From b05c337efe668ef18c9b3698dd275d58e2b6da63 Mon Sep 17 00:00:00 2001
From: Neil Martinsen-Burrell
Date: Wed, 1 Nov 2023 10:57:28 -0500
Subject: [PATCH 1/4] Configure a Login.gov production OIDC provider
---
 ops/manifests/manifest-stable.yaml | 2 ++
 src/registrar/config/settings.py | 22 ++++++++++++++++++++--
 2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/ops/manifests/manifest-stable.yaml b/ops/manifests/manifest-stable.yaml
index 6295fa63b4..a476523263 100644
--- a/ops/manifests/manifest-stable.yaml
+++ b/ops/manifests/manifest-stable.yaml
@@ -23,6 +23,8 @@ applications:
 DJANGO_LOG_LEVEL: INFO
 # default public site location
 GETGOV_PUBLIC_SITE_URL: https://beta.get.gov
+ # Which OIDC provider to use
+ OIDC_ACTIVE_PROVIDER: login.gov production
 routes:
 - route: getgov-stable.app.cloud.gov
 services:
diff --git a/src/registrar/config/settings.py b/src/registrar/config/settings.py
index 3e5734dccc..fd3642d728 100644
--- a/src/registrar/config/settings.py
+++ b/src/registrar/config/settings.py
@@ -49,6 +49,7 @@
 env_log_level = env.str("DJANGO_LOG_LEVEL", "DEBUG")
 env_base_url = env.str("DJANGO_BASE_URL")
 env_getgov_public_site_url = env.str("GETGOV_PUBLIC_SITE_URL", "")
+env_oidc_active_provider = env.str("OIDC_ACTIVE_PROVIDER", "identity sandbox")
 secret_login_key = b64decode(secret("DJANGO_SECRET_LOGIN_KEY", ""))
 secret_key = secret("DJANGO_SECRET_KEY")
@@ -482,11 +483,12 @@
 # which provider to use if multiple are available
 # (code does not currently support user selection)
-OIDC_ACTIVE_PROVIDER = "login.gov"
+# See above for the default value if the env variable is missing
+OIDC_ACTIVE_PROVIDER = env_oidc_active_provider
 OIDC_PROVIDERS = {
- "login.gov": {
+ "identity sandbox": {
 "srv_discovery_url": "https://idp.int.identitysandbox.gov",
 "behaviour": {
 # the 'code' workflow requires direct connectivity from us to Login.gov
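Review bot: `OIDC_ACTIVE_PROVIDER: login.gov production` is set explicitly only in this manifest; the staging manifest, which PATCH 4/4 also edits, does not appear to get a value in this series and so depends on the `"identity sandbox"` fallback in settings.py. For a setting that decides which identity provider the application trusts, an explicit value in every manifest is safer than an inherited default, so I would add `OIDC_ACTIVE_PROVIDER: identity sandbox` to manifest-staging.yaml as well. The comment above the key should also say that the value must match a key of `OIDC_PROVIDERS` in settings.py, since a plain scalar with a space (`login.gov production`) is easy to mistype and a mismatch is not caught at deploy time.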
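Review bot: The fallback in `env_oidc_active_provider = env.str("OIDC_ACTIVE_PROVIDER", "identity sandbox")` means a production deployment that forgets the variable silently authenticates against the test IdP instead of refusing to start. Since the stable manifest now sets the variable explicitly, consider making it required, `env_oidc_active_provider = env.str("OIDC_ACTIVE_PROVIDER")`, the same form `DJANGO_BASE_URL` uses on the line above, or at least validating it once `OIDC_PROVIDERS` is defined: `if OIDC_ACTIVE_PROVIDER not in OIDC_PROVIDERS: raise ImproperlyConfigured(f"unknown OIDC provider {OIDC_ACTIVE_PROVIDER!r}")` (`ImproperlyConfigured` comes from `django.core.exceptions`). Without such a check a typo in the manifest is presumably only discovered at the first login attempt, as a lookup failure somewhere in the OIDC layer outside this file.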
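Review bot: The new comment `# See above for the default value if the env variable is missing` sends the reader some 430 lines up to learn what the default is; state it where the setting is assigned instead, e.g. `# Key of OIDC_PROVIDERS to use; OIDC_ACTIVE_PROVIDER env var, defaults to "identity sandbox"`. The rename of the dict key from `"login.gov"` to `"identity sandbox"` is not visible to anything outside this file from here, so if any other module, fixture or stored session referenced the provider by its old name that would need checking separately.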
@@ -502,6 +504,22 @@
 "token_endpoint_auth_method": ["private_key_jwt"],
 "sp_private_key": secret_login_key,
 },
+ "login.gov production": {
+ "srv_discovery_url": "https://secure.login.gov",
+ "behaviour": {
+ # the 'code' workflow requires direct connectivity from us to Login.gov
+ "response_type": "code",
+ "scope": ["email", "profile:name", "phone"],
+ "user_info_request": ["email", "first_name", "last_name", "phone"],
+ "acr_value": "http://idmanagement.gov/ns/assurance/ial/2",
+ },
+ "client_registration": {
+ "client_id": "urn:gov:cisa:openidconnect.profiles:sp:sso:cisa:dotgov_registrar",
+ "redirect_uris": [f"{env_base_url}/openid/callback/login/"],
+ "post_logout_redirect_uris": [f"{env_base_url}/openid/callback/logout/"],
+ "token_endpoint_auth_method": ["private_key_jwt"],
+ "sp_private_key": secret_login_key,
+ },
 }
 }
From 14fd0b7baabc805e9437264b17e2cbf1ef49a551 Mon Sep 17 00:00:00 2001
From: Neil Martinsen-Burrell
Date: Wed, 1 Nov 2023 11:36:33 -0500
Subject: [PATCH 2/4] drive-by instances increase
---
 ops/manifests/manifest-stable.yaml | 2 +-
 src/registrar/config/settings.py | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/ops/manifests/manifest-stable.yaml b/ops/manifests/manifest-stable.yaml
index a476523263..e7b3c74ae6 100644
--- a/ops/manifests/manifest-stable.yaml
+++ b/ops/manifests/manifest-stable.yaml
@@ -4,7 +4,7 @@ applications:
 buildpacks:
 - python_buildpack
 path: ../../src
- instances: 1
+ instances: 2
 memory: 512M
 stack: cflinuxfs4
 timeout: 180
diff --git a/src/registrar/config/settings.py b/src/registrar/config/settings.py
index fd3642d728..6b4d597a89 100644
--- a/src/registrar/config/settings.py
+++ b/src/registrar/config/settings.py
@@ -504,6 +504,7 @@
 "token_endpoint_auth_method": ["private_key_jwt"],
 "sp_private_key": secret_login_key,
 },
+ },
 "login.gov production": {
 "srv_discovery_url": "https://secure.login.gov",
 "behaviour": {
From f55014b8a8bcc5e65ee399a6ad57f7581942037b Mon Sep 17 00:00:00 2001
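Review bot: Both provider entries use the same `"sp_private_key": secret_login_key`, so the key material registered with the sandbox IdP is also the production signing key for `private_key_jwt`; a key handled under test-environment controls then authenticates the service provider to production, and neither can be rotated independently. I would read a separate secret for the production entry, e.g. `secret_login_key_production = b64decode(secret("DJANGO_SECRET_LOGIN_KEY_PRODUCTION", ""))` next to the existing line (the variable name is a suggestion) and use `"sp_private_key": secret_login_key_production,` here. Separately, the new entry is inserted after the `},` that closes the sandbox entry's `client_registration`, so in this commit `"login.gov production"` sits inside the `"identity sandbox"` dict rather than beside it; PATCH 2/4 adds the missing `},`. The enclosing `OIDC_PROVIDERS` literal opens outside this hunk.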
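Review bot: Going from `instances: 1` to `instances: 2` means consecutive requests of one login flow can be served by different instances, so any per-process state (Django session, OIDC state/nonce) would not be found by the callback. Nothing in this series shows the session backend; please confirm sessions are stored in the shared database or cache before relying on two instances, and the same applies to the identical change to manifest-staging.yaml in PATCH 4/4. A one-line comment recording why two instances were chosen would also help, since the commit message ("drive-by") does not say.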
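Review bot: This structural fix is not mentioned anywhere in the commit: the added `},` is what turns `"login.gov production"` into a sibling of `"identity sandbox"` instead of a key nested inside it, repairing the dict shape from PATCH 1/4, yet it lands under the title "drive-by instances increase". For anyone later bisecting a misconfigured provider, the one-line fix deserves its own commit or at least a sentence in this message. The enclosing `OIDC_PROVIDERS` literal begins and ends outside the hunk.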
From: Neil Martinsen-Burrell
Date: Wed, 1 Nov 2023 13:19:36 -0500
Subject: [PATCH 3/4] fix linting error
---
 src/registrar/config/settings.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/registrar/config/settings.py b/src/registrar/config/settings.py
index 6b4d597a89..e0dedb60ce 100644
--- a/src/registrar/config/settings.py
+++ b/src/registrar/config/settings.py
@@ -371,8 +371,7 @@
 # each handler has its choice of format
 "formatters": {
 "verbose": {
- "format": "[%(asctime)s] %(levelname)s [%(name)s:%(lineno)s] "
- "%(message)s",
+ "format": "[%(asctime)s] %(levelname)s [%(name)s:%(lineno)s] %(message)s",
 "datefmt": "%d/%b/%Y %H:%M:%S",
 },
 "simple": {
@@ -515,13 +514,15 @@
 "acr_value": "http://idmanagement.gov/ns/assurance/ial/2",
 },
 "client_registration": {
- "client_id": "urn:gov:cisa:openidconnect.profiles:sp:sso:cisa:dotgov_registrar",
+ "client_id": (
+ "urn:gov:cisa:openidconnect.profiles:sp:sso:cisa:dotgov_registrar"
+ ),
 "redirect_uris": [f"{env_base_url}/openid/callback/login/"],
 "post_logout_redirect_uris": [f"{env_base_url}/openid/callback/logout/"],
 "token_endpoint_auth_method": ["private_key_jwt"],
 "sp_private_key": secret_login_key,
 },
- }
+ },
 }
 # endregion
From d57e48a090af69a56a1f3097e8f6f860fafde60a Mon Sep 17 00:00:00 2001
From: Neil Martinsen-Burrell
Date: Wed, 1 Nov 2023 13:28:52 -0500
Subject: [PATCH 4/4] Review feedback: use two instances on staging too
---
 ops/manifests/manifest-staging.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ops/manifests/manifest-staging.yaml b/ops/manifests/manifest-staging.yaml
index 3e80352bad..a1d09a5553 100644
--- a/ops/manifests/manifest-staging.yaml
+++ b/ops/manifests/manifest-staging.yaml
@@ -4,7 +4,7 @@ applications:
 buildpacks:
 - python_buildpack
 path: ../../src
- instances: 1
+ instances: 2
 memory: 512M
 stack: cflinuxfs4
 timeout: 180