Merge pull request #2027 from GSA-TTS/main

GSA-TTS · Sep 6, 2023 · ebc7d96 · ebc7d96
2 parents b9f00e5 + 59d3a4e
commit ebc7d96
Show file tree

Hide file tree

Showing 9 changed files with 20 additions and 5 deletions.
diff --git a/.github/workflows/deploy-application.yml b/.github/workflows/deploy-application.yml
@@ -60,13 +60,14 @@ jobs:
         env:
           SAM_API_KEY: ${{ secrets.SAM_API_KEY }}
           DJANGO_SECRET_LOGIN_KEY: $${{ secrets.DJANGO_SECRET_LOGIN_KEY }}
+          LOGIN_CLIENT_ID: $${{ secrets.LOGIN_CLIENT_ID }}
           SECRET_KEY: ${{ secrets.SECRET_KEY }}
         with:
           cf_username: ${{ secrets.CF_USERNAME }}
           cf_password: ${{ secrets.CF_PASSWORD }}
           cf_org: gsa-tts-oros-fac
           cf_space: ${{ env.space }}
-          cf_command: update-user-provided-service fac-key-service -p '"{\"SAM_API_KEY\":\"${{ secrets.SAM_API_KEY }}\", \"DJANGO_SECRET_LOGIN_KEY\":\"${{ secrets.DJANGO_SECRET_LOGIN_KEY }}\", \"SECRET_KEY\":\"${{ secrets.SECRET_KEY}}\"}"'
+          cf_command: update-user-provided-service fac-key-service -p '"{\"SAM_API_KEY\":\"${{ secrets.SAM_API_KEY }}\", \"DJANGO_SECRET_LOGIN_KEY\":\"${{ secrets.DJANGO_SECRET_LOGIN_KEY }}\", \"LOGIN_CLIENT_ID\":\"${{ secrets.LOGIN_CLIENT_ID }}\", \"SECRET_KEY\":\"${{ secrets.SECRET_KEY}}\"}"'
 
       - name: Deploy fac to cloud.gov
         uses: cloud-gov/cg-cli-tools@main
@@ -86,4 +87,4 @@ jobs:
           cf_password: ${{ secrets.CF_PASSWORD }}
           cf_org: gsa-tts-oros-fac
           cf_space: ${{ env.space }}
-          command: cf run-task gsa-fac -k 6G -m 1G --name load_data --command ./load_data.sh
+          command: cf run-task gsa-fac -k 6G -m 1G --name load_data --command "./load_data.sh"
diff --git a/.github/workflows/end-to-end-test.yml b/.github/workflows/end-to-end-test.yml
@@ -12,6 +12,7 @@ jobs:
       SAM_API_KEY: ${{ secrets.SAM_API_KEY }}
       DJANGO_BASE_URL: 'http://localhost:8000'
       DJANGO_SECRET_LOGIN_KEY: ${{ secrets.DJANGO_SECRET_LOGIN_KEY }}
+      LOGIN_CLIENT_ID: ${{ secrets.LOGIN_CLIENT_ID }}
       SECRET_KEY: ${{ secrets.SECRET_KEY }}
       ALLOWED_HOSTS: '0.0.0.0 127.0.0.1 localhost'
       DISABLE_AUTH: False

diff --git a/.github/workflows/testing-from-build.yml b/.github/workflows/testing-from-build.yml
@@ -12,6 +12,7 @@ jobs:
       SAM_API_KEY: ${{ secrets.SAM_API_KEY }}
       DJANGO_BASE_URL: 'http://localhost:8000'
       DJANGO_SECRET_LOGIN_KEY: ${{ secrets.DJANGO_SECRET_LOGIN_KEY }}
+      LOGIN_CLIENT_ID: ${{ secrets.LOGIN_CLIENT_ID }}
       SECRET_KEY: ${{ secrets.SECRET_KEY }}
       ALLOWED_HOSTS: '0.0.0.0 127.0.0.1 localhost'
       DISABLE_AUTH: False
@@ -59,6 +60,7 @@ jobs:
       SAM_API_KEY: ${{ secrets.SAM_API_KEY }}
       DJANGO_BASE_URL: 'http://localhost:8000'
       DJANGO_SECRET_LOGIN_KEY: ${{ secrets.DJANGO_SECRET_LOGIN_KEY }}
+      LOGIN_CLIENT_ID: ${{ secrets.LOGIN_CLIENT_ID }}
       SECRET_KEY: ${{ secrets.SECRET_KEY }}
       ALLOWED_HOSTS: '0.0.0.0 127.0.0.1 localhost'
       DISABLE_AUTH: True

diff --git a/.github/workflows/testing-from-ghcr.yml b/.github/workflows/testing-from-ghcr.yml
@@ -13,6 +13,7 @@ jobs:
       SAM_API_KEY: ${{ secrets.SAM_API_KEY }}
       DJANGO_BASE_URL: 'http://localhost:8000'
       DJANGO_SECRET_LOGIN_KEY: ${{ secrets.DJANGO_SECRET_LOGIN_KEY }}
+      LOGIN_CLIENT_ID: ${{ secrets.LOGIN_CLIENT_ID }}
       SECRET_KEY: ${{ secrets.SECRET_KEY }}
       ALLOWED_HOSTS: '0.0.0.0 127.0.0.1 localhost'
       DISABLE_AUTH: False
@@ -61,6 +62,7 @@ jobs:
       SAM_API_KEY: ${{ secrets.SAM_API_KEY }}
       DJANGO_BASE_URL: 'http://localhost:8000'
       DJANGO_SECRET_LOGIN_KEY: ${{ secrets.DJANGO_SECRET_LOGIN_KEY }}
+      LOGIN_CLIENT_ID: ${{ secrets.LOGIN_CLIENT_ID }}
       SECRET_KEY: ${{ secrets.SECRET_KEY }}
       ALLOWED_HOSTS: '0.0.0.0 127.0.0.1 localhost'
       DISABLE_AUTH: True

