Merge pull request #92 from NHSDigital/age

tvararu · web-flow · commit a56735d98b5b · 2025-09-10T20:12:51.000+07:00
Add encrypted secret storage
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,41 @@
+.git
+.github
+.version
+*.code-workspace
+.DS_Store
+.env
+mise.local.toml
+mise.*.local.toml
+.venv/
+__pycache__/
+.ruff_cache/
+node_modules/
+.idea/
+.vscode/
+mavis/reporting/static/css/*
+!mavis/reporting/static/css/.keep
+mavis/reporting/static/js/*
+!mavis/reporting/static/js/.keep
+mavis/reporting/static/favicons/*
+!mavis/reporting/static/favicons/.keep
+.coverage
+htmlcov/
+coverage.svg
+coverage.xml
+.pytest_cache/
+tmp/
+!tmp/.keep
+config/credentials/*.key
+!config/credentials/development.key
+*.pyc
+*.pyo
+*.pyd
+*.log
+*.swp
+*.swo
+*~
+Dockerfile
+.dockerignore
+README.md
+docs/
+tests/
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -2,6 +2,9 @@ name: CI
 
 on: [push]
 
+env:
+  MISE_ENV: development
+
 jobs:
   gitleaks:
     runs-on: ubuntu-latest
diff --git a/.gitignore b/.gitignore
@@ -32,3 +32,6 @@ coverage.xml
 .pytest_cache
 tmp
 !tmp/.keep
+
+config/credentials/*.key
+!config/credentials/development.key
diff --git a/.gitleaks.toml b/.gitleaks.toml
@@ -0,0 +1,3 @@
+[[allowlists]]
+description = "Allow development key"
+paths = ["config/credentials/development.key"]
diff --git a/Dockerfile b/Dockerfile
@@ -1,35 +1,41 @@
-FROM python:3.13.7-alpine AS builder
-
+FROM python:3.13.7-alpine AS base
 WORKDIR /app
 
-ADD package.json package-lock.json pyproject.toml uv.lock /app/
+ARG MISE_ENV=staging
+ENV MISE_ENV=${MISE_ENV} \
+    MISE_TASK_RUN_AUTO_INSTALL=false \
+    PATH="/root/.local/share/mise/shims:$PATH"
+
+RUN apk add --no-cache mise sops uv
 
-RUN apk add build-base libffi-dev npm bash curl
+# Builder image
+FROM base AS builder
 
-RUN pip install uv
+RUN apk add --no-cache build-base libffi-dev bash npm
 
-ADD ./mavis/reporting /app/mavis/reporting
-ADD README.md /app/
+ADD mise.toml /app/
+RUN mise trust
 
-RUN uv sync --frozen
-RUN npm install
+ADD package.json package-lock.json pyproject.toml uv.lock /app/
+ADD mavis/reporting /app/mavis/reporting
+RUN mise build
 
-FROM builder
+# Runtime image
+FROM base
 
-WORKDIR /app
+COPY --from=builder /app/.venv /app/.venv
+COPY --from=builder /app/mavis /app/mavis
+COPY --from=builder /app/pyproject.toml /app/pyproject.toml
 
-RUN mkdir -p mavis/reporting/static/favicons && \
-    cp -r node_modules/nhsuk-frontend/dist/nhsuk/assets/images/* mavis/reporting/static/favicons/ && \
-    npm run build:scss && npm run build:js
+ADD config/credentials/*.enc.yaml /app/config/credentials/
+ADD mise.*.toml /app/
 
-RUN addgroup --gid 1000 app
-RUN adduser app -h /app -u 1000 -G app -DH
-RUN mkdir -p /app/.cache/uv && chown -R app:app /app/.cache
-RUN chown -R app:app /app/.venv
+RUN addgroup --gid 1000 app && \
+    adduser app -h /app -u 1000 -G app -DH && \
+    chown -R app:app /app
 
 USER 1000
+RUN mise trust --all
 
-VOLUME ["/tmp", "/var/tmp", "/usr/tmp", "/app/.cache", "/app/.venv"]
-
-# pass through additional arguments like --workers=5 via GUNICORN_CMD_ARGS
-CMD ["uv", "run", "gunicorn", "--bind", "0.0.0.0:5000", "mavis.reporting:create_app()"]
+ENV PORT=5000
+CMD ["sh", "-c", "mise exec -- uv run --no-sync gunicorn --bind 0.0.0.0:${PORT} 'mavis.reporting:create_app()'"]
diff --git a/README.md b/README.md
@@ -8,10 +8,8 @@ Please see the main Mavis repository for [how to install
 mise](https://github.com/nhsuk/manage-vaccinations-in-schools?tab=readme-ov-file#mise).
 
 ```sh
-mise install                               # Install dev tools
-cp mise.local.toml.example mise.local.toml # Fill in shared secrets
-mise dev                                   # Run dev server
-mise ci                                    # Run CI tests
+mise dev --env development                 # Run dev server
+mise ci --env development                  # Run CI tests
 ```
 
