mirror of
https://github.com/lordmathis/lemma.git
synced 2025-11-05 15:44:21 +00:00
Refactor encryption key handling: auto-generate if not provided, update README and tests
This commit is contained in:
13
README.md
13
README.md
@@ -28,7 +28,6 @@ Lemma can be configured using environment variables. Here are the available conf
|
|||||||
|
|
||||||
- `LEMMA_ADMIN_EMAIL`: Email address for the admin account
|
- `LEMMA_ADMIN_EMAIL`: Email address for the admin account
|
||||||
- `LEMMA_ADMIN_PASSWORD`: Password for the admin account
|
- `LEMMA_ADMIN_PASSWORD`: Password for the admin account
|
||||||
- `LEMMA_ENCRYPTION_KEY`: Base64-encoded 32-byte key used for encrypting sensitive data
|
|
||||||
|
|
||||||
### Optional Environment Variables
|
### Optional Environment Variables
|
||||||
|
|
||||||
@@ -39,21 +38,17 @@ Lemma can be configured using environment variables. Here are the available conf
|
|||||||
- `LEMMA_PORT`: Port to run the server on (default: "8080")
|
- `LEMMA_PORT`: Port to run the server on (default: "8080")
|
||||||
- `LEMMA_DOMAIN`: Domain name where the application is hosted for cookie authentication
|
- `LEMMA_DOMAIN`: Domain name where the application is hosted for cookie authentication
|
||||||
- `LEMMA_CORS_ORIGINS`: Comma-separated list of allowed CORS origins
|
- `LEMMA_CORS_ORIGINS`: Comma-separated list of allowed CORS origins
|
||||||
|
- `LEMMA_ENCRYPTION_KEY`: Base64-encoded 32-byte key used for encrypting sensitive data. If not provided, a key will be automatically generated and stored in `{LEMMA_WORKDIR}/secrets/encryption_key`
|
||||||
- `LEMMA_JWT_SIGNING_KEY`: Key used for signing JWT tokens. If not provided, a key will be automatically generated and stored in `{LEMMA_WORKDIR}/secrets/jwt_signing_key`
|
- `LEMMA_JWT_SIGNING_KEY`: Key used for signing JWT tokens. If not provided, a key will be automatically generated and stored in `{LEMMA_WORKDIR}/secrets/jwt_signing_key`
|
||||||
- `LEMMA_LOG_LEVEL`: Logging level (defaults to DEBUG in development mode, INFO in production)
|
- `LEMMA_LOG_LEVEL`: Logging level (defaults to DEBUG in development mode, INFO in production)
|
||||||
- `LEMMA_RATE_LIMIT_REQUESTS`: Number of allowed requests per window (default: 100)
|
- `LEMMA_RATE_LIMIT_REQUESTS`: Number of allowed requests per window (default: 100)
|
||||||
- `LEMMA_RATE_LIMIT_WINDOW`: Duration of the rate limit window (default: 15m)
|
- `LEMMA_RATE_LIMIT_WINDOW`: Duration of the rate limit window (default: 15m)
|
||||||
|
|
||||||
### Generating Encryption Keys
|
### Security Keys
|
||||||
|
|
||||||
The encryption key must be a base64-encoded 32-byte value. You can generate a secure encryption key using OpenSSL:
|
Both the encryption key and JWT signing key are automatically generated on first startup if not provided via environment variables. The keys are stored in `{LEMMA_WORKDIR}/secrets/` with restrictive file permissions (0600).
|
||||||
|
|
||||||
```bash
|
**Important**: Back up the `secrets` directory! If these keys are lost, encrypted data will become inaccessible and all users will need to re-authenticate.
|
||||||
# Generate a random 32-byte key and encode it as base64
|
|
||||||
openssl rand -base64 32
|
|
||||||
```
|
|
||||||
|
|
||||||
Store the generated key securely - it will be needed to decrypt any data encrypted by the application. If the key is lost or changed, previously encrypted data will become inaccessible.
