feat(osp): add new encryption configs #210

* add encryption configs for #437

charts/portal/templates/cronjob-backend-processes.yaml

@@ -330,11 +330,30 @@ spec:
               value: "{{ .Values.backend.placeholder }}"
             - name: "PROCESSIDENTITY__PROCESSUSERID"
               value: "{{ .Values.backend.processesworker.processIdentity.processUserId }}"
-            - name: "ONBOARDINGSERVICEPROVIDER__ENCYRPTIONKEY"
+            - name: "ONBOARDINGSERVICEPROVIDER__ENCRYPTIONCONFIG__ENCRYPTIONCONFIGINDEX"
+              value: "{{ .Values.backend.processesworker.onboardingServiceProvider.encryptionConfigIndex }}"
+            - name: "ONBOARDINGSERVICEPROVIDER__ENCRYPTIONCONFIGS__0__INDEX"
+              value: "{{ .Values.backend.processesworker.onboardingServiceProvider.encryptionConfigs.index0.index}}"
+            - name: "ONBOARDINGSERVICEPROVIDER__ENCRYPTIONCONFIGS__0__CIPHERMODE"
+              value: "{{ .Values.backend.processesworker.onboardingServiceProvider.encryptionConfigs.index0.cipherMode}}"
+            - name: "ONBOARDINGSERVICEPROVIDER__ENCRYPTIONCONFIGS__0__PADDINGMODE"
+              value: "{{ .Values.backend.processesworker.onboardingServiceProvider.encryptionConfigs.index0.paddingMode}}"
+            - name: "ONBOARDINGSERVICEPROVIDER__ENCRYPTIONCONFIGS__0__ENCRYPTIONKEY"
               valueFrom:
                 secretKeyRef:
                   name: "{{ .Values.backend.interfaces.secret }}"
-                  key: "process-onboardingserviceprovider-encryption-key"
+                  key: "process-onboardingserviceprovider-encryption-key0"
+            - name: "ONBOARDINGSERVICEPROVIDER__ENCRYPTIONCONFIGS__1__INDEX"
+              value: "{{ .Values.backend.processesworker.onboardingServiceProvider.encryptionConfigs.index1.index}}"
+            - name: "ONBOARDINGSERVICEPROVIDER__ENCRYPTIONCONFIGS__1__CIPHERMODE"
+              value: "{{ .Values.backend.processesworker.onboardingServiceProvider.encryptionConfigs.index1.cipherMode}}"
+            - name: "ONBOARDINGSERVICEPROVIDER__ENCRYPTIONCONFIGS__1__PADDINGMODE"
+              value: "{{ .Values.backend.processesworker.onboardingServiceProvider.encryptionConfigs.index1.paddingMode}}"
+            - name: "ONBOARDINGSERVICEPROVIDER__ENCRYPTIONCONFIGS__1__ENCRYPTIONKEY"
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.backend.interfaces.secret }}"
+                  key: "process-onboardingserviceprovider-encryption-key1"
             ports:
             - name: http
               containerPort: {{ .Values.portContainer }}

