chore: Add decrypt to build site params

.cloudgov/manifest.yml

@@ -1,4 +1,4 @@
----    
+---
 applications:
   - name: ((product))-build-container((env_postfix))
     no-route: true
@@ -7,6 +7,7 @@ applications:
     services:
       - federalist-((env))-rds
       - federalist-((env))-uev-key
+      - pages-((env))-encryption
     metadata:
       labels:
         type: build-container
@@ -25,4 +26,4 @@ applications:
         type: build-container
         name: exp
       annotations:
-        command: cd app && ./build -p
+        command: cd app && ./build -p

README.md

@@ -16,7 +16,7 @@ One of the following flags *must* be specified:
 
 | Flag | Example | Description |
 | ---- | ------- | ----------- |
-| `-p`, `--params` | `-p '{"foo": "bar"}'` | A JSON encoded string containing the [build arguments](#build-arguments) |
+| `-p`, `--params` | `-p '{"foo": "bar"}'` | An encrypted JSON encoded string containing the [build arguments](#build-arguments) |
 | `-f`, `--file` | `--file ./.local/my-build.json` | A path to a JSON file containing the [build arguments](#build-arguments) |
 
 ### Using cloud.gov tasks
@@ -53,6 +53,14 @@ docker-compose run --rm app python main.py -f /tmp/local/my-build.json
 
 When running locally, environment variables are configured in `docker-compose.yml` under the `app` service.
 
+## Connected CF service
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| `federalist-((env))-rds` | Brokered | The RDS db credentials |
+| `federalist-((env))-uev-key` | User Provided | The site environment variable encryption key |
+| `pages-((env))-encryption` | User Provided | The site build params encryption key |
+
 ## Build arguments
 
 | Name | Optional? | Default | Description |
@@ -73,6 +81,10 @@ When running locally, environment variables are configured in `docker-compose.ym
 | `user_environment_variables` | Y | | Array of objects containing the name and encrypted values of user-provided environment variables (Ex. `[{ name: "MY ENV VAR", ciphertext: "ABC123" }]`) |
 
 
+### Encrypted params argument
+
+When build parameters are passed to the build script using the `-p / --params` flag, they are an encrypted JSON encoded string created by the pages-core queue worker and decrypted using a shared key stored as CF user provided service `pages-<env>-encryption` and the [decrypt cipher](./src/crypto/decrypt.py).
+
 ## Environment variables provided during builds
 
 The following environment variables are available during site builds and when running the `federalist` npm script. They may be useful for customizing the display of certain information in the published site, for example, to display the current published branch name.

src/main.py

@@ -5,6 +5,7 @@
 import shlex
 
 from build import build
+from crypto.decrypt import decrypt
 
 
 def load_vcap():
@@ -24,6 +25,22 @@ def load_vcap():
     os.environ[uev_env_var] = uev_ups['credentials']['key']
 
 
+def decrypt_params(encrypted):
+    vcap_application = json.loads(os.getenv('VCAP_APPLICATION', '{}'))
+    vcap_services = json.loads(os.getenv('VCAP_SERVICES', '{}'))
+
+    space = vcap_application['space_name']
+
+    encryption_ups = next(
+        ups for ups in vcap_services['user-provided']
+        if ups['name'] == f'pages-{space}-encryption'
+    )
+
+    encryption_key = encryption_ups['credentials']['key']
+
+    return decrypt(args.params, encryption_key)
+
+
 if __name__ == "__main__":
     parser = argparse.ArgumentParser(description='Run a pages build')
     group = parser.add_mutually_exclusive_group(required=True)
@@ -36,7 +53,8 @@ def load_vcap():
     args = parser.parse_args()
 
     if args.params:
-        params = json.loads(args.params)
+        decrypted = decrypt_params(args.params)
+        params = json.loads(decrypted)
     else:
         params = json.load(args.file)