diff --git a/backend/config/settings.py b/backend/config/settings.py
@@ -409,6 +409,7 @@
 ]
 
 env_base_url = env.str("DJANGO_BASE_URL", "")
+login_client_id = secret("LOGIN_CLIENT_ID", "")
 secret_login_key = b64decode(secret("DJANGO_SECRET_LOGIN_KEY", ""))
 
 # which provider to use if multiple are available
@@ -432,7 +433,7 @@
             "acr_value": "http://idmanagement.gov/ns/assurance/ial/1",
         },
         "client_registration": {
-            "client_id": "urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:gsa-fac-pk-jwt-01",
+            "client_id": login_client_id,
             "redirect_uris": [f"{env_base_url}/openid/callback/login/"],
             "post_logout_redirect_uris": [f"{env_base_url}/openid/callback/logout/"],
             "token_endpoint_auth_method": ["private_key_jwt"],

diff --git a/backend/docker-compose-web.yml b/backend/docker-compose-web.yml
@@ -33,6 +33,7 @@ services:
       SAM_API_KEY: ${SAM_API_KEY}
       DJANGO_BASE_URL: http://localhost:8000
       DJANGO_SECRET_LOGIN_KEY: ${DJANGO_SECRET_LOGIN_KEY}
+      LOGIN_CLIENT_ID: ${LOGIN_CLIENT_ID}
       ENV: ${ENV}
       SECRET_KEY: ${SECRET_KEY}
       ALLOWED_HOSTS: 0.0.0.0 127.0.0.1 localhost

diff --git a/backend/docker-compose.yml b/backend/docker-compose.yml
@@ -42,6 +42,7 @@ services:
       SAM_API_KEY: ${SAM_API_KEY}
       DJANGO_BASE_URL: http://localhost:8000
       DJANGO_SECRET_LOGIN_KEY: ${DJANGO_SECRET_LOGIN_KEY}
+      LOGIN_CLIENT_ID: ${LOGIN_CLIENT_ID}
       ENV: ${ENV}
       SECRET_KEY: ${SECRET_KEY}
       ALLOWED_HOSTS: 0.0.0.0 127.0.0.1 localhost

diff --git a/backend/load_data.sh b/backend/load_data.sh
@@ -5,5 +5,7 @@
 #rm -rf /home/vcap/app/!(load_data.sh)
 git config --global http.proxy "$https_proxy"
 git clone https://github.com/GSA-TTS/fac-historic-public-csvs.git
-./fac-historic-public-csvs/create-dumps.sh
-./fac-historic-public-csvs/wait-and-load.sh
+cd fac-historic-public-csvs
+export PATH=/home/vcap/deps/0/apt/usr/lib/postgresql/14/bin:$PATH
+./create-dumps.sh
+./wait-and-load.sh
diff --git a/docs/development.md b/docs/development.md
@@ -48,6 +48,7 @@ ENV = 'LOCAL'
 SAM_API_KEY =
 SECRET_KEY =
 DJANGO_SECRET_LOGIN_KEY =
+LOGIN_CLIENT_ID =
 DISABLE_AUTH = 
 ```
 If you are using a MacBook with Apple M1 hardware, you will probably also have to add `DOCKERFILE = Apple_M1_Dockerfile` to the file.
@@ -81,6 +82,9 @@ The `DJANGO_SECRET_LOGIN_KEY` environment variable is used to interact with Logi
 *  If you wish to use the shared Login.gov sandbox client application, but create your own client credentials, you must first be granted access to the GSA-FAC Login.gov sandbox team. Once you can access the GSA-FAC client application, follow [Login.gov's documentation for creating a public certificate](https://developers.login.gov/testing/#creating-a-public-certificate). Once created, you can add the newly-generated public key to the GSA-FAC app, and set `DJANGO_SECRET_LOGIN_KEY` to the base64-encoded value of the corresponding private key.
 *  If you wish to use your own Login.gov sandbox client application, follow [Login.gov's documentation for setting up a test application](https://developers.login.gov/testing/). Once completed, open `settings.py` and set `OIDC_PROVIDERS.login.gov.client_registration.client_id` so that it matches the `issuer` string for your newly-created client application. NOTE: changes to the `client_id` should __not__ be checked into version control!
 
+#### LOGIN_CLIENT_ID
+The `LOGIN_CLIENT_ID` environment variable is our unique application identifier at Login.gov. Each environment has its own client ID. You can obtain the client ID that should be used during local development from our shared [dev secrets document](https://docs.google.com/spreadsheets/d/1byrBp16jufbiEY_GP5MyR0Uqf6WvB_5tubSXN_mYyJY/edit#gid=0)
+
 #### DISABLE_AUTH
 The `DISABLE_AUTH` variable tells Django to disable the Login.gov authorization. This should almost always be `False` unless you need to temporarily disable it for your local development.