feat(config): add generation for JWT keys if missing (#8655)

2025-12-19 05:17:47 +00:00 · 2025-09-22 13:14:54 +02:00
parent cb4a5dec79
commit b8537aa22d
7 changed files with 326 additions and 43 deletions
--- a/.env
+++ b/.env
@@ -85,44 +85,9 @@ DJANGO_CACHE_MAX_AGE=3600
 DJANGO_STALE_WHILE_REVALIDATE=60
 DJANGO_MANAGE_DB_PARTITIONS=True
 # openssl genrsa -out private.pem 2048
-DJANGO_TOKEN_SIGNING_KEY="-----BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDs4e+kt7SnUJek
-6V5r9zMGzXCoU5qnChfPiqu+BgANyawz+MyVZPs6RCRfeo6tlCknPQtOziyXYM2I
-7X+qckmuzsjqp8+u+o1mw3VvUuJew5k2SQLPYwsiTzuFNVJEOgRo3hywGiGwS2iv
-/5nh2QAl7fq2qLqZEXQa5+/xJlQggS1CYxOJgggvLyra50QZlBvPve/AxKJ/EV/Q
-irWTZU5lLNI8sH2iZR05vQeBsxZ0dCnGMT+vGl+cGkqrvzQzKsYbDmabMcfTYhYi
-78fpv6A4uharJFHayypYBjE39PwhMyyeycrNXlpm1jpq+03HgmDuDMHydk1tNwuT
-nEC7m7iNAgMBAAECggEAA2m48nJcJbn9SVi8bclMwKkWmbJErOnyEGEy2sTK3Of+
-NWx9BB0FmqAPNxn0ss8K7cANKOhDD7ZLF9E2MO4/HgfoMKtUzHRbM7MWvtEepldi
-nnvcUMEgULD8Dk4HnqiIVjt3BdmGiTv46OpBnRWrkSBV56pUL+7msZmMZTjUZvh2
-ZWv0+I3gtDIjo2Zo/FiwDV7CfwRjJarRpYUj/0YyuSA4FuOUYl41WAX1I301FKMH
-xo3jiAYi1s7IneJ16OtPpOA34Wg5F6ebm/UO0uNe+iD4kCXKaZmxYQPh5tfB0Qa3
-qj1T7GNpFNyvtG7VVdauhkb8iu8X/wl6PCwbg0RCKQKBgQD9HfpnpH0lDlHMRw9K
-X7Vby/1fSYy1BQtlXFEIPTN/btJ/asGxLmAVwJ2HAPXWlrfSjVAH7CtVmzN7v8oj
-HeIHfeSgoWEu1syvnv2AMaYSo03UjFFlfc/GUxF7DUScRIhcJUPCP8jkAROz9nFv
-DByNjUL17Q9r43DmDiRsy0IFqQKBgQDvlJ9Uhl+Sp7gRgKYwa/IG0+I4AduAM+Gz
-Dxbm52QrMGMTjaJFLmLHBUZ/ot+pge7tZZGws8YR8ufpyMJbMqPjxhIvRRa/p1Tf
-E3TQPW93FMsHUvxAgY3MV5MzXFPhlNAKb+akP/RcXUhetGAuZKLubtDCWa55ZQuL
-wj2OS+niRQKBgE7K8zUqNi6/22S8xhy/2GPgB1qPObbsABUofK0U6CAGLo6te+gc
-6Jo84IyzFtQbDNQFW2Fr+j1m18rw9AqkdcUhQndiZS9AfG07D+zFB86LeWHt4DS4
-ymIRX8Kvaak/iDcu/n3Mf0vCrhB6aetImObTj4GgrwlFvtJOmrYnO8EpAoGAIXXP
-Xt25gWD9OyyNiVu6HKwA/zN7NYeJcRmdaDhO7B1A6R0x2Zml4AfjlbXoqOLlvLAf
-zd79vcoAC82nH1eOPiSOq51plPDI0LMF8IN0CtyTkn1Lj7LIXA6rF1RAvtOqzppc
-SvpHpZK9pcRpXnFdtBE0BMDDtl6fYzCIqlP94UUCgYEAnhXbAQMF7LQifEm34Dx8
-BizRMOKcqJGPvbO2+Iyt50O5X6onU2ITzSV1QHtOvAazu+B1aG9pEuBFDQ+ASxEu
-L9ruJElkOkb/o45TSF6KCsHd55ReTZ8AqnRjf5R+lyzPqTZCXXb8KTcRvWT4zQa3
-VxyT2PnaSqEcexWUy4+UXoQ=
-----END PRIVATE KEY-----"
+DJANGO_TOKEN_SIGNING_KEY=""
 # openssl rsa -in private.pem -pubout -out public.pem
-DJANGO_TOKEN_VERIFYING_KEY="-----BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7OHvpLe0p1CXpOlea/cz
-Bs1wqFOapwoXz4qrvgYADcmsM/jMlWT7OkQkX3qOrZQpJz0LTs4sl2DNiO1/qnJJ
-rs7I6qfPrvqNZsN1b1LiXsOZNkkCz2MLIk87hTVSRDoEaN4csBohsEtor/+Z4dkA
-Je36tqi6mRF0Gufv8SZUIIEtQmMTiYIILy8q2udEGZQbz73vwMSifxFf0Iq1k2VO
-ZSzSPLB9omUdOb0HgbMWdHQpxjE/rxpfnBpKq780MyrGGw5mmzHH02IWIu/H6b+g
-OLoWqyRR2ssqWAYxN/T8ITMsnsnKzV5aZtY6avtNx4Jg7gzB8nZNbTcLk5xAu5u4
-jQIDAQAB
-----END PUBLIC KEY-----"
+DJANGO_TOKEN_VERIFYING_KEY=""
 # openssl rand -base64 32
 DJANGO_SECRETS_ENCRYPTION_KEY="oE/ltOhp/n1TdbHjVmzcjDPLcLA41CVI/4Rk+UB5ESc="
 DJANGO_BROKER_VISIBILITY_TIMEOUT=86400
--- a/api/CHANGELOG.md
+++ b/api/CHANGELOG.md
@@ -2,7 +2,10 @@

