snipe-it/app/Console/Commands/RotateAppKey.php

<?php

namespace App\Console\Commands;

use App\Models\Asset;
use App\Models\CustomField;
use App\Models\Setting;
use Artisan;
use Illuminate\Console\Command;
use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Encryption\Encrypter;

class RotateAppKey extends Command
{
    /**
     * The name and signature of the console command.
     *
     * @var string
     */
    protected $signature = 'snipeit:rotate-key
                            {previous_key? : The previous key to rotate from} 
                            {--emergency : Emergency mode - rotate from .env APP_KEY to newly-generated one, modifying .env} 
                            {--force : Skip interactive confirmation}';

    /**
     * The console command description.
     *
     * @var string
     */
    protected $description = 'Rotates APP_KEY to a new value, optionally taking the previous key as an argument';

    /**
     * Create a new command instance.
     *
     * @return void
     */
    public function __construct()
    {
        parent::__construct();
    }

    /**
     * Execute the console command.
     *
     * @return mixed
     */
    public function handle()
    {
        //make sure they specify only exactly one of --emergency, or a filename. Not neither, and not both.
        if ( (!$this->option('emergency') && !$this->argument('previous_key')) || ( $this->option('emergency') && $this->argument('previous_key'))) {
            $this->error("Specify only one of --emergency, or an app key value, in order to rotate keys");
            return 1;
        }
        if ( $this->option('emergency') ) {
            $msg = "\n****************************************************\nTHIS WILL MODIFY YOUR APP_KEY AND DE-CRYPT YOUR ENCRYPTED CUSTOM FIELDS AND \nRE-ENCRYPT THEM WITH A NEWLY GENERATED KEY. \n\nThere is NO undo. \n\nMake SURE you have a database backup and a backup of your .env generated BEFORE running this command. \n\nIf you do not save the newly generated APP_KEY to your .env in this process, \nyour encrypted data will no longer be decryptable. \n\nAre you SURE you wish to continue, and have confirmed you have a database backup and an .env backup? ";
        } else {
            $msg = "\n****************************************************\nTHIS WILL DE-CRYPT YOUR ENCRYPTED CUSTOM FIELDS AND RE-ENCRYPT THEM WITH YOUR\nAPP_KEY.\n\nThere is NO undo. \n\nMake SURE you have a database backup BEFORE running this command. \n\nAre you SURE you wish to continue, and have confirmed you have a database backup? ";
        }
        if ($this->option('force') || $this->confirm($msg)) {

            // Get the existing app_key and ciphers
            // We put them in a variable since we clear the cache partway through here.
            if ($this->option('emergency')) {
                $old_app_key = config('app.key');
                $cipher = config('app.cipher');

                // Generate a new one
                Artisan::call('key:generate', ['--show' => true]);
                $new_app_key = trim(Artisan::output());

                // Clear the config cache
                Artisan::call('config:clear');

                // Write the new app key to the .env file
                $this->writeNewEnvironmentFileWith($new_app_key);
            } elseif ($this->argument('previous_key')) {
                $old_app_key = $this->argument('previous_key');
                $cipher = config('app.cipher'); // just a guess?
                $new_app_key = config('app.key');
            }

            $this->warn('Your app cipher is: ' . $cipher);
            $this->warn('Your old APP_KEY is: ' . $old_app_key);
            $this->warn('Your new APP_KEY is: ' . $new_app_key);

            // Manually create an old encrypter instance using the old app key
            // and also create a new encrypter instance so we can re-crypt the field
            // using the newly generated app key
            $oldEncrypter = new Encrypter(base64_decode(substr($old_app_key, 7)), $cipher);
            $newEncrypter = new Encrypter(base64_decode(substr($new_app_key, 7)), $cipher);

            $fields = CustomField::where('field_encrypted', '1')->get();

            foreach ($fields as $field) {
                $assets = Asset::whereNotNull($field->db_column)->get();

                foreach ($assets as $asset) {
                    try {
                        $asset->{$field->db_column} = $oldEncrypter->decrypt($asset->{$field->db_column});
                        $this->line('DECRYPTED: ' . $field->db_column);
                    } catch (DecryptException $e) {
                        $this->line('Could not decrypt '. $field->db_column.' using "old key" - skipping...');
                        continue;
                    } catch (\Exception $e) {
                        $this->error("Error decrypting ".$field->db_column.", reason: ".$e->getMessage().". Aborting key rotation");
                        throw $e;
                    }
                    $asset->{$field->db_column} = $newEncrypter->encrypt($asset->{$field->db_column});
                    $this->line('ENCRYPTED: '.$field->db_column);
                    $asset->save();
                }
            }

