Consume security salt from env if available (CFM-28) (#57)

COmanage · Oct 9, 2022 · 6d60cc9 · 6d60cc9
1 parent 0307afb
commit 6d60cc9
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 26 deletions.
diff --git a/app/config/bootstrap.php b/app/config/bootstrap.php
@@ -168,14 +168,22 @@
 TransportFactory::setConfig(Configure::consume('EmailTransport'));
 Mailer::setConfig(Configure::consume('Email'));
 Log::setConfig(Configure::consume('Log'));
-// Set the salt based on our local configuration
-$securitySaltFile = LOCAL . DS . "config" . DS . "security.salt";
-// If the file doesn't exist yet, we're probably in SetupCommand, which will create it
-if(file_exists($securitySaltFile)) {
-  $salt = file_get_contents($securitySaltFile);
+
+// Set the salt from the environment if available, else from the filesystem,
+// and if the salt cannot be determined we're probably in SetupCommand,
+// which will create it.
+$salt = env('SECURITY_SALT', null);
+
+if(is_null($salt)) {
+  $securitySaltFile = LOCAL . "config" . DS . "security.salt";
+  if(file_exists($securitySaltFile)) {
+    $salt = file_get_contents($securitySaltFile);
+  }
+}
+
+if($salt) {
   Security::setSalt($salt);
 }
-//Security::setSalt(Configure::consume('Security.salt'));
 
 /*
  * Setup detectors for mobile and tablet.

diff --git a/app/resources/locales/en_US/command.po b/app/resources/locales/en_US/command.po
@@ -73,7 +73,7 @@ msgid "se.person_role.title"
 msgstr "COmanage Platform Administrator"
 
 msgid "se.salt"
-msgstr "Generating salt file"
+msgstr "Generating salt file {0}"
 
 msgid "tm.epilog"
 msgstr "An optional, space separated list of tables to transmogrify may be specified"

diff --git a/app/src/Command/SetupCommand.php b/app/src/Command/SetupCommand.php
@@ -76,20 +76,24 @@ public function execute(Arguments $args, ConsoleIo $io)
   {
     global $argv;
 
-    // Check if the security salt file already exists, and if so abort.
+    $force = $args->getOption('force');
 
-    $securitySaltFile = LOCAL . DS . "config" . DS . "security.salt";
-
-    if(file_exists($securitySaltFile)) {
+    // Check if the COmanage CO already exists, and if so abort.
+
+    $coTable = $this->getTableLocator()->get('Cos');
+    $query = $coTable->find();
+    $comanageCO = $coTable->findCOmanageCO($query)->first();
+
+    if(!is_null($comanageCO)) {
       $io->out(__d('command', 'se.already'));
 
-      if(!$args->getOption('force')) {
+      if(!$force) {
         exit;
       }
     }
-    
-    // Collect the admin info before we try to do anything
-    
+
+    // Collect the admin info before we try to do anything.
+
     $givenName = $args->getOption('admin-given-name');
     $sn = $args->getOption('admin-family-name');
     $username = $args->getOption('admin-username');
@@ -106,20 +110,22 @@ public function execute(Arguments $args, ConsoleIo $io)
       $username = $io->ask(__d('command', 'opt.admin-username'));
     }
 
-    // Setup the COmanage CO
-    $coTable = $this->getTableLocator()->get('Cos');
+    // Setup the COmanage CO.
 
-    $io->out(__d('command', 'se.db.co'));
+    if(is_null($comanageCO)) {
+      $io->out(__d('command', 'se.db.co'));
+      $co_id = $coTable->setupCOmanageCO();
 
-    $co_id = $coTable->setupCOmanageCO();
+      if(is_null($co_id)) {
+        throw new \RuntimeException('setup.co.comanage');
+      }
 
-    if(is_null($co_id)) {
-      throw new \RuntimeException('setup.co.comanage');
+      $io->out(__d('command', 'se.db.co.done', [$co_id]));
+    } else {
+      $co_id = $comanageCO->id;
     }
 
-    $io->out(__d('command', 'se.db.co.done', [$co_id]));
-
-    // Add the first CMP Administrator
+    // Add the first CMP Administrator.
 
     $io->out(__d('command', 'se.db.cmpadmin'));
 
@@ -170,9 +176,22 @@ public function execute(Arguments $args, ConsoleIo $io)
       'group_id' => $coTable->Groups->getAdminGroupId(coId: $co_id)
     ],
     ['validate' => false])];
-    
+
     $coTable->People->save($person);
-
+
+    // Write the salt file if not set in environment and file does not exist.
+    if(!env('SECURITY_SALT', null)) {
+      $securitySaltFile = LOCAL . "config" . DS . "security.salt";
+
+      if(file_exists($securitySaltFile)) {
+        $io->out(__d('command', 'se.already'));
+      } else {
+        $salt = substr(bin2hex(random_bytes(1024)), 0, 40);
+        file_put_contents($securitySaltFile, $salt);
+        $io->out(__d('command', 'se.salt', [$securitySaltFile]));
+      }
+    }
+
     $io->out(__d('command', 'se.done'));
   }
 }