Update key settings and scripts (#1282)

* Update key settings and scripts

* Handle error when missing file

Author: starwarfan

scripts/release/initauth.js

@@ -59,7 +59,14 @@ const saveAuth = (obj, filename) => new Promise((resolve, reject) => {
   }
 });
 
-const updateRabbit = () => new Promise((resolve, reject) => {
+const updateRabbit = (cleanup) => new Promise((resolve, reject) => {
+  if (cleanup) {
+    console.log('Cleanup RabbitMQ account...');
+    saveAuth({rabbit: null}, authStore)
+      .then(resolve)
+      .catch(reject);
+    return;
+  }
   question('Update RabbitMQ account?[yes/no]')
     .then((answer) => {
       answer = answer.toLowerCase();
@@ -81,7 +88,14 @@ const updateRabbit = () => new Promise((resolve, reject) => {
     });
 });
 
-const updateMongo = () => new Promise((resolve, reject) => {
+const updateMongo = (cleanup) => new Promise((resolve, reject) => {
+  if (cleanup) {
+    console.log('Cleanup MongoDB account...');
+    saveAuth({mongo: null}, authStore)
+      .then(resolve)
+      .catch(reject);
+    return;
+  }
   question('Update MongoDB account?[yes/no]')
     .then((answer) => {
       answer = answer.toLowerCase();
@@ -103,7 +117,14 @@ const updateMongo = () => new Promise((resolve, reject) => {
     });
 });
 
-const updateInternal = () => new Promise((resolve, reject) => {
+const updateInternal = (cleanup) => new Promise((resolve, reject) => {
+  if (cleanup) {
+    console.log('Cleanup internal passphrase...');
+    saveAuth({internalPass: null}, authStore)
+      .then(resolve)
+      .catch(reject);
+    return;
+  }
   question('Update internal passphrase?[yes/no]')
     .then((answer) => {
       answer = answer.toLowerCase();
@@ -122,7 +143,14 @@ const updateInternal = () => new Promise((resolve, reject) => {
     });
 });
 
-const updateGKeyPass = () => new Promise((resolve, reject) => {
+const updateGKeyPass = (cleanup) => new Promise((resolve, reject) => {
+  if (cleanup) {
+    console.log('Cleanup gRPC TLS key...');
+    saveAuth({grpc: null}, authStore)
+      .then(resolve)
+      .catch(reject);
+    return;
+  }
   question('Update passphrase for gRPC TLS key?[yes/no]')
     .then((answer) => {
       answer = answer.toLowerCase();
@@ -146,8 +174,47 @@ const updateGKeyPass = () => new Promise((resolve, reject) => {
     });
 });
 
+const generateServiceProtectionKey = (cleanup) => new Promise((resolve, reject) => {
+  if (cleanup) {
+    console.log('Cleanup service protection key...');
+    saveAuth({spk: null}, authStore)
+      .then(resolve)
+      .catch(reject);
+    return;
+  }
+  question('Generate service protection key?[yes/no]')
+    .then((answer) => {
+      answer = answer.toLowerCase();
+      if (answer === 'y' || answer === 'yes') {
+        const spk = require('crypto').randomBytes(64).toString('hex');
+        saveAuth({spk: spk}, authStore)
+          .then(() => {
+            console.log(`Service protection key generated: ${spk}`);
+            resolve();
+          })
+          .catch(reject);
+      } else {
+        resolve();
+      }
+    });
+});
+
+const printUsage = () => {
+  let usage = 'Usage:\n';
+  usage += '  --rabbitmq  Update RabbitMQ account(default)\n';
+  usage += '  --mongodb   Update MongoDB account(default)\n';
+  usage += '  --internal  Update internal TLS key passphrase\n';
+  usage += '  --grpc      Update gRPC TLS key passphrase\n';
+  usage += '  --spk       Generate service protection key\n';
+  usage += '  --cleanup   Clean up selected credentials\n';
+  console.log(usage);
+}
 const options = {};
 const parseArgs = () => {
+  if (process.argv.includes('--help')) {
+    printUsage();
+    process.exit(0);
+  }
   if (process.argv.includes('--rabbitmq')) {
     options.rabbit = true;
   }
@@ -160,7 +227,17 @@ const parseArgs = () => {
   if (process.argv.includes('--grpc')) {
     options.grpc = true;
   }
-  if (Object.keys(options).length === 0) {
+  if (process.argv.includes('--spk')) {
+    options.spk = true;
+  }
+  if (process.argv.includes('--cleanup')) {
+    options.cleanup = true;
+  }
+  let selectedUpdate = Object.keys(options).length;
+  if (options.cleanup) {
+    selectedUpdate -= 1;
+  }
+  if (selectedUpdate === 0) {
     options.rabbit = true;
     options.mongo = true;
   }
@@ -170,22 +247,27 @@ const parseArgs = () => {
 parseArgs()
   .then(() => {
     if (options.rabbit) {
-      return updateRabbit();
+      return updateRabbit(options.cleanup);
     }
   })
   .then(() => {
     if (options.mongo) {
-      return updateMongo();
+      return updateMongo(options.cleanup);
     }
   })
   .then(() => {
     if (options.internal) {
-      return updateInternal();
+      return updateInternal(options.cleanup);
     }
   })
   .then(() => {
     if (options.grpc) {
-      return updateGKeyPass();
+      return updateGKeyPass(options.cleanup);
+    }
+  })
+  .then(() => {
+    if (options.spk) {
+      return generateServiceProtectionKey(options.cleanup);
     }
   })
   .finally(() => readline.close());

source/common/cipher.js

@@ -80,11 +80,26 @@ function unlockSync (password, filename) {
   return JSON.parse(data.toString());
 }
 
