gitea/modules/generate/generate.go

// Copyright 2016 The Gogs Authors. All rights reserved.
// Copyright 2016 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT

package generate

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"io"
	"time"

	"code.gitea.io/gitea/modules/util"

	"github.com/golang-jwt/jwt/v5"
)

// NewInternalToken generate a new value intended to be used by INTERNAL_TOKEN.
func NewInternalToken() (string, error) {
	secretBytes := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, secretBytes)
	if err != nil {
		return "", err
	}

	secretKey := base64.RawURLEncoding.EncodeToString(secretBytes)

	now := time.Now()

	var internalToken string
	internalToken, err = jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
		"nbf": now.Unix(),
	}).SignedString([]byte(secretKey))
	if err != nil {
		return "", err
	}

	return internalToken, nil
}

const defaultJwtSecretLen = 32

// DecodeJwtSecretBase64 decodes a base64 encoded jwt secret into bytes, and check its length
func DecodeJwtSecretBase64(src string) ([]byte, error) {
	encoding := base64.RawURLEncoding
	decoded := make([]byte, encoding.DecodedLen(len(src))+3)
	if n, err := encoding.Decode(decoded, []byte(src)); err != nil {
		return nil, err
	} else if n != defaultJwtSecretLen {
		return nil, fmt.Errorf("invalid base64 decoded length: %d, expects: %d", n, defaultJwtSecretLen)
	}
	return decoded[:defaultJwtSecretLen], nil
}

// NewJwtSecretWithBase64 generates a jwt secret with its base64 encoded value intended to be used for saving into config file
func NewJwtSecretWithBase64() ([]byte, string, error) {
	bytes := make([]byte, defaultJwtSecretLen)
	_, err := io.ReadFull(rand.Reader, bytes)
	if err != nil {
		return nil, "", err
	}
	return bytes, base64.RawURLEncoding.EncodeToString(bytes), nil
}

// NewSecretKey generate a new value intended to be used by SECRET_KEY.
func NewSecretKey() (string, error) {
	secretKey, err := util.CryptoRandomString(64)
	if err != nil {
		return "", err
	}

	return secretKey, nil
}
Implements generator cli for secrets (#3531) Signed-off-by: Codruț Constantin Gușoi <codrut.gusoi@gmail.com> 2018-02-18 21:14:37 +03:00			`// Copyright 2016 The Gogs Authors. All rights reserved.`
			`// Copyright 2016 The Gitea Authors. All rights reserved.`
Implement FSFE REUSE for golang files (#21840) Change all license headers to comply with REUSE specification. Fix #16132 Co-authored-by: flynnnnnnnnnn <flynnnnnnnnnn@github> Co-authored-by: John Olheiser <john.olheiser@gmail.com> 2022-11-27 21:20:29 +03:00			`// SPDX-License-Identifier: MIT`
Implements generator cli for secrets (#3531) Signed-off-by: Codruț Constantin Gușoi <codrut.gusoi@gmail.com> 2018-02-18 21:14:37 +03:00
			`package generate`

			`import (`
			`"crypto/rand"`
			`"encoding/base64"`
Refactor JWT secret generating & decoding code (#29172) Old code is not consistent for generating & decoding the JWT secrets. Now, the callers only need to use 2 consistent functions: NewJwtSecretWithBase64 and DecodeJwtSecretBase64 And remove a non-common function Base64FixedDecode from util.go 2024-02-16 18:18:30 +03:00			`"fmt"`
Implements generator cli for secrets (#3531) Signed-off-by: Codruț Constantin Gușoi <codrut.gusoi@gmail.com> 2018-02-18 21:14:37 +03:00			`"io"`
			`"time"`

Use single shared random string generation function (#15741) * Use single shared random string generation function - Replace 3 functions that do the same with 1 shared one - Use crypto/rand over math/rand for a stronger RNG - Output only alphanumerical for URL compatibilty Fixes: #15536 * use const string method * Update modules/avatar/avatar.go Co-authored-by: a1012112796 <1012112796@qq.com> Co-authored-by: a1012112796 <1012112796@qq.com> 2021-05-10 09:45:17 +03:00			`"code.gitea.io/gitea/modules/util"`
switch to maintained lib (#16532) Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: Andrew Thornton <art27@cantab.net> 2021-07-24 14:00:41 +03:00
Bump github.com/golang-jwt/jwt to v5 (#25975) Bumping `github.com/golang-jwt/jwt` from v4 to v5. `github.com/golang-jwt/jwt` v5 is bringing some breaking changes: - standard `Valid()` method on claims is removed. It's replaced by `ClaimsValidator` interface implementing `Validator()` method instead, which is called after standard validation. Gitea doesn't seem to be using this logic. - `jwt.Token` has a field `Valid`, so it's checked in `ParseToken` function in `services/auth/source/oauth2/token.go` --------- Co-authored-by: Giteabot <teabot@gitea.io> 2023-07-19 12:57:10 +03:00			`"github.com/golang-jwt/jwt/v5"`
Implements generator cli for secrets (#3531) Signed-off-by: Codruț Constantin Gușoi <codrut.gusoi@gmail.com> 2018-02-18 21:14:37 +03:00			`)`

