BCDA-7528: Utilize Docker-compose with local env files. (#149)

## 🎫 Ticket https://jira.cms.gov/browse/BCDA-7528 ## 🛠 Changes Created env file examples, and pointed the docker-compose ## ℹ️ Context for reviewers In order to reduce the dependence on maintaining a large number of environment variables in S3, BCDA is aiming to inject them directly into the environment either through an env file, or longer-term, the task definitions in ECS. ## ✅ Acceptance Validation Ensured that critical variable (SSAS_DEFAULT_SYSTEM_SCOPE) was removed from docker-compose, and program operated by sourcing the env file. ## 🔒 Security Implications - [ ] This PR adds a new software dependency or dependencies. - [ ] This PR modifies or invalidates one or more of our security controls. - [ ] This PR stores or transmits data that was not stored or transmitted before. - [X] This PR requires additional review of its security implications for other reasons. If any security implications apply, add Jason Ashbaugh (GitHub username: StewGoin) as a reviewer and do not merge this PR without his approval. --------- Co-authored-by: Alex Dzeda <[email protected]>
CMSgov · Dec 19, 2023 · fb63306 · fb63306
1 parent de98544
commit fb63306
Show file tree

Hide file tree

Showing 8 changed files with 51 additions and 25 deletions.
diff --git a/docker-compose.test.yml b/docker-compose.test.yml
@@ -7,6 +7,8 @@ services:
       dockerfile: Dockerfiles/Dockerfile.tests
       args:
         VERSION: latest
+    env_file:
+      - ./ssas/cfg/configs/local.env
     environment:
       - DB=postgresql://postgres:toor@db:5432
       - DATABASE_URL=postgresql://postgres:toor@db:5432/bcda?sslmode=disable
@@ -17,13 +19,9 @@ services:
       - SSAS_PUBLIC_PORT=:3003
       - SSAS_ADMIN_PORT=:3004
       - SSAS_HTTP_TO_HTTPS_PORT=:3005
-      - SSAS_READ_TIMEOUT=10
-      - SSAS_WRITE_TIMEOUT=20
-      - SSAS_IDLE_TIMEOUT=120
       - SSAS_HASH_ITERATIONS=130000
       - SSAS_HASH_KEY_LENGTH=64
       - SSAS_HASH_SALT_SIZE=32
-      - SSAS_DEFAULT_SYSTEM_SCOPE=bcda-api
       - SSAS_TOKEN_BLACKLIST_CACHE_CLEANUP_MINUTES=15
       - SSAS_TOKEN_BLACKLIST_CACHE_TIMEOUT_MINUTES=1440
       - SSAS_TOKEN_BLACKLIST_CACHE_REFRESH_MINUTES=5

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -24,28 +24,26 @@ services:
       args:
         VERSION: latest
     image: bcda-ssas:latest
+    env_file:
+      - ./ssas/cfg/configs/local.env
     environment:
       - DATABASE_URL=postgresql://postgres:toor@db:5432/bcda?sslmode=disable
-      - DEBUG=true
-      - DEPLOYMENT_TARGET=local
       - ATO_PUBLIC_KEY_FILE=../shared_files/ATO_public.pem
       - ATO_PRIVATE_KEY_FILE=../shared_files/ATO_private.pem
       - HTTP_ONLY=true
       - BCDA_AUTH_PROVIDER=${BCDA_AUTH_PROVIDER}
       - BCDA_SSAS_CLIENT_ID=${BCDA_SSAS_CLIENT_ID}
       - BCDA_SSAS_SECRET=${BCDA_SSAS_SECRET}
+      - DEBUG=true
+      - DEPLOYMENT_TARGET=local
       - SSAS_ADMIN_SIGNING_KEY_PATH=../shared_files/ssas/admin_test_signing_key.pem
       - SSAS_PUBLIC_SIGNING_KEY_PATH=../shared_files/ssas/public_test_signing_key.pem
       - SSAS_ADMIN_PORT=:3004
       - SSAS_PUBLIC_PORT=:3003
       - SSAS_HTTP_TO_HTTPS_PORT=:3005
-      - SSAS_READ_TIMEOUT=10
-      - SSAS_WRITE_TIMEOUT=20
-      - SSAS_IDLE_TIMEOUT=120
       - SSAS_HASH_ITERATIONS=130000
       - SSAS_HASH_KEY_LENGTH=64
       - SSAS_HASH_SALT_SIZE=32
-      - SSAS_DEFAULT_SYSTEM_SCOPE=bcda-api
       - SSAS_TOKEN_BLACKLIST_CACHE_CLEANUP_MINUTES=15
       - SSAS_TOKEN_BLACKLIST_CACHE_TIMEOUT_MINUTES=1440
       - SSAS_TOKEN_BLACKLIST_CACHE_REFRESH_MINUTES=5

