From 3628b4625c8887df4cc2d7eab420200f1f0b65a8 Mon Sep 17 00:00:00 2001
From: Daniel Supernault
Date: Thu, 14 Mar 2024 05:49:02 -0600
Subject: [PATCH] Update ConfigCacheService, encrypt keys at rest
---
 .../Admin/AdminSettingsController.php | 4 +-
 app/Services/ConfigCacheService.php | 37 +++++++++++++++++--
 2 files changed, 35 insertions(+), 6 deletions(-)
diff --git a/app/Http/Controllers/Admin/AdminSettingsController.php b/app/Http/Controllers/Admin/AdminSettingsController.php
index 8f29765ee..f889f2be6 100644
--- a/app/Http/Controllers/Admin/AdminSettingsController.php
+++ b/app/Http/Controllers/Admin/AdminSettingsController.php
@@ -685,10 +685,10 @@ trait AdminSettingsController
 if($captcha) {
 $secret = $request->input('captcha_secret');
 $sitekey = $request->input('captcha_sitekey');
- if(config_cache('captcha.secret') !== $secret && strpos('*', $secret) === false) {
+ if(config_cache('captcha.secret') != $secret && strpos($secret, '*') === false) {
 ConfigCacheService::put('captcha.secret', $secret);
 }
- if(config_cache('captcha.sitekey') !== $sitekey && strpos('*', $sitekey) === false) {
+ if(config_cache('captcha.sitekey') != $sitekey && strpos($sitekey, '*') === false) {
 ConfigCacheService::put('captcha.sitekey', $sitekey);
 }
 ConfigCacheService::put('captcha.active.login', $request->boolean('captcha_on_login'));
diff --git a/app/Services/ConfigCacheService.php b/app/Services/ConfigCacheService.php
index 4abea8b28..626982781 100644
--- a/app/Services/ConfigCacheService.php
+++ b/app/Services/ConfigCacheService.php
@@ -8,6 +8,14 @@ use Cache;
 class ConfigCacheService
 {
 const CACHE_KEY = 'config_cache:_v0-key:';
+ const PROTECTED_KEYS = [
+ 'filesystems.disks.s3.key',
+ 'filesystems.disks.s3.secret',
+ 'filesystems.disks.spaces.key',
+ 'filesystems.disks.spaces.secret',
+ 'captcha.secret',
+ 'captcha.sitekey',
+ ];
 public static function get($key)
 {
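Review bot: The switch from `!==` to `!=` in the captcha block of AdminSettingsController.php makes the "has the value changed" test a loose comparison, and PHP treats numeric-looking strings as equal under `!=` (`'1e3' == '1000'`), so a changed secret or site key of that shape would silently not be saved. If the reason for loosening it was a null-versus-string mismatch, compare as strings instead: `if((string) config_cache('captcha.secret') !== (string) $secret && strpos((string) $secret, '*') === false) {`, and the same for `captcha.sitekey`. The `*` test also means any value containing an asterisk is dropped without feedback, presumably because the form shows a masked value; a one-line comment saying so would help. The enclosing method starts and ends outside the hunk.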
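Review bot: `PROTECTED_KEYS` in ConfigCacheService.php is added without a comment saying what membership implies, although the get() and put() changes in this patch turn every listed key's stored value into ciphertext. I would add above the constant: `// Keys whose ConfigCacheModel value is stored with encrypt(); a key added here needs its existing row re-encrypted, because get() calls decrypt() on it.` The class body continues outside the hunk.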
@@ -135,20 +143,34 @@ class ConfigCacheService
 return config($key);
 }
+ $protect = false;
+ $protected = null;
+ if(in_array($key, self::PROTECTED_KEYS)) {
+ $protect = true;
+ }
+
 $v = config($key);
 $c = ConfigCacheModel::where('k', $key)->first();
 if ($c) {
- return $c->v ?? config($key);
+ if($protect) {
+ return decrypt($c->v) ?? config($key);
+ } else {
+ return $c->v ?? config($key);
+ }
 }
 if (! $v) {
 return;
 }
+ if($protect && $v) {
+ $protected = encrypt($v);
+ }
+
 $cc = new ConfigCacheModel;
 $cc->k = $key;
- $cc->v = $v;
+ $cc->v = $protect ? $protected : $v;
 $cc->save();
 return $v;
@@ -159,8 +181,15 @@ class ConfigCacheService
 {
 $exists = ConfigCacheModel::whereK($key)->first();
+ $protect = false;
+ $protected = null;
+ if(in_array($key, self::PROTECTED_KEYS)) {
+ $protect = true;
+ $protected = encrypt($val);
+ }
+
 if ($exists) {
- $exists->v = $val;
+ $exists->v = $protect ? $protected : $val;
 $exists->save();
 Cache::put(self::CACHE_KEY.$key, $val, now()->addHours(12));
@@ -169,7 +198,7 @@ class ConfigCacheService
 $cc = new ConfigCacheModel;
 $cc->k = $key;
- $cc->v = $val;
+ $cc->v = $protect ? $protected : $val;
 $cc->save();
 Cache::put(self::CACHE_KEY.$key, $val, now()->addHours(12));
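Review bot: `return decrypt($c->v) ?? config($key);` in get() cannot fall back the way the plaintext branch does, because Laravel's `decrypt()` throws `DecryptException` on a payload it cannot decrypt rather than returning null. A row for a protected key that was saved in plaintext before this change, or encrypted under a different `APP_KEY`, would therefore raise on every read; no migration of existing rows is visible in this patch. A null `$c->v` also reaches `decrypt()` instead of falling through to `config($key)`. I would guard the null case and catch the exception, as below, and re-encrypt existing rows in a migration. get() starts and ends outside the hunk.

```php
if ($c) {
    if ($protect && $c->v !== null) {
        try {
            return decrypt($c->v);
        } catch (\Illuminate\Contracts\Encryption\DecryptException $e) {
            // Plaintext row from before this change, or ciphertext from another APP_KEY.
            report($e);

            return config($key);
        }
    }

    return $c->v ?? config($key);
}
// … unchanged: first-read seeding of ConfigCacheModel …
```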
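Review bot: Both `Cache::put(self::CACHE_KEY.$key, $val, now()->addHours(12));` calls in put() (this hunk and the following one) still write the plaintext `$val` for protected keys, so the secret stays unencrypted in the cache store for 12 hours while only the ConfigCacheModel row is encrypted. If the cache backend counts as "at rest" for this change, either skip caching protected keys or store `$protect ? $protected : $val` and decrypt on read; the code that reads this cache entry is outside these hunks, so that side needs checking too. `encrypt($val)` also runs when `$val` is null, which stores a ciphertext of null rather than an empty setting. Separately, `in_array($key, self::PROTECTED_KEYS)` should pass `true` as its third argument, here and in get().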