Merge branch 'dev' of github.com:GSA/Challenge_platform into 22/user-…

…can-login-via-rails

* 'dev' of github.com:GSA/Challenge_platform:
  Update DEVCONFIG.md
  make CircleCI happier
  add login.gov certs and configuration

.env_login

@@ -0,0 +1,4 @@
+# local dev env vars for login.gov
+export LOGIN_CLIENT_ID=urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:challenge_gov_portal_eval_dev
+export LOGIN_REDIRECT_EVAL_URL=http://localhost:3000/auth/result
+export LOGOUT_REDIRECT_EVAL_URL=http://localhost:3000/

.envrc

@@ -4,3 +4,6 @@ use nix
 
 mkdir -p .nix-bundler
 export BUNDLE_PATH=./.nix-bundler
+
+# Login Env Vars
+source .env_login

.tool-versions

@@ -1,3 +1,3 @@
-ruby 3.2.4
-nodejs 20.15.1
-yarn 1.22.22
+ruby system
+nodejs system
+yarn system

DEVCONFIG.md

@@ -63,7 +63,10 @@ Once direnv is installed and your shell is restarted, clone the project and `cd`
 1. Set up your uswds files in the build directory `npx gulp copyAssets`
 1. Setup the database `rake db:create`, note that postgres must be running for this to work
 1. Boot the system, this will run the sass, esbuild, and uswds watchers along with the rails server
-   1. `./bin/dev`
+    ```
+    ./bin/dev
+    ```
+    > _NOTE for login.gov configuration_ -- if you are **not** using direnv/nix to eval `.envrc`, you can run `source .env_login` in your terminal before starting the server or add the env vars in that file to your local environment directly.
 
 Now you can visit [`localhost:3000`](http://localhost:3000) from your browser.
 

app/models/login_gov.rb

@@ -21,6 +21,7 @@ def initialize(msg, code:, body:)
   attr_reader :config
 
   def initialize(config = Rails.configuration.login_gov_oidc)
+    puts config.inspect
     @config = config.freeze.dup
   end
 

config/application.rb

@@ -28,5 +28,17 @@ class Application < Rails::Application
 
     # Use the Postgresql-specific syntax for DB dumps
     config.active_record.schema_format = :sql
+
+    # Shared login.gov config with ENV overrides
+    config.login_gov_oidc = {
+      idp_host: ENV.fetch("LOGIN_IDP_HOST", "https://idp.int.identitysandbox.gov"),
+      login_redirect_uri: ENV.fetch("LOGIN_REDIRECT_EVAL_URL", "https://challenge-dev.app.cloud.gov/auth/result"),
+      logout_redirect_uri: ENV.fetch("LOGOUT_REDIRECT_EVAL_URL", "https://challenge-dev.app.cloud.gov/"),
+      acr_value: "http://idmanagement.gov/ns/assurance/loa/1",
+      client_id: ENV.fetch("LOGIN_CLIENT_ID", "urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:_client_id"), # default fake ID for CI
+      private_key_password: ENV.fetch("LOGIN_PRIVATE_KEY_PASSWORD", nil), # optional
+      public_key_path: ENV.fetch("LOGIN_PUBLIC_KEY_PATH", "config/public.crt"),
+      private_key_path: ENV.fetch("LOGIN_PRIVATE_KEY_PATH", "config/private.pem"),
+    }
   end
 end

manifest.yml

@@ -20,9 +20,9 @@ applications:
     RAILS_LOG_TO_STDOUT: true
     RAILS_SERVE_STATIC_FILES: true
     HOST: challenge-dev.app.cloud.gov
+    LOGIN_CLIENT_ID: urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:challenge_gov_portal_eval_dev
+    LOGIN_IDP_HOST: https://idp.int.identitysandbox.gov
     LOGIN_PRIVATE_KEY_PATH: dev_key.pem
     LOGIN_PUBLIC_KEY_PATH: dev_cert.pem
-    LOGIN_REDIRECT_URL: https://challenge-portal-dev.app.cloud.gov/auth/result
-    LOGIN_IDP_AUTHORIZE_URL: https://idp.int.identitysandbox.gov/openid_connect/authorize
-    LOGIN_TOKEN_ENDPOINT: https://idp.int.identitysandbox.gov/api/openid_connect/token
-    LOGIN_CLIENT_ID: urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:challenge_gov_portal_dev
+    LOGIN_REDIRECT_EVAL_URL: https://challenge-dev.app.cloud.gov/auth/result
+    LOGOUT_REDIRECT_EVAL_URL: https://challenge-dev.app.cloud.gov/