Get the PACTA frontend/backend ready for deployment

.sops.yaml

@@ -0,0 +1,7 @@
+# creation rules are evaluated sequentially, the first match wins
+creation_rules:
+        - path_regex: local\.enc\.json$
+          azure_keyvault: https://rmipactalocalsops.vault.azure.net/keys/sops/d670bcbc510f456d821306913b4c55c6
+        - path_regex: dev\.enc\.json$
+          azure_keyvault: https://rmipactadevsops.vault.azure.net/keys/sops/8e4170b4ef324258a51f02ada7dca42b
+

WORKSPACE

@@ -12,10 +12,10 @@ http_archive(
 
 http_archive(
     name = "bazel_gazelle",
-    sha256 = "29218f8e0cebe583643cbf93cae6f971be8a2484cdcfa1e45057658df8d54002",
+    sha256 = "d3fa66a39028e97d76f9e2db8f1b0c11c099e8e01bf363a923074784e451f809",
     urls = [
-        "https://mirror.bazel.build/github.com/bazelbuild/bazel-gazelle/releases/download/v0.32.0/bazel-gazelle-v0.32.0.tar.gz",
-        "https://github.com/bazelbuild/bazel-gazelle/releases/download/v0.32.0/bazel-gazelle-v0.32.0.tar.gz",
+        "https://mirror.bazel.build/github.com/bazelbuild/bazel-gazelle/releases/download/v0.33.0/bazel-gazelle-v0.33.0.tar.gz",
+        "https://github.com/bazelbuild/bazel-gazelle/releases/download/v0.33.0/bazel-gazelle-v0.33.0.tar.gz",
     ],
 )
 

cmd/server/BUILD.bazel

@@ -10,15 +10,16 @@ go_library(
     deps = [
         "//cmd/server/pactasrv",
         "//db/sqldb",
-        "//keyutil",
         "//oapierr",
         "//openapi:pacta_generated",
+        "//secrets",
         "@com_github_deepmap_oapi_codegen//pkg/chi-middleware",
         "@com_github_go_chi_chi_v5//:chi",
         "@com_github_go_chi_chi_v5//middleware",
         "@com_github_go_chi_httprate//:httprate",
         "@com_github_go_chi_jwtauth_v5//:jwtauth",
         "@com_github_jackc_pgx_v5//pgxpool",
+        "@com_github_lestrrat_go_jwx_v2//jwk",
         "@com_github_namsral_flag//:flag",
         "@com_github_rs_cors//:cors",
         "@com_github_silicon_ally_zaphttplog//:zaphttplog",
@@ -64,7 +65,7 @@ oci_push(
     name = "push_image",
     image = ":image",
     remote_tags = ["latest"],
-    repository = "TODO",
+    repository = "rmipacta.azurecr.io/pacta",
 )
 
 # Note: This tarball is provided for local testing of the Docker image, see the README.md for details on usage.

cmd/server/configs/dev.conf

@@ -0,0 +1,4 @@
+env dev
+allowed_cors_origin https://pacta.dev.rmi.siliconally.dev
+sops_path /configs/secrets/dev.enc.json
+port 80

cmd/server/configs/local.conf

@@ -1,3 +1,3 @@
 env local
-auth_public_key_file test_server.pub
 allowed_cors_origin http://localhost:3000
+sops_path cmd/server/configs/secrets/local.enc.json

cmd/server/configs/secrets/dev.enc.json

@@ -0,0 +1,33 @@
+{
+	"postgres": {
+		"host": "ENC[AES256_GCM,data:R6ryvg==,iv:Jls4J7v8kqSxYfVj6fP2j4a2NutpkXzlpye8grUxD6g=,tag:KNf7smmVEhLXpQ1+Fy7WHA==,type:str]",
+		"port": "ENC[AES256_GCM,data:skT9aQ==,iv:Gz9pmCpHgy+JH5Ci94uGRtXsmje9JzBwrGqkW0STp3Y=,tag:kbkTss6yxP2a3a3IgutSTA==,type:float]",
+		"database": "ENC[AES256_GCM,data:fOstsg==,iv:G2XKgd2e+WPY9SpiEev9Ph/MlfBFS6I2B5GAJvhfjkI=,tag:YKeaJ/vDzCoNW6h/2sFUIw==,type:str]",
+		"user": "ENC[AES256_GCM,data:o1dabw==,iv:1fa701v4Z2e2sEciKBYTjEoUGF2tA/tkTpS2XdQILD8=,tag:mOamJoC66d9lJ3bJwJr7Ag==,type:str]",
+		"password": "ENC[AES256_GCM,data:bwiCrg==,iv:PYp7H7Ak3fq4KH+eaFOBT5ua1QU//CR/GhhPBWo+Deo=,tag:ARGFNYO8U+mo+HGRXg4F3A==,type:str]"
+	},
+	"auth_public_key": {
+		"id": "ENC[AES256_GCM,data:aWwgJbWEvxHaIw==,iv:y+jk9yzidCA98zHlif41y8ukJl+FrJnqm5aucT2S2c8=,tag:jqq/ITKkW1+vs8Dysgu9eQ==,type:str]",
+		"data": "ENC[AES256_GCM,data:yI0yl9WoJoGJ9lTfsuwiZ+2/boPsIPe4J1UlZ5b9Y6PPIP71ArHFGdjdrnz/rXwwylKlE9jFvtFZtsAcHOct/sH0VJPCXq3SXOSUEIVz7e6aqOHCOV+PGUwx1JMhCzeuql9JvQLJADkS0TWBNcLJrw==,iv:Tg1FivpMVG1EnWUNdJl0sKF/B/sn9uO0JDU0PIhKHJI=,tag:i73LQr1BRuTUb4li/qtaNg==,type:str]"
+	},
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": [
+			{
+				"vault_url": "https://rmipactadevsops.vault.azure.net",
+				"name": "sops",
+				"version": "8e4170b4ef324258a51f02ada7dca42b",
+				"created_at": "2023-09-21T19:02:52Z",
+				"enc": "RqRHPo8pF7O0HSwS4peMGhy1pilB4ofobQuVpOFJCpl-aJzQR3FDFXfyqurzVFFNvEiQsuMexJijAtf6SWHfkC2ATQv_vIh2XsYFnK4GQgwxNl7j_m60___Pj6vu9PY6bbi5nf8GQAP6W4U-WPX6WpyT9sqrqoVtbGZ2GYEvIshuQlq6W0RKjsyOQdz6svd51ExksNug_w0oSwHXub29AzzpSzY4ne5ba419Sbmbr_IA_HFexNxajFivsj6Jq76A3ZLzKXnKO_TAbA_Zqh9S0iMecRotg53iv9KDteO9q61aCtChl-FCqTaHtasz-NkxCunfR0Jn_aSnoQ6L9ssInw"
+			}
+		],
+		"hc_vault": null,
+		"age": null,
+		"lastmodified": "2023-09-21T19:40:54Z",
+		"mac": "ENC[AES256_GCM,data:ucrGeR27GEE5+94I3UT3TZ8Gk11LqkquJDLyIlzffcXywHSohh5O++1eCoh0VQYupLQ/w82Nb5O9RAY+lsuuYHRiiEHE4T99QN3dBEIZYFs+5N/3mDeBbTbURmieW6v2ynp+qCG0tdqHXzVewGsNr0GP5RIQ/8cSugCPeSDV8GY=,iv:Y757oxrtj0Gk8rw8shqV4JVLewbxUMaEXKxwt5sXusw=,tag:qLyNkjMDlMtGb/AaDU+gIQ==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}

