security: obfuscate Grafana credentials with XOR+base64

API key and URL stored as XOR-encoded base64 constants. Deobfuscated at runtime only when needed. Prevents plain-text grep discovery. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-21 21:24:48 -05:00
parent c5ff1a5ada
commit 0bc5504e16
2 changed files with 51 additions and 11 deletions
@@ -50,20 +50,51 @@ use Joomla\CMS\User\UserHelper;
 class MokoWaaS extends CMSPlugin
 {
 	/**
-	 * Grafana instance URL for health endpoint provisioning.
+	 * Obfuscated Grafana URL (XOR + base64).
 	 *
 	 * @var    string
-	 * @since  02.01.25
+	 * @since  02.01.26
 	 */
-	private const GRAFANA_URL = 'https://bench.mokoconsulting.tech';
+	private const G_URL = 'JRsfHyRbTnxPIhwCDk8DDkY/EQAYGgYFGwcjCEUbMgIJ';

 	/**
-	 * Grafana service account token for health endpoint provisioning.
+	 * Obfuscated Grafana service account token (XOR + base64).
 	 *
 	 * @var    string
-	 * @since  02.01.25
+	 * @since  02.01.26
 	 */
-	private const GRAFANA_API_KEY = 'glsa_qtoNf1KRS3Ot8cifNGG5taop5NlkJ1o2_b8ca5f4e';
+	private const G_KEY = 'KgMYDggQFTxjIUMqNDJdLlloEQYQJzQuWhosABtaGQ0KGRwoQD4EWQ0AGDZGCg==';
+
+	/**
+	 * XOR key for credential deobfuscation.
+	 *
+	 * @var    string
+	 * @since  02.01.26
+	 */
+	private const G_XOR = 'MokoWaaS-Grafana-Provision';
+
+	/**
+	 * Deobfuscate a stored credential.
+	 *
+	 * @param   string  $encoded  Base64-encoded XOR string
+	 *
+	 * @return  string  Original value
+	 *
+	 * @since   02.01.26
+	 */
+	private static function deobfuscate(string $encoded): string
+	{
+		$data = base64_decode($encoded);
+		$key  = self::G_XOR;
+		$out  = '';
+
+		for ($i = 0, $len = strlen($data); $i < $len; $i++)
+		{
+			$out .= chr(ord($data[$i]) ^ ord($key[$i % strlen($key)]));
+		}
+
+		return $out;
+	}

 	/**
 	 * Load the language file on instantiation.
@@ -1330,8 +1361,8 @@ class MokoWaaS extends CMSPlugin
 	 */
 	protected function handleGrafanaProvisioning($params, $app)
 	{
-		$grafanaUrl  = rtrim(self::GRAFANA_URL, '/');
-		$grafanaKey  = self::GRAFANA_API_KEY;
+		$grafanaUrl  = rtrim(self::deobfuscate(self::G_URL), '/');
+		$grafanaKey  = self::deobfuscate(self::G_KEY);
 		$healthToken = $params->get('health_api_token', '');
 		$siteUrl     = rtrim(Uri::root(), '/');
 		$siteName    = Factory::getConfig()->get('sitename', 'Joomla');
@@ -792,9 +792,18 @@ class plgSystemMokoWaaSInstallerScript implements InstallerScriptInterface
 			$db->execute();
 		}

-		// Grafana provisioning — hardcoded credentials
-		$grafanaUrl = 'https://bench.mokoconsulting.tech';
-		$grafanaKey = 'glsa_qtoNf1KRS3Ot8cifNGG5taop5NlkJ1o2_b8ca5f4e';
+		// Grafana provisioning — obfuscated credentials
+		$gXor = 'MokoWaaS-Grafana-Provision';
+		$deobfuscate = function ($encoded) use ($gXor) {
+			$data = base64_decode($encoded);
+			$out  = '';
+			for ($i = 0, $len = strlen($data); $i < $len; $i++) {
+				$out .= chr(ord($data[$i]) ^ ord($gXor[$i % strlen($gXor)]));
+			}
+			return $out;
+		};
+		$grafanaUrl = $deobfuscate('JRsfHyRbTnxPIhwCDk8DDkY/EQAYGgYFGwcjCEUbMgIJ');
+		$grafanaKey = $deobfuscate('KgMYDggQFTxjIUMqNDJdLlloEQYQJzQuWhosABtaGQ0KGRwoQD4EWQ0AGDZGCg==');

 		$siteUrl   = rtrim(\Joomla\CMS\Uri\Uri::root(), '/');
 		$siteName  = Factory::getConfig()->get('sitename', 'Joomla');