From c3c780f175337a76df4528bf3972067086c23f92 Mon Sep 17 00:00:00 2001 
From: alex-dzeda <120701369+alex-dzeda@users.noreply.github.com> Date: Wed, 17 Jan 2024 08:41:21 -0600 Subject: [PATCH] BCDA-7529: Remove nonsensitive env variables from ops repos (#153) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## đŸŽĢ Ticket https://jira.cms.gov/browse/BCDA-7529 ## 🛠 Changes Re-configured pulling of variables from environment, so that a volume is attached to docker with the configs. Removal from S3 will be a separate manual process. ## ℹī¸ Context for reviewers This assumes that DEPLOYMENT_TARGET is set in all environments. The non-sensitive values to be pulled in through env files are: DEBUG DEPLOYMENT_TARGET (duplicated for reference within a file). SSAS_DEFAULT_SYSTEM_SCOPE SSAS_IDLE_TIMEOUT SSAS_LOG SSAS_READ_TIMEOUT SSAS_WRITE_TIMEOUT ## ✅ Acceptance Validation Unit-tests pass, and a dev deployment / re-deploy with the S3 variables for the variables listed above works. ## 🔒 Security Implications - [x] This PR adds a new software dependency or dependencies. (godotenv: https://github.com/joho/godotenv ) - [ ] This PR modifies or invalidates one or more of our security controls. - [ ] This PR stores or transmits data that was not stored or transmitted before. - [ ] This PR requires additional review of its security implications for other reasons. If any security implications apply, add Jason Ashbaugh (GitHub username: StewGoin) as a reviewer and do not merge this PR without his approval. 
---------
Co-authored-by: Alex Dzeda
---
 Dockerfiles/Dockerfile.ssas | 2 ++
 docker-compose.test.yml | 3 +--
 docker-compose.yml | 4 +---
 go.mod | 1 +
 go.sum | 2 ++
 ops/build_and_package.sh | 2 +-
 ssas/cfg/configs/dev.env | 1 +
 ssas/cfg/configs/local.env | 1 +
 ssas/cfg/configs/opensbx.env | 1 +
 ssas/cfg/configs/prod.env | 1 +
 ssas/cfg/configs/test.env | 1 +
 ssas/service/main/main.go | 11 +++++++----
 ssas/systems.go | 29 ++++++++++++++++++++++-------
 ssas/systems_test.go | 9 +++++++++
 14 files changed, 51 insertions(+), 17 deletions(-)
diff --git a/Dockerfiles/Dockerfile.ssas b/Dockerfiles/Dockerfile.ssas
index 9f951bcb..06b10738 100644
--- a/Dockerfiles/Dockerfile.ssas
+++ b/Dockerfiles/Dockerfile.ssas
@@ -25,6 +25,8 @@ RUN go build -ldflags "-X github.com/CMSgov/bcda-ssas-app/ssas/constants.Version
 FROM golang:1.19-alpine3.15
 RUN apk update upgrade
 RUN apk --no-cache add ca-certificates aws-cli curl
+WORKDIR /go/src/github.com/CMSgov/bcda-ssas-app
+COPY --from=builder /go/src/github.com/CMSgov/bcda-ssas-app/ssas/cfg/configs ssas/cfg/configs
 WORKDIR /usr/local/bin
 COPY --from=builder /go/src/github.com/CMSgov/bcda-ssas-app/ssas/ssas .
 COPY --from=documentation /go/src/github.com/CMSgov/bcda-ssas-app/ssas/swaggerui ./swaggerui
diff --git a/docker-compose.test.yml b/docker-compose.test.yml
index 4d9042eb..8591696a 100644
--- a/docker-compose.test.yml
+++ b/docker-compose.test.yml
@@ -7,13 +7,12 @@ services:
 dockerfile: Dockerfiles/Dockerfile.tests
 args:
 VERSION: latest
- env_file:
- - ./ssas/cfg/configs/local.env
 environment:
 - DB=postgresql://postgres:toor@db:5432
 - DATABASE_URL=postgresql://postgres:toor@db:5432/bcda?sslmode=disable
 - BCDA_SSAS_CLIENT_ID=fake-client-id
 - BCDA_SSAS_SECRET=fake-secret
+ - DEPLOYMENT_TARGET=local
 - SSAS_ADMIN_SIGNING_KEY_PATH=../../../shared_files/ssas/admin_test_signing_key.pem
 - SSAS_PUBLIC_SIGNING_KEY_PATH=../../../shared_files/ssas/public_test_signing_key.pem
 - SSAS_PUBLIC_PORT=:3003
diff --git a/docker-compose.yml b/docker-compose.yml
index ca228585..e13c50b6 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -24,8 +24,6 @@ services:
 args:
 VERSION: latest
 image: bcda-ssas:latest
- env_file:
- - ./ssas/cfg/configs/local.env
 environment:
 - DATABASE_URL=postgresql://postgres:toor@db:5432/bcda?sslmode=disable
 - ATO_PUBLIC_KEY_FILE=../shared_files/ATO_public.pem
@@ -34,7 +32,6 @@ services:
 - BCDA_AUTH_PROVIDER=${BCDA_AUTH_PROVIDER}
 - BCDA_SSAS_CLIENT_ID=${BCDA_SSAS_CLIENT_ID}
 - BCDA_SSAS_SECRET=${BCDA_SSAS_SECRET}
- - DEBUG=true
 - DEPLOYMENT_TARGET=local
 - SSAS_ADMIN_SIGNING_KEY_PATH=../shared_files/ssas/admin_test_signing_key.pem
 - SSAS_PUBLIC_SIGNING_KEY_PATH=../shared_files/ssas/public_test_signing_key.pem
@@ -50,6 +47,7 @@ services:
 - SSAS_CLIENT_ASSERTION_AUD=http://local.testing.cms.gov/api/v2/Token/auth
 volumes:
 - ./shared_files:/usr/local/shared_files
+ - .:/go/src/github.com/CMSgov/bcda-ssas-app
 ports:
 - "3103:3003"
 - "3104:3004"
diff --git a/go.mod b/go.mod
index 5c663c5b..2b0e68aa 100644
--- a/go.mod
+++ b/go.mod
@@ -29,6 +29,7 @@ require (
 github.com/jackc/puddle/v2 v2.2.1 // indirect
 github.com/jinzhu/inflection v1.0.0 // indirect
 github.com/jinzhu/now v1.1.5 // indirect
+ github.com/joho/godotenv v1.5.1 // indirect
 github.com/pmezard/go-difflib v1.0.0 // indirect
 github.com/rogpeppe/go-internal v1.10.0 // indirect
 github.com/stretchr/objx v0.5.0 // indirect
diff --git a/go.sum b/go.sum
index 365a6cb5..97f2d404 100644
--- a/go.sum
+++ b/go.sum
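Review bot: The new volume line in the third docker-compose.yml hunk mounts the whole checkout (`.`) into the container, which is far more than the `ssas/cfg/configs` directory the service reads, and it shadows the copy Dockerfile.ssas now places at that path. A narrower mount such as `- ./ssas/cfg/configs:/go/src/github.com/CMSgov/bcda-ssas-app/ssas/cfg/configs:ro` keeps local config edits visible without exposing the rest of the working tree to the running service. If the wide mount is intentional (for example to pick up other files at runtime), a comment on the line saying so would stop the next reader from narrowing it.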
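Review bot: `github.com/joho/godotenv` is imported directly by ssas/systems.go in this same patch, so the `// indirect` marker on the new go.mod require line is wrong; `go mod tidy` would move it into the direct require block as `github.com/joho/godotenv v1.5.1` without the comment. Keeping it in the direct block also makes the new third-party module the PR description calls out easy to find for anyone auditing what the service links in.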
@@ -71,6 +71,8 @@ github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD
 github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
 github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ=
 github.com/jinzhu/now v1.1.5/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
+github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
+github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
diff --git a/ops/build_and_package.sh b/ops/build_and_package.sh
index 2880c99b..d2eb64da 100755
--- a/ops/build_and_package.sh
+++ b/ops/build_and_package.sh
@@ -34,7 +34,7 @@ go clean
 echo "Building ssas..."
 go build -ldflags "-X github.com/CMSgov/bcda-ssas-app/ssas/constants.Version=$VERSION" -o ssas ./service/main
 echo "Packaging ssas binary into RPM..."
-fpm -v $VERSION -s dir -t rpm -n ssas ssas=/usr/local/bin/ssas swaggerui=/etc/sv/ssas
+fpm -v $VERSION -s dir -t rpm -n ssas ssas=/usr/local/bin/ssas swaggerui=/etc/sv/ssas cfg/configs/=/go/src/github.com/CMSgov/bcda-ssas-app/ssas/cfg/configs/
 
 #Sign RPMs
diff --git a/ssas/cfg/configs/dev.env b/ssas/cfg/configs/dev.env
index 37d85bd7..8577dc8d 100644
--- a/ssas/cfg/configs/dev.env
+++ b/ssas/cfg/configs/dev.env
@@ -1,3 +1,4 @@
+DEBUG=TRUE
 DEPLOYMENT_TARGET=dev
 SSAS_DEFAULT_SYSTEM_SCOPE=bcda-api
 SSAS_IDLE_TIMEOUT=120
diff --git a/ssas/cfg/configs/local.env b/ssas/cfg/configs/local.env
index 6b200057..d4158ace 100644
--- a/ssas/cfg/configs/local.env
+++ b/ssas/cfg/configs/local.env
@@ -1,3 +1,4 @@
+DEBUG=TRUE
 DEPLOYMENT_TARGET=local
 SSAS_DEFAULT_SYSTEM_SCOPE=bcda-api
 SSAS_IDLE_TIMEOUT=120
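Review bot: This `fpm` line installs the env files at `/go/src/github.com/CMSgov/bcda-ssas-app/ssas/cfg/configs/`, but getEnvVars in ssas/systems.go (later in this patch) only falls back to `/go` when both `GOPATH` and `build.Default.GOPATH` are empty, and `build.Default.GOPATH` resolves to `$HOME/go` whenever HOME is set, so on an RPM-installed host the service will look under the service account's home unless its runtime environment explicitly exports `GOPATH=/go`. If that export is not already guaranteed by the service definition, the config directory is better made an explicit, documented setting than derived from the Go toolchain layout. At minimum the coupling deserves a comment on this line, e.g. `# Install path must match what getEnvVars derives from GOPATH (fallback /go).`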
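Review bot: The value added to dev.env is `DEBUG=TRUE`, whereas the docker-compose.yml line this replaces set `DEBUG=true` and the branch removed from getEnvVars compared the variable against the lowercase literal `"true"`; if any remaining reader does the same case-sensitive comparison, DEBUG will now be treated as unset everywhere. The same uppercase spelling appears in the local.env hunk here and in the opensbx.env, prod.env and test.env hunks that follow. Unless every consumer is known to normalize case, keeping the lowercase form, `DEBUG=true` and `DEBUG=false`, avoids a silent behaviour change.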
diff --git a/ssas/cfg/configs/opensbx.env b/ssas/cfg/configs/opensbx.env
index a95aaa58..e0608b2e 100644
--- a/ssas/cfg/configs/opensbx.env
+++ b/ssas/cfg/configs/opensbx.env
@@ -1,3 +1,4 @@
+DEBUG=FALSE
 DEPLOYMENT_TARGET=opensbx
 SSAS_DEFAULT_SYSTEM_SCOPE=bcda-api
 SSAS_IDLE_TIMEOUT=120
diff --git a/ssas/cfg/configs/prod.env b/ssas/cfg/configs/prod.env
index 10d77ca3..eee51ad4 100644
--- a/ssas/cfg/configs/prod.env
+++ b/ssas/cfg/configs/prod.env
@@ -1,3 +1,4 @@
+DEBUG=FALSE
 DEPLOYMENT_TARGET=prod
 SSAS_DEFAULT_SYSTEM_SCOPE=bcda-api
 SSAS_IDLE_TIMEOUT=120
diff --git a/ssas/cfg/configs/test.env b/ssas/cfg/configs/test.env
index db31fdaa..c5d1107d 100644
--- a/ssas/cfg/configs/test.env
+++ b/ssas/cfg/configs/test.env
@@ -1,3 +1,4 @@
+DEBUG=FALSE
 DEPLOYMENT_TARGET=test
 SSAS_DEFAULT_SYSTEM_SCOPE=bcda-api
 SSAS_IDLE_TIMEOUT=120
diff --git a/ssas/service/main/main.go b/ssas/service/main/main.go
index 4208ec1c..0cb280f1 100644
--- a/ssas/service/main/main.go
+++ b/ssas/service/main/main.go
@@ -1,12 +1,12 @@
 /* Package main System-to-System Authentication Service
-
+
 The System-to-System Authentication Service (SSAS) enables one software system to authenticate and authorize another software system. In this model, the Systems act automatically, independent of a human user identity. Human users are involved only to administer the Service, including establishing the identities and privileges of participating systems.
-
+
 For more details see our repository readme and Postman tests:
 - https://github.com/CMSgov/bcda-ssas-app
 - https://github.com/CMSgov/bcda-ssas-app/tree/master/test/postman_test
-
+
 If you have a Client ID and Secret you can use this page to explore the API. To do this, click the green "Authorize" button below and enter your Client ID and secret in the Basic Authentication username and password boxes.
 Until you click logout your token will be presented with every request made. To make requests click on the "Try it out" button for the desired endpoint.
@@ -20,9 +20,11 @@ Until you click logout your token will be presented with every request made. To
 SecurityDefinitions:
 basic_auth:
 type: basic
-
+
 swagger:meta
 */
+//nolint: lll // Ignore long line linting
+
 package main
 
 import (
@@ -78,6 +80,7 @@ func init() {
 if nil != err {
 ssas.Logger.Warnf("New Relic integration is disabled: %s", err)
 }
+
 }
 
 // We provide some simple commands for bootstrapping the system into place. Commands cannot be combined.
diff --git a/ssas/systems.go b/ssas/systems.go
index 67884f36..9471cffe 100644
--- a/ssas/systems.go
+++ b/ssas/systems.go
@@ -9,6 +9,7 @@ import (
 "encoding/base64"
 "errors"
 "fmt"
+ "go/build"
 "io"
 "net"
 "os"
@@ -17,6 +18,7 @@ import (
 "time"
 
 "github.com/CMSgov/bcda-ssas-app/ssas/cfg"
+ "github.com/joho/godotenv"
 "github.com/pborman/uuid"
 "gorm.io/gorm"
 )
@@ -31,15 +33,28 @@ func init() {
 }
 
 func getEnvVars() {
- DefaultScope = os.Getenv("SSAS_DEFAULT_SYSTEM_SCOPE")
+ env := os.Getenv("DEPLOYMENT_TARGET")
+ gopath := os.Getenv("GOPATH")
+
+ if gopath == "" {
+ gopath = build.Default.GOPATH
+ //when GOROOT==gopath, it'll still be empty. Thus, we specify what's in our Dockerfile.
+ if gopath == "" {
+ gopath = "/go"
+ }
+
+ }
+
+ envPath := fmt.Sprintf(gopath+"/src/github.com/CMSgov/bcda-ssas-app/ssas/cfg/configs/%s.env", env)
+ err := godotenv.Load(envPath)
+ if err != nil {
+ ServiceHalted(Event{Help: fmt.Sprintf("Unable to load environment variables in env %s; message: %s", env, err.Error())})
+ panic("Unable to start application without loading environment variables.")
+ }
+ DefaultScope = os.Getenv("SSAS_DEFAULT_SYSTEM_SCOPE")
 if DefaultScope == "" {
- if os.Getenv("DEBUG") == "true" {
- DefaultScope = "bcda-api"
- return
- }
- ServiceHalted(Event{Help: "SSAS_DEFAULT_SYSTEM_SCOPE environment value must be set"})
- panic("SSAS_DEFAULT_SYSTEM_SCOPE environment value must be set")
+ panic("Unable to source default system scope; check env files")
 }
 
 expirationDays := cfg.GetEnvInt("SSAS_CRED_EXPIRATION_DAYS", 90)
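Review bot: The `//nolint: lll // Ignore long line linting` line and the blank line after it now sit between the `/* … swagger:meta */` block and `package main`, so the block is no longer adjacent to the package clause and Go's doc tooling will stop treating it as the package comment; whether go-swagger still picks up `swagger:meta` from that position should be verified before merging. As far as I can tell a `//nolint` directive covers only the line it is on or the declaration that follows, not the whole file, so it would not silence `lll` for the long comment lines above it anyway, and the form golangci-lint documents is `//nolint:lll` with no space after the colon. If the intent is to exempt this file, a path-based exclusion in the linter configuration is the usual route, and the lone blank line added at the end of `init()` in the next hunk looks accidental.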
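Review bot: The new path construction in getEnvVars splices unvalidated input into both the format string and the file name: `gopath` is concatenated into the `fmt.Sprintf` format (a `%` in GOPATH would be read as a verb, and `go vet` flags non-constant format strings), and `env` from DEPLOYMENT_TARGET is used as-is, so an empty value silently resolves to `configs/.env` and a value containing path separators selects a file outside the configs directory. Restricting `env` to the bundled targets and building the path with `filepath.Join` (which needs `path/filepath` in the import block above) closes both; a rewrite is sketched below. Two smaller points: `godotenv.Load` leaves variables already present in the process environment untouched, which is presumably the intended precedence for values injected at deploy time but deserves a comment, and the replacement `panic` for an empty scope drops the `ServiceHalted` event the removed lines emitted, unlike the Load-failure branch just above it. getEnvVars continues past the end of the hunk.
```go
func getEnvVars() {
	env := os.Getenv("DEPLOYMENT_TARGET")
	// Only the targets shipped in ssas/cfg/configs are acceptable; an empty
	// value would otherwise resolve to ".env" and a value with separators to
	// a file outside that directory.
	switch env {
	case "dev", "local", "opensbx", "prod", "test":
	default:
		ServiceHalted(Event{Help: fmt.Sprintf("DEPLOYMENT_TARGET %q is not a known deployment target", env)})
		panic("Unable to start application without a valid DEPLOYMENT_TARGET.")
	}

	// … unchanged: GOPATH resolution with the /go fallback …

	// filepath.Join keeps gopath out of the format string.
	envPath := filepath.Join(gopath, "src", "github.com", "CMSgov", "bcda-ssas-app", "ssas", "cfg", "configs", env+".env")
	// godotenv.Load does not override variables that are already set, so
	// values injected at deploy time take precedence over the file.
	if err := godotenv.Load(envPath); err != nil {
		// … unchanged: ServiceHalted event and panic …
	}

	DefaultScope = os.Getenv("SSAS_DEFAULT_SYSTEM_SCOPE")
	if DefaultScope == "" {
		ServiceHalted(Event{Help: "SSAS_DEFAULT_SYSTEM_SCOPE environment value must be set"})
		panic("Unable to source default system scope; check env files")
	}
	// … unchanged: remainder of getEnvVars …
```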
diff --git a/ssas/systems_test.go b/ssas/systems_test.go
index 3beaa438..b0beee67 100644
--- a/ssas/systems_test.go
+++ b/ssas/systems_test.go
@@ -668,6 +668,15 @@ func (s *SystemsTestSuite) TestScopeEnvSuccess() {
 assert.Nil(s.T(), err)
 }
 
+func (s *SystemsTestSuite) TestEmptyGoPath() {
+ err := os.Setenv("GOPATH", "")
+ if err != nil {
+ s.FailNow(err.Error())
+ }
+ getEnvVars()
+ assert.Equal(s.T(), "bcda-api", DefaultScope)
+}
+
 func (s *SystemsTestSuite) TestScopeEnvDebug() {
 getEnvVars()
 assert.Equal(s.T(), "bcda-api", DefaultScope)
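Review bot: TestEmptyGoPath changes GOPATH for the whole test process and never restores it, so every test that runs after it in the suite sees an empty GOPATH; `s.T().Setenv("GOPATH", "")` replaces the three `os.Setenv`/`FailNow` lines and restores the previous value when the test ends. The test also does not exercise the `/go` fallback it is named for: `build.Default.GOPATH` is computed when the `go/build` package initializes, so clearing GOPATH afterwards still yields whatever was in effect at process start (typically `$HOME/go`), and the assertion passes as long as some config file is found. Asserting on the resolved path, or factoring the path resolution out of getEnvVars into a helper that can be called with explicit inputs, would make the intent checkable.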