feat: support secret rotation and https redirection #7

Merged
cyrnel merged 9 commits from security-stuff into main 2025-09-23 01:09:37 +00:00
Owner

By using two user-controlled secrets, we can support rotation of the encryption keys as described in the docs 🎉

Also enabled HTTP -> HTTPS redirection
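The two-key rotation scheme this PR introduces, as an added shell example that is not part of the rauthy recipe or of abra: it checks an app `.env` for consistency between `ENC_KEY_ACTIVE` and the two configured key versions before a deploy, and flips the active version to the other key. It assumes the variable names from this PR's `.env.sample`; the sample env content is constructed.

```shell
#!/bin/sh
# Added example (not the rauthy recipe's or abra's code): sanity-check the
# two-key rotation settings in an app .env before `abra app deploy`, and flip
# ENC_KEY_ACTIVE to the other key. Assumes the variable names introduced in
# this PR's .env.sample; it does not touch the Docker secrets themselves.
set -eu

# Constructed sample mirroring the values in this thread's debug output.
SAMPLE_ENV='SECRET_ENC_KEYS_A_VERSION=a1 # generated=false
SECRET_ENC_KEYS_B_VERSION=b1 # generated=false
ENC_KEY_ACTIVE=a1'

# env_get FILE NAME -> value of NAME=... with quotes and trailing comment stripped.
env_get() {
  sed -n "s/^$2=\([^#]*\).*/\1/p" "$1" | head -n1 | tr -d '"' | sed 's/[[:space:]]*$//'
}

# check_rotation_env FILE -> 0 if ENC_KEY_ACTIVE names one of the two configured
# key versions, 1 otherwise (an empty value would deploy with no active key).
check_rotation_env() {
  a="$(env_get "$1" SECRET_ENC_KEYS_A_VERSION)"
  b="$(env_get "$1" SECRET_ENC_KEYS_B_VERSION)"
  active="$(env_get "$1" ENC_KEY_ACTIVE)"
  if [ -z "$active" ]; then
    echo "ENC_KEY_ACTIVE is empty: no key would be active after deploy" >&2
    return 1
  fi
  case "$active" in
    "$a"|"$b") echo "ok: active key $active (versions: $a, $b)"; return 0 ;;
  esac
  echo "ENC_KEY_ACTIVE=$active matches neither $a nor $b" >&2
  return 1
}

# rotate_active FILE -> rewrites ENC_KEY_ACTIVE to the currently inactive key
# version and prints the new value. Run this only after the secret for that
# version has been inserted with `abra app secret insert`.
rotate_active() {
  check_rotation_env "$1" >/dev/null
  a="$(env_get "$1" SECRET_ENC_KEYS_A_VERSION)"
  b="$(env_get "$1" SECRET_ENC_KEYS_B_VERSION)"
  if [ "$(env_get "$1" ENC_KEY_ACTIVE)" = "$a" ]; then next="$b"; else next="$a"; fi
  tmp="$(mktemp)"
  sed "s/^ENC_KEY_ACTIVE=.*/ENC_KEY_ACTIVE=$next/" "$1" > "$tmp" && mv "$tmp" "$1"
  echo "$next"
}
```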

cyrnel added 1 commit 2025-09-18 01:47:04 +00:00
cyrnel added 1 commit 2025-09-18 02:45:58 +00:00
cyrnel added 1 commit 2025-09-18 03:05:26 +00:00
cyrnel added 1 commit 2025-09-18 03:07:11 +00:00
cyrnel added 1 commit 2025-09-18 03:11:26 +00:00
Author
Owner

Hmm, when trying to test the migration steps...

```
# abra app deploy login2.example.com -C --debug
DEBU <cli/run.go:137> abra version: 0.11.0-beta, commit: 1c4abcf1, lang: en
DEBU <app/app.go:295> collecting metadata from 1 servers: default
DEBU <git/read.go:88> no /root/.gitconfig exists, not reading any global gitignore config
DEBU <git/read.go:130> no /root/.gitignore exists, skipping reading gitignore paths
DEBU <git/read.go:52> git status: /root/.abra/recipes/rauthy: clean
DEBU <app/app.go:41> loaded app login2.example.com: {name: login2.example.com, recipe: {name: rauthy, version : 0.4.0+0.32.2, dirty: false, dir: /root/.abra/recipes/rauthy, git url: https://git.coopcloud.tech/coop-cloud/rauthy.git, ssh url: ssh://git@git.coopcloud.tech:2222/coop-cloud/rauthy.git, compose: /root/.abra/recipes/rauthy/compose.yml, readme: /root/.abra/recipes/rauthy/README.md, sample env: /root/.abra/recipes/rauthy/.env.sample, abra.sh: /root/.abra/recipes/rauthy/abra.sh}, domain: login2.example.com, env map[ADMIN_EMAIL:admin@example.org ADMIN_FORCE_MFA:true COMPOSE_FILE:compose.yml DOMAIN:login2.example.com ENC_KEY_ACTIVE:a1 LETS_ENCRYPT_ENV:production LOG_LEVEL:info SECRET_ENC_KEYS_A_VERSION:a1 SECRET_ENC_KEYS_B_VERSION:b1 SECRET_HQL_API_VERSION:v1 SECRET_HQL_RAFT_VERSION:v1 TYPE:rauthy:0.4.0+0.32.2], server default, path /root/.abra/servers/default/login2.example.com.env}
DEBU <internal/validate.go:106> validated login2.example.com as app argument
DEBU <client/client.go:95> created client for default
DEBU <app/deploy.go:93> checking whether login2_raleighradtech_net is already deployed
DEBU <stack/stack.go:174> login2_raleighradtech_net has been detected as not deployed
DEBU <git/read.go:88> no /root/.gitconfig exists, not reading any global gitignore config
DEBU <git/read.go:130> no /root/.gitignore exists, skipping reading gitignore paths
DEBU <git/read.go:52> git status: /root/.abra/recipes/rauthy: clean
DEBU <app/deploy.go:324> version: taking chaos version: 8f1f30be
DEBU <lint/recipe.go:187> linting for critical errors in rauthy configs
DEBU <lint/recipe.go:215> linting successful, rauthy is well configured
DEBU <recipe/compose.go:38> COMPOSE_FILE detected, loading /root/.abra/recipes/rauthy/compose.yml
DEBU <envfile/envfile.go:42> read map[ADMIN_EMAIL:admin@example.org ADMIN_FORCE_MFA:true COMPOSE_FILE:compose.yml DOMAIN:login2.example.com ENC_KEY_ACTIVE:a1 LETS_ENCRYPT_ENV:production LOG_LEVEL:info SECRET_ENC_KEYS_A_VERSION:a1 SECRET_ENC_KEYS_B_VERSION:b1 SECRET_HQL_API_VERSION:v1 SECRET_HQL_RAFT_VERSION:v1 TYPE:rauthy:0.4.0+0.32.2] from /root/.abra/servers/default/login2.example.com.env
FATA <app/deploy.go:130> secret not generated: enc_keys_a

# abra app secret list login2.raleighradtech.net -C
┏━━━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━┓
┃    NAME    ┃ VERSION ┃             GENERATED NAME              ┃ CREATED ON SERVER ┃
┣━━━━━━━━━━━━╋━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━┫
┃ enc_keys_a ┃ a1      ┃ login2_example_com_enc_keys_a_a1        ┃ false             ┃
┃ enc_keys_b ┃ b1      ┃ login2_example_com_enc_keys_b_b1        ┃ false             ┃
┃ hql_api    ┃ v1      ┃ login2_example_com_hql_api_v1           ┃ true              ┃
┃ hql_raft   ┃ v1      ┃ login2_example_com_hql_raft_v1          ┃ true              ┃
┗━━━━━━━━━━━━┻━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━┛
```
Owner

Oh yes, very good to do this. Not sure about the migration woes! I think it's OK to assume that operators should have saved their secret already because we have warned them that this secret can never be viewed again (without serious work-around hacks). I don't imagine many people are using this recipe yet, so it might be OK to flag that this is a big breaking change, give it some time and then release it. I myself have my secrets stored so can bring it down / re-release and re-wire it up to match the new config.

cyrnel added 1 commit 2025-09-19 01:51:26 +00:00
cyrnel added 1 commit 2025-09-19 02:06:05 +00:00
cyrnel added 1 commit 2025-09-19 02:15:26 +00:00
cyrnel changed title from WIP: feat: support secret rotation and https redirection to feat: support secret rotation and https redirection 2025-09-19 02:15:44 +00:00
Author
Owner

Not sure what happened yesterday to cause that issue but it's gone now, maybe I had a git repo desync issue or something.

Tested the migration steps and also tested the fresh install steps in the readme and both work!

decentral1se reviewed 2025-09-19 13:27:22 +00:00
decentral1se left a comment
Owner

One minor comment but otherwise LGTM.

Thanks!

.env.sample Outdated
@ -11,3 +11,2 @@
SECRET_ENC_KEYS_VERSION=v1
ENC_KEY_ACTIVE=""
SECRET_ENC_KEYS_A_VERSION=a1 # generated=false
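Review bot: if `ENC_KEY_ACTIVE=""` is kept in the new sample next to `SECRET_ENC_KEYS_A_VERSION=a1`, a fresh install copies an empty active-key setting even though key version `a1` is now configured, and the app would start with no active encryption key; either default it to `a1` in the sample or add a comment on that line saying it must name the key version currently in use (`a1` or `b1`), so that operators cannot deploy with it blank.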
Owner
❓ https://git.coopcloud.tech/toolshed/abra/issues/665#issuecomment-27216 ❓
cyrnel marked this conversation as resolved
cyrnel added 1 commit 2025-09-19 19:08:46 +00:00
Author
Owner

Good catch!

decentral1se approved these changes 2025-09-19 21:15:57 +00:00
decentral1se left a comment
Owner

LGTM!

@ -2,0 +5,4 @@
generate_enc_keys() {
KEY_A="$(openssl rand -base64 32)"
KEY_B="$(openssl rand -base64 32)"
abra app secret insert "$APP_NAME" enc_keys_a a1 "$KEY_A" --chaos
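Review bot: `generate_enc_keys` passes `$KEY_A` to `abra app secret insert` without checking that `openssl rand` produced output; nothing in the hunk sets `-e`, so a failing `openssl` would leave `KEY_A` empty and an empty encryption key would be stored under version `a1`. Guard both values before the inserts, e.g. `[ -n "$KEY_A" ] && [ -n "$KEY_B" ] || { echo "key generation failed" >&2; return 1; }`. The rest of the function (the `enc_keys_b` insert for version `b1`) falls outside this hunk; it needs the same guard so that `ENC_KEY_ACTIVE` can later be switched to `b1` safely.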
Owner

Reminds me of https://git.coopcloud.tech/toolshed/abra/issues/571 btw
cyrnel marked this conversation as resolved
cyrnel merged commit 9cf0790379 into main 2025-09-23 01:09:37 +00:00
cyrnel deleted branch security-stuff 2025-09-23 01:09:38 +00:00