charts/portal/templates/deployment-backend-administration.yaml

@@ -325,11 +325,30 @@ spec:
           value: "{{ .Values.backend.provisioning.invitedUserInitialRoles.registration }}"
         - name: "NETWORK2NETWORK__BASEPORTALADDRESS"
           value: "{{ .Values.portalAddress }}{{ .Values.backend.portalHomePath }}"
-        - name: "ONBOARDINGSERVICEPROVIDER__ENCYRPTIONKEY"
+        - name: "ONBOARDINGSERVICEPROVIDER__ENCRYPTIONCONFIG__INDEX"
+          value: "{{ .Values.backend.administration.onboardingServiceProvider.encryptionConfigIndex }}"
+        - name: "ONBOARDINGSERVICEPROVIDER__ENCRYPTIONCONFIGS__0__INDEX"
+          value: "{{ .Values.backend.administration.onboardingServiceProvider.encryptionConfigs.index0.index}}"
+        - name: "ONBOARDINGSERVICEPROVIDER__ENCRYPTIONCONFIGS__0__CIPHERMODE"
+          value: "{{ .Values.backend.administration.onboardingServiceProvider.encryptionConfigs.index0.cipherMode}}"
+        - name: "ONBOARDINGSERVICEPROVIDER__ENCRYPTIONCONFIGS__0__PADDINGMODE"
+          value: "{{ .Values.backend.administration.onboardingServiceProvider.encryptionConfigs.index0.paddingMode}}"
+        - name: "ONBOARDINGSERVICEPROVIDER__ENCRYPTIONCONFIGS__0__ENCRYPTIONKEY"
           valueFrom:
             secretKeyRef:
               name: "{{ .Values.backend.interfaces.secret }}"
-              key: "onboardingserviceprovider-encryption-key"
+              key: "onboardingserviceprovider-encryption-key0"
+        - name: "ONBOARDINGSERVICEPROVIDER__ENCRYPTIONCONFIGS__1__INDEX"
+          value: "{{ .Values.backend.administration.onboardingServiceProvider.encryptionConfigs.index1.index}}"
+        - name: "ONBOARDINGSERVICEPROVIDER__ENCRYPTIONCONFIGS__1__CIPHERMODE"
+          value: "{{ .Values.backend.administration.onboardingServiceProvider.encryptionConfigs.index1.cipherMode}}"
+        - name: "ONBOARDINGSERVICEPROVIDER__ENCRYPTIONCONFIGS__1__PADDINGMODE"
+          value: "{{ .Values.backend.administration.onboardingServiceProvider.encryptionConfigs.index1.paddingMode}}"
+        - name: "ONBOARDINGSERVICEPROVIDER__ENCRYPTIONCONFIGS__1__ENCRYPTIONKEY"
+          valueFrom:
+            secretKeyRef:
+              name: "{{ .Values.backend.interfaces.secret }}"
+              key: "onboardingserviceprovider-encryption-key1"
         - name: "PROVISIONING__CENTRALIDENTITYPROVIDER__CONFIG__CLIENTID"
           value: "{{ .Values.backend.provisioning.centralIdentityProvider.clientId }}"
         - name: "PROVISIONING__CENTRALREALM"

