Implement Encryption for Sensitive Data and Switch to .env for Configuration Storage
This commit introduces several significant changes to improve the security and configuration management of the application. Encryption of Sensitive Data: We've introduced encryption for sensitive data such as database passwords. This is done using the Blowfish algorithm. The encryption and decryption methods are added to the Utilities module. The encryption is applied when the user enters their database password during the first run setup. The encrypted password is then stored in the .env file. When the application needs to use the password, it is decrypted using the key that was generated during encryption. Switch from YAML to .env for Configuration Storage: The application now uses a .env file for storing configuration data instead of a YAML file. This change was made to take advantage of the .env file's ability to store environment variables, which can be easily accessed by the application. The .env file stores the database username, encrypted password, encryption key, and database name. First Run Setup Changes: The FirstRunInit class has been updated to ask the user for their database details, encrypt the password, and store these details in the .env file. It also checks if any of the necessary details are missing and runs the first run setup if they are. Database Connection Testing: The DatabaseManager class now decrypts the password before using it to test the database connection. It also checks if the password or key are nil before attempting to decrypt the password. Logging: A new LoggMan class has been added to handle logging. This class provides a simple method for logging messages, which can be used throughout the application to log errors or other important information. Bug Fixes and Error Handling: Several bugs were fixed and error handling was improved. For example, a bug that caused the application to crash if the .env file was missing has been fixed. Also, the application now checks if the .env file exists and creates it if it doesn't. These changes significantly improve the security, reliability, and usability of the application.
This commit is contained in:
parent
abc256bb42
commit
281d5f6ebf
1
.gitignore
vendored
1
.gitignore
vendored
|
@ -58,3 +58,4 @@ build-iPhoneSimulator/
|
|||
# Used by RuboCop. Remote config files pulled in from inherit_from directive.
|
||||
# .rubocop-https?--*
|
||||
bin/config.yml
|
||||
lib/netrave.log
|
||||
|
|
|
@ -10,7 +10,7 @@ require_relative '../lib/utils/utilities'
|
|||
include Utilities # rubocop:disable Style/MixinUsage
|
||||
|
||||
# Create .env file if it doesn't exist
|
||||
File.new('.env', 'w') unless File.exist?('.env')
|
||||
File.open('.env', 'w') {} unless File.exist?('.env')
|
||||
|
||||
# Load environment variables from .env file
|
||||
Dotenv.load
|
||||
|
@ -42,7 +42,9 @@ if db_details.values.any?(&:nil?)
|
|||
end
|
||||
|
||||
# Decrypt the password
|
||||
db_details[:password] = decrypt_string_chacha20(db_details[:password], db_details[:key])
|
||||
if db_details[:password] && db_details[:key]
|
||||
db_details[:password] = decrypt_string_chacha20(db_details[:password], db_details[:key])
|
||||
end
|
||||
|
||||
# Test connection
|
||||
unless db_manager.test_db_connection(db_details)
|
||||
|
|
|
@ -13,18 +13,20 @@ class DatabaseManager
|
|||
@db = nil
|
||||
end
|
||||
|
||||
def test_db_connection(db_details)
|
||||
def test_db_connection(db_details) # rubocop:disable Metrics/MethodLength
|
||||
# Decrypt the password before using it
|
||||
decrypted_password = decrypt_string_chacha20(db_details[:password], db_details[:key])
|
||||
connection_string = "mysql2://#{db_details[:username]}:#{decrypted_password}@localhost/#{db_details[:database]}"
|
||||
@db = Sequel.connect(connection_string)
|
||||
# Try a simple query to test the connection
|
||||
@db.run 'SELECT 1'
|
||||
true
|
||||
if db_details[:password] && db_details[:key]
|
||||
decrypted_password = decrypt_string_chacha20(db_details[:password], db_details[:key])
|
||||
connection_string = "mysql2://#{db_details[:username]}:#{decrypted_password}@localhost/#{db_details[:database]}"
|
||||
@db = Sequel.connect(connection_string)
|
||||
# Try a simple query to test the connection
|
||||
@db.run 'SELECT 1'
|
||||
true
|
||||
else
|
||||
false
|
||||
end
|
||||
rescue Sequel::DatabaseConnectionError
|
||||
false
|
||||
ensure
|
||||
@db&.disconnect
|
||||
end
|
||||
|
||||
def create_system_info_table
|
||||
|
|
|
@ -6,6 +6,7 @@ require 'dotenv'
|
|||
