Rotate DANGEROUS_SALT in staging

[sastels]

Description

As a Notify dev, I need to be able to test our DANGEROUS_SALT rotations

WHY are we building?

Want to precisely document the steps for rotating DANGEROUS_SALT and ensure that it's fully tested

WHAT are we building?

Steps for rotating the DANGEROUS_SALT and testing along the way

VALUE created by our solution

We can confidently rotate in production

Acceptance Criteria

• [x] Validate the usage of the DANGEROUS_SALT usage documentation in corresponding ADR. Make sure it is up to date. Verify that the only usage is for salting passwords before hashing:
  • [x] https://github.com/cds-snc/notification-admin
  • [x] https://github.com/cds-snc/notification-api
  • [x] https://github.com/cds-snc/notification-document-download-api
  • [x] https://github.com/cds-snc/notification-terraform
  • [x] https://github.com/cds-snc/notification-manifests
  • [x] https://github.com/cds-snc/notification-utils
  • [x] https://github.com/cds-snc/notification-lambdas
• [x] create a script to resign the database fields (ie using the new fixed salts)
• [x] create a script for expiring user passwords. Put it in the attic and link to in the rotation document.
• [x] create a plan for rotating DANGEROUS_SALT in the rotation document
• [x] test the rotation plan

QA Steps

Apply the plan for rotation as described in the document and perform the following steps for testing.

• [x] You go through the expired password flow when trying to log in
• [x] You can log in
• [x] you can log out
• [x] you can log in again without going through the expired password flow

[sastels]

Added a script to expire passwords to the attic

Instructions for rotating DANGEROUS_SALT modified.

[sastels]

PR to rotate staging DANGEROUS_SALT https://github.com/cds-snc/notification-manifests/pull/1728

[jimleroyer]

Still in progress, testing the salt change in staging today.

[sastels]

rotated in staging, passwords were expired, all worked as expected.