cmd/server/configs/secrets/local.enc.json

@@ -0,0 +1,33 @@
+{
+	"postgres": {
+		"host": "ENC[AES256_GCM,data:FIB24w==,iv:Ompg2OzvvX0wp41x3ohYJi9ibQjElor2/FILULj/ucs=,tag:VeGYUcqDMk9ZPWH7jWYp4w==,type:str]",
+		"port": "ENC[AES256_GCM,data:sIz/OQ==,iv:66H/SkGnTydcrt8P48rg7iRZsuGioiy2PVD+nki+osw=,tag:Rf12BONTIEvMPHwsP3pNsA==,type:float]",
+		"database": "ENC[AES256_GCM,data:KID2EQ==,iv:nKsaOc0H46McP8wsUfBZPOBaSGTq2Cc2gDWGAKZFx7k=,tag:LI5wZLFE7oEo65kBCqY0vg==,type:str]",
+		"user": "ENC[AES256_GCM,data:z2X3Jg==,iv:k/AkRr9nmQjMTHRPvedm2/QiFJ3pB6gTVPfPQWc62ME=,tag:hmXn6J5na9MeUfT59w52pw==,type:str]",
+		"password": "ENC[AES256_GCM,data:LNF07w==,iv:pmNiCXnrRvQ1OKH5BvFkIcxWULoZTjsoisZKTqM6yNg=,tag:pm9r9ohpcDvVQGElOdcalw==,type:str]"
+	},
+	"auth_public_key": {
+		"id": "ENC[AES256_GCM,data:dzSKO90sQD5zZw==,iv:lgRtOe3BEkXmM3/Dks0ae28ovTSWlZlF/psqU5rxpWo=,tag:nihB5jIGlW9yVhTphE1Row==,type:str]",
+		"data": "ENC[AES256_GCM,data:doKxxYcH7bDNdGCnzKj6eH+A839ZKFE2wLHGhF1chfyIhs+8ORKsxyw44dfdbkiuX9ko/B6ieYc+kqgt/AjqZIlhPD9+UQeA/pKkfZ27gk8sKRjs/c/DGSAMFR4Z1N32osasoxws0k0WpvL9Je83rA==,iv:T4rzisXVMzrBKNmdH++yrgxe+zRj6TZY6eeCgXlUzBI=,tag:cjw3H3E2UVrQQkCobupmzA==,type:str]"
+	},
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": [
+			{
+				"vault_url": "https://rmipactalocalsops.vault.azure.net",
+				"name": "sops",
+				"version": "d670bcbc510f456d821306913b4c55c6",
+				"created_at": "2023-09-21T18:54:20Z",
+				"enc": "PxHtPXbHROMycbTBJhmuGrpK3LRBkWd7v69khB8_oN5wIYQpPKj9YiKW_HcvL1DUsmjzaE9FlKL8Rsqpmrw2Kv_IRAS_92YUdUzHtQU2xEBSAr_aCW9f61CM3c4JDZTKQV8b7uWyLzsuCVtRcuCAEBFzYPLk6vXrTfbq5lUGvkBqLY4g3mPejCyEHthzUlj7JKHa-2cHB6-ASOtL5P6__nWGCcq7vuOLA1rTW7LXP04AGHP-CpLXLhrJcD5fupVo_X_N98lpIyaFiDoKv6DzWkc4pLsp4H_YAgthLtPOti8EMp7xcnNTTdx4SsNYxL7fcjLTXKmew5Ro8Z9FAVZGww"
+			}
+		],
+		"hc_vault": null,
+		"age": null,
+		"lastmodified": "2023-09-21T19:40:48Z",
+		"mac": "ENC[AES256_GCM,data:EvnoxVh7d2dg3AldzIR6a0RP9274l8un42gkpferDtjv2XtX3fdoi1Nkt+ObDkiaMN50H/cLnWlhzVMe+Dwi/w8QLLhxuRlW/ShzWmW+w/pcREcNsQsWSIqIxk6s3+vqMLCtXa7Huk0a3+DoNSbgtWYCPCGEgRwNvsWV7i51IRg=,iv:9Ch4OzrLBwX+XVo3LoNbgGXJrcTc+KB2LBSgADFcjW4=,tag:s1bfV1UqCw67Ne/vyEqF/A==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}