diff --git a/ssas/cfg/configs/dev.env b/ssas/cfg/configs/dev.env
@@ -0,0 +1,6 @@
+DEPLOYMENT_TARGET=dev
+SSAS_DEFAULT_SYSTEM_SCOPE=bcda-api
+SSAS_IDLE_TIMEOUT=120
+SSAS_LOG=/var/log/api/ssas.log
+SSAS_READ_TIMEOUT=10
+SSAS_WRITE_TIMEOUT=20
diff --git a/ssas/cfg/configs/local.env b/ssas/cfg/configs/local.env
@@ -0,0 +1,6 @@
+DEPLOYMENT_TARGET=local
+SSAS_DEFAULT_SYSTEM_SCOPE=bcda-api
+SSAS_IDLE_TIMEOUT=120
+SSAS_LOG=
+SSAS_READ_TIMEOUT=10
+SSAS_WRITE_TIMEOUT=20
diff --git a/ssas/cfg/configs/opensbx.env b/ssas/cfg/configs/opensbx.env
@@ -0,0 +1,6 @@
+DEPLOYMENT_TARGET=opensbx
+SSAS_DEFAULT_SYSTEM_SCOPE=bcda-api
+SSAS_IDLE_TIMEOUT=120
+SSAS_LOG=/var/log/api/ssas.log
+SSAS_READ_TIMEOUT=10
+SSAS_WRITE_TIMEOUT=20
diff --git a/ssas/cfg/configs/prod.env b/ssas/cfg/configs/prod.env
@@ -0,0 +1,6 @@
+DEPLOYMENT_TARGET=prod
+SSAS_DEFAULT_SYSTEM_SCOPE=bcda-api
+SSAS_IDLE_TIMEOUT=120
+SSAS_LOG=/var/log/api/ssas.log
+SSAS_READ_TIMEOUT=10
+SSAS_WRITE_TIMEOUT=20
diff --git a/ssas/cfg/configs/test.env b/ssas/cfg/configs/test.env
@@ -0,0 +1,6 @@
+DEPLOYMENT_TARGET=test
+SSAS_DEFAULT_SYSTEM_SCOPE=bcda-api
+SSAS_IDLE_TIMEOUT=120
+SSAS_LOG=/var/log/api/ssas.log
+SSAS_READ_TIMEOUT=10
+SSAS_WRITE_TIMEOUT=20
diff --git a/ssas/systems.go b/ssas/systems.go
@@ -89,8 +89,8 @@ type ClientToken struct {
 }
 
 /*
-	SaveClientToken should be provided with a token label and token uuid, which will
-	be saved to the client tokens table and associated with the current system.
+SaveClientToken should be provided with a token label and token uuid, which will
+be saved to the client tokens table and associated with the current system.
 */
 func (system *System) SaveClientToken(ctx context.Context, label string, groupXData string, expiration time.Time) (*ClientToken, string, error) {
 	rk, err := NewRootKey(ctx, system.ID, expiration)
@@ -167,8 +167,8 @@ type AuthRegData struct {
 }
 
 /*
-	SaveSecret should be provided with a secret hashed with ssas.NewHash(), which will
-	be saved to the secrets table and associated with the current system.
+SaveSecret should be provided with a secret hashed with ssas.NewHash(), which will
+be saved to the secrets table and associated with the current system.
 */
 func (system *System) SaveSecret(ctx context.Context, hashedSecret string) error {
 	secret := Secret{
@@ -189,7 +189,7 @@ func (system *System) SaveSecret(ctx context.Context, hashedSecret string) error
 }
 