 All notable changes to the **Prowler API** are documented in this file.

-## [1.14.0] (Prowler 5.13.0)
+## [1.14.0] (Prowler UNRELEASED)
+
+### Added
+- Default JWT keys are generated and stored if they are missing from configuration [(#8655)](https://github.com/prowler-cloud/prowler/pull/8655)

 ### Changed
 - Now the MANAGE_ACCOUNT permission is required to modify or read user permissions instead of MANAGE_USERS [(#8281)](https://github.com/prowler-cloud/prowler/pull/8281)
--- a/api/README.md
+++ b/api/README.md
@@ -20,6 +20,8 @@ Valkey exposes a Redis 7.2 compliant API. Any service that exposes the Redis API

 Under the root path of the project, you can find a file called `.env.example`. This file shows all the environment variables that the project uses. You *must* create a new file called `.env` and set the values for the variables.

+If you don’t set `DJANGO_TOKEN_SIGNING_KEY` or `DJANGO_TOKEN_VERIFYING_KEY`, the API will generate them at `~/.config/prowler-api/` with `0600` and `0644` permissions; back up these files to persist identity across redeploys.
+
 ## Local deployment
 Keep in mind if you export the `.env` file to use it with local deployment that you will have to do it within the context of the Poetry interpreter, not before. Otherwise, variables will not be loaded properly.

--- a/api/src/backend/api/apps.py
+++ b/api/src/backend/api/apps.py
@@ -1,4 +1,28 @@
+import logging
+import os
+
+from pathlib import Path
+import sys
+
 from django.apps import AppConfig
+from django.conf import settings
+
+from config.custom_logging import BackendLogger
+from config.env import env
+
+logger = logging.getLogger(BackendLogger.API)
+
+SIGNING_KEY_ENV = "DJANGO_TOKEN_SIGNING_KEY"
+VERIFYING_KEY_ENV = "DJANGO_TOKEN_VERIFYING_KEY"
+
+PRIVATE_KEY_FILE = "jwt_private.pem"
+PUBLIC_KEY_FILE = "jwt_public.pem"
+
+KEYS_DIRECTORY = (
+    Path.home() / ".config" / "prowler-api"
+)  # `/home/prowler/.config/prowler-api` inside the container
+
+_keys_initialized = False  # Flag to prevent multiple executions within the same process


 class ApiConfig(AppConfig):
@@ -9,4 +33,138 @@ class ApiConfig(AppConfig):
        from api import signals  # noqa: F401
        from api.compliance import load_prowler_compliance

