src/blobs.js

/* jslint node:true */

'use strict';

exports = module.exports = {
    get,
    getString,
    set,
    setString,
    del,

    listCertIds,

    ACME_ACCOUNT_KEY: 'acme_account_key',
    ADDON_TURN_SECRET: 'addon_turn_secret',

    // the code relies on sftp_<keytype>_* pattern
    SFTP_RSA_PUBLIC_KEY: 'sftp_rsa_public_key',
    SFTP_RSA_PRIVATE_KEY: 'sftp_rsa_private_key',
    SFTP_ED25519_PUBLIC_KEY: 'sftp_ed25519_public_key',
    SFTP_ED25519_PRIVATE_KEY: 'sftp_ed25519_private_key',

    PROXY_AUTH_TOKEN_SECRET: 'proxy_auth_token_secret',

    OIDC_KEY_EDDSA: 'oidc_key_eddsa', // this is only JWT private key, the public key will be derived
    OIDC_KEY_RS256: 'oidc_key_rs256',

    CERT_PREFIX: 'cert',
    CERT_SUFFIX: 'cert',

    _clear: clear
};

const assert = require('node:assert'),
    database = require('./database.js');

const BLOBS_FIELDS = [ 'id', 'value' ].join(',');

async function get(id) {
    assert.strictEqual(typeof id, 'string');

    const result = await database.query(`SELECT ${BLOBS_FIELDS} FROM blobs WHERE id = ?`, [ id ]);
    if (result.length === 0) return null;
    return result[0].value;
}

async function getString(id) {
    assert.strictEqual(typeof id, 'string');

    const result = await database.query(`SELECT ${BLOBS_FIELDS} FROM blobs WHERE id = ?`, [ id ]);
    if (result.length === 0) return null;
    return result[0].value.toString('utf8');
}

async function set(id, value) {
    assert.strictEqual(typeof id, 'string');
    assert(value === null || Buffer.isBuffer(value));

    await database.query('INSERT INTO blobs (id, value) VALUES (?, ?) ON DUPLICATE KEY UPDATE value=VALUES(value)', [ id, value ]);
}

async function setString(id, value) {
    assert.strictEqual(typeof id, 'string');
    assert(value === null || typeof value === 'string');

    await database.query('INSERT INTO blobs (id, value) VALUES (?, ?) ON DUPLICATE KEY UPDATE value=VALUES(value)', [ id, Buffer.from(value) ]);
}

async function del(id) {
    await database.query('DELETE FROM blobs WHERE id=?', [ id ]);
}

async function clear() {
    await database.query('DELETE FROM blobs');
}

async function listCertIds() {
    const result = await database.query('SELECT id FROM blobs WHERE id LIKE ?', [ `${exports.CERT_PREFIX}-%.${exports.CERT_SUFFIX}` ]);
    return result.map(r => r.id);
}
add async support to database.query() 2021-05-02 21:12:38 -07:00			`/* jslint node:true */`

Add secrets table this will hold keys, certs etc 2021-04-30 21:54:53 -07:00			`'use strict';`

			`exports = module.exports = {`
			`get,`
proxyAuth: persist the secret token 2022-02-01 17:16:25 -08:00			`getString,`
Add secrets table this will hold keys, certs etc 2021-04-30 21:54:53 -07:00			`set,`
proxyAuth: persist the secret token 2022-02-01 17:16:25 -08:00			`setString,`
delete certs that have long expired (6 months) fixes #783 2021-05-18 13:28:48 -07:00			`del,`
migrate secrets into the database the infra version is bumped because the nginx's dhparams path has changed and the sftp server key path has changed. 2021-05-02 23:28:41 -07:00
reverseproxy: rework cert logic 9c8f78a0595c0e08671db143ffcc7293c806b9d3 already fixed many of the cert issues. However, some issues were caught in the CI: * The TLS addon has to be rebuilt and not just restarted. For this reason, we now move things to a directory instead of mounting files. This way the container is just restarted. * Cleanups must be driven by the database and not the filesystem . Deleting files on disk or after a restore, the certs are left dangling forever in the db. * Separate the db cert logic and disk cert logic. This way we can sync as many times as we want and whenever we want. 2022-11-28 22:32:34 +01:00			`listCertIds,`

migrate secrets into the database the infra version is bumped because the nginx's dhparams path has changed and the sftp server key path has changed. 2021-05-02 23:28:41 -07:00			`ACME_ACCOUNT_KEY: 'acme_account_key',`
			`ADDON_TURN_SECRET: 'addon_turn_secret',`
sftp: ed25519 keys 2023-03-09 10:55:14 +01:00
			`// the code relies on sftp_<keytype>_* pattern`
			`SFTP_RSA_PUBLIC_KEY: 'sftp_rsa_public_key',`
			`SFTP_RSA_PRIVATE_KEY: 'sftp_rsa_private_key',`
			`SFTP_ED25519_PUBLIC_KEY: 'sftp_ed25519_public_key',`
			`SFTP_ED25519_PRIVATE_KEY: 'sftp_ed25519_private_key',`

