encrypting password, key is stored on backend in .key file

2026-04-28 15:16:00 +00:00 · 2021-01-20 18:29:15 +01:00
parent 6a8a47cf03
commit 777c9a99a2
14 changed files with 155 additions and 34 deletions
--- a/packages/api/src/controllers/connections.js
+++ b/packages/api/src/controllers/connections.js
@@ -5,6 +5,7 @@ const nedb = require('nedb-promises');

 const { datadir } = require('../utility/directories');
 const socket = require('../utility/socket');
+const { encryptConnection } = require('../utility/crypting');

 function getPortalCollections() {
  if (process.env.CONNECTIONS) {
@@ -59,10 +60,11 @@ module.exports = {
  async save(connection) {
    if (portalConnections) return;
    let res;
+    const encrypted = encryptConnection(connection);
    if (connection._id) {
-      res = await this.datastore.update(_.pick(connection, '_id'), connection);
+      res = await this.datastore.update(_.pick(connection, '_id'), encrypted);
    } else {
-      res = await this.datastore.insert(connection);
+      res = await this.datastore.insert(encrypted);
    }
    socket.emitChanged('connection-list-changed');
    return res;
--- a/packages/api/src/controllers/plugins.js
+++ b/packages/api/src/controllers/plugins.js
@@ -28,7 +28,7 @@ const hasPermission = require('../utility/hasPermission');
 // }

 const preinstallPluginMinimalVersions = {
-  'dbgate-plugin-mssql': '1.0.8',
+  'dbgate-plugin-mssql': '1.0.9',
  'dbgate-plugin-mysql': '1.0.2',
  'dbgate-plugin-postgres': '1.0.2',
  'dbgate-plugin-csv': '1.0.8',
--- a/packages/api/src/proc/connectProcess.js
+++ b/packages/api/src/proc/connectProcess.js
@@ -1,12 +1,13 @@
 const childProcessChecker = require('../utility/childProcessChecker');
 const requireEngineDriver = require('../utility/requireEngineDriver');
+const { decryptConnection } = require('../utility/crypting');

 function start() {
  childProcessChecker();
  process.on('message', async (connection) => {
    try {
      const driver = requireEngineDriver(connection);
-      const conn = await driver.connect(connection);
+      const conn = await driver.connect(decryptConnection(connection));
      const res = await driver.getVersion(conn);
      process.send({ msgtype: 'connected', ...res });
    } catch (e) {
--- a/packages/api/src/proc/databaseConnectionProcess.js
+++ b/packages/api/src/proc/databaseConnectionProcess.js
@@ -1,6 +1,7 @@
 const stableStringify = require('json-stable-stringify');
 const childProcessChecker = require('../utility/childProcessChecker');
 const requireEngineDriver = require('../utility/requireEngineDriver');
+const { decryptConnection } = require('../utility/crypting');

 let systemConnection;
 let storedConnection;
@@ -59,7 +60,7 @@ async function handleConnect({ connection, structure }) {

  if (!structure) setStatusName('pending');
  const driver = requireEngineDriver(storedConnection);
-  systemConnection = await checkedAsyncCall(driver.connect(storedConnection));
+  systemConnection = await checkedAsyncCall(driver.connect(decryptConnection(storedConnection)));
  if (structure) {
    analysedStructure = structure;
    handleIncrementalRefresh();
--- a/packages/api/src/proc/serverConnectionProcess.js
+++ b/packages/api/src/proc/serverConnectionProcess.js
@@ -1,6 +1,7 @@
 const stableStringify = require('json-stable-stringify');
 const childProcessChecker = require('../utility/childProcessChecker');
 const requireEngineDriver = require('../utility/requireEngineDriver');
+const { decryptConnection } = require('../utility/crypting');

 let systemConnection;
 let storedConnection;
@@ -47,7 +48,7 @@ async function handleConnect(connection) {

  const driver = requireEngineDriver(storedConnection);
  try {
-    systemConnection = await driver.connect(storedConnection);
+    systemConnection = await driver.connect(decryptConnection(storedConnection));
    handleRefresh();
    setInterval(handleRefresh, 30 * 1000);
  } catch (err) {
@@ -66,7 +67,7 @@ function handlePing() {

 async function handleCreateDatabase({ name }) {
  const driver = requireEngineDriver(storedConnection);
-  systemConnection = await driver.connect(storedConnection);
+  systemConnection = await driver.connect(decryptConnection(storedConnection));
  console.log(`RUNNING SCRIPT: CREATE DATABASE ${driver.dialect.quoteIdentifier(name)}`);
  await driver.query(systemConnection, `CREATE DATABASE ${driver.dialect.quoteIdentifier(name)}`);
  await handleRefresh();
--- a/packages/api/src/proc/sessionProcess.js
+++ b/packages/api/src/proc/sessionProcess.js
@@ -7,6 +7,7 @@ const goSplit = require('../utility/goSplit');

 const { jsldir } = require('../utility/directories');
 const requireEngineDriver = require('../utility/requireEngineDriver');
+const { decryptConnection } = require('../utility/crypting');

 let systemConnection;
 let storedConnection;
@@ -73,7 +74,7 @@ class StreamHandler {

