[12.x] Use more secure key permissions (#1721)

* Use more secure key permissions

* Update Passport.php

* Update PassportServiceProvider.php

---------

Co-authored-by: Taylor Otwell <[email protected]>

Author: axlon

src/Console/KeysCommand.php

@@ -55,6 +55,11 @@ public function handle()
                 file_put_contents($privateKey, (string) $key);
             }
 
+            if (! windows_os()) {
+                chmod($publicKey, 0660);
+                chmod($privateKey, 0600);
+            }
+
             $this->info('Encryption keys generated successfully.');
         }
 

src/Passport.php

@@ -14,6 +14,13 @@
 
 class Passport
 {
+    /**
+     * Indicates if Passport should validate the permissions of its encryption keys.
+     *
+     * @var bool
+     */
+    public static $validateKeyPermissions = true;
+
     /**
      * Indicates if the implicit grant type is enabled.
      *

src/PassportServiceProvider.php

@@ -309,7 +309,7 @@ protected function registerResourceServer()
     }
 
     /**
-     * Create a CryptKey instance without permissions check.
+     * Create a CryptKey instance.
      *
      * @param  string  $type
      * @return \League\OAuth2\Server\CryptKey
@@ -322,7 +322,7 @@ protected function makeCryptKey($type)
             $key = 'file://'.Passport::keyPath('oauth-'.$type.'.key');
         }
 
-        return new CryptKey($key, null, false);
+        return new CryptKey($key, null, Passport::$validateKeyPermissions && ! windows_os());
     }
 
     /**

tests/Unit/PassportServiceProviderTest.php

@@ -11,6 +11,13 @@
 
 class PassportServiceProviderTest extends TestCase
 {
+    protected function tearDown(): void
+    {
+        parent::tearDown();
+
+        @unlink(__DIR__.'/../keys/oauth-private.key');
+    }
+
     public function test_can_use_crypto_keys_from_config()
     {
         $privateKey = openssl_pkey_new();
@@ -46,6 +53,7 @@ public function test_can_use_crypto_keys_from_local_disk()
 
         openssl_pkey_export_to_file($privateKey, __DIR__.'/../keys/oauth-private.key');
         openssl_pkey_export($privateKey, $privateKeyString);
+        chmod(__DIR__.'/../keys/oauth-private.key', 0600);
 
         $config = m::mock(Config::class, function ($config) {
             $config->shouldReceive('get')->with('passport.private_key')->andReturn(null);
@@ -64,7 +72,5 @@ public function test_can_use_crypto_keys_from_local_disk()
             $privateKeyString,
             file_get_contents($cryptKey->getKeyPath())
         );
-
-        @unlink(__DIR__.'/../keys/oauth-private.key');
     }
 }