Implements generator cli for secrets (#3531)

Signed-off-by: Codruț Constantin Gușoi <codrut.gusoi@gmail.com>
2025-11-04 16:40:24 +08:00 · 2018-02-18 18:14:37 +00:00
parent e59fe7c8d9
commit 96c268c0fc
12 changed files with 215 additions and 67 deletions
--- a/cmd/generate.go
+++ b/cmd/generate.go
@@ -0,0 +1,83 @@
+// Copyright 2016 The Gogs Authors. All rights reserved.
+// Copyright 2016 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package cmd
+
+import (
+	"fmt"
+
+	"code.gitea.io/gitea/modules/generate"
+
+	"github.com/urfave/cli"
+)
+
+var (
+	// CmdGenerate represents the available generate sub-command.
+	CmdGenerate = cli.Command{
+		Name:  "generate",
+		Usage: "Command line interface for running generators",
+		Subcommands: []cli.Command{
+			subcmdSecret,
+		},
+	}
+
+	subcmdSecret = cli.Command{
+		Name:  "secret",
+		Usage: "Generate a secret token",
+		Subcommands: []cli.Command{
+			microcmdGenerateInternalToken,
+			microcmdGenerateLfsJwtSecret,
+			microcmdGenerateSecretKey,
+		},
+	}
+
+	microcmdGenerateInternalToken = cli.Command{
+		Name:   "INTERNAL_TOKEN",
+		Usage:  "Generate a new INTERNAL_TOKEN",
+		Action: runGenerateInternalToken,
+	}
+
+	microcmdGenerateLfsJwtSecret = cli.Command{
+		Name:   "LFS_JWT_SECRET",
+		Usage:  "Generate a new LFS_JWT_SECRET",
+		Action: runGenerateLfsJwtSecret,
+	}
+
+	microcmdGenerateSecretKey = cli.Command{
+		Name:   "SECRET_KEY",
+		Usage:  "Generate a new SECRET_KEY",
+		Action: runGenerateSecretKey,
+	}
+)
+
+func runGenerateInternalToken(c *cli.Context) error {
+	internalToken, err := generate.NewInternalToken()
+	if err != nil {
+		return err
+	}
+
+	fmt.Printf("%s\n", internalToken)
+	return nil
+}
+
+func runGenerateLfsJwtSecret(c *cli.Context) error {
+	JWTSecretBase64, err := generate.NewLfsJwtSecret()
+	if err != nil {
+		return err
+	}
+
+	fmt.Printf("%s\n", JWTSecretBase64)
+	return nil
+}
+
+func runGenerateSecretKey(c *cli.Context) error {
+	secretKey, err := generate.NewSecretKey()
+	if err != nil {
+		return err
+	}
+
+	fmt.Printf("%s\n", secretKey)
+	return nil
+}
--- a/main.go
+++ b/main.go
@@ -45,6 +45,7 @@ arguments - which can alternatively be run by running the subcommand web.`
 		cmd.CmdDump,
 		cmd.CmdCert,
 		cmd.CmdAdmin,
+		cmd.CmdGenerate,
 	}
 	app.Flags = append(app.Flags, []cli.Flag{}...)
 	app.Action = cmd.CmdWeb.Action
--- a/models/migrations/migrations.go
+++ b/models/migrations/migrations.go
@@ -20,7 +20,7 @@ import (
 	gouuid "github.com/satori/go.uuid"
 	"gopkg.in/ini.v1"

-	"code.gitea.io/gitea/modules/base"
+	"code.gitea.io/gitea/modules/generate"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
 )
@@ -539,10 +539,10 @@ func generateOrgRandsAndSalt(x *xorm.Engine) (err error) {
 	}

 	for _, org := range orgs {
-		if org.Rands, err = base.GetRandomString(10); err != nil {
+		if org.Rands, err = generate.GetRandomString(10); err != nil {
 			return err
 		}
-		if org.Salt, err = base.GetRandomString(10); err != nil {
+		if org.Salt, err = generate.GetRandomString(10); err != nil {
 			return err
 		}
 		if _, err = sess.Id(org.ID).Update(org); err != nil {
--- a/models/twofactor.go
+++ b/models/twofactor.go
@@ -16,7 +16,7 @@ import (

 	"github.com/pquerna/otp/totp"

-	"code.gitea.io/gitea/modules/base"
+	"code.gitea.io/gitea/modules/generate"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/util"
 )
@@ -33,7 +33,7 @@ type TwoFactor struct {

 // GenerateScratchToken recreates the scratch token the user is using.
 func (t *TwoFactor) GenerateScratchToken() error {
-	token, err := base.GetRandomString(8)
+	token, err := generate.GetRandomString(8)
 	if err != nil {
 		return err
 	}
--- a/models/user.go
+++ b/models/user.go
@@ -34,6 +34,7 @@ import (

 	"code.gitea.io/gitea/modules/avatar"
 	"code.gitea.io/gitea/modules/base"
+	"code.gitea.io/gitea/modules/generate"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/util"
@@ -638,7 +639,7 @@ func IsUserExist(uid int64, name string) (bool, error) {

