Fix/key backup in config script (#1206)

Because we provide the option to regenerate the config files, the encryption key could be lost. - The configure.sh read the existing key and write it back during the config generation - Backup the previously generated config files before overwrite it - Fix invalid json output in the Extras field - Reduce the error logs in case if the encryption key is invalid - Response in the events API with valid user info in any cases - Add extra error handling to the configure.sh. I.e. handle the invalid OpenID urls
2024-11-07 08:44:07 +01:00 · 2023-10-11 23:01:49 +02:00 · 2023-10-11 23:01:49 +02:00 · 2b90ff8c24
commit 2b90ff8c24
parent b8599f634c
3 changed files with 43 additions and 8 deletions
--- a/infrastructure_files/configure.sh
+++ b/infrastructure_files/configure.sh
@ -1,4 +1,5 @@
 #!/bin/bash
+set -e

 if ! which curl >/dev/null 2>&1; then
  echo "This script uses curl fetch OpenID configuration from IDP."
@ -154,6 +155,8 @@ if [ -n "$NETBIRD_MGMT_IDP" ]; then
  export NETBIRD_IDP_MGMT_CLIENT_ID
  export NETBIRD_IDP_MGMT_CLIENT_SECRET
  export NETBIRD_IDP_MGMT_EXTRA_CONFIG=$EXTRA_CONFIG
+else
+  export NETBIRD_IDP_MGMT_EXTRA_CONFIG={}
 fi

 IFS=',' read -r -a REDIRECT_URL_PORTS <<< "$NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS"
@ -170,8 +173,29 @@ if [ "$NETBIRD_DASH_AUTH_USE_AUDIENCE" = "false" ]; then
    export NETBIRD_AUTH_PKCE_AUDIENCE=
 fi

+# Read the encryption key
+if test -f 'management.json'; then
+    encKey=$(jq -r  ".DataStoreEncryptionKey" management.json)
+    if [[ "$encKey" != "null" ]]; then
+        export NETBIRD_DATASTORE_ENC_KEY=$encKey
+
+    fi
+fi
+
 env | grep NETBIRD

+bkp_postfix="$(date +%s)"
+if test -f 'docker-compose.yml'; then
+    cp docker-compose.yml "docker-compose.yml.bkp.${bkp_postfix}"
+fi
+
+if test -f 'management.json'; then
+    cp management.json "management.json.bkp.${bkp_postfix}"
+fi
+
+if test -f 'turnserver.conf'; then
+    cp turnserver.conf "turnserver.conf.bpk.${bkp_postfix}"
+fi
 envsubst <docker-compose.yml.tmpl >docker-compose.yml
-envsubst <management.json.tmpl >management.json
-envsubst <turnserver.conf.tmpl >turnserver.conf
+envsubst <management.json.tmpl | jq . >management.json
+envsubst <turnserver.conf.tmpl >turnserver.conf
--- a/infrastructure_files/management.json.tmpl
+++ b/infrastructure_files/management.json.tmpl
@ -27,6 +27,7 @@
        "Password": null
    },
    "Datadir": "",
+    "DataStoreEncryptionKey": "$NETBIRD_DATASTORE_ENC_KEY",
    "HttpConfig": {
        "Address": "0.0.0.0:$NETBIRD_MGMT_API_PORT",
        "AuthIssuer": "$NETBIRD_AUTH_AUTHORITY",
--- a/management/server/activity/sqlite/sqlite.go
+++ b/management/server/activity/sqlite/sqlite.go
@ -45,6 +45,9 @@ const (
 		"VALUES(?, ?, ?, ?, ?, ?)"

 	insertDeleteUserQuery = `INSERT INTO deleted_users(id, email, name) VALUES(?, ?, ?)`
+
+	fallbackName  = "unknown"
+	fallbackEmail = "unknown@unknown.com"
 )

 // Store is the implementation of the activity.Store interface backed by SQLite
@ -128,6 +131,7 @@ func NewSQLiteStore(dataDir string, encryptionKey string) (*Store, error) {

 func (store *Store) processResult(result *sql.Rows) ([]*activity.Event, error) {
 	events := make([]*activity.Event, 0)
+	var cryptErr error
 	for result.Next() {
 		var id int64
 		var operation activity.Activity
@ -156,8 +160,8 @@ func (store *Store) processResult(result *sql.Rows) ([]*activity.Event, error) {
 		if targetUserName != nil {
 			name, err := store.fieldEncrypt.Decrypt(*targetUserName)
 			if err != nil {
-				log.Errorf("failed to decrypt username for target id: %s", target)
-				meta["username"] = ""
+				cryptErr = fmt.Errorf("failed to decrypt username for target id: %s", target)
+				meta["username"] = fallbackName
 			} else {
 				meta["username"] = name
 			}
@ -166,8 +170,8 @@ func (store *Store) processResult(result *sql.Rows) ([]*activity.Event, error) {
 		if targetEmail != nil {
 			email, err := store.fieldEncrypt.Decrypt(*targetEmail)
 			if err != nil {
-				log.Errorf("failed to decrypt email address for target id: %s", target)
-				meta["email"] = ""
+				cryptErr = fmt.Errorf("failed to decrypt email address for target id: %s", target)
+				meta["email"] = fallbackEmail
 			} else {
 				meta["email"] = email
 			}
@ -186,7 +190,8 @@ func (store *Store) processResult(result *sql.Rows) ([]*activity.Event, error) {
 		if initiatorName != nil {
 			name, err := store.fieldEncrypt.Decrypt(*initiatorName)
 			if err != nil {
-				log.Errorf("failed to decrypt username of initiator: %s", initiator)
+				cryptErr = fmt.Errorf("failed to decrypt username of initiator: %s", initiator)
+				event.InitiatorName = fallbackName
 			} else {
 				event.InitiatorName = name
 			}
@ -195,7 +200,8 @@ func (store *Store) processResult(result *sql.Rows) ([]*activity.Event, error) {
 		if initiatorEmail != nil {
 			email, err := store.fieldEncrypt.Decrypt(*initiatorEmail)
 			if err != nil {
-				log.Errorf("failed to decrypt email address of initiator: %s", initiator)
+				cryptErr = fmt.Errorf("failed to decrypt email address of initiator: %s", initiator)
+				event.InitiatorEmail = fallbackEmail
 			} else {
 				event.InitiatorEmail = email
 			}
@ -204,6 +210,10 @@ func (store *Store) processResult(result *sql.Rows) ([]*activity.Event, error) {
 		events = append(events, event)
 	}

+	if cryptErr != nil {
+		log.Warnf("%s", cryptErr)
+	}
+
 	return events, nil
 }