Open mjtravers opened 2 years ago
We have the Cloud.gov credentials service has been set up, see ticket #56. The credential service already has the OIDC_RP_CLIENT_ID variable in it so the question is can we move the OIDC_RP_CLIENT_SECRET environment variable into the credential service as well. When this ticket is picked up, let's ask Laura if there was a reason the OIDC_RP_CLIENT_SECRET was not moved into the credentials service and if we could move it there rather than into an S3 service.
Comment from @lbeaufort in #703 which was merged into this ticket:
From https://developers.login.gov/production/#certificate-rotation-process:
Certificate Rotation Process If you are rotating your application’s public/private keypair, or want to add an additional public certificate, please follow the instructions below to add the new certificate to your application’s Login.gov configuration.
Please note that from the time you notify Login.gov of your intent to rotate certificates, it can take up to 2 weeks for the new certificate to be available in production.
Follow this process to initiate certificate rotation: For OIDC integrations or SAML integrations sending signed requests:
Also, found this helpful documentation for another project: https://github.com/GSA/data.gov/wiki/Login.gov-SAML-certificate-rotation-steps
Confirmed with the team during discussion that we would like this ticket to automate the key rotation process, ideally with the ability to kick it off from an fecfile-web-api django-admin management command. This command would need to do the following
1) generate the public/private key pair. 2) upload the public key to login.gov (possibly via api call to an endpoint retrieved from their discovery service, if it exists). NOTE: we will need to confirm if login.gov will deploy the certificate at this point or if there will be a wait time before the next steps can be taken. 3) prepare private key for upload to the credential service. 4) update the credential service service with the new private key. 5) delete the public/private key from the file system and have command cleanup after itself. 6) restart the api to allow new settings to take effect
After discussing with @lbeaufort, in order to minimize the manual steps required to rotate the keys the following implementation will be made:
create a django-admin management 'key generation' command to generation of public/private key pair to use for our login.gov app.
create a django-admin management 'key installation' command to install the staged private key (from step 1) into the api and restart it.
create a django-admin management 'key backout' command to backout the current private key and replace it with the original.
As part of the Login.gov authentication process, private key certificates need to be stored server-side in a secure but easily accessible place. Environment variables in Cloud.gov have proven to be impractical for this purpose. A possible solution is to store the key files in the credentials service or into AWS S3.
As part of this effort:
[x] Move the private key certificates into the credentials service (S3 if this is not possible)
[ ] Develop a strategy for monitoring expiration dates of private keys for login / rotating private keys without downtime (current keys expire June 2024)
| FECFile Web API (DEV) | 2023-06-27 | | FECFile Web API (STAGE) | 2023-08-10 | | FECFile Web API (PROD) | 2024-11-28 |
[x] Verify no other sensitive info is outside the credentials service
Environment variable with SSL key is: OIDC_RP_CLIENT_SECRET
Technical Notes
First option is credentials service. Secondary option is S3.
If S3 option
Acceptance Criteria
QA Notes
null
DEV Notes
null
Design
null
FECFILE-331