            // Handle the LDAP password if one is provided
            $setting = Setting::first();
            if ($setting->ldap_pword != '') {
                try {
                    $setting->ldap_pword = $oldEncrypter->decrypt($setting->ldap_pword);
                    $setting->ldap_pword = $newEncrypter->encrypt($setting->ldap_pword);
                    $setting->save();
                    $this->warn('LDAP password has been re-encrypted.');
                } catch(DecryptException $e) {
                    $this->warn("Unable to decrypt old LDAP password; skipping");
                }
            }
        } else {
            $this->info('This operation has been canceled. No changes have been made.');
        }
    }

    /**
     * Write a new environment file with the given key.
     *
     * @param  string  $key
     * @return void
     */
    protected function writeNewEnvironmentFileWith($key)
    {
        file_put_contents($this->laravel->environmentFilePath(), preg_replace(
            $this->keyReplacementPattern(),
            'APP_KEY="'.$key.'"',
            file_get_contents($this->laravel->environmentFilePath())
        ));
    }

    /**
     * Get a regex pattern that will match env APP_KEY with any random key.
     *
     * @return string
     */
    protected function keyReplacementPattern()
    {
        $escaped = '="?'.preg_quote($this->laravel['config']['app.key'], '/').'"?';

        return "/^APP_KEY{$escaped}/m";
    }
}
Added console rekey tool (#7330) * Removed console command specifications, since they’re pulled dynamically now * Added rekey console command * Removed unused code * Comment clarifiction * Handle LDAP password 2019-09-03 11:03:32 -07:00			`<?php`

			`namespace App\Console\Commands;`

			`use App\Models\Asset;`
Adopt Laravel coding style Shift automatically applies the Laravel coding style - which uses the PSR-2 coding style as a base with some minor additions. You may customize the adopted coding style by adding your own [PHP CS Fixer][1] `.php_cs` config file to your project root. Feel free to use [Shift's Laravel ruleset][2] to help you get started. [1]: https://github.com/FriendsOfPHP/PHP-CS-Fixer [2]: https://gist.github.com/laravel-shift/cab527923ed2a109dda047b97d53c200 2021-06-10 13:15:52 -07:00			`use App\Models\CustomField;`
Added console rekey tool (#7330) * Removed console command specifications, since they’re pulled dynamically now * Added rekey console command * Removed unused code * Comment clarifiction * Handle LDAP password 2019-09-03 11:03:32 -07:00			`use App\Models\Setting;`
Adopt Laravel coding style Shift automatically applies the Laravel coding style - which uses the PSR-2 coding style as a base with some minor additions. You may customize the adopted coding style by adding your own [PHP CS Fixer][1] `.php_cs` config file to your project root. Feel free to use [Shift's Laravel ruleset][2] to help you get started. [1]: https://github.com/FriendsOfPHP/PHP-CS-Fixer [2]: https://gist.github.com/laravel-shift/cab527923ed2a109dda047b97d53c200 2021-06-10 13:15:52 -07:00			`use Artisan;`
			`use Illuminate\Console\Command;`
Modified re-crypter to also work when given a CLI old-key 2023-11-28 05:49:58 -08:00			`use Illuminate\Contracts\Encryption\DecryptException;`
Adopt Laravel coding style Shift automatically applies the Laravel coding style - which uses the PSR-2 coding style as a base with some minor additions. You may customize the adopted coding style by adding your own [PHP CS Fixer][1] `.php_cs` config file to your project root. Feel free to use [Shift's Laravel ruleset][2] to help you get started. [1]: https://github.com/FriendsOfPHP/PHP-CS-Fixer [2]: https://gist.github.com/laravel-shift/cab527923ed2a109dda047b97d53c200 2021-06-10 13:15:52 -07:00			`use Illuminate\Encryption\Encrypter;`
Added console rekey tool (#7330) * Removed console command specifications, since they’re pulled dynamically now * Added rekey console command * Removed unused code * Comment clarifiction * Handle LDAP password 2019-09-03 11:03:32 -07:00
			`class RotateAppKey extends Command`
			`{`
			`/**`
			`* The name and signature of the console command.`
			`*`
			`* @var string`
			`*/`
Modified re-crypter to also work when given a CLI old-key 2023-11-28 05:49:58 -08:00			`protected $signature = 'snipeit:rotate-key`
			`{previous_key? : The previous key to rotate from}`
			`{--emergency : Emergency mode - rotate from .env APP_KEY to newly-generated one, modifying .env}`
			`{--force : Skip interactive confirmation}';`
Added console rekey tool (#7330) * Removed console command specifications, since they’re pulled dynamically now * Added rekey console command * Removed unused code * Comment clarifiction * Handle LDAP password 2019-09-03 11:03:32 -07:00
			`/**`
			`* The console command description.`
			`*`
			`* @var string`
			`*/`
Modified re-crypter to also work when given a CLI old-key 2023-11-28 05:49:58 -08:00			`protected $description = 'Rotates APP_KEY to a new value, optionally taking the previous key as an argument';`
Added console rekey tool (#7330) * Removed console command specifications, since they’re pulled dynamically now * Added rekey console command * Removed unused code * Comment clarifiction * Handle LDAP password 2019-09-03 11:03:32 -07:00
			`/**`
			`* Create a new command instance.`
			`*`
			`* @return void`
			`*/`
			`public function __construct()`
			`{`
			`parent::__construct();`
			`}`

