Issue 967: Dynamically generate DJANGO_SECRET_KEY for initial deployments #1151
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
#!/usr/bin/env bash | ||
### | ||
# Copies Login.gov JWT_KEY + JWT_CERT from one Cloud.gov application to another. | ||
# | ||
SOURCE_APP=${1} | ||
DEST_APP=${2} | ||
|
||
set -e | ||
|
||
SOURCE_APP_GUID=$(cf app "$SOURCE_APP" --guid) | ||
SOURCE_APP_ENV=$(cf curl "/v2/apps/$SOURCE_APP_GUID/env") | ||
ENVIRONMENT_JSON=$(printf '%s\n' "$SOURCE_APP_ENV" | jq -r '.environment_json') | ||
|
||
JWT_KEY=$(printf '%s\n' "$ENVIRONMENT_JSON" | jq -r '.JWT_KEY') | ||
JWT_CERT=$(printf '%s\n' "$ENVIRONMENT_JSON" | jq -r '.JWT_CERT') | ||
|
||
echo "JWT_KEY: $JWT_KEY" | ||
echo "JWT_CERT: $JWT_CERT" | ||
|
||
if [ -n "$DEST_APP" ];then | ||
echo "Copying JWT key and cert from $SOURCE_APP to $DEST_APP..." | ||
cf set-env "$DEST_APP" JWT_KEY "$JWT_KEY" | ||
cf set-env "$DEST_APP" JWT_CERT "$JWT_CERT" | ||
|
||
echo "Restaging $DEST_APP..." | ||
cf restage "$DEST_APP" | ||
fi |
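Review bot: The two `echo` lines print the Login.gov private key (`JWT_KEY`) to stdout on every run, including when a destination app is given, so the key ends up in terminal scrollback and in any captured log. Suggest dropping `echo "JWT_KEY: $JWT_KEY"` or printing only a confirmation that a value was found. Separately, `jq -r '.JWT_KEY'` outputs the literal string `null` when the variable is not set on the source app, and the script would then copy that string to `$DEST_APP` and restage it; using `jq -er` or checking the values before `cf set-env` would stop that. `set -e` could also move above the argument handling, with a usage message when `$SOURCE_APP` is empty.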
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -20,6 +20,9 @@ else | |
FRONTEND_BASE_URL="$DEFAULT_FRONTEND_ROUTE" | ||
fi | ||
|
||
# Dynamically generate a new DJANGO_SECRET_KEY | ||
DJANGO_SECRET_KEY=$(python -c "from secrets import token_urlsafe; print(token_urlsafe(50))") | ||
This is the key change, setting this here will overwrite what is stored in Circle CI for this variable (if anything). Uses the new (as of Python 3.6) secrets module in the standard library.
||
|
||
# Dynamically set DJANGO_CONFIGURATION based on Cloud.gov Space | ||
DJANGO_SETTINGS_MODULE="tdpservice.settings.cloudgov" | ||
if [ "$CG_SPACE" = "tanf-prod" ]; then | ||
|
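Review bot: The `DJANGO_SECRET_KEY=$(python -c ...)` assignment is unconditional in the lines shown, so if this part of the script also runs on redeploys the key is replaced each time, which invalidates existing sessions and any other values Django signed with the old key. The PR title scopes this to initial deployments, so a guard that generates the key only when the target app has none set would match that intent. The call also uses bare `python`; where that resolves to an interpreter older than 3.6 the import fails and the variable is left empty, so `python3` plus a non-empty check on the result would be safer.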
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -4,6 +4,7 @@ | |
import os | ||
from distutils.util import strtobool | ||
from os.path import join | ||
from secrets import token_urlsafe | ||
|
||
from configurations import Configuration | ||
|
||
|
@@ -105,7 +106,7 @@ class Common(Configuration): | |
|
||
ALLOWED_HOSTS = ["*"] | ||
ROOT_URLCONF = "tdpservice.urls" | ||
SECRET_KEY = os.environ["DJANGO_SECRET_KEY"] | ||
SECRET_KEY = os.getenv("DJANGO_SECRET_KEY", token_urlsafe(50)) | ||
By supplying a default here we prevent a possible
||
WSGI_APPLICATION = "tdpservice.wsgi.application" | ||
CORS_ORIGIN_ALLOW_ALL = True | ||
|
||
|
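Review bot: The new `os.getenv("DJANGO_SECRET_KEY", token_urlsafe(50))` default sits in `class Common`, so a deployed environment that is missing the variable now starts silently with a random key instead of failing. That key differs per process and per restart, so with more than one worker or instance, signatures created by one are rejected by another, and the misconfiguration is hard to notice. Suggest keeping the fail-fast `os.environ["DJANGO_SECRET_KEY"]` for the deployed settings and limiting the generated default to the local development configuration, with a comment explaining why it exists.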
This is simply a convenience script for developers, it is not called by any other methods. This is something I've had in my scratch files for awhile and have been using it to restore Login.gov credentials back to an application that has been deleted and re-created. Otherwise we would have to update the certificate in Login.gov and pass out the newly generated key to developers. Note that this does not replace the JWT rotation documentation, this is only suitable when it is desired to keep the current Login.gov keypair.