Documentation details on determining the config values for the Submission Key, Claim Token, Retrieval ECDSA key, and Retrieval HMAC key

[plam626]

It appears the rds_backend_db_password variable was changed at some point to be called rds_server_db_password. In general, if more documentation on generating/determining the config values for the Submission Key, Claim Token, Retrieval ECDSA key, and Retrieval HMAC key would be appreciated

Workaround:
Took the values from the test data. Since it is possible to execute the server/portal locally in docker, using docker compose.

Docker-compose.yml contains values:
ECDSA_KEY: 30770201010420a6885a310b694b7bb4ba985459de1e79446dddcd1247c62ece925402b362a110a00a06082a8648ce3d030107a1440342000403eb64f714c4b4ed394331c26c31b7ce7156d00fb28982ad2679a87eaa1a3869802fbeb1d7ee28002762921929c3f7603672d535fcac3d24d57afbb4e2d97f5a

  RETRIEVE_HMAC_KEY: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

  KEY_CLAIM_TOKEN: thisisatoken=302

[jtackaberry]

Specifically, the README mentions TF_VAR_rds_backend_db_password but should be TF_VAR_rds_server_db_password. Minor thing.

Sussing out the formatting of the other secret tf vars seemed to need a bit of poking through the source. The protocol documentation is helpful, but a little bit more detail on initial configuration in the main README would be welcome. Perhaps something along these lines:

Include in main README

Server	Environment Variable	Purpose	Format	Example
Submission	KEY_CLAIM_TOKEN	Used as a bearer token by health care professionals to authenticate requests for new One Time Codes	Colon-delimited list of <token>=<region> where <token> is a sufficiently random alphanumeric string and <region> is a 3-digit Mobile Country Code	SxsHYw3DGBpJF4nfwKzdeL=302:aZRrdq7Z6M9sq7dvaYjiFb=302
Retrieval	RETRIEVE_HMAC_KEY	An HMAC-SHA256 key used to authenticate the parameters for /retrieve to deter unauthorized scraping	64 random hex digits (i.e. 32 bytes of random binary data, hexlified)	ad6f9fe54afc3aff7aa160b8b1124638ab166278959b69a2c6ae0d4c6e6d655b
Retrieval	ECDSA_KEY	Used to sign the Diagnosis Keys returned by /retrieve	ECDSA P-256 private key, hexlified as 242 hex digits. You can use the helper tool generate-dcdsa-private-key in this repo (under cmd/) to generate a new key.	(Withheld due to size)
Retrieval, Submission	DATABASE_URL	Database connection string	<user>:<passwd>@tcp(<host>)/<dbname>	covidshield:ejiQDBvysfMCyD6z3jmNVC@tcp(mysql)/covidshield

Include AWS reference implementation README

Server	Terraform Variable	Corresponding Environment Variable
Submission	ecs_task_key_submission_env_key_claim_token	KEY_CLAIM_TOKEN
Submission	ecs_task_key_retrieval_env_hmac_key	RETRIEVE_HMAC_KEY
Retrieval	ecs_task_key_retrieval_env_ecdsa_key	ECDSA_KEY
Retrieval, Submission	rds_server_db_password	<password> element of DATABASE_URL (the rest of DATABASE_URL is dynamically constructed)

[Ginja]

Thanks for the awesome table, @jtackaberry. Sorry for the confusion. There was a repo rename and some things were missed.

I'll clarify some of the confusion here in an upcoming PR.

[0xluke]

Suggestion to specify that the KEY_CLAIM_TOKEN must adhere to the logic specified in the Authenticator code here (Eg. Token must be less than 64 characters)

[shinebayar-g]

Anyone could take a look at here? CovidShield/portal#137 We're so close to successfully deploying the application.