			`/**`
			`* Execute the console command.`
			`*`
			`* @return mixed`
			`*/`
			`public function handle()`
			`{`
Modified re-crypter to also work when given a CLI old-key 2023-11-28 05:49:58 -08:00			`//make sure they specify only exactly one of --emergency, or a filename. Not neither, and not both.`
			`if ( (!$this->option('emergency') && !$this->argument('previous_key')) \|\| ( $this->option('emergency') && $this->argument('previous_key'))) {`
			`$this->error("Specify only one of --emergency, or an app key value, in order to rotate keys");`
			`return 1;`
			`}`
			`if ( $this->option('emergency') ) {`
			$msg = "\n****************************************************\nTHIS WILL MODIFY YOUR APP_KEY AND DE-CRYPT YOUR ENCRYPTED CUSTOM FIELDS AND \nRE-ENCRYPT THEM WITH A NEWLY GENERATED KEY. \n\nThere is NO undo. \n\nMake SURE you have a database backup and a backup of your .env generated BEFORE running this command. \n\nIf you do not save the newly generated APP_KEY to your .env in this process, \nyour encrypted data will no longer be decryptable. \n\nAre you SURE you wish to continue, and have confirmed you have a database backup and an .env backup? ";
			`} else {`
			`$msg = "\n****************************************************\nTHIS WILL DE-CRYPT YOUR ENCRYPTED CUSTOM FIELDS AND RE-ENCRYPT THEM WITH YOUR\nAPP_KEY.\n\nThere is NO undo. \n\nMake SURE you have a database backup BEFORE running this command. \n\nAre you SURE you wish to continue, and have confirmed you have a database backup? ";`
			`}`
			`if ($this->option('force') \|\| $this->confirm($msg)) {`
Added console rekey tool (#7330) * Removed console command specifications, since they’re pulled dynamically now * Added rekey console command * Removed unused code * Comment clarifiction * Handle LDAP password 2019-09-03 11:03:32 -07:00
			`// Get the existing app_key and ciphers`
			`// We put them in a variable since we clear the cache partway through here.`
Modified re-crypter to also work when given a CLI old-key 2023-11-28 05:49:58 -08:00			`if ($this->option('emergency')) {`
			`$old_app_key = config('app.key');`
			`$cipher = config('app.cipher');`

			`// Generate a new one`
			`Artisan::call('key:generate', ['--show' => true]);`
			`$new_app_key = trim(Artisan::output());`

			`// Clear the config cache`
			`Artisan::call('config:clear');`

			`// Write the new app key to the .env file`
			`$this->writeNewEnvironmentFileWith($new_app_key);`
			`} elseif ($this->argument('previous_key')) {`
			`$old_app_key = $this->argument('previous_key');`
			`$cipher = config('app.cipher'); // just a guess?`
			`$new_app_key = config('app.key');`
			`}`
Added console rekey tool (#7330) * Removed console command specifications, since they’re pulled dynamically now * Added rekey console command * Removed unused code * Comment clarifiction * Handle LDAP password 2019-09-03 11:03:32 -07:00
Modified re-crypter to also work when given a CLI old-key 2023-11-28 05:49:58 -08:00			`$this->warn('Your app cipher is: ' . $cipher);`
			`$this->warn('Your old APP_KEY is: ' . $old_app_key);`
			`$this->warn('Your new APP_KEY is: ' . $new_app_key);`
Added console rekey tool (#7330) * Removed console command specifications, since they’re pulled dynamically now * Added rekey console command * Removed unused code * Comment clarifiction * Handle LDAP password 2019-09-03 11:03:32 -07:00
			`// Manually create an old encrypter instance using the old app key`
			`// and also create a new encrypter instance so we can re-crypt the field`
			`// using the newly generated app key`
			`$oldEncrypter = new Encrypter(base64_decode(substr($old_app_key, 7)), $cipher);`
			`$newEncrypter = new Encrypter(base64_decode(substr($new_app_key, 7)), $cipher);`

			`$fields = CustomField::where('field_encrypted', '1')->get();`

			`foreach ($fields as $field) {`
			`$assets = Asset::whereNotNull($field->db_column)->get();`

