github.com/upcmd/up@v0.8.1-0.20230108151705-ad8b797bf04f/tests/functests/c0051.yml

doc_meta: |
  folder: security
  title: builtin en/decryption
  head: |
    UP cmd CLI has a builtin security solution that makes use of the template funcs.

    This demos a very generic way to handle a bank application deployment across prod and nonprod envs.

    Note that you could split this process into a few distributed parts:
    * A reference file to store the encryption key, using keyref
    * You could dynamically point to the nonprod/prod key at deployment time for decryption
    * You could automate the step that encrypts the password and use the encrypted value in a dvar, or
    * You could externalize the dvar values to a file and then encrypt the whole dvar file, decrypting it dynamically at runtime

    The solution is flexible: you are not bound to a third-party tool or binary for your implementation, and it integrates seamlessly with your own workflow.

  sections:
    - title: Notes
      content: |
        * in a real case, you can use bank_password_encrypted to get the encrypted value
        * save the encrypted value as a password dvar, eg 'bank_password'; this can be safely committed into the code repo
        * use the secure/type field to describe the encrypt/decrypt type
        * use secure/key to link to a varname containing the value of the encryption key
        * optionally you can use secure/keyref to point to a key file

    - title: Demo
      log: yes

notes:
  goal:
    - show an example to deal with secure var and how to encrypt and decrypt

  design:
    - in a real case, you can use bank_password_encrypted to get the encrypted value
    - |
      save the encrypted value as a password dvar,
      eg 'bank_password'; this can be safely
      committed into the code repo
    - use the secure/type field to describe the encrypt/decrypt type
    - use secure/key to link to a varname containing the value of the encryption key
    - optionally you can use secure/keyref to point to a key file

vars:
  bank_acct: 1234-5678

scopes:
  - name: nonprod
    members: [dev, staging]
    vars:
      #in a real ci/cd case, this should come from a secure location
      #you can dynamically get it from an ENV var
      #or you can use a secure api call to a backend
      enc_key: my_non_enc_key

  - name: prod
    members: [prod]
    vars:
      #in a real ci/cd case, this should come from a secure location
      #you can dynamically get it from an ENV var
      #or you can use a secure api call to a backend
      enc_key: my_prod_enc_key

dvars:
  - name: bank_password_encrypted
    value: '{{ "mybankpassword" | encryptAES .enc_key }}'
    flags: [vvvv]

  - name: bank_password_decrypted
    value: '{{.bank_password_encrypted |decryptAES .enc_key}}'
    flags: [vvvv]

  - name: bank_password
    #this is how it should finally be configured
    #or this value could come from a ref file
    value: '6HmsmiJIW1PfIXcF4WwOKOMDiL7PstgfKs2aRFajrwY='
    flags:
      - vvvv
    secure:
      type: default_aes
      #the key value is a var name whose value is the encryption key
      key: enc_key
      # keyref: /a/secure/location/key.file

  - name: bank_password_using_defause_config
    desc: simply use the secure flag; it will use the default Secure setting configured in upconfig.yml
    value: '6HmsmiJIW1PfIXcF4WwOKOMDiL7PstgfKs2aRFajrwY='
    flags:
      - v
      - secure

tasks:

  -
    name: task
    task:
      - func: call
        do: task_generate_password

  -
    name: task_generate_password
    task:
      - func: shell
        do:
          - echo "bank account [{{.bank_acct}}]"
          - echo "bank password encrypted [{{.bank_password_encrypted}}]"
          - echo "bank password [{{.bank_password}}]"
          - echo "secure bank password [{{.secure_bank_password}}]"
          - echo "bank password using default config [{{.bank_password_using_defause_config}}]"
          - echo "secure bank password using default config [{{.secure_bank_password_using_defause_config}}]"
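The workflow the file above describes (encrypt the password once, commit only the ciphertext as a dvar, pick the nonprod or prod enc_key per scope at deploy time and decrypt) can be seen end to end in the following Go program. This is an added example written for this page, not code from the up project: up's encryptAES/decryptAES template funcs are not reproduced here, and the key derivation (SHA-256 of the enc_key string feeding AES-256-GCM), the functions EncryptAES, DecryptAES and ResolveSecureVar, and the scopeKeys map are all assumptions of the example. It also covers the failure mode the scope design is meant to surface: a value encrypted under the nonprod key is rejected outright when prod's key is applied, rather than decrypting to garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// keyFromPassphrase turns the free-form enc_key value into a 32-byte AES-256 key.
// Assumption of this example: SHA-256 of the passphrase. up's own encryptAES may
// derive its key differently; this is not the project's implementation.
func keyFromPassphrase(passphrase string) []byte {
	sum := sha256.Sum256([]byte(passphrase))
	return sum[:]
}

// EncryptAES encrypts plaintext with AES-256-GCM under the key derived from
// passphrase and returns base64(nonce || ciphertext || tag), a single string
// that can be stored as a dvar value such as bank_password in the YAML above.
func EncryptAES(plaintext, passphrase string) (string, error) {
	block, err := aes.NewCipher(keyFromPassphrase(passphrase))
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), nil)
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptAES reverses EncryptAES. A wrong key (for example the prod key applied
// to a value encrypted for nonprod) fails GCM authentication and returns an error.
func DecryptAES(encoded, passphrase string) (string, error) {
	sealed, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(keyFromPassphrase(passphrase))
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize() {
		return "", errors.New("ciphertext shorter than nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", fmt.Errorf("decrypt failed (wrong key or tampered value): %w", err)
	}
	return string(pt), nil
}

// scopeKeys mirrors the scopes block of the YAML: each member env maps to the
// enc_key of its scope. The values are constructed for this example; in a real
// pipeline they would be read from a secret store or ENV var, never from the repo.
var scopeKeys = map[string]string{
	"dev":     "my_non_enc_key",
	"staging": "my_non_enc_key",
	"prod":    "my_prod_enc_key",
}

// ResolveSecureVar is the deploy-time step: look up the key for the active scope
// and decrypt the committed ciphertext. An unknown scope is an error, not a
// silent fallback to some default key.
func ResolveSecureVar(scope, encrypted string) (string, error) {
	key, ok := scopeKeys[scope]
	if !ok {
		return "", fmt.Errorf("no enc_key configured for scope %q", scope)
	}
	return DecryptAES(encrypted, key)
}

func main() {
	// Build-time step: encrypt once with the nonprod key; only this output is committed.
	enc, err := EncryptAES("mybankpassword", scopeKeys["staging"])
	if err != nil {
		panic(err)
	}
	fmt.Println("committed value:", enc)

	// Deploy-time step in staging: matching key, password recovered.
	pw, err := ResolveSecureVar("staging", enc)
	fmt.Println("staging:", pw, err)

	// Deploy-time step in prod with a nonprod ciphertext: wrong key, hard error.
	_, err = ResolveSecureVar("prod", enc)
	fmt.Println("prod:", err)
}
```

Because GCM uses a fresh random nonce, the committed value differs on every encryption run, which is why the ciphertext itself is not compared to the constant in the YAML; what matters is that decryption under the scope's own key round-trips and that any other key or a tampered value fails authentication.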