data key checking + finish up license compliance

Cargo.lock

@@ -2408,6 +2408,7 @@ dependencies = [
  "rand",
  "rocket",
  "serde",
+ "sha2",
  "sqlx",
  "tokio",
  "toml 0.7.1",

trifid-api/Cargo.toml

@@ -23,4 +23,5 @@ chrono = "0.4.23"
 aes-gcm = "0.10.1"
 hex = "0.4.3"
 rand = "0.8.5"
-trifid-pki = { version = "0.1.3", path = "../trifid-pki" }
+trifid-pki = { version = "0.1.3", path = "../trifid-pki" }
+sha2 = "0.10.6"

trifid-api/config.example.toml

@@ -63,24 +63,12 @@ totp_verification_valid_for = 3600
 
 # The per-instance data encryption key to protect sensitive data in the instance.
 # YOU ABSOLUTELY NEED TO CHANGE THIS. If you don't change anything else in this file, this should be the one thing you change.
-# Reiterating:
+
-# -----
-# YOU ABSOLUTELY NEED TO CHANGE THIS VALUE
-# -----
-# Leaving this at it's default (edd600bcebea461381ea23791b6967c8667e12827ac8b94dc022f189a5dc59a2) is DANGEROUS
-# and UNSAFE, and could lead to DATA LEAKS and SECURITY BREACHES.
-#
 # This should be a 32-byte hex value. Generate it with `openssl rand -hex 32`, or any other tool of your choice.
 # If you get "InvalidLength" errors while trying to do anything involving organizations, that indicates that this
 # value was improperly generated.
 #
 # ------- WARNING -------
-# DO NOT CHANGE THIS VALUE IN A PRODUCTION INSTANCE.
+# Do not change this value in a production instance. It will make existing data inaccessible until changed back.
-# CHANGING THIS VALUE WILL RESULT IN PERMANENT, IRREVERSIBLE LOSS OF **ALL** ORGANIZATION DATA IN THE DATABASE.
-# IT IS DIRECTLY RESPONSIBLE FOR DECRYPTING ORGANIZATION KEYS.
-# ENSURE THAT ORGANIZATIONS FUNCTION PROPERLY BEFORE CREATING A PRODUCTION ORGANIZATION.
-# REITERATING: CHANGING THIS VALUE WILL RESULT IN PERMANENT, IRREVIRSIBLE LOSS OF **ALL** ORGANIZATION DATA IN THE DATABASE.
-# DO NOT CHANGE THIS VALUE IN A PRODUCTION INSTANCE.
-# THERE IS NO GOING BACK.
 # ------- WARNING -------
 data_key = "edd600bcebea461381ea23791b6967c8667e12827ac8b94dc022f189a5dc59a2"

trifid-api/migrations/20230204174853_create_users.sql

@@ -1,3 +1,19 @@
+-- trifid-api, an open source reimplementation of the Defined Networking nebula management server.
+--     Copyright (C) 2023 c0repwn3r
+--
+--     This program is free software: you can redistribute it and/or modify
+--     it under the terms of the GNU General Public License as published by
+--     the Free Software Foundation, either version 3 of the License, or
+--     (at your option) any later version.
+--
+--     This program is distributed in the hope that it will be useful,
+--     but WITHOUT ANY WARRANTY; without even the implied warranty of
+--     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+--     GNU General Public License for more details.
+--
+--     You should have received a copy of the GNU General Public License
+--     along with this program.  If not, see <https:--www.gnu.org/licenses/>.
+
 CREATE TABLE users (
     id SERIAL NOT NULL PRIMARY KEY,
     email VARCHAR(320) NOT NULL UNIQUE,

trifid-api/migrations/20230204185754_magic_links.sql

@@ -1,3 +1,19 @@
+-- trifid-api, an open source reimplementation of the Defined Networking nebula management server.
+--     Copyright (C) 2023 c0repwn3r
+--
+--     This program is free software: you can redistribute it and/or modify
+--     it under the terms of the GNU General Public License as published by
+--     the Free Software Foundation, either version 3 of the License, or
+--     (at your option) any later version.
+--
+--     This program is distributed in the hope that it will be useful,
+--     but WITHOUT ANY WARRANTY; without even the implied warranty of
+--     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+--     GNU General Public License for more details.
+--
+--     You should have received a copy of the GNU General Public License
+--     along with this program.  If not, see <https:--www.gnu.org/licenses/>.
+
 CREATE TABLE magic_links (
     id VARCHAR(39) NOT NULL PRIMARY KEY UNIQUE,
     user_id SERIAL NOT NULL REFERENCES users(id),

