feat(crypto): fail loudly on unpersistable secret key; flag undecryptable secrets
Follow-up to the incident where an unwritable /data made Steward silently mint a fresh ephemeral secret key on every boot, orphaning all encrypted secrets — only discovered when an Ansible run failed. Make both failure modes loud and visible. - config._resolve_secret_key: if a new key must be generated but can't be persisted (no STEWARD_SECRET_KEY, unwritable /data), raise RuntimeError and refuse to start, with an actionable fix (set STEWARD_SECRET_KEY, or make /data writable by uid 1000). Also raises a clear error if an existing key file can't be read. First-run on a writable volume still generates + persists normally. - core.settings: detect secrets stored as ciphertext that won't decrypt with the current key (scan_undecryptable_secrets at startup; _is_undecryptable helper). Cached in memory; set_setting discards a key on a fresh write so the banner clears without a restart. - app.py: run the scan after migrate_plaintext_secrets, log a warning, and inject undecryptable_secrets into the template context. - base.html: admin banner naming which secrets to re-enter, each linked to its settings tab. - compose.deploy.yml: document the uid-1000 /data write requirement and the STEWARD_SECRET_KEY option for multi-node Swarm. - Tests: secret-key resolver (reuse existing file, generate when writable, raise when unpersistable) and the undecryptable-secret detection helper. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_016Jg27rgypiW2efULXJDtMC
This commit is contained in:
+27
-8
@@ -75,13 +75,27 @@ def load_bootstrap(config_path: Path | str | None = None) -> dict[str, Any]:
|
||||
|
||||
|
||||
def _resolve_secret_key(raw: dict) -> str:
|
||||
"""Resolve secret_key: env var → file → auto-generate."""
|
||||
"""Resolve secret_key: env var → file → auto-generate.
|
||||
|
||||
Refuses to start if a new key must be generated but cannot be persisted: an
|
||||
ephemeral key changes on every restart, which silently renders every
|
||||
encrypted secret (managed SSH key, SMTP/OIDC/LDAP credentials) unrecoverable.
|
||||
Failing loudly with a fix beats limping along and losing data on the next
|
||||
boot — exactly the footgun that bit the vdnt-docker02 deployment.
|
||||
"""
|
||||
from_env = _env("SECRET_KEY") or raw.get("secret_key")
|
||||
if from_env:
|
||||
return from_env
|
||||
|
||||
if _SECRET_KEY_FILE.exists():
|
||||
key = _SECRET_KEY_FILE.read_text().strip()
|
||||
try:
|
||||
key = _SECRET_KEY_FILE.read_text().strip()
|
||||
except OSError as exc:
|
||||
raise RuntimeError(
|
||||
f"App secret key file {_SECRET_KEY_FILE} exists but cannot be read "
|
||||
f"({exc}). Make it readable by the container user (uid 1000), or set "
|
||||
f"STEWARD_SECRET_KEY."
|
||||
) from exc
|
||||
if key:
|
||||
return key
|
||||
|
||||
@@ -89,11 +103,16 @@ def _resolve_secret_key(raw: dict) -> str:
|
||||
try:
|
||||
_SECRET_KEY_FILE.parent.mkdir(parents=True, exist_ok=True)
|
||||
_SECRET_KEY_FILE.write_text(key)
|
||||
logger.info("Generated new secret key and saved to %s", _SECRET_KEY_FILE)
|
||||
except OSError as exc:
|
||||
logger.warning(
|
||||
"Could not write secret key to %s (%s). "
|
||||
"Key will not persist across restarts.",
|
||||
_SECRET_KEY_FILE, exc,
|
||||
)
|
||||
raise RuntimeError(
|
||||
f"Generated a new app secret key but could not persist it to "
|
||||
f"{_SECRET_KEY_FILE} ({exc}). An ephemeral key changes on every restart, "
|
||||
f"which makes all encrypted secrets (managed SSH key, SMTP/OIDC/LDAP "
|
||||
f"credentials) unrecoverable. Fix one of:\n"
|
||||
f" • set STEWARD_SECRET_KEY to a stable value "
|
||||
f"(recommended for Swarm / multi-node), or\n"
|
||||
f" • make {_SECRET_KEY_FILE.parent} writable by the container user "
|
||||
f"(uid 1000)."
|
||||
) from exc
|
||||
logger.info("Generated new secret key and saved to %s", _SECRET_KEY_FILE)
|
||||
return key
|
||||
|
||||
Reference in New Issue
Block a user