wordpress: add 2FA key management

openstreetmap · Jun 28, 2023 · 6d1b6ef · 6d1b6ef
1 parent d37b2b5
commit 6d1b6ef
Show file tree

Hide file tree

Showing 8 changed files with 31 additions and 2 deletions.
diff --git a/cookbooks/blog/recipes/default.rb b/cookbooks/blog/recipes/default.rb
@@ -20,6 +20,7 @@
 include_recipe "wordpress"
 
 passwords = data_bag_item("blog", "passwords")
+wp2fa_encrypt_keys = data_bag_item("blog", "wp2fa_encrypt_keys")
 
 directory "/srv/blog.openstreetmap.org" do
   owner "wordpress"
@@ -35,6 +36,7 @@
   database_name "osm-blog"
   database_user "osm-blog-user"
   database_password passwords["osm-blog-user"]
+  wp2fa_encrypt_key wp2fa_encrypt_keys["key"]
   urls "/casts" => "/srv/blog.openstreetmap.org/casts",
        "/images" => "/srv/blog.openstreetmap.org/images",
        "/static" => "/srv/blog.openstreetmap.org/static"

diff --git a/cookbooks/civicrm/recipes/default.rb b/cookbooks/civicrm/recipes/default.rb
@@ -32,6 +32,7 @@
 cache_dir = Chef::Config[:file_cache_path]
 
 passwords = data_bag_item("civicrm", "passwords")
+wp2fa_encrypt_keys = data_bag_item("civicrm", "wp2fa_encrypt_keys")
 
 database_password = passwords["database"]
 site_key = passwords["site_key"]
@@ -51,6 +52,7 @@
   database_name "civicrm"
   database_user "civicrm"
   database_password database_password
+  wp2fa_encrypt_key wp2fa_encrypt_keys["key"]
   fpm_prometheus_port 11301
 end
 

diff --git a/cookbooks/stateofthemap/recipes/wordpress.rb b/cookbooks/stateofthemap/recipes/wordpress.rb
@@ -21,6 +21,7 @@
 include_recipe "wordpress"
 
 passwords = data_bag_item("stateofthemap", "passwords")
+wp2fa_encrypt_keys = data_bag_item("blog", "wp2fa_encrypt_keys")
 
 directory "/srv/2007.stateofthemap.org" do
   owner "wordpress"
@@ -35,6 +36,7 @@
   database_user "sotm2007"
   database_password passwords["sotm2007"]
   database_prefix "wp_sotm_"
+  wp2fa_encrypt_key wp2fa_encrypt_keys["sotm2007"]
   fpm_prometheus_port 12007
 end
 
@@ -63,6 +65,7 @@
   database_user "sotm2008"
   database_password passwords["sotm2008"]
   database_prefix "wp_sotm08_"
+  wp2fa_encrypt_key wp2fa_encrypt_keys["sotm2008"]
   fpm_prometheus_port 12008
 end
 
@@ -99,6 +102,7 @@
   database_name "sotm2009"
   database_user "sotm2009"
   database_password passwords["sotm2009"]
+  wp2fa_encrypt_key wp2fa_encrypt_keys["sotm2009"]
   urls "/register" => "/srv/2009.stateofthemap.org/register",
        "/register-pro-user" => "/srv/2009.stateofthemap.org/register-pro-user",
        "/podcasts" => "/srv/2009.stateofthemap.org/podcasts"
@@ -138,6 +142,7 @@
   database_name "sotm2010"
   database_user "sotm2010"
   database_password passwords["sotm2010"]
+  wp2fa_encrypt_key wp2fa_encrypt_keys["sotm2010"]
   urls "/register" => "/srv/2010.stateofthemap.org/register"
   fpm_prometheus_port 12010
 end
@@ -183,6 +188,7 @@
   database_name "sotm2011"
   database_user "sotm2011"
   database_password passwords["sotm2011"]
+  wp2fa_encrypt_key wp2fa_encrypt_keys["sotm2011"]
   urls "/register" => "/srv/2011.stateofthemap.org/register"
   fpm_prometheus_port 12011
 end
@@ -228,6 +234,7 @@
   database_name "sotm2012"
   database_user "sotm2012"
   database_password passwords["sotm2012"]
+  wp2fa_encrypt_key wp2fa_encrypt_keys["sotm2012"]
   urls "/register" => "/srv/2012.stateofthemap.org/register"
   fpm_prometheus_port 12012
 end

diff --git a/cookbooks/wordpress/resources/site.rb b/cookbooks/wordpress/resources/site.rb
@@ -33,6 +33,7 @@
 property :database_user, :kind_of => String, :required => [:create]
 property :database_password, :kind_of => String, :required => [:create]
 property :database_prefix, :kind_of => String, :default => "wp_"
+property :wp2fa_encrypt_key, :kind_of => String, :required => true
 property :urls, :kind_of => Hash, :default => {}
 property :fpm_max_children, :kind_of => Integer, :default => 10
 property :fpm_start_servers, :kind_of => Integer, :default => 4
@@ -108,6 +109,7 @@
       line += "define( 'WP_FAIL2BAN_SITE_HEALTH_SKIP_FILTERS', true);\r\n"
       line += "define( 'WP_ENVIRONMENT_TYPE', 'production');\r\n"
       line += "define( 'WP_MEMORY_LIMIT', '128M');\r\n"
+      line += "define( 'WP2FA_ENCRYPT_KEY', '#{new_resource.wp2fa_encrypt_key}');\r\n"
     end
 
     line

diff --git a/test/data_bags/blog/wp2fa_encrypt_keys.json b/test/data_bags/blog/wp2fa_encrypt_keys.json
@@ -0,0 +1,4 @@
+{
+  "id": "wp2fa_encrypt_keys",
+  "key": "vQk0IGrkn/nvKjyY8XNOrw=="
+}
diff --git a/test/data_bags/civicrm/wp2fa_encrypt_keys.json b/test/data_bags/civicrm/wp2fa_encrypt_keys.json
@@ -0,0 +1,4 @@
+{
+  "id": "wp2fa_encrypt_keys",
+  "key": "iPWRI6ZJ6Q0CuLA8+FsVQw=="
+}
diff --git a/test/data_bags/stateofthemap/passwords.json b/test/data_bags/stateofthemap/passwords.json
@@ -5,6 +5,5 @@
   "sotm2009": "sotm2009",
   "sotm2010": "sotm2010",
   "sotm2011": "sotm2011",
-  "sotm2012": "sotm2012",
-  "sotm2016": "sotm2016"
+  "sotm2012": "sotm2012"
 }
diff --git a/test/data_bags/stateofthemap/wp2fa_encrypt_keys.json b/test/data_bags/stateofthemap/wp2fa_encrypt_keys.json
@@ -0,0 +1,9 @@
+{
+  "id": "wp2fa_encrypt_keys",
+  "sotm2007": "q1bhaOUla4GIHvTp/QR5bw==",
+  "sotm2008": "VUkZ0vbiXgTu8IwZyz71Lg==",
+  "sotm2009": "8nQDE9ng6QW8AKDpsm3NOA==",
+  "sotm2010": "Bu968voFkvMpSgogWBrf6g==",
+  "sotm2011": "vsrEyBqcI30SFv9gyYkyWQ==",
+  "sotm2012": "Qe3olwbbSFuraQAoUXieHA=="
+}