From fce18f9d5b4dce5c6c255ebf3cbef98fdccdd81e Mon Sep 17 00:00:00 2001
From: Matthew
Date: Thu, 10 Aug 2023 07:39:58 -0700
Subject: [PATCH] feat: upgrades masking to use env
---
 README.md | 4 ++++
 docker-compose.yml | 1 +
 env-example | 3 +++
 features/schools/get_ranked.go | 4 ++--
 lib/masking/masking.go | 13 +++++++++++--
 lib/masking/masking_test.go | 2 ++
 6 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 80fff7c8..271ce943 100644
--- a/README.md
+++ b/README.md
@@ -33,6 +33,10 @@ cat env-example > .env
 Open the `.env` file and follow the [link](https://generate-random.org/api-token-generator) to create the `APPCHECK_TOKEN` env variable.
+**Ensure you have the correct 16-byte `MASK_SECRET` in the `.env` file.**
+
+An example is provided in the `env-example`, but obviously generate your own for prod.
+
 **Add your AWS data to the `.env` file.**
 Specifically what IAM roles are needed will be determined in the future. Currently, a general admin user suffices.
diff --git a/docker-compose.yml b/docker-compose.yml
index 97e7f639..97c9ecc0 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -36,6 +36,7 @@ services:
 AWS_ACCESS_KEY_ID:
 AWS_SECRET_ACCESS_KEY:
 AWS_REGION:
+ MASK_SECRET:
 redis:
 image: redis:alpine
diff --git a/env-example b/env-example
index ea20e028..0a94a424 100644
--- a/env-example
+++ b/env-example
@@ -10,6 +10,9 @@ APPCHECK_TOKEN="kXfeSRgYTnoUztu6MO8FndqiRayoBaJqyDKQmoqvX3V9sZVlep/cm7cP!mgd-B9H
 # either 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256
 HKDF_SECRET="some-secret-string"
+# a 16-byte key
+MASK_SECRET="your_16_byte_key"
+
 # to generate a new nonce for production:
 # go run ./scripts/main.go --new-nonce
 CIPHER_NONCE="47363bcf91a1545668f0fd7a"
diff --git a/features/schools/get_ranked.go b/features/schools/get_ranked.go
index dd7d97eb..50bb7fc1 100644
--- a/features/schools/get_ranked.go
+++ b/features/schools/get_ranked.go
@@ -120,9 +120,9 @@ func (h *handler) handleGetRankedSchools(c *gin.Context) {
 if len(ids) > 0 {
 cleanedIds := make([]string, len(ids))
 for i, id := range ids {
- cleanedIds[i] = strings.Trim(id, "{}") // Remove curly braces
+ cleanedIds[i] = strings.Trim(id, "{}") // remove curly braces
 }
- idsStr := strings.Join(cleanedIds, ", ") // Convert the cleaned ids slice to a comma-separated string
+ idsStr := strings.Join(cleanedIds, ", ") // convert the cleaned ids slice to a comma-separated string
 possibleRestriction = "WHERE s.id NOT IN (" + idsStr + ")"
 fmt.Println(possibleRestriction)
 }
diff --git a/lib/masking/masking.go b/lib/masking/masking.go
index 7cb52ca6..621096f4 100644
--- a/lib/masking/masking.go
+++ b/lib/masking/masking.go
@@ -7,11 +7,20 @@ import (
 "encoding/base64"
 "fmt"
 "io"
+ "os"
 "strconv"
 )
-// todo: .ENV
-var secretKey = []byte("your_16_byte_key")
+var secretKey []byte
+
+func init() {
+ // load from .env
+ m := os.Getenv("MASK_SECRET")
+ if m == "" {
+ panic("MASK_SECRET env not found")
+ }
+ secretKey = []byte(m)
+}
 func Mask(id uint) (string, error) {
 block, err := aes.NewCipher(secretKey)
diff --git a/lib/masking/masking_test.go b/lib/masking/masking_test.go
index eee72a01..2670e4a4 100644
--- a/lib/masking/masking_test.go
+++ b/lib/masking/masking_test.go
@@ -7,6 +7,8 @@ import (
 "github.com/stretchr/testify/assert"
 )
+// Tests require `MASK_SECRET` env var to be set to pass
+
 func TestUniqueMasksMapToSameID(t *testing.T) {
 // Test case: Masking the same ID twice should result in different encrypted values
 id := uint(5)
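Review bot: The context lines of the features/schools/get_ranked.go hunk build SQL by string concatenation, `possibleRestriction = "WHERE s.id NOT IN (" + idsStr + ")"`, and `strings.Trim(id, "{}")` only strips braces, so it does not validate the elements. Where `ids` is populated is outside the hunk; if it derives from the request, this is an injection path that the comment-only edit leaves in place. Pass the ids to the query as bound parameters, or at minimum reject any element that does not parse as the expected id type before joining (the id type is not visible here, so confirm it). The `fmt.Println(possibleRestriction)` line also looks like leftover debug output and would be better removed or routed through the logger. The body of `handleGetRankedSchools` starts and ends outside the hunk.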
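Review bot: `init()` in lib/masking/masking.go rejects only an empty `MASK_SECRET`, so a value of the wrong length passes startup and surfaces later as an error from `aes.NewCipher(secretKey)` on every `Mask` call; check the length up front, e.g. `if n := len(m); n != 16 && n != 24 && n != 32 { panic("MASK_SECRET must be 16, 24 or 32 bytes") }`. The variable's bytes are used directly as the AES key, so a typed 16-character string carries far less than 128 bits of entropy; consider requiring a base64- or hex-encoded random key and decoding it here. The placeholder added to env-example, `your_16_byte_key`, is the same value this commit removes from the source and is a valid key, so a deployment that copies the file unchanged runs with a published key, whereas an empty or deliberately invalid placeholder would make startup fail instead. Because the key is loaded in a package `init()`, `go test` for this package panics before any test runs when the variable is unset, which is what the new comment in masking_test.go works around. `Mask` continues outside the hunk.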