 The application will be available at <http://localhost:4001>.
@@ -23,8 +21,8 @@ below for details.
 ## Other tasks
 
 ```sh
-mise tasks # See all available tasks
-mise env   # See all available environment variables
+mise tasks                                 # See all available tasks
+mise env --env development                 # See env vars and dev secrets
 ```
 
 ### Docker
@@ -36,44 +34,33 @@ environment:
 mise docker
 ```
 
-Different environment variables can be overwritten in `mise.local.toml`.
+## Runtime dependencies
 
-### Gunicorn arguments
+This application authenticates with the main Mavis application using the [OAuth
+2.0 Authorization Code
+flow](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1).
 
-Additional parameters to the `gunicorn` executable (for instance, the number of
-workers) can be passed through with the `GUNICORN_CMD_ARGS` environment
-variable.
+Mavis should already have the development secrets set up in the development
+environment. Make sure to turn on the `reporting_api` feature flag.
 
-Example:
+## Secrets
 
-```bash
-% HOST_PORT=5555 GUNICORN_CMD_ARGS="--workers=5" mise docker:run
-docker run --rm -p 5555:5000 -e GUNICORN_CMD_ARGS=--workers=5 mavis-reporting:latest
-[2025-07-17 10:32:01 +0000] [1] [INFO] Starting gunicorn 23.0.0
-[2025-07-17 10:32:01 +0000] [1] [INFO] Listening at: http://0.0.0.0:5000 (1)
-[2025-07-17 10:32:01 +0000] [1] [INFO] Using worker: sync
-[2025-07-17 10:32:01 +0000] [10] [INFO] Booting worker with pid: 10
-[2025-07-17 10:32:01 +0000] [11] [INFO] Booting worker with pid: 11
-[2025-07-17 10:32:01 +0000] [12] [INFO] Booting worker with pid: 12
-[2025-07-17 10:32:01 +0000] [13] [INFO] Booting worker with pid: 13
-[2025-07-17 10:32:01 +0000] [14] [INFO] Booting worker with pid: 14
-```
+This project uses encrypted secrets stored in `config/credentials`, using the
+[mise secrets](https://mise.jdx.dev/environments/secrets.html) integration with
+`age` and `sops`.
 
-## Runtime dependencies
+```sh
+age-keygen -o config/credentials/staging.key           # Generate a new keypair
+age-keygen -y config/credentials/staging.key           # View the public key
 
-This application authenticates with the main Mavis application using the [OAuth
-2.0 Authorization Code
-flow](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1).
+echo "FOO: bar" > config/credentials/staging.enc.yaml  # Create a secret file
+sops encrypt -i --age $(age-keygen -y config/credentials/staging.key) \
+  config/credentials/staging.enc.yaml                  # Encrypt the file
+git add config/credentials/staging.enc.yaml            # It's now safe to commit
+
+mise credentials:show --env staging                    # Show secrets
+mise credentials:edit --env staging                    # Edit secrets
+```
 
-To do this, it requires:
-
-1. A copy of the main Mavis app must be running and available at the URL given
-   in the `MAVIS_ROOT_URL` env var
-2. That copy of Mavis must:
-   - have the `reporting_api` feature flag enabled
-   - have a value for `Settings.reporting_api.client_app.client_id` (..which can
-     also be set via the `MAVIS__REPORTING_API__CLIENT_APP__CLIENT_ID`
-     environment variable) which matches this application's `CLIENT_ID` value
-   - have a value for `Settings.reporting_api.client_app.secret` (..which can
-     also be set via the `MAVIS__REPORTING_API__CLIENT_APP__SECRET` environment