+        # Generate required cryptographic keys if not present, but only if:
+        #   `"manage.py" not in sys.argv`: If an external server (e.g., Gunicorn) is running the app
+        #   `os.environ.get("RUN_MAIN")`: If it's not a Django command or using `runserver`,
+        #                                 only the main process will do it
+        if "manage.py" not in sys.argv or os.environ.get("RUN_MAIN"):
+            self._ensure_crypto_keys()
+
        load_prowler_compliance()
+
+    def _ensure_crypto_keys(self):
+        """
+        Orchestrator method that ensures all required cryptographic keys are present.
+        This method coordinates the generation of:
+          - RSA key pairs for JWT token signing and verification
+        Note: During development, Django spawns multiple processes (migrations, fixtures, etc.)
+        which will each generate their own keys. This is expected behavior and each process
+        will have consistent keys for its lifetime. In production, set the keys as environment
+        variables to avoid regeneration.
+        """
+        global _keys_initialized
+
+        # Skip key generation if running tests
+        if hasattr(settings, "TESTING") and settings.TESTING:
+            return
+
+        # Skip if already initialized in this process
+        if _keys_initialized:
+            return
+
+        # Check if both JWT keys are set; if not, generate them
+        signing_key = env.str(SIGNING_KEY_ENV, default="").strip()
+        verifying_key = env.str(VERIFYING_KEY_ENV, default="").strip()
+
+        if not signing_key or not verifying_key:
+            logger.info(
+                f"Generating JWT RSA key pair. In production, set '{SIGNING_KEY_ENV}' and '{VERIFYING_KEY_ENV}' "
+                "environment variables."
+            )
+            self._ensure_jwt_keys()
+
+        # Mark as initialized to prevent future executions in this process
+        _keys_initialized = True
+
+    def _read_key_file(self, file_name):
+        """
+        Utility method to read the contents of a file.
+        """
+        file_path = KEYS_DIRECTORY / file_name
+        return file_path.read_text().strip() if file_path.is_file() else None
+
+    def _write_key_file(self, file_name, content, private=True):
+        """
+        Utility method to write content to a file.
+        """
+        try:
+            file_path = KEYS_DIRECTORY / file_name
+            file_path.parent.mkdir(parents=True, exist_ok=True)
+            file_path.write_text(content)
+            file_path.chmod(0o600 if private else 0o644)
+
+        except Exception as e:
+            logger.error(
+                f"Error writing key file '{file_name}': {e}. "
+                f"Please set '{SIGNING_KEY_ENV}' and '{VERIFYING_KEY_ENV}' manually."
+            )
+            raise e
+
+    def _ensure_jwt_keys(self):
+        """
+        Generate RSA key pairs for JWT token signing and verification
+        if they are not already set in environment variables.
+        """
+        # Read existing keys from files if they exist
+        signing_key = self._read_key_file(PRIVATE_KEY_FILE)
+        verifying_key = self._read_key_file(PUBLIC_KEY_FILE)
+
+        if not signing_key or not verifying_key:
+            # Generate and store the RSA key pair
+            signing_key, verifying_key = self._generate_jwt_keys()
+            self._write_key_file(PRIVATE_KEY_FILE, signing_key, private=True)
+            self._write_key_file(PUBLIC_KEY_FILE, verifying_key, private=False)
+            logger.info("JWT keys generated and stored successfully")
+
+        else:
+            logger.info("JWT keys already generated")
+
+        # Set environment variables and Django settings
+        os.environ[SIGNING_KEY_ENV] = signing_key
+        settings.SIMPLE_JWT["SIGNING_KEY"] = signing_key
+
+        os.environ[VERIFYING_KEY_ENV] = verifying_key
+        settings.SIMPLE_JWT["VERIFYING_KEY"] = verifying_key
+
+    def _generate_jwt_keys(self):
+        """
+        Generate and set RSA key pairs for JWT token operations.
+        """
+        try:
