Refactor: add support for env variables in data migration #1198

Merged
merged 9 commits into from
Jan 13, 2023
110 changes: 67 additions & 43 deletions benefits/core/migrations/0002_sample_data.py
@@ -1,6 +1,8 @@
"""Data migration which loads sample data.
Set environment variable DJANGO_LOAD_SAMPLE_DATA to False to skip loading sample data.
"""
import os

from django.conf import settings
from django.db import migrations
from django.utils.translation import gettext_lazy as _
Expand All @@ -13,18 +15,23 @@ def load_sample_data(app, *args, **kwargs):

EligibilityType = app.get_model("core", "EligibilityType")

senior_type = EligibilityType.objects.create(name="senior", label="Senior", group_id="group1")
courtesy_card_type = EligibilityType.objects.create(name="courtesy_card", label="Courtesy Card", group_id="group2")
senior_type = EligibilityType.objects.create(
name="senior", label="Senior", group_id=os.environ.get("MST_SENIOR_GROUP_ID", "group1")
)
courtesy_card_type = EligibilityType.objects.create(
name="courtesy_card", label="Courtesy Card", group_id=os.environ.get("MST_COURTESY_CARD_GROUP_ID", "group2")
)

PemData = app.get_model("core", "PemData")

server_public_key = PemData.objects.create(
label="Eligibility server public key",
remote_url="https://raw.githubusercontent.com/cal-itp/eligibility-server/dev/keys/server.pub",
remote_url=os.environ.get(
"SERVER_PUBLIC_KEY_URL", "https://raw.githubusercontent.com/cal-itp/eligibility-server/dev/keys/server.pub"
),
)

client_private_key = PemData.objects.create(
text="""
default_client_private_key = """
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA1pt0ZoOuPEVPJJS+5r884zcjZLkZZ2GcPwr79XOLDbOi46on
Ca79kjRnhS0VUK96SwUPS0z9J5mDA5LSNL2RoxFb5QGaevnJY828NupzTNdUd0sY
Expand Down Expand Up @@ -52,12 +59,14 @@ def load_sample_data(app, *args, **kwargs):
W3j2hwm4C6vaNkH9XX1dr5+q6gq8vJQdbYoExl22BGMiNbfI3+sLRk0zBYL//W6c
tSREgR4EjosqQfbkceLJ2JT1wuNjInI0eR9H3cRugvlDTeWtbdJ5qA==
-----END RSA PRIVATE KEY-----
""",
"""

client_private_key = PemData.objects.create(
text=os.environ.get("CLIENT_PRIVATE_KEY", default_client_private_key),
label="Benefits client private key",
)

client_public_key = PemData.objects.create(
text="""
default_client_public_key = """
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1pt0ZoOuPEVPJJS+5r88
4zcjZLkZZ2GcPwr79XOLDbOi46onCa79kjRnhS0VUK96SwUPS0z9J5mDA5LSNL2R
Expand All @@ -67,35 +76,50 @@ def load_sample_data(app, *args, **kwargs):
TsWcURmhVofF2wVoFbib3JGCfA7tz/gmP5YoEKnf/cumKmF3e9LrZb8zwm7bTHUV
iwIDAQAB
-----END PUBLIC KEY-----
""",
"""

client_public_key = PemData.objects.create(
text=os.environ.get("CLIENT_PUBLIC_KEY", default_client_public_key),
label="Benefits client public key",
)

dummy_cert = PemData.objects.create(
text="""
dummy_cert_text = """
-----BEGIN CERTIFICATE-----
PEM DATA
-----END CERTIFICATE-----
""",
label="Dummy certificate",
"""

payment_processor_client_cert = PemData.objects.create(
text=os.environ.get("PAYMENT_PROCESSOR_CLIENT_CERT", dummy_cert_text),
label="Payment processor client certificate",
)

payment_processor_client_cert_private_key = PemData.objects.create(
text=os.environ.get("PAYMENT_PROCESSOR_CLIENT_CERT_PRIVATE_KEY", client_private_key.text),
label="Payment processor client certificate private key",
)

payment_processor_client_cert_root_ca = PemData.objects.create(
text=os.environ.get("PAYMENT_PROCESSOR_CLIENT_CERT_ROOT_CA", dummy_cert_text),
label="Payment processor client certificate root CA",
)

AuthProvider = app.get_model("core", "AuthProvider")

auth_provider = AuthProvider.objects.create(
sign_in_button_label=_("eligibility.buttons.signin"),
sign_out_button_label=_("eligibility.buttons.signout"),
client_name="benefits-oauth-client-name",
client_id="benefits-oauth-client-id",
authority="https://example.com",
scope="verify:senior",
claim="senior",
client_name=os.environ.get("AUTH_PROVIDER_CLIENT_NAME", "benefits-oauth-client-name"),
client_id=os.environ.get("AUTH_PROVIDER_CLIENT_ID", "benefits-oauth-client-id"),
authority=os.environ.get("AUTH_PROVIDER_AUTHORITY", "https://example.com"),
scope=os.environ.get("AUTH_PROVIDER_SCOPE", "verify:senior"),
claim=os.environ.get("AUTH_PROVIDER_CLAIM", "senior"),
)

EligibilityVerifier = app.get_model("core", "EligibilityVerifier")

verifier1 = EligibilityVerifier.objects.create(
name="OAuth claims via Login.gov",
oauth_claims_verifier = EligibilityVerifier.objects.create(
name=os.environ.get("OAUTH_VERIFIER_NAME", "OAuth claims via Login.gov"),
Not sure if we consider these names sensitive

eligibility_type=senior_type,
auth_provider=auth_provider,
selection_label=_("eligibility.pages.index.login_gov.label"),
Expand All @@ -116,16 +140,16 @@ def load_sample_data(app, *args, **kwargs):
enrollment_success_expiry_item_details=None,
)

verifier2 = EligibilityVerifier.objects.create(
name="Test Eligibility Verifier 2",
api_url="http://server:8000/verify",
api_auth_header="X-Server-API-Key",
api_auth_key="server-auth-token",
courtesy_card_verifier = EligibilityVerifier.objects.create(
name=os.environ.get("COURTESY_CARD_VERIFIER", "Eligibility Server Verifier"),
api_url=os.environ.get("COURTESY_CARD_VERIFIER_API_URL", "http://server:8000/verify"),
api_auth_header=os.environ.get("COURTESY_CARD_VERIFIER_API_AUTH_HEADER", "X-Server-API-Key"),
api_auth_key=os.environ.get("COURTESY_CARD_VERIFIER_API_AUTH_KEY", "server-auth-token"),
eligibility_type=courtesy_card_type,
public_key=server_public_key,
jwe_cek_enc="A256CBC-HS512",
jwe_encryption_alg="RSA-OAEP",
jws_signing_alg="RS256",
jwe_cek_enc=os.environ.get("COURTESY_CARD_VERIFIER_JWE_CEK_ENC", "A256CBC-HS512"),
jwe_encryption_alg=os.environ.get("COURTESY_CARD_VERIFIER_JWE_ENCRYPTION_ALG", "RSA-OAEP"),
jws_signing_alg=os.environ.get("COURTESY_CARD_VERIFIER_JWS_SIGNING_ALG", "RS256"),
Do we consider these sensitive? I erred on the side of caution here.

I think Kerckhoffs's principle would say they are not sensitive (the security of the data should not depend on the encryption method remaining a secret).

auth_provider=None,
selection_label=_("eligibility.pages.index.mst_cc.label"),
selection_label_description=_("eligibility.pages.index.mst_cc.description"),
Expand Down Expand Up @@ -159,17 +183,17 @@ def load_sample_data(app, *args, **kwargs):
PaymentProcessor = app.get_model("core", "PaymentProcessor")

payment_processor = PaymentProcessor.objects.create(
name="Test Payment Processor",
api_base_url="http://server:8000",
api_access_token_endpoint="access-token",
api_access_token_request_key="request_access",
api_access_token_request_val="REQUEST_ACCESS",
card_tokenize_url="http://server:8000/static/tokenize.js",
card_tokenize_func="tokenize",
card_tokenize_env="test",
client_cert=dummy_cert,
client_cert_private_key=client_private_key,
client_cert_root_ca=dummy_cert,
name=os.environ.get("PAYMENT_PROCESSOR_NAME", "Test Payment Processor"),
api_base_url=os.environ.get("PAYMENT_PROCESSOR_API_BASE_URL", "http://server:8000"),
api_access_token_endpoint=os.environ.get("PAYMENT_PROCESSOR_API_ACCESS_TOKEN_ENDPOINT", "access-token"),
api_access_token_request_key=os.environ.get("PAYMENT_PROCESSOR_API_ACCESS_TOKEN_REQUEST_KEY", "request_access"),
api_access_token_request_val=os.environ.get("PAYMENT_PROCESSOR_API_ACCESS_TOKEN_REQUEST_VAL", "REQUEST_ACCESS"),
card_tokenize_url=os.environ.get("PAYMENT_PROCESSOR_CARD_TOKENIZE_URL", "http://server:8000/static/tokenize.js"),
card_tokenize_func=os.environ.get("PAYMENT_PROCESSOR_CARD_TOKENIZE_FUNC", "tokenize"),
card_tokenize_env=os.environ.get("PAYMENT_PROCESSOR_CARD_TOKENIZE_ENV", "test"),
client_cert=payment_processor_client_cert,
client_cert_private_key=payment_processor_client_cert_private_key,
client_cert_root_ca=payment_processor_client_cert_root_ca,
customer_endpoint="customer",
customers_endpoint="customers",
group_endpoint="group",
Expand All @@ -179,21 +203,21 @@ def load_sample_data(app, *args, **kwargs):

mst_agency = TransitAgency.objects.create(
slug="mst",
short_name="MST (sample)",
long_name="Monterey-Salinas Transit (sample)",
short_name=os.environ.get("MST_AGENCY_SHORT_NAME", "MST (sample)"),
long_name=os.environ.get("MST_AGENCY_LONG_NAME", "Monterey-Salinas Transit (sample)"),
These names don't seem sensitive IMO, but they do vary per environment.

agency_id="mst",
merchant_id="mst",
info_url="https://mst.org/benefits",
phone="888-678-2871",
active=True,
private_key=client_private_key,
public_key=client_public_key,
jws_signing_alg="RS256",
jws_signing_alg=os.environ.get("MST_AGENCY_JWS_SIGNING_ALG", "RS256"),
payment_processor=payment_processor,
eligibility_index_intro=_("eligibility.pages.index.p[0].mst"),
)
mst_agency.eligibility_types.set([senior_type, courtesy_card_type])
mst_agency.eligibility_verifiers.set([verifier1, verifier2])
mst_agency.eligibility_verifiers.set([oauth_claims_verifier, courtesy_card_verifier])


class Migration(migrations.Migration):
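Review bot: The fallback on the `payment_processor_client_cert_private_key` line, `client_private_key.text`, is no longer sample-only: once an operator sets CLIENT_PRIVATE_KEY but not PAYMENT_PROCESSOR_CLIENT_CERT_PRIVATE_KEY, whatever real key CLIENT_PRIVATE_KEY resolved to (the same PemData row the agency's `private_key` points at further down) is persisted a second time as the payment-processor client-certificate key, so one private key silently serves two unrelated trust relationships. Defaulting to the committed sample material instead keeps the two secrets independent: `text=os.environ.get("PAYMENT_PROCESSOR_CLIENT_CERT_PRIVATE_KEY", default_client_private_key),`. In the same hunk, the CLIENT_PRIVATE_KEY / CLIENT_PUBLIC_KEY lines (and COURTESY_CARD_VERIFIER_API_AUTH_KEY in the next one) also fall back without any signal to the sample key pair and token checked into the repository when a variable is unset, and `os.environ.get` returns an empty string as-is when the variable is exported empty, so a non-empty check or a log line naming which variables used their defaults would make a misconfigured deployment visible rather than silently seeded with public sample secrets. The module docstring at the top of the file still describes only DJANGO_LOAD_SAMPLE_DATA; one added sentence such as `Secrets (CLIENT_PRIVATE_KEY, PAYMENT_PROCESSOR_CLIENT_CERT_PRIVATE_KEY, COURTESY_CARD_VERIFIER_API_AUTH_KEY) are read from the environment and fall back to the sample values below.` would tell operators what this migration persists. load_sample_data begins before the first hunk and the Migration class continues past the last one.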