feat(*): Encrypt enrollment key and fix composer conflict (#7)

* fix(cache): Add crowdsec/magento-symfony-cache possible dependency to avoid composer conflicts * test(end to end): Update tests for m2.3.7 * feat(enrollment): Encrypt enrollment key in database
crowdsecurity · Jan 5, 2024 · d2f6ee5 · d2f6ee5
1 parent 4dcff60
commit d2f6ee5
Show file tree

Hide file tree

Showing 9 changed files with 115 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,10 +6,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ---
 
-## [1.0.1](https://github.com/crowdsecurity/magento-cs-extension/releases/tag/v1.0.1) - 2024-01-04
+## [1.1.0](https://github.com/crowdsecurity/magento-cs-extension/releases/tag/v1.1.0) - 2024-01-??
 [_Compare with previous release_](https://github.com/crowdsecurity/magento-cs-extension/compare/v1.0.0...v1.0.1)
 
 
+### Changed
+
+- Encrypt enrollment key in database
+
 ### Fixed
 
 - Allow `crowdsec/symfony-cache:3.0.0` dependency to avoid composer conflict with some Magento 2.4.6 patch versions

diff --git a/Constants.php b/Constants.php
@@ -49,5 +49,5 @@ class Constants extends CapiConstants
     /** @var string The user agent suffix used to send request to CAPI */
     public const USER_AGENT_SUFFIX = 'magento2';
     /** @var string The last version of this module */
-    public const VERSION = 'v1.0.0';
+    public const VERSION = 'v1.1.0';
 }
diff --git a/Helper/Config.php b/Helper/Config.php
@@ -53,6 +53,7 @@ class Config extends AbstractHelper
     public const XML_PATH_DECISIONS_CACHE_TECHNOLOGY = self::SECTION . '/decisions/cache/technology';
     public const XML_PATH_DECISIONS_FALLBACK_REMEDIATION = self::SECTION . '/decisions/fallback_remediation';
     public const XML_PATH_ENV = self::SECTION . '/general/environment';
+    public const XML_PATH_ENROLLMENT_KEY = self::SECTION . '/general/enrollment_key';
     public const XML_PATH_EVENT_LIFETIME = self::SECTION . '/crons/events/lifetime';
     public const XML_PATH_FORCED_TEST_IP = self::SECTION . '/advanced/forced_test_ip';
     public const XML_PATH_LOG_LEVEL = self::SECTION . '/advanced/log_level';

diff --git a/Setup/Patch/Data/EncryptEnrollmentKey.php b/Setup/Patch/Data/EncryptEnrollmentKey.php
@@ -0,0 +1,82 @@
+<?php
+
+declare(strict_types=1);
+
+namespace CrowdSec\Engine\Setup\Patch\Data;
+
+use Magento\Framework\Setup\Patch\DataPatchInterface;
+use Magento\Framework\Encryption\EncryptorInterface;
+use Magento\Framework\Setup\ModuleDataSetupInterface;
+use CrowdSec\Engine\Helper\Config;
+
+class EncryptEnrollmentKey implements DataPatchInterface
+{
+    /**
+     * @var EncryptorInterface
+     */
+    private $encryptor;
+
+    /**
+     * @var ModuleDataSetupInterface
+     */
+    private $moduleDataSetup;
+
+    /**
+     * Constructor method.
+     *
+     * @param EncryptorInterface $encryptor
+     * @param ModuleDataSetupInterface $moduleDataSetup
+     */
+    public function __construct(
+        EncryptorInterface $encryptor,
+        ModuleDataSetupInterface $moduleDataSetup
+    ) {
+        $this->encryptor = $encryptor;
+        $this->moduleDataSetup = $moduleDataSetup;
+    }
+
+    /**
+     * Apply patch.
+     *
+     * @return void
+     */
+    public function apply()
+    {
+        $bouncerKeyPath = Config::XML_PATH_ENROLLMENT_KEY;
+        $configTable = $this->moduleDataSetup->getTable('core_config_data');
+        $select = $this->moduleDataSetup->getConnection()->select()
+            ->from($configTable)
+            ->where('path = ?', $bouncerKeyPath);
+        $config = $this->moduleDataSetup->getConnection()->fetchAll($select);
+        if (!empty($config)) {
+            $value = $config[0]['value'] ?? '';
+            if ($value) {
+                $this->moduleDataSetup->getConnection()->update(
+                    $configTable,
+                    ['value' => $this->encryptor->encrypt($value)],
+                    ['path = ?' => $bouncerKeyPath]
+                );
+            }
+        }
+    }
+
+    /**
+     * Retrieve dependencies.
+     *
+     * @return array|string[]
+     */
+    public static function getDependencies()
+    {
+        return [];
+    }
+
+    /**
+     * Retrieve aliases
+     *
+     * @return array|string[]
+     */
+    public function getAliases()
+    {
+        return [];
+    }
+}
diff --git a/Test/EndToEnd/__tests__/detect-pages-scan.test.ts b/Test/EndToEnd/__tests__/detect-pages-scan.test.ts
@@ -2,8 +2,10 @@
 import { test, expect } from "../fixtures";
 import { deleteFileContent, getFileContent } from "../helpers/log";
 import { LOG_PATH, blockRegex } from "../helpers/constants";
+import {wait} from "../helpers/time";
 
