Merge branch 'secrets-yaml' into 'master'

Use config/secrets.yml to store session secret and database encryption secret

I took the approach that config/secrets.yml is generated when key is not found.

/cc @vsizov @jacobvosmaer

See merge request !195

.gitignore

@@ -9,6 +9,7 @@ config/application.yml
 config/database.yml
 config/resque.yml
 config/unicorn.rb
+config/secrets.yml
 config/initializers/smtp_settings.rb
 coverage/*
 log/*

.gitlab-ci.yml

@@ -4,6 +4,7 @@ before_script:
   - gem install bundler
   - cp config/database.yml.mysql config/database.yml
   - cp config/application.yml.example config/application.yml
+  - cp config/secrets.yml.example config/secrets.yml
   - 'sed "s/username\:.*$/username\: runner/" -i config/database.yml'
   - 'sed "s/password\:.*$/password\: ''password''/" -i config/database.yml'
   - bundle --without postgres

CHANGELOG

@@ -13,6 +13,7 @@ v7.13.0
   - Build traces is stored in the file instead of database
   - Make the builds path configurable
   - Disable link to runner if it's not assigned to specific project
+  - Store all secrets in config/secrets.yml
 v7.12.2
   - Revert: Runner without tag should pick builds without tag only

app/helpers/user_sessions_helper.rb

@@ -6,7 +6,7 @@ module UserSessionsHelper
   def generate_oauth_hmac(salt, return_to)
     return unless return_to
     digest = OpenSSL::Digest.new('sha256')
-    key = GitlabCi::Application.config.secret_key_base + salt
+    key = GitlabCi::Application.secrets.secret_key_base + salt
     OpenSSL::HMAC.hexdigest(digest, key, return_to)
   end

config/initializers/secret_token.rb

@@ -2,22 +2,44 @@
 require 'securerandom'
-# Your secret key for verifying the integrity of signed cookies.
-# If you change this key, all old signed cookies will become invalid!
-# Make sure the secret is at least 30 characters and all random,
-# no regular words or you'll be exposed to dictionary attacks.
-def find_secure_token
+# Your secret key for verifying the integrity of signed cookies and encryption database variables.
+# If you change or lose this key, you will lose also all encrypted data!
+# Ensue that you backup the `config/secrets.yml` in some place secure.
+def generate_new_secure_token
+  SecureRandom.hex(64)
+end
+
+def find_old_secure_token
   token_file = Rails.root.join('.secret')
   if File.exist? token_file
     # Use the existing token.
     File.read(token_file).chomp
   else
     # Generate a new token of 64 random hexadecimal characters and store it in token_file.
-    token = SecureRandom.hex(64)
+    token = generate_new_secure_token
     File.write(token_file, token)
     token
   end
 end
-GitlabCi::Application.config.secret_key_base = find_secure_token
+if GitlabCi::Application.secrets.secret_key_base.blank? || GitlabCi::Application.secrets.db_key_base.blank?
+  warn "Missing `secret_key_base` or `db_key_base` for '#{Rails.env}' environment. The secrets will be generated and stored in `config/secrets.yml`"
+
+  all_secrets = YAML.load_file('config/secrets.yml') if File.exist?('config/secrets.yml')
+  all_secrets ||= {}
+
+  # generate secrets
+  env_secrets = all_secrets[Rails.env] || {}
+  env_secrets['secret_key_base'] ||= find_old_secure_token
+  env_secrets['db_key_base'] ||= generate_new_secure_token
+  all_secrets[Rails.env] = env_secrets
+
+  # save secrets
+  File.open('config/secrets.yml', 'w') do |file|
+    file.write(YAML.dump(all_secrets))
+  end
+
+  GitlabCi::Application.secrets.secret_key_base = env_secrets['secret_key_base']
+  GitlabCi::Application.secrets.db_key_base = env_secrets['db_key_base']
+end

config/secrets.yml.example

+production:
+  # secret_key_base is used to verify the integrity of signed cookies.
+  # If you change this key, all old signed cookies will become invalid!
+  # Make sure the secret is at least 30 characters and all random,
+  # no regular words or you'll be exposed to dictionary attacks.
+  # secret_key_base:
+
+  # db_key_base is used to encrypt for Variables. Ensure that you don't lose it.
+  # If you change or lose this key you will be unable to access variables stored in database.
+  # Make sure the secret is at least 30 characters and all random,
+  # no regular words or you'll be exposed to dictionary attacks.
+  # db_key_base:
+
+development:
+  secret_key_base: development
+  db_key_base: development
+
+test:
+  secret_key_base: test
+  db_key_base: test

doc/raketasks/backup_restore.md

@@ -123,11 +123,16 @@ with the name of your bucket:
 ## Storing configuration files
-Please be informed that a backup does not store your configuration files.
+Please be informed that a backup does not store your configuration and secret files.
 If you use an Omnibus package please see the [instructions in the readme to backup your configuration](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md#backup-and-restore-omnibus-gitlab-configuration).
 If you have a cookbook installation there should be a copy of your configuration in Chef.
-If you have an installation from source, please consider backing up your `application.yml` file, any SSL keys and certificates, and your [SSH host keys](https://superuser.com/questions/532040/copy-ssh-keys-from-one-server-to-another-server/532079#532079).
-
+If you have an installation from source:
+1. please backup `config/secrets.yml` file that contains key to encrypt variables in database,
+but don't store it in the same place as your database backups.
+Otherwise your users secrets are exposed in case one of your backups is compromised.
+1. please consider backing up your `application.yml` file,
+1. any SSL keys and certificates, 
+1. and your [SSH host keys](https://superuser.com/questions/532040/copy-ssh-keys-from-one-server-to-another-server/532079#532079).
 ## Restore a previously created backup