data key checking + finish up license compliance
This commit is contained in:
parent
86e7fda995
commit
7a074bf38f
13 changed files with 202 additions and 16 deletions
1
Cargo.lock
generated
1
Cargo.lock
generated
|
@ -2408,6 +2408,7 @@ dependencies = [
|
|||
"rand",
|
||||
"rocket",
|
||||
"serde",
|
||||
"sha2",
|
||||
"sqlx",
|
||||
"tokio",
|
||||
"toml 0.7.1",
|
||||
|
|
|
@ -23,4 +23,5 @@ chrono = "0.4.23"
|
|||
aes-gcm = "0.10.1"
|
||||
hex = "0.4.3"
|
||||
rand = "0.8.5"
|
||||
trifid-pki = { version = "0.1.3", path = "../trifid-pki" }
|
||||
trifid-pki = { version = "0.1.3", path = "../trifid-pki" }
|
||||
sha2 = "0.10.6"
|
|
@ -63,24 +63,12 @@ totp_verification_valid_for = 3600
|
|||
|
||||
# The per-instance data encryption key to protect sensitive data in the instance.
|
||||
# YOU ABSOLUTELY NEED TO CHANGE THIS. If you don't change anything else in this file, this should be the one thing you change.
|
||||
# Reiterating:
|
||||
# -----
|
||||
# YOU ABSOLUTELY NEED TO CHANGE THIS VALUE
|
||||
# -----
|
||||
# Leaving this at it's default (edd600bcebea461381ea23791b6967c8667e12827ac8b94dc022f189a5dc59a2) is DANGEROUS
|
||||
# and UNSAFE, and could lead to DATA LEAKS and SECURITY BREACHES.
|
||||
#
|
||||
|
||||
# This should be a 32-byte hex value. Generate it with `openssl rand -hex 32`, or any other tool of your choice.
|
||||
# If you get "InvalidLength" errors while trying to do anything involving organizations, that indicates that this
|
||||
# value was improperly generated.
|
||||
#
|
||||
# ------- WARNING -------
|
||||
# DO NOT CHANGE THIS VALUE IN A PRODUCTION INSTANCE.
|
||||
# CHANGING THIS VALUE WILL RESULT IN PERMANENT, IRREVERSIBLE LOSS OF **ALL** ORGANIZATION DATA IN THE DATABASE.
|
||||
# IT IS DIRECTLY RESPONSIBLE FOR DECRYPTING ORGANIZATION KEYS.
|
||||
# ENSURE THAT ORGANIZATIONS FUNCTION PROPERLY BEFORE CREATING A PRODUCTION ORGANIZATION.
|
||||
# REITERATING: CHANGING THIS VALUE WILL RESULT IN PERMANENT, IRREVIRSIBLE LOSS OF **ALL** ORGANIZATION DATA IN THE DATABASE.
|
||||
# DO NOT CHANGE THIS VALUE IN A PRODUCTION INSTANCE.
|
||||
# THERE IS NO GOING BACK.
|
||||
# Do not change this value in a production instance. It will make existing data inaccessible until changed back.
|
||||
# ------- WARNING -------
|
||||
data_key = "edd600bcebea461381ea23791b6967c8667e12827ac8b94dc022f189a5dc59a2"
|
||||
|
|
|
@ -1,3 +1,19 @@
|
|||
-- trifid-api, an open source reimplementation of the Defined Networking nebula management server.
|
||||
-- Copyright (C) 2023 c0repwn3r
|
||||
--
|
||||
-- This program is free software: you can redistribute it and/or modify
|
||||
-- it under the terms of the GNU General Public License as published by
|
||||
-- the Free Software Foundation, either version 3 of the License, or
|
||||
-- (at your option) any later version.
|
||||
--
|
||||
-- This program is distributed in the hope that it will be useful,
|
||||
-- but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
-- GNU General Public License for more details.
|
||||
--
|
||||
-- You should have received a copy of the GNU General Public License
|
||||
-- along with this program. If not, see <https:--www.gnu.org/licenses/>.
|
||||
|
||||
CREATE TABLE users (
|
||||
id SERIAL NOT NULL PRIMARY KEY,
|
||||
email VARCHAR(320) NOT NULL UNIQUE,
|
||||
|
|
|
@ -1,3 +1,19 @@
|
|||
-- trifid-api, an open source reimplementation of the Defined Networking nebula management server.
|
||||
-- Copyright (C) 2023 c0repwn3r
|
||||
--
|
||||
-- This program is free software: you can redistribute it and/or modify
|
||||
-- it under the terms of the GNU General Public License as published by
|
||||
-- the Free Software Foundation, either version 3 of the License, or
|
||||
-- (at your option) any later version.
|
||||
--
|
||||
-- This program is distributed in the hope that it will be useful,
|
||||
-- but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
-- GNU General Public License for more details.
|
||||
--
|
||||
-- You should have received a copy of the GNU General Public License
|
||||
-- along with this program. If not, see <https:--www.gnu.org/licenses/>.
|
||||
|
||||
CREATE TABLE magic_links (
|
||||
id VARCHAR(39) NOT NULL PRIMARY KEY UNIQUE,
|
||||
user_id SERIAL NOT NULL REFERENCES users(id),
|
||||
|
|
|
@ -1,3 +1,19 @@
|
|||
-- trifid-api, an open source reimplementation of the Defined Networking nebula management server.
|
||||
-- Copyright (C) 2023 c0repwn3r
|
||||
--
|
||||
-- This program is free software: you can redistribute it and/or modify
|
||||
-- it under the terms of the GNU General Public License as published by
|
||||
-- the Free Software Foundation, either version 3 of the License, or
|
||||
-- (at your option) any later version.
|
||||
--
|
||||
-- This program is distributed in the hope that it will be useful,
|
||||
-- but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
-- GNU General Public License for more details.
|
||||
--
|
||||
-- You should have received a copy of the GNU General Public License
|
||||
-- along with this program. If not, see <https:--www.gnu.org/licenses/>.
|
||||
|
||||
CREATE TABLE session_tokens (
|
||||
id VARCHAR(39) NOT NULL PRIMARY KEY,
|
||||
user_id SERIAL NOT NULL REFERENCES users(id),
|
||||
|
|
|
@ -1,3 +1,19 @@
|
|||
-- trifid-api, an open source reimplementation of the Defined Networking nebula management server.
|
||||
-- Copyright (C) 2023 c0repwn3r
|
||||
--
|
||||
-- This program is free software: you can redistribute it and/or modify
|
||||
-- it under the terms of the GNU General Public License as published by
|
||||
-- the Free Software Foundation, either version 3 of the License, or
|
||||
-- (at your option) any later version.
|
||||
--
|
||||
-- This program is distributed in the hope that it will be useful,
|
||||
-- but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
-- GNU General Public License for more details.
|
||||
--
|
||||
-- You should have received a copy of the GNU General Public License
|
||||
-- along with this program. If not, see <https:--www.gnu.org/licenses/>.
|
||||
|
||||
CREATE TABLE auth_tokens (
|
||||
id VARCHAR(39) NOT NULL PRIMARY KEY,
|
||||
user_id SERIAL NOT NULL REFERENCES users(id),
|
||||
|
|
|
@ -1,3 +1,19 @@
|
|||
-- trifid-api, an open source reimplementation of the Defined Networking nebula management server.
|
||||
-- Copyright (C) 2023 c0repwn3r
|
||||
--
|
||||
-- This program is free software: you can redistribute it and/or modify
|
||||
-- it under the terms of the GNU General Public License as published by
|
||||
-- the Free Software Foundation, either version 3 of the License, or
|
||||
-- (at your option) any later version.
|
||||
--
|
||||
-- This program is distributed in the hope that it will be useful,
|
||||
-- but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
-- GNU General Public License for more details.
|
||||
--
|
||||
-- You should have received a copy of the GNU General Public License
|
||||
-- along with this program. If not, see <https:--www.gnu.org/licenses/>.
|
||||
|
||||
CREATE TABLE totp_create_tokens (
|
||||
id VARCHAR(41) NOT NULL PRIMARY KEY,
|
||||
expires_on INTEGER NOT NULL,
|
||||
|
|
|
@ -1,3 +1,19 @@
|
|||
-- trifid-api, an open source reimplementation of the Defined Networking nebula management server.
|
||||
-- Copyright (C) 2023 c0repwn3r
|
||||
--
|
||||
-- This program is free software: you can redistribute it and/or modify
|
||||
-- it under the terms of the GNU General Public License as published by
|
||||
-- the Free Software Foundation, either version 3 of the License, or
|
||||
-- (at your option) any later version.
|
||||
--
|
||||
-- This program is distributed in the hope that it will be useful,
|
||||
-- but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
-- GNU General Public License for more details.
|
||||
--
|
||||
-- You should have received a copy of the GNU General Public License
|
||||
-- along with this program. If not, see <https:--www.gnu.org/licenses/>.
|
||||
|
||||
CREATE TABLE organizations (
|
||||
id SERIAL NOT NULL PRIMARY KEY,
|
||||
owner SERIAL NOT NULL REFERENCES users(id),
|
||||
|
|
|
@ -1,3 +1,19 @@
|
|||
-- trifid-api, an open source reimplementation of the Defined Networking nebula management server.
|
||||
-- Copyright (C) 2023 c0repwn3r
|
||||
--
|
||||
-- This program is free software: you can redistribute it and/or modify
|
||||
-- it under the terms of the GNU General Public License as published by
|
||||
-- the Free Software Foundation, either version 3 of the License, or
|
||||
-- (at your option) any later version.
|
||||
--
|
||||
-- This program is distributed in the hope that it will be useful,
|
||||
-- but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
-- GNU General Public License for more details.
|
||||
--
|
||||
-- You should have received a copy of the GNU General Public License
|
||||
-- along with this program. If not, see <https:--www.gnu.org/licenses/>.
|
||||
|
||||
CREATE TABLE organization_authorized_users (
|
||||
id SERIAL NOT NULL PRIMARY KEY,
|
||||
user_id SERIAL NOT NULL REFERENCES users(id),
|
||||
|
|
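--- a/trifid-api/migrations/20230228132411_add_cacheddata.sql
+++ b/trifid-api/migrations/20230228132411_add_cacheddata.sql
@@ -0,0 +1,20 @@
+-- trifid-api, an open source reimplementation of the Defined Networking nebula management server.
+-- Copyright (C) 2023 c0repwn3r
+--
+-- This program is free software: you can redistribute it and/or modify
+-- it under the terms of the GNU General Public License as published by
+-- the Free Software Foundation, either version 3 of the License, or
+-- (at your option) any later version.
+--
+-- This program is distributed in the hope that it will be useful,
+-- but WITHOUT ANY WARRANTY; without even the implied warranty of
+-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+-- GNU General Public License for more details.
+--
+-- You should have received a copy of the GNU General Public License
+-- along with this program. If not, see <https:--www.gnu.org/licenses/>.
+
+CREATE TABLE cacheddata (
+datakey VARCHAR(256) NOT NULL PRIMARY KEY,
+datavalue VARCHAR(2048) NOT NULL
+);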
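Review bot: The migration creates `cacheddata` with nothing saying what it holds, while the main.rs hunk in this same commit uses it to persist `pmk_hash`, the value that detects a changed `data_key` at startup; the name suggests disposable cache rows, which invites an operator to truncate the table and silently disable that check. A one-line comment above `CREATE TABLE cacheddata (` such as `-- Persistent per-instance key/value metadata (e.g. pmk_hash, checked against data_key on every start); not a disposable cache.` would record that. The column sizes are not an issue for the current use, since the stored hex SHA-256 is 64 characters.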
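--- a/trifid-api/src/kv.rs
+++ b/trifid-api/src/kv.rs
@@ -0,0 +1,28 @@
+// trifid-api, an open source reimplementation of the Defined Networking nebula management server.
+// Copyright (C) 2023 c0repwn3r
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+use std::error::Error;
+use sqlx::PgPool;
+
+pub async fn kv_get<'a>(key: &'a str, db: &PgPool) -> Result<Option<String>, Box<dyn Error>> {
+let res = sqlx::query!("SELECT datavalue FROM cacheddata WHERE datakey = $1", key).fetch_optional(db).await?;
+Ok(res.map(|i| i.datavalue))
+}
+
+pub async fn kv_set(key: &str, value: &str, db: &PgPool) -> Result<(), Box<dyn Error>> {
+sqlx::query!("INSERT INTO cacheddata (datakey, datavalue) VALUES ($2, $1) ON CONFLICT (datakey) DO UPDATE SET datavalue = $1", value, key).execute(db).await?;
+Ok(())
+}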
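Review bot: In `kv_set` the bind order is reversed relative to the SQL, `VALUES ($2, $1)` with arguments `value, key`; it is correct today but easy to break on the next edit, and `sqlx::query!("INSERT INTO cacheddata (datakey, datavalue) VALUES ($1, $2) ON CONFLICT (datakey) DO UPDATE SET datavalue = $2", key, value)` keeps placeholders and arguments in the same order. The explicit `'a` on `kv_get` adds nothing that lifetime elision would not give, so `pub async fn kv_get(key: &str, db: &PgPool) -> Result<Option<String>, Box<dyn Error>>` reads cleaner. Both functions are public and undocumented; a `///` line on each, stating that kv_get returns the value stored under the given key in the cacheddata table or None when absent, and that kv_set inserts or overwrites that value, would help callers such as the startup key check in main.rs.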
|
@ -24,9 +24,12 @@ use log::{error, info};
|
|||
use rocket::{catchers, Request, Response, routes};
|
||||
use rocket::fairing::{Fairing, Info, Kind};
|
||||
use rocket::http::Header;
|
||||
use sha2::Sha256;
|
||||
use sqlx::migrate::Migrator;
|
||||
use sqlx::postgres::PgPoolOptions;
|
||||
use crate::config::TFConfig;
|
||||
use crate::kv::{kv_get, kv_set};
|
||||
use sha2::Digest;
|
||||
|
||||
pub mod format;
|
||||
pub mod util;
|
||||
|
@ -37,6 +40,7 @@ pub mod routes;
|
|||
pub mod auth;
|
||||
pub mod crypto;
|
||||
pub mod org;
|
||||
pub mod kv;
|
||||
|
||||
static MIGRATOR: Migrator = sqlx::migrate!();
|
||||
|
||||
|
@ -47,7 +51,7 @@ impl Fairing for CORS {
|
|||
fn info(&self) -> Info {
|
||||
Info {
|
||||
name: "Add CORS headers to responses",
|
||||
kind: Kind::Response
|
||||
kind: Kind::Response,
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -113,6 +117,38 @@ async fn main() -> Result<(), Box<dyn Error>> {
|
|||
|
||||
MIGRATOR.run(&pool).await?;
|
||||
|
||||
info!("[tfapi] verifying encryption key");
|
||||
|
||||
let kv_hash = kv_get("pmk_hash", &pool).await.expect("Unable to get pmk hash from kv store");
|
||||
|
||||
let mut hasher = Sha256::new();
|
||||
hasher.update(config.data_key.as_bytes());
|
||||
let config_hash = hex::encode(hasher.finalize());
|
||||
if let Some(k_hash) = kv_hash {
|
||||
if config_hash != k_hash {
|
||||
error!("[tfapi] fatal: instance master key does not match key used to encrypt data");
|
||||
error!("[tfapi] fatal: datastore was encrypted with keyid {k_hash}");
|
||||
error!("[tfapi] fatal: the key in your config has the keyid {config_hash}");
|
||||
error!("[tfapi] fatal: you probably changed data_key. please return it to it's original value");
|
||||
std::process::exit(1);
|
||||
} else {
|
||||
info!("[tfapi] data keyid is {config_hash}");
|
||||
}
|
||||
} else {
|
||||
info!("[tfapi] detected first run");
|
||||
info!("[tfapi] welcome to trifid!");
|
||||
info!("[tfapi] data keyid is {config_hash}");
|
||||
|
||||
if let Err(e) = kv_set("pmk_hash", config_hash.as_str(), &pool).await {
|
||||
error!("[tfapi] fatal: unable to set pmk_hash in kv store");
|
||||
error!("[tfapi] fatal: the database returned the following error:");
|
||||
error!("[tfapi] fatal: {e}");
|
||||
std::process::exit(1);
|
||||
} else {
|
||||
info!("[tfapi] configured instance information in kv store");
|
||||
}
|
||||
}
|
||||
|
||||
info!("[tfapi] building rocket config");
|
||||
|
||||
let figment = rocket::Config::figment().merge(("port", config.listen_port));
|
||||
|
|
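Review bot: The new verification only checks that `data_key` agrees with the stored `pmk_hash`; it never rejects the documented default `edd600bcebea461381ea23791b6967c8667e12827ac8b94dc022f189a5dc59a2` (still the shipped `data_key` in the config hunk of this commit), so a first run with the unchanged default commits that key's hash and every later start passes the check. The config text also says the key must be a 32-byte hex value and that a bad value only surfaces later as an `InvalidLength` error, so the key should be validated before it is hashed: refuse to start when it equals the default or does not decode to 32 bytes. Separately, the `kv_get` result is `.expect(...)`ed while the `kv_set` failure a few lines down is logged with `error!` and `exit(1)`; handling both the same way keeps startup failures readable. `main` starts and ends outside this hunk.
```rust
info!("[tfapi] verifying encryption key");

// The default value shipped in the example config; an instance must never run with it.
const DEFAULT_DATA_KEY: &str = "edd600bcebea461381ea23791b6967c8667e12827ac8b94dc022f189a5dc59a2";
if config.data_key == DEFAULT_DATA_KEY {
    error!("[tfapi] fatal: data_key is still the shipped default; generate a new value before first start");
    std::process::exit(1);
}
match hex::decode(&config.data_key) {
    Ok(k) if k.len() == 32 => {}
    _ => {
        error!("[tfapi] fatal: data_key must be a 32-byte hex value");
        std::process::exit(1);
    }
}

let kv_hash = match kv_get("pmk_hash", &pool).await {
    Ok(h) => h,
    Err(e) => {
        error!("[tfapi] fatal: unable to read pmk_hash from kv store: {e}");
        std::process::exit(1);
    }
};
// … unchanged: hashing of data_key, comparison against the stored pmk_hash, first-run kv_set …
```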