Add custom CA settings

.github/workflows/pull_request.yml

@@ -12,7 +12,7 @@ jobs:
       - name: Setup python 3.10
         uses: actions/setup-python@v1
         with:
-          python-version: 3.10.14
+          python-version: 3.10.15
       - name: Install pre-commit
         run: pip install pre-commit
       - name: Run pre-commit

.github/workflows/push.yml

@@ -15,7 +15,7 @@ jobs:
       - name: Setup python 3.10
         uses: actions/setup-python@v1
         with:
-          python-version: 3.10.14
+          python-version: 3.10.15
       - name: Install virtualenv
         run: pip install virtualenv
       - name: Install xmlsec
@@ -40,7 +40,7 @@ jobs:
       - name: Setup python 3.10
         uses: actions/setup-python@v1
         with:
-          python-version: 3.10.14
+          python-version: 3.10.15
       - name: Add wheel dependency
         run: pip install wheel
       - name: Generate dist

confidant/settings.py

@@ -629,14 +629,14 @@ def str_env(var_name, default=''):
 # ]
 
 if bool_env("JWT_IS_CA_ENCRYPTED", True):
-    decrypted_cas = encrypted_settings.decrypted_secrets.get(
+    decrypted_jwt_cas = encrypted_settings.decrypted_secrets.get(
         'JWT_CERTIFICATE_AUTHORITIES'
     )
 else:
-    decrypted_cas = str_env('JWT_CERTIFICATE_AUTHORITIES')
+    decrypted_jwt_cas = str_env('JWT_CERTIFICATE_AUTHORITIES')
 
-JWT_CERTIFICATE_AUTHORITIES = json.loads(b64decode(decrypted_cas)) \
-    if decrypted_cas else {}
+JWT_CERTIFICATE_AUTHORITIES = json.loads(b64decode(decrypted_jwt_cas)) \
+    if decrypted_jwt_cas else {}
 
 JWT_CACHING_ENABLED = bool_env('JWT_CACHING_ENABLED', False)
 
@@ -670,6 +670,33 @@ def str_env(var_name, default=''):
 # {"staging": "some_kid", "production": "some_kid"}
 JWT_ACTIVE_SIGNING_KEYS = json.loads(str_env('JWT_ACTIVE_SIGNING_KEYS', '{}'))
 
+# CUSTOM_CA_ENCRYPTED denotes whether provided CUSTOM_CERTIFICATE_AUTHORITIES
+# is encrypted or not. If it is encrypted, it will be decrypted before use.
+# It should be encrypted for non-development environments.
+if bool_env('CUSTOM_CA_ENCRYPTED', True):
+    decrypted_custom_cas = encrypted_settings.decrypted_secrets.get(
+        'CUSTOM_CERTIFICATE_AUTHORITIES'
+    )
+else:
+    decrypted_custom_cas = str_env('CUSTOM_CERTIFICATE_AUTHORITIES')
+
+# CUSTOM_CERTIFICATE_AUTHORITIES
+# Should be in encrypted settings following this
+# format (where name is the name of the environment) and key ids must be unique:
+# {"<name>":[{
+#   "key": "--- RSA...",
+#   "crt": "--- CERT...",
+#   "passphrase": "some-key",
+#   "kid": "some-kid"
+# }, ...
+# ]}
+CUSTOM_CERTIFICATE_AUTHORITIES = json.loads(b64decode(decrypted_custom_cas)) \
+    if decrypted_custom_cas else {}
+
+# provide a JSON with the following format:
+# {"staging": "some_kid", "production": "some_kid"}
+CUSTOM_CA_ACTIVE_KEYS = json.loads(str_env('CUSTOM_CA_ACTIVE_KEYS', '{}'))
+
 # Configuration validation
 _settings_failures = False
 if len(set(SCOPED_AUTH_KEYS.values())) != len(SCOPED_AUTH_KEYS.values()):

docker-compose.integration.yml

@@ -1,7 +1,7 @@
 version: "3.8"
 services:
   confidant:
-    image: python:3.10.14
+    image: python:3.10.15
     init: true
     restart: "no"
     networks: