gitlab: Add patch for db_key_base length bug, fix descriptions

The upstream recommended minimum length for db_key_base is 30 bytes, which our option descriptions repeated. Recently, however, upstream has, in many places, moved to using aes-256-gcm, which requires a key of exactly 32 bytes. To allow for shorter keys, the upstream code pads the key in some places. However, in many others, it just truncates the key if it's too long, leaving it too short if it was to begin with. This adds a patch that fixes this and updates the descriptions to recommend a key of at least 32 characters. See https://gitlab.com/gitlab-org/gitlab/-/merge_requests/53602
2021-02-10 18:42:07 +01:00
parent ba6f0e8f03
commit 7a67a2d1a8
2 changed files with 13 additions and 4 deletions
--- a/pkgs/applications/version-management/gitlab/default.nix
+++ b/pkgs/applications/version-management/gitlab/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, lib, fetchurl, fetchFromGitLab, bundlerEnv
+{ stdenv, lib, fetchurl, fetchpatch, fetchFromGitLab, bundlerEnv
 , ruby, tzdata, git, nettools, nixosTests, nodejs, openssl
 , gitlabEnterprise ? false, callPackage, yarn
 , fixup_yarn_lock, replace, file
@@ -125,6 +125,15 @@ stdenv.mkDerivation {
  patches = [
    # Change hardcoded paths to the NixOS equivalent
    ./remove-hardcoded-locations.patch
+
+    # Use the exactly 32 byte long version of db_key_base with
+    # aes-256-gcm, see
+    # https://gitlab.com/gitlab-org/gitlab/-/merge_requests/53602
+    (fetchpatch {
+      name = "secrets_db_key_base_length.patch";
+      url = "https://gitlab.com/gitlab-org/gitlab/-/commit/dea620633d446ca0f53a75674454ff0dd4bd8f99.patch";
+      sha256 = "19m4z4np3sai9kqqqgabl44xv7p8lkcyqr6s5471axfxmf9m2023";
+    })
  ];

  postPatch = ''