mirror of
https://github.com/lingble/chatwoot.git
synced 2025-10-29 18:22:53 +00:00
38f16ba677
## Changelog
- Added conditional Active Record encryption to every external
credential we store (SMTP/IMAP passwords, Twilio tokens,
Slack/OpenAI hook tokens, Facebook/Instagram tokens, LINE/Telegram keys,
Twitter secrets) so new writes are encrypted
whenever Chatwoot.encryption_configured? is true; legacy installs still
receive plaintext until their secrets are
updated.
- Tuned encryption settings in config/application.rb to allow legacy
reads (support_unencrypted_data) and to extend
deterministic queries so lookups continue to match plaintext rows during
the rollout; added TODOs to retire the
fallback once encryption becomes mandatory.
- Introduced an MFA-pipeline test suite
(spec/models/external_credentials_encryption_spec.rb) plus shared
examples to
verify each attribute encrypts at rest and that plaintext records
re-encrypt on update, with a dedicated Telegram case.
The existing MFA GitHub workflow now runs these tests using the
preconfigured encryption keys.
fixes:
https://linear.app/chatwoot/issue/CW-5453/encrypt-sensitive-credentials-stored-in-plain-text-in-database
## Testing Instructions
1. Instance without encryption keys
- Unset ACTIVE_RECORD_ENCRYPTION_* vars (or run in an environment where
they’re absent).
- Create at least one credentialed channel (e.g., Email SMTP).
- Confirm workflows still function (send/receive mail or a similar
sanity check).
- In the DB you should still see plaintext values—this confirms the
guard prevents encryption when keys are missing.
2. Instance with encryption keys
- Configure the three encryption env vars and restart.
- Pick a couple of representative integrations (e.g., Email SMTP +
Twilio SMS).
- Legacy channel check:
- Use existing records created before enabling keys. Trigger their
workflow (send an email / SMS, or hit the
webhook) to ensure they still authenticate.
- Inspect the raw column—value remains plaintext until changed.
- Update legacy channel:
- Edit one legacy channel’s credential (e.g., change SMTP password).
- Verify the operation still works and the stored value is now encrypted
(raw column differs, accessor returns
original).
- New channel creation:
- Create a new channel of the same type; confirm functionality and that
the stored credential is encrypted from
the start.
---------
Co-authored-by: Muhsin Keloth <muhsinkeramam@gmail.com>
114 lines
4.9 KiB
Ruby
114 lines
4.9 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
require_relative 'boot'
|
|
|
|
require 'rails/all'
|
|
|
|
# Require the gems listed in Gemfile, including any gems
|
|
# you've limited to :test, :development, or :production.
|
|
Bundler.require(*Rails.groups)
|
|
|
|
## Load the specific APM agent
|
|
# We rely on DOTENV to load the environment variables
|
|
# We need these environment variables to load the specific APM agent
|
|
Dotenv::Rails.load
|
|
require 'datadog' if ENV.fetch('DD_TRACE_AGENT_URL', false).present?
|
|
require 'elastic-apm' if ENV.fetch('ELASTIC_APM_SECRET_TOKEN', false).present?
|
|
require 'scout_apm' if ENV.fetch('SCOUT_KEY', false).present?
|
|
|
|
if ENV.fetch('NEW_RELIC_LICENSE_KEY', false).present?
|
|
require 'newrelic-sidekiq-metrics'
|
|
require 'newrelic_rpm'
|
|
end
|
|
|
|
if ENV.fetch('SENTRY_DSN', false).present?
|
|
require 'sentry-ruby'
|
|
require 'sentry-rails'
|
|
require 'sentry-sidekiq'
|
|
end
|
|
|
|
# heroku autoscaling
|
|
if ENV.fetch('JUDOSCALE_URL', false).present?