 test.describe("Detect pages scan", () => {
+    test.slow();
   test.beforeEach(async () => {
     // Clean log file
     await deleteFileContent(LOG_PATH);

diff --git a/Test/EndToEnd/__tests__/detect-user-enum.test.ts b/Test/EndToEnd/__tests__/detect-user-enum.test.ts
@@ -71,6 +71,7 @@ test.describe("Detect user enum", () => {
     );
 
     await adminLoginPage.navigateTo();
+    await adminLoginPage.navigateTo();// Double navigation to avoid "Invalid form key. Please refresh the page." error
     await adminLoginPage.login("another_bad_name", "password", false);
     // With 11 detection, alert should have been triggered
     await expect(page.locator("body")).toHaveText(blockRegex);

diff --git a/doc/DEVELOPER.md b/doc/DEVELOPER.md
@@ -168,8 +168,28 @@ cp .ddev/okaeli-add-on/magento2/custom_scripts/cronLaunch.php ${{ github.workspa
 cp .ddev/okaeli-add-on/magento2/custom_scripts/crowdsec/engine/runActions.php ${{ github.workspace }}/pub/runActions.php
 ddev restart
 ddev playwright-install
-ddev playwright test
 ```
+
+Modify data in `Test/EndToEnd/.env` file then:
+
+```
+ddev playwright test config
+ddev playwright test config --headed
+ddev playwright test user-enum --headed 
+```
+
+To see the browser in headed mode, you can find the playwright url with `ddev describe`. 
+
+To see the report: 
+
+```
+ddev playwright show-report --host 0.0.0.0
+```
+
+**N.B**: For some test, you'll need to empty the `captcha_log` table in the database.
+
+and browse to `https://your-project-name.ddev.site:9323/`
+
 
 ### Cron
 

diff --git a/etc/adminhtml/system.xml b/etc/adminhtml/system.xml
@@ -44,6 +44,7 @@
                 <field id="enrollment_key" translate="label,comment,tooltip" type="password" sortOrder="400" showInDefault="1">
                     <label><![CDATA[Enrollment key]]></label>
                     <comment><![CDATA[See your <a href="https://app.crowdsec.net/" target="_blank">CrowdSec console</a> to obtain the key for Production environment.]]></comment>
+                    <backend_model>Magento\Config\Model\Config\Backend\Encrypted</backend_model>
                 </field>
                 <field id="engine_name" translate="label,comment,tooltip" type="text" sortOrder="500" showInDefault="1" >
                     <label><![CDATA[Security engine name]]></label>

diff --git a/etc/config.xml b/etc/config.xml
@@ -32,6 +32,7 @@
             <general>
                 <environment>dev</environment>
                 <engine_name><![CDATA[Magento 2 Engine]]></engine_name>
+                <enrollment_key backend_model="Magento\Config\Model\Config\Backend\Encrypted"/>
             </general>
             <signals>
                 <ban_duration>14400</ban_duration>