Move secrets read and write to a helper.

757aced2 · Marin Jankovski · 81f25b83 · 757aced2 · 757aced2
Commit 757aced2 authored 9 years ago by Marin Jankovski
--- a/files/gitlab-cookbooks/gitlab/libraries/gitlab.rb
+++ b/files/gitlab-cookbooks/gitlab/libraries/gitlab.rb
@@ -67,38 +67,15 @@ module Gitlab
    end
  
    def generate_secrets(node_name)
-      existing_secrets ||= Hash.new
-      if File.exists?("/etc/gitlab/gitlab-secrets.json")
-        existing_secrets = Chef::JSONCompat.from_json(File.read("/etc/gitlab/gitlab-secrets.json"))
-      end
-      existing_secrets.each do |k, v|
-        v.each do |pk, p|
-          Gitlab[k][pk] = p
-        end
-      end
+      SecretsHelper.read_gitlab_secrets
  
      Gitlab['gitlab_shell']['secret_token'] ||= generate_hex(64)
      Gitlab['gitlab_rails']['secret_token'] ||= generate_hex(64)
      Gitlab['gitlab_ci']['secret_token'] ||= generate_hex(64)
  
-      if File.directory?("/etc/gitlab")
-        File.open("/etc/gitlab/gitlab-secrets.json", "w") do |f|
-          f.puts(
-            Chef::JSONCompat.to_json_pretty({
-              'gitlab_shell' => {
-                'secret_token' => Gitlab['gitlab_shell']['secret_token'],
-              },
-              'gitlab_rails' => {
-                'secret_token' => Gitlab['gitlab_rails']['secret_token'],
-              },
-              'gitlab_ci' => {
-                'secret_token' => Gitlab['gitlab_ci']['secret_token'],
-              }
-            })
-          )
-          system("chmod 0600 /etc/gitlab/gitlab-secrets.json")
-        end
-      end
+      # Note: Besides the section below, gitlab-secrets.json will also change
+      # in CiHelper in libraries/helper.rb
+      SecretsHelper.write_to_gitlab_secrets
    end
  
    def parse_external_url

--- a/files/gitlab-cookbooks/gitlab/libraries/helper.rb
+++ b/files/gitlab-cookbooks/gitlab/libraries/helper.rb
@@ -93,41 +93,38 @@ end
 class CiHelper
  