|
|
||||||
|
|
||||||
## Running the backend server
|
## Running the backend server
|
||||||
|
|
||||||
|
|||||||
@@ -51,10 +51,12 @@ func (c *Config) validate() error {
|
|||||||
return fmt.Errorf("LEMMA_ADMIN_EMAIL and LEMMA_ADMIN_PASSWORD must be set")
|
return fmt.Errorf("LEMMA_ADMIN_EMAIL and LEMMA_ADMIN_PASSWORD must be set")
|
||||||
}
|
}
|
||||||
|
|
||||||
// Validate encryption key
|
// Validate encryption key if provided (if not provided, it will be auto-generated)
|
||||||
|
if c.EncryptionKey != "" {
|
||||||
if err := secrets.ValidateKey(c.EncryptionKey); err != nil {
|
if err := secrets.ValidateKey(c.EncryptionKey); err != nil {
|
||||||
return fmt.Errorf("invalid LEMMA_ENCRYPTION_KEY: %w", err)
|
return fmt.Errorf("invalid LEMMA_ENCRYPTION_KEY: %w", err)
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -179,15 +179,6 @@ func TestLoad(t *testing.T) {
|
|||||||
},
|
},
|
||||||
expectedError: "LEMMA_ADMIN_EMAIL and LEMMA_ADMIN_PASSWORD must be set",
|
expectedError: "LEMMA_ADMIN_EMAIL and LEMMA_ADMIN_PASSWORD must be set",
|
||||||
},
|
},
|
||||||
{
|
|
||||||
name: "missing encryption key",
|
|
||||||
setupEnv: func(t *testing.T) {
|
|
||||||
cleanup()
|
|
||||||
setEnv(t, "LEMMA_ADMIN_EMAIL", "admin@example.com")
|
|
||||||
setEnv(t, "LEMMA_ADMIN_PASSWORD", "password123")
|
|
||||||
},
|
|
||||||
expectedError: "invalid LEMMA_ENCRYPTION_KEY: encryption key is required",
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
name: "invalid encryption key",
|
name: "invalid encryption key",
|
||||||
setupEnv: func(t *testing.T) {
|
setupEnv: func(t *testing.T) {
|
||||||
|
|||||||
@@ -19,7 +19,22 @@ import (
|
|||||||
// initSecretsService initializes the secrets service
|
// initSecretsService initializes the secrets service
|
||||||
func initSecretsService(cfg *Config) (secrets.Service, error) {
|
func initSecretsService(cfg *Config) (secrets.Service, error) {
|
||||||
logging.Debug("initializing secrets service")
|
logging.Debug("initializing secrets service")
|
||||||
secretsService, err := secrets.NewService(cfg.EncryptionKey)
|
|
||||||
|
// Get or generate encryption key
|
||||||
|
encryptionKey := cfg.EncryptionKey
|
||||||
|
if encryptionKey == "" {
|
||||||
|
logging.Debug("no encryption key provided, loading/generating from file")
|
||||||
|
|
||||||
|
// Load or generate key from file
|
||||||
|
secretsDir := cfg.WorkDir + "/secrets"
|
||||||
|
var err error
|
||||||
|
encryptionKey, err = secrets.EnsureEncryptionKey(secretsDir)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("failed to ensure encryption key: %w", err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
secretsService, err := secrets.NewService(encryptionKey)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("failed to initialize secrets service: %w", err)
|
return nil, fmt.Errorf("failed to initialize secrets service: %w", err)
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -9,12 +9,14 @@ import (
|
|||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
// JWTKeyBytes is the size of the JWT signing key in bytes (256 bits)
|
// KeyBytes is the size of keys in bytes (256 bits)
|
||||||
JWTKeyBytes = 32
|
KeyBytes = 32
|
||||||
// JWTKeyFile is the filename for the JWT signing key
|
// JWTKeyFile is the filename for the JWT signing key
|
||||||
JWTKeyFile = "jwt_signing_key"
|
JWTKeyFile = "jwt_signing_key"
|
||||||
// JWTKeyPerm is the file permission for the JWT signing key (owner read/write only)
|
// EncryptionKeyFile is the filename for the encryption key
|
||||||
JWTKeyPerm = 0600
|
EncryptionKeyFile = "encryption_key"
|
||||||
|
// KeyPerm is the file permission for secret keys (owner read/write only)
|
||||||
|
KeyPerm = 0600
|
||||||
)
|
)
|
||||||
|
|
||||||
// EnsureJWTSigningKey ensures a JWT signing key exists in the secrets directory.
|
// EnsureJWTSigningKey ensures a JWT signing key exists in the secrets directory.
