FEATURE (secrets): Move secrets to the secret.key file instead of DB

Author: RostislavDugin

backend/cmd/main.go

@@ -18,6 +18,7 @@ import (
 	backups_config "postgresus-backend/internal/features/backups/config"
 	"postgresus-backend/internal/features/databases"
 	"postgresus-backend/internal/features/disk"
+	"postgresus-backend/internal/features/encryption/secrets"
 	healthcheck_attempt "postgresus-backend/internal/features/healthcheck/attempt"
 	healthcheck_config "postgresus-backend/internal/features/healthcheck/config"
 	"postgresus-backend/internal/features/notifiers"
@@ -64,6 +65,12 @@ func main() {
 		os.Exit(1)
 	}
 
+	err = secrets.GetSecretKeyService().MigrateKeyFromDbToFileIfExist()
+	if err != nil {
+		log.Error("Failed to migrate secret key from database to file", "error", err)
+		os.Exit(1)
+	}
+
 	err = users_services.GetUserService().CreateInitialAdmin()
 	if err != nil {
 		log.Error("Failed to create initial admin", "error", err)

backend/internal/config/config.go

@@ -26,8 +26,9 @@ type EnvVariables struct {
 	EnvMode              env_utils.EnvMode `env:"ENV_MODE"             required:"true"`
 	PostgresesInstallDir string            `env:"POSTGRES_INSTALL_DIR"`
 
-	DataFolder string
-	TempFolder string
+	DataFolder    string
+	TempFolder    string
+	SecretKeyPath string
 
 	TestGoogleDriveClientID     string `env:"TEST_GOOGLE_DRIVE_CLIENT_ID"`
 	TestGoogleDriveClientSecret string `env:"TEST_GOOGLE_DRIVE_CLIENT_SECRET"`
@@ -146,6 +147,7 @@ func loadEnvVariables() {
 	// (projectRoot/postgresus-data -> /postgresus-data)
 	env.DataFolder = filepath.Join(filepath.Dir(backendRoot), "postgresus-data", "backups")
 	env.TempFolder = filepath.Join(filepath.Dir(backendRoot), "postgresus-data", "temp")
+	env.SecretKeyPath = filepath.Join(filepath.Dir(backendRoot), "postgresus-data", "secret.key")
 
 	if env.IsTesting {
 		if env.TestPostgres12Port == "" {

backend/internal/features/backups/backups/di.go

@@ -1,17 +1,18 @@
 package backups
 
 import (
+	"time"
+
 	audit_logs "postgresus-backend/internal/features/audit_logs"
 	"postgresus-backend/internal/features/backups/backups/usecases"
 	backups_config "postgresus-backend/internal/features/backups/config"
 	"postgresus-backend/internal/features/databases"
+	encryption_secrets "postgresus-backend/internal/features/encryption/secrets"
 	"postgresus-backend/internal/features/notifiers"
 	"postgresus-backend/internal/features/storages"
-	users_repositories "postgresus-backend/internal/features/users/repositories"
 	workspaces_services "postgresus-backend/internal/features/workspaces/services"
 	"postgresus-backend/internal/util/encryption"
 	"postgresus-backend/internal/util/logger"
-	"time"
 )
 
 var backupRepository = &BackupRepository{}
@@ -25,7 +26,7 @@ var backupService = &BackupService{
 	notifiers.GetNotifierService(),
 	notifiers.GetNotifierService(),
 	backups_config.GetBackupConfigService(),
-	users_repositories.GetSecretKeyRepository(),
+	encryption_secrets.GetSecretKeyService(),
 	encryption.GetFieldEncryptor(),
 	usecases.GetCreateBackupUsecase(),
 	logger.GetLogger(),

backend/internal/features/backups/backups/service.go

@@ -7,19 +7,20 @@ import (
 	"fmt"
 	"io"
 	"log/slog"
+	"slices"
+	"strings"
+	"time"
+
 	audit_logs "postgresus-backend/internal/features/audit_logs"
 	"postgresus-backend/internal/features/backups/backups/encryption"
 	backups_config "postgresus-backend/internal/features/backups/config"
 	"postgresus-backend/internal/features/databases"
+	encryption_secrets "postgresus-backend/internal/features/encryption/secrets"
 	"postgresus-backend/internal/features/notifiers"
 	"postgresus-backend/internal/features/storages"
 	users_models "postgresus-backend/internal/features/users/models"
-	users_repositories "postgresus-backend/internal/features/users/repositories"
 	workspaces_services "postgresus-backend/internal/features/workspaces/services"
 	util_encryption "postgresus-backend/internal/util/encryption"
-	"slices"
-	"strings"
-	"time"
 
