add login.gov certs and configuration

GSA · Aug 1, 2024 · e938106 · e938106
1 parent 0ea9404
commit e938106
Show file tree

Hide file tree

Showing 6 changed files with 25 additions and 16 deletions.
diff --git a/.env_login b/.env_login
@@ -0,0 +1,4 @@
+# local dev env vars for login.gov
+export LOGIN_CLIENT_ID=urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:challenge_gov_portal_eval_dev
+export LOGIN_REDIRECT_EVAL_URL=http://localhost:3000/auth/result
+export LOGOUT_REDIRECT_EVAL_URL=http://localhost:3000/
diff --git a/.envrc b/.envrc
@@ -4,3 +4,6 @@ use nix
 
 mkdir -p .nix-bundler
 export BUNDLE_PATH=./.nix-bundler
+
+# Login Env Vars
+source .env_login
diff --git a/DEVCONFIG.md b/DEVCONFIG.md
@@ -63,7 +63,8 @@ Once direnv is installed and your shell is restarted, clone the project and `cd`
 1. Set up your uswds files in the build directory `npx gulp copyAssets`
 1. Setup the database `rake db:create`, note that postgres must be running for this to work
 1. Boot the system, this will run the sass, esbuild, and uswds watchers along with the rails server
-   1. `./bin/dev`
+  1. `./bin/dev`
+    1. NOTE for login.gov environment: if you are not using direnv/nix to eval .envrc, you can run `source .env_login` in your terminal before starting the server or add the env vars in that file to your local environment directly.
 
 Now you can visit [`localhost:3000`](http://localhost:3000) from your browser.
 
diff --git a/config/application.rb b/config/application.rb
@@ -28,5 +28,17 @@ class Application < Rails::Application
 
     # Use the Postgresql-specific syntax for DB dumps
     config.active_record.schema_format = :sql
+
+    # Shared login.gov config with ENV overrides
+    config.login_gov_oidc = {
+      idp_host: ENV.fetch("LOGIN_IDP_HOST", "https://idp.int.identitysandbox.gov"),
+      login_redirect_uri: ENV.fetch("LOGIN_REDIRECT_EVAL_URL"),
+      logout_redirect_uri: ENV.fetch("LOGOUT_REDIRECT_EVAL_URL"),
+      acr_value: "http://idmanagement.gov/ns/assurance/loa/1",
+      client_id: ENV.fetch("LOGIN_CLIENT_ID"), # determines the login.gov IdP application
+      private_key_password: ENV.fetch("LOGIN_PRIVATE_KEY_PASSWORD", nil), # optional
+      public_key_path: ENV.fetch("LOGIN_PUBLIC_KEY_PATH", "config/public.crt"),
+      private_key_path: ENV.fetch("LOGIN_PRIVATE_KEY_PATH", "config/private.pem"),
+    }
   end
 end
diff --git a/config/environments/development.rb b/config/environments/development.rb
@@ -75,15 +75,4 @@
 
   # Raise error when a before_action's only/except options reference missing actions
   config.action_controller.raise_on_missing_callback_actions = true
-
-  config.login_gov_oidc = {
-    idp_host: "https://idp.int.identitysandbox.gov",
-    login_redirect_uri: "http://localhost:3000/auth/result",
-    logout_redirect_uri: "https://www.challenge.gov/",
-    acr_value: "http://idmanagement.gov/ns/assurance/loa/1",
-    client_id: "urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:challenge_gov_platform_dev",
-    private_key_password: nil,
-    private_key_path: "config/private.pem",
-    public_key_path: "config/public.crt",
-  }
 end
diff --git a/manifest.yml b/manifest.yml
@@ -20,9 +20,9 @@ applications:
     RAILS_LOG_TO_STDOUT: true
     RAILS_SERVE_STATIC_FILES: true
     HOST: challenge-dev.app.cloud.gov
+    LOGIN_CLIENT_ID: urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:challenge_gov_portal_eval_dev
+    LOGIN_IDP_HOST: https://idp.int.identitysandbox.gov
     LOGIN_PRIVATE_KEY_PATH: dev_key.pem
     LOGIN_PUBLIC_KEY_PATH: dev_cert.pem
-    LOGIN_REDIRECT_URL: https://challenge-portal-dev.app.cloud.gov/auth/result
-    LOGIN_IDP_AUTHORIZE_URL: https://idp.int.identitysandbox.gov/openid_connect/authorize
-    LOGIN_TOKEN_ENDPOINT: https://idp.int.identitysandbox.gov/api/openid_connect/token
-    LOGIN_CLIENT_ID: urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:challenge_gov_portal_dev
+    LOGIN_REDIRECT_EVAL_URL: https://challenge-dev.app.cloud.gov/auth/result
+    LOGOUT_REDIRECT_EVAL_URL: https://challenge-dev.app.cloud.gov/