authorizer/server/env/persist_env.go

package env

import (
	"encoding/json"
	"log"
	"os"
	"strconv"
	"strings"

	"github.com/google/uuid"

	"github.com/authorizerdev/authorizer/server/constants"
	"github.com/authorizerdev/authorizer/server/crypto"
	"github.com/authorizerdev/authorizer/server/db"
	"github.com/authorizerdev/authorizer/server/db/models"
	"github.com/authorizerdev/authorizer/server/envstore"
	"github.com/authorizerdev/authorizer/server/utils"
)

// GetEnvData returns the env data from database
func GetEnvData() (envstore.Store, error) {
	var result envstore.Store
	env, err := db.Provider.GetEnv()
	// config not found in db
	if err != nil {
		return result, err
	}

	encryptionKey := env.Hash
	decryptedEncryptionKey, err := crypto.DecryptB64(encryptionKey)
	if err != nil {
		return result, err
	}

	envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyEncryptionKey, decryptedEncryptionKey)

	b64DecryptedConfig, err := crypto.DecryptB64(env.EnvData)
	if err != nil {
		return result, err
	}

	decryptedConfigs, err := crypto.DecryptAESEnv([]byte(b64DecryptedConfig))
	if err != nil {
		return result, err
	}

	err = json.Unmarshal(decryptedConfigs, &result)
	if err != nil {
		return result, err
	}

	return result, err
}

// PersistEnv persists the environment variables to the database
func PersistEnv() error {
	env, err := db.Provider.GetEnv()
	// config not found in db
	if err != nil {
		// AES encryption needs 32 bit key only, so we chop off last 4 characters from 36 bit uuid
		hash := uuid.New().String()[:36-4]
		envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyEncryptionKey, hash)
		encodedHash := crypto.EncryptB64(hash)

		encryptedConfig, err := crypto.EncryptEnvData(envstore.EnvStoreObj.GetEnvStoreClone())
		if err != nil {
			return err
		}

		env = models.Env{
			Hash:    encodedHash,
			EnvData: encryptedConfig,
		}

		env, err = db.Provider.AddEnv(env)
		if err != nil {
			return err
		}
	} else {
		// decrypt the config data from db
		// decryption can be done using the hash stored in db
		encryptionKey := env.Hash
		decryptedEncryptionKey, err := crypto.DecryptB64(encryptionKey)
		if err != nil {
			return err
		}

		envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyEncryptionKey, decryptedEncryptionKey)

		b64DecryptedConfig, err := crypto.DecryptB64(env.EnvData)
		if err != nil {
			return err
		}

		decryptedConfigs, err := crypto.DecryptAESEnv([]byte(b64DecryptedConfig))
		if err != nil {
			return err
		}

		// temp store variable
		var storeData envstore.Store

		err = json.Unmarshal(decryptedConfigs, &storeData)
		if err != nil {
			return err
		}

		// if env is changed via env file or OS env
		// give that higher preference and update db, but we don't recommend it

		hasChanged := false

		for key, value := range storeData.StringEnv {
			// don't override unexposed envs
			if key != constants.EnvKeyEncryptionKey {
				// check only for derivative keys
				// No need to check for ENCRYPTION_KEY which special key we use for encrypting config data
				// as we have removed it from json
				envValue := strings.TrimSpace(os.Getenv(key))

				// env is not empty
				if envValue != "" {
					if value != envValue {
						storeData.StringEnv[key] = envValue
						hasChanged = true
					}
				}
			}
		}

		for key, value := range storeData.BoolEnv {
			envValue := strings.TrimSpace(os.Getenv(key))
			// env is not empty
			if envValue != "" {
				envValueBool, _ := strconv.ParseBool(envValue)
				if value != envValueBool {
					storeData.BoolEnv[key] = envValueBool
					hasChanged = true
				}
			}
		}

		for key, value := range storeData.SliceEnv {
			envValue := strings.TrimSpace(os.Getenv(key))
			// env is not empty
			if envValue != "" {
				envStringArr := strings.Split(envValue, ",")
				if !utils.IsStringArrayEqual(value, envStringArr) {
					storeData.SliceEnv[key] = envStringArr
					hasChanged = true
				}
			}
		}

