Signed-off-by: Codruț Constantin Gușoi <codrut.gusoi@gmail.com>tags/v1.5.0-dev
// Copyright 2016 The Gogs Authors. All rights reserved. | |||||
// Copyright 2016 The Gitea Authors. All rights reserved. | |||||
// Use of this source code is governed by a MIT-style | |||||
// license that can be found in the LICENSE file. | |||||
package cmd | |||||
import ( | |||||
"fmt" | |||||
"code.gitea.io/gitea/modules/generate" | |||||
"github.com/urfave/cli" | |||||
) | |||||
var ( | |||||
// CmdGenerate represents the available generate sub-command. | |||||
CmdGenerate = cli.Command{ | |||||
Name: "generate", | |||||
Usage: "Command line interface for running generators", | |||||
Subcommands: []cli.Command{ | |||||
subcmdSecret, | |||||
}, | |||||
} | |||||
subcmdSecret = cli.Command{ | |||||
Name: "secret", | |||||
Usage: "Generate a secret token", | |||||
Subcommands: []cli.Command{ | |||||
microcmdGenerateInternalToken, | |||||
microcmdGenerateLfsJwtSecret, | |||||
microcmdGenerateSecretKey, | |||||
}, | |||||
} | |||||
microcmdGenerateInternalToken = cli.Command{ | |||||
Name: "INTERNAL_TOKEN", | |||||
Usage: "Generate a new INTERNAL_TOKEN", | |||||
Action: runGenerateInternalToken, | |||||
} | |||||
microcmdGenerateLfsJwtSecret = cli.Command{ | |||||
Name: "LFS_JWT_SECRET", | |||||
Usage: "Generate a new LFS_JWT_SECRET", | |||||
Action: runGenerateLfsJwtSecret, | |||||
} | |||||
microcmdGenerateSecretKey = cli.Command{ | |||||
Name: "SECRET_KEY", | |||||
Usage: "Generate a new SECRET_KEY", | |||||
Action: runGenerateSecretKey, | |||||
} | |||||
) | |||||
func runGenerateInternalToken(c *cli.Context) error { | |||||
internalToken, err := generate.NewInternalToken() | |||||
if err != nil { | |||||
return err | |||||
} | |||||
fmt.Printf("%s\n", internalToken) | |||||
return nil | |||||
} | |||||
func runGenerateLfsJwtSecret(c *cli.Context) error { | |||||
JWTSecretBase64, err := generate.NewLfsJwtSecret() | |||||
if err != nil { | |||||
return err | |||||
} | |||||
fmt.Printf("%s\n", JWTSecretBase64) | |||||
return nil | |||||
} | |||||
func runGenerateSecretKey(c *cli.Context) error { | |||||
secretKey, err := generate.NewSecretKey() | |||||
if err != nil { | |||||
return err | |||||
} | |||||
fmt.Printf("%s\n", secretKey) | |||||
return nil | |||||
} |
cmd.CmdDump, | cmd.CmdDump, | ||||
cmd.CmdCert, | cmd.CmdCert, | ||||
cmd.CmdAdmin, | cmd.CmdAdmin, | ||||
cmd.CmdGenerate, | |||||
} | } | ||||
app.Flags = append(app.Flags, []cli.Flag{}...) | app.Flags = append(app.Flags, []cli.Flag{}...) | ||||
app.Action = cmd.CmdWeb.Action | app.Action = cmd.CmdWeb.Action |
gouuid "github.com/satori/go.uuid" | gouuid "github.com/satori/go.uuid" | ||||
"gopkg.in/ini.v1" | "gopkg.in/ini.v1" | ||||
"code.gitea.io/gitea/modules/base" | |||||
"code.gitea.io/gitea/modules/generate" | |||||
"code.gitea.io/gitea/modules/log" | "code.gitea.io/gitea/modules/log" | ||||
"code.gitea.io/gitea/modules/setting" | "code.gitea.io/gitea/modules/setting" | ||||
) | ) | ||||
} | } | ||||
for _, org := range orgs { | for _, org := range orgs { | ||||
if org.Rands, err = base.GetRandomString(10); err != nil { | |||||
if org.Rands, err = generate.GetRandomString(10); err != nil { | |||||
return err | return err | ||||
