fix(chisel): convert seed to private key file EE-5099 (#9149)

2025-07-24 15:59:41 +02:00 · 2023-07-13 15:19:40 +12:00 · 2023-07-13 15:19:40 +12:00 · b93624fa1f
commit b93624fa1f
parent 91cfd2d0f2
14 changed files with 247 additions and 43 deletions
--- a/api/datastore/datastore_test.go
+++ b/api/datastore/datastore_test.go
@ -150,7 +150,7 @@ func (store *Store) CreateEndpoint(t *testing.T, name string, endpointType porta
 		expectedEndpoint = newEndpoint(endpointType, id, name, URL, tls)

 	case portainer.EdgeAgentOnKubernetesEnvironment:
-		cs := chisel.NewService(store, nil)
+		cs := chisel.NewService(store, nil, nil)
 		expectedEndpoint = newEndpoint(endpointType, id, name, URL, tls)
 		edgeKey := cs.GenerateEdgeKey(URL, "", int(id))
 		expectedEndpoint.EdgeKey = edgeKey
--- a/api/datastore/migrate_data.go
+++ b/api/datastore/migrate_data.go
@ -86,6 +86,7 @@ func (store *Store) newMigratorParameters(version *models.Version) *migrator.Mig
 		AuthorizationService:    authorization.NewService(store),
 		EdgeStackService:        store.EdgeStackService,
 		EdgeJobService:          store.EdgeJobService,
+		TunnelServerService:     store.TunnelServerService,
 	}
 }

--- a/api/datastore/migrator/migrate_dbversion100.go
+++ b/api/datastore/migrator/migrate_dbversion100.go
@ -3,6 +3,9 @@ package migrator
 import (
 	"os"

+	"github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/chisel/crypto"
+	"github.com/portainer/portainer/api/dataservices"
 	"github.com/rs/zerolog/log"
 )

@ -23,3 +26,50 @@ func (m *Migrator) migrateDockerDesktopExtentionSetting() error {

 	return m.settingsService.UpdateSettings(settings)
 }
+
+func (m *Migrator) convertSeedToPrivateKeyForDB100() error {
+	var serverInfo *portainer.TunnelServerInfo
+
+	serverInfo, err := m.TunnelServerService.Info()
+	if err != nil {
+		if dataservices.IsErrObjectNotFound(err) {
+			log.Info().Msg("ServerInfo object not found")
+			return nil
+		}
+		log.Error().
+			Err(err).
+			Msg("Failed to read ServerInfo from DB")
+		return err
+	}
+
+	if serverInfo.PrivateKeySeed != "" {
+		key, err := crypto.GenerateGo119CompatibleKey(serverInfo.PrivateKeySeed)
+		if err != nil {
+			log.Error().
+				Err(err).
+				Msg("Failed to read ServerInfo from DB")
+			return err
+		}
+
+		err = m.fileService.StoreChiselPrivateKey(key)
+		if err != nil {
+			log.Error().
+				Err(err).
+				Msg("Failed to save Chisel private key to disk")
+			return err
+		}
+	} else {
+		log.Info().Msg("PrivateKeySeed is blank")
+	}
+
+	serverInfo.PrivateKeySeed = ""
+	err = m.TunnelServerService.UpdateInfo(serverInfo)
+	if err != nil {
+		log.Error().
+			Err(err).
+			Msg("Failed to clean private key seed in DB")
+	} else {
+		log.Info().Msg("Success to migrate private key seed to private key file")
+	}
+	return err
+}
--- a/api/datastore/migrator/migrator.go
+++ b/api/datastore/migrator/migrator.go
@ -3,6 +3,7 @@ package migrator
 import (
 	"errors"

+	"github.com/Masterminds/semver"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/database/models"
 	"github.com/portainer/portainer/api/dataservices/dockerhub"
@ -22,11 +23,10 @@ import (
 	"github.com/portainer/portainer/api/dataservices/stack"
 	"github.com/portainer/portainer/api/dataservices/tag"
 	"github.com/portainer/portainer/api/dataservices/teammembership"
+	"github.com/portainer/portainer/api/dataservices/tunnelserver"
 	"github.com/portainer/portainer/api/dataservices/user"
 	"github.com/portainer/portainer/api/dataservices/version"
 	"github.com/portainer/portainer/api/internal/authorization"
-
-	"github.com/Masterminds/semver"
 	"github.com/rs/zerolog/log"
 )

@ -57,6 +57,7 @@ type (
 		dockerhubService        *dockerhub.Service
 		edgeStackService        *edgestack.Service
 		edgeJobService          *edgejob.Service
+		TunnelServerService     *tunnelserver.Service
 	}

 	// MigratorParameters represents the required parameters to create a new Migrator instance.
@ -83,6 +84,7 @@ type (
 		DockerhubService        *dockerhub.Service
 		EdgeStackService        *edgestack.Service
 		EdgeJobService          *edgejob.Service
+		TunnelServerService     *tunnelserver.Service
 	}
 )

@ -111,6 +113,7 @@ func NewMigrator(parameters *MigratorParameters) *Migrator {
 		dockerhubService:        parameters.DockerhubService,
 		edgeStackService:        parameters.EdgeStackService,
 		edgeJobService:          parameters.EdgeJobService,
+		TunnelServerService:     parameters.TunnelServerService,
 	}

 	migrator.initMigrations()
@ -209,8 +212,10 @@ func (m *Migrator) initMigrations() {
 	m.addMigrations("2.16.1", m.migrateDBVersionToDB71)
 	m.addMigrations("2.17", m.migrateDBVersionToDB80)
 	m.addMigrations("2.18", m.migrateDBVersionToDB90)
-
-	m.addMigrations("2.19", m.migrateDockerDesktopExtentionSetting)
+	m.addMigrations("2.19",
+		m.convertSeedToPrivateKeyForDB100,
+		m.migrateDockerDesktopExtentionSetting,
+	)

 	// Add new migrations below...
 	// One function per migration, each versions migration funcs in the same file.
--- a/api/datastore/test_data/output_24_to_latest.json
+++ b/api/datastore/test_data/output_24_to_latest.json
@ -879,7 +879,7 @@
    }
  ],
  "tunnel_server": {
-    "PrivateKeySeed": "IvX6ZPRuWtLS5zyg"
+    "PrivateKeySeed": ""
  },
  "users": [
    {
@ -944,6 +944,6 @@
    }
  ],
  "version": {
-    "VERSION": "{\"SchemaVersion\":\"2.19.0\",\"MigratorCount\":1,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
+    "VERSION": "{\"SchemaVersion\":\"2.19.0\",\"MigratorCount\":2,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
  }
 }