From 6c4eb667bd202050a44c6f4ff2df2d6b63655c32 Mon Sep 17 00:00:00 2001
From: Alysia Broddrick <abroddrick@truss.works>
Date: Mon, 6 May 2024 16:55:19 -0700
Subject: [PATCH 1/3] script add to rotate login cert, needs to get current
 creds

---
 ops/scripts/rotate_login_certs.sh | 39 +++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100755 ops/scripts/rotate_login_certs.sh

diff --git a/ops/scripts/rotate_login_certs.sh b/ops/scripts/rotate_login_certs.sh
new file mode 100755
index 000000000..29fed2a50
--- /dev/null
+++ b/ops/scripts/rotate_login_certs.sh
@@ -0,0 +1,39 @@
+# This script rotates the login.gov credentials, DJANGO_SECRET_KEY and DJANGO_SECRET_LOGIN_KEY that allow for identity sandbox to work on sandboxes and local.
+# The echo prints in this script should serve for documentation for running manually.
+# NOTE: This script was written for MacOS and to be run at the root directory. 
+
+if [ -z "$1" ]; then
+    echo 'Please specify a new space to create (i.e. lmm)' >&2
+    exit 1
+fi
+
+if [ ! $(command -v jq) ] || [ ! $(command -v cf) ]; then
+    echo "jq, and cf packages must be installed. Please install via your preferred manager."
+    exit 1
+fi
+
+cf target -o cisa-dotgov
+
+read -p "Are you logged in to the cisa-dotgov CF org above? (y/n) " -n 1 -r
+echo
+if [[ ! $REPLY =~ ^[Yy]$ ]]
+then
+    cf login -a https://api.fr.cloud.gov --sso
+fi
+echo "targeting space"
+cf target -o "cisa-dotgov" -s $1
+
+echo "Creating new login.gov credentials for $1..."
+django_key=$(python3 -c 'from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())')
+openssl req -nodes -x509 -days 365 -newkey rsa:2048 -keyout private-$1.pem -out public-$1.crt
+login_key=$(base64 -i private-$1.pem)
+jq -n --arg django_key "$django_key" --arg login_key "$login_key" '{"DJANGO_SECRET_KEY":$django_key,"DJANGO_SECRET_LOGIN_KEY":$login_key}' > credentials-$1.json
+# cf uups getgov-credentials -p credentials-$1.json
+
+# echo "Now you will need to update some things for Login. Please sign-in to https://dashboard.int.identitysandbox.gov/."
+# echo "Navigate to our application config: https://dashboard.int.identitysandbox.gov/service_providers/2640/edit?"
+# echo "There are two things to update."
+# echo "1. Remove the old cert associated with the user's email (under Public Certificates)"
+# echo "2. You need to upload the public-$1.crt file generated as part of the previous command. See the "choose cert file" button under Public Certificates."
+
+# echo "Then, tell the developer to update their local .env file by retreiving their credentials from the sandbox"

From b0435e4f2e1bb1cf2cb8e0d9ddf60b56aa8c02b1 Mon Sep 17 00:00:00 2001
From: Alysia Broddrick <abroddrick@truss.works>
Date: Mon, 19 Aug 2024 09:32:43 -0700
Subject: [PATCH 2/3] updated script

---
 ops/scripts/rotate_login_certs.sh | 27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)

diff --git a/ops/scripts/rotate_login_certs.sh b/ops/scripts/rotate_login_certs.sh
index 29fed2a50..a68c053e2 100755
--- a/ops/scripts/rotate_login_certs.sh
+++ b/ops/scripts/rotate_login_certs.sh
@@ -2,10 +2,17 @@
 # The echo prints in this script should serve for documentation for running manually.
 # NOTE: This script was written for MacOS and to be run at the root directory. 
 
