From e938106242ebb4846c0f7a2413c43bec90c45f60 Mon Sep 17 00:00:00 2001
From: Stephen Chudleigh
Date: Thu, 1 Aug 2024 16:57:51 -0700
Subject: [PATCH] add login.gov certs and configuration

---
 .env_login | 4 ++++
 .envrc | 3 +++
 DEVCONFIG.md | 3 ++-
 config/application.rb | 12 ++++++++++++
 config/environments/development.rb | 11 -----------
 manifest.yml | 8 ++++----
 6 files changed, 25 insertions(+), 16 deletions(-)
 create mode 100644 .env_login

diff --git a/.env_login b/.env_login
new file mode 100644
index 00000000..de4aac84
--- /dev/null
+++ b/.env_login
@@ -0,0 +1,4 @@
+# local dev env vars for login.gov
+export LOGIN_CLIENT_ID=urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:challenge_gov_portal_eval_dev
+export LOGIN_REDIRECT_EVAL_URL=http://localhost:3000/auth/result
+export LOGOUT_REDIRECT_EVAL_URL=http://localhost:3000/
\ No newline at end of file
diff --git a/.envrc b/.envrc
index 3e088573..4fbb075a 100644
--- a/.envrc
+++ b/.envrc
@@ -4,3 +4,6 @@ use nix
 mkdir -p .nix-bundler
 export BUNDLE_PATH=./.nix-bundler
+
+# Login Env Vars
+source .env_login
diff --git a/DEVCONFIG.md b/DEVCONFIG.md
index 287a87dd..cc7dc3ac 100644
--- a/DEVCONFIG.md
+++ b/DEVCONFIG.md
@@ -63,7 +63,8 @@ Once direnv is installed and your shell is restarted, clone the project and `cd`
 1. Set up your uswds files in the build directory `npx gulp copyAssets`
 1. Setup the database `rake db:create`, note that postgres must be running for this to work
 1. Boot the system, this will run the sass, esbuild, and uswds watchers along with the rails server
- 1. `./bin/dev`
+ 1. `./bin/dev`
+ 1. NOTE for login.gov environment: if you are not using direnv/nix to eval .envrc, you can run `source .env_login` in your terminal before starting the server or add the env vars in that file to your local environment directly.
 Now you can visit [`localhost:3000`](http://localhost:3000) from your browser.
diff --git a/config/application.rb b/config/application.rb
index 0f48164e..82ebc69d 100644
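Review bot: `.env_login` is tracked in git and sourced unconditionally by `.envrc`, so it must only ever carry non-secret values, and nothing in the file says so; the header comment should make that explicit, e.g. `# local dev env vars for login.gov (non-secret only; LOGIN_PRIVATE_KEY_PASSWORD and key paths go in an untracked file)`. The file is also committed without a trailing newline, which `source` tolerates but which turns the next appended line into a fused last line. The same concern applies to the `.envrc` hunk, where `source .env_login` will make direnv fail the whole environment if the file is ever moved or git-ignored; `[ -f .env_login ] && source .env_login` keeps the shell usable in that case.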
--- a/config/application.rb
+++ b/config/application.rb
@@ -28,5 +28,17 @@ class Application < Rails::Application
 # Use the Postgresql-specific syntax for DB dumps
 config.active_record.schema_format = :sql
+
+ # Shared login.gov config with ENV overrides
+ config.login_gov_oidc = {
+ idp_host: ENV.fetch("LOGIN_IDP_HOST", "https://idp.int.identitysandbox.gov"),
+ login_redirect_uri: ENV.fetch("LOGIN_REDIRECT_EVAL_URL"),
+ logout_redirect_uri: ENV.fetch("LOGOUT_REDIRECT_EVAL_URL"),
+ acr_value: "http://idmanagement.gov/ns/assurance/loa/1",
+ client_id: ENV.fetch("LOGIN_CLIENT_ID"), # determines the login.gov IdP application
+ private_key_password: ENV.fetch("LOGIN_PRIVATE_KEY_PASSWORD", nil), # optional
+ public_key_path: ENV.fetch("LOGIN_PUBLIC_KEY_PATH", "config/public.crt"),
+ private_key_path: ENV.fetch("LOGIN_PRIVATE_KEY_PATH", "config/private.pem"),
+ }
 end
 end
diff --git a/config/environments/development.rb b/config/environments/development.rb
index 4ffc19a7..a10ac8b1 100644
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -75,15 +75,4 @@
 # Raise error when a before_action's only/except options reference missing actions
 config.action_controller.raise_on_missing_callback_actions = true
-
- config.login_gov_oidc = {
- idp_host: "https://idp.int.identitysandbox.gov",
- login_redirect_uri: "http://localhost:3000/auth/result",
- logout_redirect_uri: "https://www.challenge.gov/",
- acr_value: "http://idmanagement.gov/ns/assurance/loa/1",
- client_id: "urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:challenge_gov_platform_dev",
- private_key_password: nil,
- private_key_path: "config/private.pem",
- public_key_path: "config/public.crt",
- }
 end
diff --git a/manifest.yml b/manifest.yml
index 98a99852..9ae01e7d 100644
--- a/manifest.yml
+++ b/manifest.yml
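Review bot: `idp_host` silently falls back to the login.gov sandbox (`https://idp.int.identitysandbox.gov`) when `LOGIN_IDP_HOST` is unset, while `client_id` and both redirect URIs are made mandatory with `ENV.fetch`; because this hash now lives in `config/application.rb` and is evaluated in every environment, a production deploy that omits the variable would authenticate users against the sandbox IdP instead of failing at boot. Give it the same fail-fast treatment, `idp_host: ENV.fetch("LOGIN_IDP_HOST"),`, and supply the sandbox value from `.env_login` and the manifest the way the other variables are. Moving the hash out of `development.rb` also means the test environment and any boot-time task (asset precompilation during staging, for instance) now need `LOGIN_CLIENT_ID`, `LOGIN_REDIRECT_EVAL_URL` and `LOGOUT_REDIRECT_EVAL_URL` set or `ENV.fetch` raises `KeyError`; presumably intended, but the `# Shared login.gov config` comment should name which variables are required versus defaulted. The default `private_key_path` of `config/private.pem` sits inside the repository tree, so confirm that path is git-ignored given that `.env_login` in the same commit is checked in. The `Application` class opens above the hunk.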
@@ -20,9 +20,9 @@ applications:
 RAILS_LOG_TO_STDOUT: true
 RAILS_SERVE_STATIC_FILES: true
 HOST: challenge-dev.app.cloud.gov
+ LOGIN_CLIENT_ID: urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:challenge_gov_portal_eval_dev
+ LOGIN_IDP_HOST: https://idp.int.identitysandbox.gov
 LOGIN_PRIVATE_KEY_PATH: dev_key.pem
 LOGIN_PUBLIC_KEY_PATH: dev_cert.pem
- LOGIN_REDIRECT_URL: https://challenge-portal-dev.app.cloud.gov/auth/result
- LOGIN_IDP_AUTHORIZE_URL: https://idp.int.identitysandbox.gov/openid_connect/authorize
- LOGIN_TOKEN_ENDPOINT: https://idp.int.identitysandbox.gov/api/openid_connect/token
- LOGIN_CLIENT_ID: urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:challenge_gov_portal_dev
+ LOGIN_REDIRECT_EVAL_URL: https://challenge-dev.app.cloud.gov/auth/result
+ LOGOUT_REDIRECT_EVAL_URL: https://challenge-dev.app.cloud.gov/
\ No newline at end of file
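Review bot: The new `LOGIN_REDIRECT_EVAL_URL` and `LOGOUT_REDIRECT_EVAL_URL` point at `challenge-dev.app.cloud.gov` while the removed `LOGIN_REDIRECT_URL` used `challenge-portal-dev.app.cloud.gov`, and the client id changes to `..._portal_eval_dev` at the same time; an OIDC IdP only accepts redirect URIs registered for that client, so both new URLs must be listed exactly on the `..._eval_dev` registration or sign-in will fail after deploy. Nothing in the manifest records that coupling; a comment above the two lines such as `# must match the redirect URIs registered for LOGIN_CLIENT_ID on the login.gov sandbox` would. The hunk also drops the file's trailing newline, as the `\ No newline at end of file` marker shows.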