migrate secrets into the database

the infra version is bumped because the nginx's dhparams path has changed
and the sftp server key path has changed.

src/blobs.js

@@ -5,11 +5,26 @@
 exports = module.exports = {
     get,
     set,
+
+    initSecrets,
+
+    ACME_ACCOUNT_KEY: 'acme_account_key',
+    ADDON_TURN_SECRET: 'addon_turn_secret',
+    DHPARAMS: 'dhparams',
+    SFTP_PUBLIC_KEY: 'sftp_public_key',
+    SFTP_PRIVATE_KEY: 'sftp_private_key',
+
     _clear: clear
 };
 
 const assert = require('assert'),
-    database = require('./database.js');
+    BoxError = require('./boxerror.js'),
+    constants = require('./constants.js'),
+    crypto = require('crypto'),
+    database = require('./database.js'),
+    debug = require('debug')('box:blobs'),
+    paths = require('./paths.js'),
+    safe = require('safetydance');
 
 const BLOBS_FIELDS = [ 'id', 'value' ].join(',');
 
@@ -31,3 +46,41 @@ async function set(id, value) {
 async function clear() {
     await database.query('DELETE FROM blobs');
 }
+
+async function initSecrets() {
+    let value = await get(exports.ACME_ACCOUNT_KEY);
+    if (!value) {
+        const accountKeyPem = safe.child_process.execSync('openssl genrsa 4096');
+        if (!accountKeyPem) throw new BoxError(BoxError.OPENSSL_ERROR, safe.error);
+        await set(exports.ACME_ACCOUNT_KEY, accountKeyPem);
+    }
+
+    value = await get(exports.ADDON_TURN_SECRET);
+    if (!value) {
+        const secret = 'a' + crypto.randomBytes(15).toString('hex'); // prefix with a to ensure string starts with a letter
+        await set(exports.ADDON_TURN_SECRET, Buffer.from(secret));
+    }
+
+    value = await get(exports.DHPARAMS);
+    if (!constants.TEST && !value) {
+        debug('initSecrets: generating dhparams.pem. this takes forever');
+        const dhparams = safe.child_process.execSync('openssl dhparam 2048');
+        if (!dhparams) throw new BoxError(BoxError.OPENSSL_ERROR, safe.error);
+        if (!safe.fs.writeFileSync(paths.DHPARAMS_FILE, dhparams)) throw new BoxError(BoxError.FS_ERROR, `Could not save dhparams.pem: ${safe.error.message}`);
+        await set(exports.DHPARAMS, dhparams);
+    }
+
+    value = await get(exports.SFTP_PRIVATE_KEY);
+    if (!value) {
+        debug('initSecrets: generate sftp keys');
+        if (constants.TEST) {
+            safe.fs.unlinkSync(`${paths.SFTP_KEYS_DIR}/ssh_host_rsa_key.pub`);
+            safe.fs.unlinkSync(`${paths.SFTP_KEYS_DIR}/ssh_host_rsa_key`);
+        }
+        if (!safe.child_process.execSync(`ssh-keygen -m PEM -t rsa -f "${paths.SFTP_KEYS_DIR}/ssh_host_rsa_key" -q -N ""`)) throw new BoxError(BoxError.OPENSSL_ERROR, safe.error);
+        const publicKey = safe.fs.readFileSync(`${paths.SFTP_KEYS_DIR}/ssh_host_rsa_key.pub`);
+        await set(exports.SFTP_PUBLIC_KEY, publicKey);
+        const privateKey = safe.fs.readFileSync(`${paths.SFTP_KEYS_DIR}/ssh_host_rsa_key`);
+        await set(exports.SFTP_PRIVATE_KEY, privateKey);
+    }
+}