Add custom CA settings (#437)

added 3 settings 'CUSTOM_CERTIFICATE_AUTHORITIES', 'CUSTOM_CA_ENCRYPTED', 'CUSTOM_CA_ACTIVE_KEYS'. also had to upgrade python minor version because of CI failure
lyft · Oct 10, 2024 · e682a69 · e682a69
1 parent 8876b07
commit e682a69
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 8 deletions.
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -12,7 +12,7 @@ jobs:
       - name: Setup python 3.10
         uses: actions/setup-python@v1
         with:
-          python-version: 3.10.14
+          python-version: 3.10.15
       - name: Install pre-commit
         run: pip install pre-commit
       - name: Run pre-commit

diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
@@ -15,7 +15,7 @@ jobs:
       - name: Setup python 3.10
         uses: actions/setup-python@v1
         with:
-          python-version: 3.10.14
+          python-version: 3.10.15
       - name: Install virtualenv
         run: pip install virtualenv
       - name: Install xmlsec
@@ -40,7 +40,7 @@ jobs:
       - name: Setup python 3.10
         uses: actions/setup-python@v1
         with:
-          python-version: 3.10.14
+          python-version: 3.10.15
       - name: Add wheel dependency
         run: pip install wheel
       - name: Generate dist

diff --git a/confidant/settings.py b/confidant/settings.py
@@ -629,14 +629,14 @@ def str_env(var_name, default=''):
 # ]
 
 if bool_env("JWT_IS_CA_ENCRYPTED", True):
-    decrypted_cas = encrypted_settings.decrypted_secrets.get(
+    decrypted_jwt_cas = encrypted_settings.decrypted_secrets.get(
         'JWT_CERTIFICATE_AUTHORITIES'
     )
 else:
-    decrypted_cas = str_env('JWT_CERTIFICATE_AUTHORITIES')
+    decrypted_jwt_cas = str_env('JWT_CERTIFICATE_AUTHORITIES')
 
-JWT_CERTIFICATE_AUTHORITIES = json.loads(b64decode(decrypted_cas)) \
-    if decrypted_cas else {}
+JWT_CERTIFICATE_AUTHORITIES = json.loads(b64decode(decrypted_jwt_cas)) \
+    if decrypted_jwt_cas else {}
 
 JWT_CACHING_ENABLED = bool_env('JWT_CACHING_ENABLED', False)
 
@@ -670,6 +670,33 @@ def str_env(var_name, default=''):
 # {"staging": "some_kid", "production": "some_kid"}
 JWT_ACTIVE_SIGNING_KEYS = json.loads(str_env('JWT_ACTIVE_SIGNING_KEYS', '{}'))
 
+# CUSTOM_CA_ENCRYPTED denotes whether provided CUSTOM_CERTIFICATE_AUTHORITIES
+# is encrypted or not. If it is encrypted, it will be decrypted before use.
+# It should be encrypted for non-development environments.
+if bool_env('CUSTOM_CA_ENCRYPTED', True):
+    decrypted_custom_cas = encrypted_settings.decrypted_secrets.get(
+        'CUSTOM_CERTIFICATE_AUTHORITIES'
+    )
+else:
+    decrypted_custom_cas = str_env('CUSTOM_CERTIFICATE_AUTHORITIES')
+
+# CUSTOM_CERTIFICATE_AUTHORITIES
+# Should be in encrypted settings following this
+# format (where name is the name of the environment) and key ids must be unique:
+# {"<name>":[{
+#   "key": "--- RSA...",
+#   "crt": "--- CERT...",
+#   "passphrase": "some-key",
+#   "kid": "some-kid"
+# }, ...
+# ]}
+CUSTOM_CERTIFICATE_AUTHORITIES = json.loads(b64decode(decrypted_custom_cas)) \
+    if decrypted_custom_cas else {}
+
+# provide a JSON with the following format:
+# {"staging": "some_kid", "production": "some_kid"}
+CUSTOM_CA_ACTIVE_KEYS = json.loads(str_env('CUSTOM_CA_ACTIVE_KEYS', '{}'))
+
 # Configuration validation
 _settings_failures = False
 if len(set(SCOPED_AUTH_KEYS.values())) != len(SCOPED_AUTH_KEYS.values()):

diff --git a/docker-compose.integration.yml b/docker-compose.integration.yml
@@ -1,7 +1,7 @@
 version: "3.8"
 services:
   confidant:
-    image: python:3.10.14
+    image: python:3.10.15
     init: true
     restart: "no"
     networks: