fix

Author: wxiaoguang

cmd/generate.go

@@ -31,6 +31,7 @@ var (
 			microcmdGenerateInternalToken,
 			microcmdGenerateLfsJwtSecret,
 			microcmdGenerateSecretKey,
+			microcmdGenerateGeneralWebSecret,
 		},
 	}
 
@@ -52,6 +53,12 @@ var (
 		Usage:  "Generate a new SECRET_KEY",
 		Action: runGenerateSecretKey,
 	}
+
+	microcmdGenerateGeneralWebSecret = &cli.Command{
+		Name:   "GENERAL_WEB_SECRET",
+		Usage:  "Generate a new GENERAL_WEB_SECRET",
+		Action: runGenerateGeneralWebSecret,
+	}
 )
 
 func runGenerateInternalToken(c *cli.Context) error {
@@ -84,6 +91,18 @@ func runGenerateLfsJwtSecret(c *cli.Context) error {
 	return nil
 }
 
+func runGenerateGeneralWebSecret(c *cli.Context) error {
+	_, webSecretBase64, err := generate.NewGeneralWebSecretWithBase64()
+	if err != nil {
+		return err
+	}
+	fmt.Printf("%s", webSecretBase64)
+	if isatty.IsTerminal(os.Stdout.Fd()) {
+		fmt.Printf("\n")
+	}
+	return nil
+}
+
 func runGenerateSecretKey(c *cli.Context) error {
 	secretKey, err := generate.NewSecretKey()
 	if err != nil {

custom/conf/app.example.ini

@@ -428,18 +428,24 @@ INSTALL_LOCK = false
 ;;
 ;; Global secret key that will be used
 ;; This key is VERY IMPORTANT. If you lose it, the data encrypted by it (like 2FA secret) can't be decrypted anymore.
-SECRET_KEY =
+;SECRET_KEY =
 ;;
 ;; Alternative location to specify secret key, instead of this file; you cannot specify both this and SECRET_KEY, and must pick one
 ;; This key is VERY IMPORTANT. If you lose it, the data encrypted by it (like 2FA secret) can't be decrypted anymore.
 ;SECRET_KEY_URI = file:/etc/gitea/secret_key
 ;;
 ;; Secret used to validate communication within Gitea binary.
-INTERNAL_TOKEN =
+;INTERNAL_TOKEN =
 ;;
 ;; Alternative location to specify internal token, instead of this file; you cannot specify both this and INTERNAL_TOKEN, and must pick one
 ;INTERNAL_TOKEN_URI = file:/etc/gitea/internal_token
 ;;
+;; A general secret used for signing or encrypting web related contents (CSRF token, JWT token, validation, etc)
+;GENERAL_WEB_SECRET =
+;;
+;; Alternative location to specify general web secret (eg: file:/etc/gitea/general_web_secret), you cannot specify both this and GENERAL_WEB_SECRET, and must pick one
+;GENERAL_WEB_SECRET_URI =
+;;
 ;; How long to remember that a user is logged in before requiring relogin (in days)
 ;LOGIN_REMEMBER_DAYS = 31
 ;;

docs/content/administration/config-cheat-sheet.en-us.md

@@ -556,6 +556,8 @@ And the following unique queues:
 - `IMPORT_LOCAL_PATHS`: **false**: Set to `false` to prevent all users (including admin) from importing local path on server.
 - `INTERNAL_TOKEN`: **\<random at every install if no uri set\>**: Secret used to validate communication within Gitea binary.
 - `INTERNAL_TOKEN_URI`: **_empty_**: Instead of defining INTERNAL_TOKEN in the configuration, this configuration option can be used to give Gitea a path to a file that contains the internal token (example value: `file:/etc/gitea/internal_token`)
+- `GENERAL_WEB_SECRET`: **\<random at every install if no uri set\>**: A general secret used for signing or encrypting web related contents (CSRF token, JWT token, validation, etc).
+- `GENERAL_WEB_SECRET_URI`: **_empty_**: Instead of defining GENERAL_WEB_SECRET in the configuration, this configuration option can be used to give Gitea a path to a file that contains the general web secret (example value: `file:/etc/gitea/genearl_web_secret`)
 - `PASSWORD_HASH_ALGO`: **pbkdf2**: The hash algorithm to use \[argon2, pbkdf2, pbkdf2_v1, pbkdf2_hi, scrypt, bcrypt\], argon2 and scrypt will spend significant amounts of memory.
   - Note: The default parameters for `pbkdf2` hashing have changed - the previous settings are available as `pbkdf2_v1` but are not recommended.
   - The hash functions may be tuned by using `$` after the algorithm:

modules/generate/generate.go

@@ -39,23 +39,37 @@ func NewInternalToken() (string, error) {
 	return internalToken, nil
 }
 
