Merge pull request #12837 from RasaHQ/improvement/ATO-1557-jwt-in-env…

…-vars [ATO-1557] Add environment variables for JWT arguments and auth token
RasaHQ · Sep 25, 2023 · 3152315 · 3152315
2 parents 3f51e5e + 0f9b5c8
commit 3152315
Show file tree

Hide file tree

Showing 8 changed files with 324 additions and 55 deletions.
diff --git a/.github/workflows/continous-integration.yml b/.github/workflows/continous-integration.yml
@@ -906,7 +906,7 @@ jobs:
           # Base MITIE image
           BASE_MITIE_IMAGE_HASH=${{ hashFiles('docker/Dockerfile.base-mitie') }}
           MAKEFILE_MITIE_HASH=${{ hashFiles('Makefile') }}
-          echo "base_mitie_image_hash=${BASE_MITIE_IMAGE_HASH}" >> $GITHUB_OUTPUT
+          echo "base_mitie_image_hash=${BASE_MITIE_IMAGE_HASH:0:50}-${MAKEFILE_MITIE_HASH:0:50}" >> $GITHUB_OUTPUT
 
           BASE_IMAGE_MITIE_EXISTS=$((docker manifest inspect rasa/rasa:base-mitie-${BASE_MITIE_IMAGE_HASH:0:50}-${MAKEFILE_MITIE_HASH:0:50} &> /dev/null && echo true || echo false) || true)
           echo "base_mitie_exists=${BASE_IMAGE_MITIE_EXISTS}" >> $GITHUB_OUTPUT

diff --git a/.typo-ci.yml b/.typo-ci.yml
@@ -62,27 +62,43 @@ excluded_files:
 
 # # Any typos we should ignore?
 excluded_words:
+  - CDD
+  - Comerica
+  - ConveRTFeaturizer
+  - ConveRTTokenizer
+  - HookimplMarker
+  - Juste
+  - NLG
+  - README
+  - Tanja
+  - Vova
   - analytics
+  - anonymization
+  - anonymized
   - asyncio
+  - backends
   - bot
   - bot's
   - cdd
-  - CDD
   - cmdline
+  - conftest
   - conveRT
-  - ConveRTFeaturizer
-  - ConveRTTokenizer
+  - crf
+  - crfentityextractor
   - crfsuite
+  - crypto
   - custom-nlg-service
+  - customizable
   - daksh
+  - dataset
   - db's
-  - deque
-  - docusaurus
-  - non-latin
   - deduplicate
   - deduplication
+  - deque
+  - docusaurus
   - donath
-  - matplotlib
+  - dslim
+  - entitysynonymmapper
   - extractor
   - fbmessenger
   - featurization
@@ -95,13 +111,17 @@ excluded_words:
   - forni
   - gzip
   - gzipped
+  - hallo
   - hftransformersnlp
+  - hookimpl
   - initializer
   - instaclient
-  - jwt
-  - jwt's
+  - ish
+  - jieba
   - jupyter
   - jupyterhub
+  - jwt
+  - jwt's
   - karpathy
   - keras
   - knowledgebase
@@ -110,101 +130,82 @@ excluded_words:
   - llm
   - luis
   - matmul
+  - matplotlib
   - mattermost
   - memoization
+  - memoizationpolicy
   - miniconda
   - mitie
-  - mitiefeaturizer
   - mitie's
+  - mitiefeaturizer
   - mitienlp
-  - dataset
   - mongod
   - mrkdown
   - mrkdwn
   - myio
   - mymodelname
   - myuser
-  - numpy
   - networkx
+  - ngram
+  - nlg
   - nlu
   - nlu's
+  - non-latin
+  - numpy
   - perceptron
+  - pii-management
   - pika
   - pika's
-  - jieba
+  - pluggy
+  - pre
   - pretrained
   - prototyper
+  - prototyper
   - pycodestyle
   - pykwalify
   - pymessenger
   - pyobject
   - python-engineio
-  - pre
-  - customizable
   - quickstart
   - rasa
   - rasa's
   - readthedocs
+  - regexes
+  - regexfeaturizer
   - regularizer
   - repo
   - rst
+  - ruamel
+  - rustc
+  - rustup
+  - rustup-init
   - sanic
   - sanitization
   - scipy
   - sklearn
   - socketio
+  - spaCy
+  - spaCy's
   - spacy
   - spacyfeaturizer
   - spacynlp
-  - ish
-  - spaCy
-  - spaCy's
-  - README
-  - crf
-  - backends
-  - whitespaced
-  - ngram
   - subsampled
   - testagent
+  - thisismysecret
+  - tokenization
   - tokenize
   - tokenized
-  - tokenization
   - tokenizer
   - tokenizers
   - tokenizing
   - typoci
   - unfeaturized
   - unschedule
-  - wsgi
-  - ruamel
-  - prototyper
-  - hallo
-  - crypto
-  - regexes
+  - venv
   - walkthroughs
   - webexteams
-  - venv
-  - regexfeaturizer
-  - crfentityextractor
-  - Comerica
-  - entitysynonymmapper
-  - memoizationpolicy
-  - NLG
-  - nlg
-  - Juste
-  - Tanja
-  - Vova
-  - rustup
-  - rustup-init
-  - rustc
-  - conftest
+  - whitespaced
   - winpty
-  - pii-management
-  - anonymization
-  - anonymized
-  - dslim
-  - pluggy
-  - HookimplMarker
-  - hookimpl
+  - wsgi
 