    // use this for cancelling - not implemented
    // this.stream = null;
-    
+
    this.plannedStats = false;
    this.resultIndexHolder = resultIndexHolder;
    this.resolve = resolve;
@@ -130,7 +131,7 @@ async function handleConnect(connection) {
  storedConnection = connection;

  const driver = requireEngineDriver(storedConnection);
-  systemConnection = await driver.connect(storedConnection);
+  systemConnection = await driver.connect(decryptConnection(storedConnection));
  for (const [resolve] of afterConnectCallbacks) {
    resolve();
  }
--- a/packages/api/src/shell/executeQuery.js
+++ b/packages/api/src/shell/executeQuery.js
@@ -1,11 +1,12 @@
 const goSplit = require('../utility/goSplit');
 const requireEngineDriver = require('../utility/requireEngineDriver');
+const { decryptConnection } = require('../utility/crypting');

 async function executeQuery({ connection, sql }) {
  console.log(`Execute query ${sql}`);

  const driver = requireEngineDriver(connection);
-  const pool = await driver.connect(connection);
+  const pool = await driver.connect(decryptConnection(connection));
  console.log(`Connected.`);

  for (const sqlItem of goSplit(sql)) {
--- a/packages/api/src/shell/queryReader.js
+++ b/packages/api/src/shell/queryReader.js
@@ -1,10 +1,11 @@
-const requireEngineDriver = require("../utility/requireEngineDriver");
+const requireEngineDriver = require('../utility/requireEngineDriver');
+const { decryptConnection } = require('../utility/crypting');

 async function queryReader({ connection, sql }) {
  console.log(`Reading query ${sql}`);

  const driver = requireEngineDriver(connection);
-  const pool = await driver.connect(connection);
+  const pool = await driver.connect(decryptConnection(connection));
  console.log(`Connected.`);
  return await driver.readQuery(pool, sql);
 }
--- a/packages/api/src/shell/tableReader.js
+++ b/packages/api/src/shell/tableReader.js
@@ -1,9 +1,10 @@
 const { quoteFullName, fullNameToString } = require('dbgate-tools');
 const requireEngineDriver = require('../utility/requireEngineDriver');
+const { decryptConnection } = require('../utility/crypting');

 async function tableReader({ connection, pureName, schemaName }) {
  const driver = requireEngineDriver(connection);
-  const pool = await driver.connect(connection);
+  const pool = await driver.connect(decryptConnection(connection));
  console.log(`Connected.`);

  const fullName = { pureName, schemaName };
--- a/packages/api/src/shell/tableWriter.js
+++ b/packages/api/src/shell/tableWriter.js
@@ -1,11 +1,12 @@
 const { fullNameToString } = require('dbgate-tools');
 const requireEngineDriver = require('../utility/requireEngineDriver');
+const { decryptConnection } = require('../utility/crypting');

 async function tableWriter({ connection, schemaName, pureName, ...options }) {
  console.log(`Writing table ${fullNameToString({ schemaName, pureName })}`);

  const driver = requireEngineDriver(connection);
-  const pool = await driver.connect(connection);
+  const pool = await driver.connect(decryptConnection(connection));
  console.log(`Connected.`);
  return await driver.writeTable(pool, { schemaName, pureName }, options);
 }
--- a/packages/api/src/utility/crypting.js
+++ b/packages/api/src/utility/crypting.js
@@ -0,0 +1,69 @@
+const crypto = require('crypto');
+const simpleEncryptor = require('simple-encryptor');
+const fs = require('fs');
+const path = require('path');
+
+const { datadir } = require('./directories');
+
+const defaultEncryptionKey = 'mQAUaXhavRGJDxDTXSCg7Ej0xMmGCrx6OKA07DIMBiDcYYkvkaXjTAzPUEHEHEf9';
+
+let _encryptionKey = null;
+
+function loadEncryptionKey() {
+  if (_encryptionKey) {
+    return _encryptionKey;
+  }
+  const encryptor = simpleEncryptor.createEncryptor(defaultEncryptionKey);
+
+  const keyFile = path.join(datadir(), '.key');
+
+  if (!fs.existsSync(keyFile)) {
+    const generatedKey = crypto.randomBytes(32);
+    const newKey = generatedKey.toString('hex');
+    const result = {
+      encryptionKey: newKey,
+    };
+    fs.writeFileSync(keyFile, encryptor.encrypt(result), 'utf-8');
+  }
+
+  const encryptedData = fs.readFileSync(keyFile, 'utf-8');
+  const data = encryptor.decrypt(encryptedData);
+  _encryptionKey = data['encryptionKey'];
+  return _encryptionKey;
+}
+
+let _encryptor = null;
+
+function getEncryptor() {
+  if (_encryptor) {
+    return _encryptor;
+  }
+  _encryptor = simpleEncryptor.createEncryptor(loadEncryptionKey());
+  return _encryptor;
+}
+
+function encryptConnection(connection) {
+  if (connection && connection.password && !connection.password.startsWith('crypt:')) {
+    return {
+      ...connection,
+      password: 'crypt:' + getEncryptor().encrypt(connection.password),
+    };
+  }
+  return connection;
+}
+
+function decryptConnection(connection) {
+  if (connection && connection.password && connection.password.startsWith('crypt:')) {
+    return {
+      ...connection,
+      password: getEncryptor().decrypt(connection.password.substring('crypt:'.length)),
+    };
+  }
+  return connection;
+}
+
+module.exports = {
+  loadEncryptionKey,
+  encryptConnection,
+  decryptConnection,
+};