3

I'm creating an application I wish to open-source in the coming weeks. The source code is on GitHub and Heroku autodeploys the code when there is a new commit if it passes the Travis CI tests.

In this application, I have several API keys that I managed to keep out of the open source repository by using env variables in my Heroku dynos.

For the Google server-to-server API, however, I must have a .p12 file. In PHP, the following will authenticate my client:

```php
$client = new Google_Client();
$client->setApplicationName("Client_Calendar");
$service = new Google_Service_Calendar($client);

$key = file_get_contents('myKey.p12');
var_dump($key);

$cred = new Google_Auth_AssertionCredentials(
  'xxx@gserviceaccount.com',
  array('https://www.googleapis.com/auth/calendar'),
  $key
);

$client->setAssertionCredentials($cred);
if ($client->getAuth()->isAccessTokenExpired()) {
  $client->getAuth()->refreshTokenWithAssertion($cred);
}

// ...

$event = $service->events->insert($calendarId, $event, $sendNotifications);
```

At first, I thought I could extract the content of the $key variable and insert it in another Heroku environment variable, but the content is encrypted.

So, here's the question: How do you protect your .p12 key from being stolen in an open source repository?

PS: I simply create Google Calendar events and send notifications to the attendees; if you know a way to do that without using a .p12 file, I am all ears.

thanksd
Mathieu Nls
  • 1
    Why is the fact that the content of a file is "encrypted" relevant for the question if you can move it into an environment variable? – arkascha Feb 01 '16 at 18:40
  • Because Heroku only accepts Key=>Value String as environment variables and all I can see from my .p12 file is question marks. – Mathieu Nls Feb 01 '16 at 18:45
  • Certainly, that is how environment variables work. The google key is the value, not the key/value combination. You are not interested in the meaning of the content. – arkascha Feb 01 '16 at 18:48
  • I agree. But I can't get the content of the file. To open it, I need a password that Google doesn't provide me as far as I know, and the `var_dump($key);` only prints "???". – Mathieu Nls Feb 01 '16 at 18:59
  • Sorry, can't follow there. If you cannot open the file due to missing credentials, then how can you fetch the content and dump it? – arkascha Feb 01 '16 at 19:01
  • I guess the [php google libraries](https://github.com/google/google-api-php-client) decode it somewhere or send the encoded version. The point is, I can't copy-paste the encoded String in Heroku. The characters aren't valid Unicode and Heroku doesn't accept it. – Mathieu Nls Feb 01 '16 at 19:11

1 Answer

0

Don't commit it. Seriously, it's that easy. You were on the right track with Heroku config variables. In fact, even from posting it here you're probably going to want to request a new key.

There's a suggestion to store whole config files in other places that may need credentials that you can store. S3 is a great place for that kind of thing. S3 has an amazing PHP component, too, for accessing S3 buckets.

Iwnnay
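The comments above stall on the .p12 bytes not being valid text for a config variable. The following is an added example, not code from the question or the answer: it base64-encodes the file into a Heroku config var and decodes it at runtime, failing closed on bad input. The variable name `GOOGLE_P12_B64` and the function `loadP12FromEnv` are hypothetical, and the sample bytes are constructed.

```php
<?php
// Added example, not from the original post. Assumes a config var named
// GOOGLE_P12_B64 (hypothetical), set once from a trusted machine with:
//   heroku config:set GOOGLE_P12_B64="$(base64 < myKey.p12 | tr -d '\n')"

/**
 * Decode a base64-encoded PKCS#12 blob from the environment and fail closed
 * if it is missing or malformed. Returns the same raw bytes that
 * file_get_contents('myKey.p12') would have returned.
 */
function loadP12FromEnv(string $varName): string
{
    $encoded = getenv($varName);
    if ($encoded === false || $encoded === '') {
        throw new RuntimeException("$varName is not set");
    }
    // Strict mode returns false on characters outside the base64 alphabet
    // instead of silently discarding them.
    $raw = base64_decode(trim($encoded), true);
    if ($raw === false || $raw === '') {
        throw new RuntimeException("$varName is not valid base64");
    }
    // A PKCS#12 file is an ASN.1 SEQUENCE, so its first byte is 0x30.
    if ($raw[0] !== "\x30") {
        throw new RuntimeException("$varName does not look like a PKCS#12 file");
    }
    return $raw;
}

// Round-trip check with constructed bytes (not a real key): binary data that
// is not valid UTF-8 survives the trip through a plain-string variable.
$sample = "\x30\x82\x09\xff\x00\xfe\x80binary";
putenv('GOOGLE_P12_B64=' . base64_encode($sample));

$key = loadP12FromEnv('GOOGLE_P12_B64');
if ($key !== $sample) {
    throw new RuntimeException('round trip changed the key bytes');
}
echo "round trip ok, " . strlen($key) . " bytes\n";
```

Pass the returned bytes as `$key` to `Google_Auth_AssertionCredentials` in place of `file_get_contents('myKey.p12')`, and drop the `var_dump($key)` so the key material is never written to output or logs.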