|
|
require 'judoscale-rails'
|
|
require 'judoscale-sidekiq'
|
|
end
|
|
|
|
module Chatwoot
|
|
class Application < Rails::Application
|
|
# Initialize configuration defaults for originally generated Rails version.
|
|
config.load_defaults 7.0
|
|
|
|
config.eager_load_paths << Rails.root.join('lib')
|
|
config.eager_load_paths << Rails.root.join('enterprise/lib')
|
|
config.eager_load_paths << Rails.root.join('enterprise/listeners')
|
|
# rubocop:disable Rails/FilePath
|
|
config.eager_load_paths += Dir["#{Rails.root}/enterprise/app/**"]
|
|
# rubocop:enable Rails/FilePath
|
|
# Add enterprise views to the view paths
|
|
config.paths['app/views'].unshift('enterprise/app/views')
|
|
|
|
# Load enterprise initializers alongside standard initializers
|
|
enterprise_initializers = Rails.root.join('enterprise/config/initializers')
|
|
Dir[enterprise_initializers.join('**/*.rb')].each { |f| require f } if enterprise_initializers.exist?
|
|
|
|
# Settings in config/environments/* take precedence over those specified here.
|
|
# Application configuration can go into files in config/initializers
|
|
# -- all .rb files in that directory are automatically loaded after loading
|
|
# the framework and any gems in your application.
|
|
config.generators.javascripts = false
|
|
config.generators.stylesheets = false
|
|
|
|
# Custom chatwoot configurations
|
|
config.x = config_for(:app).with_indifferent_access
|
|
|
|
# https://stackoverflow.com/questions/72970170/upgrading-to-rails-6-1-6-1-causes-psychdisallowedclass-tried-to-load-unspecif
|
|
# https://discuss.rubyonrails.org/t/cve-2022-32224-possible-rce-escalation-bug-with-serialized-columns-in-active-record/81017
|
|
# FIX ME : fixes breakage of installation config. we need to migrate.
|
|
config.active_record.yaml_column_permitted_classes = [ActiveSupport::HashWithIndifferentAccess]
|
|
|
|
# Disable PDF/video preview generation as we don't use them
|
|
config.active_storage.previewers = []
|
|
|
|
# Active Record Encryption configuration
|
|
# Required for MFA/2FA features - skip if not using encryption
|
|
if ENV['ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY'].present?
|
|
config.active_record.encryption.primary_key = ENV['ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY']
|
|
config.active_record.encryption.deterministic_key = ENV.fetch('ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY', nil)
|
|
config.active_record.encryption.key_derivation_salt = ENV.fetch('ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT', nil)
|
|
# TODO: Remove once encryption is mandatory and legacy plaintext is migrated.
|
|
config.active_record.encryption.support_unencrypted_data = true
|
|
# Extend deterministic queries so they match both encrypted and plaintext rows
|
|
config.active_record.encryption.extend_queries = true
|
|
# Store a per-row key reference to support future key rotation
|
|
config.active_record.encryption.store_key_references = true
|
|
end
|
|
end
|
|
|
|
def self.config
|
|
@config ||= Rails.configuration.x
|
|
end
|
|
|
|
def self.redis_ssl_verify_mode
|
|
# Introduced this method to fix the issue in heroku where redis connections fail for redis 6
|
|
# ref: https://github.com/chatwoot/chatwoot/issues/2420
|
|
#
|
|
# unless the redis verify mode is explicitly specified as none, we will fall back to the default 'verify peer'
|
|
# ref: https://www.rubydoc.info/stdlib/openssl/OpenSSL/SSL/SSLContext#DEFAULT_PARAMS-constant
|
|
ENV['REDIS_OPENSSL_VERIFY_MODE'] == 'none' ? OpenSSL::SSL::VERIFY_NONE : OpenSSL::SSL::VERIFY_PEER
|
|
end
|
|
|
|
def self.encryption_configured?
|
|
# TODO: Once Active Record encryption keys are mandatory (target 3-4 releases out),
|
|
# remove this guard and assume encryption is always enabled.
|
|
# Check if proper encryption keys are configured
|
|
# MFA/2FA features should only be enabled when proper keys are set
|
|
ENV['ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY'].present? &&
|
|
ENV['ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY'].present? &&
|
|
ENV['ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT'].present?
|
|
end
|
|
|
|
def self.mfa_enabled?
|
|
encryption_configured?
|
|
end
|
|
end
|