} | } | ||||
if org.Salt, err = base.GetRandomString(10); err != nil { | |||||
if org.Salt, err = generate.GetRandomString(10); err != nil { | |||||
return err | return err | ||||
} | } | ||||
if _, err = sess.Id(org.ID).Update(org); err != nil { | if _, err = sess.Id(org.ID).Update(org); err != nil { |
"github.com/pquerna/otp/totp" | "github.com/pquerna/otp/totp" | ||||
"code.gitea.io/gitea/modules/base" | |||||
"code.gitea.io/gitea/modules/generate" | |||||
"code.gitea.io/gitea/modules/setting" | "code.gitea.io/gitea/modules/setting" | ||||
"code.gitea.io/gitea/modules/util" | "code.gitea.io/gitea/modules/util" | ||||
) | ) | ||||
// GenerateScratchToken recreates the scratch token the user is using. | // GenerateScratchToken recreates the scratch token the user is using. | ||||
func (t *TwoFactor) GenerateScratchToken() error { | func (t *TwoFactor) GenerateScratchToken() error { | ||||
token, err := base.GetRandomString(8) | |||||
token, err := generate.GetRandomString(8) | |||||
if err != nil { | if err != nil { | ||||
return err | return err | ||||
} | } |
"code.gitea.io/gitea/modules/avatar" | "code.gitea.io/gitea/modules/avatar" | ||||
"code.gitea.io/gitea/modules/base" | "code.gitea.io/gitea/modules/base" | ||||
"code.gitea.io/gitea/modules/generate" | |||||
"code.gitea.io/gitea/modules/log" | "code.gitea.io/gitea/modules/log" | ||||
"code.gitea.io/gitea/modules/setting" | "code.gitea.io/gitea/modules/setting" | ||||
"code.gitea.io/gitea/modules/util" | "code.gitea.io/gitea/modules/util" | ||||
// GetUserSalt returns a random user salt token. | // GetUserSalt returns a random user salt token. | ||||
func GetUserSalt() (string, error) { | func GetUserSalt() (string, error) { | ||||
return base.GetRandomString(10) | |||||
return generate.GetRandomString(10) | |||||
} | } | ||||
// NewGhostUser creates and returns a fake user for someone has deleted his/her account. | // NewGhostUser creates and returns a fake user for someone has deleted his/her account. |
"html/template" | "html/template" | ||||
"io" | "io" | ||||
"math" | "math" | ||||
"math/big" | |||||
"net/http" | "net/http" | ||||
"net/url" | "net/url" | ||||
"path" | "path" | ||||
return base64.StdEncoding.EncodeToString([]byte(username + ":" + password)) | return base64.StdEncoding.EncodeToString([]byte(username + ":" + password)) | ||||
} | } | ||||
// GetRandomString generate random string by specify chars. | |||||
func GetRandomString(n int) (string, error) { | |||||
const alphanum = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" | |||||
buffer := make([]byte, n) | |||||
max := big.NewInt(int64(len(alphanum))) | |||||
for i := 0; i < n; i++ { | |||||
index, err := randomInt(max) | |||||
if err != nil { | |||||
return "", err | |||||
} | |||||
buffer[i] = alphanum[index] | |||||
} | |||||
return string(buffer), nil | |||||
} | |||||
// GetRandomBytesAsBase64 generates a random base64 string from n bytes | // GetRandomBytesAsBase64 generates a random base64 string from n bytes | ||||
func GetRandomBytesAsBase64(n int) string { | func GetRandomBytesAsBase64(n int) string { | ||||
bytes := make([]byte, 32) | bytes := make([]byte, 32) | ||||
return base64.RawURLEncoding.EncodeToString(bytes) | return base64.RawURLEncoding.EncodeToString(bytes) | ||||
