-
Notifications
You must be signed in to change notification settings - Fork 16
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[Issue #2809] Handle parsing the jwt we created, and connect to a user (
#2959) ## Summary Fixes #2809 ### Time to review: __15 mins__ ## Changes proposed Setup logic to process the jwt we created in #2898 Setup a method to automatically generate a key for local development in a secure way via an override file ## Context for reviewers The core part of this PR is pretty straightforward, we parse the JWT, do some validation, raise specific error messages for certain scenarios, and have tests for that behavior. For the auth token in the API request header, instead of using `Bearer ..` I left it as a dedicated header field. The bearer format doesn't let you specify the header name and if we ever need multiple tokens supported in an endpoint will lead to more headache. --- Where things got complex was setting up the private/public key for the API. These just need to be stored in env vars, but putting them directly in our local.env file isn't ideal - even though the key will be distinctly local-only, it will always be something flagged in security scans and just generally look problematic. To work around this fun problem, I realized I could solve another annoyance at the same time, Docker as of January 2024 allows you to specify multiple env files + make them optional. So - I used that. I setup a script that creates an `override.env` file that you can freely modify and won't be checked in, and more importantly, automatically contains secrets like those public/private keys we didn't want to check in. (Note - if you're wondering why I didn't use Docker secrets, they're far more complex and this PR would've been 20+ files to make that half-work). ## Additional information Locally I confirmed we can set tokens in the swagger docs and they work - we don't yet have an endpoint that uses this outside of the unit test I setup, but I temporarily modified the healthcheck endpoint to validate things work outside of tests as well. <img width="641" alt="Screenshot 2024-11-20 at 4 06 48 PM" src="https://github.com/user-attachments/assets/7f4b6d7e-0c2b-4a5b-a057-5695672ec31f"> The override file we generate looks like this (with the relevant key info removed): ``` # override.env # # Any environment variables written to this file # will take precedence over those defined in local.env # # This file will not be checked into github and it is safe # to store secrets here, however you should still follow caution # with using any secrets locally if they cause the app to interact # with external systems. # # This file was generated by running: # make setup-env-overrides # # Which runs as part of our "make init" flow. # # If you would like to re-generate this file, please run: # make setup-env-overrides --recreate # # Note that this will completely erase any existing configuration you may have ############################ # Authentication ############################ API_JWT_PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY-----" API_JWT_PUBLIC_KEY="-----BEGIN PUBLIC KEY----- ... -----END PUBLIC KEY-----" ``` --------- Co-authored-by: nava-platform-bot <[email protected]>
- Loading branch information
1 parent
0fbbae2
commit 487d217
Showing
13 changed files
with
407 additions
and
34 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,123 @@ | ||
#!/usr/bin/env bash | ||
# setup-env-override-file.sh | ||
# | ||
# Generate an override.env file | ||
# with secrets pre-populated for local development. | ||
# | ||
# Examples: | ||
# ./setup-env-override-file.sh | ||
# ./setup-env-override-file.sh --recreate | ||
# | ||
|
||
set -o errexit -o pipefail | ||
|
||
PROGRAM_NAME=$(basename "$0") | ||
|
||
CYAN='\033[96m' | ||
GREEN='\033[92m' | ||
RED='\033[01;31m' | ||
END='\033[0m' | ||
|
||
USAGE="Usage: $PROGRAM_NAME [OPTION] | ||
--recreate Recreate the override.env file, fully overwriting any existing file | ||
" | ||
|
||
main() { | ||
print_log "Running $PROGRAM_NAME" | ||
|
||
for arg in "$@" | ||
do | ||
if [ "$arg" == "--recreate" ]; then | ||
recreate=1 | ||
else | ||
echo "$USAGE" | ||
exit 1 | ||
fi | ||
done | ||
|
||
OVERRIDE_FILE="override.env" | ||
|
||
if [ -f "$OVERRIDE_FILE" ] ; then | ||
if [ $recreate ] ; then | ||
print_log "Recreating existing override.env file" | ||
else | ||
print_log "override.env already exists, not recreating" | ||
exit 0 | ||
fi | ||
fi | ||
|
||
# Delete any key files that may be leftover from a prior run | ||
cleanup_files | ||
|
||
# Generate RSA keys | ||
# note ssh-keygen generates a different format for | ||
# the public key so we run it through openssl to fix it | ||
ssh-keygen -t rsa -b 2048 -m PEM -N '' -f tmp_jwk.key 2>&1 >/dev/null | ||
openssl rsa -in tmp_jwk.key -pubout -outform PEM -out tmp_jwk.pub | ||
|
||
PUBLIC_KEY=`cat tmp_jwk.pub` | ||
PRIVATE_KEY=`cat tmp_jwk.key` | ||
|
||
cat > $OVERRIDE_FILE <<EOF | ||
# override.env | ||
# | ||
# Any environment variables written to this file | ||
# will take precedence over those defined in local.env | ||
# | ||
# This file will not be checked into github and it is safe | ||
# to store secrets here, however you should still follow caution | ||
# with using any secrets locally if they cause the app to interact | ||
# with external systems. | ||
# | ||
# This file was generated by running: | ||
# make setup-env-override-file | ||
# | ||
# Which runs as part of our "make init" flow. | ||
# | ||
# If you would like to re-generate this file, please run: | ||
# make setup-env-override-file args="--recreate" | ||
# | ||
# Note that this will completely erase any existing configuration you may have | ||
############################ | ||
# Authentication | ||
############################ | ||
API_JWT_PRIVATE_KEY="$PRIVATE_KEY" | ||
API_JWT_PUBLIC_KEY="$PUBLIC_KEY" | ||
EOF | ||
|
||
|
||
print_log "Created new override.env" | ||
|
||
# Cleanup all keys generated in this run | ||
cleanup_files | ||
} | ||
|
||
# Cleanup a single file if it exists | ||
cleanup_file() | ||
{ | ||
FILE=$1 | ||
shift; | ||
|
||
if [ -f "$FILE" ] ; then | ||
rm "$FILE" | ||
fi | ||
} | ||
|
||
# Cleanup all miscellaneous keys generated | ||
cleanup_files() | ||
{ | ||
cleanup_file tmp_jwk.key | ||
cleanup_file tmp_jwk.pub | ||
cleanup_file tmp_jwk.key.pub | ||
} | ||
|
||
print_log() { | ||
printf "$CYAN%s $GREEN%s: $END%s\\n" "$(date "+%Y-%m-%d %H:%M:%S")" "$PROGRAM_NAME" "$*" | ||
} | ||
|
||
# Entry point | ||
main "$@" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -1423,4 +1423,8 @@ components: | |
type: apiKey | ||
in: header | ||
name: X-Auth | ||
ApiJwtAuth: | ||
type: apiKey | ||
in: header | ||
name: X-SGG-Token | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.