cmd/server/main.go

@@ -12,14 +12,15 @@ import (
 
 	"github.com/RMI/pacta/cmd/server/pactasrv"
 	"github.com/RMI/pacta/db/sqldb"
-	"github.com/RMI/pacta/keyutil"
 	"github.com/RMI/pacta/oapierr"
 	oapipacta "github.com/RMI/pacta/openapi/pacta"
+	"github.com/RMI/pacta/secrets"
 	"github.com/Silicon-Ally/zaphttplog"
 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/httprate"
 	"github.com/go-chi/jwtauth/v5"
 	"github.com/jackc/pgx/v5/pgxpool"
+	"github.com/lestrrat-go/jwx/v2/jwk"
 	"github.com/namsral/flag"
 	"github.com/rs/cors"
 	"go.uber.org/zap"
@@ -51,7 +52,7 @@ func run(args []string) error {
 		env      = fs.String("env", "", "The environment that we're running in.")
 		localDSN = fs.String("local_dsn", "", "If set, override the DB addresses retrieved from the sops configuration. Can only be used when running locally.")
 
-		authPubKeyFile = fs.String("auth_public_key_file", "", "The PEM-encoded PKIX ASN.1 DER-formatted ED25519 public key to verify JWTs with")
+		sopsPath = fs.String("sops_path", "", "Path to the sops-formatted file containing sensitive credentials to be decrypted at runtime.")
 	)
 	// Allows for passing in configuration via a -config path/to/env-file.conf
 	// flag, see https://pkg.go.dev/github.com/namsral/flag#readme-usage
@@ -63,13 +64,10 @@ func run(args []string) error {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
-	// Pub is the key we use to authenticate signatures on user auth tokens.
-	pub, err := keyutil.DecodeED25519PublicKeyFromFile(*authPubKeyFile)
-	if err != nil {
-		return fmt.Errorf("failed to load public key: %w", err)
-	}
-
-	var logger *zap.Logger
+	var (
+		logger *zap.Logger
+		err    error
+	)
 	if *env == "local" {
 		if logger, err = zap.NewDevelopment(); err != nil {
 			return fmt.Errorf("failed to init logger: %w", err)
@@ -80,6 +78,13 @@ func run(args []string) error {
 		}
 	}
 
+	// Pub is the key we use to authenticate signatures on user auth tokens.
+	logger.Info("Loading sops secrets", zap.String("sops_path", *sopsPath))
+	sec, err := secrets.LoadPACTA(*sopsPath)
+	if err != nil {
+		return fmt.Errorf("failed to decrypt secrets: %w", err)
+	}
+
 	if *localDSN != "" && *env != "local" {
 		return errors.New("--local_dsn set outside of local environment")
 	}
@@ -90,7 +95,7 @@ func run(args []string) error {
 			return fmt.Errorf("failed to parse local DSN: %w", err)
 		}
 	} else {
-		// TODO: Add support for sops-encrypted credentials.
+		postgresCfg = sec.Postgres
 	}
 
 	logger.Info("Connecting to database", zap.String("db_host", postgresCfg.ConnConfig.Host))
@@ -136,6 +141,12 @@ func run(args []string) error {
 
 	r := chi.NewRouter()
 
+	jwKey, err := jwk.FromRaw(sec.AuthVerificationKey.PublicKey)
+	if err != nil {
+		return fmt.Errorf("failed to make JWK key: %w", err)
+	}
+	jwKey.Set(jwk.KeyIDKey, sec.AuthVerificationKey.ID)
+
 	// We now register our PACTA above as the handler for the interface
 	oapipacta.HandlerWithOptions(pactaStrictHandler, oapipacta.ChiServerOptions{
 		BaseRouter: r.With(
@@ -148,7 +159,7 @@ func run(args []string) error {
 			zaphttplog.NewMiddleware(logger),
 			chimiddleware.Recoverer,
 
-			jwtauth.Verifier(jwtauth.New("EdDSA", nil, pub)),
+			jwtauth.Verifier(jwtauth.New("EdDSA", nil, jwKey)),
 			jwtauth.Authenticator,
 
 			oapimiddleware.OapiRequestValidator(pactaSwagger),