 spellcheck_filenames: false
diff --git a/changelog/1557.improvement.md b/changelog/1557.improvement.md
@@ -0,0 +1,8 @@
+Added environment variables to configure JWT and auth token.
+For JWT the following environment variables are available:
+- JWT_SECRET
+- JWT_METHOD
+- JWT_PRIVATE_KEY
+
+For auth token the following environment variable is available:
+- AUTH_TOKEN
diff --git a/docs/docs/http-api.mdx b/docs/docs/http-api.mdx
@@ -66,6 +66,18 @@ rasa run \
     --auth-token thisismysecret
 ```
 
+You can also use environment variable `AUTH_TOKEN` to set the auth token:
+```
+AUTH_TOKEN=thisismysecret
+```
+
+:::tip Security best practice
+
+We recommend that you use environment variables to store
+and share sensitive information such as tokens and secrets
+when deploying Rasa as Docker container as they will not be stored in your shell history.
+:::
+
 Any clients sending requests to the server must pass the token
 as a query parameter, or the request will be rejected. For example, to fetch a tracker from the server:
 
@@ -85,6 +97,18 @@ rasa run \
     --jwt-secret thisismysecret
 ```
 
+You can also use environment variable `JWT_SECRET` to set the JWT secret:
+```
+JWT_SECRET=thisismysecret
+```
+
+:::tip Security best practice
+
+We recommend that you use environment variables to store
+and share sensitive information such as tokens and secrets
+when deploying Rasa as Docker container as they will not be stored in your shell history.
+:::
+
 If you want to sign a JWT token with asymmetric algorithms, you can specify the JWT private key to the `--jwt-private-key`
 CLI argument. You must pass the public key to the `--jwt-secret` argument, and also specify the algorithm to the
 `--jwt-method` argument:
@@ -97,6 +121,20 @@ rasa run \
     --jwt-method RS512
 ```
 
+You can also use environment variables to configure JWT:
+```
+JWT_SECRET=<public_key>
+JWT_PRIVATE_KEY=<private_key>
+JWT_METHOD=RS512
+```
+
+:::tip Security best practice
+
+We recommend that you use environment variables to store
+and share sensitive information such as tokens and secrets
+when deploying Rasa as Docker container as they will not be stored in your shell history.
+:::
+
 Client requests to the server will need to contain a valid JWT token in
 the `Authorization` header that is signed using this secret
 and the `HS256` algorithm e.g.

diff --git a/rasa/cli/arguments/run.py b/rasa/cli/arguments/run.py
@@ -1,8 +1,17 @@
+import os
+
 import argparse
 from typing import Union
 
 from rasa.cli.arguments.default_arguments import add_model_param, add_endpoint_param
 from rasa.core import constants
+from rasa.env import (
+    DEFAULT_JWT_METHOD,
+    JWT_METHOD_ENV,
+    JWT_SECRET_ENV,
+    JWT_PRIVATE_KEY_ENV,
+    AUTH_TOKEN_ENV,
+)
 
 
 def set_run_arguments(parser: argparse.ArgumentParser) -> None:
@@ -82,16 +91,25 @@ def add_server_arguments(parser: argparse.ArgumentParser) -> None:
         "yml file.",
     )
 
+    add_server_settings_arguments(parser)
+
+
+def add_server_settings_arguments(parser: argparse.ArgumentParser) -> None:
+    """Add arguments for the API server.
+
+    Args:
+        parser: Argument parser.
+    """
     server_arguments = parser.add_argument_group("Server Settings")
 
     add_interface_argument(server_arguments)
-
     add_port_argument(server_arguments)
 
     server_arguments.add_argument(
         "-t",
         "--auth-token",
         type=str,
+        default=os.getenv(AUTH_TOKEN_ENV),
         help="Enable token based authentication. Requests need to provide "
         "the token to be accepted.",
     )
@@ -150,10 +168,20 @@ def add_server_arguments(parser: argparse.ArgumentParser) -> None:
         "--connector", type=str, help="Service to connect to."
     )
 
+    add_jwt_arguments(parser)
+
+
+def add_jwt_arguments(parser: argparse.ArgumentParser) -> None:
+    """Adds arguments related to JWT authentication.
+
+    Args:
+        parser: Argument parser.
+    """
     jwt_auth = parser.add_argument_group("JWT Authentication")
     jwt_auth.add_argument(
         "--jwt-secret",
         type=str,
+        default=os.getenv(JWT_SECRET_ENV),
         help="Public key for asymmetric JWT methods or shared secret"
         "for symmetric methods. Please also make sure to use "
         "--jwt-method to select the method of the signature, "
@@ -163,12 +191,13 @@ def add_server_arguments(parser: argparse.ArgumentParser) -> None:
     jwt_auth.add_argument(
         "--jwt-method",
         type=str,
-        default="HS256",
+        default=os.getenv(JWT_METHOD_ENV, DEFAULT_JWT_METHOD),
         help="Method used for the signature of the JWT authentication payload.",
     )
     jwt_auth.add_argument(
         "--jwt-private-key",
         type=str,
+        default=os.getenv(JWT_PRIVATE_KEY_ENV),
         help="A private key used for generating web tokens, dependent upon "
         "which hashing algorithm is used. It must be used together with "
         "--jwt-secret for providing the public key.",

diff --git a/rasa/env.py b/rasa/env.py
@@ -0,0 +1,5 @@
+AUTH_TOKEN_ENV = "AUTH_TOKEN"
+JWT_SECRET_ENV = "JWT_SECRET"
+JWT_METHOD_ENV = "JWT_METHOD"
+DEFAULT_JWT_METHOD = "HS256"
+JWT_PRIVATE_KEY_ENV = "JWT_PRIVATE_KEY"
diff --git a/tests/cli/arguments/__init__.py b/tests/cli/arguments/__init__.py