add key provisioning for postgres

VAuthenticator · Oct 27, 2024 · 362b8ca · 362b8ca
1 parent 3e40c90
commit 362b8ca
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 11 deletions.
diff --git a/local-environment/local-initializer/database_setup.py b/local-environment/local-initializer/database_setup.py
@@ -74,14 +74,14 @@ def store_client_applications():
 
     serialized_scopes=','.join(scopes)
     cur.execute(
-        f"INSERT INTO CLIENT_APPLICATION (client_app_id, secret,scopes,with_pkce,authorized_grant_types,web_server_redirect_uri,access_token_validity,refresh_token_validity,auto_approve,post_logout_redirect_uri,logout_uri) VALUES ('{client_id}','{pass_encoded(client_secret)}','false','{serialized_scopes}','AUTHORIZATION_CODE,REFRESH_TOKEN','http://local.management.vauthenticator.com:8080/login/oauth2/code/client','180','3600','true','http://local.management.vauthenticator.com:8080/secure/admin/index','http://local.management.vauthenticator.com:8080/logout')"
+        f"INSERT INTO CLIENT_APPLICATION (client_app_id, secret,scopes,with_pkce,authorized_grant_types,web_server_redirect_uri,access_token_validity,refresh_token_validity,auto_approve,post_logout_redirect_uri,logout_uri) VALUES ('{client_id}','{pass_encoded(client_secret)}', '{serialized_scopes}',false,'AUTHORIZATION_CODE,REFRESH_TOKEN','http://local.management.vauthenticator.com:8080/login/oauth2/code/client','180','3600','true','http://local.management.vauthenticator.com:8080/secure/admin/index','http://local.management.vauthenticator.com:8080/logout')"
     )
 
     scopes.add("mfa:always")
     serialized_scopes=','.join(scopes)
     serialized_client_id=f"mfa-{client_id}"
     cur.execute(
-        f"INSERT INTO CLIENT_APPLICATION (client_app_id, secret,scopes,with_pkce,authorized_grant_types,web_server_redirect_uri,access_token_validity,refresh_token_validity,auto_approve,post_logout_redirect_uri,logout_uri) VALUES ('{serialized_client_id}','{pass_encoded(client_secret)}','false','{serialized_scopes}','AUTHORIZATION_CODE,REFRESH_TOKEN','http://local.management.vauthenticator.com:8080/login/oauth2/code/client','180','3600','true','http://local.management.vauthenticator.com:8080/secure/admin/index','http://local.management.vauthenticator.com:8080/logout')"
+        f"INSERT INTO CLIENT_APPLICATION (client_app_id, secret,scopes,with_pkce,authorized_grant_types,web_server_redirect_uri,access_token_validity,refresh_token_validity,auto_approve,post_logout_redirect_uri,logout_uri) VALUES ('{serialized_client_id}','{pass_encoded(client_secret)}','{serialized_scopes}',false,'AUTHORIZATION_CODE,REFRESH_TOKEN','http://local.management.vauthenticator.com:8080/login/oauth2/code/client','180','3600','true','http://local.management.vauthenticator.com:8080/secure/admin/index','http://local.management.vauthenticator.com:8080/logout')"
     )
     conn.commit()
 

diff --git a/local-environment/local-initializer/init.sh b/local-environment/local-initializer/init.sh
@@ -12,7 +12,7 @@ echo "TABLES_SUFFIX: $TABLES_SUFFIX"
 echo "KMS_ENDPOINT: $KMS_ENDPOINT"
 echo "DYNAMO_DB_ENDPOINT: $DYNAMO_DB_ENDPOINT"
 
-python3 key_setup.py $MASTER_KEY $TABLES_SUFFIX
+python3 key_setup.py $MASTER_KEY $TABLES_SUFFIX host.docker.internal
 python3 setup.py [email protected] $TABLES_SUFFIX
 python3 database_setup.py [email protected] host.docker.internal
 

diff --git a/local-environment/local-initializer/key_setup.py b/local-environment/local-initializer/key_setup.py
@@ -34,18 +34,23 @@ def kmsClient():
 
 def store_key(key_table_name, master_key):
     key_pair = kms_client.generate_data_key_pair(KeyId=master_key, KeyPairSpec='RSA_2048')
+
+    master_key_id=key_pair["KeyId"].split("/")[1]
+    key_id=str(uuid.uuid4())
+    encrypted_private_key=base64.b64encode(key_pair["PrivateKeyCiphertextBlob"]).decode()
+    public_key=base64.b64encode(key_pair["PublicKey"]).decode()
+
     if os.getenv("experimental_database_persistence"):
         cur.execute(
-            f" INSERT INTO KEYS(master_key_id, key_id, key_purpose, key_type, encrypted_private_key, public_key, enabled, key_expiration_date_timestamp)  VALUES('{key_pair["KeyId"].split("/")[1]}', '{str(uuid.uuid4()),}', 'SIGNATURE', 'ASYMMETRIC', '{base64.b64encode(key_pair["PrivateKeyCiphertextBlob"]).decode()}','{base64.b64encode(key_pair["PublicKey"]).decode()}' True, 0)")
+            f"INSERT INTO KEYS (master_key_id, key_id, key_purpose, key_type, encrypted_private_key, public_key, enabled, key_expiration_date_timestamp)  VALUES ('{master_key_id}', '{key_id}', 'SIGNATURE', 'ASYMMETRIC', '{encrypted_private_key}','{public_key}', true, 0)")
         conn.commit()
-
     else:
         table = dynamodb.Table(key_table_name)
         table.put_item(Item={
-            "master_key_id": key_pair["KeyId"].split("/")[1],
-            "key_id": str(uuid.uuid4()),
-            "encrypted_private_key": base64.b64encode(key_pair["PrivateKeyCiphertextBlob"]).decode(),
-            "public_key": base64.b64encode(key_pair["PublicKey"]).decode(),
+            "master_key_id": master_key_id,
+            "key_id": key_id,
+            "encrypted_private_key": encrypted_private_key,
+            "public_key": public_key,
             "key_purpose": "SIGNATURE",
             "key_type": "ASYMMETRIC",
             "enabled": True
@@ -56,9 +61,8 @@ def store_key(key_table_name, master_key):
     input_master_key = sys.argv[1]
     input_key_table_name = f'VAuthenticator_Signature_Keys{sys.argv[2]}'
 
-    store_key(input_key_table_name, input_master_key)
-
     if os.getenv("experimental_database_persistence"):
+        database_host=sys.argv[3]
         conn = psycopg2.connect(database="postgres",
                                 host=database_host,
                                 user="postgres",
@@ -70,3 +74,6 @@ def store_key(key_table_name, master_key):
 
         cur.close()
         conn.close()
+    else:
+        store_key(input_key_table_name, input_master_key)
+