From e682a69e56350411a4f1c0062106eb32a56decb8 Mon Sep 17 00:00:00 2001 From: Meng Han <4225835+meng-han@users.noreply.github.com> Date: Thu, 10 Oct 2024 09:11:16 -0700 Subject: [PATCH] Add custom CA settings (#437) added 3 settings 'CUSTOM_CERTIFICATE_AUTHORITIES', 'CUSTOM_CA_ENCRYPTED', 'CUSTOM_CA_ACTIVE_KEYS'. also had to upgrade python minor version because of CI failure --- .github/workflows/pull_request.yml | 2 +- .github/workflows/push.yml | 4 ++-- confidant/settings.py | 35 ++++++++++++++++++++++++++---- docker-compose.integration.yml | 2 +- 4 files changed, 35 insertions(+), 8 deletions(-) diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index df7a9ba5..1a050c2a 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -12,7 +12,7 @@ jobs: - name: Setup python 3.10 uses: actions/setup-python@v1 with: - python-version: 3.10.14 + python-version: 3.10.15 - name: Install pre-commit run: pip install pre-commit - name: Run pre-commit diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml index ed7e50c8..59ead69d 100644 --- a/.github/workflows/push.yml +++ b/.github/workflows/push.yml @@ -15,7 +15,7 @@ jobs: - name: Setup python 3.10 uses: actions/setup-python@v1 with: - python-version: 3.10.14 + python-version: 3.10.15 - name: Install virtualenv run: pip install virtualenv - name: Install xmlsec @@ -40,7 +40,7 @@ jobs: - name: Setup python 3.10 uses: actions/setup-python@v1 with: - python-version: 3.10.14 + python-version: 3.10.15 - name: Add wheel dependency run: pip install wheel - name: Generate dist diff --git a/confidant/settings.py b/confidant/settings.py index 83a8d9c2..6af6bbb8 100644 --- a/confidant/settings.py +++ b/confidant/settings.py @@ -629,14 +629,14 @@ def str_env(var_name, default=''): # ] if bool_env("JWT_IS_CA_ENCRYPTED", True): - decrypted_cas = encrypted_settings.decrypted_secrets.get( + decrypted_jwt_cas = encrypted_settings.decrypted_secrets.get( 'JWT_CERTIFICATE_AUTHORITIES' ) else: - decrypted_cas = str_env('JWT_CERTIFICATE_AUTHORITIES') + decrypted_jwt_cas = str_env('JWT_CERTIFICATE_AUTHORITIES') -JWT_CERTIFICATE_AUTHORITIES = json.loads(b64decode(decrypted_cas)) \ - if decrypted_cas else {} +JWT_CERTIFICATE_AUTHORITIES = json.loads(b64decode(decrypted_jwt_cas)) \ + if decrypted_jwt_cas else {} JWT_CACHING_ENABLED = bool_env('JWT_CACHING_ENABLED', False) @@ -670,6 +670,33 @@ def str_env(var_name, default=''): # {"staging": "some_kid", "production": "some_kid"} JWT_ACTIVE_SIGNING_KEYS = json.loads(str_env('JWT_ACTIVE_SIGNING_KEYS', '{}')) +# CUSTOM_CA_ENCRYPTED denotes whether provided CUSTOM_CERTIFICATE_AUTHORITIES +# is encrypted or not. If it is encrypted, it will be decrypted before use. +# It should be encrypted for non-development environments. +if bool_env('CUSTOM_CA_ENCRYPTED', True): + decrypted_custom_cas = encrypted_settings.decrypted_secrets.get( + 'CUSTOM_CERTIFICATE_AUTHORITIES' + ) +else: + decrypted_custom_cas = str_env('CUSTOM_CERTIFICATE_AUTHORITIES') + +# CUSTOM_CERTIFICATE_AUTHORITIES +# Should be in encrypted settings following this +# format (where name is the name of the environment) and key ids must be unique: +# {"":[{ +# "key": "--- RSA...", +# "crt": "--- CERT...", +# "passphrase": "some-key", +# "kid": "some-kid" +# }, ... +# ]} +CUSTOM_CERTIFICATE_AUTHORITIES = json.loads(b64decode(decrypted_custom_cas)) \ + if decrypted_custom_cas else {} + +# provide a JSON with the following format: +# {"staging": "some_kid", "production": "some_kid"} +CUSTOM_CA_ACTIVE_KEYS = json.loads(str_env('CUSTOM_CA_ACTIVE_KEYS', '{}')) + # Configuration validation _settings_failures = False if len(set(SCOPED_AUTH_KEYS.values())) != len(SCOPED_AUTH_KEYS.values()): diff --git a/docker-compose.integration.yml b/docker-compose.integration.yml index 3d2ab336..872a4310 100644 --- a/docker-compose.integration.yml +++ b/docker-compose.integration.yml @@ -1,7 +1,7 @@ version: "3.8" services: confidant: - image: python:3.10.14 + image: python:3.10.15 init: true restart: "no" networks: