gitlab: add rake task to delete tokens

The information disclosure was caued by CVE-2017-0882.
2017-03-21 12:52:39 +01:00 · 2017-03-21 12:52:39 +01:00 · 219e91b4c6
commit 219e91b4c6
parent 4bd12fa7b2
2 changed files with 47 additions and 0 deletions
--- a/pkgs/applications/version-management/gitlab/default.nix
+++ b/pkgs/applications/version-management/gitlab/default.nix
@ -91,6 +91,10 @@ stdenv.mkDerivation rec {
    cp -r . $out/share/gitlab
    ln -sf /run/gitlab/uploads $out/share/gitlab/public/uploads
    ln -sf /run/gitlab/config $out/share/gitlab/config
    # rake tasks to mitigate CVE-2017-0882
    # see https://about.gitlab.com/2017/03/20/gitlab-8-dot-17-dot-4-security-release/
    cp ${./reset_token.rake} $out/share/gitlab/lib/tasks/reset_token.rake
  '';
  passthru = {
--- a/pkgs/applications/version-management/gitlab/reset_token.rake
+++ b/pkgs/applications/version-management/gitlab/reset_token.rake
@ -0,0 +1,43 @@
 # Taken from:
 # https://about.gitlab.com/2017/03/20/gitlab-8-dot-17-dot-4-security-release/
 # lib/tasks/reset_token.rake
 require_relative '../../app/models/concerns/token_authenticatable.rb'
 STDOUT.sync = true
 namespace :tokens do
  desc "Reset all GitLab user auth tokens"
  task reset_all: :environment do
    reset_all_users_token(:reset_authentication_token!)
  end
  desc "Reset all GitLab email tokens"
  task reset_all_email: :environment do
    reset_all_users_token(:reset_incoming_email_token!)
  end
  def reset_all_users_token(token)
    TmpUser.find_in_batches do |batch|
      puts "Processing batch starting with user ID: #{batch.first.id}"
      batch.each(&token)
    end
  end
 end
 class TmpUser < ActiveRecord::Base
  include TokenAuthenticatable
  self.table_name = 'users'
  def reset_authentication_token!
    write_new_token(:authentication_token)
    save!(validate: false)
  end
  def reset_incoming_email_token!
    write_new_token(:incoming_email_token)
    save!(validate: false)
  end
 end