@@ -132,12 +132,12 @@ func New(cfg *config.Config, d dfpath.Dfpath) (*Server, error) {
132132
133133 // Initialize encryption key
134134 if cfg .Encryption .Enable {
135- logger .Infof ("Encryption enabled" )
135+ logger .Infof ("encryption enabled" )
136136 if err := initializeEncryptionKey (cfg , db .DB ); err != nil {
137137 return nil , err
138138 }
139139 } else {
140- logger .Infof ("Encryption disabled" )
140+ logger .Infof ("encryption disabled" )
141141 }
142142
143143 // Initialize enforcer.
@@ -272,6 +272,8 @@ func registerGCTasks(gc pkggc.GC, db *gorm.DB) error {
272272func initializeEncryptionKey (cfg * config.Config , db * gorm.DB ) error {
273273 // db.Delete(&models.EncryptionKey{}, "1 = 1")
274274
275+ // TODO: manually use cache or gorm auto cache?
276+ // TODO: avoid printing key
275277 var existingKey models.EncryptionKey
276278 hasDBKey := false
277279 if err := db .First (& existingKey ).Error ; err == nil {
@@ -280,86 +282,91 @@ func initializeEncryptionKey(cfg *config.Config, db *gorm.DB) error {
280282 return fmt .Errorf ("failed to check encryption key: %v" , err )
281283 }
282284
283- if cfg . Encryption . Key != nil {
284- configKey := cfg .Encryption .Key
285- keyBytes := configKey [:]
285+ // 1. no key in config
286+ if cfg .Encryption .Key == nil {
287+ // 1.1 config has no key and db has key
286288 if hasDBKey {
287- // compare key in config with key in db
288- if bytes .Equal (existingKey .Key , keyBytes ) {
289- logger .Infof (
290- "encryption key in config file is the same as in database, key(hex): %s, key(base64): %s" ,
291- hex .EncodeToString (keyBytes ),
292- base64 .StdEncoding .EncodeToString (keyBytes ),
293- )
294- return nil
295- }
296- // key in config is different from key in db, overwrite db
297- oldKeyHex := hex .EncodeToString (existingKey .Key )
298- oldKeyBase64 := base64 .StdEncoding .EncodeToString (existingKey .Key )
299- newKeyHex := hex .EncodeToString (keyBytes )
300- newKeyBase64 := base64 .StdEncoding .EncodeToString (keyBytes )
301-
302- if err := db .Model (& existingKey ).Update ("key" , keyBytes ).Error ; err != nil {
303- return fmt .Errorf ("failed to update encryption key in database: %v" , err )
304- }
305-
306289 logger .Infof (
307- "encryption key in database is overwritten by config file, old key(hex): %s, old key(base64): %s, new key(hex): %s, new key(base64): %s" ,
308- oldKeyHex , oldKeyBase64 , newKeyHex , newKeyBase64 ,
290+ "encryption key loaded from database, key(hex): %s, key(base64): %s" ,
291+ hex .EncodeToString (existingKey .Key ),
292+ base64 .StdEncoding .EncodeToString (existingKey .Key ),
309293 )
310294 return nil
311- } else {
312- // config has key, but db has no key, write it into db
313- // check soft delete
314- var oldKey models.EncryptionKey
315- if err := db .Unscoped ().Where ("`key` = ?" , keyBytes ).First (& oldKey ).Error ; err == nil {
316- if oldKey .IsDel != soft_delete .DeletedAt (soft_delete .FlagActived ) {
317- // restore the key soft deleted
318- db .Unscoped ().Model (& oldKey ).Update ("is_del" , soft_delete .FlagActived )
319- logger .Infof ("Restore the key which was soft deleted before" )
320- } else {
321- logger .Fatalf ("key should be soft deleted in this situation" )
322- }
323- } else if errors .Is (err , gorm .ErrRecordNotFound ) {
324- // insert new key
325- if err := db .Create (& models.EncryptionKey {Key : keyBytes }).Error ; err != nil {
326- return fmt .Errorf ("failed to save encryption key to database: %v" , err )
327- }
328- } else {
329- // return fmt.Errorf("unknow failed when update encryption key in database: %v", err)
330- logger .Fatalf ("unknow failed when update encryption key in database: %v" , err )
331- // panic(err)
332- }
295+ }
296+
297+ // 1.2 config and db both have no key, generate one
298+ keyBytes := make ([]byte , 32 )
299+ if _ , err := rand .Read (keyBytes ); err != nil {
300+ return fmt .Errorf ("failed to generate random encryption key: %v" , err )