-     variable) which matches this application's `CLIENT_SECRET` value
+To view and edit staging/production secrets, you need to obtain the
+`config/credentials/staging.key` (or `production.key`) from a colleague.
diff --git a/config/container_variables.yml b/config/container_variables.yml
@@ -5,7 +5,6 @@
 # This file specifies environment-specific variables that will be added to or override
 # the environment variables extracted from terraform configuration
 
-
 environments:
   production:
 
@@ -18,9 +17,6 @@ environments:
   training:
 
   sandbox-alpha:
-    ROOT_URL: https://sandbox-alpha.mavistesting.com/reporting/
-    MAVIS_ROOT_URL: https://sandbox-alpha.mavistesting.com/
-    FLASK_ENV: staging
 
   sandbox-beta:
 
diff --git a/config/credentials/development.enc.yaml b/config/credentials/development.enc.yaml
@@ -0,0 +1,18 @@
+SECRET_KEY: ENC[AES256_GCM,data:u6doFxRRBBU=,iv:oTHu76s9l443FqBEQU1UxpY1T4RoiUAnrS+Gd2sG21A=,tag:nWRiLS1cyZVYneTzdhl+kQ==,type:str]
+CLIENT_ID: ENC[AES256_GCM,data:IA+KSvbO9cE=,iv:WcnAaROf+PDi7A13ihSLIrd7oUxK/TCR4Gqa+SIj8EQ=,tag:pJ6MzbUqSaoTPdRpmh2vtw==,type:str]
+CLIENT_SECRET: ENC[AES256_GCM,data:cFdjBDvOIk4=,iv:kcgs+mwzRJccW1pql9VlKQ4nPqPwdO8tBoc+Mv2M6Wo=,tag:tSWtF1RwSmxdLecm0dFfIA==,type:str]
+sops:
+    age:
+        - recipient: age1hkeyzs454rgc59xgluayhhqrp3e66zkn02ax7etr9tzlpuh0vqtqnz44h6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCa1pFS0RLUC9tTXV2c3RY
+            VlJwd3V2dlQxNllJbDBpcEJ3eElLdy9mbndRCjN2eFlyeFFFa3Z5dTIzMVJiV0Ro
+            YzEvVTFIRWpLK2UvRW9LSkZkekU3SUEKLS0tIGw1eTJpNFZHVmlvVlp4UnQ3Nkw4
+            L1ozeHFWVjFHS0E4aWlVbTFyWjRQYTQKNxGr3dTtvqozv2relz0ttqxu7apT6Rl2
+            fRruhGAbWM8JpdwhC6gt4b0k0JLPlKrFtmKe+5fhEgZP2KT8b8wiXg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-09-10T02:02:05Z"
+    mac: ENC[AES256_GCM,data:bOYhpatQI0/funZdLa35k4BOrH6MbWETeXF2vozwgpgcYaPYzdMGYMV2BtQoDW5Gn7tPWvP/+uYd1cXRiQYp9Tm/hznI2cJzW4rnd/U5mTr7BwUc1V0afbSG32KmOWXGp0aREfCs86IqEYBtdHB9+Wm2Uf/ZzFunegIb0h3L7ww=,iv:/iThyCv6IesKuNI8Dw1ThOOuzCe1FzFFlYCXgylRRYc=,tag:2tdqHRp0wWB+13pYxS4AIQ==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2
diff --git a/config/credentials/development.key b/config/credentials/development.key
@@ -0,0 +1 @@
+AGE-SECRET-KEY-127S3XG77RYGXVZ8GWSH5ULYVPYYQLCX8HJJLCN72GQWDNT4LJ2GS9CEYPT
diff --git a/config/credentials/staging.enc.yaml b/config/credentials/staging.enc.yaml
@@ -0,0 +1,18 @@
+SECRET_KEY: ENC[AES256_GCM,data:kYn6JjDLk/ZC5D7tPmqP/nisCPuJ2xxqplRQ46R/r83UeDtfnaB/9I0mRQ==,iv:JVtmKpBrLbbJPgXcXDHgfe0CLZZ+T3xD7xV6v5OfGh0=,tag:6pE5xnbV32GMegDB0VlfBg==,type:str]
+CLIENT_ID: ENC[AES256_GCM,data:RfS0zTSiY3T6ikzWobhfznE1SjubGKXvgtrRazlzc9JsR7FlTmHDxZA=,iv:/U1D/tTT+sEN1v9/cUSzuyF8oRU6vrO5WUCKKBMTW/M=,tag:diFqiYa5Q+DxWigMAk28Pw==,type:str]
+CLIENT_SECRET: ENC[AES256_GCM,data:OQjfGTY6144QX0c+v3ZUKQRhazcRre6kC9ollpt9vGA=,iv:WzE2Ubtas6aRB7468N50GIToEvRWpr89cSd8UR1u0dE=,tag:yHTT9FMm0788dyt4eG9YgQ==,type:str]
+sops:
+    age:
+        - recipient: age1msgf79zw73wv0ljjqw5evjk8hst6y82e5vu6rws8jcntmfk24ulq69erw8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsczJhMnd3U1diUGpiVzFS
+            RmRYY0M4QlY2akppb2RXUWZZb09FMWZMTDJBCnExbmVUN0s0L2p3allLNk0rUDdM
+            eUZDQXdKUHd6d0wzSnU2OTdXbitKQncKLS0tIFAyWUQrUzRnRXNsVWhQU2NwWlFk
+            T1JrUVVCUlVMNjZiM3ZBaG5tNU1hSU0K2vbWc/1yUI+NUI1d4i4vUN/25vwbBKcc