charts/portal/templates/secret-backend-interfaces.yaml

@@ -37,8 +37,10 @@ data:
   custodian-client-secret: {{ coalesce ( .Values.backend.processesworker.custodian.clientSecret | b64enc ) ( index $secret.data "custodian-client-secret" ) | default ( randAlphaNum 32 ) | quote }}
   sdfactory-client-secret: {{ coalesce ( .Values.backend.processesworker.sdfactory.clientSecret | b64enc ) ( index $secret.data "sdfactory-client-secret" ) | default ( randAlphaNum 32 ) | quote }}
   offerprovider-client-secret: {{ coalesce ( .Values.backend.processesworker.offerprovider.clientSecret | b64enc ) ( index $secret.data "offerprovider-client-secret" ) | default ( randAlphaNum 32 ) | quote }}
-  onboardingserviceprovider-encryption-key: {{ coalesce ( .Values.backend.administration.onboardingServiceProvider.encryptionKey | b64enc ) ( index $secret.data "onboardingserviceprovider-encryption-key" ) | default ( randAlphaNum 32 ) | quote }}
-  process-onboardingserviceprovider-encryption-key: {{ coalesce ( .Values.backend.processesworker.onboardingServiceProvider.encryptionKey | b64enc ) ( index $secret.data "process-onboardingserviceprovider-encryption-key" ) | default ( randAlphaNum 32 ) | quote }}
+  onboardingserviceprovider-encryption-key0: {{ coalesce ( .Values.backend.administration.onboardingServiceProvider.encryptionConfigs.index0.encryptionKey | b64enc ) ( index $secret.data "onboardingserviceprovider-encryption-key" ) | default ( randAlphaNum 32 ) | quote }}
+  onboardingserviceprovider-encryption-key1: {{ coalesce ( .Values.backend.administration.onboardingServiceProvider.encryptionConfigs.index1.encryptionKey | b64enc ) ( index $secret.data "onboardingserviceprovider-encryption-key" ) | default ( randAlphaNum 32 ) | quote }}
+  process-onboardingserviceprovider-encryption-key0: {{ coalesce ( .Values.backend.processesworker.onboardingServiceProvider.encryptionConfigs.index0.encryptionKey | b64enc ) ( index $secret.data "process-onboardingserviceprovider-encryption-key" ) | default ( randAlphaNum 32 ) | quote }}
+  process-onboardingserviceprovider-encryption-key1: {{ coalesce ( .Values.backend.processesworker.onboardingServiceProvider.encryptionConfigs.index1.encryptionKey | b64enc ) ( index $secret.data "process-onboardingserviceprovider-encryption-key" ) | default ( randAlphaNum 32 ) | quote }}
 {{ else -}}
 stringData:
   # if secret doesn't exist, use provided value from values file or generate a random one
@@ -47,6 +49,8 @@ stringData:
   custodian-client-secret: {{ .Values.backend.processesworker.custodian.clientSecret | default ( randAlphaNum 32 ) | quote }}
   sdfactory-client-secret: {{ .Values.backend.processesworker.sdfactory.clientSecret | default ( randAlphaNum 32 ) | quote }}
   offerprovider-client-secret: {{ .Values.backend.processesworker.offerprovider.clientSecret | default ( randAlphaNum 32 ) | quote }}
-  onboardingserviceprovider-encryption-key: {{ .Values.backend.administration.onboardingServiceProvider.encryptionKey | default ( randAlphaNum 32 ) | quote }}
-  process-onboardingserviceprovider-encryption-key: {{ .Values.backend.processesworker.onboardingServiceProvider.encryptionKey | default ( randAlphaNum 32 ) | quote }}
+  onboardingserviceprovider-encryption-key0: {{ .Values.backend.administration.onboardingServiceProvider.encryptionConfigs.index0.encryptionKey | default ( randAlphaNum 32 ) | quote }}
+  onboardingserviceprovider-encryption-key1: {{ .Values.backend.administration.onboardingServiceProvider.encryptionConfigs.index1.encryptionKey | default ( randAlphaNum 32 ) | quote }}
+  process-onboardingserviceprovider-encryption-key0: {{ .Values.backend.processesworker.onboardingServiceProvider.encryptionConfigs.index0.encryptionKey | default ( randAlphaNum 32 ) | quote }}
+  process-onboardingserviceprovider-encryption-key1: {{ .Values.backend.processesworker.onboardingServiceProvider.encryptionConfigs.index1.encryptionKey | default ( randAlphaNum 32 ) | quote }}
 {{ end }}

charts/portal/values.yaml

@@ -398,8 +398,22 @@ backend:
     frameDocumentTypeIds:
       type0: "CX_FRAME_CONTRACT"
     onboardingServiceProvider:
-      # -- Client-secret for onboardingserviceprovider encryptionKey. Secret-key 'onboardingserviceprovider-encryption-key'.
-      encryptionKey: ""
+      encryptionConfigIndex: 1
+      encryptionConfigs:
+        index0:
+          index: 0
+          cipherMode: "ECB"
+          paddingMode: "PKCS7"
+          # -- EncryptionKey for onboardingserviceprovider. Secret-key 'onboardingserviceprovider-encryption-key0'.
+          # Expected format is 256 bit (64 digits) hex. When upgrading from v1.8.0 please read document portal-upgrade-details.md
+          encryptionKey: ""
+        index1:
+          index: 1
+          cipherMode: "CBC"
+          paddingMode: "PKCS7"
+          # -- EncryptionKey for onboardingserviceprovider encryptionKey. Secret-key 'onboardingserviceprovider-encryption-key1'.
+          # Expected format is 256 bit (64 digits) hex. When upgrading from v1.8.0 please read document portal-upgrade-details.md
+          encryptionKey: ""
   provisioning:
     centralRealm: "CX-Central"
     centralRealmId: "CX-Central"
@@ -821,8 +835,22 @@ backend:
     processIdentity:
       processUserId: d21d2e8a-fe35-483c-b2b8-4100ed7f0953
     onboardingServiceProvider:
-      # -- Client-secret for onboardingserviceprovider encryptionKey. Secret-key 'process-onboardingserviceprovider-encryption-key'.
-      encryptionKey: ""
+      encryptionConfigIndex: 1
+      encryptionConfigs:
+        index0:
+          index: 0
+          cipherMode: "ECB"
+          paddingMode: "PKCS7"
+          # -- EncryptionKey for onboardingserviceprovider. Secret-key 'process-onboardingserviceprovider-encryption-key0'.
+          # Expected format is 256 bit (64 digits) hex. When upgrading from v1.8.0 please read document portal-upgrade-details.md
+          encryptionKey: ""
+        index1:
+          index: 1
+          cipherMode: "CBC"
+          paddingMode: "PKCS7"
+          # -- EncryptionKey for onboardingserviceprovider. Secret-key 'process-onboardingserviceprovider-encryption-key1'.
+          # Expected format is 256 bit (64 digits) hex. When upgrading from v1.8.0 please read document portal-upgrade-details.md
+          encryptionKey: ""
     networkRegistration:
       loginDocumentPath: "/documentation/?path=docs%2F09.+Others%28s%29%2F01.+Login.md"
       externalRegistrationPath: "/?overlay=consent_osp"

