From 8ad8196d70af73a7a2c31c175b991f15b9a58d86 Mon Sep 17 00:00:00 2001
From: Andrey Antukh
Date: Tue, 4 May 2021 15:12:42 +0200
Subject: [PATCH] :sparkles: Allow overide the secret-key on setup module.

Usefull when using a pre-shared secret key.
---
 backend/src/app/config.clj | 4 +++-
 backend/src/app/main.clj | 5 +++--
 backend/src/app/setup.clj | 28 +++++++++++++++++++---------
 backend/src/app/tokens.clj | 8 ++++----
 4 files changed, 29 insertions(+), 16 deletions(-)

diff --git a/backend/src/app/config.clj b/backend/src/app/config.clj
index 0e9d4ac5d..c8aeeae7e 100644
--- a/backend/src/app/config.clj
+++ b/backend/src/app/config.clj
@@ -87,6 +87,7 @@
    :initial-project-skey "initial-project"
    })
 
+(s/def ::secret-key ::us/string)
 (s/def ::allow-demo-users ::us/boolean)
 (s/def ::asserts-enabled ::us/boolean)
 (s/def ::assets-path ::us/string)
@@ -169,7 +170,8 @@
 (s/def ::tenant ::us/string)
 
 (s/def ::config
-  (s/keys :opt-un [::allow-demo-users
+  (s/keys :opt-un [::secret-key
+                   ::allow-demo-users
                    ::asserts-enabled
                    ::database-password
                    ::database-uri
diff --git a/backend/src/app/main.clj b/backend/src/app/main.clj
index 1dba68956..f7fbde9b4 100644
--- a/backend/src/app/main.clj
+++ b/backend/src/app/main.clj
@@ -45,7 +45,7 @@
     :redis-uri (cf/get :redis-uri)}
 
    :app.tokens/tokens
-   {:sprops (ig/ref :app.setup/props)}
+   {:props (ig/ref :app.setup/props)}
 
    :app.storage/gc-deleted-task
    {:pool (ig/ref :app.db/pool)
@@ -257,7 +257,8 @@
     :host (cf/get :srepl-host)}
 
    :app.setup/props
-   {:pool (ig/ref :app.db/pool)}
+   {:pool (ig/ref :app.db/pool)
+    :key (cf/get :secret-key)}
 
    :app.loggers.zmq/receiver
    {:endpoint (cf/get :loggers-zmq-uri)}
diff --git a/backend/src/app/setup.clj b/backend/src/app/setup.clj
index ec2c10a96..610e9e9ff 100644
--- a/backend/src/app/setup.clj
+++ b/backend/src/app/setup.clj
@@ -29,16 +29,26 @@
       (initialize-instance-id! cfg)
       (retrieve-all cfg))))
 
+(def sql:upsert-secret-key
+  "insert into server_prop (id, preload, content)
+   values ('secret-key', true, ?::jsonb)
+   on conflict (id) do update set content = ?::jsonb")
+
+(def sql:insert-secret-key
+  "insert into server_prop (id, preload, content)
+   values ('secret-key', true, ?::jsonb)
+   on conflict (id) do nothing")
+
 (defn- initialize-secret-key!
-  [{:keys [conn] :as cfg}]
-  (let [key (-> (bn/random-bytes 64)
-                (bc/bytes->b64u)
-                (bc/bytes->str))]
-    (db/insert! conn :server-prop
-                {:id "secret-key"
-                 :preload true
-                 :content (db/tjson key)}
-                {:on-conflict-do-nothing true})))
+  [{:keys [conn key] :as cfg}]
+  (if key
+    (let [key (db/tjson key)]
+      (db/exec-one! conn [sql:upsert-secret-key key key]))
+    (let [key (-> (bn/random-bytes 64)
+                  (bc/bytes->b64u)
+                  (bc/bytes->str))
+          key (db/tjson key)]
+      (db/exec-one! conn [sql:insert-secret-key key]))))
 
 (defn- initialize-instance-id!
   [{:keys [conn] :as cfg}]
diff --git a/backend/src/app/tokens.clj b/backend/src/app/tokens.clj
index ecf7c84a4..bfa682ea6 100644
--- a/backend/src/app/tokens.clj
+++ b/backend/src/app/tokens.clj
@@ -51,11 +51,11 @@
   claims))
 
 (s/def ::secret-key ::us/string)
-(s/def ::sprops
+(s/def ::props
   (s/keys :req-un [::secret-key]))
 
 (defmethod ig/pre-init-spec ::tokens [_]
-  (s/keys :req-un [::sprops]))
+  (s/keys :req-un [::props]))
 
 (defn- generate-predefined
   [cfg {:keys [iss profile-id] :as params}]
@@ -71,8 +71,8 @@
             :hint "no predefined token")))
 
 (defmethod ig/init-key ::tokens
-  [_ {:keys [sprops] :as cfg}]
-  (let [secret (derive-tokens-secret (:secret-key sprops))
+  [_ {:keys [props] :as cfg}]
+  (let [secret (derive-tokens-secret (:secret-key props))
         cfg (assoc cfg ::secret secret)]
     (fn [action params]
       (case action
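Review bot: The pre-shared value destructured as `key` in `initialize-secret-key!` is persisted without any validation, so a short or blank `secret-key` setting becomes the input that tokens.clj feeds to `derive-tokens-secret` (the empty string is truthy in Clojure, so `(if key ...)` does not reject it, and the `::us/string` spec added in config.clj may accept it too unless that spec rejects blanks — worth confirming). The generated fallback is 64 random bytes, so the configured branch should enforce a comparable minimum before the upsert, e.g. `(when (< (count key) 32) (throw (ex-info "secret-key is too short" {:length (count key)})))`, or config.clj should use a stricter non-empty spec for `::secret-key`. As a smaller point, `sql:upsert-secret-key` takes the same value twice; `on conflict (id) do update set content = excluded.content` lets the call become `(db/exec-one! conn [sql:upsert-secret-key key])`. The local `key` also shadows `clojure.core/key`; binding it as `{:keys [conn] skey :key :as cfg}` keeps the config key name while avoiding the shadowing.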