Add warnings when GLPI encryption key is invalid (#21614)

Author: SebSept

phpunit/functional/GLPIKeyTest.php

@@ -538,4 +538,105 @@ public function testIsConfigSecured()
         $this->assertFalse($is_myplugin_href_secured);
         $this->assertFalse($is_someplugin_conf_secured);
     }
+
+    public function testGetKeyFileReadErrorsWithMissingFile(): void
+    {
+        // arrange : create directory structure without key file
+        vfsStream::setup('glpi', null, ['config' => []]);
+        $glpikey = new \GLPIKey(vfsStream::url('glpi/config'));
+
+        // act
+        $errors = $glpikey->getKeyFileReadErrors();
+
+        // assert
+        $this->assertStringContainsString('The security key file does not exist.', implode(" ", $errors));
+    }
+
+    public function testGetKeyFileReadErrorsWithUnreadableFile(): void
+    {
+        // arrange : create unreadable key file
+        $structure = vfsStream::setup('glpi', null, ['config' => ['glpicrypt.key' => 'unreadable file']]);
+        $structure->getChild('config/glpicrypt.key')->chmod(0222);
+
+        $glpikey = new \GLPIKey(vfsStream::url('glpi/config'));
+
+        // act
+        $errors = $glpikey->getKeyFileReadErrors();
+
+        // assert
+        $this->assertStringContainsString('Unable to get security key file contents.', implode(" ", $errors));
+    }
+
+    public function testGetKeyFileReadErrorsWithInvalidKey(): void
+    {
+        // arrange : key file exists but has invalid contents/length
+        vfsStream::setup('glpi', null, ['config' => ['glpicrypt.key' => 'not a valid key']]);
+        $glpikey = new \GLPIKey(vfsStream::url('glpi/config'));
+
+        // act
+        $errors = $glpikey->getKeyFileReadErrors();
+
+        // assert
+        $this->assertStringContainsString('Invalid security key file contents.', implode(" ", $errors));
+    }
+
+    public function testGetKeyFileReadErrorsWithValidKey(): void
+    {
+        // arrange : key file exists and is valid => no errors
+        $valid_key = 'abcdefghijklmnopqrstuvwxyz123456';
+        vfsStream::setup('glpi', null, ['config' => ['glpicrypt.key' => $valid_key]]);
+
+        $glpikey = new \GLPIKey(vfsStream::url('glpi/config'));
+
+        // act
+        $errors = $glpikey->getKeyFileReadErrors();
+
+        // assert
+        $this->assertEmpty($errors);
+    }
+
+    public function testHasKeyFileReadErrorsWithMissingFile(): void
+    {
+        // arrange : create directory structure without key file
+        vfsStream::setup('glpi', null, ['config' => []]);
+        $glpikey = new \GLPIKey(vfsStream::url('glpi/config'));
+
+        // act + assert
+        $this->assertTrue($glpikey->hasReadErrors());
+    }
+
+    public function testHasKeyFileReadErrorsWithUnreadableFile(): void
+    {
+        // arrange : create unreadable key file
+        $structure = vfsStream::setup('glpi', null, ['config' => ['glpicrypt.key' => 'unreadable file']]);
+        $structure->getChild('config/glpicrypt.key')->chmod(0222);
+
+        $glpikey = new \GLPIKey(vfsStream::url('glpi/config'));
+
+        // act + assert
+        $this->assertTrue($glpikey->hasReadErrors());
+
+    }
+
+    public function testHasKeyFileReadErrorsWithInvalidKey(): void
+    {
+        // arrange : key file exists but has invalid contents/length
+        vfsStream::setup('glpi', null, ['config' => ['glpicrypt.key' => 'not a valid key']]);
+        $glpikey = new \GLPIKey(vfsStream::url('glpi/config'));
+
+        // act + assert
+        $this->assertTrue($glpikey->hasReadErrors());
+    }
+
+    public function testHasKeyFileReadErrorsWithValidKey(): void
+    {
+        // arrange : key file exists and is valid => no errors
+        $valid_key = 'abcdefghijklmnopqrstuvwxyz123456';
+        vfsStream::setup('glpi', null, ['config' => ['glpicrypt.key' => $valid_key]]);
+
+        $glpikey = new \GLPIKey(vfsStream::url('glpi/config'));
+
+        // act + assert
+        $this->assertFalse($glpikey->hasReadErrors());
+    }
 }

src/AuthLDAP.php

@@ -431,6 +431,15 @@ public function showForm($ID, array $options = [])
         if (!Config::canUpdate()) {
             return false;
         }
+
+        // warning and no form if can't read keyfile
+        $glpi_encryption_key = new GLPIKey();
+        if ($glpi_encryption_key->hasReadErrors()) {
+            $glpi_encryption_key->showReadErrors();
+
+            return false;
+        }
+
         if (empty($ID)) {
             $this->getEmpty();
             if (isset($options['preconfig'])) {
@@ -593,6 +602,13 @@ public function showForm($ID, array $options = [])
      */
     public function showFormAdvancedConfig()
     {
+        // warning and no form if can't read keyfile
+        $glpi_encryption_key = new GLPIKey();
+        if ($glpi_encryption_key->hasReadErrors()) {
+            $glpi_encryption_key->showReadErrors();
+
+            return;
+        }
 