consortia/environments/values-beta.yaml

@@ -152,7 +152,11 @@ backend:
         - name: "HEALTHCHECKS__0__TAGS__2"
           value: "provisioningdb"
     onboardingServiceProvider:
-      encryptionKey: "<path:portal/data/beta/administration#onboardingserviceprovider-encryption-key>"
+      encryptionConfigs:
+        index0:
+          encryptionKey: "<path:portal/data/beta/administration#onboardingserviceprovider-encryption-key0>"
+        index1:
+          encryptionKey: "<path:portal/data/beta/administration#onboardingserviceprovider-encryption-key1>"
     swaggerEnabled: true
 
   provisioning:
@@ -235,7 +239,11 @@ backend:
       clientId: "<path:portal/data/processes-worker#offerprovider-client-id>"
       clientSecret: "<path:portal/data/beta/processes-worker#offerprovider-client-secret>"
     onboardingServiceProvider:
-      encryptionKey: "<path:portal/data/beta/processes-worker#process-onboardingserviceprovider-encryption-key>"
+      encryptionConfigs:
+        index0:
+          encryptionKey: "<path:portal/data/beta/processes-worker#process-onboardingserviceprovider-encryption-key0>"
+        index1:
+          encryptionKey: "<path:portal/data/beta/processes-worker#process-onboardingserviceprovider-encryption-key1>"
 
 postgresql:
   auth:

consortia/environments/values-dev.yaml

@@ -152,7 +152,11 @@ backend:
         - name: "HEALTHCHECKS__0__TAGS__2"
           value: "provisioningdb"
     onboardingServiceProvider:
-      encryptionKey: "<path:portal/data/dev/administration#onboardingserviceprovider-encryption-key>"
+      encryptionConfigs:
+        index0:
+          encryptionKey: "<path:portal/data/dev/administration#onboardingserviceprovider-encryption-key0>"
+        index1:
+          encryptionKey: "<path:portal/data/dev/administration#onboardingserviceprovider-encryption-key1>"
     swaggerEnabled: true
 
   provisioning:
@@ -235,7 +239,11 @@ backend:
       clientId: "<path:portal/data/processes-worker#offerprovider-client-id>"
       clientSecret: "<path:portal/data/dev/processes-worker#offerprovider-client-secret>"
     onboardingServiceProvider:
-      encryptionKey: "<path:portal/data/dev/processes-worker#process-onboardingserviceprovider-encryption-key>"
+      encryptionConfigs:
+        index0:
+          encryptionKey: "<path:portal/data/dev/processes-worker#process-onboardingserviceprovider-encryption-key0>"
+        index1:
+          encryptionKey: "<path:portal/data/dev/processes-worker#process-onboardingserviceprovider-encryption-key1>"
 
 postgresql:
   auth:

