From e83af616d6b6f4f81bfd8131a9d843c445857ac3 Mon Sep 17 00:00:00 2001 From: Aaron Lehmann Date: Wed, 29 Jul 2015 12:50:43 -0700 Subject: [PATCH] Automatically generate a HTTP secret if none is provided Log a warning if the registry generates its own secret. Update configuration doc, and remove the default secret from the development config file. Signed-off-by: Aaron Lehmann --- docs/handlers/app.go | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/docs/handlers/app.go b/docs/handlers/app.go index fd8f36bbd..9fb82cbb0 100644 --- a/docs/handlers/app.go +++ b/docs/handlers/app.go @@ -1,6 +1,7 @@ package handlers import ( + cryptorand "crypto/rand" "expvar" "fmt" "math/rand" @@ -30,6 +31,10 @@ import ( "golang.org/x/net/context" ) +// randomSecretSize is the number of random bytes to generate if no secret +// was specified. +const randomSecretSize = 32 + // App is a global registry application object. Shared resources can be placed // on this object that will be accessible from all requests. Any writable // fields should be protected. @@ -102,6 +107,7 @@ func NewApp(ctx context.Context, configuration configuration.Configuration) *App panic(err) } + app.configureSecret(&configuration) app.configureEvents(&configuration) app.configureRedis(&configuration) app.configureLogHook(&configuration) @@ -337,6 +343,19 @@ func (app *App) configureLogHook(configuration *configuration.Configuration) { } } +// configureSecret creates a random secret if a secret wasn't included in the +// configuration. +func (app *App) configureSecret(configuration *configuration.Configuration) { + if configuration.HTTP.Secret == "" { + var secretBytes [randomSecretSize]byte + if _, err := cryptorand.Read(secretBytes[:]); err != nil { + panic(fmt.Sprintf("could not generate random bytes for HTTP secret: %v", err)) + } + configuration.HTTP.Secret = string(secretBytes[:]) + ctxu.GetLogger(app).Warn("No HTTP secret provided - generated random secret. This may cause problems with uploads if multiple registries are behind a load-balancer. To provide a shared secret, fill in http.secret in the configuration file or set the REGISTRY_HTTP_SECRET environment variable.") + } +} + func (app *App) ServeHTTP(w http.ResponseWriter, r *http.Request) { defer r.Body.Close() // ensure that request body is always closed.