} | } | ||||
func randomInt(max *big.Int) (int, error) { | |||||
rand, err := rand.Int(rand.Reader, max) | |||||
if err != nil { | |||||
return 0, err | |||||
} | |||||
return int(rand.Int64()), nil | |||||
} | |||||
// VerifyTimeLimitCode verify time limit code | // VerifyTimeLimitCode verify time limit code | ||||
func VerifyTimeLimitCode(data string, minutes int, code string) bool { | func VerifyTimeLimitCode(data string, minutes int, code string) bool { | ||||
if len(code) <= 18 { | if len(code) <= 18 { |
assert.Equal(t, "Zm9vOmJhcg==", BasicAuthEncode("foo", "bar")) | assert.Equal(t, "Zm9vOmJhcg==", BasicAuthEncode("foo", "bar")) | ||||
} | } | ||||
func TestGetRandomString(t *testing.T) { | |||||
randomString, err := GetRandomString(4) | |||||
assert.NoError(t, err) | |||||
assert.Len(t, randomString, 4) | |||||
} | |||||
// TODO: Test PBKDF2() | // TODO: Test PBKDF2() | ||||
// TODO: Test VerifyTimeLimitCode() | // TODO: Test VerifyTimeLimitCode() | ||||
// TODO: Test CreateTimeLimitCode() | // TODO: Test CreateTimeLimitCode() |
// Copyright 2016 The Gogs Authors. All rights reserved. | |||||
// Copyright 2016 The Gitea Authors. All rights reserved. | |||||
// Use of this source code is governed by a MIT-style | |||||
// license that can be found in the LICENSE file. | |||||
package generate | |||||
import ( | |||||
"crypto/rand" | |||||
"encoding/base64" | |||||
"io" | |||||
"math/big" | |||||
"time" | |||||
"github.com/dgrijalva/jwt-go" | |||||
) | |||||
// GetRandomString generate random string by specify chars. | |||||
func GetRandomString(n int) (string, error) { | |||||
const alphanum = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" | |||||
buffer := make([]byte, n) | |||||
max := big.NewInt(int64(len(alphanum))) | |||||
for i := 0; i < n; i++ { | |||||
index, err := randomInt(max) | |||||
if err != nil { | |||||
return "", err | |||||
} | |||||
buffer[i] = alphanum[index] | |||||
} | |||||
return string(buffer), nil | |||||
} | |||||
// NewInternalToken generate a new value intended to be used by INTERNAL_TOKEN. | |||||
func NewInternalToken() (string, error) { | |||||
secretBytes := make([]byte, 32) | |||||
_, err := io.ReadFull(rand.Reader, secretBytes) | |||||
if err != nil { | |||||
return "", err | |||||
} | |||||
secretKey := base64.RawURLEncoding.EncodeToString(secretBytes) | |||||
now := time.Now() | |||||
var internalToken string | |||||
internalToken, err = jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{ | |||||
"nbf": now.Unix(), | |||||
}).SignedString([]byte(secretKey)) | |||||
if err != nil { | |||||
return "", err | |||||
} | |||||
return internalToken, nil | |||||
} | |||||
// NewLfsJwtSecret generate a new value intended to be used by LFS_JWT_SECRET. | |||||
func NewLfsJwtSecret() (string, error) { | |||||
JWTSecretBytes := make([]byte, 32) | |||||
_, err := io.ReadFull(rand.Reader, JWTSecretBytes) | |||||
if err != nil { | |||||
return "", err | |||||
} | |||||
JWTSecretBase64 := base64.RawURLEncoding.EncodeToString(JWTSecretBytes) | |||||
return JWTSecretBase64, nil | |||||
} | |||||
// NewSecretKey generate a new value intended to be used by SECRET_KEY. | |||||
func NewSecretKey() (string, error) { | |||||