consortia/environments/values-int.yaml

@@ -152,7 +152,11 @@ backend:
         - name: "HEALTHCHECKS__0__TAGS__2"
           value: "provisioningdb"
     onboardingServiceProvider:
-      encryptionKey: "<path:portal/data/int/administration#onboardingserviceprovider-encryption-key>"
+      encryptionConfigs:
+        index0:
+          encryptionKey: "<path:portal/data/int/administration#onboardingserviceprovider-encryption-key0>"
+        index1:
+          encryptionKey: "<path:portal/data/int/administration#onboardingserviceprovider-encryption-key1>"
     swaggerEnabled: true
 
   provisioning:
@@ -235,7 +239,11 @@ backend:
       clientId: "<path:portal/data/processes-worker#offerprovider-client-id>"
       clientSecret: "<path:portal/data/int/processes-worker#offerprovider-client-secret>"
     onboardingServiceProvider:
-      encryptionKey: "<path:portal/data/int/processes-worker#process-onboardingserviceprovider-encryption-key>"
+      encryptionConfigs:
+        index0:
+          encryptionKey: "<path:portal/data/int/processes-worker#process-onboardingserviceprovider-encryption-key0>"
+        index1:
+          encryptionKey: "<path:portal/data/int/processes-worker#process-onboardingserviceprovider-encryption-key1>"
 
 postgresql:
   auth:

consortia/environments/values-pen.yaml

@@ -153,7 +153,11 @@ backend:
         - name: "HEALTHCHECKS__0__TAGS__2"
           value: "provisioningdb"
     onboardingServiceProvider:
-      encryptionKey: "<path:portal/data/pen/administration#onboardingserviceprovider-encryption-key>"
+      encryptionConfigs:
+        index0:
+          encryptionKey: "<path:portal/data/pen/administration#onboardingserviceprovider-encryption-key0>"
+        index1:
+          encryptionKey: "<path:portal/data/pen/administration#onboardingserviceprovider-encryption-key1>"
     swaggerEnabled: true
 
   provisioning:
@@ -236,7 +240,11 @@ backend:
       clientId: "<path:portal/data/processes-worker#offerprovider-client-id>"
       clientSecret: "<path:portal/data/pen/processes-worker#offerprovider-client-secret>"
     onboardingServiceProvider:
-      encryptionKey: "<path:portal/data/pen/processes-worker#process-onboardingserviceprovider-encryption-key>"
+      encryptionConfigs:
+        index0:
+          encryptionKey: "<path:portal/data/pen/processes-worker#process-onboardingserviceprovider-encryption-key0>"
+        index1:
+          encryptionKey: "<path:portal/data/pen/processes-worker#process-onboardingserviceprovider-encryption-key1>"
 
 postgresql:
   auth:

consortia/environments/values-rc.yaml

@@ -152,7 +152,11 @@ backend:
         - name: "HEALTHCHECKS__0__TAGS__2"
           value: "provisioningdb"
     onboardingServiceProvider:
-      encryptionKey: "<path:portal/data/dev/administration#onboardingserviceprovider-encryption-key>"
+      encryptionConfigs:
+        index0:
+          encryptionKey: "<path:portal/data/dev/administration#onboardingserviceprovider-encryption-key0>"
+        index1:
+          encryptionKey: "<path:portal/data/dev/administration#onboardingserviceprovider-encryption-key1>"
     swaggerEnabled: true
 
   provisioning:
@@ -235,7 +239,11 @@ backend:
       clientId: "<path:portal/data/processes-worker#offerprovider-client-id>"
       clientSecret: "<path:portal/data/dev/processes-worker#offerprovider-client-secret>"
     onboardingServiceProvider:
-      encryptionKey: "<path:portal/data/dev/processes-worker#process-onboardingserviceprovider-encryption-key>"
+      encryptionConfigs:
+        index0:
+          encryptionKey: "<path:portal/data/dev/processes-worker#process-onboardingserviceprovider-encryption-key0>"
+        index1:
+          encryptionKey: "<path:portal/data/dev/processes-worker#process-onboardingserviceprovider-encryption-key1>"
 
 postgresql:
   fullnameOverride: "portal-backend-rc-postgresql"