Merge pull request #28 from GitGuardian/ggueutier/add-secret-rotation-script

feat(secret-key): add secret key rotation script

Author: ggguardian

README.md

@@ -14,3 +14,4 @@ Below is a brief overview of the tools available in this repository:
 | [honeytoken-tools](./honeytoken-tools)                               | Script to disseminate honeytokens in your repositories via Pull Requests                                                                                                                                                                                           |
 | [team-mapping-github-gitguardian](./team-mapping-github-gitguardian) | An example script using the GitHub and GitGuardian APIs to map GitHub Teams and the repositories they own to GitGuardian Teams and their perimeters.                                                                                                               |
 | [team-mapping-gitlab-gitguardian](./team-mapping-gitlab-gitguardian) | An example script using the Gitlab and GitGuardian APIs to map Gitlab Groups and the repositories they own to GitGuardian Teams and their perimeters.                                                                                                              |
+| [secret-key-rotation](./secret-key-rotation) | Rotate the Database Encrytion Secret Key. |

secret-key-rotation/README.md

@@ -0,0 +1,3 @@
+# Rotate the Django Secret Key
+
+To rotate the secret key used to encrypt GitGuardian’s PostgreSQL database data, follow the procedure described in [GitGuardian’s public documentation](https://docs.gitguardian.com/self-hosting/security/database-security).

secret-key-rotation/scripts/gitguardian_secret_key.sh

@@ -0,0 +1,117 @@
+#!/bin/bash
+
+set -e
+
+
+fetch_secret_keys() {
+    # Fetch secret keys using provided namespace
+    secret_key=$(kubectl get secret "${namespace[@]}" $secret_name \
+                  -o jsonpath='{.data.DJANGO_SECRET_KEY}' | base64 --decode)
+    encryption_keys=$(kubectl get secret "${namespace[@]}" $secret_name \
+                  -o jsonpath='{.data.ENCRYPTION_KEYS}' | base64 --decode)
+    echo "Django secret key hash: $(echo -n "$secret_key" | md5)"
+    if [ -z "$encryption_keys" ]; then echo "No encryption keys found, Django secret key is thus used for DB encryption"; fi
+    for key in ${encryption_keys//,/ }; do   # loop over comma separated
+        echo "DB encryption key hash: $(echo -n "$key" | md5)"
+    done
+}
+
+rotate_secret_keys() {
+  echo "Starting rotation of encryption keys in namespace ${namespace[1]}"
+  echo "After deployment, this will invalidate all current user sessions, as well as password reset links"
+  echo "Complete rotation will be done after completion of all rotation jobs in admin area"
+  echo "Do you want to continue? [yN]" && read -r confirm && [[ "$confirm" == [yY]  ]] || exit 1
+
+  backup=$(mktemp)
+  kubectl kots get config --appslug	$app_name "${namespace[@]}" --decrypt > "$backup"
+  echo "Backup of KOTS config written to $backup"
+  # Generate new django secret key
+  new_django_key=$(LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c 50 )
+  echo "Setting new key with hash $(echo -n "$new_django_key" | md5)"
+  current_key=$(kubectl get secret "${namespace[@]}" $secret_name \
+                  -o jsonpath='{.data.DJANGO_SECRET_KEY}' | base64 --decode)
+  current_encryption_keys=$(kubectl get secret "${namespace[@]}" $secret_name \
+                -o jsonpath='{.data.ENCRYPTION_KEYS}' | base64 --decode)
+
+  # new encryption starts with new key, that will be used for re-encryption, then current key for fallback
+  if [ -n "$current_encryption_keys" ]; then
+    new_encryption_keys=$(echo -n "$new_django_key,$current_encryption_keys,$current_key")
+  else
+    new_encryption_keys=$(echo -n "$new_django_key,$current_key")
+  fi
+  config_values=$(mktemp)
+  trap "rm -f $config_values" EXIT
+  cat <<EOF > "$config_values"
+apiVersion: kots.io/v1beta1
+kind: ConfigValues
+spec:
+  values:
+    django_secret_key:
+      value: $new_django_key
+    db_encryption_keys:
+      value: $new_encryption_keys
+EOF
+
+  # Set it directly in KOTS config values
+  kubectl kots set config $app_name "${namespace[@]}"  \
+              --config-file "$config_values" --merge
+
+  echo "App configuration is updated with new keys"
+  echo "Please go to the admin console and deploy the new version"
+  echo "When completed, go to the admin area to perform the rotation of the database encrypted fields"
+  echo "Do you want to launch admin console now? [yN]" && read -r launch
+  [[ "$launch" == [yY]  ]] && kubectl kots admin-console "${namespace[@]}"
+}
+
+namespace=()
+
+usage() {
+  echo "GitGuardian secrets rotation"
+  echo "Usage: $0 [--namespace NAMESPACE] (status|rotate)"
+  exit 0
+}
+
+# Parse command line options
+while [[ $# -gt 0 ]]
+do
+    key="$1"
+    case $key in
+        --namespace|-n)
+            namespace=( "--namespace" "$2" )
+            shift # past argument
+            shift # past value
+            ;;
+        status)
+            action=fetch_secret_keys
+            shift # past argument
+            ;;
+        rotate)
+            action=rotate_secret_keys
+            shift # past argument
+            ;;
+        --help|-h|help)
+            usage=1
+            shift ;;
+        *)
+            # Unknown option
+            echo "Unknown action: $key"
+            ;;
+    esac
+done
+
+[ -n "$usage" ] && usage
+if [ -z "$action" ] && [ -z "$usage" ]; then echo "No action specified"; exit 1; fi
+if [ -z "${namespace[*]}" ]; then echo "No namespace specified"; exit 1; fi
+
+app_name=$(kubectl kots get apps "${namespace[@]}" | cut -d ' ' -f 1 | tail -n 1)
+
+case "$app_name" in
+  gitguardian-seal)  # v1 legacy
+    secret_name="gitguardian-env-variables" ;;
+  gitguardian)       # v2
+    secret_name="gim-secrets" ;;
+  *)
+    echo "Unknown app name: $app_name" && exit 1 ;;
+esac
+
+[ -n "$action" ] && eval "$action"