diff options
| author | Vladimir Shushlin <vshushlin@gitlab.com> | 2019-05-28 07:47:34 +0300 |
|---|---|---|
| committer | Stan Hu <stanhu@gmail.com> | 2019-05-28 07:47:34 +0300 |
| commit | 4687ff7c9be789341e82a6440234fce43f30b5be (patch) | |
| tree | 59b72fafa974c92af04590e7fc3b64c6536aef70 /spec | |
| parent | af43970834b911242eecf9b7c815faf0f6b50048 (diff) | |
Store Let's Encrypt private key in settings
Storing this key in secrets.yml was a bad idea,
it would require users using HA setups to manually
replicate secrets across nodes during update,
it also needed support from omnibus package
* Revert "Generate Let's Encrypt private key"
This reverts commit 444959bfa0b79e827a2a1a7a314acac19390f976.
* Add Let's Encrypt private key to settings
as encrypted attribute
* Generate Let's Encrypt private key
in database migration
Diffstat (limited to 'spec')
| -rw-r--r-- | spec/initializers/secret_token_spec.rb | 11 | ||||
| -rw-r--r-- | spec/lib/gitlab/lets_encrypt/client_spec.rb | 4 | ||||
| -rw-r--r-- | spec/migrations/generate_lets_encrypt_private_key_spec.rb | 20 |
3 files changed, 23 insertions, 12 deletions
diff --git a/spec/initializers/secret_token_spec.rb b/spec/initializers/secret_token_spec.rb index 77bc28a6b07..726ce07a2d1 100644 --- a/spec/initializers/secret_token_spec.rb +++ b/spec/initializers/secret_token_spec.rb @@ -45,21 +45,11 @@ describe 'create_tokens' do expect(keys).to all(match(RSA_KEY)) end - it "generates private key for Let's Encrypt" do - create_tokens - - keys = secrets.values_at(:lets_encrypt_private_key) - - expect(keys.uniq).to eq(keys) - expect(keys).to all(match(RSA_KEY)) - end - it 'warns about the secrets to add to secrets.yml' do expect(self).to receive(:warn_missing_secret).with('secret_key_base') expect(self).to receive(:warn_missing_secret).with('otp_key_base') expect(self).to receive(:warn_missing_secret).with('db_key_base') expect(self).to receive(:warn_missing_secret).with('openid_connect_signing_key') - expect(self).to receive(:warn_missing_secret).with('lets_encrypt_private_key') create_tokens end @@ -88,7 +78,6 @@ describe 'create_tokens' do before do secrets.db_key_base = 'db_key_base' secrets.openid_connect_signing_key = 'openid_connect_signing_key' - secrets.lets_encrypt_private_key = 'lets_encrypt_private_key' allow(File).to receive(:exist?).with('.secret').and_return(true) allow(File).to receive(:read).with('.secret').and_return('file_key') diff --git a/spec/lib/gitlab/lets_encrypt/client_spec.rb b/spec/lib/gitlab/lets_encrypt/client_spec.rb index 16a16acfd25..d63a2fbee04 100644 --- a/spec/lib/gitlab/lets_encrypt/client_spec.rb +++ b/spec/lib/gitlab/lets_encrypt/client_spec.rb @@ -5,12 +5,14 @@ require 'spec_helper' describe ::Gitlab::LetsEncrypt::Client do include LetsEncryptHelpers + set(:private_key) { OpenSSL::PKey::RSA.new(4096).to_pem } let(:client) { described_class.new } before do stub_application_setting( lets_encrypt_notification_email: 'myemail@test.example.com', - lets_encrypt_terms_of_service_accepted: true + lets_encrypt_terms_of_service_accepted: true, + lets_encrypt_private_key: private_key ) end diff --git a/spec/migrations/generate_lets_encrypt_private_key_spec.rb b/spec/migrations/generate_lets_encrypt_private_key_spec.rb new file mode 100644 index 00000000000..f47cc0c36ef --- /dev/null +++ b/spec/migrations/generate_lets_encrypt_private_key_spec.rb @@ -0,0 +1,20 @@ +require 'spec_helper' +require Rails.root.join('db', 'migrate', '20190524062810_generate_lets_encrypt_private_key.rb') + +describe GenerateLetsEncryptPrivateKey, :migration do + describe '#up' do + let(:applications_settings) { table(:applications_settings) } + + it 'generates RSA private key and saves it in application settings' do + application_setting = described_class::ApplicationSetting.create! + + described_class.new.up + application_setting.reload + + expect(application_setting.lets_encrypt_private_key).to be_present + expect do + OpenSSL::PKey::RSA.new(application_setting.lets_encrypt_private_key) + end.not_to raise_error + end + end +end |