secretKey) + return nil +} diff --git a/main.go b/main.go index 788637f70..179132f58 100644 --- a/main.go +++ b/main.go @@ -45,6 +45,7 @@ arguments - which can alternatively be run by running the subcommand web.` cmd.CmdDump, cmd.CmdCert, cmd.CmdAdmin, + cmd.CmdGenerate, } app.Flags = append(app.Flags, []cli.Flag{}...) app.Action = cmd.CmdWeb.Action diff --git a/models/migrations/migrations.go b/models/migrations/migrations.go index 23235f781..d79d40371 100644 --- a/models/migrations/migrations.go +++ b/models/migrations/migrations.go @@ -20,7 +20,7 @@ import ( gouuid "github.com/satori/go.uuid" "gopkg.in/ini.v1" - "code.gitea.io/gitea/modules/base" + "code.gitea.io/gitea/modules/generate" "code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/setting" ) @@ -539,10 +539,10 @@ func generateOrgRandsAndSalt(x *xorm.Engine) (err error) { } for _, org := range orgs { - if org.Rands, err = base.GetRandomString(10); err != nil { + if org.Rands, err = generate.GetRandomString(10); err != nil { return err } - if org.Salt, err = base.GetRandomString(10); err != nil { + if org.Salt, err = generate.GetRandomString(10); err != nil { return err } if _, err = sess.Id(org.ID).Update(org); err != nil { diff --git a/models/twofactor.go b/models/twofactor.go index 526ab917e..789315021 100644 --- a/models/twofactor.go +++ b/models/twofactor.go @@ -16,7 +16,7 @@ import ( "github.com/pquerna/otp/totp" - "code.gitea.io/gitea/modules/base" + "code.gitea.io/gitea/modules/generate" "code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/util" ) @@ -33,7 +33,7 @@ type TwoFactor struct { // GenerateScratchToken recreates the scratch token the user is using. func (t *TwoFactor) GenerateScratchToken() error { - token, err := base.GetRandomString(8) + token, err := generate.GetRandomString(8) if err != nil { return err } diff --git a/models/user.go b/models/user.go index 57abfc196..fa41deec9 100644 --- a/models/user.go +++ b/models/user.go @@ -34,6 +34,7 @@ import ( "code.gitea.io/gitea/modules/avatar" "code.gitea.io/gitea/modules/base" + "code.gitea.io/gitea/modules/generate" "code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/util" @@ -638,7 +639,7 @@ func IsUserExist(uid int64, name string) (bool, error) { // GetUserSalt returns a random user salt token. func GetUserSalt() (string, error) { - return base.GetRandomString(10) + return generate.GetRandomString(10) } // NewGhostUser creates and returns a fake user for someone has deleted his/her account. diff --git a/modules/base/tool.go b/modules/base/tool.go index 347241e6b..16ac4dbff 100644 --- a/modules/base/tool.go +++ b/modules/base/tool.go @@ -14,7 +14,6 @@ import ( "html/template" "io" "math" - "math/big" "net/http" "net/url" "path" @@ -88,25 +87,6 @@ func BasicAuthEncode(username, password string) string { return base64.StdEncoding.EncodeToString([]byte(username + ":" + password)) } -// GetRandomString generate random string by specify chars. -func GetRandomString(n int) (string, error) { - const alphanum = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" - - buffer := make([]byte, n) - max := big.NewInt(int64(len(alphanum))) - - for i := 0; i < n; i++ { - index, err := randomInt(max) - if err != nil { - return "", err - } - - buffer[i] = alphanum[index] - } - - return string(buffer), nil -} - // GetRandomBytesAsBase64 generates a random base64 string from n bytes func GetRandomBytesAsBase64(n int) string { bytes := make([]byte, 32) @@ -119,15 +99,6 @@ func GetRandomBytesAsBase64(n int) string { return base64.RawURLEncoding.EncodeToString(bytes) } -func randomInt(max *big.Int) (int, error) { - rand, err := rand.Int(rand.Reader, max) - if err != nil { - return 0, err - } - - return int(rand.Int64()), nil -} - // VerifyTimeLimitCode verify time