 /*
-	GetSecret will retrieve the hashed secret associated with the current system.
+GetSecret will retrieve the hashed secret associated with the current system.
 */
 func (system *System) GetSecret(ctx context.Context) (Secret, error) {
 	secret := Secret{}
@@ -220,7 +220,7 @@ func (system *System) SaveTokenTime(ctx context.Context) {
 }
 
 /*
-	RevokeSecret revokes a system's secret
+RevokeSecret revokes a system's secret
 */
 func (system *System) RevokeSecret(ctx context.Context, trackingID string) error {
 	revokeCredentialsEvent := Event{Op: "RevokeCredentials", TrackingID: trackingID, ClientID: system.ClientID}
@@ -246,7 +246,7 @@ func (system *System) RevokeSecret(ctx context.Context, trackingID string) error
 }
 
 /*
-	DeactivateSecrets soft deletes secrets associated with the system.
+DeactivateSecrets soft deletes secrets associated with the system.
 */
 func (system *System) deactivateSecrets(ctx context.Context) error {
 	err := Connection.WithContext(ctx).Where("system_id = ?", system.ID).Delete(&Secret{}).Error
@@ -257,7 +257,7 @@ func (system *System) deactivateSecrets(ctx context.Context) error {
 }
 
 /*
-	GetEncryptionKey retrieves the key associated with the current system.
+GetEncryptionKey retrieves the key associated with the current system.
 */
 func (system *System) GetEncryptionKey(ctx context.Context, trackingID string) (EncryptionKey, error) {
 	getKeyEvent := Event{Op: "GetEncryptionKey", TrackingID: trackingID, ClientID: system.ClientID}
@@ -275,7 +275,7 @@ func (system *System) GetEncryptionKey(ctx context.Context, trackingID string) (
 }
 
 /*
-	FindEncryptionKey retrieves the key by id associated with the current system.
+FindEncryptionKey retrieves the key by id associated with the current system.
 */
 func (system *System) FindEncryptionKey(ctx context.Context, trackingID string, keyId string) (EncryptionKey, error) {
 	findKeyEvent := Event{Op: "FindEncryptionKey", TrackingID: trackingID, ClientID: system.ClientID}
@@ -293,7 +293,7 @@ func (system *System) FindEncryptionKey(ctx context.Context, trackingID string,
 }
 
 /*
-	GetEncryptionKeys retrieves the keys associated with the current system.
+GetEncryptionKeys retrieves the keys associated with the current system.
 */
 func (system *System) GetEncryptionKeys(ctx context.Context, trackingID string) ([]EncryptionKey, error) {
 	getKeyEvent := Event{Op: "GetEncryptionKey", TrackingID: trackingID, ClientID: system.ClientID}
@@ -311,7 +311,7 @@ func (system *System) GetEncryptionKeys(ctx context.Context, trackingID string)
 }
 
 /*
-	DeleteEncryptionKey deletes the key associated with the current system.
+DeleteEncryptionKey deletes the key associated with the current system.
 */
 func (system *System) DeleteEncryptionKey(ctx context.Context, trackingID string, keyID string) error {
 	deleteKeyEvent := Event{Op: "DeleteEncryptionKey", TrackingID: trackingID, ClientID: system.ClientID}
@@ -334,8 +334,8 @@ func (system *System) DeleteEncryptionKey(ctx context.Context, trackingID string
 }
 
 /*
-	SavePublicKey should be provided with a public key in PEM format, which will be saved
-	to the encryption_keys table and associated with the current system.
+SavePublicKey should be provided with a public key in PEM format, which will be saved
+to the encryption_keys table and associated with the current system.
 */
 func (system *System) SavePublicKey(publicKey io.Reader, signature string) (*EncryptionKey, error) {
 	return system.SavePublicKeyDB(publicKey, signature, true, Connection)
@@ -400,8 +400,8 @@ type Credentials struct {
 }
 
 /*
-	RegisterSystem will save a new system and public key after verifying provided details for validity.  It returns
-	a ssas.Credentials struct including the generated clientID and secret.
+RegisterSystem will save a new system and public key after verifying provided details for validity.  It returns
+a ssas.Credentials struct including the generated clientID and secret.
 */
 func RegisterSystem(ctx context.Context, clientName string, groupID string, scope string, publicKeyPEM string, ips []string, trackingID string) (Credentials, error) {
 	systemInput := SystemInput{