project level secrets #3024
project level secrets #3024
Conversation
…at-project-level-secrets
app/config/collections.php
Outdated
| @@ -2668,15 +2690,15 @@ | |||
| 'filters' => [], | |||
| ], | |||
| [ | |||
| '$id' => 'openSSLVersion', | |||
| '$id' => 'fileSecret', | |||
There was a problem hiding this comment.
Same, we should store a list of keys not a single one.
There was a problem hiding this comment.
we are just using keys per file, so I don't think we need arrays here? Because if/when we change the key the file should already be encrypted using the new key.
app/controllers/api/account.php
Outdated
| @@ -1060,7 +1062,7 @@ | |||
| throw new Exception('No valid session found', 404, Exception::USER_SESSION_NOT_FOUND); | |||
| } | |||
|
|
|||
| $jwt = new JWT(App::getEnv('_APP_OPENSSL_KEY_V1'), 'HS256', 900, 10); // Instantiate with key, algo, maxAge and leeway. | |||
| $jwt = new JWT($project->getId() == 'console' ? App::getEnv('_APP_OPENSSL_KEY_V1') : $project->getAttribute('jwtSecret'), 'HS256', 900, 10); // Instantiate with key, algo, maxAge and leeway. | |||
There was a problem hiding this comment.
Let's add a small explanation above this line.
There was a problem hiding this comment.
Should we also keep older version to make sure we avoid any race conditions and failed validations during the switch? Not sure if we can ignore this scenario, wdyt?
There was a problem hiding this comment.
I'm not sure? If we don't keep the old version, only thing is that all the existing JWT keys will be invalid right? Is that such a big problem? or am I missing something here?
There was a problem hiding this comment.
As we already have console resource, I updated the console project to also include jwtSecrets attribute so that we don't need to check anything else here
app/controllers/api/functions.php
Outdated
| @@ -899,7 +899,7 @@ | |||
| } | |||
|
|
|||
| if(!$current->isEmpty()) { | |||
| $jwtObj = new JWT(App::getEnv('_APP_OPENSSL_KEY_V1'), 'HS256', 900, 10); // Instantiate with key, algo, maxAge and leeway. | |||
| $jwtObj = new JWT($project->getId() == 'console' ? App::getEnv('_APP_OPENSSL_KEY_V1') : $project->getAttribute('jwtSecret'), 'HS256', 900, 10); // Instantiate with key, algo, maxAge and leeway. | |||
There was a problem hiding this comment.
Should we add JWT as a resource we initialize in one place?
There was a problem hiding this comment.
as mentioned above, we can also try to cast the console attributes in a higher level to avoid code repetition.
There was a problem hiding this comment.
we can do that I guess. I'll try that.
app/controllers/api/projects.php
Outdated
| @@ -98,6 +99,8 @@ | |||
| 'keys' => null, | |||
| 'domains' => null, | |||
| 'auths' => $auths, | |||
| 'databaseSecrets' => [\uniqid() => \bin2hex(OpenSSL::randomPseudoBytes(128))], | |||
There was a problem hiding this comment.
Can we abstract this logic in the Auth library?
There was a problem hiding this comment.
getting a new secret?
There was a problem hiding this comment.
Shouldn't this be a part of OpenSSL instead of Auth library? I've put it on OpenSSL library. Do let me know WYT.
app/controllers/api/account.php
Outdated
| @@ -1060,7 +1062,7 @@ | |||
| throw new Exception('No valid session found', 404, Exception::USER_SESSION_NOT_FOUND); | |||
| } | |||
|
|
|||
| $jwt = new JWT(App::getEnv('_APP_OPENSSL_KEY_V1'), 'HS256', 900, 10); // Instantiate with key, algo, maxAge and leeway. | |||
| $jwt = new JWT($project->getId() == 'console' ? App::getEnv('_APP_OPENSSL_KEY_V1') : $project->getAttribute('jwtSecret'), 'HS256', 900, 10); // Instantiate with key, algo, maxAge and leeway. | |||
There was a problem hiding this comment.
Can we set/cast these attributes (jwtSecret, databaseSecrets) globally on the console project object? Might be easier than forcing dev to remember adding this condition.
There was a problem hiding this comment.
may be adding a JWT resource will be a good idea, I'll try that.
app/controllers/api/storage.php
Outdated
| @@ -508,9 +508,16 @@ | |||
| if (empty($data)) { | |||
| $data = $deviceFiles->read($path); | |||
| } | |||
| $key = App::getEnv('_APP_OPENSSL_KEY_V1'); | |||
|
|
|||
| $fileSecret = \bin2hex(OpenSSL::randomPseudoBytes(128)); | |||
There was a problem hiding this comment.
Same, can we abstract the secret generation?
composer.json
Outdated
| @@ -45,7 +45,7 @@ | |||
| "utopia-php/cache": "0.6.*", | |||
| "utopia-php/cli": "0.12.*", | |||
| "utopia-php/config": "0.2.*", | |||
| "utopia-php/database": "0.15.*", | |||
| "utopia-php/database": "dev-feat-filters-upgrade as 0.15.4", | |||
There was a problem hiding this comment.
Reminder to release a version.
src/Appwrite/OpenSSL/OpenSSL.php
Outdated
| @@ -20,6 +20,7 @@ class OpenSSL | |||
| */ | |||
| public static function encrypt($data, $method, $key, $options = 0, $iv = '', &$tag = null, $aad = '', $tag_length = 16) | |||
| { | |||
| var_dump($data); | |||
Co-authored-by: Eldad A. Fux <[email protected]>
…at-project-level-secrets
lohanidamodar
changed the title
…at-project-level-secrets
…ite/appwrite into feat-project-level-secrets
…at-project-level-secrets
…at-project-level-secrets
|
Converting to draft due to merge conflicts. |
What does this PR do?
(Provide a description of what this PR does.)
Test Plan
(Write your test plan here. If you changed any code, please provide us with clear instructions on how you verified your changes work.)
Related PRs and Issues
(If this PR is related to any other PR or resolves any issue or related to any issue link all related PR and issues here.)
Have you read the Contributing Guidelines on issues?
(Write your answer here.)