			`foreach ($assets as $asset) {`
Modified re-crypter to also work when given a CLI old-key 2023-11-28 05:49:58 -08:00			`try {`
			`$asset->{$field->db_column} = $oldEncrypter->decrypt($asset->{$field->db_column});`
			`$this->line('DECRYPTED: ' . $field->db_column);`
			`} catch (DecryptException $e) {`
			`$this->line('Could not decrypt '. $field->db_column.' using "old key" - skipping...');`
			`continue;`
			`} catch (\Exception $e) {`
			`$this->error("Error decrypting ".$field->db_column.", reason: ".$e->getMessage().". Aborting key rotation");`
			`throw $e;`
			`}`
Added console rekey tool (#7330) * Removed console command specifications, since they’re pulled dynamically now * Added rekey console command * Removed unused code * Comment clarifiction * Handle LDAP password 2019-09-03 11:03:32 -07:00			`$asset->{$field->db_column} = $newEncrypter->encrypt($asset->{$field->db_column});`
			`$this->line('ENCRYPTED: '.$field->db_column);`
			`$asset->save();`
			`}`
			`}`

			`// Handle the LDAP password if one is provided`
			`$setting = Setting::first();`
Adopt Laravel coding style Shift automatically applies the Laravel coding style - which uses the PSR-2 coding style as a base with some minor additions. You may customize the adopted coding style by adding your own [PHP CS Fixer][1] `.php_cs` config file to your project root. Feel free to use [Shift's Laravel ruleset][2] to help you get started. [1]: https://github.com/FriendsOfPHP/PHP-CS-Fixer [2]: https://gist.github.com/laravel-shift/cab527923ed2a109dda047b97d53c200 2021-06-10 13:15:52 -07:00			`if ($setting->ldap_pword != '') {`
Modified re-crypter to also work when given a CLI old-key 2023-11-28 05:49:58 -08:00			`try {`
			`$setting->ldap_pword = $oldEncrypter->decrypt($setting->ldap_pword);`
			`$setting->ldap_pword = $newEncrypter->encrypt($setting->ldap_pword);`
			`$setting->save();`
			`$this->warn('LDAP password has been re-encrypted.');`
			`} catch(DecryptException $e) {`
			`$this->warn("Unable to decrypt old LDAP password; skipping");`
			`}`
Added console rekey tool (#7330) * Removed console command specifications, since they’re pulled dynamically now * Added rekey console command * Removed unused code * Comment clarifiction * Handle LDAP password 2019-09-03 11:03:32 -07:00			`}`
			`} else {`
			`$this->info('This operation has been canceled. No changes have been made.');`
			`}`
			`}`

			`/**`
			`* Write a new environment file with the given key.`
			`*`
			`* @param string $key`
			`* @return void`
			`*/`
			`protected function writeNewEnvironmentFileWith($key)`
			`{`
			`file_put_contents($this->laravel->environmentFilePath(), preg_replace(`
			`$this->keyReplacementPattern(),`
Modified re-crypter to also work when given a CLI old-key 2023-11-28 05:49:58 -08:00			`'APP_KEY="'.$key.'"',`
Added console rekey tool (#7330) * Removed console command specifications, since they’re pulled dynamically now * Added rekey console command * Removed unused code * Comment clarifiction * Handle LDAP password 2019-09-03 11:03:32 -07:00			`file_get_contents($this->laravel->environmentFilePath())`
			`));`
			`}`

			`/**`
			`* Get a regex pattern that will match env APP_KEY with any random key.`
			`*`
			`* @return string`
			`*/`
			`protected function keyReplacementPattern()`
			`{`
Modified re-crypter to also work when given a CLI old-key 2023-11-28 05:49:58 -08:00			`$escaped = '="?'.preg_quote($this->laravel['config']['app.key'], '/').'"?';`
Adopt Laravel coding style Shift automatically applies the Laravel coding style - which uses the PSR-2 coding style as a base with some minor additions. You may customize the adopted coding style by adding your own [PHP CS Fixer][1] `.php_cs` config file to your project root. Feel free to use [Shift's Laravel ruleset][2] to help you get started. [1]: https://github.com/FriendsOfPHP/PHP-CS-Fixer [2]: https://gist.github.com/laravel-shift/cab527923ed2a109dda047b97d53c200 2021-06-10 13:15:52 -07:00
Added console rekey tool (#7330) * Removed console command specifications, since they’re pulled dynamically now * Added rekey console command * Removed unused code * Comment clarifiction * Handle LDAP password 2019-09-03 11:03:32 -07:00			`return "/^APP_KEY{$escaped}/m";`
			`}`
			`}`