-const defaultJwtSecretLen = 32
-
-// DecodeJwtSecretBase64 decodes a base64 encoded jwt secret into bytes, and check its length
 func DecodeJwtSecretBase64(src string) ([]byte, error) {
+	return decodeGeneralSecretBase64(src, 32)
+}
+
+func NewJwtSecretWithBase64() ([]byte, string, error) {
+	return newGeneralSecretWithBase64(32)
+}
+
+func DecodeGeneralWebSecretBase64(src string) ([]byte, error) {
+	return decodeGeneralSecretBase64(src, 32)
+}
+
+func NewGeneralWebSecretWithBase64() ([]byte, string, error) {
+	return newGeneralSecretWithBase64(32)
+}
+
+// decodeGeneralSecretBase64 decodes a base64 encoded secret into bytes, and check its length
+func decodeGeneralSecretBase64(src string, length int) ([]byte, error) {
 	encoding := base64.RawURLEncoding
 	decoded := make([]byte, encoding.DecodedLen(len(src))+3)
 	if n, err := encoding.Decode(decoded, []byte(src)); err != nil {
 		return nil, err
-	} else if n != defaultJwtSecretLen {
-		return nil, fmt.Errorf("invalid base64 decoded length: %d, expects: %d", n, defaultJwtSecretLen)
+	} else if n != length {
+		return nil, fmt.Errorf("invalid base64 decoded length: %d, expects: %d", n, length)
 	}
-	return decoded[:defaultJwtSecretLen], nil
+	return decoded[:length], nil
 }
 
-// NewJwtSecretWithBase64 generates a jwt secret with its base64 encoded value intended to be used for saving into config file
-func NewJwtSecretWithBase64() ([]byte, string, error) {
-	bytes := make([]byte, defaultJwtSecretLen)
+// newGeneralSecretWithBase64 generates a secret with its base64 encoded value intended to be used for saving into config file
+func newGeneralSecretWithBase64(length int) ([]byte, string, error) {
+	bytes := make([]byte, length)
 	_, err := io.ReadFull(rand.Reader, bytes)
 	if err != nil {
 		return nil, "", err

modules/setting/oauth2.go

@@ -6,7 +6,6 @@ package setting
 import (
 	"math"
 	"path/filepath"
-	"sync/atomic"
 
 	"code.gitea.io/gitea/modules/generate"
 	"code.gitea.io/gitea/modules/log"
@@ -137,9 +136,9 @@ func loadOAuth2From(rootCfg ConfigProvider) {
 	}
 
 	if InstallLock {
-		jwtSecretBytes, err := generate.DecodeJwtSecretBase64(jwtSecretBase64)
+		_, err := generate.DecodeJwtSecretBase64(jwtSecretBase64)
 		if err != nil {
-			jwtSecretBytes, jwtSecretBase64, err = generate.NewJwtSecretWithBase64()
+			_, jwtSecretBase64, err = generate.NewJwtSecretWithBase64()
 			if err != nil {
 				log.Fatal("error generating JWT secret: %v", err)
 			}
@@ -153,27 +152,5 @@ func loadOAuth2From(rootCfg ConfigProvider) {
 				log.Fatal("save oauth2.JWT_SECRET failed: %v", err)
 			}
 		}
-		generalSigningSecret.Store(&jwtSecretBytes)
 	}
 }
-
-// generalSigningSecret is used as container for a []byte value
-// instead of an additional mutex, we use CompareAndSwap func to change the value thread save
-var generalSigningSecret atomic.Pointer[[]byte]
-
-func GetGeneralTokenSigningSecret() []byte {
-	old := generalSigningSecret.Load()
-	if old == nil || len(*old) == 0 {
-		jwtSecret, _, err := generate.NewJwtSecretWithBase64()
-		if err != nil {
-			log.Fatal("Unable to generate general JWT secret: %s", err.Error())
-		}
-		if generalSigningSecret.CompareAndSwap(old, &jwtSecret) {
-			// FIXME: in main branch, the signing token should be refactored (eg: one unique for LFS/OAuth2/etc ...)
-			LogStartupProblem(1, log.WARN, "OAuth2 is not enabled, unable to use a persistent signing secret, a new one is generated, which is not persistent between restarts and cluster nodes")
-			return jwtSecret
-		}
-		return *generalSigningSecret.Load()
-	}
-	return *old
-}

modules/setting/oauth2_test.go

@@ -6,33 +6,9 @@ package setting
 import (
 	"testing"
 
