refactor(cmd-api-server): clean up configuration parameters #720

[ruzell22]

fixes: #720

Parameters that are cleaned up are: cactusNodeId, consortiumId, keychainSuffixKeyPairPem
Parameter keyPairPem cannot be remove as it results to an error in running the api server.

Cleaning the three mentioned parameter are backwards compatible with tags versions:
v1.0.0-rc.3 and v1.0.0
The latest tag being used as of this change is v1.0.0-25-gdda3f00c

Signed-off-by: ruzell22 [email protected]

[petermetz]

@ruzell22 The documentation doesn't seem to be updated. Please go through the acceptance criteria again.

[ruzell22]

@petermetz I have looked into the package cactus-cmd-api-server about the parameters to see if it is mentioned there on other files and for possible documentations. I have cleaned those that are not inside the other packages:

I have also ran npm run configure and npm run start:api-server command and it outputs a success

I would like to inquire if this is good to push for a PR or is there other specific documentation file I should update? Thank you

[ruzell22]

Remove ENV CACTUS_NODE_ID and CONSORTIUM_ID in dockerfile under cactus-cmd-api-server package, KEYCHAIN_SUFFIX_KEY_PAIR_PEM was not mentioned in the docker file so there is none in the file changes in dockerfile.
npm run configure and npm run start:api-server command were also successful after the changes.

[petermetz]

@ruzell22 I'm seeing the variable names in free text search popping up several times throughout the code-base still.

[gitguardian]

⚠️ GitGuardian has uncovered 2 secrets following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secrets in your pull request

GitGuardian id	Secret	Commit	Filename
-	Generic Private Key	0c0952b	examples/cactus-example-carbon-accounting-backend/example-config.json	View secret
-	RSA Private Key	0c0952b	examples/cactus-example-carbon-accounting-backend/example-config.json	View secret

🛠 Guidelines to remediate hardcoded secrets

1. Understand the implications of revoking this secret by investigating where it is used in your code.
2. Replace and store your secrets safely. Learn here the best practices.
3. Revoke and rotate these secrets.
4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider

• following these best practices for managing and storing secrets including API keys and other credentials
• install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.

---

<sup>🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

Our GitHub checks need improvements? Share your feedbacks!</sup>

[ruzell22]

@petermetz I have removed more cactusNodeId, consortiumId, and keychainSuffixKeyPairPem and their ENV equivalent (excluding in example-config.json file which causes GitGuardian bot error during checks here).

[petermetz]

@petermetz I have removed more cactusNodeId, consortiumId, and keychainSuffixKeyPairPem and their ENV equivalent (excluding in example-config.json file which causes GitGuardian bot error during checks here).

@ruzell22 If changing example-config.json trips the GitGuardian check we need to configure it to ignore that file because the alternative would be to not change that file ever again which is not feasable. Ignoring it in gitguardian should be safe because it's an example file with randomly generated keys in it.

[jagpreetsinghsasan]

@ruzell22 any updates on this PR? (If you think the necessary changes were done, you can always re-request for review)

[ruzell22]

Hello @petermetz , I have pushed the changes for the clean up so the new gitguardian workflow will be able to scan it. It passed. However, when I looked into more details about it, the scanner is still saying "Invalid token header. No credentials provided". It seems that even after being merged to the main repository, the workflow still doesn't have the permission to access the environmental secrets variable. I would like to ask assistance in that matter. Thank you. Below are the screenshots of the details.

[petermetz]

Hello @petermetz , I have pushed the changes for the clean up so the new gitguardian workflow will be able to scan it. It passed. However, when I looked into more details about it, the scanner is still saying "Invalid token header. No credentials provided". It seems that even after being merged to the main repository, the workflow still doesn't have the permission to access the environmental secrets variable. I would like to ask assistance in that matter. Thank you. Below are the screenshots of the details.

@ruzell22 That's unfortunate. Please re-open the issue for the git guardian check, link to the comment you just made in a comment on that issue so that everyone has the context.
Then start a new PR to fix the issue that you re-opened.
Make sure to mark this PR dependent on that issue that you reopened for fixing the git guardian checks. That way if someone comes and looks at this they'll know exactly what happened and why is this PR stalling for now.

[ruzell22]

Hello @petermetz , with gitguardian being removed, this PR is considered done and can be closed. Thank you.

[petermetz]

@ruzell22 Please

1. rebase onto upstream/main
2. Retest and see if this part of the commit message is still true: "Parameter keyPairPem cannot be removed as it results to an error in running the api server."
   2.1. Post the full error logs if it is still crashing or remove it otherwise.

[ruzell22]

@petermetz I have rebased and ran 'yarn run configure' and it built successfully.

I tried removing the parameter keyPairPem and it is having error when building

[petermetz]

Thank you @ruzzel22, LGTM