Open mar235av opened 4 weeks ago
credentials directory, and add it to the .gitignore
PR ready for review: https://github.com/UWIT-IAM/uw-idp-custom/pull/54/files
I've already copied the credentials files to the credentials/ on the prod servers, though they're not being used. Once pushed, we'll need to delete the old copies.
I don't seem to have access to the eval servers, so I couldn't copy the configs over on those. Will look into getting those perms.
After discussing with Stevie, we decided to make some changes. Primarily, instead of checking in a credentials directory (which would be confusing since most of the files in the deployed credentials/ directory are not checked in), we created a sample_credentials directory which contains a README describing the expected contents and a few files that illustrate the expected properties without revealing any secrets. I checked in the changes on a new branch and verified them on the dev domain, noting that this required rebuilding the Python environment (following the documented process in the README.python file) since a new module dependency was added.
In the local-bin directory, the spreg_processor.py script downloads configuration data from the SPReg database. The database connection parameters (including the account password) are stored in the spreg_conf.py file in the same directory. The SSL connection files are also in the same directory. These secrets should not be in the local-bin directory with the source code, as proper segregation of secret data is a best security practice for multiple reasons.
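As an added example (not code from the uw-idp-custom project or from this PR), here is a small loader that reads the SPReg connection settings from a credentials/ directory kept apart from local-bin, refuses a settings file that is group- or world-readable, and refuses an unedited copy of sample_credentials. The file name spreg_db.json, the REPLACE_ME marker and the JSON layout are assumptions; the demo builds a constructed credentials tree in a temporary directory.

```python
import json, stat, tempfile
from pathlib import Path

CONF_NAME = "spreg_db.json"  # hypothetical file name; the issue only names the directories
PLACEHOLDER = "REPLACE_ME"   # marker used in the checked-in sample_credentials copy
REQUIRED = ("host", "database", "user", "password", "sslcert", "sslkey", "sslrootcert")

def require_private(path: Path) -> None:
    # Secret files must be owner-only; refuse anything group/other can read.
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} has mode {oct(mode)}; expected 0600")

def load_spreg_config(cred_dir: Path) -> dict:
    """Load DB settings from credentials/, not from a module beside the source."""
    cred_dir = Path(cred_dir).resolve()
    require_private(cred_dir / CONF_NAME)
    conf = json.loads((cred_dir / CONF_NAME).read_text())
    # An unedited sample_credentials copy must fail loudly (a missing key raises KeyError).
    if any(PLACEHOLDER in str(conf[k]) for k in REQUIRED):
        raise ValueError("placeholder from sample_credentials still present")
    for key in ("sslcert", "sslkey", "sslrootcert"):
        p = (cred_dir / conf[key]).resolve()
        if cred_dir not in p.parents or not p.is_file():
            raise FileNotFoundError(f"{key} must be a file inside {cred_dir}")
    return conf

def write_demo_credentials(root: Path, password: str, mode: int = 0o600) -> Path:
    """Constructed credentials/ tree for the demo; nothing in it is a real secret."""
    cred = root / "credentials"
    cred.mkdir(parents=True)
    for name in ("client.crt", "client.key", "root.crt"):
        (cred / name).write_text("constructed placeholder, not a real PEM\n")
    conf = dict(host="db.example.invalid", database="spreg", user="spreg_ro", password=password,
                sslcert="client.crt", sslkey="client.key", sslrootcert="root.crt")
    (cred / CONF_NAME).write_text(json.dumps(conf))
    (cred / CONF_NAME).chmod(mode)
    return cred

def demo() -> dict:
    # Outcome of loading a good tree, a world-readable one, and an unedited sample copy.
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        out["good"] = load_spreg_config(write_demo_credentials(Path(tmp) / "a", "s3cret"))["user"]
        for label, args in (("world_readable", ("s3cret", 0o644)), ("sample", (PLACEHOLDER,))):
            try:
                load_spreg_config(write_demo_credentials(Path(tmp) / label, *args))
                out[label] = "loaded"
            except (PermissionError, ValueError) as exc:
                out[label] = type(exc).__name__
    return out
```

Pointing spreg_processor.py at `load_spreg_config(...)` instead of `import spreg_conf` keeps the password and SSL files out of the source tree, and a deployment that forgot to replace the sample values fails at startup rather than connecting with a placeholder.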