infra(seed): dump encrypted secret columns as NULL, restore via CLI

ASP.NET Data Protection ciphertext is non-deterministic and bound to the
source key ring, so encrypted secret columns (ExternalSystemDefinitions.AuthConfiguration,
SmtpConfigurations.Credentials, DatabaseConnectionDefinitions.ConnectionString)
cannot be replayed from a static SQL dump —
the app would fail to decrypt them. dump_seed.py now emits those columns
as NULL; reseed.sh adds a post-seed stage that recreates the values
through the ScadaLink CLI so the EF value converter re-encrypts against
the target cluster's key ring.
This commit is contained in:
Joseph Doherty
2026-05-21 01:29:51 -04:00
parent 5492c94e2f
commit 932fda5594
3 changed files with 62 additions and 2 deletions


@@ -114,6 +114,34 @@ docker exec -i scadalink-mssql /opt/mssql-tools18/bin/sqlcmd \
-S localhost -U sa -P 'ScadaLink_Dev1#' -C -d ScadaLinkConfig -b < "$SEED_FILE"
echo " Seed replayed."
echo ""
echo "--- Stage 6d/6: restore encrypted secret config (CLI) ---"
# Configuration that lives in encrypted secret columns cannot be replayed from
# raw SQL: ASP.NET Data Protection ciphertext is non-deterministic and bound to
# the source key ring. Create/restore it through the app so the EF value
# converter encrypts against this cluster's key ring.
CLI="dotnet run --project $PROJECT_ROOT/src/ScadaLink.CLI --"
AUTH="--username multi-role --password password"
# ExternalSystemDefinitions Id 1 ("Test REST API") is inserted by the seed with
# a fixed identity but a NULL AuthConfiguration; set the API key here.
$CLI --url "$MGMT_URL" $AUTH external-system update \
--id 1 \
--name "Test REST API" \
--endpoint-url "http://scadalink-restapi:5200" \
--auth-type ApiKey \
--auth-config "scadalink-test-key-1"
echo " External-system auth config restored (encrypted)."
# The "Machine Data DB" database connection is referenced by name from the
# seeded TestDatabaseQuery script. It is not in seed-config.sql (its
# ConnectionString is an encrypted secret column); create it through the app.
$CLI --url "$MGMT_URL" $AUTH db-connection create \
--name "Machine Data DB" \
--connection-string "Server=scadalink-mssql,1433;Database=ScadaLinkMachineData;User Id=scadalink_app;Password=ScadaLink_Dev1#;TrustServerCertificate=true" \
|| echo " (Machine Data DB connection may already exist)"
echo " Database connection created (encrypted)."
echo ""
echo "=== Reseed complete ==="
echo ""
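Review bot: The `|| echo " (Machine Data DB connection may already exist)"` fallback on the `db-connection create` call swallows every failure — rejected credentials, an unreachable `$MGMT_URL`, a validation error on the connection string — and the unconditional `echo " Database connection created (encrypted)."` that follows then reports success, so a reseed can finish green with the "Machine Data DB" connection the seeded TestDatabaseQuery depends on never created. Capture the status instead and only claim success on exit 0, e.g. `rv=0; $CLI --url "$MGMT_URL" $AUTH db-connection create ... || rv=$?` followed by `if [[ $rv -eq 0 ]]; then echo " Database connection created (encrypted)."; else echo " WARNING: db-connection create exited $rv (already exists, or a real error — check the CLI output above)" >&2; fi`; if the CLI exposes a list/get subcommand, an existence check before create would make the stage idempotent without masking errors. Separately, the CLI password in `AUTH`, the API key in `--auth-config`, and the SQL password embedded in `--connection-string` are all passed on argv, so they are visible in `ps` and in any `set -x` trace of this script; these look like fixed dev-cluster seed values (the `sa` password is already on the `sqlcmd` line above), but a comment stating that, or reading them from env/stdin if the CLI supports it, would stop the pattern being copied into a non-dev reseed. `$PROJECT_ROOT` inside the `CLI=` assignment is unquoted and the variable is later expanded unquoted, so a checkout path containing spaces breaks the stage; the surrounding script's `set` options are outside this hunk, so whether a failed `external-system update` aborts the run cannot be told from here.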