mirror
/
gitea
mirror of https://github.com/go-gitea/gitea
2
0
Fork 0
Code Issues Releases Wiki Activity

Use general token signing secret (#29205)

Browse Source 
Use a clearly defined "signing secret" for token signing.
pull/29247/head
wxiaoguang 9 months ago committed by GitHub
parent c2a8aacae5
commit 8be198cdef
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
9 changed files with 82 additions and 33 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 2
      modules/base/tool.go
  2. 3
      modules/context/context.go
  3. 21
      modules/setting/lfs.go
  4. 36
      modules/setting/oauth2.go
  5. 34
      modules/setting/oauth2_test.go
  6. 4
      services/actions/auth.go
  7. 2
      services/actions/auth_test.go
  8. 9
      services/auth/source/oauth2/jwtsigningkey.go
  9. 4
      services/packages/auth.go

2
modules/base/tool.go
Unescape View File

@ -115,7 +115,7 @@ func CreateTimeLimitCode(data string, minutes int, startInf any) string {
// create sha1 encode string // create sha1 encode string
sh := sha1.New() sh := sha1.New()
_, _ = sh.Write([]byte(fmt.Sprintf("%s%s%s%s%d", data, setting.SecretKey, startStr, endStr, minutes))) _, _ = sh.Write([]byte(fmt.Sprintf("%s%s%s%s%d", data, hex.EncodeToString(setting.GetGeneralTokenSigningSecret()), startStr, endStr, minutes)))
encoded := hex.EncodeToString(sh.Sum(nil)) encoded := hex.EncodeToString(sh.Sum(nil))
code := fmt.Sprintf("%s%06d%s", startStr, minutes, encoded) code := fmt.Sprintf("%s%06d%s", startStr, minutes, encoded)

3
modules/context/context.go
Unescape View File

@ -6,6 +6,7 @@ package context
import ( import (
"context" "context"
"encoding/hex"
"fmt" "fmt"
"html/template" "html/template"
"io" "io"
@ -124,7 +125,7 @@ func NewWebContext(base *Base, render Render, session session.Store) *Context {
func Contexter() func(next http.Handler) http.Handler { func Contexter() func(next http.Handler) http.Handler {
rnd := templates.HTMLRenderer() rnd := templates.HTMLRenderer()
csrfOpts := CsrfOptions{ csrfOpts := CsrfOptions{
Secret: setting.SecretKey, Secret: hex.EncodeToString(setting.GetGeneralTokenSigningSecret()),
Cookie: setting.CSRFCookieName, Cookie: setting.CSRFCookieName,
SetCookie: true, SetCookie: true,
Secure: setting.SessionConfig.Secure, Secure: setting.SessionConfig.Secure,

21
modules/setting/lfs.go
Unescape View File

@ -12,12 +12,11 @@ import (
// LFS represents the configuration for Git LFS // LFS represents the configuration for Git LFS
var LFS = struct { var LFS = struct {
StartServer bool `ini:"LFS_START_SERVER"` StartServer bool `ini:"LFS_START_SERVER"`
JWTSecretBase64 string `ini:"LFS_JWT_SECRET"` JWTSecretBytes []byte `ini:"-"`
JWTSecretBytes []byte `ini:"-"` HTTPAuthExpiry time.Duration `ini:"LFS_HTTP_AUTH_EXPIRY"`
HTTPAuthExpiry time.Duration `ini:"LFS_HTTP_AUTH_EXPIRY"` MaxFileSize int64 `ini:"LFS_MAX_FILE_SIZE"`
MaxFileSize int64 `ini:"LFS_MAX_FILE_SIZE"` LocksPagingNum int `ini:"LFS_LOCKS_PAGING_NUM"`
LocksPagingNum int `ini:"LFS_LOCKS_PAGING_NUM"`
Storage *Storage Storage *Storage
}{} }{}
@ -59,10 +58,10 @@ func loadLFSFrom(rootCfg ConfigProvider) error {
return nil return nil
} }
LFS.JWTSecretBase64 = loadSecret(rootCfg.Section("server"), "LFS_JWT_SECRET_URI", "LFS_JWT_SECRET") jwtSecretBase64 := loadSecret(rootCfg.Section("server"), "LFS_JWT_SECRET_URI", "LFS_JWT_SECRET")
LFS.JWTSecretBytes, err = generate.DecodeJwtSecretBase64(LFS.JWTSecretBase64) LFS.JWTSecretBytes, err = generate.DecodeJwtSecretBase64(jwtSecretBase64)
if err != nil { if err != nil {
LFS.JWTSecretBytes, LFS.JWTSecretBase64, err = generate.NewJwtSecretWithBase64() LFS.JWTSecretBytes, jwtSecretBase64, err = generate.NewJwtSecretWithBase64()
if err != nil { if err != nil {
return fmt.Errorf("error generating JWT Secret for custom config: %v", err) return fmt.Errorf("error generating JWT Secret for custom config: %v", err)
} }
@ -72,8 +71,8 @@ func loadLFSFrom(rootCfg ConfigProvider) error {
if err != nil { if err != nil {
return fmt.Errorf("error saving JWT Secret for custom config: %v", err) return fmt.Errorf("error saving JWT Secret for custom config: %v", err)
} }
rootCfg.Section("server").Key("LFS_JWT_SECRET").SetValue(LFS.JWTSecretBase64) rootCfg.Section("server").Key("LFS_JWT_SECRET").SetValue(jwtSecretBase64)
saveCfg.Section("server").Key("LFS_JWT_SECRET").SetValue(LFS.JWTSecretBase64) saveCfg.Section("server").Key("LFS_JWT_SECRET").SetValue(jwtSecretBase64)
if err := saveCfg.Save(); err != nil { if err := saveCfg.Save(); err != nil {
return fmt.Errorf("error saving JWT Secret for custom config: %v", err) return fmt.Errorf("error saving JWT Secret for custom config: %v", err)
} }

