mirror of
https://github.com/cisagov/manage.get.gov.git
synced 2025-07-23 19:20:47 +02:00
Merge branch 'main' of https://github.com/cisagov/manage.get.gov into hotgov/2594-design-review
This commit is contained in:
commit
295060351f
1 changed files with 51 additions and 0 deletions
51
ops/scripts/rotate_login_certs.sh
Executable file
51
ops/scripts/rotate_login_certs.sh
Executable file
|
@ -0,0 +1,51 @@
|
||||||
|
# This script rotates the login.gov credentials, DJANGO_SECRET_KEY and DJANGO_SECRET_LOGIN_KEY that allow for identity sandbox to work on sandboxes and local.
|
||||||
|
# The echo prints in this script should serve for documentation for running manually.
|
||||||
|
# Run this script once a year for each environment
|
||||||
|
# NOTE: This script was written for MacOS and to be run at the root directory.
|
||||||
|
|
||||||
|
|
||||||
|
if [ -z "$1" ]; then
|
||||||
|
echo 'Please specify a new space to create (i.e. lmm)' >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
echo "You need access to the login partner dashboard, otherwise you will not be able to complete the steps in this script (https://dashboard.int.identitysandbox.gov/service_providers/2640)"
|
||||||
|
read -p " Do you have access to the partner dashboard mentioned above? (y/n) " -n 1 -r
|
||||||
|
echo
|
||||||
|
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ ! $(command -v jq) ] || [ ! $(command -v cf) ]; then
|
||||||
|
echo "jq, and cf packages must be installed. Please install via your preferred manager."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
cf target -o cisa-dotgov
|
||||||
|
|
||||||
|
read -p "Are you logged in to the cisa-dotgov CF org above? (y/n) " -n 1 -r
|
||||||
|
echo
|
||||||
|
if [[ ! $REPLY =~ ^[Yy]$ ]]
|
||||||
|
then
|
||||||
|
cf login -a https://api.fr.cloud.gov --sso
|
||||||
|
fi
|
||||||
|
echo "Targeting space"
|
||||||
|
cf target -o cisa-dotgov -s $1
|
||||||
|
|
||||||
|
echo "Creating new login.gov credentials for $1..."
|
||||||
|
django_key=$(python3 -c 'from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())')
|
||||||
|
openssl req -noenc -x509 -days 365 -newkey rsa:2048 -keyout private-$1.pem -out public-$1.crt
|
||||||
|
login_key=$(base64 -i private-$1.pem)
|
||||||
|
|
||||||
|
echo "Creating the final json"
|
||||||
|
cf env getgov-$1 | awk '/VCAP_SERVICES: /,/^$/' | sed s/VCAP_SERVICES:// | jq '."user-provided"[0].credentials' | jq --arg django_key "$django_key" --arg login_key "$login_key" '. + {"DJANGO_SECRET_KEY":$django_key, "DJANGO_SECRET_LOGIN_KEY":$login_key}' > credentials-$1.json
|
||||||
|
|
||||||
|
echo "Updating creds on the sandbox"
|
||||||
|
cf uups getgov-credentials -p credentials-$1.json
|
||||||
|
cf restage getgov-$1 --strategy rolling
|
||||||
|
|
||||||
|
echo "Now you will need to update some things for Login. Please sign-in to https://dashboard.int.identitysandbox.gov/."
|
||||||
|
echo "Navigate to our application config: https://dashboard.int.identitysandbox.gov/service_providers/2640/edit?"
|
||||||
|
echo "There are two things to update."
|
||||||
|
echo "1. Remove the old cert associated with the user's email (under Public Certificates)"
|
||||||
|
echo "2. You need to upload the public-$1.crt file generated as part of the previous command. See the "choose cert file" button under Public Certificates."
|
||||||
|
echo "Then, tell the developer to update their local .env file by retreiving their credentials from the sandbox"
|
Loading…
Add table
Add a link
Reference in a new issue