From 6c4eb667bd202050a44c6f4ff2df2d6b63655c32 Mon Sep 17 00:00:00 2001 From: Alysia Broddrick Date: Mon, 6 May 2024 16:55:19 -0700 Subject: [PATCH 1/3] script add to rotate login cert, needs to get current creds --- ops/scripts/rotate_login_certs.sh | 39 +++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100755 ops/scripts/rotate_login_certs.sh diff --git a/ops/scripts/rotate_login_certs.sh b/ops/scripts/rotate_login_certs.sh new file mode 100755 index 000000000..29fed2a50 --- /dev/null +++ b/ops/scripts/rotate_login_certs.sh @@ -0,0 +1,39 @@ +# This script rotates the login.gov credentials, DJANGO_SECRET_KEY and DJANGO_SECRET_LOGIN_KEY that allow for identity sandbox to work on sandboxes and local. +# The echo prints in this script should serve for documentation for running manually. +# NOTE: This script was written for MacOS and to be run at the root directory. + +if [ -z "$1" ]; then + echo 'Please specify a new space to create (i.e. lmm)' >&2 + exit 1 +fi + +if [ ! $(command -v jq) ] || [ ! $(command -v cf) ]; then + echo "jq, and cf packages must be installed. Please install via your preferred manager." + exit 1 +fi + +cf target -o cisa-dotgov + +read -p "Are you logged in to the cisa-dotgov CF org above? (y/n) " -n 1 -r +echo +if [[ ! $REPLY =~ ^[Yy]$ ]] +then + cf login -a https://api.fr.cloud.gov --sso +fi +echo "targeting space" +cf target -o "cisa-dotgov" -s $1 + +echo "Creating new login.gov credentials for $1..." +django_key=$(python3 -c 'from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())') +openssl req -nodes -x509 -days 365 -newkey rsa:2048 -keyout private-$1.pem -out public-$1.crt +login_key=$(base64 -i private-$1.pem) +jq -n --arg django_key "$django_key" --arg login_key "$login_key" '{"DJANGO_SECRET_KEY":$django_key,"DJANGO_SECRET_LOGIN_KEY":$login_key}' > credentials-$1.json +# cf uups getgov-credentials -p credentials-$1.json + +# echo "Now you will need to update some things for Login. Please sign-in to https://dashboard.int.identitysandbox.gov/." +# echo "Navigate to our application config: https://dashboard.int.identitysandbox.gov/service_providers/2640/edit?" +# echo "There are two things to update." +# echo "1. Remove the old cert associated with the user's email (under Public Certificates)" +# echo "2. You need to upload the public-$1.crt file generated as part of the previous command. See the "choose cert file" button under Public Certificates." + +# echo "Then, tell the developer to update their local .env file by retreiving their credentials from the sandbox" From b0435e4f2e1bb1cf2cb8e0d9ddf60b56aa8c02b1 Mon Sep 17 00:00:00 2001 From: Alysia Broddrick Date: Mon, 19 Aug 2024 09:32:43 -0700 Subject: [PATCH 2/3] updated script --- ops/scripts/rotate_login_certs.sh | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/ops/scripts/rotate_login_certs.sh b/ops/scripts/rotate_login_certs.sh index 29fed2a50..a68c053e2 100755 --- a/ops/scripts/rotate_login_certs.sh +++ b/ops/scripts/rotate_login_certs.sh @@ -2,10 +2,17 @@ # The echo prints in this script should serve for documentation for running manually. # NOTE: This script was written for MacOS and to be run at the root directory. + if [ -z "$1" ]; then echo 'Please specify a new space to create (i.e. lmm)' >&2 exit 1 fi +echo "You need access to the login partner dashboard, otherwise you will not be able to complete the steps in this script (https://dashboard.int.identitysandbox.gov/service_providers/2640)" +read -p " Do you have access to the partner dashboard mentioned above? (y/n) " -n 1 -r +echo +if [[ ! $REPLY =~ ^[Yy]$ ]]; then + exit 1 +fi if [ ! $(command -v jq) ] || [ ! $(command -v cf) ]; then echo "jq, and cf packages must be installed. Please install