From d4f2a2870691f401fd664d3c985b2ba915cfab55 Mon Sep 17 00:00:00 2001 From: thenav56 Date: Sat, 4 May 2024 13:59:15 +0545 Subject: [PATCH] Add JWT_PUBLIC_KEY_BASE64_ENCODED --- .env-sample | 5 +++-- azure-pipelines.yml | 4 ++-- deploy/bin/deploy | 2 +- deploy/docker-compose.yml | 2 +- .../ifrcgo-helm/templates/config/secret.yaml | 2 +- deploy/helm/ifrcgo-helm/values.yaml | 2 +- deploy/terraform/main.tf | 2 +- deploy/terraform/resources/helm-ifrcgo.tf | 4 ++-- deploy/terraform/resources/variables.tf | 2 +- deploy/terraform/variables.tf | 2 +- main/settings.py | 21 +++++++++++-------- 11 files changed, 26 insertions(+), 22 deletions(-) diff --git a/.env-sample b/.env-sample index 01f9403db..066678e8b 100644 --- a/.env-sample +++ b/.env-sample @@ -3,7 +3,8 @@ DJANGO_SECRET_KEY=RANDOM-STRING-FOR-SECRET-KEYS # For other, look at main/settings.py:env for available options. -# Generate using `cat secret-key | base64 -w 0` +# Generate using `cat key | base64 -w 0` JWT_PRIVATE_KEY_BASE64_ENCODED= +JWT_PUBLIC_BASE64_ENCODED= # JWT_PRIVATE_KEY= -JWT_PUBLIC_KEY= +# JWT_PUBLIC_KEY= diff --git a/azure-pipelines.yml b/azure-pipelines.yml index d8f75a5f5..964eea0b0 100644 --- a/azure-pipelines.yml +++ b/azure-pipelines.yml @@ -117,7 +117,7 @@ jobs: NS_INITIATIVES_API_TOKEN: $(STAGING_NS_INITIATIVES_API_TOKEN) # JWT JWT_PRIVATE_KEY_BASE64_ENCODED: $(STAGING_JWT_PRIVATE_KEY_BASE64_ENCODED) - JWT_PUBLIC_KEY: $(STAGING_JWT_PUBLIC_KEY) + JWT_PUBLIC_KEY_BASE64_ENCODED: $(STAGING_JWT_PUBLIC_KEY_BASE64_ENCODED) JWT_EXPIRE_TIMESTAMP_DAYS: $(STAGING_JWT_EXPIRE_TIMESTAMP_DAYS) - bash: $(Pipeline.Workspace)/go-api/deploy/scripts/cideploy --production 
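Review bot: The added sample line `JWT_PUBLIC_BASE64_ENCODED=` does not match the variable name the rest of this patch introduces, `JWT_PUBLIC_KEY_BASE64_ENCODED` (read in main/settings.py and wired through docker-compose, helm and terraform), so anyone copying the sample sets a variable settings.py never reads. Because the same hunk comments out `JWT_PUBLIC_KEY=`, the public key then resolves to `None` with no error at startup. Change the line to `JWT_PUBLIC_KEY_BASE64_ENCODED=`. The regenerated hint `# Generate using \`cat key | base64 -w 0\`` is now shared by two variables and could say which key file each expects, e.g. `# Generate using \`base64 -w 0 <key file>\` (private key PEM for the first, public key PEM for the second)`.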
@@ -198,5 +198,5 @@ jobs: NS_INITIATIVES_API_TOKEN: $(PRODUCTION_NS_INITIATIVES_API_TOKEN) # JWT JWT_PRIVATE_KEY_BASE64_ENCODED: $(PRODUCTION_JWT_PRIVATE_KEY_BASE64_ENCODED) - JWT_PUBLIC_KEY: $(PRODUCTION_JWT_PUBLIC_KEY) + JWT_PUBLIC_KEY_BASE64_ENCODED: $(PRODUCTION_JWT_PUBLIC_KEY_BASE64_ENCODED) JWT_EXPIRE_TIMESTAMP_DAYS: $(PRODUCTION_JWT_EXPIRE_TIMESTAMP_DAYS) diff --git a/deploy/bin/deploy b/deploy/bin/deploy index 2889efe43..f1b49ac60 100755 --- a/deploy/bin/deploy +++ b/deploy/bin/deploy @@ -173,6 +173,6 @@ if [ "${BASH_SOURCE[0]}" = "${0}" ]; then --set env.NS_INITIATIVES_API_KEY=${TF_VAR_NS_INITIATIVES_API_KEY} \ --set env.NS_INITIATIVES_API_TOKEN=${TF_VAR_NS_INITIATIVES_API_TOKEN} \ --set "env.JWT_PRIVATE_KEY_BASE64_ENCODED=${TF_VAR_JWT_PRIVATE_KEY_BASE64_ENCODED}" \ - --set "env.JWT_PUBLIC_KEY=${TF_VAR_JWT_PUBLIC_KEY}" \ + --set "env.JWT_PUBLIC_KEY_BASE64_ENCODED=${TF_VAR_JWT_PUBLIC_KEY_BASE64_ENCODED}" \ --set env.JWT_EXPIRE_TIMESTAMP_DAYS=${TF_VAR_JWT_EXPIRE_TIMESTAMP_DAYS} fi diff --git a/deploy/docker-compose.yml b/deploy/docker-compose.yml index 9c0cb3c47..92851def0 100644 --- a/deploy/docker-compose.yml +++ b/deploy/docker-compose.yml @@ -78,7 +78,7 @@ services: - TF_VAR_NS_INITIATIVES_API_TOKEN=${NS_INITIATIVES_API_TOKEN} # JWT - TF_VAR_JWT_PRIVATE_KEY_BASE64_ENCODED=${JWT_PRIVATE_KEY_BASE64_ENCODED} - - TF_VAR_JWT_PUBLIC_KEY=${JWT_PUBLIC_KEY} + - TF_VAR_JWT_PUBLIC_KEY_BASE64_ENCODED=${JWT_PUBLIC_KEY_BASE64_ENCODED} - TF_VAR_JWT_EXPIRE_TIMESTAMP_DAYS=${JWT_EXPIRE_TIMESTAMP_DAYS} # Maintenance mode - TF_VAR_DJANGO_READ_ONLY=${DJANGO_READ_ONLY} diff --git a/deploy/helm/ifrcgo-helm/templates/config/secret.yaml b/deploy/helm/ifrcgo-helm/templates/config/secret.yaml index ae2473e51..34f5974df 100644 --- a/deploy/helm/ifrcgo-helm/templates/config/secret.yaml +++ b/deploy/helm/ifrcgo-helm/templates/config/secret.yaml 
@@ -50,5 +50,5 @@ stringData: NS_INITIATIVES_API_KEY: "{{ .Values.env.NS_INITIATIVES_API_KEY}}" NS_INITIATIVES_API_TOKEN: "{{ .Values.env.NS_INITIATIVES_API_TOKEN}}" JWT_PRIVATE_KEY_BASE64_ENCODED: "{{ .Values.env.JWT_PRIVATE_KEY_BASE64_ENCODED}}" - JWT_PUBLIC_KEY: "{{ .Values.env.JWT_PUBLIC_KEY}}" + JWT_PUBLIC_KEY_BASE64_ENCODED: "{{ .Values.env.JWT_PUBLIC_KEY_BASE64_ENCODED}}" JWT_EXPIRE_TIMESTAMP_DAYS: "{{ .Values.env.JWT_EXPIRE_TIMESTAMP_DAYS}}" diff --git a/deploy/helm/ifrcgo-helm/values.yaml b/deploy/helm/ifrcgo-helm/values.yaml index 8b6d39ec3..0fa718b89 100644 --- a/deploy/helm/ifrcgo-helm/values.yaml +++ b/deploy/helm/ifrcgo-helm/values.yaml @@ -57,7 +57,7 @@ env: NS_INITIATIVES_API_KEY: '' NS_DOCUMENT_API_TOKEN: '' JWT_PRIVATE_KEY_BASE64_ENCODED: '' - JWT_PUBLIC_KEY: '' + JWT_PUBLIC_KEY_BASE64_ENCODED: '' JWT_EXPIRE_TIMESTAMP_DAYS: '' secrets: diff --git a/deploy/terraform/main.tf b/deploy/terraform/main.tf index 0802d5e34..68445df26 100644 --- a/deploy/terraform/main.tf +++ b/deploy/terraform/main.tf @@ -67,7 +67,7 @@ module "resources" { NS_INITIATIVES_API_KEY = var.NS_INITIATIVES_API_KEY NS_INITIATIVES_API_TOKEN = var.NS_INITIATIVES_API_TOKEN JWT_PRIVATE_KEY_BASE64_ENCODED = var.JWT_PRIVATE_KEY_BASE64_ENCODED - JWT_PUBLIC_KEY = var.JWT_PUBLIC_KEY + JWT_PUBLIC_KEY_BASE64_ENCODED = var.JWT_PUBLIC_KEY_BASE64_ENCODED JWT_EXPIRE_TIMESTAMP_DAYS = var.JWT_EXPIRE_TIMESTAMP_DAYS } diff --git a/deploy/terraform/resources/helm-ifrcgo.tf b/deploy/terraform/resources/helm-ifrcgo.tf index 177725250..1bf917a85 100644 --- a/deploy/terraform/resources/helm-ifrcgo.tf +++ b/deploy/terraform/resources/helm-ifrcgo.tf @@ -252,8 +252,8 @@ resource "helm_release" "ifrcgo" { } set { - name = "env.JWT_PUBLIC_KEY" - value = var.JWT_PUBLIC_KEY + name = "env.JWT_PUBLIC_KEY_BASE64_ENCODED" + value = var.JWT_PUBLIC_KEY_BASE64_ENCODED } set { diff --git a/deploy/terraform/resources/variables.tf b/deploy/terraform/resources/variables.tf index 46354a994..082a7518a 100644 
--- a/deploy/terraform/resources/variables.tf +++ b/deploy/terraform/resources/variables.tf @@ -291,7 +291,7 @@ variable "JWT_PRIVATE_KEY_BASE64_ENCODED" { default = "" } -variable "JWT_PUBLIC_KEY" { +variable "JWT_PUBLIC_KEY_BASE64_ENCODED" { type = string default = "" } diff --git a/deploy/terraform/variables.tf b/deploy/terraform/variables.tf index 789657f51..5c089e0a0 100644 --- a/deploy/terraform/variables.tf +++ b/deploy/terraform/variables.tf @@ -296,7 +296,7 @@ variable "JWT_PRIVATE_KEY_BASE64_ENCODED" { default = "" } -variable "JWT_PUBLIC_KEY" { +variable "JWT_PUBLIC_KEY_BASE64_ENCODED" { type = string default = "" } diff --git a/main/settings.py b/main/settings.py index 2034d928d..a6b846216 100644 --- a/main/settings.py +++ b/main/settings.py @@ -102,6 +102,7 @@ DISABLE_API_CACHE=(bool, False), # jwt private and public key JWT_PRIVATE_KEY_BASE64_ENCODED=(str, None), + JWT_PUBLIC_KEY_BASE64_ENCODED=(str, None), JWT_PRIVATE_KEY=(str, None), JWT_PUBLIC_KEY=(str, None), JWT_EXPIRE_TIMESTAMP_DAYS=(int, 365), 
@@ -608,15 +609,17 @@ # A character which is rarely used in strings – for separator: SEP = '¤' -JWT_PRIVATE_KEY = env('JWT_PRIVATE_KEY') -if env('JWT_PRIVATE_KEY_BASE64_ENCODED'): - # TODO: Instead use docker/k8 secrets file mount? - try: - JWT_PRIVATE_KEY = base64.b64decode(env('JWT_PRIVATE_KEY_BASE64_ENCODED')) - except Exception: - logger.error('Failed to decode JWT_PRIVATE_KEY_BASE64_ENCODED', exc_info=True) - -JWT_PUBLIC_KEY = env('JWT_PUBLIC_KEY') +def decode_base64(env_key, fallback_env_key): + if encoded_value := env(env_key): + # TODO: Instead use docker/k8 secrets file mount? + try: + return base64.b64decode(encoded_value) + except Exception: + logger.error(f'Failed to decode {env_key}', exc_info=True) + return env(fallback_env_key) + +JWT_PRIVATE_KEY = decode_base64('JWT_PRIVATE_KEY_BASE64_ENCODED', 'JWT_PRIVATE_KEY') +JWT_PUBLIC_KEY = decode_base64('JWT_PUBLIC_KEY_BASE64_ENCODED', 'JWT_PUBLIC_KEY') JWT_EXPIRE_TIMESTAMP_DAYS = env('JWT_EXPIRE_TIMESTAMP_DAYS') # Need to load this to overwrite modeltranslation module
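Review bot: `decode_base64` returns `bytes` from `base64.b64decode` but `str` from the `env(fallback_env_key)` branch, so `JWT_PUBLIC_KEY` — always a `str` before this hunk — now changes type depending on which variable is set; whether every consumer of that setting accepts both cannot be seen from here and is worth confirming. The `except Exception:` then falls back to the plain variable, which this patch leaves empty in the sample config, so a corrupted `JWT_PUBLIC_KEY_BASE64_ENCODED` is only logged and the setting silently becomes `None` instead of failing at startup; `b64decode` raises `ValueError` (via `binascii.Error`), so the clause can be narrowed and, for key material, re-raised rather than swallowed, with `validate=True` rejecting the stray characters the default decoder discards. The helper also has no docstring. The rewrite below adds one and the narrower, fail-closed handling; the surrounding settings module is outside the hunk.
```python
def decode_base64(env_key, fallback_env_key):
    """Return the base64-decoded value of ``env_key`` as ``bytes``.

    When ``env_key`` is unset or empty, return the raw ``str`` value of
    ``fallback_env_key`` instead (``None`` when that is unset too).
    Raises ``ValueError`` when ``env_key`` is set but not valid base64.
    """
    if encoded_value := env(env_key):
        # TODO: Instead use docker/k8 secrets file mount?
        try:
            # validate=True: reject non-alphabet characters instead of
            # silently dropping them and decoding a different key.
            return base64.b64decode(encoded_value, validate=True)
        except ValueError:
            # Key material must not silently degrade to the fallback
            # variable; log the context and let startup fail.
            logger.error(f'Failed to decode {env_key}', exc_info=True)
            raise
    return env(fallback_env_key)

# … unchanged: JWT_PRIVATE_KEY / JWT_PUBLIC_KEY assignments …
```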