Merge pull request #113201 from talyz/gitlab-db-key-base-patch

gitlab: Add patch for db_key_base length bug, fix descriptions
2021-04-27 19:25:43 +02:00 · 2021-04-27 19:25:43 +02:00 · e50164a7ce
parent 8e1f3bcfa5 1215bd4ea9
commit e50164a7ce
3 changed files with 16 additions and 7 deletions
--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@ -588,7 +588,7 @@ in {
          the DB. If you change or lose this key you will be unable to
          access variables stored in database.

-          Make sure the secret is at least 30 characters and all random,
+          Make sure the secret is at least 32 characters and all random,
          no regular words or you'll be exposed to dictionary attacks.

          This should be a string, not a nix path, since nix paths are
@ -604,7 +604,7 @@ in {
          the DB. If you change or lose this key you will be unable to
          access variables stored in database.

-          Make sure the secret is at least 30 characters and all random,
+          Make sure the secret is at least 32 characters and all random,
          no regular words or you'll be exposed to dictionary attacks.

          This should be a string, not a nix path, since nix paths are
@ -620,7 +620,7 @@ in {
          tokens. If you change or lose this key, users which have 2FA
          enabled for login won't be able to login anymore.

-          Make sure the secret is at least 30 characters and all random,
+          Make sure the secret is at least 32 characters and all random,
          no regular words or you'll be exposed to dictionary attacks.

          This should be a string, not a nix path, since nix paths are
--- a/nixos/tests/gitlab.nix
+++ b/nixos/tests/gitlab.nix
@ -57,9 +57,9 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : with lib; {
          };
        };
        secrets = {
-          secretFile = pkgs.writeText "secret" "r8X9keSKynU7p4aKlh4GO1Bo77g5a7vj";
-          otpFile = pkgs.writeText "otpsecret" "Zu5hGx3YvQx40DvI8WoZJQpX2paSDOlG";
-          dbFile = pkgs.writeText "dbsecret" "lsGltKWTejOf6JxCVa7nLDenzkO9wPLR";
+          secretFile = pkgs.writeText "secret" "Aig5zaic";
+          otpFile = pkgs.writeText "otpsecret" "Riew9mue";
+          dbFile = pkgs.writeText "dbsecret" "we2quaeZ";
          jwsFile = pkgs.runCommand "oidcKeyBase" {} "${pkgs.openssl}/bin/openssl genrsa 2048 > $out";
        };
      };
--- a/pkgs/applications/version-management/gitlab/default.nix
+++ b/pkgs/applications/version-management/gitlab/default.nix
@ -1,4 +1,4 @@
-{ stdenv, lib, fetchurl, fetchFromGitLab, bundlerEnv
+{ stdenv, lib, fetchurl, fetchpatch, fetchFromGitLab, bundlerEnv
 , ruby, tzdata, git, nettools, nixosTests, nodejs, openssl
 , gitlabEnterprise ? false, callPackage, yarn
 , fixup_yarn_lock, replace, file
@ -125,6 +125,15 @@ stdenv.mkDerivation {
  patches = [
    # Change hardcoded paths to the NixOS equivalent
    ./remove-hardcoded-locations.patch
+
+    # Use the exactly 32 byte long version of db_key_base with
+    # aes-256-gcm, see
+    # https://gitlab.com/gitlab-org/gitlab/-/merge_requests/53602
+    (fetchpatch {
+      name = "secrets_db_key_base_length.patch";
+      url = "https://gitlab.com/gitlab-org/gitlab/-/commit/dea620633d446ca0f53a75674454ff0dd4bd8f99.patch";
+      sha256 = "19m4z4np3sai9kqqqgabl44xv7p8lkcyqr6s5471axfxmf9m2023";
+    })
  ];

  postPatch = ''