+
 if [ -z "$1" ]; then
     echo 'Please specify a new space to create (i.e. lmm)' >&2
     exit 1
 fi
+echo "You need access to the login partner dashboard, otherwise you will not be able to complete the steps in this script (https://dashboard.int.identitysandbox.gov/service_providers/2640)"
+read -p " Do you have access to the partner dashboard mentioned above? (y/n)  " -n 1 -r
+echo
+if [[ ! $REPLY =~ ^[Yy]$ ]]; then
+    exit 1
+fi
 
 if [ ! $(command -v jq) ] || [ ! $(command -v cf) ]; then
     echo "jq, and cf packages must be installed. Please install via your preferred manager."
@@ -27,13 +34,17 @@ echo "Creating new login.gov credentials for $1..."
 django_key=$(python3 -c 'from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())')
 openssl req -nodes -x509 -days 365 -newkey rsa:2048 -keyout private-$1.pem -out public-$1.crt
 login_key=$(base64 -i private-$1.pem)
-jq -n --arg django_key "$django_key" --arg login_key "$login_key" '{"DJANGO_SECRET_KEY":$django_key,"DJANGO_SECRET_LOGIN_KEY":$login_key}' > credentials-$1.json
-# cf uups getgov-credentials -p credentials-$1.json
 
-# echo "Now you will need to update some things for Login. Please sign-in to https://dashboard.int.identitysandbox.gov/."
-# echo "Navigate to our application config: https://dashboard.int.identitysandbox.gov/service_providers/2640/edit?"
-# echo "There are two things to update."
-# echo "1. Remove the old cert associated with the user's email (under Public Certificates)"
-# echo "2. You need to upload the public-$1.crt file generated as part of the previous command. See the "choose cert file" button under Public Certificates."
+echo "Creating the final json"
+cf env getgov-$1 | awk '/VCAP_SERVICES: /,/^$/' | sed s/VCAP_SERVICES:// | jq '."user-provided"[0].credentials' | jq --arg django_key "$django_key" --arg login_key "$login_key" '. + {"DJANGO_SECRET_KEY":$django_key, "DJANGO_SECRET_LOGIN_KEY":$login_key}' > credentials-$1.json
 
-# echo "Then, tell the developer to update their local .env file by retreiving their credentials from the sandbox"
+echo "Updating creds on the sandbox" 
+cf uups getgov-credentials -p credentials-$1.json
+cf restage getgov-$1 --strategy rolling
+
+echo "Now you will need to update some things for Login. Please sign-in to https://dashboard.int.identitysandbox.gov/."
+echo "Navigate to our application config: https://dashboard.int.identitysandbox.gov/service_providers/2640/edit?"
+echo "There are two things to update."
+echo "1. Remove the old cert associated with the user's email (under Public Certificates)"
+echo "2. You need to upload the public-$1.crt file generated as part of the previous command. See the "choose cert file" button under Public Certificates."
+echo "Then, tell the developer to update their local .env file by retreiving their credentials from the sandbox"

From 8e5bf185734b3f4a3c5ed8e96eeb3270caed7adf Mon Sep 17 00:00:00 2001
From: Alysia Broddrick <abroddrick@truss.works>
Date: Tue, 12 Nov 2024 15:47:04 -0800
Subject: [PATCH 3/3] updated with PR feedback

---
 ops/scripts/rotate_login_certs.sh | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/ops/scripts/rotate_login_certs.sh b/ops/scripts/rotate_login_certs.sh
index a68c053e2..abefd8781 100755
--- a/ops/scripts/rotate_login_certs.sh
+++ b/ops/scripts/rotate_login_certs.sh
@@ -1,5 +1,6 @@
 # This script rotates the login.gov credentials, DJANGO_SECRET_KEY and DJANGO_SECRET_LOGIN_KEY that allow for identity sandbox to work on sandboxes and local.
 # The echo prints in this script should serve for documentation for running manually.
+# Run this script once a year for each environment
 # NOTE: This script was written for MacOS and to be run at the root directory. 
 
 
@@ -27,12 +28,12 @@ if [[ ! $REPLY =~ ^[Yy]$ ]]
 then
     cf login -a https://api.fr.cloud.gov --sso
 fi
-echo "targeting space"
-cf target -o "cisa-dotgov" -s $1
+echo "Targeting space"
+cf target -o cisa-dotgov -s $1
 
 echo "Creating new login.gov credentials for $1..."
 django_key=$(python3 -c 'from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())')
-openssl req -nodes -x509 -days 365 -newkey rsa:2048 -keyout private-$1.pem -out public-$1.crt
+openssl req -noenc -x509 -days 365 -newkey rsa:2048 -keyout private-$1.pem -out public-$1.crt
 login_key=$(base64 -i private-$1.pem)
 
 echo "Creating the final json"