ARC-1977 - Rotating secrets in Lastpass: STORAGE_SECRET #2123

Merged
merged 1 commit into from
May 16, 2023
1 change: 1 addition & 0 deletions .env.development.local.example
Expand Up @@ -4,6 +4,7 @@
# Github App Information
APP_ID=
WEBHOOK_SECRETS=
COOKIE_SESSION_KEY=
GITHUB_CLIENT_ID=
GITHUB_CLIENT_SECRET=
# Path to github private key file (relative to root of this project). If at the root, just specify filename
1 change: 1 addition & 0 deletions .env.e2e.local.example
Expand Up @@ -3,6 +3,7 @@
APP_NAME=
APP_ID=
WEBHOOK_SECRETS=
COOKIE_SESSION_KEY=
GITHUB_CLIENT_ID=
GITHUB_CLIENT_SECRET=
PRIVATE_KEY_PATH=
1 change: 1 addition & 0 deletions .env.test
Expand Up @@ -3,6 +3,7 @@
NODE_ENV=test
APP_ID=113490
WEBHOOK_SECRETS=["test","old-secret"]
COOKIE_SESSION_KEY=ranDomValueXyz123123
GITHUB_CLIENT_ID=Iv1.7be753472c09g9c5
GITHUB_CLIENT_SECRET=test-github-secret
SQS_BACKFILL_QUEUE_URL=http://127.0.0.1:4566/000000000000/test-backfill
2 changes: 2 additions & 0 deletions .github/workflows/on-push.yml
Expand Up @@ -43,6 +43,7 @@ jobs:
echo "APP_NAME=jira" >> .env
echo "APP_ID=${{ secrets.E2E_GITHUB_APP_ID }}" >> .env
echo "WEBHOOK_SECRETS=${{ secrets.E2E_GITHUB_WEBHOOK_SECRETS }}" >> .env
echo "COOKIE_SESSION_KEY=${{ secrets.E2E_COOKIE_SESSION_KEY }}" >> .env
echo "GITHUB_CLIENT_ID=${{ secrets.E2E_GITHUB_CLIENT_ID }}" >> .env
echo "GITHUB_CLIENT_SECRET=${{ secrets.E2E_GITHUB_CLIENT_SECRET }}" >> .env
echo "PRIVATE_KEY_PATH=jira-test.pem" >> .env
Expand Down Expand Up @@ -95,6 +96,7 @@ jobs:
echo "APP_NAME=jira-e2e" >> .env
echo "APP_ID=${{ secrets.E2E_GITHUB_APP_ID }}" >> .env
echo "WEBHOOK_SECRETS=${{ secrets.E2E_GITHUB_WEBHOOK_SECRETS }}" >> .env
echo "COOKIE_SESSION_KEY=${{ secrets.E2E_COOKIE_SESSION_KEY }}" >> .env
echo "GITHUB_CLIENT_ID=${{ secrets.E2E_GITHUB_CLIENT_ID }}" >> .env
echo "GITHUB_CLIENT_SECRET=${{ secrets.E2E_GITHUB_CLIENT_SECRET }}" >> .env
echo "PRIVATE_KEY_PATH=jira-e2e-test.pem" >> .env
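Review bot: Both run steps now read `secrets.E2E_COOKIE_SESSION_KEY` (this hunk and the one at @@ -95), and an Actions secret that has not been created evaluates to an empty string, so a missing secret silently writes `COOKIE_SESSION_KEY=` into `.env` instead of failing the workflow; whether `envCheck` in src/config/env.ts rejects an empty value is not visible from this page. Worth confirming the secret exists in the repository (and in any environment scope these jobs run under) before merging, or failing early with a line such as `test -n "${{ secrets.E2E_COOKIE_SESSION_KEY }}" || { echo "E2E_COOKIE_SESSION_KEY is not set"; exit 1; }` ahead of the `.env` writes. Both run steps start and end outside their hunks.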
3 changes: 3 additions & 0 deletions github-for-jira.sd.yml
Expand Up @@ -214,6 +214,7 @@ config:
PRIVATE_KEY: vault://secret/data/builds/micros-sv--github-for-jira-dl-admins/github-app-private-key-stg
GITHUB_CLIENT_SECRET: vault://secret/data/builds/micros-sv--github-for-jira-dl-admins/github-app-client-secret-stg
WEBHOOK_SECRETS: vault://secret/data/builds/micros-sv--github-for-jira-dl-admins/github-app-webhook-secrets-stg
COOKIE_SESSION_KEY: vault://secret/data/builds/micros-sv--github-for-jira-dl-admins/github-app-cookie-session-key-stg

CRYPTOR_URL: http://cryptor:26272
CRYPTOR_SIDECAR_CLIENT_IDENTIFICATION_CHALLENGE: "6CF9E6A52167B58CBB0DED180CC8B848" # https://developer.atlassian.com/platform/cryptor/integration/integrating-sidecar/#enabling-ssrf-protection
Expand Down Expand Up @@ -337,6 +338,7 @@ environmentOverrides:
PRIVATE_KEY: vault://secret/data/builds/micros-sv--github-for-jira-dl-admins/github-app-private-key-ddev
GITHUB_CLIENT_SECRET: vault://secret/data/builds/micros-sv--github-for-jira-dl-admins/github-app-client-secret-ddev
WEBHOOK_SECRETS: vault://secret/data/builds/micros-sv--github-for-jira-dl-admins/github-app-webhook-secrets-ddev
COOKIE_SESSION_KEY: vault://secret/data/builds/micros-sv--github-for-jira-dl-admins/github-app-cookie-session-key-ddev
scaling:
instance: t2.small
min: 1
Expand Down Expand Up @@ -509,6 +511,7 @@ environmentOverrides:
PRIVATE_KEY: vault://secret/data/builds/micros-sv--github-for-jira-dl-vault-compliant/github-app-private-key
GITHUB_CLIENT_SECRET: vault://secret/data/builds/micros-sv--github-for-jira-dl-vault-compliant/github-app-client-secret
WEBHOOK_SECRETS: vault://secret/data/builds/micros-sv--github-for-jira-dl-vault-compliant/github-app-webhook-secrets
COOKIE_SESSION_KEY: vault://secret/data/builds/micros-sv--github-for-jira-dl-vault-compliant/github-app-cookie-session-key
CRYPTOR_SIDECAR_CLIENT_IDENTIFICATION_CHALLENGE: "D92A2D7364AC3057D2A90BA9512D8CA0"
scaling:
instance: c5.2xlarge
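Review bot: Because COOKIE_SESSION_KEY is added to the required list in src/config/env.ts in the same PR, each of the three vault references introduced here (stg at @@ -214, ddev at @@ -337, vault-compliant at @@ -509) must be populated before the matching deploy, otherwise the service refuses to start rather than falling back to the previous signing keys. The descriptor gives no way to see that those Vault entries exist, so I would verify all three and record it in the PR description. Any environment override blocks outside these three hunks are not visible here, so I cannot tell whether every environment received the new key.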
2 changes: 2 additions & 0 deletions src/config/env.ts
Expand Up @@ -55,6 +55,7 @@ envCheck(
"APP_URL",
"APP_KEY",
"WEBHOOK_SECRETS",
"COOKIE_SESSION_KEY",
"GITHUB_CLIENT_ID",
"GITHUB_CLIENT_SECRET",
"SQS_BACKFILL_QUEUE_URL",
Expand Down Expand Up @@ -91,6 +92,7 @@ export interface EnvVars {
APP_URL: string;
APP_KEY: string;
WEBHOOK_SECRETS: Array<string>;
COOKIE_SESSION_KEY: string;
GITHUB_CLIENT_ID: string;
GITHUB_CLIENT_SECRET: string;
DATABASE_URL: string;
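Review bot: `COOKIE_SESSION_KEY: string` in EnvVars is undocumented, and unlike `WEBHOOK_SECRETS: Array<string>` just above it (which .env.test shows holding a current and an old value) it is a single string, so this key itself cannot be rotated later without invalidating live sessions unless the middleware is also taught to accept a previous value. A TSDoc comment on the field would make that contract visible: `/** Primary session-cookie signing key (see cookiesession-middleware); rotating it requires keeping the previous value as a verification-only key there. */`. Both the envCheck call and the EnvVars interface start outside their hunks.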
2 changes: 1 addition & 1 deletion src/middleware/cookiesession-middleware.ts
Expand Up @@ -7,7 +7,7 @@ const THIRTY_DAYS_MSEC = 30 * 24 * 60 * 60 * 1000;

// TODO: replace with encryption + Cryptor
export const cookieSessionMiddleware = cookieSession({
keys: [createHashWithSharedSecret(envVars.STORAGE_SECRET), envVars.GITHUB_CLIENT_SECRET],
keys: [envVars.COOKIE_SESSION_KEY, createHashWithSharedSecret(envVars.STORAGE_SECRET), envVars.GITHUB_CLIENT_SECRET],
maxAge: THIRTY_DAYS_MSEC,
signed: true,
sameSite: "none",
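Review bot: The position of `envVars.COOKIE_SESSION_KEY` at the front of `keys` is what makes the rotation safe, but nothing in the file says so, and it determines the cleanup that has to follow: cookie-session signs newly issued cookies with `keys[0]` only and uses the remaining entries just for verification, so `createHashWithSharedSecret(envVars.STORAGE_SECRET)` and `envVars.GITHUB_CLIENT_SECRET` are now legacy verification keys that should be removed once every session issued before this change has expired (maxAge is THIRTY_DAYS_MSEC). Leaving them in longer means the OAuth client secret and the storage secret keep the ability to validate session cookies, which widens the impact of either one leaking. I would add above the `keys:` line: `// keys[0] signs new cookies; the rest only verify sessions issued before COOKIE_SESSION_KEY existed — remove them THIRTY_DAYS_MSEC after rollout.`. The `cookieSession({ ... })` call closes outside the hunk.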