+            from cryptography.hazmat.primitives import serialization
+            from cryptography.hazmat.primitives.asymmetric import rsa
+
+            # Generate RSA key pair
+            private_key = rsa.generate_private_key(  # Future improvement: we could read the next values from env vars
+                public_exponent=65537,
+                key_size=2048,
+            )
+
+            # Serialize private key (for signing)
+            private_pem = private_key.private_bytes(
+                encoding=serialization.Encoding.PEM,
+                format=serialization.PrivateFormat.PKCS8,
+                encryption_algorithm=serialization.NoEncryption(),
+            ).decode("utf-8")
+
+            # Serialize public key (for verification)
+            public_key = private_key.public_key()
+            public_pem = public_key.public_bytes(
+                encoding=serialization.Encoding.PEM,
+                format=serialization.PublicFormat.SubjectPublicKeyInfo,
+            ).decode("utf-8")
+
+            logger.debug("JWT RSA key pair generated successfully.")
+            return private_pem, public_pem
+
+        except ImportError as e:
+            logger.warning(
+                "The 'cryptography' package is required for automatic JWT key generation."
+            )
+            raise e
+
+        except Exception as e:
+            logger.error(
+                f"Error generating JWT keys: {e}. Please set '{SIGNING_KEY_ENV}' and '{VERIFYING_KEY_ENV}' manually."
+            )
+            raise e
--- a/api/src/backend/api/tests/test_apps.py
+++ b/api/src/backend/api/tests/test_apps.py
@@ -0,0 +1,152 @@
+import os
+from pathlib import Path
+from unittest.mock import MagicMock
+
+import pytest
+from django.conf import settings
+
+import api.apps as api_apps_module
+from api.apps import (
+    ApiConfig,
+    PRIVATE_KEY_FILE,
+    PUBLIC_KEY_FILE,
+    SIGNING_KEY_ENV,
+    VERIFYING_KEY_ENV,
+)
+
+
+@pytest.fixture(autouse=True)
+def reset_keys_initialized(monkeypatch):
+    """Ensure per-test clean state for the module-level guard flag."""
+    monkeypatch.setattr(api_apps_module, "_keys_initialized", False, raising=False)
+
+
+def _stub_keys():
+    return (
+        """-----BEGIN PRIVATE KEY-----\nPRIVATE\n-----END PRIVATE KEY-----\n""",
+        """-----BEGIN PUBLIC KEY-----\nPUBLIC\n-----END PUBLIC KEY-----\n""",
+    )
+
+
+def test_generate_jwt_keys_when_missing(monkeypatch, tmp_path):
+    # Arrange: isolate FS, env, and settings; force generation path
+    monkeypatch.setattr(
+        api_apps_module, "KEYS_DIRECTORY", Path(tmp_path), raising=False
+    )
+    monkeypatch.delenv(SIGNING_KEY_ENV, raising=False)
+    monkeypatch.delenv(VERIFYING_KEY_ENV, raising=False)
+
+    # Work on a copy of SIMPLE_JWT to avoid mutating the global settings dict for other tests
+    monkeypatch.setattr(
+        settings, "SIMPLE_JWT", settings.SIMPLE_JWT.copy(), raising=False
+    )
+    monkeypatch.setattr(settings, "TESTING", False, raising=False)
+
+    # Avoid dependency on the cryptography package
+    monkeypatch.setattr(ApiConfig, "_generate_jwt_keys", staticmethod(_stub_keys))
+
+    config = ApiConfig("api", api_apps_module)
+
+    # Act
+    config._ensure_crypto_keys()
+
+    # Assert: files created with expected content
+    priv_path = Path(tmp_path) / PRIVATE_KEY_FILE
+    pub_path = Path(tmp_path) / PUBLIC_KEY_FILE
+    assert priv_path.is_file()
+    assert pub_path.is_file()
+    assert priv_path.read_text() == _stub_keys()[0]
+    assert pub_path.read_text() == _stub_keys()[1]
+
+    # Env vars and Django settings updated
+    assert os.environ[SIGNING_KEY_ENV] == _stub_keys()[0]
+    assert os.environ[VERIFYING_KEY_ENV] == _stub_keys()[1]
+    assert settings.SIMPLE_JWT["SIGNING_KEY"] == _stub_keys()[0]
+    assert settings.SIMPLE_JWT["VERIFYING_KEY"] == _stub_keys()[1]
+
+
+def test_ensure_crypto_keys_are_idempotent_within_process(monkeypatch, tmp_path):
+    # Arrange
+    monkeypatch.setattr(
+        api_apps_module, "KEYS_DIRECTORY", Path(tmp_path), raising=False
+    )
+    monkeypatch.delenv(SIGNING_KEY_ENV, raising=False)
+    monkeypatch.delenv(VERIFYING_KEY_ENV, raising=False)