		// handle derivative cases like disabling email verification & magic login
		// in case SMTP is off but env is set to true
		if storeData.StringEnv[constants.EnvKeySmtpHost] == "" || storeData.StringEnv[constants.EnvKeySmtpUsername] == "" || storeData.StringEnv[constants.EnvKeySmtpPassword] == "" || storeData.StringEnv[constants.EnvKeySenderEmail] == "" && storeData.StringEnv[constants.EnvKeySmtpPort] == "" {
			if !storeData.BoolEnv[constants.EnvKeyDisableEmailVerification] {
				storeData.BoolEnv[constants.EnvKeyDisableEmailVerification] = true
				hasChanged = true
			}

			if !storeData.BoolEnv[constants.EnvKeyDisableMagicLinkLogin] {
				storeData.BoolEnv[constants.EnvKeyDisableMagicLinkLogin] = true
				hasChanged = true
			}
		}
		envstore.EnvStoreObj.UpdateEnvStore(storeData)
		jwk, err := crypto.GenerateJWKBasedOnEnv()
		if err != nil {
			return err
		}
		// updating jwk
		envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJWK, jwk)

		if hasChanged {
			encryptedConfig, err := crypto.EncryptEnvData(storeData)
			if err != nil {
				return err
			}

			env.EnvData = encryptedConfig
			_, err = db.Provider.UpdateEnv(env)
			if err != nil {
				log.Println("error updating config:", err)
				return err
			}
		}
	}

	return nil
}
feat: persist encrypted env 2021-12-31 08:22:10 +00:00			`package env`

			`import (`
			`"encoding/json"`
			`"log"`
			`"os"`
fix: rename config -> env and handle env interface better 2022-01-20 11:22:37 +00:00			`"strconv"`
feat: persist encrypted env 2021-12-31 08:22:10 +00:00			`"strings"`

fix: update_env resolver 2022-02-26 15:06:22 +00:00			`"github.com/google/uuid"`

feat: persist encrypted env 2021-12-31 08:22:10 +00:00			`"github.com/authorizerdev/authorizer/server/constants"`
fix: update_env resolver 2022-02-26 15:06:22 +00:00			`"github.com/authorizerdev/authorizer/server/crypto"`
feat: persist encrypted env 2021-12-31 08:22:10 +00:00			`"github.com/authorizerdev/authorizer/server/db"`
fix: update to use db.Provider 2022-01-21 08:04:04 +00:00			`"github.com/authorizerdev/authorizer/server/db/models"`
Feat/dashboard (#105) 2022-01-17 06:02:13 +00:00			`"github.com/authorizerdev/authorizer/server/envstore"`
feat: persist encrypted env 2021-12-31 08:22:10 +00:00			`"github.com/authorizerdev/authorizer/server/utils"`
			`)`

fix: segregate env setup 2022-02-26 04:14:55 +00:00			`// GetEnvData returns the env data from database`
			`func GetEnvData() (envstore.Store, error) {`
			`var result envstore.Store`
			`env, err := db.Provider.GetEnv()`
			`// config not found in db`
			`if err != nil {`
			`return result, err`
			`}`

			`encryptionKey := env.Hash`
feat: add session token 2022-02-28 15:56:49 +00:00			`decryptedEncryptionKey, err := crypto.DecryptB64(encryptionKey)`
fix: segregate env setup 2022-02-26 04:14:55 +00:00			`if err != nil {`
			`return result, err`
			`}`

fix: tests 2022-02-28 02:25:01 +00:00			`envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyEncryptionKey, decryptedEncryptionKey)`
fix: segregate env setup 2022-02-26 04:14:55 +00:00
fix: env decryption + remove log 2022-03-07 10:05:33 +00:00			`b64DecryptedConfig, err := crypto.DecryptB64(env.EnvData)`
			`if err != nil {`
			`return result, err`
			`}`

			`decryptedConfigs, err := crypto.DecryptAESEnv([]byte(b64DecryptedConfig))`
fix: segregate env setup 2022-02-26 04:14:55 +00:00			`if err != nil {`
			`return result, err`
			`}`

fix: env encryption 2022-03-07 09:59:37 +00:00			`err = json.Unmarshal(decryptedConfigs, &result)`
fix: segregate env setup 2022-02-26 04:14:55 +00:00			`if err != nil {`
			`return result, err`
			`}`