 	"github.com/google/uuid"
 )
@@ -31,7 +32,7 @@ type BackupService struct {
 	notifierService     *notifiers.NotifierService
 	notificationSender  NotificationSender
 	backupConfigService *backups_config.BackupConfigService
-	secretKeyRepo       *users_repositories.SecretKeyRepository
+	secretKeyService    *encryption_secrets.SecretKeyService
 	fieldEncryptor      util_encryption.FieldEncryptor
 
 	createBackupUseCase CreateBackupUsecase
@@ -628,7 +629,7 @@ func (s *BackupService) getBackupReader(backupID uuid.UUID) (io.ReadCloser, erro
 	}
 
 	// Get master key
-	masterKey, err := s.secretKeyRepo.GetSecretKey()
+	masterKey, err := s.secretKeyService.GetSecretKey()
 	if err != nil {
 		if closeErr := fileReader.Close(); closeErr != nil {
 			s.logger.Error("Failed to close file reader", "error", closeErr)

backend/internal/features/backups/backups/service_test.go

@@ -3,21 +3,22 @@ package backups
 import (
 	"context"
 	"errors"
+	"strings"
+	"testing"
+	"time"
+
 	usecases_postgresql "postgresus-backend/internal/features/backups/backups/usecases/postgresql"
 	backups_config "postgresus-backend/internal/features/backups/config"
 	"postgresus-backend/internal/features/databases"
+	encryption_secrets "postgresus-backend/internal/features/encryption/secrets"
 	"postgresus-backend/internal/features/notifiers"
 	"postgresus-backend/internal/features/storages"
 	users_enums "postgresus-backend/internal/features/users/enums"
-	users_repositories "postgresus-backend/internal/features/users/repositories"
 	users_testing "postgresus-backend/internal/features/users/testing"
 	workspaces_services "postgresus-backend/internal/features/workspaces/services"
 	workspaces_testing "postgresus-backend/internal/features/workspaces/testing"
 	"postgresus-backend/internal/util/encryption"
 	"postgresus-backend/internal/util/logger"
-	"strings"
-	"testing"
-	"time"
 
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
@@ -56,7 +57,7 @@ func Test_BackupExecuted_NotificationSent(t *testing.T) {
 			notifiers.GetNotifierService(),
 			mockNotificationSender,
 			backups_config.GetBackupConfigService(),
-			users_repositories.GetSecretKeyRepository(),
+			encryption_secrets.GetSecretKeyService(),
 			encryption.GetFieldEncryptor(),
 			&CreateFailedBackupUsecase{},
 			logger.GetLogger(),
@@ -104,7 +105,7 @@ func Test_BackupExecuted_NotificationSent(t *testing.T) {
 			notifiers.GetNotifierService(),
 			mockNotificationSender,
 			backups_config.GetBackupConfigService(),
-			users_repositories.GetSecretKeyRepository(),
+			encryption_secrets.GetSecretKeyService(),
 			encryption.GetFieldEncryptor(),
 			&CreateSuccessBackupUsecase{},
 			logger.GetLogger(),
@@ -129,7 +130,7 @@ func Test_BackupExecuted_NotificationSent(t *testing.T) {
 			notifiers.GetNotifierService(),
 			mockNotificationSender,
 			backups_config.GetBackupConfigService(),
-			users_repositories.GetSecretKeyRepository(),
+			encryption_secrets.GetSecretKeyService(),
 			encryption.GetFieldEncryptor(),
 			&CreateSuccessBackupUsecase{},
 			logger.GetLogger(),

backend/internal/features/backups/backups/usecases/postgresql/create_backup_uc.go

@@ -19,8 +19,8 @@ import (
 	backups_config "postgresus-backend/internal/features/backups/config"
 	"postgresus-backend/internal/features/databases"
 	pgtypes "postgresus-backend/internal/features/databases/databases/postgresql"
+	encryption_secrets "postgresus-backend/internal/features/encryption/secrets"
 	"postgresus-backend/internal/features/storages"
-	users_repositories "postgresus-backend/internal/features/users/repositories"
 	"postgresus-backend/internal/util/encryption"
 	"postgresus-backend/internal/util/tools"
 