via your preferred manager." @@ -27,13 +34,17 @@ echo "Creating new login.gov credentials for $1..." django_key=$(python3 -c 'from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())') openssl req -nodes -x509 -days 365 -newkey rsa:2048 -keyout private-$1.pem -out public-$1.crt login_key=$(base64 -i private-$1.pem) -jq -n --arg django_key "$django_key" --arg login_key "$login_key" '{"DJANGO_SECRET_KEY":$django_key,"DJANGO_SECRET_LOGIN_KEY":$login_key}' > credentials-$1.json -# cf uups getgov-credentials -p credentials-$1.json -# echo "Now you will need to update some things for Login. Please sign-in to https://dashboard.int.identitysandbox.gov/." -# echo "Navigate to our application config: https://dashboard.int.identitysandbox.gov/service_providers/2640/edit?" -# echo "There are two things to update." -# echo "1. Remove the old cert associated with the user's email (under Public Certificates)" -# echo "2. You need to upload the public-$1.crt file generated as part of the previous command. See the "choose cert file" button under Public Certificates." +echo "Creating the final json" +cf env getgov-$1 | awk '/VCAP_SERVICES: /,/^$/' | sed s/VCAP_SERVICES:// | jq '."user-provided"[0].credentials' | jq --arg django_key "$django_key" --arg login_key "$login_key" '. + {"DJANGO_SECRET_KEY":$django_key, "DJANGO_SECRET_LOGIN_KEY":$login_key}' > credentials-$1.json -# echo "Then, tell the developer to update their local .env file by retreiving their credentials from the sandbox" +echo "Updating creds on the sandbox" +cf uups getgov-credentials -p credentials-$1.json +cf restage getgov-$1 --strategy rolling + +echo "Now you will need to update some things for Login. Please sign-in to https://dashboard.int.identitysandbox.gov/." +echo "Navigate to our application config: https://dashboard.int.identitysandbox.gov/service_providers/2640/edit?" +echo "There are two things to update." +echo "1. Remove the old cert associated with the user's email (under Public Certificates)" +echo "2. You need to upload the public-$1.crt file generated as part of the previous command. See the "choose cert file" button under Public Certificates." +echo "Then, tell the developer to update their local .env file by retreiving their credentials from the sandbox" From 8e5bf185734b3f4a3c5ed8e96eeb3270caed7adf Mon Sep 17 00:00:00 2001 From: Alysia Broddrick Date: Tue, 12 Nov 2024 15:47:04 -0800 Subject: [PATCH 3/3] updated with PR feedback --- ops/scripts/rotate_login_certs.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/ops/scripts/rotate_login_certs.sh b/ops/scripts/rotate_login_certs.sh index a68c053e2..abefd8781 100755 --- a/ops/scripts/rotate_login_certs.sh +++ b/ops/scripts/rotate_login_certs.sh @@ -1,5 +1,6 @@ # This script rotates the login.gov credentials, DJANGO_SECRET_KEY and DJANGO_SECRET_LOGIN_KEY that allow for identity sandbox to work on sandboxes and local. # The echo prints in this script should serve for documentation for running manually. +# Run this script once a year for each environment # NOTE: This script was written for MacOS and to be run at the root directory. @@ -27,12 +28,12 @@ if [[ ! $REPLY =~ ^[Yy]$ ]] then cf login -a https://api.fr.cloud.gov --sso fi -echo "targeting space" -cf target -o "cisa-dotgov" -s $1 +echo "Targeting space" +cf target -o cisa-dotgov -s $1 echo "Creating new login.gov credentials for $1..." django_key=$(python3 -c 'from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())') -openssl req -nodes -x509 -days 365 -newkey rsa:2048 -keyout private-$1.pem -out public-$1.crt +openssl req -noenc -x509 -days 365 -newkey rsa:2048 -keyout private-$1.pem -out public-$1.crt login_key=$(base64 -i private-$1.pem) echo "Creating the final json"