			`return result, err`
			`}`

Feat/dashboard (#105) 2022-01-17 06:02:13 +00:00			`// PersistEnv persists the environment variables to the database`
feat: persist encrypted env 2021-12-31 08:22:10 +00:00			`func PersistEnv() error {`
fix: update to use db.Provider 2022-01-21 08:04:04 +00:00			`env, err := db.Provider.GetEnv()`
feat: persist encrypted env 2021-12-31 08:22:10 +00:00			`// config not found in db`
			`if err != nil {`
			`// AES encryption needs 32 bit key only, so we chop off last 4 characters from 36 bit uuid`
			`hash := uuid.New().String()[:36-4]`
fix: tests 2022-02-28 02:25:01 +00:00			`envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyEncryptionKey, hash)`
feat: add session token 2022-02-28 15:56:49 +00:00			`encodedHash := crypto.EncryptB64(hash)`
feat: persist encrypted env 2021-12-31 08:22:10 +00:00
feat: add session token 2022-02-28 15:56:49 +00:00			`encryptedConfig, err := crypto.EncryptEnvData(envstore.EnvStoreObj.GetEnvStoreClone())`
feat: persist encrypted env 2021-12-31 08:22:10 +00:00			`if err != nil {`
			`return err`
			`}`

fix: update to use db.Provider 2022-01-21 08:04:04 +00:00			`env = models.Env{`
fix: rename config -> env and handle env interface better 2022-01-20 11:22:37 +00:00			`Hash: encodedHash,`
			`EnvData: encryptedConfig,`
feat: persist encrypted env 2021-12-31 08:22:10 +00:00			`}`

fix: segregate env setup 2022-02-26 04:14:55 +00:00			`env, err = db.Provider.AddEnv(env)`
			`if err != nil {`
			`return err`
			`}`
feat: persist encrypted env 2021-12-31 08:22:10 +00:00			`} else {`
			`// decrypt the config data from db`
			`// decryption can be done using the hash stored in db`
fix: rename config -> env and handle env interface better 2022-01-20 11:22:37 +00:00			`encryptionKey := env.Hash`
feat: add session token 2022-02-28 15:56:49 +00:00			`decryptedEncryptionKey, err := crypto.DecryptB64(encryptionKey)`
feat: persist encrypted env 2021-12-31 08:22:10 +00:00			`if err != nil {`
			`return err`
			`}`
Feat/dashboard (#105) 2022-01-17 06:02:13 +00:00
fix: tests 2022-02-28 02:25:01 +00:00			`envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyEncryptionKey, decryptedEncryptionKey)`
Resolves #110 2022-01-29 11:32:44 +00:00
fix: env decryption 2022-03-07 10:03:39 +00:00			`b64DecryptedConfig, err := crypto.DecryptB64(env.EnvData)`
			`if err != nil {`
			`return err`
			`}`

			`decryptedConfigs, err := crypto.DecryptAESEnv([]byte(b64DecryptedConfig))`
feat: persist encrypted env 2021-12-31 08:22:10 +00:00			`if err != nil {`
			`return err`
			`}`

fix: rename config -> env and handle env interface better 2022-01-20 11:22:37 +00:00			`// temp store variable`
			`var storeData envstore.Store`
feat: persist encrypted env 2021-12-31 08:22:10 +00:00
fix: env encryption 2022-03-07 09:59:37 +00:00			`err = json.Unmarshal(decryptedConfigs, &storeData)`
feat: persist encrypted env 2021-12-31 08:22:10 +00:00			`if err != nil {`
			`return err`
			`}`

			`// if env is changed via env file or OS env`
			`// give that higher preference and update db, but we don't recommend it`

