From 6d1b6ef2ac6ab5f8df648544a7200fa35e13343e Mon Sep 17 00:00:00 2001
From: Grant Slater
Date: Wed, 28 Jun 2023 16:19:17 +0100
Subject: [PATCH] wordpress: add 2FA key management
---
 cookbooks/blog/recipes/default.rb | 2 ++
 cookbooks/civicrm/recipes/default.rb | 2 ++
 cookbooks/stateofthemap/recipes/wordpress.rb | 7 +++++++
 cookbooks/wordpress/resources/site.rb | 2 ++
 test/data_bags/blog/wp2fa_encrypt_keys.json | 4 ++++
 test/data_bags/civicrm/wp2fa_encrypt_keys.json | 4 ++++
 test/data_bags/stateofthemap/passwords.json | 3 +--
 test/data_bags/stateofthemap/wp2fa_encrypt_keys.json | 9 +++++++++
 8 files changed, 31 insertions(+), 2 deletions(-)
 create mode 100644 test/data_bags/blog/wp2fa_encrypt_keys.json
 create mode 100644 test/data_bags/civicrm/wp2fa_encrypt_keys.json
 create mode 100644 test/data_bags/stateofthemap/wp2fa_encrypt_keys.json
diff --git a/cookbooks/blog/recipes/default.rb b/cookbooks/blog/recipes/default.rb
index 770c7c60b..8e4c21539 100644
--- a/cookbooks/blog/recipes/default.rb
+++ b/cookbooks/blog/recipes/default.rb
@@ -20,6 +20,7 @@ include_recipe "wordpress" passwords = data_bag_item("blog", "passwords")
+wp2fa_encrypt_keys = data_bag_item("blog", "wp2fa_encrypt_keys") directory "/srv/blog.openstreetmap.org" do owner "wordpress"
@@ -35,6 +36,7 @@ wordpress_site "blog.openstreetmap.org" do
 database_name "osm-blog"
 database_user "osm-blog-user"
 database_password passwords["osm-blog-user"]
+ wp2fa_encrypt_key wp2fa_encrypt_keys["key"]
 urls "/casts" => "/srv/blog.openstreetmap.org/casts",
 "/images" => "/srv/blog.openstreetmap.org/images",
 "/static" => "/srv/blog.openstreetmap.org/static"
diff --git a/cookbooks/civicrm/recipes/default.rb b/cookbooks/civicrm/recipes/default.rb
index 89ba93a42..6beb036a7 100644
--- a/cookbooks/civicrm/recipes/default.rb
+++ b/cookbooks/civicrm/recipes/default.rb
@@ -32,6 +32,7 @@ package %w[ cache_dir = Chef::Config[:file_cache_path] passwords = data_bag_item("civicrm", "passwords")
+wp2fa_encrypt_keys = data_bag_item("civicrm", "wp2fa_encrypt_keys") database_password = passwords["database"] site_key = passwords["site_key"]
@@ -51,6 +52,7 @@ wordpress_site "join.osmfoundation.org" do
 database_name "civicrm"
 database_user "civicrm"
 database_password database_password
+ wp2fa_encrypt_key wp2fa_encrypt_keys["key"]
 fpm_prometheus_port 11301 end
diff --git a/cookbooks/stateofthemap/recipes/wordpress.rb b/cookbooks/stateofthemap/recipes/wordpress.rb
index 75b0e34a9..87366e7d9 100644
--- a/cookbooks/stateofthemap/recipes/wordpress.rb
+++ b/cookbooks/stateofthemap/recipes/wordpress.rb
@@ -21,6 +21,7 @@ include_recipe "stateofthemap" include_recipe "wordpress" passwords = data_bag_item("stateofthemap", "passwords")
+wp2fa_encrypt_keys = data_bag_item("blog", "wp2fa_encrypt_keys") directory "/srv/2007.stateofthemap.org" do owner "wordpress"
@@ -35,6 +36,7 @@ wordpress_site "2007.stateofthemap.org" do
 database_user "sotm2007"
 database_password passwords["sotm2007"]
 database_prefix "wp_sotm_"
+ wp2fa_encrypt_key wp2fa_encrypt_keys["sotm2007"]
 fpm_prometheus_port 12007 end
@@ -63,6 +65,7 @@ wordpress_site "2008.stateofthemap.org" do
 database_user "sotm2008"
 database_password passwords["sotm2008"]
 database_prefix "wp_sotm08_"
+ wp2fa_encrypt_key wp2fa_encrypt_keys["sotm2008"]
 fpm_prometheus_port 12008 end
@@ -99,6 +102,7 @@ wordpress_site "2009.stateofthemap.org" do
 database_name "sotm2009"
 database_user "sotm2009"
 database_password passwords["sotm2009"]
+ wp2fa_encrypt_key wp2fa_encrypt_keys["sotm2009"]
 urls "/register" => "/srv/2009.stateofthemap.org/register",
 "/register-pro-user" => "/srv/2009.stateofthemap.org/register-pro-user",
 "/podcasts" => "/srv/2009.stateofthemap.org/podcasts"
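Review bot: The new `wp2fa_encrypt_keys = data_bag_item("blog", "wp2fa_encrypt_keys")` line in cookbooks/stateofthemap/recipes/wordpress.rb reads the blog cookbook's data bag rather than the stateofthemap one, so the per-site lookups `wp2fa_encrypt_keys["sotm2007"]` through `["sotm2012"]` in the following hunks would resolve against a bag that (per the blog fixture in this commit) only carries `key`, return nil, and most likely trip the `:required` validation on `wp2fa_encrypt_key` at compile time. The fixture test/data_bags/stateofthemap/wp2fa_encrypt_keys.json added here is keyed per site, which confirms the intended bag, and the `passwords` line directly above already uses the right name. It should read `wp2fa_encrypt_keys = data_bag_item("stateofthemap", "wp2fa_encrypt_keys")`.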
@@ -138,6 +142,7 @@ wordpress_site "2010.stateofthemap.org" do
 database_name "sotm2010"
 database_user "sotm2010"
 database_password passwords["sotm2010"]
+ wp2fa_encrypt_key wp2fa_encrypt_keys["sotm2010"]
 urls "/register" => "/srv/2010.stateofthemap.org/register"
 fpm_prometheus_port 12010
 end
@@ -183,6 +188,7 @@ wordpress_site "2011.stateofthemap.org" do
 database_name "sotm2011"
 database_user "sotm2011"
 database_password passwords["sotm2011"]
+ wp2fa_encrypt_key wp2fa_encrypt_keys["sotm2011"]
 urls "/register" => "/srv/2011.stateofthemap.org/register"
 fpm_prometheus_port 12011
 end
@@ -228,6 +234,7 @@ wordpress_site "2012.stateofthemap.org" do
 database_name "sotm2012"
 database_user "sotm2012"
 database_password passwords["sotm2012"]
+ wp2fa_encrypt_key wp2fa_encrypt_keys["sotm2012"]
 urls "/register" => "/srv/2012.stateofthemap.org/register"
 fpm_prometheus_port 12012
 end
diff --git a/cookbooks/wordpress/resources/site.rb b/cookbooks/wordpress/resources/site.rb
index 6fdaeb4f8..69767e67a 100644
--- a/cookbooks/wordpress/resources/site.rb
+++ b/cookbooks/wordpress/resources/site.rb
@@ -33,6 +33,7 @@ property :database_name, :kind_of => String, :required => true
 property :database_user, :kind_of => String, :required => [:create]
 property :database_password, :kind_of => String, :required => [:create]
 property :database_prefix, :kind_of => String, :default => "wp_"
+property :wp2fa_encrypt_key, :kind_of => String, :required => true
 property :urls, :kind_of => Hash, :default => {}
 property :fpm_max_children, :kind_of => Integer, :default => 10
 property :fpm_start_servers, :kind_of => Integer, :default => 4
@@ -108,6 +109,7 @@ action :create do
 line += "define( 'WP_FAIL2BAN_SITE_HEALTH_SKIP_FILTERS', true);\r\n"
 line += "define( 'WP_ENVIRONMENT_TYPE', 'production');\r\n"
 line += "define( 'WP_MEMORY_LIMIT', '128M');\r\n"
+ line += "define( 'WP2FA_ENCRYPT_KEY', '#{new_resource.wp2fa_encrypt_key}');\r\n"
 end line
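Review bot: The new `property :wp2fa_encrypt_key` is declared `:required => true`, while the `database_user` and `database_password` properties two lines above use `:required => [:create]`; if the resource defines actions other than create (outside this hunk), a `wordpress_site` invoked with one of them would have to supply a key that only the create action consumes. Matching the neighbours with `property :wp2fa_encrypt_key, :kind_of => String, :required => [:create]` scopes the requirement to where the value is used. Since every fixture in this commit is base64, adding `:regex => /\A[A-Za-z0-9+\/=]+\z/` here would also reject values that cannot be embedded verbatim in the wp-config.php literal written later in this file.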
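Review bot: The added `line += "define( 'WP2FA_ENCRYPT_KEY', '#{new_resource.wp2fa_encrypt_key}');\r\n"` interpolates the key straight into a single-quoted PHP literal, so a value containing `'` or `\` would yield a wp-config.php that fails to parse and takes the site down on the next converge. The value comes from an operator-managed data bag rather than an untrusted source, but it is cheap to escape those two characters, e.g. `'#{new_resource.wp2fa_encrypt_key.gsub(/(['\\])/, '\\\\\1')}'`, or alternatively to constrain the property to the base64 alphabet the fixtures use. The `action :create do` block enclosing this line begins and ends outside the hunk.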
diff --git a/test/data_bags/blog/wp2fa_encrypt_keys.json b/test/data_bags/blog/wp2fa_encrypt_keys.json
new file mode 100644
index 000000000..9eb1e2116
--- /dev/null
+++ b/test/data_bags/blog/wp2fa_encrypt_keys.json
@@ -0,0 +1,4 @@
+{
+ "id": "wp2fa_encrypt_keys",
+ "key": "vQk0IGrkn/nvKjyY8XNOrw=="
+}
diff --git a/test/data_bags/civicrm/wp2fa_encrypt_keys.json b/test/data_bags/civicrm/wp2fa_encrypt_keys.json
new file mode 100644
index 000000000..bfca5cd03
--- /dev/null
+++ b/test/data_bags/civicrm/wp2fa_encrypt_keys.json
@@ -0,0 +1,4 @@
+{
+ "id": "wp2fa_encrypt_keys",
+ "key": "iPWRI6ZJ6Q0CuLA8+FsVQw=="
+}
diff --git a/test/data_bags/stateofthemap/passwords.json b/test/data_bags/stateofthemap/passwords.json
index 3ffc3847c..88d27ac76 100644
--- a/test/data_bags/stateofthemap/passwords.json
+++ b/test/data_bags/stateofthemap/passwords.json
@@ -5,6 +5,5 @@
 "sotm2009": "sotm2009",
 "sotm2010": "sotm2010",
 "sotm2011": "sotm2011",
- "sotm2012": "sotm2012",
- "sotm2016": "sotm2016"
+ "sotm2012": "sotm2012"
 }
diff --git a/test/data_bags/stateofthemap/wp2fa_encrypt_keys.json b/test/data_bags/stateofthemap/wp2fa_encrypt_keys.json
new file mode 100644
index 000000000..e5370983a
--- /dev/null
+++ b/test/data_bags/stateofthemap/wp2fa_encrypt_keys.json
@@ -0,0 +1,9 @@
+{
+ "id": "wp2fa_encrypt_keys",
+ "sotm2007": "q1bhaOUla4GIHvTp/QR5bw==",
+ "sotm2008": "VUkZ0vbiXgTu8IwZyz71Lg==",
+ "sotm2009": "8nQDE9ng6QW8AKDpsm3NOA==",
+ "sotm2010": "Bu968voFkvMpSgogWBrf6g==",
+ "sotm2011": "vsrEyBqcI30SFv9gyYkyWQ==",
+ "sotm2012": "Qe3olwbbSFuraQAoUXieHA=="
+}
-- 
2.43.2