Resigning data at rest when SECRET_KEY changes

[sastels]

Description

As a Notify developer, I need to be able to easily rotate our signing key

WHY are we building?

Need to be able to rotate our signing key without downtime

WHAT are we building?

Code to allow the signing key to be rotated and any signed database fields resigned.

VALUE created by our solution

Can rotate the signing key without downtime

Acceptance Criteria

• [ ] We are following the best practices recommended by the itsdangerous library.
• [ ] We can rotate the signing key without downtime.
• [ ] Update the secrets rotation documentation with the latest command line tool for rotating the dangerous secret key.

QA Steps

• [ ] Tested locally.
• [ ] Tested in staging.

[sastels]

Made some improvements to the code and in particular the testing. Ready for exhaustive local testing.

[sastels]

Found a problem with get_api_key_by_secret() when you've rotated keys but not resigned the database yet. Fixed. Continuing with testing...

[sastels]

changed the resigner tests to leave the CryptoSigners in their original state. Needed to get some other tests to pass (and a good practice)

[sastels]

https://github.com/cds-snc/notification-api/pull/1789 tested locally

[jimleroyer]

@ben851 to QA pair with @sastels

[ben851]

• To be done during the core group session

[ben851]

Validated locally with @sastels, approved PR.