|
||||||
@@ -55,12 +57,12 @@ func EnsureJWTSigningKey(secretsDir string) (string, error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Write the key to the file with restrictive permissions
|
// Write the key to the file with restrictive permissions
|
||||||
if err := os.WriteFile(keyPath, []byte(key), JWTKeyPerm); err != nil {
|
if err := os.WriteFile(keyPath, []byte(key), KeyPerm); err != nil {
|
||||||
return "", fmt.Errorf("failed to write JWT signing key: %w", err)
|
return "", fmt.Errorf("failed to write JWT signing key: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Double-check permissions (some systems might ignore mode in WriteFile)
|
// Double-check permissions (some systems might ignore mode in WriteFile)
|
||||||
if err := os.Chmod(keyPath, JWTKeyPerm); err != nil {
|
if err := os.Chmod(keyPath, KeyPerm); err != nil {
|
||||||
return "", fmt.Errorf("failed to set JWT signing key permissions: %w", err)
|
return "", fmt.Errorf("failed to set JWT signing key permissions: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -70,7 +72,70 @@ func EnsureJWTSigningKey(secretsDir string) (string, error) {
|
|||||||
|
|
||||||
// generateJWTSigningKey generates a cryptographically secure random signing key
|
// generateJWTSigningKey generates a cryptographically secure random signing key
|
||||||
func generateJWTSigningKey() (string, error) {
|
func generateJWTSigningKey() (string, error) {
|
||||||
keyBytes := make([]byte, JWTKeyBytes)
|
keyBytes := make([]byte, KeyBytes)
|
||||||
|
if _, err := rand.Read(keyBytes); err != nil {
|
||||||
|
return "", fmt.Errorf("failed to generate random bytes: %w", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Encode to base64 for easy storage and handling
|
||||||
|
key := base64.StdEncoding.EncodeToString(keyBytes)
|
||||||
|
return key, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// EnsureEncryptionKey ensures an encryption key exists in the secrets directory.
|
||||||
|
// If no key exists, it generates and stores a new one with restrictive permissions.
|
||||||
|
// Returns the base64-encoded encryption key.
|
||||||
|
func EnsureEncryptionKey(secretsDir string) (string, error) {
|
||||||
|
log := getLogger()
|
||||||
|
|
||||||
|
// Ensure the secrets directory exists with restrictive permissions
|
||||||
|
if err := os.MkdirAll(secretsDir, 0700); err != nil {
|
||||||
|
return "", fmt.Errorf("failed to create secrets directory: %w", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
keyPath := filepath.Join(secretsDir, EncryptionKeyFile)
|
||||||
|
|
||||||
|
// Check if the key file already exists
|
||||||
|
if _, err := os.Stat(keyPath); err == nil {
|
||||||
|
// Key file exists, read it
|
||||||
|
keyBytes, err := os.ReadFile(keyPath)
|
||||||
|
if err != nil {
|
||||||
|
return "", fmt.Errorf("failed to read encryption key: %w", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
key := string(keyBytes)
|
||||||
|
if key == "" {
|
||||||
|
return "", fmt.Errorf("encryption key file is empty")
|
||||||
|
}
|
||||||
|
|
||||||
|
log.Debug("loaded existing encryption key from file")
|
||||||
|
return key, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Key file doesn't exist, generate a new key
|
||||||
|
log.Info("generating new encryption key")
|
||||||
|
key, err := generateEncryptionKey()
|
||||||
|
if err != nil {
|
||||||
|
return "", fmt.Errorf("failed to generate encryption key: %w", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Write the key to the file with restrictive permissions
|
||||||
|
if err := os.WriteFile(keyPath, []byte(key), KeyPerm); err != nil {
|
||||||
|
return "", fmt.Errorf("failed to write encryption key: %w", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Double-check permissions (some systems might ignore mode in WriteFile)
|
||||||
|
if err := os.Chmod(keyPath, KeyPerm); err != nil {
|
||||||
|
return "", fmt.Errorf("failed to set encryption key permissions: %w", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
log.Info("encryption key generated and stored", "path", keyPath)
|
||||||
|
return key, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// generateEncryptionKey generates a cryptographically secure random encryption key
|
||||||
|
func generateEncryptionKey() (string, error) {
|
||||||