+    monkeypatch.setattr(
+        settings, "SIMPLE_JWT", settings.SIMPLE_JWT.copy(), raising=False
+    )
+    monkeypatch.setattr(settings, "TESTING", False, raising=False)
+
+    mock_generate = MagicMock(side_effect=_stub_keys)
+    monkeypatch.setattr(ApiConfig, "_generate_jwt_keys", staticmethod(mock_generate))
+
+    config = ApiConfig("api", api_apps_module)
+
+    # Act: first call should generate, second should be a no-op (guard flag)
+    config._ensure_crypto_keys()
+    config._ensure_crypto_keys()
+
+    # Assert: generation occurred exactly once
+    assert mock_generate.call_count == 1
+
+
+def test_ensure_jwt_keys_uses_existing_files(monkeypatch, tmp_path):
+    # Arrange: pre-create key files
+    monkeypatch.setattr(
+        api_apps_module, "KEYS_DIRECTORY", Path(tmp_path), raising=False
+    )
+    monkeypatch.setattr(
+        settings, "SIMPLE_JWT", settings.SIMPLE_JWT.copy(), raising=False
+    )
+
+    existing_private, existing_public = _stub_keys()
+
+    (Path(tmp_path) / PRIVATE_KEY_FILE).write_text(existing_private)
+    (Path(tmp_path) / PUBLIC_KEY_FILE).write_text(existing_public)
+
+    # If generation were called, fail the test
+    def _fail_generate():
+        raise AssertionError("_generate_jwt_keys should not be called when files exist")
+
+    monkeypatch.setattr(ApiConfig, "_generate_jwt_keys", staticmethod(_fail_generate))
+
+    config = ApiConfig("api", api_apps_module)
+
+    # Act: call the lower-level method directly to set env/settings from files
+    config._ensure_jwt_keys()
+
+    # Assert
+    # _read_key_file() strips trailing newlines; environment/settings should reflect stripped content
+    assert os.environ[SIGNING_KEY_ENV] == existing_private.strip()
+    assert os.environ[VERIFYING_KEY_ENV] == existing_public.strip()
+    assert settings.SIMPLE_JWT["SIGNING_KEY"] == existing_private.strip()
+    assert settings.SIMPLE_JWT["VERIFYING_KEY"] == existing_public.strip()
+
+
+def test_ensure_crypto_keys_skips_when_env_vars(monkeypatch, tmp_path):
+    # Arrange: put values in env so the orchestrator doesn't generate
+    monkeypatch.setattr(
+        api_apps_module, "KEYS_DIRECTORY", Path(tmp_path), raising=False
+    )
+    monkeypatch.setenv(SIGNING_KEY_ENV, "ENV-PRIVATE")
+    monkeypatch.setenv(VERIFYING_KEY_ENV, "ENV-PUBLIC")
+    monkeypatch.setattr(
+        settings, "SIMPLE_JWT", settings.SIMPLE_JWT.copy(), raising=False
+    )
+    monkeypatch.setattr(settings, "TESTING", False, raising=False)
+
+    called = {"ensure": False}
+
+    def _track_call():
+        called["ensure"] = True
+        return _stub_keys()
+
+    monkeypatch.setattr(ApiConfig, "_generate_jwt_keys", staticmethod(_track_call))
+
+    config = ApiConfig("api", api_apps_module)
+
+    # Act
+    config._ensure_crypto_keys()
+
+    # Assert: orchestrator did not trigger generation when env present
+    assert called["ensure"] is False
--- a/docker-compose-dev.yml
+++ b/docker-compose-dev.yml
@@ -14,9 +14,11 @@ services:
    ports:
      - "${DJANGO_PORT:-8080}:${DJANGO_PORT:-8080}"
    volumes:
-      - "./api/src/backend:/home/prowler/backend"
-      - "./api/pyproject.toml:/home/prowler/pyproject.toml"
-      - "outputs:/tmp/prowler_api_output"
+      - ./api/src/backend:/home/prowler/backend
+      - ./api/pyproject.toml:/home/prowler/pyproject.toml
+      - ./api/docker-entrypoint.sh:/home/prowler/docker-entrypoint.sh
+      - ./_data/api:/home/prowler/.config/prowler-api
+      - outputs:/tmp/prowler_api_output
    depends_on:
      postgres:
        condition: service_healthy
@@ -64,7 +66,7 @@ services:
    image: valkey/valkey:7-alpine3.19
    hostname: "valkey"
    volumes:
-      - ./api/_data/valkey:/data
+      - ./_data/valkey:/data
    env_file:
      - path: .env
        required: false
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -8,7 +8,8 @@ services:
    ports:
      - "${DJANGO_PORT:-8080}:${DJANGO_PORT:-8080}"
    volumes:
-      - "output:/tmp/prowler_api_output"
+      - ./_data/api:/home/prowler/.config/prowler-api
+      - output:/tmp/prowler_api_output
    depends_on:
      postgres:
        condition: service_healthy