301+ }
302+ if err := db .Create (& models.EncryptionKey {Key : keyBytes }).Error ; err != nil {
303+ return fmt .Errorf ("failed to save random encryption key to database: %v" , err )
304+ }
305+ logger .Infof (
306+ "generated random encryption key and saved to database, key(hex): %s, key(base64): %s" ,
307+ hex .EncodeToString (keyBytes ),
308+ base64 .StdEncoding .EncodeToString (keyBytes ),
309+ )
310+ return nil
311+ }
333312
313+ configKey := cfg .Encryption .Key
314+ keyBytes := configKey [:]
315+ // 2. have key in config
316+ // 2.1 have key in db
317+ if hasDBKey {
318+ // compare key in config with key in db
319+ if bytes .Equal (existingKey .Key , keyBytes ) {
334320 logger .Infof (
335- "encryption key from config file is saved to database, key(hex): %s, key(base64): %s" ,
321+ "encryption key in config file is the same as in database, key(hex): %s, key(base64): %s" ,
336322 hex .EncodeToString (keyBytes ),
337323 base64 .StdEncoding .EncodeToString (keyBytes ),
338324 )
339325 return nil
340326 }
341- }
327+ // key in config is different from key in db, update config key into db
328+ oldKeyHex := hex .EncodeToString (existingKey .Key )
329+ oldKeyBase64 := base64 .StdEncoding .EncodeToString (existingKey .Key )
330+ newKeyHex := hex .EncodeToString (keyBytes )
331+ newKeyBase64 := base64 .StdEncoding .EncodeToString (keyBytes )
332+
333+ if err := db .Model (& existingKey ).Update ("key" , keyBytes ).Error ; err != nil {
334+ return fmt .Errorf ("failed to update encryption key in database: %v" , err )
335+ }
342336
343- // config has no key and db has key
344- if hasDBKey {
345337 logger .Infof (
346- "encryption key loaded from database, key(hex): %s, key(base64): %s" ,
347- hex .EncodeToString (existingKey .Key ),
348- base64 .StdEncoding .EncodeToString (existingKey .Key ),
338+ "encryption key in database is overwritten by config file, old key(hex): %s, old key(base64): %s, new key(hex): %s, new key(base64): %s" ,
339+ oldKeyHex , oldKeyBase64 , newKeyHex , newKeyBase64 ,
349340 )
350341 return nil
351342 }
352343
353- // config and db both have no key, generate one
354- keyBytes := make ([]byte , 32 )
355- if _ , err := rand .Read (keyBytes ); err != nil {
356- return fmt .Errorf ("failed to generate random encryption key: %v" , err )
357- }
358- if err := db .Create (& models.EncryptionKey {Key : keyBytes }).Error ; err != nil {
359- return fmt .Errorf ("failed to save random encryption key to database: %v" , err )
344+ // 2.2 db has no key(may soft-deleted), config has key, write config's key into db
345+ var oldKey models.EncryptionKey
346+ // check soft-deleted old same key
347+ err := db .Unscoped ().Where ("`key` = ?" , keyBytes ).First (& oldKey ).Error
348+ // old same key not found
349+ if err != nil {
350+ if ! errors .Is (err , gorm .ErrRecordNotFound ) {
351+ logger .Fatalf ("unknow failed when update encryption key in database: %v" , err )
352+ }
353+ // not find same old key, so we can insert a new key
354+ if err := db .Create (& models.EncryptionKey {Key : keyBytes }).Error ; err != nil {
355+ return fmt .Errorf ("failed to save encryption key to database: %v" , err )
356+ }
357+ } else {
358+ // find old same key
359+ // if it is not sofe-deleted, that is fatal
360+ if oldKey .IsDel == soft_delete .DeletedAt (soft_delete .FlagActived ) {
361+ logger .Fatalf ("key should be soft deleted in this situation" )
362+ }
363+ // restore old key
364+ db .Unscoped ().Model (& oldKey ).Update ("is_del" , soft_delete .FlagActived )
365+ logger .Infof ("restore the key which was soft deleted before" )
360366 }
367+
361368 logger .Infof (
362- "generated random encryption key and saved to database, key(hex): %s, key(base64): %s" ,
369+ "encryption key from config file is saved to database, key(hex): %s, key(base64): %s" ,
363370 hex .EncodeToString (keyBytes ),
364371 base64 .StdEncoding .EncodeToString (keyBytes ),
365372 )
0 commit comments