-
Notifications
You must be signed in to change notification settings - Fork 3.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
project level secrets #3024
base: main
Are you sure you want to change the base?
project level secrets #3024
Conversation
…at-project-level-secrets
app/config/collections.php
Outdated
@@ -2668,15 +2690,15 @@ | |||
'filters' => [], | |||
], | |||
[ | |||
'$id' => 'openSSLVersion', | |||
'$id' => 'fileSecret', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same, we should store a list of keys not a single one.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we are just using keys per file, so I don't think we need arrays here? Because if/when we change the key the file should already be encrypted using the new key.
app/controllers/api/account.php
Outdated
@@ -1060,7 +1062,7 @@ | |||
throw new Exception('No valid session found', 404, Exception::USER_SESSION_NOT_FOUND); | |||
} | |||
|
|||
$jwt = new JWT(App::getEnv('_APP_OPENSSL_KEY_V1'), 'HS256', 900, 10); // Instantiate with key, algo, maxAge and leeway. | |||
$jwt = new JWT($project->getId() == 'console' ? App::getEnv('_APP_OPENSSL_KEY_V1') : $project->getAttribute('jwtSecret'), 'HS256', 900, 10); // Instantiate with key, algo, maxAge and leeway. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's add a small explanation above this line.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we also keep older version to make sure we avoid any race conditions and failed validations during the switch? Not sure if we can ignore this scenario, wdyt?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure? If we don't keep the old version, only thing is that all the existing JWT keys will be invalid right? Is that such a big problem? or am I missing something here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As we already have console resource, I updated the console project to also include jwtSecrets
attribute so that we don't need to check anything else here
app/controllers/api/functions.php
Outdated
@@ -899,7 +899,7 @@ | |||
} | |||
|
|||
if(!$current->isEmpty()) { | |||
$jwtObj = new JWT(App::getEnv('_APP_OPENSSL_KEY_V1'), 'HS256', 900, 10); // Instantiate with key, algo, maxAge and leeway. | |||
$jwtObj = new JWT($project->getId() == 'console' ? App::getEnv('_APP_OPENSSL_KEY_V1') : $project->getAttribute('jwtSecret'), 'HS256', 900, 10); // Instantiate with key, algo, maxAge and leeway. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we add JWT as a resource we initialize in one place?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
as mentioned above, we can also try to cast the console attributes in a higher level to avoid code repetition.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we can do that I guess. I'll try that.
app/controllers/api/projects.php
Outdated
@@ -98,6 +99,8 @@ | |||
'keys' => null, | |||
'domains' => null, | |||
'auths' => $auths, | |||
'databaseSecrets' => [\uniqid() => \bin2hex(OpenSSL::randomPseudoBytes(128))], |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we abstract this logic in the Auth library?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
getting a new secret?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't this be a part of OpenSSL instead of Auth library? I've put it on OpenSSL library. Do let me know WYT.
app/controllers/api/account.php
Outdated
@@ -1060,7 +1062,7 @@ | |||
throw new Exception('No valid session found', 404, Exception::USER_SESSION_NOT_FOUND); | |||
} | |||
|
|||
$jwt = new JWT(App::getEnv('_APP_OPENSSL_KEY_V1'), 'HS256', 900, 10); // Instantiate with key, algo, maxAge and leeway. | |||
$jwt = new JWT($project->getId() == 'console' ? App::getEnv('_APP_OPENSSL_KEY_V1') : $project->getAttribute('jwtSecret'), 'HS256', 900, 10); // Instantiate with key, algo, maxAge and leeway. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we set/cast these attributes (jwtSecret, databaseSecrets) globally on the console
project object? Might be easier than forcing dev to remember adding this condition.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
may be adding a JWT resource will be a good idea, I'll try that.
app/controllers/api/storage.php
Outdated
@@ -508,9 +508,16 @@ | |||
if (empty($data)) { | |||
$data = $deviceFiles->read($path); | |||
} | |||
$key = App::getEnv('_APP_OPENSSL_KEY_V1'); | |||
|
|||
$fileSecret = \bin2hex(OpenSSL::randomPseudoBytes(128)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same, can we abstract the secret generation?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
will do.
composer.json
Outdated
@@ -45,7 +45,7 @@ | |||
"utopia-php/cache": "0.6.*", | |||
"utopia-php/cli": "0.12.*", | |||
"utopia-php/config": "0.2.*", | |||
"utopia-php/database": "0.15.*", | |||
"utopia-php/database": "dev-feat-filters-upgrade as 0.15.4", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reminder to release a version.
src/Appwrite/OpenSSL/OpenSSL.php
Outdated
@@ -20,6 +20,7 @@ class OpenSSL | |||
*/ | |||
public static function encrypt($data, $method, $key, $options = 0, $iv = '', &$tag = null, $aad = '', $tag_length = 16) | |||
{ | |||
var_dump($data); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Leftover.
Co-authored-by: Eldad A. Fux <[email protected]>
…at-project-level-secrets
…at-project-level-secrets
…ite/appwrite into feat-project-level-secrets
…at-project-level-secrets
…at-project-level-secrets
Converting to draft due to merge conflicts. |
What does this PR do?
(Provide a description of what this PR does.)
Test Plan
(Write your test plan here. If you changed any code, please provide us with clear instructions on how you verified your changes work.)
Related PRs and Issues
(If this PR is related to any other PR or resolves any issue or related to any issue link all related PR and issues here.)
Have you read the Contributing Guidelines on issues?
(Write your answer here.)