atlassian · gxueatlassian · Jun 29, 2022 · Jun 29, 2022 · Jun 29, 2022 · Jun 29, 2022
@@ -44,4 +44,4 @@ WEBHOOK_PROXY_URL=
 
 # Cryptor
 CRYPTOR_URL=http://cryptor-sidecar:26272
-CRYPTOR_CLIENT_IDENTIFICATION_CHALLENGE=random-string
+CRYPTOR_SIDECAR_CLIENT_IDENTIFICATION_CHALLENGE=random-string
@@ -48,5 +48,5 @@ WEBHOOK_PROXY_URL=http://localhost:8080/github/events
 
 # Cryptor
 CRYPTOR_URL=http://localhost:26272
-CRYPTOR_CLIENT_IDENTIFICATION_CHALLENGE=random-string
+CRYPTOR_SIDECAR_CLIENT_IDENTIFICATION_CHALLENGE=random-string
 
@@ -36,7 +36,7 @@ services:
     build: etc/cryptor-mock
     container_name: cryptor
     environment:
-      CRYPTOR_CLIENT_IDENTIFICATION_CHALLENGE: "random-string" #has to match the one in env.test
+      CRYPTOR_SIDECAR_CLIENT_IDENTIFICATION_CHALLENGE: "random-string" #has to match the one in env.test
     ports:
       - "26272:26272"
   app:

@@ -11,7 +11,7 @@ app.get("/healthcheck", (_, res)=>{
 	res.send({ok: true});
 });
 app.post("/cryptor/encrypt/*", (req, res) => {
-	if (req.headers["x-cryptor-client"] !== process.env.CRYPTOR_CLIENT_IDENTIFICATION_CHALLENGE) {
+	if (req.headers["x-cryptor-client"] !== process.env.CRYPTOR_SIDECAR_CLIENT_IDENTIFICATION_CHALLENGE) {
 		res.status(403).send("Wrong challenge");
 		return;
 	}
@@ -28,7 +28,7 @@ app.post("/cryptor/encrypt/*", (req, res) => {
 	res.status(200).json(ret);
 });
 app.post("/cryptor/decrypt", (req, res) => {
-	if (req.headers["x-cryptor-client"] !== process.env.CRYPTOR_CLIENT_IDENTIFICATION_CHALLENGE) {
+	if (req.headers["x-cryptor-client"] !== process.env.CRYPTOR_SIDECAR_CLIENT_IDENTIFICATION_CHALLENGE) {
 		res.status(403).send("Wrong challenge");
 		return;
 	}

@@ -218,7 +218,8 @@ config:
 
     GLOBAL_AGENT_NO_PROXY: cryptor # needed because of proxy.ts
     CRYPTOR_URL: http://cryptor:26272
-    CRYPTOR_CLIENT_IDENTIFICATION_CHALLENGE: "6CF9E6A52167B58CBB0DED180CC8B848" # https://developer.atlassian.com/platform/cryptor/integration/integrating-sidecar/#enabling-ssrf-protection
+    CRYPTOR_SIDECAR_ENCRYPTION_KEY_ALIASES: micros/github-for-jira/github-server-app-secrets
+    CRYPTOR_SIDECAR_CLIENT_IDENTIFICATION_CHALLENGE: "6CF9E6A52167B58CBB0DED180CC8B848" # https://developer.atlassian.com/platform/cryptor/integration/integrating-sidecar/#enabling-ssrf-protection
     # These secret environment variables need to be stashed with "atlas micros stash" for each environment:
     # STORAGE_SECRET: secret generated by running openssl rand -hex 32
     # SENTRY_DSN: client key required to connect to Sentry
@@ -486,7 +487,7 @@ environmentOverrides:
         GITHUB_CLIENT_ID: Iv1.45aafbb099e1c1d7
         PRIVATE_KEY: vault://secret/data/builds/micros-sv--github-for-jira-dl-vault-compliant/github-app-private-key
         GITHUB_CLIENT_SECRET: vault://secret/data/builds/micros-sv--github-for-jira-dl-vault-compliant/github-app-client-secret
-        CRYPTOR_CLIENT_IDENTIFICATION_CHALLENGE: "D92A2D7364AC3057D2A90BA9512D8CA0"
+        CRYPTOR_SIDECAR_CLIENT_IDENTIFICATION_CHALLENGE: "D92A2D7364AC3057D2A90BA9512D8CA0"
     scaling:
       instance: c5.2xlarge
       min: 5

@@ -23,7 +23,7 @@ const requiredEnvVars = [
 	"MICROS_AWS_REGION",
 	"GLOBAL_HASH_SECRET",
 	"CRYPTOR_URL",
-	"CRYPTOR_CLIENT_IDENTIFICATION_CHALLENGE"
+	"CRYPTOR_SIDECAR_CLIENT_IDENTIFICATION_CHALLENGE"
 ];
 
 const filename = isNodeTest() ? ".env.test" : ".env";
@@ -116,5 +116,5 @@ export interface EnvVars {
 
 	// Cryptor
 	CRYPTOR_URL: string;
-	CRYPTOR_CLIENT_IDENTIFICATION_CHALLENGE: string;
+	CRYPTOR_SIDECAR_CLIENT_IDENTIFICATION_CHALLENGE: string;
 }
@@ -121,17 +121,19 @@ How to invoke:
 
  */
 ApiRouter.use("/cryptor", async (req: Request, resp: Response) => {
+	try {
+		let data = "";
+		for (let i = 0; i < 10; i++) {
+			data = data + "-" + Math.floor((Math.random() * 10));
+		}
 
-	resp.status(204).send("ack");
+		const encrypted = await CryptorHttpClient.encrypt(CryptorHttpClient.GITHUB_SERVER_APP_SECRET, data, req.log);
 
-	let data = "";
-	for (let i = 0; i < 10; i++) {
-		data = data + "-" + Math.floor((Math.random() * 10));
+		await CryptorHttpClient.decrypt(encrypted, req.log);
+		resp.status(200).send("ok");
+	} catch (_) {
+		resp.status(500).send("fail");
 	}
-
-	const encrypted = await CryptorHttpClient.encrypt(CryptorHttpClient.GITHUB_SERVER_APP_SECRET, data, req.log);
-
-	await CryptorHttpClient.decrypt(encrypted, req.log);
 });
 
 ApiRouter.use("/jira", ApiJiraRouter);

@@ -23,7 +23,7 @@ export class CryptorHttpClient {
 		return {
 			baseURL: envVars.CRYPTOR_URL,
 			headers: {
-				"X-Cryptor-Client": envVars.CRYPTOR_CLIENT_IDENTIFICATION_CHALLENGE,
+				"X-Cryptor-Client": envVars.CRYPTOR_SIDECAR_CLIENT_IDENTIFICATION_CHALLENGE,
 				"Content-Type": "application/json; charset=utf-8"
 			}
 		};