			`hasChanged := false`

fix: rename config -> env and handle env interface better 2022-01-20 11:22:37 +00:00			`for key, value := range storeData.StringEnv {`
fix: update_env resolver 2022-02-26 15:06:22 +00:00			`// don't override unexposed envs`
feat: add support for response mode 2022-03-07 13:19:18 +00:00			`if key != constants.EnvKeyEncryptionKey {`
fix: rename config -> env and handle env interface better 2022-01-20 11:22:37 +00:00			`// check only for derivative keys`
			`// No need to check for ENCRYPTION_KEY which special key we use for encrypting config data`
			`// as we have removed it from json`
			`envValue := strings.TrimSpace(os.Getenv(key))`
feat: persist encrypted env 2021-12-31 08:22:10 +00:00
fix: rename config -> env and handle env interface better 2022-01-20 11:22:37 +00:00			`// env is not empty`
			`if envValue != "" {`
feat: persist encrypted env 2021-12-31 08:22:10 +00:00			`if value != envValue {`
fix: rename config -> env and handle env interface better 2022-01-20 11:22:37 +00:00			`storeData.StringEnv[key] = envValue`
feat: persist encrypted env 2021-12-31 08:22:10 +00:00			`hasChanged = true`
			`}`
			`}`
fix: rename config -> env and handle env interface better 2022-01-20 11:22:37 +00:00			`}`
			`}`
feat: persist encrypted env 2021-12-31 08:22:10 +00:00
fix: rename config -> env and handle env interface better 2022-01-20 11:22:37 +00:00			`for key, value := range storeData.BoolEnv {`
			`envValue := strings.TrimSpace(os.Getenv(key))`
			`// env is not empty`
			`if envValue != "" {`
			`envValueBool, _ := strconv.ParseBool(envValue)`
			`if value != envValueBool {`
			`storeData.BoolEnv[key] = envValueBool`
			`hasChanged = true`
feat: persist encrypted env 2021-12-31 08:22:10 +00:00			`}`
fix: rename config -> env and handle env interface better 2022-01-20 11:22:37 +00:00			`}`
			`}`
feat: persist encrypted env 2021-12-31 08:22:10 +00:00
fix: rename config -> env and handle env interface better 2022-01-20 11:22:37 +00:00			`for key, value := range storeData.SliceEnv {`
			`envValue := strings.TrimSpace(os.Getenv(key))`
			`// env is not empty`
			`if envValue != "" {`
			`envStringArr := strings.Split(envValue, ",")`
			`if !utils.IsStringArrayEqual(value, envStringArr) {`
			`storeData.SliceEnv[key] = envStringArr`
			`hasChanged = true`
feat: persist encrypted env 2021-12-31 08:22:10 +00:00			`}`
			`}`
			`}`

			`// handle derivative cases like disabling email verification & magic login`
			`// in case SMTP is off but env is set to true`
fix: rename config -> env and handle env interface better 2022-01-20 11:22:37 +00:00			`if storeData.StringEnv[constants.EnvKeySmtpHost] == "" \|\| storeData.StringEnv[constants.EnvKeySmtpUsername] == "" \|\| storeData.StringEnv[constants.EnvKeySmtpPassword] == "" \|\| storeData.StringEnv[constants.EnvKeySenderEmail] == "" && storeData.StringEnv[constants.EnvKeySmtpPort] == "" {`
			`if !storeData.BoolEnv[constants.EnvKeyDisableEmailVerification] {`
			`storeData.BoolEnv[constants.EnvKeyDisableEmailVerification] = true`
feat: persist encrypted env 2021-12-31 08:22:10 +00:00			`hasChanged = true`
			`}`

fix: rename config -> env and handle env interface better 2022-01-20 11:22:37 +00:00			`if !storeData.BoolEnv[constants.EnvKeyDisableMagicLinkLogin] {`
			`storeData.BoolEnv[constants.EnvKeyDisableMagicLinkLogin] = true`
feat: persist encrypted env 2021-12-31 08:22:10 +00:00			`hasChanged = true`
			`}`
			`}`
fix: tests 2022-02-28 02:25:01 +00:00			`envstore.EnvStoreObj.UpdateEnvStore(storeData)`
fix: update_env resolver 2022-02-26 15:06:22 +00:00			`jwk, err := crypto.GenerateJWKBasedOnEnv()`
			`if err != nil {`
			`return err`
			`}`
			`// updating jwk`
fix: tests 2022-02-28 02:25:01 +00:00			`envstore.EnvStoreObj.UpdateEnvVariable(constants.StringStoreIdentifier, constants.EnvKeyJWK, jwk)`
fix: segregate env setup 2022-02-26 04:14:55 +00:00
feat: persist encrypted env 2021-12-31 08:22:10 +00:00			`if hasChanged {`
feat: add session token 2022-02-28 15:56:49 +00:00			`encryptedConfig, err := crypto.EncryptEnvData(storeData)`
feat: add _update_config mutation 2021-12-31 11:33:37 +00:00			`if err != nil {`
			`return err`
			`}`
feat: persist encrypted env 2021-12-31 08:22:10 +00:00
fix: rename config -> env and handle env interface better 2022-01-20 11:22:37 +00:00			`env.EnvData = encryptedConfig`
fix: update to use db.Provider 2022-01-21 08:04:04 +00:00			`_, err = db.Provider.UpdateEnv(env)`
feat: add _update_config mutation 2021-12-31 11:33:37 +00:00			`if err != nil {`
			`log.Println("error updating config:", err)`
			`return err`
			`}`
feat: persist encrypted env 2021-12-31 08:22:10 +00:00			`}`
			`}`

			`return nil`
			`}`