  def self.authorize_with_gitlab(gitlab_external_url)
-    require 'yaml'
-    credentials_file = "/var/opt/gitlab/gitlab-ci/etc/gitlab_server.yml"
-
-    if File.exists?(credentials_file)
-      Chef::Log.debug("Reading the CI credentials file at #{credentials_file}")
-      Chef::Log.debug("If you need to change app_id and app_secret use gitlab.rb.")
-      gitlab_server = YAML::load_file(credentials_file)
-      app_id = gitlab_server[:app_id]
-      app_secret = gitlab_server[:app_secret]
+    credentials_file = "/etc/gitlab/gitlab-secrets.json"
+
+    Chef::Log.warn("Connecting to GitLab to generate new app_id and app_secret.")
+    runner_cmd = [
+      "app=Doorkeeper::Application.where(redirect_uri: \"#{gitlab_external_url}\", name: \"GitLab CI\").first_or_create",
+      "puts app.uid.concat(\" \").concat(app.secret);"
+      ].join(" ;")
+
+    cmd = [
+      '/opt/gitlab/bin/gitlab-rails',
+      'runner',
+      '-e production',
+      "\'#{runner_cmd}\'"
+    ].join(" ")
+
+    o = Mixlib::ShellOut.new(cmd)
+    o.run_command
+
+    app_id, app_secret = nil
+    if o.exitstatus == 0
+      app_id, app_secret = o.stdout.chomp.split(" ")
+
+      Gitlab['gitlab_ci']['gitlab_server'] = { 'url' => gitlab_external_url,
+                                                 'app_id' => app_id,
+                                                 'app_secret' => app_secret
+                                               }
+
+      SecretsHelper.write_to_gitlab_secrets
+
+      Chef::Log.info("Updated the #{credentials_file} file.")
    else
-      Chef::Log.debug("Didn't find #{credentials_file}, connecting to database to generate new app_id and app_secret.")
-      runner_cmd = [
-        "app=Doorkeeper::Application.where(redirect_uri: \"#{gitlab_external_url}\", name: \"GitLab CI\").first_or_create",
-        "puts app.uid.concat(\" \").concat(app.secret);"
-        ].join(" ;")
-
-      cmd = [
-        '/opt/gitlab/bin/gitlab-rails',
-        'runner',
-        '-e production',
-        "\'#{runner_cmd}\'"
-      ].join(" ")
-
-      o = Mixlib::ShellOut.new(cmd)
-      o.run_command
-
-      app_id, app_secret = nil
-      if o.exitstatus == 0
-        app_id, app_secret = o.stdout.chomp.split(" ")
-        gitlab_server = { app_id: app_id, app_secret: app_secret }
-        File.open(credentials_file, 'w') { |file| file.write gitlab_server.to_yaml }
-        Chef::Log.debug("Created the CI credentials file at #{credentials_file}")
-      else
-        Chef::Log.warn("Something went wrong while trying to create #{credentials_file}. Check the file permissions and try reconfiguring again.")
-      end
+      Chef::Log.warn("Something went wrong while trying to update #{credentials_file}. Check the file permissions (default 600) and try reconfiguring again.")
    end
  
    { 'url' => gitlab_external_url, 'app_id' => app_id, 'app_secret' => app_secret }
@@ -135,6 +132,62 @@ class CiHelper
  
 end
  
+class SecretsHelper
+
+  def self.read_gitlab_secrets
+    existing_secrets ||= Hash.new
+
+    if File.exists?("/etc/gitlab/gitlab-secrets.json")
+      existing_secrets = Chef::JSONCompat.from_json(File.read("/etc/gitlab/gitlab-secrets.json"))
+    end
+
+    existing_secrets.each do |k, v|
+      v.each do |pk, p|
+        # Note: Specifiying a secret in gitlab.rb will take precendence over the `gitlab-secrets.json`
+        Gitlab[k][pk] ||= p
+      end
+    end
+  end
+
+  def self.write_to_gitlab_secrets
+    secret_tokens = {
+                      'gitlab_shell' => {
+                        'secret_token' => Gitlab['gitlab_shell']['secret_token'],
+                      },
+                      'gitlab_rails' => {
+                        'secret_token' => Gitlab['gitlab_rails']['secret_token'],
+                      },
+                      'gitlab_ci' => {
+                        'secret_token' => Gitlab['gitlab_ci']['secret_token'],
+                      }
+                    }
+
+    ci_credentials = if Gitlab['gitlab_ci']['gitlab_server']
+       { 'gitlab_ci' => {
+                          'secret_token' => Gitlab['gitlab_ci']['secret_token'],
+                          'gitlab_server' => {
+                            'url' => Gitlab['gitlab_ci']['gitlab_server']['url'],
+                            'app_id' => Gitlab['gitlab_ci']['gitlab_server']['app_id'],
+                            'app_secret' => Gitlab['gitlab_ci']['gitlab_server']['app_secret']
+                          }
+                        }
+        }
+    else
+      {}
+    end
+
+    if File.directory?("/etc/gitlab")
+      File.open("/etc/gitlab/gitlab-secrets.json", "w") do |f|
+        f.puts(
+          Chef::JSONCompat.to_json_pretty(secret_tokens.merge(ci_credentials))
+        )
+        system("chmod 0600 /etc/gitlab/gitlab-secrets.json")
+      end
+    end
+  end
+
+end
+
 module SingleQuoteHelper
  
  def single_quote(string)