limit code func VerifyTimeLimitCode(data string, minutes int, code string) bool { if len(code) <= 18 { diff --git a/modules/base/tool_test.go b/modules/base/tool_test.go index ffa17fae0..f99edd5fb 100644 --- a/modules/base/tool_test.go +++ b/modules/base/tool_test.go @@ -107,12 +107,6 @@ func TestBasicAuthEncode(t *testing.T) { assert.Equal(t, "Zm9vOmJhcg==", BasicAuthEncode("foo", "bar")) } -func TestGetRandomString(t *testing.T) { - randomString, err := GetRandomString(4) - assert.NoError(t, err) - assert.Len(t, randomString, 4) -} - // TODO: Test PBKDF2() // TODO: Test VerifyTimeLimitCode() // TODO: Test CreateTimeLimitCode() diff --git a/modules/generate/generate.go b/modules/generate/generate.go new file mode 100644 index 000000000..d0e759301 --- /dev/null +++ b/modules/generate/generate.go @@ -0,0 +1,89 @@ +// Copyright 2016 The Gogs Authors. All rights reserved. +// Copyright 2016 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package generate + +import ( + "crypto/rand" + "encoding/base64" + "io" + "math/big" + "time" + + "github.com/dgrijalva/jwt-go" +) + +// GetRandomString generate random string by specify chars. +func GetRandomString(n int) (string, error) { + const alphanum = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" + + buffer := make([]byte, n) + max := big.NewInt(int64(len(alphanum))) + + for i := 0; i < n; i++ { + index, err := randomInt(max) + if err != nil { + return "", err + } + + buffer[i] = alphanum[index] + } + + return string(buffer), nil +} + +// NewInternalToken generate a new value intended to be used by INTERNAL_TOKEN. +func NewInternalToken() (string, error) { + secretBytes := make([]byte, 32) + _, err := io.ReadFull(rand.Reader, secretBytes) + if err != nil { + return "", err + } + + secretKey := base64.RawURLEncoding.EncodeToString(secretBytes) + + now := time.Now() + + var internalToken string + internalToken, err = jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{ + "nbf": now.Unix(), + }).SignedString([]byte(secretKey)) + if err != nil { + return "", err + } + + return internalToken, nil +} + +// NewLfsJwtSecret generate a new value intended to be used by LFS_JWT_SECRET. +func NewLfsJwtSecret() (string, error) { + JWTSecretBytes := make([]byte, 32) + _, err := io.ReadFull(rand.Reader, JWTSecretBytes) + if err != nil { + return "", err + } + + JWTSecretBase64 := base64.RawURLEncoding.EncodeToString(JWTSecretBytes) + return JWTSecretBase64, nil +} + +// NewSecretKey generate a new value intended to be used by SECRET_KEY. +func NewSecretKey() (string, error) { + secretKey, err := GetRandomString(64) + if err != nil { + return "", err + } + + return secretKey, nil +} + +func randomInt(max *big.Int) (int, error) { + rand, err := rand.Int(rand.Reader, max) + if err != nil { + return 0, err + } + + return int(rand.Int64()), nil +} diff --git a/modules/generate/generate_test.go b/modules/generate/generate_test.go new file mode 100644 index 000000000..538471af4 --- /dev/null +++ b/modules/generate/generate_test.go @@ -0,0 +1,20 @@ +package generate + +import ( + "os" + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestMain(m *testing.M) { + retVal := m.Run() + + os.Exit(retVal) +} + +func TestGetRandomString(t *testing.T) { + randomString, err := GetRandomString(4) + assert.NoError(t, err) + assert.Len(t, randomString, 4) +} diff --git a/modules/setting/setting.go b/modules/setting/setting.go index 936dac85c..9ef175d20 100644 --- a/modules/setting/setting.go +++ b/modules/setting/setting.go @@ -6,10 +6,8 @@ package setting import ( - "crypto/rand" "encoding/base64" "fmt" - "io" "net" "net/mail" "net/url" @@ -24,12 +22,12 @@ import ( "time" "code.gitea.io/git" + "code.gitea.io/gitea/modules/generate" "code.gitea.io/gitea/modules/log" _ "code.gitea.io/gitea/modules/minwinsvc" // import minwinsvc for windows services "code.gitea.io/gitea/modules/user" "github.com/Unknwon/com" - "github.com/dgrijalva/jwt-go" _ "github.com/go-macaron/cache/memcache" // memcache plugin for cache _ "github.com/go-macaron/cache/redis" "github.com/go-macaron/session" @@ -834,16 +832,12 @@ func NewContext() { n, err := base64.RawURLEncoding.Decode(LFS.JWTSecretBytes, []byte(LFS.JWTSecretBase64)) if err != nil || n != 32 { - //Generate new secret and save to config - - _, err := io.ReadFull(rand.Reader, LFS.JWTSecretBytes) - + LFS.JWTSecretBase64, err = generate.NewLfsJwtSecret() if err != nil { - log.Fatal(4, "Error reading random bytes: %v", err) + log.Fatal(4, "Error generating JWT Secret for custom config: %v", err) + return } - LFS.JWTSecretBase64 = base64.RawURLEncoding.EncodeToString(LFS.JWTSecretBytes) - // Save secret cfg := ini.Empty() if com.IsFile(CustomConf) { @@ -913,19 +907,7 @@ func NewContext() { DisableGitHooks = sec.Key("DISABLE_GIT_HOOKS").MustBool(false) InternalToken = sec.Key("INTERNAL_TOKEN").String() if len(InternalToken) == 0 { - secretBytes := make([]byte, 32) - _, err := io.ReadFull(rand.Reader, secretBytes) - if err != nil { - log.Fatal(4, "Error reading random bytes: %v", err) - } - - secretKey := base64.RawURLEncoding.EncodeToString(secretBytes) - - now := time.Now() - InternalToken, err = jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{ - "nbf": now.Unix(), - }).SignedString([]byte(secretKey)) - + InternalToken, err = generate.NewInternalToken() if err != nil { log.Fatal(4, "Error generate internal token: %v", err) } diff --git a/routers/install.go b/routers/install.go index c180d947f..2a7ec93d2 100644 --- a/routers/install.go +++ b/routers/install.go @@ -20,6 +20,7 @@ import ( "code.gitea.io/gitea/modules/auth" "code.gitea.io/gitea/modules/base" "code.gitea.io/gitea/modules/context" + "code.gitea.io/gitea/modules/generate" "code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/user" @@ -275,7 +276,12 @@ func InstallPost(ctx *context.Context, form auth.InstallForm) { if form.LFSRootPath != "" { cfg.Section("server").Key("LFS_START_SERVER").SetValue("true") cfg.Section("server").Key("LFS_CONTENT_PATH").SetValue(form.LFSRootPath) - cfg.Section("server").Key("LFS_JWT_SECRET").SetValue(base.GetRandomBytesAsBase64(32)) + var secretKey string + if secretKey, err = generate.NewLfsJwtSecret(); err != nil { + ctx.RenderWithErr(ctx.Tr("install.lfs_jwt_secret_failed", err), tplInstall, &form) + return + } + cfg.Section("server").Key("LFS_JWT_SECRET").SetValue(secretKey) } else { cfg.Section("server").Key("LFS_START_SERVER").SetValue("false") } @@ -315,7 +321,7 @@ func InstallPost(ctx *context.Context, form auth.InstallForm) { cfg.Section("security").Key("INSTALL_LOCK").SetValue("true") var secretKey string - if secretKey, err = base.GetRandomString(10); err != nil { + if secretKey, err = generate.NewSecretKey(); err != nil { ctx.RenderWithErr(ctx.Tr("install.secret_key_failed", err), tplInstall, &form) return } diff --git a/routers/user/auth_openid.go b/routers/user/auth_openid.go index c784d7e1e..7df40bcc9 100644 --- a/routers/user/auth_openid.go +++ b/routers/user/auth_openid.go @@ -13,6 +13,7 @@ import ( "code.gitea.io/gitea/modules/auth/openid" "code.gitea.io/gitea/modules/base" "code.gitea.io/gitea/modules/context" + "code.gitea.io/gitea/modules/generate" "code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/setting" @@ -348,7 +349,7 @@ func RegisterOpenIDPost(ctx *context.Context, cpt *captcha.Captcha, form auth.Si if len < 256 { len = 256 } - password, err := base.GetRandomString(len) + password, err := generate.GetRandomString(len) if err != nil { ctx.RenderWithErr(err.Error(), tplSignUpOID, form) return