			`// NewInternalToken generate a new value intended to be used by INTERNAL_TOKEN.`
			`func NewInternalToken() (string, error) {`
			`secretBytes := make([]byte, 32)`
			`_, err := io.ReadFull(rand.Reader, secretBytes)`
			`if err != nil {`
			`return "", err`
			`}`

			`secretKey := base64.RawURLEncoding.EncodeToString(secretBytes)`

			`now := time.Now()`

			`var internalToken string`
			`internalToken, err = jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{`
			`"nbf": now.Unix(),`
			`}).SignedString([]byte(secretKey))`
			`if err != nil {`
			`return "", err`
			`}`

			`return internalToken, nil`
			`}`

Refactor JWT secret generating & decoding code (#29172) Old code is not consistent for generating & decoding the JWT secrets. Now, the callers only need to use 2 consistent functions: NewJwtSecretWithBase64 and DecodeJwtSecretBase64 And remove a non-common function Base64FixedDecode from util.go 2024-02-16 18:18:30 +03:00			`const defaultJwtSecretLen = 32`

			`// DecodeJwtSecretBase64 decodes a base64 encoded jwt secret into bytes, and check its length`
			`func DecodeJwtSecretBase64(src string) ([]byte, error) {`
			`encoding := base64.RawURLEncoding`
			`decoded := make([]byte, encoding.DecodedLen(len(src))+3)`
			`if n, err := encoding.Decode(decoded, []byte(src)); err != nil {`
Add asymmetric JWT signing (#16010) * Added asymmetric token signing. * Load signing key from settings. * Added optional kid parameter. * Updated documentation. * Add "kid" to token header. 2021-06-18 00:56:46 +03:00			`return nil, err`
Refactor JWT secret generating & decoding code (#29172) Old code is not consistent for generating & decoding the JWT secrets. Now, the callers only need to use 2 consistent functions: NewJwtSecretWithBase64 and DecodeJwtSecretBase64 And remove a non-common function Base64FixedDecode from util.go 2024-02-16 18:18:30 +03:00			`} else if n != defaultJwtSecretLen {`
			`return nil, fmt.Errorf("invalid base64 decoded length: %d, expects: %d", n, defaultJwtSecretLen)`
Add asymmetric JWT signing (#16010) * Added asymmetric token signing. * Load signing key from settings. * Added optional kid parameter. * Updated documentation. * Add "kid" to token header. 2021-06-18 00:56:46 +03:00			`}`
Refactor JWT secret generating & decoding code (#29172) Old code is not consistent for generating & decoding the JWT secrets. Now, the callers only need to use 2 consistent functions: NewJwtSecretWithBase64 and DecodeJwtSecretBase64 And remove a non-common function Base64FixedDecode from util.go 2024-02-16 18:18:30 +03:00			`return decoded[:defaultJwtSecretLen], nil`
Add asymmetric JWT signing (#16010) * Added asymmetric token signing. * Load signing key from settings. * Added optional kid parameter. * Updated documentation. * Add "kid" to token header. 2021-06-18 00:56:46 +03:00			`}`

Refactor JWT secret generating & decoding code (#29172) Old code is not consistent for generating & decoding the JWT secrets. Now, the callers only need to use 2 consistent functions: NewJwtSecretWithBase64 and DecodeJwtSecretBase64 And remove a non-common function Base64FixedDecode from util.go 2024-02-16 18:18:30 +03:00			`// NewJwtSecretWithBase64 generates a jwt secret with its base64 encoded value intended to be used for saving into config file`
			`func NewJwtSecretWithBase64() ([]byte, string, error) {`
			`bytes := make([]byte, defaultJwtSecretLen)`
			`_, err := io.ReadFull(rand.Reader, bytes)`
Implements generator cli for secrets (#3531) Signed-off-by: Codruț Constantin Gușoi <codrut.gusoi@gmail.com> 2018-02-18 21:14:37 +03:00			`if err != nil {`
Handle base64 decoding correctly to avoid panic (#26483) Fix the panic if the "base64 secret" is too long. 2023-08-14 13:30:16 +03:00			`return nil, "", err`
Implements generator cli for secrets (#3531) Signed-off-by: Codruț Constantin Gușoi <codrut.gusoi@gmail.com> 2018-02-18 21:14:37 +03:00			`}`
Handle base64 decoding correctly to avoid panic (#26483) Fix the panic if the "base64 secret" is too long. 2023-08-14 13:30:16 +03:00			`return bytes, base64.RawURLEncoding.EncodeToString(bytes), nil`
Implements generator cli for secrets (#3531) Signed-off-by: Codruț Constantin Gușoi <codrut.gusoi@gmail.com> 2018-02-18 21:14:37 +03:00			`}`

			`// NewSecretKey generate a new value intended to be used by SECRET_KEY.`
			`func NewSecretKey() (string, error) {`
Use base32 for 2FA scratch token (#18384) * Use base32 for 2FA scratch token * rename Secure* to Crypto*, add comments 2022-01-26 07:10:10 +03:00			`secretKey, err := util.CryptoRandomString(64)`
Implements generator cli for secrets (#3531) Signed-off-by: Codruț Constantin Gușoi <codrut.gusoi@gmail.com> 2018-02-18 21:14:37 +03:00			`if err != nil {`
			`return "", err`
			`}`

			`return secretKey, nil`
			`}`