Merge branch...

Merge branch '28996-automatic-https-certificate-creation-renewal-for-pages-custom-domains-4' into 'master' Store Let's Encrypt private_key in `application_settings` instead of `secrets.yml` See merge request gitlab-org/gitlab-ce!28353

Merge branch...
Merge branch '28996-automatic-https-certificate-creation-renewal-for-pages-custom-domains-4' into 'master' Store Let's Encrypt private_key in `application_settings` instead of `secrets.yml` See merge request gitlab-org/gitlab-ce!28353
c2b7c6e6 · Stan Hu · af439708 · 4687ff7c · c2b7c6e6 · c2b7c6e6
Commit c2b7c6e6 authored May 28, 2019 by Stan Hu
9 changed files
--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@@ -257,6 +257,12 @@ class ApplicationSetting < ApplicationRecord
                 algorithm: 'aes-256-gcm',
                 encode: true

+  attr_encrypted :lets_encrypt_private_key,
+                 mode: :per_attribute_iv,
+                 key: Settings.attr_encrypted_db_key_base_truncated,
+                 algorithm: 'aes-256-gcm',
+                 encode: true
+
  before_validation :ensure_uuid!
  before_validation :strip_sentry_values


--- a/config/initializers/01_secret_token.rb
+++ b/config/initializers/01_secret_token.rb
@@ -39,8 +39,7 @@ def create_tokens
    secret_key_base: file_secret_key || generate_new_secure_token,
    otp_key_base: env_secret_key || file_secret_key || generate_new_secure_token,
    db_key_base: generate_new_secure_token,
-    openid_connect_signing_key: generate_new_rsa_private_key,
-    lets_encrypt_private_key: generate_lets_encrypt_private_key
+    openid_connect_signing_key: generate_new_rsa_private_key
  }

  missing_secrets = set_missing_keys(defaults)
@@ -61,10 +60,6 @@ def generate_new_rsa_private_key
  OpenSSL::PKey::RSA.new(2048).to_pem
 end

-def generate_lets_encrypt_private_key
-  OpenSSL::PKey::RSA.new(4096).to_pem
-end
-
 def warn_missing_secret(secret)
  warn "Missing Rails.application.secrets.#{secret} for #{Rails.env} environment. The secret will be generated and stored in config/secrets.yml."
 end

--- a/db/migrate/20190516151857_add_lets_encrypt_private_key_to_application_settings.rb
+++ b/db/migrate/20190516151857_add_lets_encrypt_private_key_to_application_settings.rb
+# frozen_string_literal: true
+
+# See http://doc.gitlab.com/ce/development/migration_style_guide.html
+# for more information on how to write migrations for GitLab.
+
+class AddLetsEncryptPrivateKeyToApplicationSettings < ActiveRecord::Migration[5.1]
+  include Gitlab::Database::MigrationHelpers
+
+  # Set this constant to true if this migration requires downtime.
+  DOWNTIME = false
+
+  def change
+    add_column :application_settings, :encrypted_lets_encrypt_private_key, :text
+    add_column :application_settings, :encrypted_lets_encrypt_private_key_iv, :text
+  end
+end
--- a/db/migrate/20190524062810_generate_lets_encrypt_private_key.rb
+++ b/db/migrate/20190524062810_generate_lets_encrypt_private_key.rb
+# frozen_string_literal: true
+
+# See http://doc.gitlab.com/ce/development/migration_style_guide.html
+# for more information on how to write migrations for GitLab.
+
+class GenerateLetsEncryptPrivateKey < ActiveRecord::Migration[5.1]
+  include Gitlab::Database::MigrationHelpers
+
+  # Set this constant to true if this migration requires downtime.
+  DOWNTIME = false
+
+  class ApplicationSetting < ActiveRecord::Base
+    self.table_name = 'application_settings'
+
+    attr_encrypted :lets_encrypt_private_key,
+                   mode: :per_attribute_iv,
+                   key: Settings.attr_encrypted_db_key_base_truncated,
+                   algorithm: 'aes-256-gcm',
+                   encode: true
+  end
+
+  def up
+    ApplicationSetting.reset_column_information
+
+    private_key = OpenSSL::PKey::RSA.new(4096).to_pem
+    ApplicationSetting.find_each do |setting|
+      setting.update!(lets_encrypt_private_key: private_key)
+    end
+  end
+
+  def down
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.