-	"code.gitea.io/gitea/modules/generate"
-	"code.gitea.io/gitea/modules/test"
-
 	"github.com/stretchr/testify/assert"
 )
 
-func TestGetGeneralSigningSecret(t *testing.T) {
-	// when there is no general signing secret, it should be generated, and keep the same value
-	assert.Nil(t, generalSigningSecret.Load())
-	s1 := GetGeneralTokenSigningSecret()
-	assert.NotNil(t, s1)
-	s2 := GetGeneralTokenSigningSecret()
-	assert.Equal(t, s1, s2)
-
-	// the config value should always override any pre-generated value
-	cfg, _ := NewConfigProviderFromData(`
-[oauth2]
-JWT_SECRET = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
-`)
-	defer test.MockVariableValue(&InstallLock, true)()
-	loadOAuth2From(cfg)
-	actual := GetGeneralTokenSigningSecret()
-	expected, _ := generate.DecodeJwtSecretBase64("BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB")
-	assert.Len(t, actual, 32)
-	assert.EqualValues(t, expected, actual)
-}
-
 func TestOauth2DefaultApplications(t *testing.T) {
 	cfg, _ := NewConfigProviderFromData(``)
 	loadOAuth2From(cfg)

modules/setting/secret_test.go

@@ -0,0 +1,39 @@
+package setting
+
+import (
+	"os"
+	"testing"
+
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/test"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGeneralWebSecret(t *testing.T) {
+	osExiter := test.MockedOsExiter{}
+	defer test.MockVariableValue(&log.OsExiter, osExiter.Exit)()
+	assert.Nil(t, GeneralWebSecretBytes)
+	_ = GetGeneralTokenSigningSecret()
+	assert.Equal(t, 1, osExiter.FetchCode())
+
+	tmpFile := t.TempDir() + "/app.ini"
+	_ = os.WriteFile(tmpFile, []byte("[security]\nINSTALL_LOCK=true"), 0o644)
+	cfg, _ := NewConfigProviderFromFile(tmpFile)
+	loadSecurityFrom(cfg)
+	generated := GeneralWebSecretBytes
+	assert.Len(t, generated, 32)
+
+	cfg, _ = NewConfigProviderFromFile(tmpFile)
+	GeneralWebSecretBytes = nil
+	loadSecurityFrom(cfg)
+	loaded := GeneralWebSecretBytes
+	assert.Equal(t, generated, loaded)
+
+	_ = os.WriteFile(tmpFile, []byte("[security]\nINSTALL_LOCK=true"), 0o644)
+	cfg, _ = NewConfigProviderFromFile(tmpFile)
+	loadSecurityFrom(cfg)
+	generated2 := GeneralWebSecretBytes
+	assert.Len(t, generated2, 32)
+	assert.NotEqual(t, generated, generated2)
+}

modules/setting/security.go

@@ -17,7 +17,8 @@ var (
 	// Security settings
 	InstallLock                        bool
 	SecretKey                          string
-	InternalToken                      string // internal access token
+	InternalToken                      string // internal access token is used by Gitea cli to communicate with Gitea server
+	GeneralWebSecretBytes              []byte // general web secret is used for signing or encrypting web related contents (CSRF token, JWT token, validation, etc)
 	LogInRememberDays                  int
 	CookieRememberName                 string
 	ReverseProxyAuthUser               string
@@ -85,18 +86,37 @@ func loadSecret(sec ConfigSection, uriKey, verbatimKey string) string {
 func generateSaveInternalToken(rootCfg ConfigProvider) {
 	token, err := generate.NewInternalToken()
 	if err != nil {
-		log.Fatal("Error generate internal token: %v", err)
+		log.Fatal("Failed to generate internal token: %v", err)
 	}
 
