Validate APP_KEY (#13171)

* Validate APP_KEY key:rotate command to rotate keys, only rotates validation data for now * fixes, swapped encrypters, not saving new value to db, check that key exists first * add confirmation * Option to generate new key, re-encrypt data and then save it to .env A lot more text to try to prevent disaster. Print out both keys 1-2 times. Fix bug in EnvHelper (when key is commented but not empty) * fix style * oops, good phpstan
2024-10-07 16:52:45 +00:00 · 2021-08-27 22:48:21 -05:00
parent 1ec694595e
commit 9b8b1b814a
6 changed files with 223 additions and 7 deletions
--- a/LibreNMS/Validations/Configuration.php
+++ b/LibreNMS/Validations/Configuration.php
@@ -24,6 +24,7 @@

 namespace LibreNMS\Validations;

+use Illuminate\Contracts\Encryption\DecryptException;
 use LibreNMS\Config;
 use LibreNMS\DB\Eloquent;
 use LibreNMS\Validator;
@@ -50,5 +51,28 @@ class Configuration extends BaseValidation
        if (Eloquent::isConnected() && ! \DB::table('devices')->exists()) {
            $validator->warn('You have no devices.', 'Consider adding a device such as localhost: ' . $validator->getBaseURL() . '/addhost');
        }
+
+        if (Config::has('validation.encryption.test')) {
+            try {
+                if (\Crypt::decryptString(Config::get('validation.encryption.test')) !== 'librenms') {
+                    $this->failKeyChanged($validator);
+                }
+            } catch (DecryptException $e) {
+                $this->failKeyChanged($validator);
+            }
+        } else {
+            Config::persist('validation.encryption.test', \Crypt::encryptString('librenms'));
+        }
+    }
+
+    /**
+     * @param  \LibreNMS\Validator  $validator
+     */
+    private function failKeyChanged(Validator $validator): void
+    {
+        $validator->fail(
+            'APP_KEY does not match key used to encrypt data. APP_KEY must be the same on all nodes.',
+            'If you rotated APP_KEY, run lnms key:rotate to resolve.'
+        );
    }
 }