36
modules/setting/oauth2.go
Unescape View File

@ -6,6 +6,7 @@ package setting
import ( import (
"math" "math"
"path/filepath" "path/filepath"
"sync/atomic"
"code.gitea.io/gitea/modules/generate" "code.gitea.io/gitea/modules/generate"
"code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/log"
@ -96,7 +97,6 @@ var OAuth2 = struct {
RefreshTokenExpirationTime int64 RefreshTokenExpirationTime int64
InvalidateRefreshTokens bool InvalidateRefreshTokens bool
JWTSigningAlgorithm string `ini:"JWT_SIGNING_ALGORITHM"` JWTSigningAlgorithm string `ini:"JWT_SIGNING_ALGORITHM"`
JWTSecretBase64 string `ini:"JWT_SECRET"`
JWTSigningPrivateKeyFile string `ini:"JWT_SIGNING_PRIVATE_KEY_FILE"` JWTSigningPrivateKeyFile string `ini:"JWT_SIGNING_PRIVATE_KEY_FILE"`
MaxTokenLength int MaxTokenLength int
DefaultApplications []string DefaultApplications []string
@ -128,28 +128,50 @@ func loadOAuth2From(rootCfg ConfigProvider) {
return return
} }
OAuth2.JWTSecretBase64 = loadSecret(sec, "JWT_SECRET_URI", "JWT_SECRET") jwtSecretBase64 := loadSecret(sec, "JWT_SECRET_URI", "JWT_SECRET")
if !filepath.IsAbs(OAuth2.JWTSigningPrivateKeyFile) { if !filepath.IsAbs(OAuth2.JWTSigningPrivateKeyFile) {
OAuth2.JWTSigningPrivateKeyFile = filepath.Join(AppDataPath, OAuth2.JWTSigningPrivateKeyFile) OAuth2.JWTSigningPrivateKeyFile = filepath.Join(AppDataPath, OAuth2.JWTSigningPrivateKeyFile)
} }
if InstallLock { if InstallLock {
if _, err := generate.DecodeJwtSecretBase64(OAuth2.JWTSecretBase64); err != nil { jwtSecretBytes, err := generate.DecodeJwtSecretBase64(jwtSecretBase64)
_, OAuth2.JWTSecretBase64, err = generate.NewJwtSecretWithBase64() if err != nil {
jwtSecretBytes, jwtSecretBase64, err = generate.NewJwtSecretWithBase64()
if err != nil { if err != nil {
log.Fatal("error generating JWT secret: %v", err) log.Fatal("error generating JWT secret: %v", err)
} }
saveCfg, err := rootCfg.PrepareSaving() saveCfg, err := rootCfg.PrepareSaving()
if err != nil { if err != nil {
log.Fatal("save oauth2.JWT_SECRET failed: %v", err) log.Fatal("save oauth2.JWT_SECRET failed: %v", err)
} }
rootCfg.Section("oauth2").Key("JWT_SECRET").SetValue(OAuth2.JWTSecretBase64) rootCfg.Section("oauth2").Key("JWT_SECRET").SetValue(jwtSecretBase64)
saveCfg.Section("oauth2").Key("JWT_SECRET").SetValue(OAuth2.JWTSecretBase64) saveCfg.Section("oauth2").Key("JWT_SECRET").SetValue(jwtSecretBase64)
if err := saveCfg.Save(); err != nil { if err := saveCfg.Save(); err != nil {
log.Fatal("save oauth2.JWT_SECRET failed: %v", err) log.Fatal("save oauth2.JWT_SECRET failed: %v", err)
} }
} }
generalSigningSecret.Store(&jwtSecretBytes)
}
}
// generalSigningSecret is used as container for a []byte value
// instead of an additional mutex, we use CompareAndSwap func to change the value thread save
var generalSigningSecret atomic.Pointer[[]byte]
func GetGeneralTokenSigningSecret() []byte {
old := generalSigningSecret.Load()
if old == nil || len(*old) == 0 {
jwtSecret, _, err := generate.NewJwtSecretWithBase64()
if err != nil {
log.Fatal("Unable to generate general JWT secret: %s", err.Error())
}
if generalSigningSecret.CompareAndSwap(old, &jwtSecret) {
// FIXME: in main branch, the signing token should be refactored (eg: one unique for LFS/OAuth2/etc ...)
log.Warn("OAuth2 is not enabled, unable to use a persistent signing secret, a new one is generated, which is not persistent between restarts and cluster nodes")
return jwtSecret
}
return *generalSigningSecret.Load()
} }
return *old
} }

