From e97fad680a73720b4b539f54f0ac9bcd46ee92f9 Mon Sep 17 00:00:00 2001
From: Krasimir Angelov
Date: Thu, 5 Dec 2019 21:44:17 +1300
Subject: Base64 decode GitLab API secret before using it.
---
 acceptance_test.go | 3 ++-
 helpers_test.go | 10 ++++++++++
 internal/fixture/fixtures.go | 4 ++++
 internal/source/gitlab/client/client_test.go | 4 +++-
 main.go | 22 +++++++++++++++++++++-
 5 files changed, 40 insertions(+), 3 deletions(-)
diff --git a/acceptance_test.go b/acceptance_test.go
index dfa334b9..3dbb6950 100644
--- a/acceptance_test.go
+++ b/acceptance_test.go
@@ -1536,7 +1536,8 @@ func TestGitlabDomainsSource(t *testing.T) {
 defer source.Close()
 newSourceDomains := "GITLAB_NEW_SOURCE_DOMAINS=new-source-test.gitlab.io,other-test.gitlab.io"
- pagesArgs := []string{"-gitlab-server", source.URL, "-api-secret-key", "README.md"}
+ gitLabAPISecretKey := CreateGitLabAPISecretKeyFixtureFile(t)
+ pagesArgs := []string{"-gitlab-server", source.URL, "-api-secret-key", gitLabAPISecretKey}
 teardown := RunPagesProcessWithEnvs(t, true, *pagesBinary, listeners, "", []string{newSourceDomains}, pagesArgs...)
 defer teardown()
diff --git a/helpers_test.go b/helpers_test.go
index b13fb18f..c04993e9 100644
--- a/helpers_test.go
+++ b/helpers_test.go
@@ -75,6 +75,16 @@ func CreateHTTPSFixtureFiles(t *testing.T) (key string, cert string) {
 return keyfile.Name(), certfile.Name()
 }
+func CreateGitLabAPISecretKeyFixtureFile(t *testing.T) (filepath string) {
+ secretfile, err := ioutil.TempFile("", "gitlab-api-secret")
+ require.NoError(t, err)
+ secretfile.Close()
+
+ require.NoError(t, ioutil.WriteFile(secretfile.Name(), []byte(fixture.GitLabAPISecretKey), 0644))
+
+ return secretfile.Name()
+}
+
 // ListenSpec is used to point at a gitlab-pages http server, preserving the
 // type of port it is (http, https, proxy)
 type ListenSpec struct {
diff --git a/internal/fixture/fixtures.go b/internal/fixture/fixtures.go
index 38bbd375..e425da1b 100644
--- a/internal/fixture/fixtures.go
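Review bot: The file written by `CreateGitLabAPISecretKeyFixtureFile` (helpers_test.go hunk) is never removed, and its caller in `TestGitlabDomainsSource` (acceptance_test.go hunk) only defers `teardown()`, so every run leaves a copy of the key material in the temp directory. Have the caller add `defer os.Remove(gitLabAPISecretKey)` (assuming `os` is imported in that test file), or have the helper return a cleanup func alongside the path. The `0644` passed to `ioutil.WriteFile` is not applied because `ioutil.TempFile` has already created the file with mode 0600; writing `0600` there would state the intent for a secret. The exported helper also has no doc comment, and its named result `filepath` would shadow the `path/filepath` package if that is imported in this file; `path` would read better.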
+++ b/internal/fixture/fixtures.go
@@ -53,4 +53,8 @@ yhGSbQKBgD3VEnPiSUmXBo39kPcnPg93E3JfdAOiOwIB2qwfYzg9kpmuTWws+DFz
 lKpMI27YkmnPqROQ2NTUfdxYmw3EHHMAsvnmHeMNGn3ijSUZVKmPfV436Qc8iVci
 s4wKoCRhBUZ52sHki/ieb+5hycT3JnVXMDtbJxgXFW5a86usXEpO
 -----END RSA PRIVATE KEY-----`
+
+ // GitLabAPISecretKey used in tests
+ // 32 bytes, base64 encoded
+ GitLabAPISecretKey = "e41rcFh7XBA7sNABWVCe2AZvxMsy6QDtJ8S9Ql1UiN8="
 )
diff --git a/internal/source/gitlab/client/client_test.go b/internal/source/gitlab/client/client_test.go
index d056f2bd..e8c36c48 100644
--- a/internal/source/gitlab/client/client_test.go
+++ b/internal/source/gitlab/client/client_test.go
@@ -10,6 +10,8 @@ import (
 "github.com/stretchr/testify/require"
 jwt "github.com/dgrijalva/jwt-go"
+
+ "gitlab.com/gitlab-org/gitlab-pages/internal/fixture"
 )
 var (
@@ -144,6 +146,6 @@ func validateToken(t *testing.T, tokenString string) {
 }
 func secretKey() []byte {
- secretKey, _ := base64.StdEncoding.DecodeString(encodedSecret)
+ secretKey, _ := base64.StdEncoding.DecodeString(fixture.GitLabAPISecretKey)
 return secretKey
 }
diff --git a/main.go b/main.go
index aed0cc27..c4a6a4e2 100644
--- a/main.go
+++ b/main.go
@@ -1,6 +1,7 @@
 package main
 import (
+ "encoding/base64"
 "errors"
 "fmt"
 "io"
@@ -121,6 +122,22 @@ func setArtifactsServer(artifactsServer string, artifactsServerTimeout int, conf
 config.ArtifactsServer = artifactsServer
 }
+func setGitLabAPISecretKey(secretFile string, config *appConfig) {
+ encoded := readFile(secretFile)
+
+ decoded := make([]byte, base64.StdEncoding.DecodedLen(len(encoded)))
+ secretLength, err := base64.StdEncoding.Decode(decoded, encoded)
+ if err != nil {
+ log.WithError(err).Fatal("Failed to decode GitLab API secret")
+ }
+
+ if secretLength != 32 {
+ log.WithError(fmt.Errorf("Expected 32 bytes GitLab API secret but got %d bytes", secretLength)).Fatal("Failed to decode GitLab API secret")
+ }
+
+ config.GitLabAPISecretKey = decoded
+}
+
 func configFromFlags() appConfig {
 var config appConfig
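Review bot: `secretKey()` in client_test.go still discards the decode error (`secretKey, _ := ...`), so a malformed `fixture.GitLabAPISecretKey` would give the tests a short or empty key and the failure would show up later, presumably in token validation, rather than pointing at the fixture. The helper has no `*testing.T`, so `if err != nil { panic(err) }` after the `DecodeString` call is enough to surface it.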
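Review bot: `setGitLabAPISecretKey` in main.go assigns the whole `decoded` buffer instead of the `secretLength` bytes that `Decode` actually wrote. `DecodedLen` is an upper bound (33 for a 44-character padded input, and still 33 with a trailing newline), so the configured key is 33 bytes with a trailing zero byte even though the check just confirmed 32. Use `config.GitLabAPISecretKey = decoded[:secretLength]` so the stored key is exactly what was validated. If the key is only used for HMAC signing, key zero-padding probably masks the extra byte, which would explain why the tests pass but does not make the value correct for any other consumer. Separately, `Decode` skips only CR and LF, so a secret file with other trailing whitespace ends in `Fatal`; trimming `encoded` first would avoid that, though `bytes` would need importing.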
@@ -144,13 +161,16 @@ func configFromFlags() appConfig {
 }{
 {&config.RootCertificate, *pagesRootCert},
 {&config.RootKey, *pagesRootKey},
- {&config.GitLabAPISecretKey, *gitLabAPISecretKey},
 } {
 if file.path != "" {
 *file.contents = readFile(file.path)
 }
 }
+ if *gitLabAPISecretKey != "" {
+ setGitLabAPISecretKey(*gitLabAPISecretKey, &config)
+ }
+
 if *artifactsServer != "" {
 setArtifactsServer(*artifactsServer, *artifactsServerTimeout, &config)
 }
--
cgit v1.2.3
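Review bot: Nothing at the new `if *gitLabAPISecretKey != ""` branch in `configFromFlags` records that the secret file format has changed. The file was previously loaded verbatim by the `readFile` loop, whereas it must now be base64 that decodes to exactly 32 bytes, otherwise `setGitLabAPISecretKey` exits the process at startup. A comment above the branch would help the next reader, for example `// The API secret file must contain a base64-encoded 32-byte key; setGitLabAPISecretKey decodes it and exits on any other content.` The flag definition is outside this hunk, so its usage string should be checked to say the same. `configFromFlags` begins and ends outside the visible lines.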