require_relative 'database_manager'
|
||||
require_relative 'system_information_gather'
|
||||
require_relative 'utilities'
|
||||
require_relative 'logg_man'
|
||||
|
||||
# first run class
|
||||
class FirstRunInit
|
||||
|
@ -15,6 +16,7 @@ class FirstRunInit
|
|||
def initialize(db_manager = nil)
|
||||
@db_manager = db_manager || DatabaseManager.new
|
||||
@info_gatherer = SystemInformationGather.new(@db_manager)
|
||||
@loggman = LoggMan.new
|
||||
end
|
||||
|
||||
def run
|
||||
|
@ -75,17 +77,23 @@ class FirstRunInit
|
|||
# Encrypt the password
|
||||
encrypted_password = encrypt_string_chacha20(password, key)
|
||||
|
||||
{ username:, password: encrypted_password, key:, database: }
|
||||
db_details = { username:, password: encrypted_password, key:, database: }
|
||||
write_db_details_to_config_file(db_details)
|
||||
end
|
||||
|
||||
def write_db_details_to_config_file(db_details)
|
||||
# Write the database details to the .env file
|
||||
File.open('.env', 'w') do |file|
|
||||
file.puts "DB_USERNAME=#{db_details[:username]}"
|
||||
file.puts "DB_PASSWORD=#{db_details[:password]}"
|
||||
file.puts "DB_SECRET_KEY=#{db_details[:key]}"
|
||||
file.puts "DB_DATABASE=#{db_details[:database]}"
|
||||
file.puts %(DB_USERNAME="#{db_details[:username]}")
|
||||
file.puts %(DB_PASSWORD="#{db_details[:password]}")
|
||||
file.puts %(DB_SECRET_KEY="#{db_details[:key]}")
|
||||
file.puts %(DB_DATABASE="#{db_details[:database]}")
|
||||
end
|
||||
|
||||
# Load the .env file using dotenv
|
||||
Dotenv.load
|
||||
rescue StandardError => e
|
||||
@loggman.log_error("Failed to write to .env file: #{e.message}")
|
||||
end
|
||||
|
||||
def ask_for_default_mode
|
||||
|
|
30
lib/utils/logg_man.rb
Normal file
30
lib/utils/logg_man.rb
Normal file
|
@ -0,0 +1,30 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
require 'logger'
|
||||
|
||||
# LoggMan class for handling logs
|
||||
class LoggMan
|
||||
def initialize
|
||||
@logger = Logger.new('netrave.log')
|
||||
end
|
||||
|
||||
def log_info(message)
|
||||
@logger.info(message)
|
||||
end
|
||||
|
||||
def log_error(message)
|
||||
@logger.error(message)
|
||||
end
|
||||
|
||||
def log_warn(message)
|
||||
@logger.warn(message)
|
||||
end
|
||||
|
||||
def log_debug(message)
|
||||
@logger.debug(message)
|
||||
end
|
||||
|
||||
def log_fatal(message)
|
||||
@logger.fatal(message)
|
||||
end
|
||||
end
|
|
@ -4,6 +4,7 @@ require 'securerandom'
|
|||
require 'digest'
|
||||
require 'base64'
|
||||
require 'openssl'
|
||||
require_relative 'logg_man'
|
||||
|
||||
# Utiltiies Module
|
||||
module Utilities
|
||||
|
@ -32,31 +33,26 @@ module Utilities
|
|||
Base64.encode64(SecureRandom.bytes(32)).chomp
|
||||
end
|
||||
|
||||
def encrypt_string_chacha20(string, key)
|
||||
def encrypt_string_chacha20(data, key)
|
||||
cipher = OpenSSL::Cipher.new('chacha20')
|
||||
cipher.encrypt
|
||||
cipher.key = Base64.decode64(key)
|
||||
encrypted = cipher.update(string) + cipher.final
|
||||
Base64.encode64(encrypted).chomp
|
||||
cipher.key = Base64.decode64(key) # Decode the key from Base64
|
||||
encrypted_data = cipher.update(data) + cipher.final
|
||||
|
||||
loggman = LoggMan.new
|
||||
loggman.log_debug("Data to be encrypted: #{data}")
|
||||
loggman.log_debug("Key: #{key}")
|
||||
loggman.log_debug("Encrypted data: #{encrypted_data}")
|
||||
|
||||
Base64.encode64(encrypted_data).chomp
|
||||
end
|
||||
|
||||
def decrypt_string_chacha20(encrypted_string, key)
|
||||
decipher = OpenSSL::Cipher.new('chacha20')
|
||||
decipher.decrypt
|
||||
decipher.key = Base64.decode64(key)
|
||||
decrypted = Base64.decode64(encrypted_string)
|
||||
decipher.update(decrypted) + decipher.final
|
||||
end
|
||||
def decrypt_string_chacha20(encrypted_data, key)
|
||||
return nil if encrypted_data.nil?
|
||||
|
||||
# Encrypts a given data object using Blowfish and returns the encrypted string
|
||||
def encrypt_data_blowfish(data, key)
|
||||
plain_text = YAML.dump(data)
|
||||
encrypt_string_blowfish(plain_text, key)
|
||||
end
|
||||
|
||||
# Decrypts a given encrypted string using Blowfish and returns the original data object
|
||||
def decrypt_data_blowfish(encrypted_text, key)
|
||||
plain_text = decrypt_string_blowfish(encrypted_text, key)
|
||||
YAML.load(plain_text)
|
||||
cipher = OpenSSL::Cipher.new('chacha20')
|
||||
cipher.decrypt
|
||||
cipher.key = Base64.decode64(key) # Decode the key from Base64
|
||||
cipher.update(Base64.decode64(encrypted_data)) + cipher.final
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue
Block a user