34
modules/setting/oauth2_test.go
Unescape View File

@ -0,0 +1,34 @@
// Copyright 2024 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package setting
import (
"testing"
"code.gitea.io/gitea/modules/generate"
"code.gitea.io/gitea/modules/test"
"github.com/stretchr/testify/assert"
)
func TestGetGeneralSigningSecret(t *testing.T) {
// when there is no general signing secret, it should be generated, and keep the same value
assert.Nil(t, generalSigningSecret.Load())
s1 := GetGeneralTokenSigningSecret()
assert.NotNil(t, s1)
s2 := GetGeneralTokenSigningSecret()
assert.Equal(t, s1, s2)
// the config value should always override any pre-generated value
cfg, _ := NewConfigProviderFromData(`
[oauth2]
JWT_SECRET = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
`)
defer test.MockVariableValue(&InstallLock, true)()
loadOAuth2From(cfg)
actual := GetGeneralTokenSigningSecret()
expected, _ := generate.DecodeJwtSecretBase64("BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB")
assert.Len(t, actual, 32)
assert.EqualValues(t, expected, actual)
}

4
services/actions/auth.go
Unescape View File

@ -38,7 +38,7 @@ func CreateAuthorizationToken(taskID, runID, jobID int64) (string, error) {
} }
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims) token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
tokenString, err := token.SignedString([]byte(setting.SecretKey)) tokenString, err := token.SignedString(setting.GetGeneralTokenSigningSecret())
if err != nil { if err != nil {
return "", err return "", err
} }
@ -62,7 +62,7 @@ func ParseAuthorizationToken(req *http.Request) (int64, error) {
if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok { if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"]) return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
} }
return []byte(setting.SecretKey), nil return setting.GetGeneralTokenSigningSecret(), nil
}) })
if err != nil { if err != nil {
return 0, err return 0, err

2
services/actions/auth_test.go
Unescape View File

@ -20,7 +20,7 @@ func TestCreateAuthorizationToken(t *testing.T) {
assert.NotEqual(t, "", token) assert.NotEqual(t, "", token)
claims := jwt.MapClaims{} claims := jwt.MapClaims{}
_, err = jwt.ParseWithClaims(token, claims, func(t *jwt.Token) (interface{}, error) { _, err = jwt.ParseWithClaims(token, claims, func(t *jwt.Token) (interface{}, error) {
return []byte(setting.SecretKey), nil return setting.GetGeneralTokenSigningSecret(), nil
}) })
assert.Nil(t, err) assert.Nil(t, err)
scp, ok := claims["scp"] scp, ok := claims["scp"]

9
services/auth/source/oauth2/jwtsigningkey.go
Unescape View File

@ -18,7 +18,6 @@ import (
"path/filepath" "path/filepath"
"strings" "strings"
"code.gitea.io/gitea/modules/generate"
"code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/util" "code.gitea.io/gitea/modules/util"
@ -301,7 +300,7 @@ func InitSigningKey() error {
case "HS384": case "HS384":
fallthrough fallthrough
case "HS512": case "HS512":
key, err = loadSymmetricKey() key = setting.GetGeneralTokenSigningSecret()
case "RS256": case "RS256":
fallthrough fallthrough
case "RS384": case "RS384":
@ -334,12 +333,6 @@ func InitSigningKey() error {
return nil return nil
} }
// loadSymmetricKey checks if the configured secret is valid.
// If it is not valid, it will return an error.
func loadSymmetricKey() (any, error) {
return generate.DecodeJwtSecretBase64(setting.OAuth2.JWTSecretBase64)
}
// loadOrCreateAsymmetricKey checks if the configured private key exists. // loadOrCreateAsymmetricKey checks if the configured private key exists.
// If it does not exist a new random key gets generated and saved on the configured path. // If it does not exist a new random key gets generated and saved on the configured path.
func loadOrCreateAsymmetricKey() (any, error) { func loadOrCreateAsymmetricKey() (any, error) {

4
services/packages/auth.go
Unescape View File

@ -33,7 +33,7 @@ func CreateAuthorizationToken(u *user_model.User) (string, error) {
} }
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims) token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
tokenString, err := token.SignedString([]byte(setting.SecretKey)) tokenString, err := token.SignedString(setting.GetGeneralTokenSigningSecret())
if err != nil { if err != nil {
return "", err return "", err
} }
@ -57,7 +57,7 @@ func ParseAuthorizationToken(req *http.Request) (int64, error) {
if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok { if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"]) return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
} }
return []byte(setting.SecretKey), nil return setting.GetGeneralTokenSigningSecret(), nil
}) })
if err != nil { if err != nil {
return 0, err return 0, err

Write Preview
Loading…
Cancel
Save