disable default jwks for production deployments (#2414)

* disable default jwks for production deployments * add default jwks for prebuilts * Revert "add default jwks for prebuilts" This reverts commit 68c6820.
ohcnetwork · Sep 22, 2024 · 12afd7a · 12afd7a
1 parent 00ce264
commit 12afd7a
Show file tree

Hide file tree

Showing 6 changed files with 67 additions and 18 deletions.
diff --git a/.gitignore b/.gitignore
@@ -352,3 +352,5 @@ secrets.sh
 
 # Redis
 *.rdb
+
+jwks.b64.txt
diff --git a/care/utils/jwks/generate_jwk.py b/care/utils/jwks/generate_jwk.py
@@ -1,5 +1,6 @@
 import base64
 import json
+from pathlib import Path
 
 from authlib.jose import JsonWebKey
 
@@ -11,3 +12,15 @@ def generate_encoded_jwks():
     keys = {"keys": [key]}
     keys_json = json.dumps(keys)
     return base64.b64encode(keys_json.encode()).decode()
+
+
+def get_jwks_from_file(base_path: Path):
+    file_path = base_path / "jwks.b64.txt"
+    try:
+        with open(file_path, "r") as file:
+            return file.read()
+    except FileNotFoundError:
+        jwks = generate_encoded_jwks()
+        with open(file_path, "w") as file:
+            file.write(jwks)
+        return jwks
diff --git a/config/settings/base.py b/config/settings/base.py
@@ -2,13 +2,10 @@
 Base settings to build other settings files upon.
 """
 
-import base64
-import json
 from datetime import datetime, timedelta
 from pathlib import Path
 
 import environ
-from authlib.jose import JsonWebKey
 from django.utils.translation import gettext_lazy as _
 from healthy_django.healthcheck.celery_queue_length import (
     DjangoCeleryQueueLengthHealthCheck,
@@ -17,7 +14,6 @@
 from healthy_django.healthcheck.django_database import DjangoDatabaseHealthCheck
 
 from care.utils.csp import config as csp_config
-from care.utils.jwks.generate_jwk import generate_encoded_jwks
 from plug_config import manager
 
 BASE_DIR = Path(__file__).resolve(strict=True).parent.parent.parent
@@ -630,11 +626,6 @@
 CURRENT_DOMAIN = env("CURRENT_DOMAIN", default="localhost:8000")
 BACKEND_DOMAIN = env("BACKEND_DOMAIN", default="localhost:9000")
 
-# open id connect
-JWKS = JsonWebKey.import_key_set(
-    json.loads(base64.b64decode(env("JWKS_BASE64", default=generate_encoded_jwks())))
-)
-
 APP_VERSION = env("APP_VERSION", default="unknown")
 
 # ABDM

diff --git a/config/settings/deployment.py b/config/settings/deployment.py
@@ -1,6 +1,9 @@
+import base64
+import json
 import logging
 
 import sentry_sdk
+from authlib.jose import JsonWebKey
 from sentry_sdk.integrations.celery import CeleryIntegration
 from sentry_sdk.integrations.django import DjangoIntegration
 from sentry_sdk.integrations.logging import LoggingIntegration, ignore_logger
@@ -118,3 +121,6 @@
 SNS_ACCESS_KEY = env("SNS_ACCESS_KEY")
 SNS_SECRET_KEY = env("SNS_SECRET_KEY")
 SNS_REGION = "ap-south-1"
+
+# open id connect
+JWKS = JsonWebKey.import_key_set(json.loads(base64.b64decode(env("JWKS_BASE64"))))
diff --git a/config/settings/local.py b/config/settings/local.py
@@ -1,24 +1,33 @@
+import base64
+import json
+
+from authlib.jose import JsonWebKey
+
+from care.utils.jwks.generate_jwk import get_jwks_from_file
+
 from .base import *  # noqa
+from .base import BASE_DIR, INSTALLED_APPS, MIDDLEWARE, env
 
 # https://github.com/adamchainz/django-cors-headers#cors_allow_all_origins-bool
 CORS_ORIGIN_ALLOW_ALL = True
 
 # WhiteNoise
 # ------------------------------------------------------------------------------
 # http://whitenoise.evans.io/en/latest/django.html#using-whitenoise-in-development
-INSTALLED_APPS = ["whitenoise.runserver_nostatic"] + INSTALLED_APPS  # noqa F405
+INSTALLED_APPS = ["whitenoise.runserver_nostatic"] + INSTALLED_APPS
 
 # django-silk
 # ------------------------------------------------------------------------------
 # https://github.com/jazzband/django-silk#requirements
-INSTALLED_APPS += ["silk"]  # F405
-MIDDLEWARE += ["silk.middleware.SilkyMiddleware"]  # noqa F405
+INSTALLED_APPS += ["silk"]
+MIDDLEWARE += ["silk.middleware.SilkyMiddleware"]
+# https://github.com/jazzband/django-silk#profiling
 SILKY_PYTHON_PROFILER = True
 
 # django-extensions
 # ------------------------------------------------------------------------------
 # https://django-extensions.readthedocs.io/en/latest/installation_instructions.html#configuration
-INSTALLED_APPS += ["django_extensions"]  # F405
+INSTALLED_APPS += ["django_extensions"]
 
 
 # Celery
@@ -33,3 +42,15 @@
 RUNSERVER_PLUS_PRINT_SQL_TRUNCATE = 100000
 
 DISABLE_RATELIMIT = True
+
+# open id connect
+JWKS = JsonWebKey.import_key_set(
+    json.loads(
+        base64.b64decode(
+            env(
+                "JWKS_BASE64",
+                default=get_jwks_from_file(BASE_DIR),
+            )
+        )
+    )
+)
diff --git a/config/settings/test.py b/config/settings/test.py
@@ -1,9 +1,12 @@
-"""
-With these settings, tests run faster.
-"""
+import base64
+import json
+
+from authlib.jose import JsonWebKey
+
+from care.utils.jwks.generate_jwk import get_jwks_from_file
 
 from .base import *  # noqa
-from .base import env
+from .base import BASE_DIR, TEMPLATES, env
 
 # GENERAL
 # ------------------------------------------------------------------------------
@@ -17,7 +20,7 @@
 
 # TEMPLATES
 # ------------------------------------------------------------------------------
-TEMPLATES[-1]["OPTIONS"]["loaders"] = [  # type: ignore[index] # noqa F405
+TEMPLATES[-1]["OPTIONS"]["loaders"] = [  # type: ignore[index]
     (
         "django.template.loaders.cached.Loader",
         [
@@ -74,3 +77,16 @@
 }
 
 CELERY_TASK_ALWAYS_EAGER = True
+
+
+# open id connect
+JWKS = JsonWebKey.import_key_set(
+    json.loads(
+        base64.b64decode(
+            env(
+                "JWKS_BASE64",
+                default=get_jwks_from_file(BASE_DIR),
+            )
+        )
+    )
+)