|
keyBytes := make([]byte, KeyBytes)
|
||||||
if _, err := rand.Read(keyBytes); err != nil {
|
if _, err := rand.Read(keyBytes); err != nil {
|
||||||
return "", fmt.Errorf("failed to generate random bytes: %w", err)
|
return "", fmt.Errorf("failed to generate random bytes: %w", err)
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -34,8 +34,8 @@ func TestEnsureJWTSigningKey(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
perm := info.Mode().Perm()
|
perm := info.Mode().Perm()
|
||||||
if perm != JWTKeyPerm {
|
if perm != KeyPerm {
|
||||||
t.Errorf("expected permissions %o, got %o", JWTKeyPerm, perm)
|
t.Errorf("expected permissions %o, got %o", KeyPerm, perm)
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
|
||||||
@@ -65,7 +65,7 @@ func TestEnsureJWTSigningKey(t *testing.T) {
|
|||||||
if err := os.MkdirAll(emptyDir, 0700); err != nil {
|
if err := os.MkdirAll(emptyDir, 0700); err != nil {
|
||||||
t.Fatalf("failed to create directory: %v", err)
|
t.Fatalf("failed to create directory: %v", err)
|
||||||
}
|
}
|
||||||
if err := os.WriteFile(keyPath, []byte(""), JWTKeyPerm); err != nil {
|
if err := os.WriteFile(keyPath, []byte(""), KeyPerm); err != nil {
|
||||||
t.Fatalf("failed to write empty file: %v", err)
|
t.Fatalf("failed to write empty file: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -76,6 +76,76 @@ func TestEnsureJWTSigningKey(t *testing.T) {
|
|||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestEnsureEncryptionKey(t *testing.T) {
|
||||||
|
// Create a temporary directory for testing
|
||||||
|
tempDir := t.TempDir()
|
||||||
|
secretsDir := filepath.Join(tempDir, "secrets")
|
||||||
|
|
||||||
|
t.Run("generates new key if not exists", func(t *testing.T) {
|
||||||
|
key, err := EnsureEncryptionKey(secretsDir)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("expected no error, got %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if key == "" {
|
||||||
|
t.Fatal("expected non-empty key")
|
||||||
|
}
|
||||||
|
|
||||||
|
// Check that the key file was created
|
||||||
|
keyPath := filepath.Join(secretsDir, EncryptionKeyFile)
|
||||||
|
if _, err := os.Stat(keyPath); os.IsNotExist(err) {
|
||||||
|
t.Fatal("expected key file to exist")
|
||||||
|
}
|
||||||
|
|
||||||
|
// Check file permissions
|
||||||
|
info, err := os.Stat(keyPath)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("failed to stat key file: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
perm := info.Mode().Perm()
|
||||||
|
if perm != KeyPerm {
|
||||||
|
t.Errorf("expected permissions %o, got %o", KeyPerm, perm)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
|
||||||
|
t.Run("loads existing key", func(t *testing.T) {
|
||||||
|
// First call to generate the key
|
||||||
|
key1, err := EnsureEncryptionKey(secretsDir)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("expected no error, got %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Second call should load the same key
|
||||||
|
key2, err := EnsureEncryptionKey(secretsDir)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("expected no error, got %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if key1 != key2 {
|
||||||
|
t.Error("expected same key on subsequent calls")
|
||||||
|
}
|
||||||
|
})
|
||||||
|
|
||||||
|
t.Run("fails if key file is empty", func(t *testing.T) {
|
||||||
|
emptyDir := filepath.Join(tempDir, "empty_encryption_test")
|
||||||
|
keyPath := filepath.Join(emptyDir, EncryptionKeyFile)
|
||||||
|
|
||||||
|
// Create empty key file
|
||||||
|
if err := os.MkdirAll(emptyDir, 0700); err != nil {
|
||||||
|
t.Fatalf("failed to create directory: %v", err)
|
||||||
|
}
|
||||||
|
if err := os.WriteFile(keyPath, []byte(""), KeyPerm); err != nil {
|
||||||
|
t.Fatalf("failed to write empty file: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
_, err := EnsureEncryptionKey(emptyDir)
|
||||||
|
if err == nil {
|
||||||
|
t.Error("expected error for empty key file")
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
func TestGenerateJWTSigningKey(t *testing.T) {
|
func TestGenerateJWTSigningKey(t *testing.T) {
|
||||||
key, err := generateJWTSigningKey()
|
key, err := generateJWTSigningKey()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|||||||
Reference in New Issue
Block a user