Add --forgot-key to key:rotate command (#14495)

Destroys all encrypted data
2024-09-21 10:28:13 +00:00 · 2022-10-22 04:45:58 -05:00 · 2022-10-22 04:45:58 -05:00 · 4b97abe225
commit 4b97abe225
parent 0155f2fc3f
2 changed files with 31 additions and 2 deletions
--- a/app/Console/Commands/KeyRotate.php
+++ b/app/Console/Commands/KeyRotate.php
@ -39,6 +39,7 @@ class KeyRotate extends LnmsCommand
        parent::__construct();
        $this->addArgument('old_key', InputArgument::OPTIONAL);
        $this->addOption('generate-new-key');
+        $this->addOption('forgot-key');
    }

    /**
@ -56,8 +57,13 @@ class KeyRotate extends LnmsCommand
                'exclude_unless:old_key,null',
                'boolean',
            ],
+            'forgot-key' => [
+                'exclude_unless:old_key,null',
+                'boolean',
+            ],
            'old_key' => [
                'exclude_if:generate-new-key,true',
+                'exclude_if:forgot-key,true',
                'required',
                'starts_with:base64:',
                Rule::notIn([$new]),
@ -72,6 +78,21 @@ class KeyRotate extends LnmsCommand
            return 0;
        }

+        if ($this->option('forgot-key')) {
+            $this->line(trans('commands.key:rotate.current_key', ['key' => $new]));
+            $this->error(trans('commands.key:rotate.backup_key'));
+            $this->newLine();
+
+            $this->error(trans('commands.key:rotate.destroy'));
+            if ($this->confirm(trans('commands.key:rotate.destroy_confirm'))) {
+                \App\Models\Config::where('config_name', 'validation.encryption.test')->delete();
+
+                return 0;
+            }
+
+            return 1;
+        }
+
        $old = $this->argument('old_key');
        if ($this->option('generate-new-key')) {
            $old = $new; // use key in env as existing key
--- a/resources/lang/en/commands.php
+++ b/resources/lang/en/commands.php
@ -129,14 +129,22 @@ return [
        'arguments' => [
            'old_key' => 'The old APP_KEY which is valid for encrypted data',
        ],
+        'options' => [
+            'generate-new-key' => 'If you do not have the new key set in .env, use the APP_KEY from .env to decrypt data and generate a new key and set it in .env',
+            'forgot-key' => 'If you do not have the old key, you must delete all encrypted data to be able to continue to use certain LibreNMS features',
+        ],
+        'destroy' => 'Destroy all encrypted configuration data?',
+        'destroy_confirm' => 'Only destroy all encrypted data if you cannot find the old APP_KEY!',
        'cleared-cache' => 'Config was cached, cleared cache to make sure APP_KEY is correct. Please re-run lnms key:rotate',
        'backup_keys' => 'Document BOTH keys! In case something goes wrong set the new key in .env and use the old key as an argument to this command',
+        'backup_key' => 'Document this key! This key is required to access encrypted data',
        'backups' => 'This command could cause irreversible loss of data and will invalidate all browser sessions. Make sure you have backups.',
        'confirm' => 'I have backups and want to continue',
        'decrypt-failed' => 'Failed to decrypt :item, skipping',
        'failed' => 'Failed to decrypt item(s).  Set new key as APP_KEY and run this again with the old key as an argument.',
-        'new_key' => 'New key: :key',
-        'old_key' => 'Old key: :key',
+        'current_key' => 'Current APP_KEY: :key',
+        'new_key' => 'New APP_KEY: :key',
+        'old_key' => 'Old APP_KEY: :key',
        'save_key' => 'Save new key to .env?',
        'success' => 'Successfully rotated keys!',
        'validation-errors' => [