secretKey, err := GetRandomString(64) | |||||
if err != nil { | |||||
return "", err | |||||
} | |||||
return secretKey, nil | |||||
} | |||||
func randomInt(max *big.Int) (int, error) { | |||||
rand, err := rand.Int(rand.Reader, max) | |||||
if err != nil { | |||||
return 0, err | |||||
} | |||||
return int(rand.Int64()), nil | |||||
} |
package generate | |||||
import ( | |||||
"os" | |||||
"testing" | |||||
"github.com/stretchr/testify/assert" | |||||
) | |||||
func TestMain(m *testing.M) { | |||||
retVal := m.Run() | |||||
os.Exit(retVal) | |||||
} | |||||
func TestGetRandomString(t *testing.T) { | |||||
randomString, err := GetRandomString(4) | |||||
assert.NoError(t, err) | |||||
assert.Len(t, randomString, 4) | |||||
} |
package setting | package setting | ||||
import ( | import ( | ||||
"crypto/rand" | |||||
"encoding/base64" | "encoding/base64" | ||||
"fmt" | "fmt" | ||||
"io" | |||||
"net" | "net" | ||||
"net/mail" | "net/mail" | ||||
"net/url" | "net/url" | ||||
"time" | "time" | ||||
"code.gitea.io/git" | "code.gitea.io/git" | ||||
"code.gitea.io/gitea/modules/generate" | |||||
"code.gitea.io/gitea/modules/log" | "code.gitea.io/gitea/modules/log" | ||||
_ "code.gitea.io/gitea/modules/minwinsvc" // import minwinsvc for windows services | _ "code.gitea.io/gitea/modules/minwinsvc" // import minwinsvc for windows services | ||||
"code.gitea.io/gitea/modules/user" | "code.gitea.io/gitea/modules/user" | ||||
"github.com/Unknwon/com" | "github.com/Unknwon/com" | ||||
"github.com/dgrijalva/jwt-go" | |||||
_ "github.com/go-macaron/cache/memcache" // memcache plugin for cache | _ "github.com/go-macaron/cache/memcache" // memcache plugin for cache | ||||
_ "github.com/go-macaron/cache/redis" | _ "github.com/go-macaron/cache/redis" | ||||
"github.com/go-macaron/session" | "github.com/go-macaron/session" | ||||
n, err := base64.RawURLEncoding.Decode(LFS.JWTSecretBytes, []byte(LFS.JWTSecretBase64)) | n, err := base64.RawURLEncoding.Decode(LFS.JWTSecretBytes, []byte(LFS.JWTSecretBase64)) | ||||
if err != nil || n != 32 { | if err != nil || n != 32 { | ||||
//Generate new secret and save to config | |||||
_, err := io.ReadFull(rand.Reader, LFS.JWTSecretBytes) | |||||
LFS.JWTSecretBase64, err = generate.NewLfsJwtSecret() | |||||
if err != nil { | if err != nil { | ||||
log.Fatal(4, "Error reading random bytes: %v", err) | |||||
log.Fatal(4, "Error generating JWT Secret for custom config: %v", err) | |||||
return | |||||
} | } | ||||
LFS.JWTSecretBase64 = base64.RawURLEncoding.EncodeToString(LFS.JWTSecretBytes) | |||||
// Save secret | // Save secret | ||||
cfg := ini.Empty() | cfg := ini.Empty() | ||||
if com.IsFile(CustomConf) { | if com.IsFile(CustomConf) { | ||||
DisableGitHooks = sec.Key("DISABLE_GIT_HOOKS").MustBool(false) | DisableGitHooks = sec.Key("DISABLE_GIT_HOOKS").MustBool(false) | ||||
InternalToken = sec.Key("INTERNAL_TOKEN").String() | InternalToken = sec.Key("INTERNAL_TOKEN").String() | ||||
if len(InternalToken) == 0 { | if len(InternalToken) == 0 { | ||||
secretBytes := make([]byte, 32) | |||||
_, err := io.ReadFull(rand.Reader, secretBytes) | |||||
if err != nil { | |||||
log.Fatal(4, "Error reading random bytes: %v", err) | |||||
} | |||||