-ActiveRecord::Schema.define(version: 20190516011213) do
+ActiveRecord::Schema.define(version: 20190524062810) do

  # These are extensions that must be enabled in order to support this database
  enable_extension "plpgsql"
@@ -191,6 +191,8 @@ ActiveRecord::Schema.define(version: 20190516011213) do
    t.boolean "lets_encrypt_terms_of_service_accepted", default: false, null: false
    t.integer "elasticsearch_shards", default: 5, null: false
    t.integer "elasticsearch_replicas", default: 1, null: false
+    t.text "encrypted_lets_encrypt_private_key"
+    t.text "encrypted_lets_encrypt_private_key_iv"
    t.index ["usage_stats_set_by_user_id"], name: "index_application_settings_on_usage_stats_set_by_user_id", using: :btree
  end


--- a/lib/gitlab/lets_encrypt/client.rb
+++ b/lib/gitlab/lets_encrypt/client.rb
@@ -45,7 +45,7 @@ module Gitlab
      end

      def private_key
-        @private_key ||= OpenSSL::PKey.read(Gitlab::Application.secrets.lets_encrypt_private_key)
+        @private_key ||= OpenSSL::PKey.read(Gitlab::CurrentSettings.lets_encrypt_private_key)
      end

      def admin_email

--- a/spec/initializers/secret_token_spec.rb
+++ b/spec/initializers/secret_token_spec.rb
@@ -45,21 +45,11 @@ describe 'create_tokens' do
        expect(keys).to all(match(RSA_KEY))
      end

-      it "generates private key for Let's Encrypt" do
-        create_tokens
-
-        keys = secrets.values_at(:lets_encrypt_private_key)
-
-        expect(keys.uniq).to eq(keys)
-        expect(keys).to all(match(RSA_KEY))
-      end
-
      it 'warns about the secrets to add to secrets.yml' do
        expect(self).to receive(:warn_missing_secret).with('secret_key_base')
        expect(self).to receive(:warn_missing_secret).with('otp_key_base')
        expect(self).to receive(:warn_missing_secret).with('db_key_base')
        expect(self).to receive(:warn_missing_secret).with('openid_connect_signing_key')
-        expect(self).to receive(:warn_missing_secret).with('lets_encrypt_private_key')

        create_tokens
      end
@@ -88,7 +78,6 @@ describe 'create_tokens' do
      before do
        secrets.db_key_base = 'db_key_base'
        secrets.openid_connect_signing_key = 'openid_connect_signing_key'
-        secrets.lets_encrypt_private_key = 'lets_encrypt_private_key'

        allow(File).to receive(:exist?).with('.secret').and_return(true)
        allow(File).to receive(:read).with('.secret').and_return('file_key')

--- a/spec/lib/gitlab/lets_encrypt/client_spec.rb
+++ b/spec/lib/gitlab/lets_encrypt/client_spec.rb
@@ -5,12 +5,14 @@ require 'spec_helper'
 describe ::Gitlab::LetsEncrypt::Client do
  include LetsEncryptHelpers

+  set(:private_key) { OpenSSL::PKey::RSA.new(4096).to_pem }
  let(:client) { described_class.new }

  before do
    stub_application_setting(
      lets_encrypt_notification_email: 'myemail@test.example.com',
-      lets_encrypt_terms_of_service_accepted: true
+      lets_encrypt_terms_of_service_accepted: true,
+      lets_encrypt_private_key: private_key
    )
  end


--- a/spec/migrations/generate_lets_encrypt_private_key_spec.rb
+++ b/spec/migrations/generate_lets_encrypt_private_key_spec.rb
+require 'spec_helper'
+require Rails.root.join('db', 'migrate', '20190524062810_generate_lets_encrypt_private_key.rb')
+
+describe GenerateLetsEncryptPrivateKey, :migration do
+  describe '#up' do
+    let(:applications_settings) { table(:applications_settings) }
+
+    it 'generates RSA private key and saves it in application settings' do
+      application_setting = described_class::ApplicationSetting.create!
+
+      described_class.new.up
+      application_setting.reload
+
+      expect(application_setting.lets_encrypt_private_key).to be_present
+      expect do
+        OpenSSL::PKey::RSA.new(application_setting.lets_encrypt_private_key)
+      end.not_to raise_error
+    end
+  end
+end