diff --git a/Cargo.lock b/Cargo.lock index de8e821..1ede611 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2408,6 +2408,7 @@ dependencies = [ "rand", "rocket", "serde", + "sha2", "sqlx", "tokio", "toml 0.7.1", diff --git a/trifid-api/Cargo.toml b/trifid-api/Cargo.toml index 49a21ac..cf1e56d 100644 --- a/trifid-api/Cargo.toml +++ b/trifid-api/Cargo.toml @@ -23,4 +23,5 @@ chrono = "0.4.23" aes-gcm = "0.10.1" hex = "0.4.3" rand = "0.8.5" -trifid-pki = { version = "0.1.3", path = "../trifid-pki" } \ No newline at end of file +trifid-pki = { version = "0.1.3", path = "../trifid-pki" } +sha2 = "0.10.6" \ No newline at end of file diff --git a/trifid-api/config.example.toml b/trifid-api/config.example.toml index ee5c7f2..b60e4c7 100644 --- a/trifid-api/config.example.toml +++ b/trifid-api/config.example.toml 
@@ -63,24 +63,12 @@ totp_verification_valid_for = 3600 # The per-instance data encryption key to protect sensitive data in the instance. # YOU ABSOLUTELY NEED TO CHANGE THIS. If you don't change anything else in this file, this should be the one thing you change. -# Reiterating: -# ----- -# YOU ABSOLUTELY NEED TO CHANGE THIS VALUE -# ----- -# Leaving this at it's default (edd600bcebea461381ea23791b6967c8667e12827ac8b94dc022f189a5dc59a2) is DANGEROUS -# and UNSAFE, and could lead to DATA LEAKS and SECURITY BREACHES. -# + # This should be a 32-byte hex value. Generate it with `openssl rand -hex 32`, or any other tool of your choice. # If you get "InvalidLength" errors while trying to do anything involving organizations, that indicates that this # value was improperly generated. # # ------- WARNING ------- -# DO NOT CHANGE THIS VALUE IN A PRODUCTION INSTANCE. -# CHANGING THIS VALUE WILL RESULT IN PERMANENT, IRREVERSIBLE LOSS OF **ALL** ORGANIZATION DATA IN THE DATABASE. -# IT IS DIRECTLY RESPONSIBLE FOR DECRYPTING ORGANIZATION KEYS. -# ENSURE THAT ORGANIZATIONS FUNCTION PROPERLY BEFORE CREATING A PRODUCTION ORGANIZATION. -# REITERATING: CHANGING THIS VALUE WILL RESULT IN PERMANENT, IRREVIRSIBLE LOSS OF **ALL** ORGANIZATION DATA IN THE DATABASE. -# DO NOT CHANGE THIS VALUE IN A PRODUCTION INSTANCE. -# THERE IS NO GOING BACK. +# Do not change this value in a production instance. It will make existing data inaccessible until changed back. # ------- WARNING ------- data_key = "edd600bcebea461381ea23791b6967c8667e12827ac8b94dc022f189a5dc59a2" diff --git a/trifid-api/migrations/20230204174853_create_users.sql b/trifid-api/migrations/20230204174853_create_users.sql index 9b1ef88..eaeb63a 100644 --- a/trifid-api/migrations/20230204174853_create_users.sql +++ b/trifid-api/migrations/20230204174853_create_users.sql 
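Review bot: The example still ships a live `data_key` (`edd600…59a2`), and the startup check added in main.rs in this same commit records whatever key it sees on first run, so an install that skips this edit gets the published key pinned as its `pmk_hash`. Leave the value unset in the example so the service cannot come up with it, e.g. `# data_key = "<paste the output of: openssl rand -hex 32>"` — assuming the config loader treats a missing key as fatal, which I cannot confirm from this diff. The rewritten warning also understates what now happens: with the new check the server refuses to start on a key mismatch rather than serving unreadable data, so say that, e.g. `# Do not change this value in a production instance: the server will refuse to start until it is changed back, and the original key is the only way to decrypt organization data.`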
@@ -1,3 +1,19 @@ +-- trifid-api, an open source reimplementation of the Defined Networking nebula management server. +-- Copyright (C) 2023 c0repwn3r +-- +-- This program is free software: you can redistribute it and/or modify +-- it under the terms of the GNU General Public License as published by +-- the Free Software Foundation, either version 3 of the License, or +-- (at your option) any later version. +-- +-- This program is distributed in the hope that it will be useful, +-- but WITHOUT ANY WARRANTY; without even the implied warranty of +-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +-- GNU General Public License for more details. +-- +-- You should have received a copy of the GNU General Public License +-- along with this program. If not, see . + CREATE TABLE users ( id SERIAL NOT NULL PRIMARY KEY, email VARCHAR(320) NOT NULL UNIQUE, diff --git a/trifid-api/migrations/20230204185754_magic_links.sql b/trifid-api/migrations/20230204185754_magic_links.sql index 14d175d..3208b12 100644 --- a/trifid-api/migrations/20230204185754_magic_links.sql +++ b/trifid-api/migrations/20230204185754_magic_links.sql 
@@ -1,3 +1,19 @@ +-- trifid-api, an open source reimplementation of the Defined Networking nebula management server. +-- Copyright (C) 2023 c0repwn3r +-- +-- This program is free software: you can redistribute it and/or modify +-- it under the terms of the GNU General Public License as published by +-- the Free Software Foundation, either version 3 of the License, or +-- (at your option) any later version. +-- +-- This program is distributed in the hope that it will be useful, +-- but WITHOUT ANY WARRANTY; without even the implied warranty of +-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +-- GNU General Public License for more details. +-- +-- You should have received a copy of the GNU General Public License +-- along with this program. If not, see . + CREATE TABLE magic_links ( id VARCHAR(39) NOT NULL PRIMARY KEY UNIQUE, user_id SERIAL NOT NULL REFERENCES users(id), diff --git a/trifid-api/migrations/20230206012409_create_session_tokens.sql b/trifid-api/migrations/20230206012409_create_session_tokens.sql index c68dd4a..87a6c06 100644 --- a/trifid-api/migrations/20230206012409_create_session_tokens.sql +++ b/trifid-api/migrations/20230206012409_create_session_tokens.sql 
@@ -1,3 +1,19 @@ +-- trifid-api, an open source reimplementation of the Defined Networking nebula management server. +-- Copyright (C) 2023 c0repwn3r +-- +-- This program is free software: you can redistribute it and/or modify +-- it under the terms of the GNU General Public License as published by +-- the Free Software Foundation, either version 3 of the License, or +-- (at your option) any later version. +-- +-- This program is distributed in the hope that it will be useful, +-- but WITHOUT ANY WARRANTY; without even the implied warranty of +-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +-- GNU General Public License for more details. +-- +-- You should have received a copy of the GNU General Public License +-- along with this program. If not, see . + CREATE TABLE session_tokens ( id VARCHAR(39) NOT NULL PRIMARY KEY, user_id SERIAL NOT NULL REFERENCES users(id), diff --git a/trifid-api/migrations/20230206031048_create_auth_tokens.sql b/trifid-api/migrations/20230206031048_create_auth_tokens.sql index 0e023e9..23c9b5e 100644 --- a/trifid-api/migrations/20230206031048_create_auth_tokens.sql +++ b/trifid-api/migrations/20230206031048_create_auth_tokens.sql 
@@ -1,3 +1,19 @@ +-- trifid-api, an open source reimplementation of the Defined Networking nebula management server. +-- Copyright (C) 2023 c0repwn3r +-- +-- This program is free software: you can redistribute it and/or modify +-- it under the terms of the GNU General Public License as published by +-- the Free Software Foundation, either version 3 of the License, or +-- (at your option) any later version. +-- +-- This program is distributed in the hope that it will be useful, +-- but WITHOUT ANY WARRANTY; without even the implied warranty of +-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +-- GNU General Public License for more details. +-- +-- You should have received a copy of the GNU General Public License +-- along with this program. If not, see . + CREATE TABLE auth_tokens ( id VARCHAR(39) NOT NULL PRIMARY KEY, user_id SERIAL NOT NULL REFERENCES users(id), diff --git a/trifid-api/migrations/20230207145453_create_totp_tokens.sql b/trifid-api/migrations/20230207145453_create_totp_tokens.sql index c484e94..1f08efe 100644 --- a/trifid-api/migrations/20230207145453_create_totp_tokens.sql +++ b/trifid-api/migrations/20230207145453_create_totp_tokens.sql 
@@ -1,3 +1,19 @@ +-- trifid-api, an open source reimplementation of the Defined Networking nebula management server. +-- Copyright (C) 2023 c0repwn3r +-- +-- This program is free software: you can redistribute it and/or modify +-- it under the terms of the GNU General Public License as published by +-- the Free Software Foundation, either version 3 of the License, or +-- (at your option) any later version. +-- +-- This program is distributed in the hope that it will be useful, +-- but WITHOUT ANY WARRANTY; without even the implied warranty of +-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +-- GNU General Public License for more details. +-- +-- You should have received a copy of the GNU General Public License +-- along with this program. If not, see . + CREATE TABLE totp_create_tokens ( id VARCHAR(41) NOT NULL PRIMARY KEY, expires_on INTEGER NOT NULL, diff --git a/trifid-api/migrations/20230224000741_create_orgs.sql b/trifid-api/migrations/20230224000741_create_orgs.sql index c2eb3fd..66e5807 100644 --- a/trifid-api/migrations/20230224000741_create_orgs.sql +++ b/trifid-api/migrations/20230224000741_create_orgs.sql 
@@ -1,3 +1,19 @@ +-- trifid-api, an open source reimplementation of the Defined Networking nebula management server. +-- Copyright (C) 2023 c0repwn3r +-- +-- This program is free software: you can redistribute it and/or modify +-- it under the terms of the GNU General Public License as published by +-- the Free Software Foundation, either version 3 of the License, or +-- (at your option) any later version. +-- +-- This program is distributed in the hope that it will be useful, +-- but WITHOUT ANY WARRANTY; without even the implied warranty of +-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +-- GNU General Public License for more details. +-- +-- You should have received a copy of the GNU General Public License +-- along with this program. If not, see . + CREATE TABLE organizations ( id SERIAL NOT NULL PRIMARY KEY, owner SERIAL NOT NULL REFERENCES users(id), diff --git a/trifid-api/migrations/20230226020713_create_orgs_authorized_users.sql b/trifid-api/migrations/20230226020713_create_orgs_authorized_users.sql index cf1b794..530b9e4 100644 --- a/trifid-api/migrations/20230226020713_create_orgs_authorized_users.sql +++ b/trifid-api/migrations/20230226020713_create_orgs_authorized_users.sql 
@@ -1,3 +1,19 @@ +-- trifid-api, an open source reimplementation of the Defined Networking nebula management server. +-- Copyright (C) 2023 c0repwn3r +-- +-- This program is free software: you can redistribute it and/or modify +-- it under the terms of the GNU General Public License as published by +-- the Free Software Foundation, either version 3 of the License, or +-- (at your option) any later version. +-- +-- This program is distributed in the hope that it will be useful, +-- but WITHOUT ANY WARRANTY; without even the implied warranty of +-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +-- GNU General Public License for more details. +-- +-- You should have received a copy of the GNU General Public License +-- along with this program. If not, see . + CREATE TABLE organization_authorized_users ( id SERIAL NOT NULL PRIMARY KEY, user_id SERIAL NOT NULL REFERENCES users(id), diff --git a/trifid-api/migrations/20230228132411_add_cacheddata.sql b/trifid-api/migrations/20230228132411_add_cacheddata.sql new file mode 100644 index 0000000..169105d --- /dev/null +++ b/trifid-api/migrations/20230228132411_add_cacheddata.sql 
@@ -0,0 +1,20 @@
+-- trifid-api, an open source reimplementation of the Defined Networking nebula management server.
+-- Copyright (C) 2023 c0repwn3r
+--
+-- This program is free software: you can redistribute it and/or modify
+-- it under the terms of the GNU General Public License as published by
+-- the Free Software Foundation, either version 3 of the License, or
+-- (at your option) any later version.
+--
+-- This program is distributed in the hope that it will be useful,
+-- but WITHOUT ANY WARRANTY; without even the implied warranty of
+-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+-- GNU General Public License for more details.
+--
+-- You should have received a copy of the GNU General Public License
+-- along with this program. If not, see .
+
+CREATE TABLE cacheddata (
+ datakey VARCHAR(256) NOT NULL PRIMARY KEY,
+ datavalue VARCHAR(2048) NOT NULL
+);
\ No newline at end of file
diff --git a/trifid-api/src/kv.rs b/trifid-api/src/kv.rs
new file mode 100644
index 0000000..15ccb05
--- /dev/null
+++ b/trifid-api/src/kv.rs
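Review bot: `cacheddata` is named like a disposable cache, but this commit stores the instance's data-key fingerprint (`pmk_hash`) in it, and main.rs treats a missing row as a first run and pins whatever key is configured, so truncating this table is enough to defeat the key-mismatch check. Add a comment above the `CREATE TABLE` so nobody clears it: `-- Persistent instance metadata (e.g. pmk_hash, the data_key fingerprint). Not a cache: deleting rows bypasses startup key verification.` A name such as `instance_metadata` would say the same thing, if renaming is still cheap this early.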
@@ -0,0 +1,28 @@ +// trifid-api, an open source reimplementation of the Defined Networking nebula management server. +// Copyright (C) 2023 c0repwn3r +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation, either version 3 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License +// along with this program. If not, see . + +use std::error::Error; +use sqlx::PgPool; + +pub async fn kv_get<'a>(key: &'a str, db: &PgPool) -> Result, Box> { + let res = sqlx::query!("SELECT datavalue FROM cacheddata WHERE datakey = $1", key).fetch_optional(db).await?; + Ok(res.map(|i| i.datavalue)) +} + +pub async fn kv_set(key: &str, value: &str, db: &PgPool) -> Result<(), Box> { + sqlx::query!("INSERT INTO cacheddata (datakey, datavalue) VALUES ($2, $1) ON CONFLICT (datakey) DO UPDATE SET datavalue = $1", value, key).execute(db).await?; + Ok(()) +} \ No newline at end of file diff --git a/trifid-api/src/main.rs b/trifid-api/src/main.rs index 82e4b04..efa4468 100644 --- a/trifid-api/src/main.rs +++ b/trifid-api/src/main.rs @@ -24,9 +24,12 @@ use log::{error, info}; use rocket::{catchers, Request, Response, routes}; use rocket::fairing::{Fairing, Info, Kind}; use rocket::http::Header; +use sha2::Sha256; use sqlx::migrate::Migrator; use sqlx::postgres::PgPoolOptions; use crate::config::TFConfig; +use crate::kv::{kv_get, kv_set}; +use sha2::Digest; pub mod format; pub mod util; @@ -37,6 +40,7 @@ pub mod routes; pub mod auth; pub mod crypto; pub mod org; +pub mod kv; static MIGRATOR: Migrator = sqlx::migrate!(); 
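Review bot: In `kv_set` the placeholders are numbered against the bind order (`VALUES ($2, $1)` with `value, key`), which is correct but reads as a swapped-argument bug at a glance; bind in query order instead, `sqlx::query!("INSERT INTO cacheddata (datakey, datavalue) VALUES ($1, $2) ON CONFLICT (datakey) DO UPDATE SET datavalue = $2", key, value)`. The explicit `'a` on `kv_get` is unnecessary — lifetime elision yields the same signature. Neither function is documented; add `/// Read a value from cacheddata; None when the key is absent.` on `kv_get` and `/// Insert or overwrite a key in cacheddata (upsert on datakey).` on `kv_set`. This page renders the return types without their generic arguments (`Result, Box>`), so I am reading them as `Result<Option<String>, Box<dyn Error>>` and `Result<(), Box<dyn Error>>`.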
@@ -47,7 +51,7 @@ impl Fairing for CORS { fn info(&self) -> Info { Info { name: "Add CORS headers to responses", - kind: Kind::Response + kind: Kind::Response, } } @@ -113,6 +117,38 @@ async fn main() -> Result<(), Box> { MIGRATOR.run(&pool).await?; + info!("[tfapi] verifying encryption key"); + + let kv_hash = kv_get("pmk_hash", &pool).await.expect("Unable to get pmk hash from kv store"); + + let mut hasher = Sha256::new(); + hasher.update(config.data_key.as_bytes()); + let config_hash = hex::encode(hasher.finalize()); + if let Some(k_hash) = kv_hash { + if config_hash != k_hash { + error!("[tfapi] fatal: instance master key does not match key used to encrypt data"); + error!("[tfapi] fatal: datastore was encrypted with keyid {k_hash}"); + error!("[tfapi] fatal: the key in your config has the keyid {config_hash}"); + error!("[tfapi] fatal: you probably changed data_key. please return it to it's original value"); + std::process::exit(1); + } else { + info!("[tfapi] data keyid is {config_hash}"); + } + } else { + info!("[tfapi] detected first run"); + info!("[tfapi] welcome to trifid!"); + info!("[tfapi] data keyid is {config_hash}"); + + if let Err(e) = kv_set("pmk_hash", config_hash.as_str(), &pool).await { + error!("[tfapi] fatal: unable to set pmk_hash in kv store"); + error!("[tfapi] fatal: the database returned the following error:"); + error!("[tfapi] fatal: {e}"); + std::process::exit(1); + } else { + info!("[tfapi] configured instance information in kv store"); + } + } + info!("[tfapi] building rocket config"); let figment = rocket::Config::figment().merge(("port", config.listen_port));
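Review bot: On the first run the new code pins whatever `data_key` is configured without validating it, so the published example value from config.example.toml (`edd600…59a2`) or a malformed string is accepted and recorded as `pmk_hash`; validate the key first and refuse the example value, as in the excerpt below. `kv_get(...).expect(...)` panics with a raw database error while the `kv_set` failure a few lines later logs and exits — use the same path for both. The fingerprint is an unsalted SHA-256 of the key string and is logged at info level on every start; that is fine for a random 32-byte key but gives an offline guessing oracle if an operator typed a passphrase, so an HMAC over a fixed label (or an HKDF-derived check value) would be safer. The message `please return it to it's original value` should read `its`. `main` starts and ends outside this hunk.
```rust
    info!("[tfapi] verifying encryption key");

    // Refuse to pin a key that is malformed or the published example value.
    let key_bytes = hex::decode(&config.data_key).unwrap_or_default();
    if key_bytes.len() != 32
        || config.data_key == "edd600bcebea461381ea23791b6967c8667e12827ac8b94dc022f189a5dc59a2"
    {
        error!("[tfapi] fatal: data_key must be 32 random bytes (64 hex chars) and must not be the example value");
        std::process::exit(1);
    }

    let kv_hash = match kv_get("pmk_hash", &pool).await {
        Ok(h) => h,
        Err(e) => {
            error!("[tfapi] fatal: unable to read pmk_hash from kv store: {e}");
            std::process::exit(1);
        }
    };

    // … unchanged: hash comparison and first-run pmk_hash write …
```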