         $ID = $this->getField('id');
         $hidden = '';

src/Central.php

@@ -512,6 +512,9 @@ private static function getMessages(): array
                 . sprintf(__('Run the "%1$s" command to migrate them.'), 'php bin/console migration:unsigned_keys');
             }
 
+            // encrypt/decrypt key problems
+            $messages['errors'] = (new GLPIKey())->getKeyFileReadErrors();
+
             $security_requirements = [
                 new PhpSupportedVersion(),
                 new SafeDocumentRoot(),

src/GLPIKey.php

@@ -118,6 +118,51 @@ public function keyExists()
         return file_exists($this->keyfile);
     }
 
+    /**
+     * Check if key is valid
+     *
+     * @return string[]
+     */
+    public function getKeyFileReadErrors(): array
+    {
+        $errors = [];
+        if (!file_exists($this->keyfile)) {
+            $errors[] = sprintf(__s('The security key file does not exist. You have to run the "%s" command to generate a key.'), 'php bin/console security:change_key');
+
+            return $errors; // early return, as, if file does not exist, no need to check further
+        }
+        if (false === ($key = @file_get_contents($this->keyfile))) {
+            $errors[] = sprintf(__s("Unable to get security key file contents. Fix file permissions of %s."), $this->keyfile);
+
+            return $errors; // early return, as, if file does not exist, no need to check further
+        }
+        if (strlen($key) !== SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES) {
+            $errors[] = sprintf(__s('Invalid security key file contents. You have to run the "%s" command to regenerate a key.'), 'php bin/console security:change_key');
+        }
+
+        return $errors;
+    }
+
+    public function hasReadErrors(): bool
+    {
+        return !empty($this->getKeyFileReadErrors());
+    }
+
+    public function showReadErrors(): void
+    {
+        $glpi_key_read_errors = $this->getKeyFileReadErrors();
+        if (!empty($glpi_key_read_errors)) {
+            \Glpi\Application\View\TemplateRenderer::getInstance()->display(
+                '/central/messages.html.twig',
+                [
+                    'messages' => [
+                        'errors' => $glpi_key_read_errors,
+                    ],
+                ]
+            );
+        }
+    }
+
     /**
      * Get GLPI security key used for decryptable passwords
      *

src/GLPINetwork.php

@@ -46,8 +46,7 @@ public function getTabNameForItem(CommonGLPI $item, $withtemplate = 0)
     public static function displayTabContentForItem(CommonGLPI $item, $tabnum = 1, $withtemplate = 0)
     {
         if ($item->getType() == 'Config') {
-            $glpiNetwork = new self();
-            $glpiNetwork->showForConfig();
+            self::showForConfig();
         }
         return true;
     }
@@ -58,9 +57,17 @@ public static function showForConfig()
             return;
         }
 
-        $registration_key = self::getRegistrationKey();
+        // warning and no form if can't read keyfile
+        $glpi_encryption_key = new GLPIKey();
+        if ($glpi_encryption_key->hasReadErrors()) {
+            $glpi_encryption_key->showReadErrors();
+
+            return;
+        }
 
         $canedit = Config::canUpdate();
+        $registration_key = self::getRegistrationKey();
+
         if ($canedit) {
             echo "<form name='form' action=\"" . Toolbox::getItemTypeFormURL(Config::class) . "\" method='post'>";
         }

src/MailCollector.php

@@ -271,6 +271,14 @@ public function showForm($ID, array $options = [])
         /** @var array $CFG_GLPI */
         global $CFG_GLPI;
 
+        // warning and no form if can't read keyfile
+        $glpi_encryption_key = new GLPIKey();
+        if ($glpi_encryption_key->hasReadErrors()) {
+            $glpi_encryption_key->showReadErrors();
+
+            return false;
+        }
+
         $this->initForm($ID, $options);
         $options['colspan'] = 1;
         $this->showFormHeader($options);

src/NotificationMailingSetting.php

@@ -124,6 +124,16 @@ public function showFormConfig($options = [])
         /** @var array $CFG_GLPI */
         global $CFG_GLPI;
 
+        // warning and no form if can't read keyfile
+        // always display no matter what $options['display']
+        // see comment at the end of this function
+        $glpi_encryption_key = new GLPIKey();
+        if ($glpi_encryption_key->hasReadErrors()) {
+            $glpi_encryption_key->showReadErrors();
+
+            return;
+        }
+
         if (!isset($options['display'])) {
             $options['display'] = true;
         }

src/SNMPCredential.php

@@ -113,6 +113,15 @@ public function defineTabs($options = [])
 
     public function showForm($ID, array $options = [])
     {
+        // warning and no form if can't read keyfile,
+        // only version 3 is impacted but it's better to always show the warning & forbid form display
+        $glpi_encryption_key = new GLPIKey();
+        if ($glpi_encryption_key->hasReadErrors()) {
+            $glpi_encryption_key->showReadErrors();
+
+            return false;
+        }
+
         $this->initForm($ID, $options);
         TemplateRenderer::getInstance()->display('components/form/snmpcredential.html.twig', [
             'item'   => $this,