 	InternalToken = token
 	saveCfg, err := rootCfg.PrepareSaving()
 	if err != nil {
-		log.Fatal("Error saving internal token: %v", err)
+		log.Fatal("Failed to save internal token: %v", err)
 	}
 	rootCfg.Section("security").Key("INTERNAL_TOKEN").SetValue(token)
 	saveCfg.Section("security").Key("INTERNAL_TOKEN").SetValue(token)
 	if err = saveCfg.Save(); err != nil {
-		log.Fatal("Error saving internal token: %v", err)
+		log.Fatal("Failed to save internal token: %v", err)
+	}
+}
+
+// generateSaveInternalToken generates and saves the internal token to app.ini
+func generateSaveGeneralWebSecret(rootCfg ConfigProvider) {
+	secretBytes, secretString, err := generate.NewGeneralWebSecretWithBase64()
+	if err != nil {
+		log.Fatal("Failed to generate general web secret: %v", err)
+	}
+
+	GeneralWebSecretBytes = secretBytes
+	saveCfg, err := rootCfg.PrepareSaving()
+	if err != nil {
+		log.Fatal("Failed to save general web secret: %v", err)
+	}
+	rootCfg.Section("security").Key("GENERAL_WEB_SECRET").SetValue(secretString)
+	saveCfg.Section("security").Key("GENERAL_WEB_SECRET").SetValue(secretString)
+	if err = saveCfg.Save(); err != nil {
+		log.Fatal("Failed to save general web secret: %v", err)
 	}
 }
 
@@ -147,6 +167,13 @@ func loadSecurityFrom(rootCfg ConfigProvider) {
 		generateSaveInternalToken(rootCfg)
 	}
 
+	var err error
+	generalWebSecret := loadSecret(sec, "GENERAL_WEB_SECRET_URI", "GENERAL_WEB_SECRET")
+	GeneralWebSecretBytes, err = generate.DecodeGeneralWebSecretBase64(generalWebSecret)
+	if InstallLock && err != nil {
+		generateSaveGeneralWebSecret(rootCfg)
+	}
+
 	cfgdata := sec.Key("PASSWORD_COMPLEXITY").Strings(",")
 	if len(cfgdata) == 0 {
 		cfgdata = []string{"off"}
@@ -169,3 +196,10 @@ func loadSecurityFrom(rootCfg ConfigProvider) {
 		log.Warn("Enabling Query API Auth tokens is not recommended. DISABLE_QUERY_AUTH_TOKEN will default to true in gitea 1.23 and will be removed in gitea 1.24.")
 	}
 }
+
+func GetGeneralTokenSigningSecret() []byte {
+	if len(GeneralWebSecretBytes) == 0 {
+		log.Fatal("GeneralWebSecretBytes is empty")
+	}
+	return GeneralWebSecretBytes
+}

modules/test/utils.go

@@ -9,6 +9,7 @@ import (
 	"strings"
 
 	"code.gitea.io/gitea/modules/json"
+	"code.gitea.io/gitea/modules/util"
 )
 
 // RedirectURL returns the redirect URL of a http response.
@@ -39,3 +40,20 @@ func MockVariableValue[T any](p *T, v T) (reset func()) {
 	*p = v
 	return func() { *p = old }
 }
+
+type MockedOsExiter struct {
+	exitCode int
+	called   bool
+}
+
+func (m *MockedOsExiter) Exit(code int) {
+	m.called = true
+	m.exitCode = code
+}
+
+func (m *MockedOsExiter) FetchCode() int {
+	c := util.Iif(m.called, m.exitCode, -1)
+	m.exitCode = 0
+	m.called = false
+	return c
+}

routers/install/install.go

@@ -481,6 +481,15 @@ func SubmitInstall(ctx *context.Context) {
 		cfg.Section("security").Key("INTERNAL_TOKEN").SetValue(internalToken)
 	}
 
+	if len(setting.GeneralWebSecretBytes) == 0 {
+		_, generalWebSecret, err := generate.NewGeneralWebSecretWithBase64()
+		if err != nil {
+			ctx.RenderWithErr(ctx.Tr("install.secret_key_failed", err), tplInstall, &form)
+			return
+		}
+		cfg.Section("security").Key("GENERAL_WEB_SECRET").SetValue(generalWebSecret)
+	}
+
 	// if there is already a SECRET_KEY, we should not overwrite it, otherwise the encrypted data will not be able to be decrypted
 	if setting.SecretKey == "" {
 		var secretKey string