Use a dedicated database encryption key

The `manage.py setclusters ...` needs to be called after this change.

Signed-off-by: Justin Cinkelj <justin.cinkelj@xlab.si>

Author: justinc1

.github/workflows/unit-tests.yml

@@ -52,6 +52,7 @@ jobs:
           DB_HOST = "localhost"
           DB_PORT = 5432
           SECRET_KEY = "$(uuidgen)"
+          DATABASE_KEY = "$(uuidgen)"
           EOF
 
       - name: Run tests

setup/collections/ansible_collections/ansible/containerized_installer/roles/automationdashboard/tasks/facts.yml

@@ -34,6 +34,7 @@
   ansible.builtin.set_fact:
     _common_secrets:
       - 'dashboard_secret_key,target=/etc/dashboard/SECRET_KEY,mode=0400,uid={{ ansible_user_uid }}'
+      - 'dashboard_database_key,target=/etc/dashboard/DATABASE_KEY,mode=0400,uid={{ ansible_user_uid }}'
       # - 'dashboard_channels,target=/etc/tower/conf.d/channels.py,mode=0400,uid={{ ansible_user_uid }}'
       - 'dashboard_postgres,target=/etc/dashboard/conf.d/postgres.py,mode=0400,uid={{ ansible_user_uid }}'
     _common_volumes:

setup/collections/ansible_collections/ansible/containerized_installer/roles/automationdashboard/tasks/secrets.yml

@@ -20,4 +20,15 @@
     # - Restart dashboard rsyslog
     - Restart dashboard task
     - Restart dashboard web
+
+- name: Create the dashboard DATABASE_KEY secret
+  containers.podman.podman_secret:
+    name: dashboard_database_key
+    data: '{{ dashboard_database_key | default(lookup("ansible.builtin.password", "/dev/null length=50")) }}'
+    force: '{{ dashboard_update_database_key | bool }}'
+    skip_existing: '{{ not dashboard_update_database_key | bool }}'
+  notify:
+    # - Restart dashboard rsyslog
+    - Restart dashboard task
+    - Restart dashboard web
 ...

setup/collections/ansible_collections/ansible/containerized_installer/roles/automationdashboard/tasks/uninstall.yml

@@ -48,6 +48,7 @@
     - dashboard_channels
     - dashboard_postgres
     - dashboard_secret_key
+    - dashboard_database_key
 
 - name: Delete the directories/files
   ansible.builtin.file:

setup/collections/ansible_collections/ansible/containerized_installer/roles/automationdashboard/templates/django_dashboard_conf.py.j2

@@ -1,5 +1,7 @@
 with open("/etc/dashboard/SECRET_KEY") as fin:
     SECRET_KEY = fin.read()
+with open("/etc/dashboard/DATABASE_KEY") as fin:
+    DATABASE_KEY = fin.read()
 
 ALLOWED_HOSTS=["*"]
 CORS_ALLOWED_ORIGINS = [

src/backend/apps/clusters/encryption.py

@@ -25,7 +25,7 @@ def __init__(self, key: bytes | str):
 
 def get_encryption_key() -> bytes:
     h = hashlib.sha512()
-    h.update(smart_bytes(settings.SECRET_KEY))
+    h.update(smart_bytes(settings.DATABASE_KEY))
     return base64.urlsafe_b64encode(h.digest())
 
 

src/backend/django_config/local_settings.example.py

@@ -17,6 +17,7 @@
 }
 
 SECRET_KEY = 'django-insecure-cu=@gv*8$8+rr2-^-8^g00!ib_9-utgu!26#q#@)!y%3#wt^1#'
+DATABASE_KEY = 'insecure-database-encryption-key-cu=@gv*8$8+rr2-^-8^g00!ib_9-utgu!26#q#@)!y%3#wt^1#'
 
 AAP_AUTH_PROVIDER = {
     "name": "Ansible Automation Platform",

src/backend/django_config/settings.py

@@ -27,6 +27,7 @@
 
 # SECURITY WARNING: keep the secret key used in production secret!
 # SECRET_KEY = ...
+# DATABASE_KEY - ...
 
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = False