From eb5a51a35c1dddd2b6a58d346d467c41515b3abe Mon Sep 17 00:00:00 2001
From: Eldad Fux
Date: Sat, 12 Sep 2020 14:03:18 +0300
Subject: [PATCH] Leveraged built-in encryption filter

---
 app/config/collections.php | 3 +
 app/controllers/api/projects.php | 109 -------------------------------
 2 files changed, 3 insertions(+), 109 deletions(-)

diff --git a/app/config/collections.php b/app/config/collections.php
index 5720b66d4f..249f75f016 100644
--- a/app/config/collections.php
+++ b/app/config/collections.php
@@ -656,6 +656,7 @@ $collections = [
 'default' => '',
 'required' => false,
 'array' => false,
+ 'filter' => ['encrypt'],
 ],
 ],
 ],
@@ -826,6 +827,7 @@ $collections = [
 'default' => '',
 'required' => false,
 'array' => false,
+ 'filter' => ['encrypt'],
 ],
 [
 '$collection' => Database::SYSTEM_COLLECTION_RULES,
@@ -1468,6 +1470,7 @@ foreach ($providers as $index => $provider) {
 'default' => '',
 'required' => false,
 'array' => false,
+ 'filter' => ['encrypt'],
 ];
 
 $collections[Database::SYSTEM_COLLECTION_USERS]['rules'][] = [
diff --git a/app/controllers/api/projects.php b/app/controllers/api/projects.php
index d3bc60849f..3f62a66c6a 100644
--- a/app/controllers/api/projects.php
+++ b/app/controllers/api/projects.php
@@ -16,7 +16,6 @@ use Appwrite\Task\Validator\Cron;
 use Appwrite\Database\Database;
 use Appwrite\Database\Document;
 use Appwrite\Database\Validator\UID;
-use Appwrite\OpenSSL\OpenSSL;
 use Appwrite\Network\Validator\CNAME;
 use Appwrite\Network\Validator\Domain as DomainValidator;
 use Cron\CronExpression;
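Review bot: The three rules gaining `'filter' => ['encrypt']` (this hunk and the two at 826 and 1468) are identified in the hunk only by their `default`/`required`/`array` keys, so nothing in the config records which stored values are now expected to be ciphertext or how they relate to the controller code removed in projects.php. Rows written before this change hold the JSON envelope the removed controller code produced (`data`, `method`, `iv`, `tag`, `version`, keyed by `_APP_OPENSSL_KEY_V<version>`); unless the built-in filter reads that envelope, or existing rows are re-encrypted on upgrade, decoding them will yield garbage rather than the secret, and the rule's `''` default is a value the filter must also pass through untouched. I would put a comment on each added line such as `// stored encrypted at rest; decode must accept the legacy {data,method,iv,tag,version} envelope written before the filter existed` and, if the filter carries no key version, record that key rotation is now the filter's responsibility rather than per document.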
@@ -111,16 +110,6 @@ App::get('/v1/projects') '$collection='.Database::SYSTEM_COLLECTION_PROJECTS, ], ]); - foreach ($results as $project) { - foreach (Config::getParam('providers') as $provider => $node) { - $secret = \json_decode($project->getAttribute('usersOauth2'.\ucfirst($provider).'Secret', '{}'), true); - - if (!empty($secret) && isset($secret['version'])) { - $key = App::getEnv('_APP_OPENSSL_KEY_V'.$secret['version']); - $project->setAttribute('usersOauth2'.\ucfirst($provider).'Secret', OpenSSL::decrypt($secret['data'], $secret['method'], $key, 0, \hex2bin($secret['iv']), \hex2bin($secret['tag']))); - } - } - } $response->json(['sum' => $consoleDB->getSum(), 'projects' => $results]); }, ['response', 'consoleDB']); @@ -142,15 +131,6 @@ App::get('/v1/projects/:projectId') throw new Exception('Project not found', 404); } - foreach (Config::getParam('providers') as $provider => $node) { - $secret = \json_decode($project->getAttribute('usersOauth2'.\ucfirst($provider).'Secret', '{}'), true); - - if (!empty($secret) && isset($secret['version'])) { - $key = App::getEnv('_APP_OPENSSL_KEY_V'.$secret['version']); - $project->setAttribute('usersOauth2'.\ucfirst($provider).'Secret', OpenSSL::decrypt($secret['data'], $secret['method'], $key, 0, \hex2bin($secret['iv']), \hex2bin($secret['tag']))); - } - } - $response->json($project->getArrayCopy()); }, ['response', 'consoleDB']); 
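Review bot: The removed read-side code in both hunks here (and in the GET webhook/task hunks at 553, 592, 960 and 999) only decrypted when `json_decode` produced a non-empty array with a `version` key, leaving the `''` default and any value that was never encrypted untouched; the new code passes `$results` and `$project` straight to `$response->json`, so that tolerance now has to live in the filter's decode path. If the filter throws or returns an empty string for a value it cannot decode, the list endpoint would start failing for every project holding a pre-filter row, which the removed per-version lookup `App::getEnv('_APP_OPENSSL_KEY_V'.$secret['version'])` had handled. A short comment before `$response->json(['sum' => ...])` would make the dependency visible: `// provider secrets are decrypted on read by the collection rule's 'encrypt' filter (app/config/collections.php)`. It is also worth confirming that the filter is applied to documents returned by this list query and not only to single-document reads, since the hunk shows no per-result handling.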
@@ -395,17 +375,6 @@ App::patch('/v1/projects/:projectId/oauth2') throw new Exception('Project not found', 404); } - $key = App::getEnv('_APP_OPENSSL_KEY_V1'); - $iv = OpenSSL::randomPseudoBytes(OpenSSL::cipherIVLength(OpenSSL::CIPHER_AES_128_GCM)); - $tag = null; - $secret = \json_encode([ - 'data' => OpenSSL::encrypt($secret, OpenSSL::CIPHER_AES_128_GCM, $key, 0, $iv, $tag), - 'method' => OpenSSL::CIPHER_AES_128_GCM, - 'iv' => \bin2hex($iv), - 'tag' => \bin2hex($tag), - 'version' => '1', - ]); - $project = $consoleDB->updateDocument(\array_merge($project->getArrayCopy(), [ 'usersOauth2'.\ucfirst($provider).'Appid' => $appId, 'usersOauth2'.\ucfirst($provider).'Secret' => $secret, @@ -491,16 +460,6 @@ App::post('/v1/projects/:projectId/webhooks') } $security = ($security === '1' || $security === 'true' || $security === 1 || $security === true); - $key = App::getEnv('_APP_OPENSSL_KEY_V1'); - $iv = OpenSSL::randomPseudoBytes(OpenSSL::cipherIVLength(OpenSSL::CIPHER_AES_128_GCM)); - $tag = null; - $httpPass = \json_encode([ - 'data' => OpenSSL::encrypt($httpPass, OpenSSL::CIPHER_AES_128_GCM, $key, 0, $iv, $tag), - 'method' => OpenSSL::CIPHER_AES_128_GCM, - 'iv' => \bin2hex($iv), - 'tag' => \bin2hex($tag), - 'version' => '1', - ]); $webhook = $consoleDB->createDocument([ '$collection' => Database::SYSTEM_COLLECTION_WEBHOOKS, @@ -553,18 +512,6 @@ App::get('/v1/projects/:projectId/webhooks') $webhooks = $project->getAttribute('webhooks', []); - foreach ($webhooks as $webhook) { /* @var $webhook Document */ - $httpPass = \json_decode($webhook->getAttribute('httpPass', '{}'), true); - - if (empty($httpPass) || !isset($httpPass['version'])) { - continue; - } - - $key = App::getEnv('_APP_OPENSSL_KEY_V'.$httpPass['version']); - - $webhook->setAttribute('httpPass', OpenSSL::decrypt($httpPass['data'], $httpPass['method'], $key, 0, \hex2bin($httpPass['iv']), \hex2bin($httpPass['tag']))); - } - $response->json($webhooks); }, ['response', 'consoleDB']); 
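Review bot: In the first hunk here `$secret` (and `$httpPass` in the webhook and task write hunks at 491, 627, 886 and 1046) is now handed to `updateDocument`/`createDocument` as plaintext, so whether it is encrypted at rest depends entirely on the rule keyed `'usersOauth2'.\ucfirst($provider).'Secret'` carrying the `encrypt` filter in collections.php; a provider or attribute added later without that filter would be stored in the clear with no signal in this controller. The removed block also pinned `_APP_OPENSSL_KEY_V1` and wrote a per-document `version`, so key rotation was explicit at the write site; that property is now only as good as the filter's own versioning, which the diff does not show. I would note the dependency where the value is written, `'usersOauth2'.\ucfirst($provider).'Secret' => $secret, // encrypted at rest by the 'encrypt' filter on this rule (app/config/collections.php)`, and add a test that reads the raw stored document and asserts the field does not equal the submitted secret. The enclosing route closure starts outside the hunk.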
@@ -592,13 +539,6 @@ App::get('/v1/projects/:projectId/webhooks/:webhookId') throw new Exception('Webhook not found', 404); } - $httpPass = \json_decode($webhook->getAttribute('httpPass', '{}'), true); - - if (!empty($httpPass) && isset($httpPass['version'])) { - $key = App::getEnv('_APP_OPENSSL_KEY_V'.$httpPass['version']); - $webhook->setAttribute('httpPass', OpenSSL::decrypt($httpPass['data'], $httpPass['method'], $key, 0, \hex2bin($httpPass['iv']), \hex2bin($httpPass['tag']))); - } - $response->json($webhook->getArrayCopy()); }, ['response', 'consoleDB']); @@ -627,16 +567,6 @@ App::put('/v1/projects/:projectId/webhooks/:webhookId') } $security = ($security === '1' || $security === 'true' || $security === 1 || $security === true); - $key = App::getEnv('_APP_OPENSSL_KEY_V1'); - $iv = OpenSSL::randomPseudoBytes(OpenSSL::cipherIVLength(OpenSSL::CIPHER_AES_128_GCM)); - $tag = null; - $httpPass = \json_encode([ - 'data' => OpenSSL::encrypt($httpPass, OpenSSL::CIPHER_AES_128_GCM, $key, 0, $iv, $tag), - 'method' => OpenSSL::CIPHER_AES_128_GCM, - 'iv' => \bin2hex($iv), - 'tag' => \bin2hex($tag), - 'version' => '1', - ]); $webhook = $project->search('$id', $webhookId, $project->getAttribute('webhooks', [])); @@ -886,16 +816,6 @@ App::post('/v1/projects/:projectId/tasks') $next = ($status == 'play') ? $cron->getNextRunDate()->format('U') : null; $security = ($security === '1' || $security === 'true' || $security === 1 || $security === true); - $key = App::getEnv('_APP_OPENSSL_KEY_V1'); - $iv = OpenSSL::randomPseudoBytes(OpenSSL::cipherIVLength(OpenSSL::CIPHER_AES_128_GCM)); - $tag = null; - $httpPass = \json_encode([ - 'data' => OpenSSL::encrypt($httpPass, OpenSSL::CIPHER_AES_128_GCM, $key, 0, $iv, $tag), - 'method' => OpenSSL::CIPHER_AES_128_GCM, - 'iv' => \bin2hex($iv), - 'tag' => \bin2hex($tag), - 'version' => '1', - ]); $task = $consoleDB->createDocument([ '$collection' => Database::SYSTEM_COLLECTION_TASKS, 
@@ -960,18 +880,6 @@ App::get('/v1/projects/:projectId/tasks') $tasks = $project->getAttribute('tasks', []); - foreach ($tasks as $task) { /* @var $task Document */ - $httpPass = \json_decode($task->getAttribute('httpPass', '{}'), true); - - if (empty($httpPass) || !isset($httpPass['version'])) { - continue; - } - - $key = App::getEnv('_APP_OPENSSL_KEY_V'.$httpPass['version']); - - $task->setAttribute('httpPass', OpenSSL::decrypt($httpPass['data'], $httpPass['method'], $key, 0, \hex2bin($httpPass['iv']), \hex2bin($httpPass['tag']))); - } - $response->json($tasks); }, ['response', 'consoleDB']); @@ -999,13 +907,6 @@ App::get('/v1/projects/:projectId/tasks/:taskId') throw new Exception('Task not found', 404); } - $httpPass = \json_decode($task->getAttribute('httpPass', '{}'), true); - - if (!empty($httpPass) && isset($httpPass['version'])) { - $key = App::getEnv('_APP_OPENSSL_KEY_V'.$httpPass['version']); - $task->setAttribute('httpPass', OpenSSL::decrypt($httpPass['data'], $httpPass['method'], $key, 0, \hex2bin($httpPass['iv']), \hex2bin($httpPass['tag']))); - } - $response->json($task->getArrayCopy()); }, ['response', 'consoleDB']); @@ -1046,16 +947,6 @@ App::put('/v1/projects/:projectId/tasks/:taskId') $next = ($status == 'play') ? $cron->getNextRunDate()->format('U') : null; $security = ($security === '1' || $security === 'true' || $security === 1 || $security === true); - $key = App::getEnv('_APP_OPENSSL_KEY_V1'); - $iv = OpenSSL::randomPseudoBytes(OpenSSL::cipherIVLength(OpenSSL::CIPHER_AES_128_GCM)); - $tag = null; - $httpPass = \json_encode([ - 'data' => OpenSSL::encrypt($httpPass, OpenSSL::CIPHER_AES_128_GCM, $key, 0, $iv, $tag), - 'method' => OpenSSL::CIPHER_AES_128_GCM, - 'iv' => \bin2hex($iv), - 'tag' => \bin2hex($tag), - 'version' => '1', - ]); $task ->setAttribute('name', $name)