@@ -34,16 +34,15 @@ const (
 	progressReportIntervalMB = 1.0
 	pgConnectTimeout         = 30
 	compressionLevel         = 5
-	defaultBackupLimit       = 1000
 	exitCodeAccessViolation  = -1073741819
 	exitCodeGenericError     = 1
 	exitCodeConnectionError  = 2
 )
 
 type CreatePostgresqlBackupUsecase struct {
-	logger         *slog.Logger
-	secretKeyRepo  *users_repositories.SecretKeyRepository
-	fieldEncryptor encryption.FieldEncryptor
+	logger           *slog.Logger
+	secretKeyService *encryption_secrets.SecretKeyService
+	fieldEncryptor   encryption.FieldEncryptor
 }
 
 // Execute creates a backup of the database
@@ -466,7 +465,7 @@ func (uc *CreatePostgresqlBackupUsecase) setupBackupEncryption(
 		return nil, nil, metadata, fmt.Errorf("failed to generate nonce: %w", err)
 	}
 
-	masterKey, err := uc.secretKeyRepo.GetSecretKey()
+	masterKey, err := uc.secretKeyService.GetSecretKey()
 	if err != nil {
 		return nil, nil, metadata, fmt.Errorf("failed to get master key: %w", err)
 	}

backend/internal/features/backups/backups/usecases/postgresql/di.go

@@ -1,14 +1,14 @@
 package usecases_postgresql
 
 import (
-	users_repositories "postgresus-backend/internal/features/users/repositories"
+	"postgresus-backend/internal/features/encryption/secrets"
 	"postgresus-backend/internal/util/encryption"
 	"postgresus-backend/internal/util/logger"
 )
 
 var createPostgresqlBackupUsecase = &CreatePostgresqlBackupUsecase{
 	logger.GetLogger(),
-	users_repositories.GetSecretKeyRepository(),
+	secrets.GetSecretKeyService(),
 	encryption.GetFieldEncryptor(),
 }
 

backend/internal/features/encryption/secrets/di.go

@@ -0,0 +1,9 @@
+package secrets
+
+var secretKeyService = &SecretKeyService{
+	nil,
+}
+
+func GetSecretKeyService() *SecretKeyService {
+	return secretKeyService
+}

backend/internal/features/encryption/secrets/model.go

@@ -0,0 +1 @@
+package secrets

backend/internal/features/encryption/secrets/service.go

@@ -0,0 +1,73 @@
+package secrets
+
+import (
+	"errors"
+	"fmt"
+	"os"
+
+	"postgresus-backend/internal/config"
+	user_models "postgresus-backend/internal/features/users/models"
+	"postgresus-backend/internal/storage"
+
+	"github.com/google/uuid"
+	"gorm.io/gorm"
+)
+
+type SecretKeyService struct {
+	cachedKey *string
+}
+
+func (s *SecretKeyService) MigrateKeyFromDbToFileIfExist() error {
+	var secretKey user_models.SecretKey
+
+	err := storage.GetDb().First(&secretKey).Error
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil
+		}
+		return fmt.Errorf("failed to check for secret key in database: %w", err)
+	}
+
+	if secretKey.Secret == "" {
+		return nil
+	}
+
+	secretKeyPath := config.GetEnv().SecretKeyPath
+	if err := os.WriteFile(secretKeyPath, []byte(secretKey.Secret), 0600); err != nil {
+		return fmt.Errorf("failed to write secret key to file: %w", err)
+	}
+
+	if err := storage.GetDb().Exec("DELETE FROM secret_keys").Error; err != nil {
+		return fmt.Errorf("failed to delete secret key from database: %w", err)
+	}
+
+	return nil
+}
+
+func (s *SecretKeyService) GetSecretKey() (string, error) {
+	if s.cachedKey != nil {
+		return *s.cachedKey, nil
+	}
+
+	secretKeyPath := config.GetEnv().SecretKeyPath
+	data, err := os.ReadFile(secretKeyPath)
+	if err != nil {
+		if os.IsNotExist(err) {
+			newKey := s.generateNewSecretKey()
+			if err := os.WriteFile(secretKeyPath, []byte(newKey), 0600); err != nil {
+				return "", fmt.Errorf("failed to write new secret key: %w", err)
+			}
+			s.cachedKey = &newKey
+			return newKey, nil
+		}
+		return "", fmt.Errorf("failed to read secret key file: %w", err)
+	}
+
+	key := string(data)
+	s.cachedKey = &key
+	return key, nil
+}
+
+func (s *SecretKeyService) generateNewSecretKey() string {
+	return uuid.New().String() + uuid.New().String()
+}