trifid-api/migrations/20230206012409_create_session_tokens.sql

@@ -1,3 +1,19 @@
+-- trifid-api, an open source reimplementation of the Defined Networking nebula management server.
+--     Copyright (C) 2023 c0repwn3r
+--
+--     This program is free software: you can redistribute it and/or modify
+--     it under the terms of the GNU General Public License as published by
+--     the Free Software Foundation, either version 3 of the License, or
+--     (at your option) any later version.
+--
+--     This program is distributed in the hope that it will be useful,
+--     but WITHOUT ANY WARRANTY; without even the implied warranty of
+--     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+--     GNU General Public License for more details.
+--
+--     You should have received a copy of the GNU General Public License
+--     along with this program.  If not, see <https:--www.gnu.org/licenses/>.
+
 CREATE TABLE session_tokens (
     id VARCHAR(39) NOT NULL PRIMARY KEY,
     user_id SERIAL NOT NULL REFERENCES users(id),

trifid-api/migrations/20230206031048_create_auth_tokens.sql

@@ -1,3 +1,19 @@
+-- trifid-api, an open source reimplementation of the Defined Networking nebula management server.
+--     Copyright (C) 2023 c0repwn3r
+--
+--     This program is free software: you can redistribute it and/or modify
+--     it under the terms of the GNU General Public License as published by
+--     the Free Software Foundation, either version 3 of the License, or
+--     (at your option) any later version.
+--
+--     This program is distributed in the hope that it will be useful,
+--     but WITHOUT ANY WARRANTY; without even the implied warranty of
+--     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+--     GNU General Public License for more details.
+--
+--     You should have received a copy of the GNU General Public License
+--     along with this program.  If not, see <https:--www.gnu.org/licenses/>.
+
 CREATE TABLE auth_tokens (
     id VARCHAR(39) NOT NULL PRIMARY KEY,
     user_id SERIAL NOT NULL REFERENCES users(id),

trifid-api/migrations/20230207145453_create_totp_tokens.sql

@@ -1,3 +1,19 @@
+-- trifid-api, an open source reimplementation of the Defined Networking nebula management server.
+--     Copyright (C) 2023 c0repwn3r
+--
+--     This program is free software: you can redistribute it and/or modify
+--     it under the terms of the GNU General Public License as published by
+--     the Free Software Foundation, either version 3 of the License, or
+--     (at your option) any later version.
+--
+--     This program is distributed in the hope that it will be useful,
+--     but WITHOUT ANY WARRANTY; without even the implied warranty of
+--     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+--     GNU General Public License for more details.
+--
+--     You should have received a copy of the GNU General Public License
+--     along with this program.  If not, see <https:--www.gnu.org/licenses/>.
+
 CREATE TABLE totp_create_tokens (
     id VARCHAR(41) NOT NULL PRIMARY KEY,
     expires_on INTEGER NOT NULL,

trifid-api/migrations/20230224000741_create_orgs.sql

@@ -1,3 +1,19 @@
+-- trifid-api, an open source reimplementation of the Defined Networking nebula management server.
+--     Copyright (C) 2023 c0repwn3r
+--
+--     This program is free software: you can redistribute it and/or modify
+--     it under the terms of the GNU General Public License as published by
+--     the Free Software Foundation, either version 3 of the License, or
+--     (at your option) any later version.
+--
+--     This program is distributed in the hope that it will be useful,
+--     but WITHOUT ANY WARRANTY; without even the implied warranty of
+--     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+--     GNU General Public License for more details.
+--
+--     You should have received a copy of the GNU General Public License
+--     along with this program.  If not, see <https:--www.gnu.org/licenses/>.
+
 CREATE TABLE organizations (
     id SERIAL NOT NULL PRIMARY KEY,
     owner SERIAL NOT NULL REFERENCES users(id),

trifid-api/migrations/20230226020713_create_orgs_authorized_users.sql

@@ -1,3 +1,19 @@
+-- trifid-api, an open source reimplementation of the Defined Networking nebula management server.
+--     Copyright (C) 2023 c0repwn3r
+--
+--     This program is free software: you can redistribute it and/or modify
+--     it under the terms of the GNU General Public License as published by
+--     the Free Software Foundation, either version 3 of the License, or
+--     (at your option) any later version.
+--
+--     This program is distributed in the hope that it will be useful,
+--     but WITHOUT ANY WARRANTY; without even the implied warranty of
+--     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+--     GNU General Public License for more details.
+--
+--     You should have received a copy of the GNU General Public License
+--     along with this program.  If not, see <https:--www.gnu.org/licenses/>.
+
 CREATE TABLE organization_authorized_users (
     id SERIAL NOT NULL PRIMARY KEY,
     user_id SERIAL NOT NULL REFERENCES users(id),

