migrate secrets into the database

the infra version is bumped because the nginx's dhparams path has changed and the sftp server key path has changed.
2021-05-02 23:28:41 -07:00
parent 4015f8fdf2
commit c17743d869
19 changed files with 195 additions and 99 deletions
@@ -31,10 +31,11 @@ exports = module.exports = {
    SERVICE_STATUS_STOPPED: 'stopped'
 };

-var appdb = require('./appdb.js'),
+const appdb = require('./appdb.js'),
    apps = require('./apps.js'),
    assert = require('assert'),
    async = require('async'),
+    blobs = require('./blobs.js'),
    BoxError = require('./boxerror.js'),
    constants = require('./constants.js'),
    crypto = require('crypto'),
@@ -958,22 +959,25 @@ function setupTurn(app, options, callback) {
    assert.strictEqual(typeof options, 'object');
    assert.strictEqual(typeof callback, 'function');

-    var turnSecret = safe.fs.readFileSync(paths.ADDON_TURN_SECRET_FILE, 'utf8');
-    if (!turnSecret) debug('setupTurn: no turn secret set. Will leave emtpy, but this is a problem!');
+    const blobGet = util.callbackify(blobs.get);
+    blobGet(blobs.ADDON_TURN_SECRET, function (error, turnSecret) {
+        if (error) return callback(error);
+        if (!turnSecret) return callback(new BoxError(BoxError.ADDONS_ERROR, 'Turn secret is missing'));

-    const env = [
-        { name: 'CLOUDRON_STUN_SERVER', value: settings.adminFqdn() },
-        { name: 'CLOUDRON_STUN_PORT', value: '3478' },
-        { name: 'CLOUDRON_STUN_TLS_PORT', value: '5349' },
-        { name: 'CLOUDRON_TURN_SERVER', value: settings.adminFqdn() },
-        { name: 'CLOUDRON_TURN_PORT', value: '3478' },
-        { name: 'CLOUDRON_TURN_TLS_PORT', value: '5349' },
-        { name: 'CLOUDRON_TURN_SECRET', value: turnSecret }
-    ];
+        const env = [
+            { name: 'CLOUDRON_STUN_SERVER', value: settings.adminFqdn() },
+            { name: 'CLOUDRON_STUN_PORT', value: '3478' },
+            { name: 'CLOUDRON_STUN_TLS_PORT', value: '5349' },
+            { name: 'CLOUDRON_TURN_SERVER', value: settings.adminFqdn() },
+            { name: 'CLOUDRON_TURN_PORT', value: '3478' },
+            { name: 'CLOUDRON_TURN_TLS_PORT', value: '5349' },
+            { name: 'CLOUDRON_TURN_SECRET', value: turnSecret }
+        ];

-    debugApp(app, 'Setting up TURN');
+        debugApp(app, 'Setting up TURN');

-    appdb.setAddonConfig(app.id, 'turn', env, callback);
+        appdb.setAddonConfig(app.id, 'turn', env, callback);
+    });
 }

 function teardownTurn(app, options, callback) {
@@ -1557,40 +1561,39 @@ function startTurn(existingInfra, serviceConfig, callback) {
    assert.strictEqual(typeof serviceConfig, 'object');
    assert.strictEqual(typeof callback, 'function');

-    // get and ensure we have a turn secret
-    var turnSecret = safe.fs.readFileSync(paths.ADDON_TURN_SECRET_FILE, 'utf8');
-    if (!turnSecret) {
-        turnSecret = 'a' + crypto.randomBytes(15).toString('hex'); // prefix with a to ensure string starts with a letter
-        safe.fs.writeFileSync(paths.ADDON_TURN_SECRET_FILE, turnSecret, 'utf8');
-    }
-
    const tag = infra.images.turn.tag;
    const memoryLimit = serviceConfig.memoryLimit || SERVICES['turn'].defaultMemoryLimit;
    const memory = system.getMemoryAllocation(memoryLimit);
    const realm = settings.adminFqdn();

-    // this exports 3478/tcp, 5349/tls and 50000-51000/udp. note that this runs on the host network!
-    const cmd = `docker run --restart=always -d --name="turn" \
-                --hostname turn \
-                --net host \
-                --log-driver syslog \
-                --log-opt syslog-address=udp://127.0.0.1:2514 \
-                --log-opt syslog-format=rfc5424 \
-                --log-opt tag=turn \
-                -m ${memory} \
-                --memory-swap ${memoryLimit} \
-                --dns 172.18.0.1 \
-                --dns-search=. \
-                -e CLOUDRON_TURN_SECRET="${turnSecret}" \
-                -e CLOUDRON_REALM="${realm}" \
-                --label isCloudronManaged=true \
-                --read-only -v /tmp -v /run "${tag}"`;
+    const blobGet = util.callbackify(blobs.get);
+    blobGet(blobs.ADDON_TURN_SECRET, function (error, turnSecret) {
+        if (error) return callback(error);
+        if (!turnSecret) return callback(new BoxError(BoxError.ADDONS_ERROR, 'Turn secret is missing'));

-    async.series([
-        shell.exec.bind(null, 'stopTurn', 'docker stop turn || true'),
-        shell.exec.bind(null, 'removeTurn', 'docker rm -f turn || true'),
-        shell.exec.bind(null, 'startTurn', cmd)
-    ], callback);
+        // this exports 3478/tcp, 5349/tls and 50000-51000/udp. note that this runs on the host network!
+        const cmd = `docker run --restart=always -d --name="turn" \
+                    --hostname turn \
+                    --net host \
+                    --log-driver syslog \
+                    --log-opt syslog-address=udp://127.0.0.1:2514 \
+                    --log-opt syslog-format=rfc5424 \
+                    --log-opt tag=turn \
+                    -m ${memory} \
+                    --memory-swap ${memoryLimit} \
+                    --dns 172.18.0.1 \
+                    --dns-search=. \
+                    -e CLOUDRON_TURN_SECRET="${turnSecret}" \
+                    -e CLOUDRON_REALM="${realm}" \
+                    --label isCloudronManaged=true \
+                    --read-only -v /tmp -v /run "${tag}"`;
+
+        async.series([
+            shell.exec.bind(null, 'stopTurn', 'docker stop turn || true'),
+            shell.exec.bind(null, 'removeTurn', 'docker rm -f turn || true'),
+            shell.exec.bind(null, 'startTurn', cmd)
+        ], callback);
+    });
 }

 function startMongodb(existingInfra, callback) {