Update ConfigCacheService, encrypt keys at rest

This commit is contained in:
Daniel Supernault 2024-03-14 05:49:02 -06:00
parent 674e560f04
commit 3628b4625c
No known key found for this signature in database
GPG key ID: 23740873EE6F76A1
2 changed files with 35 additions and 6 deletions

View file

@ -685,10 +685,10 @@ trait AdminSettingsController
if($captcha) { if($captcha) {
$secret = $request->input('captcha_secret'); $secret = $request->input('captcha_secret');
$sitekey = $request->input('captcha_sitekey'); $sitekey = $request->input('captcha_sitekey');
if(config_cache('captcha.secret') !== $secret && strpos('*', $secret) === false) { if(config_cache('captcha.secret') != $secret && strpos($secret, '*') === false) {
ConfigCacheService::put('captcha.secret', $secret); ConfigCacheService::put('captcha.secret', $secret);
} }
if(config_cache('captcha.sitekey') !== $sitekey && strpos('*', $sitekey) === false) { if(config_cache('captcha.sitekey') != $sitekey && strpos($sitekey, '*') === false) {
ConfigCacheService::put('captcha.sitekey', $sitekey); ConfigCacheService::put('captcha.sitekey', $sitekey);
} }
ConfigCacheService::put('captcha.active.login', $request->boolean('captcha_on_login')); ConfigCacheService::put('captcha.active.login', $request->boolean('captcha_on_login'));

View file

@ -8,6 +8,14 @@ use Cache;
class ConfigCacheService class ConfigCacheService
{ {
const CACHE_KEY = 'config_cache:_v0-key:'; const CACHE_KEY = 'config_cache:_v0-key:';
const PROTECTED_KEYS = [
'filesystems.disks.s3.key',
'filesystems.disks.s3.secret',
'filesystems.disks.spaces.key',
'filesystems.disks.spaces.secret',
'captcha.secret',
'captcha.sitekey',
];
public static function get($key) public static function get($key)
{ {
@ -135,20 +143,34 @@ class ConfigCacheService
return config($key); return config($key);
} }
$protect = false;
$protected = null;
if(in_array($key, self::PROTECTED_KEYS)) {
$protect = true;
}
$v = config($key); $v = config($key);
$c = ConfigCacheModel::where('k', $key)->first(); $c = ConfigCacheModel::where('k', $key)->first();
if ($c) { if ($c) {
return $c->v ?? config($key); if($protect) {
return decrypt($c->v) ?? config($key);
} else {
return $c->v ?? config($key);
}
} }
if (! $v) { if (! $v) {
return; return;
} }
if($protect && $v) {
$protected = encrypt($v);
}
$cc = new ConfigCacheModel; $cc = new ConfigCacheModel;
$cc->k = $key; $cc->k = $key;
$cc->v = $v; $cc->v = $protect ? $protected : $v;
$cc->save(); $cc->save();
return $v; return $v;
@ -159,8 +181,15 @@ class ConfigCacheService
{ {
$exists = ConfigCacheModel::whereK($key)->first(); $exists = ConfigCacheModel::whereK($key)->first();
$protect = false;
$protected = null;
if(in_array($key, self::PROTECTED_KEYS)) {
$protect = true;
$protected = encrypt($val);
}
if ($exists) { if ($exists) {
$exists->v = $val; $exists->v = $protect ? $protected : $val;
$exists->save(); $exists->save();
Cache::put(self::CACHE_KEY.$key, $val, now()->addHours(12)); Cache::put(self::CACHE_KEY.$key, $val, now()->addHours(12));
@ -169,7 +198,7 @@ class ConfigCacheService
$cc = new ConfigCacheModel; $cc = new ConfigCacheModel;
$cc->k = $key; $cc->k = $key;
$cc->v = $val; $cc->v = $protect ? $protected : $val;
$cc->save(); $cc->save();
Cache::put(self::CACHE_KEY.$key, $val, now()->addHours(12)); Cache::put(self::CACHE_KEY.$key, $val, now()->addHours(12));