Merge branch 'jwt-key' into 'enterprise'

feat(auth): The JWT signing token is now configurable

See merge request dkinternal/testgen/dataops-testgen!208

Author: ci bot

deploy/charts/testgen-app/templates/_environment.yaml

@@ -9,6 +9,11 @@
     secretKeyRef:
       name: {{ .Values.testgen.authSecrets.name | quote }}
       key: "decrypt-password"
+- name: TG_JWT_HASHING_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ .Values.testgen.authSecrets.name | quote }}
+      key: "jwt-hashing-key"
 - name: TG_METADATA_DB_HOST
   value: {{ .Values.testgen.databaseHost | quote }}
 - name: TG_METADATA_DB_NAME

deploy/charts/testgen-app/templates/secrets.yaml

@@ -12,4 +12,5 @@ type: Opaque
 data:
   decrypt-salt: {{ randAlphaNum 32 | b64enc | quote }}
   decrypt-password: {{ randAlphaNum 32 | b64enc | quote }}
+  jwt-hashing-key: {{ randBytes 32 | b64enc | quote }}
 {{- end }}

testgen/settings.py

@@ -484,3 +484,8 @@
 """
 Disables sending usage data when set to any value except "true" and "yes". Defaults to "yes"
 """
+
+JWT_HASHING_KEY_B64: str = os.getenv("TG_JWT_HASHING_KEY")
+"""
+Random key used to sign/verify the authentication token
+"""

testgen/ui/services/user_session_service.py

@@ -1,3 +1,4 @@
+import base64
 import datetime
 import logging
 import typing
@@ -6,19 +7,29 @@
 import jwt
 import streamlit as st
 
+from testgen import settings
 from testgen.ui.queries import user_queries
 from testgen.ui.session import session
 
 RoleType = typing.Literal["admin", "data_quality", "analyst", "business", "catalog"]
 
-JWT_HASHING_KEY = "dk_signature_key"
 AUTH_TOKEN_COOKIE_NAME = "dk_cookie_name"  # noqa: S105
 AUTH_TOKEN_EXPIRATION_DAYS = 1
 DISABLED_ACTION_TEXT = "You do not have permissions to perform this action. Contact your administrator."
 
 LOG = logging.getLogger("testgen")
 
 
+def _get_jwt_hashing_key() -> bytes:
+    try:
+        return base64.b64decode(settings.JWT_HASHING_KEY_B64.encode("ascii"))
+    except Exception as e:
+        raise ValueError(
+            "Error reading the JWT signing key from settings. Make sure you have a valid base 64 "
+            "string assigned to the TG_JWT_HASHING_KEY environment variable."
+        ) from e
+
+
 def load_user_session() -> None:
     # Replacing this with st.context.cookies does not work
     # Because it does not update when cookies are deleted on logout
@@ -29,7 +40,7 @@ def load_user_session() -> None:
     token = cookies.get(AUTH_TOKEN_COOKIE_NAME)
     if token is not None:
         try:
-            token = jwt.decode(token, JWT_HASHING_KEY, algorithms=["HS256"])
+            token = jwt.decode(token, _get_jwt_hashing_key(), algorithms=["HS256"])
             if token["exp_date"] > datetime.datetime.utcnow().timestamp():
                 start_user_session(token["name"], token["username"])
         except Exception:
@@ -77,7 +88,11 @@ def get_auth_data():
 
     return {
         "credentials": {"usernames": usernames},
-        "cookie": {"expiry_days": AUTH_TOKEN_EXPIRATION_DAYS, "key": JWT_HASHING_KEY, "name": AUTH_TOKEN_COOKIE_NAME},
+        "cookie": {
+            "expiry_days": AUTH_TOKEN_EXPIRATION_DAYS,
+            "key": _get_jwt_hashing_key(),
+            "name": AUTH_TOKEN_COOKIE_NAME,
+        },
         "preauthorized": {"emails": preauthorized_list},
     }