 // GetUserSalt returns a random user salt token.
 func GetUserSalt() (string, error) {
-	return base.GetRandomString(10)
+	return generate.GetRandomString(10)
 }

 // NewGhostUser creates and returns a fake user for someone has deleted his/her account.
--- a/modules/base/tool.go
+++ b/modules/base/tool.go
@@ -14,7 +14,6 @@ import (
 	"html/template"
 	"io"
 	"math"
-	"math/big"
 	"net/http"
 	"net/url"
 	"path"
@@ -88,25 +87,6 @@ func BasicAuthEncode(username, password string) string {
 	return base64.StdEncoding.EncodeToString([]byte(username + ":" + password))
 }

-// GetRandomString generate random string by specify chars.
-func GetRandomString(n int) (string, error) {
-	const alphanum = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
-
-	buffer := make([]byte, n)
-	max := big.NewInt(int64(len(alphanum)))
-
-	for i := 0; i < n; i++ {
-		index, err := randomInt(max)
-		if err != nil {
-			return "", err
-		}
-
-		buffer[i] = alphanum[index]
-	}
-
-	return string(buffer), nil
-}
-
 // GetRandomBytesAsBase64 generates a random base64 string from n bytes
 func GetRandomBytesAsBase64(n int) string {
 	bytes := make([]byte, 32)
@@ -119,15 +99,6 @@ func GetRandomBytesAsBase64(n int) string {
 	return base64.RawURLEncoding.EncodeToString(bytes)
 }

-func randomInt(max *big.Int) (int, error) {
-	rand, err := rand.Int(rand.Reader, max)
-	if err != nil {
-		return 0, err
-	}
-
-	return int(rand.Int64()), nil
-}
-
 // VerifyTimeLimitCode verify time limit code
 func VerifyTimeLimitCode(data string, minutes int, code string) bool {
 	if len(code) <= 18 {
--- a/modules/base/tool_test.go
+++ b/modules/base/tool_test.go
@@ -107,12 +107,6 @@ func TestBasicAuthEncode(t *testing.T) {
 	assert.Equal(t, "Zm9vOmJhcg==", BasicAuthEncode("foo", "bar"))
 }

-func TestGetRandomString(t *testing.T) {
-	randomString, err := GetRandomString(4)
-	assert.NoError(t, err)
-	assert.Len(t, randomString, 4)
-}
-
 // TODO: Test PBKDF2()
 // TODO: Test VerifyTimeLimitCode()
 // TODO: Test CreateTimeLimitCode()
--- a/modules/generate/generate.go
+++ b/modules/generate/generate.go
@@ -0,0 +1,89 @@
+// Copyright 2016 The Gogs Authors. All rights reserved.
+// Copyright 2016 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package generate
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+	"io"
+	"math/big"
+	"time"
+
+	"github.com/dgrijalva/jwt-go"
+)
+
+// GetRandomString generate random string by specify chars.
+func GetRandomString(n int) (string, error) {
+	const alphanum = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
+
+	buffer := make([]byte, n)
+	max := big.NewInt(int64(len(alphanum)))
+
+	for i := 0; i < n; i++ {
+		index, err := randomInt(max)
+		if err != nil {
+			return "", err
+		}
+
+		buffer[i] = alphanum[index]
+	}
+
+	return string(buffer), nil
+}
+
+// NewInternalToken generate a new value intended to be used by INTERNAL_TOKEN.
+func NewInternalToken() (string, error) {
+	secretBytes := make([]byte, 32)
+	_, err := io.ReadFull(rand.Reader, secretBytes)
+	if err != nil {
+		return "", err
+	}
+
+	secretKey := base64.RawURLEncoding.EncodeToString(secretBytes)
+
+	now := time.Now()
+
+	var internalToken string
+	internalToken, err = jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
+		"nbf": now.Unix(),
+	}).SignedString([]byte(secretKey))
+	if err != nil {
+		return "", err
+	}
+
+	return internalToken, nil
+}
+
+// NewLfsJwtSecret generate a new value intended to be used by LFS_JWT_SECRET.
+func NewLfsJwtSecret() (string, error) {
+	JWTSecretBytes := make([]byte, 32)
+	_, err := io.ReadFull(rand.Reader, JWTSecretBytes)
+	if err != nil {
+		return "", err
+	}
+
+	JWTSecretBase64 := base64.RawURLEncoding.EncodeToString(JWTSecretBytes)
+	return JWTSecretBase64, nil
+}
+
+// NewSecretKey generate a new value intended to be used by SECRET_KEY.
+func NewSecretKey() (string, error) {
+	secretKey, err := GetRandomString(64)
+	if err != nil {
+		return "", err
+	}
+
+	return secretKey, nil
+}
+
+func randomInt(max *big.Int) (int, error) {
+	rand, err := rand.Int(rand.Reader, max)
+	if err != nil {
+		return 0, err
+	}
+
+	return int(rand.Int64()), nil
+}
--- a/modules/generate/generate_test.go
+++ b/modules/generate/generate_test.go
@@ -0,0 +1,20 @@
+package generate
+
+import (
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestMain(m *testing.M) {
+	retVal := m.Run()
+
+	os.Exit(retVal)
+}
+
+func TestGetRandomString(t *testing.T) {
+	randomString, err := GetRandomString(4)
+	assert.NoError(t, err)
+	assert.Len(t, randomString, 4)
+}
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -6,10 +6,8 @@
 package setting

 import (
-	"crypto/rand"
 	"encoding/base64"
 	"fmt"
-	"io"
 	"net"
 	"net/mail"
 	"net/url"
@@ -24,12 +22,12 @@ import (
 	"time"

