
Security token update #3128

Merged
merged 5 commits into from
Sep 1, 2024

Conversation

KenAJoh
Collaborator

@KenAJoh KenAJoh commented Sep 1, 2024

Description

Improved app security by moving tokens from being bundled with the docker-image to the console.

As a precaution, every relevant token is re-rolled, meaning local tokens will need to be updated. The new tokens are updated and accessible in Google Secret Manager under the "designsystem-dev" project.

Could this have led to any security breaches?

Our docker-images are published to Google Artifact Registry (GAR), a private artifact storage managed by NAIS.

https://doc.nais.io/build/how-to/build-and-deploy/
[Screenshot 2024-09-01 at 22:29:02]

We can assume that no one outside of NAV could have had access to any of our docker-images. This update will in practice only secure the application from members outside the Aksel and designsystems NAIS-team.

Update

As I experienced myself when updating these tokens, naming was not consistent between creation and use, meaning the same token had up to 3 different names between Sanity, GitHub secrets and use in the app. To avoid this in the future, every token name is also updated and is hopefully completely consistent across all systems.

// Old tokens
SANITY_WRITE_KEY
SANITY_PREVIEW_TOKEN
SANITY_PRIVATE_NO_DRAFTS
SLACK_BOT_TOKEN


// New tokens
SANITY_WRITE
SANITY_READ
SANITY_READ_NO_DRAFTS
SLACK_BOT_USER_TOKEN

Testing

Already tested:

  • Read, preview and write in dev (dev-gcp)
  • Build of dev with updated tokens in github actions

Needs to be tested after merge

  • e2e tests after PR creation (github-actions)
  • Update Sanity action while publishing prod (github-actions)
  • Prod build (github-actions)
  • Read, preview and write in prod (prod-gcp)
  • Update views nais-job
  • Backup-script (github-actions)
  • Check RSS feed
  • Check searchindex

To update the Slack bot token, the Slack app had to be reinstalled to the NAV org. This means we can't properly test it before a Slack admin re-approves the app, hopefully on Monday.
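The PR raises two things a reviewer would want to verify mechanically: that the built image really no longer carries any of the tokens (baked-in ENV in the image config, or ENV/ARG lines in the Dockerfile), and that no workflow or env file still references one of the old token names. The following checks are an added example written for this review, not code from the Aksel repository; the `docker inspect` output, Dockerfile and workflow snippets are constructed inline, and the only project-specific input is the old-to-new name mapping quoted in the description.

```python
"""Added example: post-merge checks for a 'move tokens out of the image' change.

1. baked_in_secrets()  - scan `docker inspect <image>` JSON for token env vars.
2. dockerfile_leaks()  - flag ENV/ARG lines that would persist a token in layers.
3. stale_token_names() - find files still using an old token name.
All sample inputs below are constructed for illustration.
"""
import json
import re

# Old -> new names as listed in the PR description.
TOKEN_RENAMES = {
    "SANITY_WRITE_KEY": "SANITY_WRITE",
    "SANITY_PREVIEW_TOKEN": "SANITY_READ",
    "SANITY_PRIVATE_NO_DRAFTS": "SANITY_READ_NO_DRAFTS",
    "SLACK_BOT_TOKEN": "SLACK_BOT_USER_TOKEN",
}
# Any of these, old or new, must not end up inside an image.
SENSITIVE_NAMES = set(TOKEN_RENAMES) | set(TOKEN_RENAMES.values())


def baked_in_secrets(inspect_json: str) -> list[str]:
    """Names of sensitive env vars with a non-empty value in an image config.

    Reads Config.Env (runtime env of the image) and, when present,
    ContainerConfig.Env (env of the container the last layer was built from).
    """
    found = []
    for image in json.loads(inspect_json):
        for section in ("Config", "ContainerConfig"):
            env = (image.get(section) or {}).get("Env") or []
            for entry in env:
                name, _, value = entry.partition("=")
                if name in SENSITIVE_NAMES and value:
                    found.append(f"{section}.Env:{name}")
    return found


def dockerfile_leaks(dockerfile: str) -> list[tuple[str, str]]:
    """(instruction, name) for ENV/ARG lines naming a token.

    ARG values are not in the final Config.Env but are recorded in the
    build history of the layer that used them, so they count as leaks too.
    """
    leaks = []
    for line in dockerfile.splitlines():
        m = re.match(r"^\s*(ENV|ARG)\s+(.*)$", line)
        if not m:
            continue
        instr, rest = m.group(1), m.group(2)
        if "=" in rest:  # `ENV A=1 B=2` form: one name per token
            names = [tok.split("=", 1)[0] for tok in rest.split()]
        else:            # `ENV key value` / `ARG key` form: first token only
            names = rest.split()[:1]
        leaks.extend((instr, n) for n in names if n in SENSITIVE_NAMES)
    return leaks


def stale_token_names(files: dict[str, str]) -> dict[str, list[str]]:
    """{filename: [old names still referenced]}; files with none are omitted.

    Word-boundary matching: SANITY_WRITE does not match inside SANITY_WRITE_KEY
    because '_' is a word character, so new names never trigger on old ones.
    """
    stale = {}
    for path, text in files.items():
        hits = [old for old in TOKEN_RENAMES
                if re.search(rf"\b{re.escape(old)}\b", text)]
        if hits:
            stale[path] = hits
    return stale


# ---- constructed sample inputs (not from the project) ----------------------
SAMPLE_INSPECT = json.dumps([{
    "Id": "sha256:constructed",
    "Config": {"Env": [
        "PATH=/usr/local/bin:/usr/bin",
        "NODE_ENV=production",
        "SANITY_WRITE_KEY=sk-constructed-value",   # the kind of leak being fixed
    ]},
}])

SAMPLE_DOCKERFILE = """\
FROM node:20-alpine
ARG SANITY_WRITE
ENV NODE_ENV=production
ENV SANITY_WRITE=$SANITY_WRITE
COPY . .
"""

SAMPLE_FILES = {
    ".github/workflows/deploy.yml": (
        "env:\n"
        "  SANITY_WRITE: ${{ secrets.SANITY_WRITE }}\n"
        "  SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}\n"   # old name
    ),
    ".env.example": "SANITY_READ=\nSANITY_READ_NO_DRAFTS=\n",
}

if __name__ == "__main__":
    print("baked in:", baked_in_secrets(SAMPLE_INSPECT))
    print("dockerfile:", dockerfile_leaks(SAMPLE_DOCKERFILE))
    print("stale:", stale_token_names(SAMPLE_FILES))
```

Run against a real image with `docker inspect <image> | python check.py` style piping (assumed usage), or point `stale_token_names` at the checked-out repo; an empty result from all three functions is the condition the "Needs to be tested after merge" list is implicitly relying on.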


changeset-bot bot commented Sep 1, 2024

⚠️ No Changeset found

Latest commit: bd2c87b

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@KenAJoh KenAJoh merged commit 7c5538f into main Sep 1, 2024
4 checks passed
@KenAJoh KenAJoh deleted the security-token-update branch September 1, 2024 21:18