[87] add login.gov certs and configuration

.env_login

@@ -0,0 +1,4 @@
+# local dev env vars for login.gov
+export LOGIN_CLIENT_ID=urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:challenge_gov_portal_eval_dev
+export LOGIN_REDIRECT_EVAL_URL=http://localhost:3000/auth/result
+export LOGOUT_REDIRECT_EVAL_URL=http://localhost:3000/

.envrc

@@ -4,3 +4,6 @@ use nix
 
 mkdir -p .nix-bundler
 export BUNDLE_PATH=./.nix-bundler
+
+# Login Env Vars
+source .env_login

DEVCONFIG.md

@@ -63,7 +63,10 @@ Once direnv is installed and your shell is restarted, clone the project and `cd`
 1. Set up your uswds files in the build directory `npx gulp copyAssets`
 1. Setup the database `rake db:create`, note that postgres must be running for this to work
 1. Boot the system, this will run the sass, esbuild, and uswds watchers along with the rails server
-   1. `./bin/dev`
+    ```
+    ./bin/dev
+    ```
+    > _NOTE for login.gov configuration_ -- if you are **not** using direnv/nix to eval `.envrc`, you can run `source .env_login` in your terminal before starting the server or add the env vars in that file to your local environment directly.
 
 Now you can visit [`localhost:3000`](http://localhost:3000) from your browser.
 

config/application.rb

@@ -28,5 +28,17 @@ class Application < Rails::Application
 
     # Use the Postgresql-specific syntax for DB dumps
     config.active_record.schema_format = :sql
+
+    # Shared login.gov config with ENV overrides
+    config.login_gov_oidc = {
+      idp_host: ENV.fetch("LOGIN_IDP_HOST", "https://idp.int.identitysandbox.gov"),
+      login_redirect_uri: ENV.fetch("LOGIN_REDIRECT_EVAL_URL", "https://challenge-dev.app.cloud.gov/auth/result"),
+      logout_redirect_uri: ENV.fetch("LOGOUT_REDIRECT_EVAL_URL", "https://challenge-dev.app.cloud.gov/"),
+      acr_value: "http://idmanagement.gov/ns/assurance/loa/1",
+      client_id: ENV.fetch("LOGIN_CLIENT_ID", "urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:_client_id"), # default fake ID for CI
+      private_key_password: ENV.fetch("LOGIN_PRIVATE_KEY_PASSWORD", nil), # optional
+      public_key_path: ENV.fetch("LOGIN_PUBLIC_KEY_PATH", "config/public.crt"),
+      private_key_path: ENV.fetch("LOGIN_PRIVATE_KEY_PATH", "config/private.pem"),
+    }
   end
 end

config/environments/development.rb

@@ -75,15 +75,4 @@
 
   # Raise error when a before_action's only/except options reference missing actions
   config.action_controller.raise_on_missing_callback_actions = true
-
-  config.login_gov_oidc = {
-    idp_host: "https://idp.int.identitysandbox.gov",
-    login_redirect_uri: "http://localhost:3000/auth/result",
-    logout_redirect_uri: "https://www.challenge.gov/",
-    acr_value: "http://idmanagement.gov/ns/assurance/loa/1",
-    client_id: "urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:challenge_gov_platform_dev",
-    private_key_password: nil,
-    private_key_path: "config/private.pem",
-    public_key_path: "config/public.crt",
-  }
 end

manifest.yml

@@ -20,9 +20,9 @@ applications:
     RAILS_LOG_TO_STDOUT: true
     RAILS_SERVE_STATIC_FILES: true
     HOST: challenge-dev.app.cloud.gov
+    LOGIN_CLIENT_ID: urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:challenge_gov_portal_eval_dev
+    LOGIN_IDP_HOST: https://idp.int.identitysandbox.gov
     LOGIN_PRIVATE_KEY_PATH: dev_key.pem
     LOGIN_PUBLIC_KEY_PATH: dev_cert.pem
-    LOGIN_REDIRECT_URL: https://challenge-portal-dev.app.cloud.gov/auth/result
-    LOGIN_IDP_AUTHORIZE_URL: https://idp.int.identitysandbox.gov/openid_connect/authorize
-    LOGIN_TOKEN_ENDPOINT: https://idp.int.identitysandbox.gov/api/openid_connect/token
-    LOGIN_CLIENT_ID: urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:challenge_gov_portal_dev
+    LOGIN_REDIRECT_EVAL_URL: https://challenge-dev.app.cloud.gov/auth/result
+    LOGOUT_REDIRECT_EVAL_URL: https://challenge-dev.app.cloud.gov/