 	"code.gitea.io/git"
+	"code.gitea.io/gitea/modules/generate"
 	"code.gitea.io/gitea/modules/log"
 	_ "code.gitea.io/gitea/modules/minwinsvc" // import minwinsvc for windows services
 	"code.gitea.io/gitea/modules/user"

 	"github.com/Unknwon/com"
-	"github.com/dgrijalva/jwt-go"
 	_ "github.com/go-macaron/cache/memcache" // memcache plugin for cache
 	_ "github.com/go-macaron/cache/redis"
 	"github.com/go-macaron/session"
@@ -834,16 +832,12 @@ func NewContext() {
 		n, err := base64.RawURLEncoding.Decode(LFS.JWTSecretBytes, []byte(LFS.JWTSecretBase64))

 		if err != nil || n != 32 {
-			//Generate new secret and save to config
-
-			_, err := io.ReadFull(rand.Reader, LFS.JWTSecretBytes)
-
+			LFS.JWTSecretBase64, err = generate.NewLfsJwtSecret()
 			if err != nil {
-				log.Fatal(4, "Error reading random bytes: %v", err)
+				log.Fatal(4, "Error generating JWT Secret for custom config: %v", err)
+				return
 			}

-			LFS.JWTSecretBase64 = base64.RawURLEncoding.EncodeToString(LFS.JWTSecretBytes)
-
 			// Save secret
 			cfg := ini.Empty()
 			if com.IsFile(CustomConf) {
@@ -913,19 +907,7 @@ func NewContext() {
 	DisableGitHooks = sec.Key("DISABLE_GIT_HOOKS").MustBool(false)
 	InternalToken = sec.Key("INTERNAL_TOKEN").String()
 	if len(InternalToken) == 0 {
-		secretBytes := make([]byte, 32)
-		_, err := io.ReadFull(rand.Reader, secretBytes)
-		if err != nil {
-			log.Fatal(4, "Error reading random bytes: %v", err)
-		}
-
-		secretKey := base64.RawURLEncoding.EncodeToString(secretBytes)
-
-		now := time.Now()
-		InternalToken, err = jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
-			"nbf": now.Unix(),
-		}).SignedString([]byte(secretKey))
-
+		InternalToken, err = generate.NewInternalToken()
 		if err != nil {
 			log.Fatal(4, "Error generate internal token: %v", err)
 		}
--- a/routers/install.go
+++ b/routers/install.go
@@ -20,6 +20,7 @@ import (
 	"code.gitea.io/gitea/modules/auth"
 	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/context"
+	"code.gitea.io/gitea/modules/generate"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/user"
@@ -275,7 +276,12 @@ func InstallPost(ctx *context.Context, form auth.InstallForm) {
 	if form.LFSRootPath != "" {
 		cfg.Section("server").Key("LFS_START_SERVER").SetValue("true")
 		cfg.Section("server").Key("LFS_CONTENT_PATH").SetValue(form.LFSRootPath)
-		cfg.Section("server").Key("LFS_JWT_SECRET").SetValue(base.GetRandomBytesAsBase64(32))
+		var secretKey string
+		if secretKey, err = generate.NewLfsJwtSecret(); err != nil {
+			ctx.RenderWithErr(ctx.Tr("install.lfs_jwt_secret_failed", err), tplInstall, &form)
+			return
+		}
+		cfg.Section("server").Key("LFS_JWT_SECRET").SetValue(secretKey)
 	} else {
 		cfg.Section("server").Key("LFS_START_SERVER").SetValue("false")
 	}
@@ -315,7 +321,7 @@ func InstallPost(ctx *context.Context, form auth.InstallForm) {

 	cfg.Section("security").Key("INSTALL_LOCK").SetValue("true")
 	var secretKey string
-	if secretKey, err = base.GetRandomString(10); err != nil {
+	if secretKey, err = generate.NewSecretKey(); err != nil {
 		ctx.RenderWithErr(ctx.Tr("install.secret_key_failed", err), tplInstall, &form)
 		return
 	}
--- a/routers/user/auth_openid.go
+++ b/routers/user/auth_openid.go
@@ -13,6 +13,7 @@ import (
 	"code.gitea.io/gitea/modules/auth/openid"
 	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/context"
+	"code.gitea.io/gitea/modules/generate"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"

@@ -348,7 +349,7 @@ func RegisterOpenIDPost(ctx *context.Context, cpt *captcha.Captcha, form auth.Si
 	if len < 256 {
 		len = 256
 	}
-	password, err := base.GetRandomString(len)
+	password, err := generate.GetRandomString(len)
 	if err != nil {
 		ctx.RenderWithErr(err.Error(), tplSignUpOID, form)
 		return