+            D8e97cMWjV23t7RGXmsMgDtec1AvtQMN80i7d4K1lBYTSjbhB/gO1A==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-09-10T12:00:37Z"
+    mac: ENC[AES256_GCM,data:Tq2X6gSW56EvbWBxeXX82FCELdHOC37HWdBpujKtZBPioLUhcOiGjSBVoQVS+pxkLLAaZ4TUkZXZZ6r5Rmn6wh0be4ke+hy+hE5NlBU9H9e2jRULiafIGINDn6FF6USYgLuTqCZZ6OoukHpkNb7WsagfaXZZtF/SNn5tsL7ovv8=,iv:iilEzoZnkAzEEvb+SMCQB10W4aafzAm7kkUze1neoeg=,tag:BjersIyT/0OnmY7+o5vvTA==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2
diff --git a/mavis/reporting/__init__.py b/mavis/reporting/__init__.py
@@ -8,7 +8,7 @@
 
 def create_app(config_name=None):
     if config_name is None:
-        config_name = os.environ.get("FLASK_ENV", "development")
+        config_name = os.environ["FLASK_ENV"]
 
     app = Flask(__name__, static_url_path="/reporting/assets")
     app.config.from_object(config[config_name])
diff --git a/mavis/reporting/config/__init__.py b/mavis/reporting/config/__init__.py
@@ -9,20 +9,20 @@ class Config:
     """Base configuration"""
 
     # used for verifying signature of Mavis-issued JWTs
-    CLIENT_SECRET = os.environ.get("CLIENT_SECRET")
+    CLIENT_SECRET = os.environ["CLIENT_SECRET"]
     # used to identify this app in the OAuth Authorization Code request
-    CLIENT_ID = os.environ.get("CLIENT_ID")
+    CLIENT_ID = os.environ["CLIENT_ID"]
     # Used as the base for constructing URLs to
     # exchange auth codes, and request data
-    MAVIS_ROOT_URL = os.environ.get("MAVIS_ROOT_URL") or "http://localhost:4000/"
+    MAVIS_ROOT_URL = os.environ["MAVIS_ROOT_URL"]
 
     # Flask config
     # Flask-internal secret
-    SECRET_KEY = os.environ.get("SECRET_KEY") or "placeholder-secret-key-replace-this"
+    SECRET_KEY = os.environ["SECRET_KEY"]
     TEMPLATES_AUTO_RELOAD = True
-    SESSION_TTL_SECONDS = int(os.environ.get("SESSION_TTL_SECONDS") or "600")
+    SESSION_TTL_SECONDS = int(os.environ["SESSION_TTL_SECONDS"])
 
-    ROOT_URL = os.environ.get("ROOT_URL")
+    ROOT_URL = os.environ["ROOT_URL"]
 
 
 class DevelopmentConfig(Config):
diff --git a/mise.development.toml b/mise.development.toml
@@ -0,0 +1,15 @@
+[vars]
+credentials_file = "config/credentials/development.enc.yaml"
+secret_file = "config/credentials/development.key"
+uv_sync_args = "--group dev"
+
+[settings]
+sops.age_key_file = "{{vars.secret_file}}"
+
+[env]
+SOPS_AGE_KEY_FILE = "{{vars.secret_file}}"
+_.file = "{{vars.credentials_file}}"
+
+FLASK_ENV = "development"
+MAVIS_ROOT_URL = "http://localhost:4000/"
+ROOT_URL = "http://localhost:4001/"
diff --git a/mise.local.toml.example b/mise.local.toml.example
diff --git a/mise.staging.toml b/mise.staging.toml
@@ -0,0 +1,14 @@
+[vars]
+credentials_file = "config/credentials/staging.enc.yaml"
+secret_file = "config/credentials/staging.key"
+
+[settings]
+sops.age_key_file = "{{vars.secret_file}}"
+
+[env]
+SOPS_AGE_KEY_FILE = "{{vars.secret_file}}"
+_.file = "{{vars.credentials_file}}"
+
+FLASK_ENV = "staging"
+MAVIS_ROOT_URL = "https://sandbox-alpha.mavistesting.com/"
+ROOT_URL = "https://sandbox-alpha.mavistesting.com/reporting/"
diff --git a/mise.toml b/mise.toml
diff --git a/pyproject.toml b/pyproject.toml

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+[[allowlists]]`
	`2`	`+description = "Allow development key"`
	`3`	`+paths = ["config/credentials/development.key"]`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+AGE-SECRET-KEY-127S3XG77RYGXVZ8GWSH5ULYVPYYQLCX8HJJLCN72GQWDNT4LJ2GS9CEYPT`