Read CIFS encryption key from environment variable and base64 decode it

[Copilot]

Overview

This PR implements secure loading of the CIFS encryption key from an environment variable instead of using an empty string hardcoded in the configuration.

Problem

Previously, the CIFS encryption configuration used an empty string for the publicKey value:

maia_namespace_values["cifs"] = {"enabled": True, "encryption": {"publicKey": ""}}  # base64 encoded

This meant the encryption key had to be manually configured or left empty, which is not secure for deployment scenarios.

Solution

The encryption key is now:

• Read from the CIFS_ENCRYPTION_KEY environment variable at runtime
• Base64 decoded before being used as the publicKey
• Properly validated with comprehensive error handling

cifs_encryption_key_b64 = os.environ.get("CIFS_ENCRYPTION_KEY", "")
public_key = ""

if cifs_encryption_key_b64:
    try:
        public_key = base64.b64decode(cifs_encryption_key_b64).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as e:
        print(f"⚠️  Warning: Failed to decode CIFS_ENCRYPTION_KEY: {e}")
        print("    Using empty public key as fallback.")
else:
    print("⚠️  Warning: CIFS_ENCRYPTION_KEY environment variable is not set.")
    print("    Using empty public key as fallback.")

maia_namespace_values["cifs"] = {"enabled": True, "encryption": {"publicKey": public_key}}

Key Features

✅ Secure Runtime Configuration

• Encryption keys are loaded from environment variables at deployment time
• No hardcoded secrets in source code
• Supports standard deployment practices (Kubernetes secrets, Docker env vars, etc.)

✅ Robust Error Handling

• Missing environment variable: Logs a warning and falls back to empty string (preserving original behavior)
• Invalid base64 encoding: Catches specific exceptions (binascii.Error, UnicodeDecodeError), logs the error, and falls back gracefully
• Specific exception handling prevents masking unexpected errors

✅ Code Consistency

• Uses os.environ.get() pattern consistent with other environment variable usage in the codebase (e.g., CIFS_SERVER, MAIA_PRIVATE_REGISTRY)
• Uses ascii encoding to match other base64 operations throughout the file
• Follows existing logging patterns with print statements

Changes

Modified file: MAIA/maia_admin.py

• Added import binascii for specific exception handling
• Lines 439-455: Replaced single-line CIFS config with environment variable reading and base64 decoding logic

Testing

• ✅ Unit tests verify base64 encoding/decoding behavior
• ✅ Integration tests validate all error handling scenarios:
  • Valid base64-encoded key
  • Missing environment variable
  • Invalid base64 encoding
• ✅ Passes black and flake8 linting
• ✅ CodeQL security scan: 0 vulnerabilities found

Deployment

To use this feature, set the CIFS_ENCRYPTION_KEY environment variable with a base64-encoded encryption key:

# Example: Encode your key
echo -n "my_encryption_key" | base64
# Output: bXlfZW5jcnlwdGlvbl9rZXk=

# Set environment variable
export CIFS_ENCRYPTION_KEY="bXlfZW5jcnlwdGlvbl9rZXk="

If the environment variable is not set, the system will log a warning and use an empty string, maintaining backward compatibility.

Related

Fixes the requirement to securely load and decode CIFS encryption keys at runtime for production deployments.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Read encryption key from environment variable and base64 decode it for CIFS</issue_title>
<issue_description>Requested Enhancement:

Edit MAIA/maia_admin.py at lines 439-440 to change how the CIFS encryption key is provided:

• Instead of passing an empty string as the publicKey value, read the encryption key from an environment variable.
• Base64 decode the environment variable value and pass it as the encryption publicKey in the maia_namespace_values["cifs"] dictionary.

Suggested Implementation:

• Read the encryption key from an environment variable (e.g., CIFS_ENCRYPTION_KEY).
• Decode the value using base64.b64decode().
• Pass the decoded value as publicKey in the config.

Relevant code location:

• File: MAIA/maia_admin.py
• Lines: 439-440

Acceptance Criteria:

• The encryption key should be securely loaded and decoded at runtime for deployment.
• The value should not be hardcoded or left empty.
• Implementation must handle cases where the environment variable is missing or invalid (e.g., log an error or fallback appropriately).

---

Reference: Source file</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #78

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

---

📚 Documentation preview 📚: https://MAIA--79.org.readthedocs.build/en/79/