secretKey := base64.RawURLEncoding.EncodeToString(secretBytes) | |||||
now := time.Now() | |||||
InternalToken, err = jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{ | |||||
"nbf": now.Unix(), | |||||
}).SignedString([]byte(secretKey)) | |||||
InternalToken, err = generate.NewInternalToken() | |||||
if err != nil { | if err != nil { | ||||
log.Fatal(4, "Error generate internal token: %v", err) | log.Fatal(4, "Error generate internal token: %v", err) | ||||
} | } |
"code.gitea.io/gitea/modules/auth" | "code.gitea.io/gitea/modules/auth" | ||||
"code.gitea.io/gitea/modules/base" | "code.gitea.io/gitea/modules/base" | ||||
"code.gitea.io/gitea/modules/context" | "code.gitea.io/gitea/modules/context" | ||||
"code.gitea.io/gitea/modules/generate" | |||||
"code.gitea.io/gitea/modules/log" | "code.gitea.io/gitea/modules/log" | ||||
"code.gitea.io/gitea/modules/setting" | "code.gitea.io/gitea/modules/setting" | ||||
"code.gitea.io/gitea/modules/user" | "code.gitea.io/gitea/modules/user" | ||||
if form.LFSRootPath != "" { | if form.LFSRootPath != "" { | ||||
cfg.Section("server").Key("LFS_START_SERVER").SetValue("true") | cfg.Section("server").Key("LFS_START_SERVER").SetValue("true") | ||||
cfg.Section("server").Key("LFS_CONTENT_PATH").SetValue(form.LFSRootPath) | cfg.Section("server").Key("LFS_CONTENT_PATH").SetValue(form.LFSRootPath) | ||||
cfg.Section("server").Key("LFS_JWT_SECRET").SetValue(base.GetRandomBytesAsBase64(32)) | |||||
var secretKey string | |||||
if secretKey, err = generate.NewLfsJwtSecret(); err != nil { | |||||
ctx.RenderWithErr(ctx.Tr("install.lfs_jwt_secret_failed", err), tplInstall, &form) | |||||
return | |||||
} | |||||
cfg.Section("server").Key("LFS_JWT_SECRET").SetValue(secretKey) | |||||
} else { | } else { | ||||
cfg.Section("server").Key("LFS_START_SERVER").SetValue("false") | cfg.Section("server").Key("LFS_START_SERVER").SetValue("false") | ||||
} | } | ||||
cfg.Section("security").Key("INSTALL_LOCK").SetValue("true") | cfg.Section("security").Key("INSTALL_LOCK").SetValue("true") | ||||
var secretKey string | var secretKey string | ||||
if secretKey, err = base.GetRandomString(10); err != nil { | |||||
if secretKey, err = generate.NewSecretKey(); err != nil { | |||||
ctx.RenderWithErr(ctx.Tr("install.secret_key_failed", err), tplInstall, &form) | ctx.RenderWithErr(ctx.Tr("install.secret_key_failed", err), tplInstall, &form) | ||||
return | return | ||||
} | } |
"code.gitea.io/gitea/modules/auth/openid" | "code.gitea.io/gitea/modules/auth/openid" | ||||
"code.gitea.io/gitea/modules/base" | "code.gitea.io/gitea/modules/base" | ||||
"code.gitea.io/gitea/modules/context" | "code.gitea.io/gitea/modules/context" | ||||
"code.gitea.io/gitea/modules/generate" | |||||
"code.gitea.io/gitea/modules/log" | "code.gitea.io/gitea/modules/log" | ||||
"code.gitea.io/gitea/modules/setting" | "code.gitea.io/gitea/modules/setting" | ||||
if len < 256 { | if len < 256 { | ||||
len = 256 | len = 256 | ||||
} | } | ||||
password, err := base.GetRandomString(len) | |||||
password, err := generate.GetRandomString(len) | |||||
if err != nil { | if err != nil { | ||||
ctx.RenderWithErr(err.Error(), tplSignUpOID, form) | ctx.RenderWithErr(err.Error(), tplSignUpOID, form) | ||||
return | return |