From 2110129b4e039073edd9358cb673389b5ee5c0fa Mon Sep 17 00:00:00 2001
From: John Willis
Date: Tue, 27 Jul 2021 12:30:01 -0400
Subject: [PATCH 1/3] Dynamically generate DJANGO_SECRET_KEY for initial deployments
---
 scripts/copy-login-gov-keypair.sh | 27 ++++++++++++++++++++++
 scripts/set-backend-env-vars.sh | 3 +++
 tdrs-backend/tdpservice/settings/common.py | 3 ++-
 3 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100755 scripts/copy-login-gov-keypair.sh
diff --git a/scripts/copy-login-gov-keypair.sh b/scripts/copy-login-gov-keypair.sh
new file mode 100755
index 000000000..d0fae7436
--- /dev/null
+++ b/scripts/copy-login-gov-keypair.sh
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+###
+# Copies Login.gov JWT_KEY + JWT_CERT from one Cloud.gov application to another.
+#
+SOURCE_APP=${1}
+DEST_APP=${2}
+
+set -e
+
+SOURCE_APP_GUID=$(cf app "$SOURCE_APP" --guid)
+SOURCE_APP_ENV=$(cf curl "/v2/apps/$SOURCE_APP_GUID/env")
+ENVIRONMENT_JSON=$(printf '%s\n' "$SOURCE_APP_ENV" | jq -r '.environment_json')
+
+JWT_KEY=$(echo "$ENVIRONMENT_JSON" | jq -r '.JWT_KEY')
+JWT_CERT=$(echo "$ENVIRONMENT_JSON" | jq -r '.JWT_CERT')
+
+echo "JWT_KEY: $JWT_KEY"
+echo "JWT_CERT: $JWT_CERT"
+
+if [ -n "$DEST_APP" ];then
+ echo "Copying JWT key and cert from $SOURCE_APP to $DEST_APP..."
+ cf set-env "$DEST_APP" JWT_KEY "$JWT_KEY"
+ cf set-env "$DEST_APP" JWT_CERT "$JWT_CERT"
+
+ echo "Restaging $DEST_APP..."
+ cf restage "$DEST_APP"
+fi
diff --git a/scripts/set-backend-env-vars.sh b/scripts/set-backend-env-vars.sh
index 95c6dfa60..72ba41fbd 100755
--- a/scripts/set-backend-env-vars.sh
+++ b/scripts/set-backend-env-vars.sh
@@ -19,6 +19,9 @@ else
 FRONTEND_BASE_URL="$DEFAULT_FRONTEND_ROUTE"
 fi
+# Dynamically generate a new DJANGO_SECRET_KEY
+DJANGO_SECRET_KEY=$(python -c "from secrets import token_urlsafe; print(token_urlsafe(50))")
+
 echo "Setting environment variables for $CGAPPNAME_BACKEND"
 cf set-env "$CGAPPNAME_BACKEND" ACR_VALUES "$ACR_VALUES"
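Review bot: `echo "JWT_KEY: $JWT_KEY"` in the new script writes the Login.gov private signing key in clear text to stdout, so it lands in the terminal scrollback and, if this is ever run from a pipeline, in the job log; the cert line is less sensitive, but the key value should never be printed. Replace the pair with a confirmation that does not echo the secret, e.g. `echo "Fetched JWT_KEY (${#JWT_KEY} chars) and JWT_CERT from $SOURCE_APP"`. Separately, `set -e` is only enabled after the positional assignments and neither `SOURCE_APP` nor `DEST_APP` is validated, so running the script with no arguments proceeds into `cf app "" --guid`; a guard such as `: "${SOURCE_APP:?usage: $0 SOURCE_APP [DEST_APP]}"` at the top would fail early with a usage message instead.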
diff --git a/tdrs-backend/tdpservice/settings/common.py b/tdrs-backend/tdpservice/settings/common.py
index 89515779c..de15e2911 100755
--- a/tdrs-backend/tdpservice/settings/common.py
+++ b/tdrs-backend/tdpservice/settings/common.py
@@ -5,6 +5,7 @@
 import os
 from distutils.util import strtobool
 from os.path import join
+from secrets import token_urlsafe
 from configurations import Configuration
@@ -106,7 +107,7 @@ class Common(Configuration):
 ALLOWED_HOSTS = ["*"]
 ROOT_URLCONF = "tdpservice.urls"
- SECRET_KEY = os.environ["DJANGO_SECRET_KEY"]
+ SECRET_KEY = os.getenv("DJANGO_SECRET_KEY", token_urlsafe(50))
 WSGI_APPLICATION = "tdpservice.wsgi.application"
 CORS_ORIGIN_ALLOW_ALL = True
From dc9a6a0d5bff34059495f7e3a89a8e198e178d1b Mon Sep 17 00:00:00 2001
From: John Willis
Date: Tue, 27 Jul 2021 12:33:17 -0400
Subject: [PATCH 2/3] Remove unneeded DJANGO_SECRET_KEY declaration in docker-compose.yml
---
 tdrs-backend/docker-compose.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/tdrs-backend/docker-compose.yml b/tdrs-backend/docker-compose.yml
index 2ac94ffaa..602100c79 100644
--- a/tdrs-backend/docker-compose.yml
+++ b/tdrs-backend/docker-compose.yml
@@ -42,7 +42,6 @@ services:
 web:
 restart: always
 environment:
- - DJANGO_SECRET_KEY=local
 - DB_USER=tdpuser
 - DB_PASSWORD=something_secure
 - DB_NAME=tdrs_test
From 2d41b2c708c7ff692e407d239aa32c8bad0ad631 Mon Sep 17 00:00:00 2001
From: John Willis
Date: Mon, 2 Aug 2021 15:57:45 -0400
Subject: [PATCH 3/3] Prevent parse error on nested JSON
---
 scripts/copy-login-gov-keypair.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/scripts/copy-login-gov-keypair.sh b/scripts/copy-login-gov-keypair.sh
index d0fae7436..5ba4147cb 100755
--- a/scripts/copy-login-gov-keypair.sh
+++ b/scripts/copy-login-gov-keypair.sh
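Review bot: `SECRET_KEY = os.getenv("DJANGO_SECRET_KEY", token_urlsafe(50))` turns a missing secret into a silent, per-process random key: the default is evaluated at import time, so whenever the variable is absent every process that imports settings (each restart, and each worker of a multi-process server unless the app is preloaded before forking) signs with a different key, and sessions, CSRF tokens and password-reset links issued by one are rejected by the next. It also removes the fail-fast that `os.environ["DJANGO_SECRET_KEY"]` gave a production deploy that forgot to set the variable. Since this is the `Common` base configuration (the class continues outside the hunk), keep `SECRET_KEY = os.environ["DJANGO_SECRET_KEY"]` here and put the random fallback only in the local/development configuration class, which is not visible in this diff, e.g. there `SECRET_KEY = os.getenv("DJANGO_SECRET_KEY", token_urlsafe(50))`. Note the docker-compose hunk below removes `DJANGO_SECRET_KEY=local`, so the local container would then rely on that fallback rather than on a fixed value.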
@@ -11,8 +11,8 @@ SOURCE_APP_GUID=$(cf app "$SOURCE_APP" --guid)
 SOURCE_APP_ENV=$(cf curl "/v2/apps/$SOURCE_APP_GUID/env")
 ENVIRONMENT_JSON=$(printf '%s\n' "$SOURCE_APP_ENV" | jq -r '.environment_json')
-JWT_KEY=$(echo "$ENVIRONMENT_JSON" | jq -r '.JWT_KEY')
-JWT_CERT=$(echo "$ENVIRONMENT_JSON" | jq -r '.JWT_CERT')
+JWT_KEY=$(printf '%s\n' "$ENVIRONMENT_JSON" | jq -r '.JWT_KEY')
+JWT_CERT=$(printf '%s\n' "$ENVIRONMENT_JSON" | jq -r '.JWT_CERT')
 echo "JWT_KEY: $JWT_KEY"
 echo "JWT_CERT: $JWT_CERT"
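Review bot: `jq -r '.JWT_KEY'` and `jq -r '.JWT_CERT'` print the literal string `null` when the source app has no such variable, and nothing in the script distinguishes that from a real value, so a misnamed or unconfigured source app would have `cf set-env` later store the string `null` as the destination's key and cert. Add a guard after the two assignments, `[[ -n "$JWT_KEY" && "$JWT_KEY" != "null" ]] || { echo "JWT_KEY missing on $SOURCE_APP" >&2; exit 1; }`, with the same for `JWT_CERT`; alternatively `jq -er` makes jq exit non-zero on a null result, but that only stops the script if `set -o pipefail` is added next to the existing `set -e`, since jq is the last stage of a pipeline inside a command substitution. The two `echo` context lines that follow still print the private key value to stdout and are worth dropping while this file is being touched.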