+const defaultK =
+  Buffer.from('3d84a1efc77268c98bc6ca2921eb35a6d82a40a38696d25fbb64ff1733cd2523', 'hex');
+let csk = null;
+// Set credPass with your own pass
+if (global.config?.credPass) {
+  const defaultSalt =
+    Buffer.from('1a7bb4a4f56f15eb875c7a66d8fe893bc9458acd414319d431f6a6dfaef69fa6', 'hex');
+  // crypto.randomBytes(32).toString('hex');
+  // Set credSalt with your own salt
+  const salt = global.config.credSalt || defaultSalt;
+  csk = crypto.pbkdf2Sync(global.config.credPass, salt, 4000, 128, 'sha256');
+  delete global.config.credPass;
+  delete global.config.credSalt;
+}
+
 module.exports = {
   encrypt: encrypt,
   decrypt: decrypt,
-  // Replace k with your key generator
-  k: Buffer.from('3d84a1efc77268c98bc6ca2921eb35a6d82a40a38696d25fbb64ff1733cd2523', 'hex'),
+  k: (csk || defaultK),
+  dk: defaultK,
   astore: '.owt.authstore',
   kstore: '.owt.keystore',
   lock: lock,

source/management_api/api.js

@@ -258,6 +258,13 @@ if (cluster.isMaster) {
 } else {
     // Worker Process
     rpc.connect(global.config.rabbit);
+    // Load spk
+    try {
+      const aconfig = cipher.unlockSync(cipher.k, cipher.astore);
+      global.config.spk = aconfig.spk ? Buffer.from(aconfig.spk, 'hex') : cipher.dk;
+    } catch (e) {
+      global.config.spk = cipher.dk;
+    }
 
     if (serverConfig.ssl === true) {
         var cipher = require('./cipher');
@@ -266,12 +273,13 @@ if (cluster.isMaster) {
         cipher.unlock(cipher.k, keystore, function cb (err, passphrase) {
             if (!err) {
                 try {
-                    require('https').createServer({
-                        pfx: require('fs').readFileSync(serverConfig.keystorePath),
-                        passphrase: passphrase
-                    }, app).listen(serverPort);
+                  require('https').createServer({
+                      pfx: require('fs').readFileSync(serverConfig.keystorePath),
+                      passphrase: passphrase
+                  }, app).listen(serverPort);
                 } catch (e) {
-                    err = e;
+                  log.warn('Failed to start secured server:', e);
+                  return process.exit(1);
                 }
             } else {
                 log.warn('Failed to setup secured server:', err);

source/management_api/auth/serverAuthenticator.js

@@ -110,7 +110,7 @@ exports.authenticate = function (req, res, next) {
 
             var key = serv.key;
             if (serv.encrypted === true) {
-                key = cipher.decrypt(cipher.k, key);
+                key = cipher.decrypt(global.config.spk, key);
             }
 
             // Check if timestamp and cnonce are valids in order to avoid duplicate requests.

source/management_api/initdb.js

@@ -32,6 +32,7 @@ var configFile = path.resolve(dirName, CONFIG_NAME);
 var samplePackageJson = path.resolve(dirName, SAMPLE_RELATED_PATH, 'package.json');
 var sampleEntryName = (require(samplePackageJson).main || DEFAULT_SAMPLE_ENTRY);
 var sampleServiceFile = path.resolve(dirName, SAMPLE_RELATED_PATH, sampleEntryName);
+var spk = cipher.dk;
 
 function prepareDB(next) {
   if (dbURL.indexOf('mongodb://') !== 0) {
@@ -40,6 +41,9 @@ function prepareDB(next) {
   if (fs.existsSync(cipher.astore)) {
     cipher.unlock(cipher.k, cipher.astore, function cb (err, authConfig) {
       if (!err) {
+        if (authConfig.spk) {
+          spk = Buffer.from(authConfig.spk, 'hex');
+        }
         if (authConfig.mongo && !dbURL.includes('@')) {
           dbURL = "mongodb://" + authConfig.mongo.username
             + ':' + authConfig.mongo.password
@@ -188,7 +192,7 @@ function prepareService (serviceName, next) {
     if (err || !service) {
       var crypto = require('crypto');
       var key = crypto.pbkdf2Sync(crypto.randomBytes(64).toString('hex'), crypto.randomBytes(32).toString('hex'), 4000, 128, 'sha256').toString('base64');
-      service = {name: serviceName, key: cipher.encrypt(cipher.k, key), encrypted: true, rooms: [], __v: 0};
+      service = {name: serviceName, key: cipher.encrypt(spk, key), encrypted: true, rooms: [], __v: 0};
       db.collection('services').insertOne(service, function cb (err, result) {
         if (err) {
           console.log('mongodb: error in adding', serviceName);
@@ -199,7 +203,7 @@ function prepareService (serviceName, next) {
       });
     } else {
       if (service.encrypted === true) {
-        service.key = cipher.decrypt(cipher.k, service.key);
+        service.key = cipher.decrypt(spk, service.key);
       }
       next(service);
     }

source/management_api/resource/servicesResource.js

@@ -69,7 +69,7 @@ exports.create = function (req, res, next) {
     }
 
     service.encrypted = true;
-    service.key = cipher.encrypt(cipher.k, service.key);
+    service.key = cipher.encrypt(global.config.spk, service.key);
     dataAccess.service.create(service, function(err, result) {
         if (err) {
             log.warn('Failed to create service:', err.message);