trifid-api/migrations/20230228132411_add_cacheddata.sql

@@ -0,0 +1,20 @@
+-- trifid-api, an open source reimplementation of the Defined Networking nebula management server.
+--     Copyright (C) 2023 c0repwn3r
+--
+--     This program is free software: you can redistribute it and/or modify
+--     it under the terms of the GNU General Public License as published by
+--     the Free Software Foundation, either version 3 of the License, or
+--     (at your option) any later version.
+--
+--     This program is distributed in the hope that it will be useful,
+--     but WITHOUT ANY WARRANTY; without even the implied warranty of
+--     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+--     GNU General Public License for more details.
+--
+--     You should have received a copy of the GNU General Public License
+--     along with this program.  If not, see <https:--www.gnu.org/licenses/>.
+
+CREATE TABLE cacheddata (
+    datakey VARCHAR(256) NOT NULL PRIMARY KEY,
+    datavalue VARCHAR(2048) NOT NULL
+);

trifid-api/src/kv.rs

@@ -0,0 +1,28 @@
+// trifid-api, an open source reimplementation of the Defined Networking nebula management server.
+//     Copyright (C) 2023 c0repwn3r
+//
+//     This program is free software: you can redistribute it and/or modify
+//     it under the terms of the GNU General Public License as published by
+//     the Free Software Foundation, either version 3 of the License, or
+//     (at your option) any later version.
+//
+//     This program is distributed in the hope that it will be useful,
+//     but WITHOUT ANY WARRANTY; without even the implied warranty of
+//     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//     GNU General Public License for more details.
+//
+//     You should have received a copy of the GNU General Public License
+//     along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+use std::error::Error;
+use sqlx::PgPool;
+
+pub async fn kv_get<'a>(key: &'a str, db: &PgPool) -> Result<Option<String>, Box<dyn Error>> {
+    let res = sqlx::query!("SELECT datavalue FROM cacheddata WHERE datakey = $1", key).fetch_optional(db).await?;
+    Ok(res.map(|i| i.datavalue))
+}
+
+pub async fn kv_set(key: &str, value: &str, db: &PgPool) -> Result<(), Box<dyn Error>> {
+    sqlx::query!("INSERT INTO cacheddata (datakey, datavalue) VALUES ($2, $1) ON CONFLICT (datakey) DO UPDATE SET datavalue = $1", value, key).execute(db).await?;
+    Ok(())
+}

trifid-api/src/main.rs

@@ -24,9 +24,12 @@ use log::{error, info};
 use rocket::{catchers, Request, Response, routes};
 use rocket::fairing::{Fairing, Info, Kind};
 use rocket::http::Header;
+use sha2::Sha256;
 use sqlx::migrate::Migrator;
 use sqlx::postgres::PgPoolOptions;
 use crate::config::TFConfig;
+use crate::kv::{kv_get, kv_set};
+use sha2::Digest;
 
 pub mod format;
 pub mod util;
@@ -37,6 +40,7 @@ pub mod routes;
 pub mod auth;
 pub mod crypto;
 pub mod org;
+pub mod kv;
 
 static MIGRATOR: Migrator = sqlx::migrate!();
 
@@ -47,7 +51,7 @@ impl Fairing for CORS {
     fn info(&self) -> Info {
         Info {
             name: "Add CORS headers to responses",
-            kind: Kind::Response
+            kind: Kind::Response,
         }
     }
 
@@ -113,6 +117,38 @@ async fn main() -> Result<(), Box<dyn Error>> {
 
     MIGRATOR.run(&pool).await?;
 
+    info!("[tfapi] verifying encryption key");
+
+    let kv_hash = kv_get("pmk_hash", &pool).await.expect("Unable to get pmk hash from kv store");
+
+    let mut hasher = Sha256::new();
+    hasher.update(config.data_key.as_bytes());
+    let config_hash = hex::encode(hasher.finalize());
+    if let Some(k_hash) = kv_hash {
+        if config_hash != k_hash {
+            error!("[tfapi] fatal: instance master key does not match key used to encrypt data");
+            error!("[tfapi] fatal: datastore was encrypted with keyid {k_hash}");
+            error!("[tfapi] fatal: the key in your config has the keyid {config_hash}");
+            error!("[tfapi] fatal: you probably changed data_key. please return it to it's original value");
+            std::process::exit(1);
+        } else {
+            info!("[tfapi] data keyid is {config_hash}");
+        }
+    } else {
+        info!("[tfapi] detected first run");
+        info!("[tfapi] welcome to trifid!");
+        info!("[tfapi] data keyid is {config_hash}");
+
+        if let Err(e) = kv_set("pmk_hash", config_hash.as_str(), &pool).await {
+            error!("[tfapi] fatal: unable to set pmk_hash in kv store");
+            error!("[tfapi] fatal: the database returned the following error:");
+            error!("[tfapi] fatal: {e}");
+            std::process::exit(1);
+        } else {
+            info!("[tfapi] configured instance information in kv store");
+        }
+    }
+
     info!("[tfapi] building rocket config");
 
     let figment = rocket::Config::figment().merge(("port", config.listen_port));