proxyAuth: persist the secret token 2022-02-01 17:16:25 -08:00			`PROXY_AUTH_TOKEN_SECRET: 'proxy_auth_token_secret',`
migrate secrets into the database the infra version is bumped because the nginx's dhparams path has changed and the sftp server key path has changed. 2021-05-02 23:28:41 -07:00
oidc: add RSA-SHA256 aka rs256 signature algorithm 2023-04-04 11:32:32 +02:00			`OIDC_KEY_EDDSA: 'oidc_key_eddsa', // this is only JWT private key, the public key will be derived`
			`OIDC_KEY_RS256: 'oidc_key_rs256',`
oidc: give every Cloudron its own EdDSA key 2023-03-23 18:02:45 +01:00
migrate certs into the blobs database use platformdata/nginx/cert to store the certs 2021-05-07 20:19:18 -07:00			`CERT_PREFIX: 'cert',`
reverseproxy: rework cert logic 9c8f78a0595c0e08671db143ffcc7293c806b9d3 already fixed many of the cert issues. However, some issues were caught in the CI: * The TLS addon has to be rebuilt and not just restarted. For this reason, we now move things to a directory instead of mounting files. This way the container is just restarted. * Cleanups must be driven by the database and not the filesystem . Deleting files on disk or after a restore, the certs are left dangling forever in the db. * Separate the db cert logic and disk cert logic. This way we can sync as many times as we want and whenever we want. 2022-11-28 22:32:34 +01:00			`CERT_SUFFIX: 'cert',`
migrate certs into the blobs database use platformdata/nginx/cert to store the certs 2021-05-07 20:19:18 -07:00
add async support to database.query() 2021-05-02 21:12:38 -07:00			`_clear: clear`
Add secrets table this will hold keys, certs etc 2021-04-30 21:54:53 -07:00			`};`

use node: prefix for requires mostly because code is being autogenerated by all the AI stuff using this prefix. it's also used in the stack trace. 2025-08-14 11:17:38 +05:30			`const assert = require('node:assert'),`
generate dhparams per server this way we don't need to save/restore it from the database. 2021-11-16 23:03:16 -08:00			`database = require('./database.js');`
Add secrets table this will hold keys, certs etc 2021-04-30 21:54:53 -07:00
add async support to database.query() 2021-05-02 21:12:38 -07:00			`const BLOBS_FIELDS = [ 'id', 'value' ].join(',');`
Add secrets table this will hold keys, certs etc 2021-04-30 21:54:53 -07:00
add async support to database.query() 2021-05-02 21:12:38 -07:00			`async function get(id) {`
			`assert.strictEqual(typeof id, 'string');`
Add secrets table this will hold keys, certs etc 2021-04-30 21:54:53 -07:00
add async support to database.query() 2021-05-02 21:12:38 -07:00			const result = await database.query(`SELECT ${BLOBS_FIELDS} FROM blobs WHERE id = ?`, [ id ]);
			`if (result.length === 0) return null;`
			`return result[0].value;`
Add secrets table this will hold keys, certs etc 2021-04-30 21:54:53 -07:00			`}`

proxyAuth: persist the secret token 2022-02-01 17:16:25 -08:00			`async function getString(id) {`
			`assert.strictEqual(typeof id, 'string');`

			const result = await database.query(`SELECT ${BLOBS_FIELDS} FROM blobs WHERE id = ?`, [ id ]);
			`if (result.length === 0) return null;`
			`return result[0].value.toString('utf8');`
			`}`

add async support to database.query() 2021-05-02 21:12:38 -07:00			`async function set(id, value) {`
secrets -> blobs this will also have certs which are not really "secrets" 2021-04-30 22:26:51 -07:00			`assert.strictEqual(typeof id, 'string');`
add async support to database.query() 2021-05-02 21:12:38 -07:00			`assert(value === null \|\| Buffer.isBuffer(value));`
Add secrets table this will hold keys, certs etc 2021-04-30 21:54:53 -07:00
add async support to database.query() 2021-05-02 21:12:38 -07:00			`await database.query('INSERT INTO blobs (id, value) VALUES (?, ?) ON DUPLICATE KEY UPDATE value=VALUES(value)', [ id, value ]);`
			`}`
Add secrets table this will hold keys, certs etc 2021-04-30 21:54:53 -07:00
proxyAuth: persist the secret token 2022-02-01 17:16:25 -08:00			`async function setString(id, value) {`
			`assert.strictEqual(typeof id, 'string');`
			`assert(value === null \|\| typeof value === 'string');`

			`await database.query('INSERT INTO blobs (id, value) VALUES (?, ?) ON DUPLICATE KEY UPDATE value=VALUES(value)', [ id, Buffer.from(value) ]);`
			`}`

delete certs that have long expired (6 months) fixes #783 2021-05-18 13:28:48 -07:00			`async function del(id) {`
			`await database.query('DELETE FROM blobs WHERE id=?', [ id ]);`
			`}`

add async support to database.query() 2021-05-02 21:12:38 -07:00			`async function clear() {`
			`await database.query('DELETE FROM blobs');`
Add secrets table this will hold keys, certs etc 2021-04-30 21:54:53 -07:00			`}`
reverseproxy: rework cert logic 9c8f78a0595c0e08671db143ffcc7293c806b9d3 already fixed many of the cert issues. However, some issues were caught in the CI: * The TLS addon has to be rebuilt and not just restarted. For this reason, we now move things to a directory instead of mounting files. This way the container is just restarted. * Cleanups must be driven by the database and not the filesystem . Deleting files on disk or after a restore, the certs are left dangling forever in the db. * Separate the db cert logic and disk cert logic. This way we can sync as many times as we want and whenever we want. 2022-11-28 22:32:34 +01:00
			`async function listCertIds() {`
			const result = await database.query('SELECT id FROM blobs WHERE id LIKE ?', [ `${exports.CERT_PREFIX}-%.${exports.CERT_SUFFIX}` ]);
			`return result.map(r => r.id);`
			`}`