From 4e832172ad46a8ebba088b5f5ed0f392ad0a0612 Mon Sep 17 00:00:00 2001 From: Andrew Burnes Date: Tue, 14 May 2024 08:54:56 -0700 Subject: [PATCH] chore: Add decrypt to build site params --- .cloudgov/manifest.yml | 5 +++-- README.md | 14 +++++++++++++- src/main.py | 20 +++++++++++++++++++- 3 files changed, 35 insertions(+), 4 deletions(-) diff --git a/.cloudgov/manifest.yml b/.cloudgov/manifest.yml index 8b27cb19..b4ce100c 100644 --- a/.cloudgov/manifest.yml +++ b/.cloudgov/manifest.yml @@ -1,4 +1,4 @@ ---- +--- applications: - name: ((product))-build-container((env_postfix)) no-route: true @@ -7,6 +7,7 @@ applications: services: - federalist-((env))-rds - federalist-((env))-uev-key + - pages-((env))-encryption metadata: labels: type: build-container @@ -25,4 +26,4 @@ applications: type: build-container name: exp annotations: - command: cd app && ./build -p \ No newline at end of file + command: cd app && ./build -p diff --git a/README.md b/README.md index e07edc60..cd48550d 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,7 @@ One of the following flags *must* be specified: | Flag | Example | Description | | ---- | ------- | ----------- | -| `-p`, `--params` | `-p '{"foo": "bar"}'` | A JSON encoded string containing the [build arguments](#build-arguments) | +| `-p`, `--params` | `-p '{"foo": "bar"}'` | An encrypted JSON encoded string containing the [build arguments](#build-arguments) | | `-f`, `--file` | `--file ./.local/my-build.json` | A path to a JSON file containing the [build arguments](#build-arguments) | ### Using cloud.gov tasks @@ -53,6 +53,14 @@ docker-compose run --rm app python main.py -f /tmp/local/my-build.json When running locally, environment variables are configured in `docker-compose.yml` under the `app` service. +## Connected CF service + +| Name | Type | Description | +| ---- | ---- | ----------- | +| `federalist-((env))-rds` | Brokered | The RDS db credentials | +| `federalist-((env))-uev-key` | User Provided | The site environment variable encryption key | +| `pages-((env))-encryption` | User Provided | The site build params encryption key | + ## Build arguments | Name | Optional? | Default | Description | @@ -73,6 +81,10 @@ When running locally, environment variables are configured in `docker-compose.ym | `user_environment_variables` | Y | | Array of objects containing the name and encrypted values of user-provided environment variables (Ex. `[{ name: "MY ENV VAR", ciphertext: "ABC123" }]`) | +### Encrypted params argument + +When build parameters are passed to the build script using the `-p / --params` flag, they are an encrypted JSON encoded string created by the pages-core queue worker and decrypted using a shared key stored as CF user provided service `pages--encryption` and the [decrypt cipher](./src/crypto/decrypt.py). + ## Environment variables provided during builds The following environment variables are available during site builds and when running the `federalist` npm script. They may be useful for customizing the display of certain information in the published site, for example, to display the current published branch name. diff --git a/src/main.py b/src/main.py index bce9ddcf..dd177c6d 100644 --- a/src/main.py +++ b/src/main.py @@ -5,6 +5,7 @@ import shlex from build import build +from crypto.decrypt import decrypt def load_vcap(): @@ -24,6 +25,22 @@ def load_vcap(): os.environ[uev_env_var] = uev_ups['credentials']['key'] +def decrypt_params(encrypted): + vcap_application = json.loads(os.getenv('VCAP_APPLICATION', '{}')) + vcap_services = json.loads(os.getenv('VCAP_SERVICES', '{}')) + + space = vcap_application['space_name'] + + encryption_ups = next( + ups for ups in vcap_services['user-provided'] + if ups['name'] == f'pages-{space}-encryption' + ) + + encryption_key = encryption_ups['credentials']['key'] + + return decrypt(args.params, encryption_key) + + if __name__ == "__main__": parser = argparse.ArgumentParser(description='Run a pages build') group = parser.add_mutually_exclusive_group(required=True) @@ -36,7 +53,8 @@ def load_vcap(): args = parser.parse_args() if args.params: - params = json.loads(args.params) + decrypted = decrypt_params(args.params) + params = json.loads(decrypted) else: params = json.load(args.file)