From 67e34c4a2be2f5c1aecc28cd522dc7692d688e7b Mon Sep 17 00:00:00 2001 From: Michael Olund Date: Thu, 15 Oct 2020 10:19:31 -0700 Subject: [PATCH] DIV-1159 - Removing BCeID code and updating settings --- .env.example | 10 +- conf/keycloak/realm-export.json | 17 +- eDivorce.pyproj | 4 - edivorce/apps/core/decorators.py | 22 --- .../apps/core/middleware/bceid_middleware.py | 156 ------------------ edivorce/apps/core/templates/base.html | 8 +- .../apps/core/templates/localdev/bceid.html | 155 ----------------- .../core/templates/localdev/register.html | 17 -- edivorce/apps/core/urls.py | 3 +- edivorce/apps/core/views/localdev.py | 32 ---- edivorce/apps/core/views/main.py | 12 +- edivorce/apps/core/views/pdf.py | 3 +- edivorce/apps/poc/urls.py | 1 - edivorce/settings/base.py | 14 +- edivorce/settings/local.py | 15 +- edivorce/settings/openshift.py | 60 ++++--- 16 files changed, 86 insertions(+), 443 deletions(-) delete mode 100644 edivorce/apps/core/middleware/bceid_middleware.py delete mode 100644 edivorce/apps/core/templates/localdev/bceid.html delete mode 100644 edivorce/apps/core/templates/localdev/register.html delete mode 100644 edivorce/apps/core/views/localdev.py diff --git a/.env.example b/.env.example index 972f52a4..abf8fd72 100644 --- a/.env.example +++ b/.env.example @@ -29,11 +29,5 @@ EFILING_HUB_API_BASE_URL='' EFILING_BCEID= # Keycloak settings -OIDC_OP_JWKS_ENDPOINT= -OIDC_RP_CLIENT_ID= -OIDC_RP_CLIENT_SECRET= -OIDC_OP_AUTHORIZATION_ENDPOINT= -OIDC_OP_TOKEN_ENDPOINT= -OIDC_OP_USER_ENDPOINT= -LOGIN_REDIRECT_URL= -LOGOUT_REDIRECT_URL= +KEYCLOAK_CLIENT_ID= +KEYCLOAK_CLIENT_SECRET= diff --git a/conf/keycloak/realm-export.json b/conf/keycloak/realm-export.json index 7590f1de..2f9a8c8b 100644 --- a/conf/keycloak/realm-export.json +++ b/conf/keycloak/realm-export.json 
@@ -894,7 +894,22 @@ "claim.name": "email", "jsonType.label": "String" } - } + }, + { + "id": "0cad3a2d-36bd-4cf2-bbd7-39ce784916ad", + "name": "universal-id", + "protocol": "openid-connect", + "protocolMapper": "oidc-script-based-protocol-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "universal-id", + "jsonType.label": "String", + "script": "user.id.toUpperCase().replace(/-/g, '')" + } + } ] }, { diff --git a/eDivorce.pyproj b/eDivorce.pyproj index 5f9e15a7..8fbc8dd7 100644 --- a/eDivorce.pyproj +++ b/eDivorce.pyproj @@ -71,9 +71,7 @@ - - @@ -139,7 +137,6 @@ - @@ -179,7 +176,6 @@ - diff --git a/edivorce/apps/core/decorators.py b/edivorce/apps/core/decorators.py index 4f98f3ee..085d76b9 100644 --- a/edivorce/apps/core/decorators.py +++ b/edivorce/apps/core/decorators.py @@ -9,28 +9,6 @@ from edivorce.apps.core.utils.user_response import get_data_for_user, get_step_r base_url = settings.PROXY_BASE_URL + settings.FORCE_SCRIPT_NAME[:-1] -def bceid_required(function=None): - """ - View decorator to check if the user is logged in to BCEID - - This decorator has a dependency on bceid_middleware.py - """ - - def _dec(view_func): - def _view(request, *args, **kwargs): - if not request.user.is_authenticated: - return redirect(base_url + '/login') - return view_func(request, *args, **kwargs) - - _view.__name__ = view_func.__name__ - _view.__dict__ = view_func.__dict__ - _view.__doc__ = view_func.__doc__ - - return _view - - return _dec if function is None else _dec(function) - - def intercept(function=None): """ Decorator to redirect to intercept page diff --git a/edivorce/apps/core/middleware/bceid_middleware.py b/edivorce/apps/core/middleware/bceid_middleware.py deleted file mode 100644 index 4aae044c..00000000 --- a/edivorce/apps/core/middleware/bceid_middleware.py +++ /dev/null 
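Review bot: The new `universal-id` mapper is an `oidc-script-based-protocol-mapper` with an inline `script`, and as far as I recall Keycloak only accepts script mappers on realm import when its deprecated, default-off upload-scripts feature is switched on, so a stock server will reject or silently drop this mapper and the `universal-id` claim will never be issued. Nothing in the export records that requirement; a line in the keycloak conf README or the container start-up command naming the feature flag would stop the next import from failing quietly. If the claim only needs a stable user identifier, a built-in `oidc-usermodel-property-mapper` on the user `id` avoids the script feature entirely, with the uppercase/dash-stripping done on the consuming side instead.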
@@ -1,156 +0,0 @@ -import datetime -from ipaddress import ip_address, ip_network - -from django.conf import settings -from django.shortcuts import redirect -from django.utils import timezone -from django.utils.deprecation import MiddlewareMixin - -from ..models import BceidUser - -login_delta = datetime.timedelta(hours=2) - - -class AnonymousUser: - """ - Anonymous user, present mainly to provide authentication checks in templates - """ - - guid = None - display_name = '' - has_accepted_terms = False - - @property - def is_authenticated(self): - return False - - @property - def is_anonymous(self): - return True - - -anonymous_user = AnonymousUser() - - -class BceidMiddleware(MiddlewareMixin): # pylint: disable=too-few-public-methods - """ - Simple authentication middleware for operating in the BC Government - OpenShift environment, with SiteMinder integration. - - For our purposes, SiteMinder is configured to add the following headers: - - BCeID: - - SMGOV_USERGUID - - SMGOV_USERDISPLAYNAME - - SM_USER - - BC Services Card: - - SMGOV_USERGUID - - SMGOV_GIVENNAMES - - SMGOV_SURNAME - - SM_USER - - The first two are provided on pages configured to be protected by - SiteMinder, which is currently just /login. When a user goes to the login - page, if the user is logged in, SiteMinder adds those headers with their - BCeID values; if they're not logged in, it routes them through its - login/signup page and then back to the login page, with those headers in - place. For unprotected pages, those headers are stripped if present, - preventing spoofing. - - The third header is populated on every request that's proxied through - SiteMinder. For logged in users, it contains their ???; for anonymous - users, it's empty. - - When we detect authentication by the presence of the first two headers, we - store those values in the user's session. On all requests, we use them to - access a local proxy object for the user (available as request.user). 
For - users that are not logged in, an Anonymous User substitute is present. - - In a local development environment, we generate a guid based on the login - name and treat that guid/login name as guid/display name. - """ - - def process_request(self, request): # pylint: disable=too-many-branches - """ - Return None after populating request.user, or necessary redirects. - - If the request is not coming from inside the BC Government data centre, - redirect the request through the proxy server. - - If the SiteMinder headers are present, indicating the user has just - authenticated, save those headers to the session. - - Get the user's GUID and display name. If they're present, and the user - has authenticated (or we're in a local development environment), add - the local proxy user to the request; if not, store the anonymous user - instance. - """ - - # HTTP_SM_USER is available on both secure and unsecure pages. If it - # has a value then we know that the user is still logged into BCeID. - # This is an additional check to make sure we aren't letting users - # access the site via their session variables after logging out of bceid - # - # Note: It's still possible that a user has logged out of one BCeID and - # logged into another BCeID via www.bceid.ca without clicking the logout - # link on our app or closing the browser. This is an extreme edge case, - # and it's not pragmatic to code against it at this time. - siteminder_user = request.META.get('HTTP_SM_USER', '') - is_localdev = settings.DEPLOYMENT_TYPE in ['localdev', 'minishift'] - update_user = False - using_bc_services_card = False - - guid = request.META.get('HTTP_SMGOV_USERGUID', '') - given_names = request.META.get('HTTP_SMGOV_GIVENNAMES', '') - surname = request.META.get('HTTP_SMGOV_SURNAME', '') - displayname = request.META.get('HTTP_SMGOV_USERDISPLAYNAME', '') - - # HTTP_SMGOV_USERDISPLAYNAME is not included when BC Services Card authentication is used. 
- if not displayname and (surname or given_names): - displayname = "{0} {1}".format(given_names, surname) - using_bc_services_card = True - - # HTTP_SM_USER is typically '.' when BC Services Card authentication is used. - if (not siteminder_user or siteminder_user == '.') and given_names and surname: - siteminder_user = "{0}{1}".format(given_names.split(None, 1)[0], surname) - - if guid: - request.session['smgov_userguid'] = guid - else: - guid = request.session.get('smgov_userguid') - - if displayname: - request.session['smgov_userdisplayname'] = displayname - else: - displayname = request.session.get('smgov_userdisplayname') - - if is_localdev: - guid = request.session.get('fake_bceid_guid') - displayname = request.session.get('login_name') - - if guid and (siteminder_user or is_localdev): - request.user, created = BceidUser.objects.get_or_create(user_guid=guid) - if created: - request.session['first_login'] = True - if siteminder_user: - if created or not request.user.sm_user: - request.user.sm_user = siteminder_user - update_user = True - if request.user.is_bcsc != using_bc_services_card: - request.user.is_bcsc = using_bc_services_card - update_user = True - if request.user.display_name != displayname: - request.user.display_name = displayname - update_user = True - if (request.user.last_login is None or - timezone.now() - request.user.last_login > login_delta): - request.user.last_login = timezone.now() - update_user = True - - if update_user: - request.user.save() - else: - request.user = anonymous_user - - return None diff --git a/edivorce/apps/core/templates/base.html b/edivorce/apps/core/templates/base.html index 351ac03d..089ee643 100644 --- a/edivorce/apps/core/templates/base.html +++ b/edivorce/apps/core/templates/base.html @@ -13,10 +13,10 @@ {% compress css %} - - - - + + + + {% endcompress %} {% block extra_css %} {% endblock %} 
diff --git a/edivorce/apps/core/templates/localdev/bceid.html b/edivorce/apps/core/templates/localdev/bceid.html deleted file mode 100644 index 77bb2222..00000000 --- a/edivorce/apps/core/templates/localdev/bceid.html +++ /dev/null @@ -1,155 +0,0 @@ - - - - Government of British Columbia - - - - - - - CLP - - - - - - - - - - - - - - - - - - - - - -
-
-
-
-
FAKE BCeID LOGIN – FOR SOFTWARE DEVELOPMENT PURPOSES ONLY
-
-
- -
-
-
- -
-
-
- - -
- -
-
-
-
-

Access to or unauthorized use of data on this computer system by any person other than the authorized - employee(s) or owner(s) of an account is strictly prohibited and may result in legal action against - such person.

-
-
-
-
-
- -
-
-
- - - - - - - - - - - - - - - - diff --git a/edivorce/apps/core/templates/localdev/register.html b/edivorce/apps/core/templates/localdev/register.html deleted file mode 100644 index 53128795..00000000 --- a/edivorce/apps/core/templates/localdev/register.html +++ /dev/null @@ -1,17 +0,0 @@ - - - Register - - - - -

localdev registration is not implemented

- -

Enter any user id with the password divorce to - simulate a login in your localdev envirommnent.

- -Goto Login - - - - \ No newline at end of file diff --git a/edivorce/apps/core/urls.py b/edivorce/apps/core/urls.py index 8a3845c5..83cb7979 100644 --- a/edivorce/apps/core/urls.py +++ b/edivorce/apps/core/urls.py @@ -1,7 +1,7 @@ from django.conf.urls import url from django.urls import path -from .views import main, system, pdf, api, localdev +from .views import main, system, pdf, api urlpatterns = [ # url(r'^guide$', styleguide.guide), @@ -16,7 +16,6 @@ urlpatterns = [ # url(r'^login/headers$', system.headers), url(r'^login$', main.login, name="login"), - url(r'^bceid$', localdev.bceid, name="bceid"), url(r'^register$', main.register, name="register"), url(r'^register_sc$', main.register_sc, name="register_sc"), url(r'^logout$', main.logout, name="logout"), diff --git a/edivorce/apps/core/views/localdev.py b/edivorce/apps/core/views/localdev.py deleted file mode 100644 index 86cd7193..00000000 --- a/edivorce/apps/core/views/localdev.py +++ /dev/null 
@@ -1,32 +0,0 @@ -import uuid -import binascii -from encodings.utf_8 import decode -from django.conf import settings -from django.shortcuts import render, redirect -from django.views.decorators.csrf import csrf_exempt - - -@csrf_exempt -def bceid(request): - """ fake bceid login for developer workstation environment """ - if request.method == "POST": - login_name = request.POST.get('user', '') - password = request.POST.get('password', '') - - # just in case anyone from the general public discovers the dev server - # make sure they don't accidentally login and think this is production - if password.lower() != 'divorce': - return redirect(settings.PROXY_BASE_URL + settings.FORCE_SCRIPT_NAME[:-1] + '/bceid') - - # convert the login name to a guid - hex_name = decode(binascii.hexlify(str.encode(login_name)))[0] - fake_guid = hex_name.rjust(32, '0') - - # save the guid in a session variable - request.session['login_name'] = login_name - request.session['fake_bceid_guid'] = fake_guid - - return redirect(settings.PROXY_BASE_URL + settings.FORCE_SCRIPT_NAME[:-1] + '/login') - - else: - return render(request, 'localdev/bceid.html') diff --git a/edivorce/apps/core/views/main.py b/edivorce/apps/core/views/main.py index 55ecce51..81da38e7 100644 --- a/edivorce/apps/core/views/main.py +++ b/edivorce/apps/core/views/main.py @@ -7,7 +7,7 @@ from django.utils import timezone from django.contrib.auth.decorators import login_required from edivorce.apps.core.utils.derived import get_derived_data -from ..decorators import bceid_required, intercept, prequal_completed +from ..decorators import intercept, prequal_completed from ..utils.cso_filing import file_documents from ..utils.question_step_mapping import list_of_registries from ..utils.step_completeness import get_error_dict, get_missed_question_keys, get_step_completeness, is_complete, get_formatted_incomplete_list 
@@ -72,7 +72,7 @@ def success(request): if request.user.is_authenticated: return redirect(reverse('overview')) else: - return render(request, 'success.html', context={'register_url': settings.REGISTER_URL,'register_sc_url': settings.REGISTER_SC_URL}) + return render(request, 'success.html', context={'register_url': settings.REGISTER_BCEID_URL,'register_sc_url': settings.REGISTER_BCSC_URL}) return redirect(reverse('incomplete')) @@ -103,7 +103,7 @@ def register(request): return render(request, 'localdev/register.html') request.session['went_to_register'] = True - return redirect(settings.REGISTER_URL) + return redirect(settings.REGISTER_BCEID_URL) def register_sc(request): """ @@ -113,7 +113,7 @@ def register_sc(request): return render(request, 'localdev/register.html') request.session['went_to_register'] = True - return redirect(settings.REGISTER_SC_URL) + return redirect(settings.REGISTER_BCSC_URL) def login(request): """ @@ -219,7 +219,7 @@ def submit_initial_files(request): return _submit_files(request, initial=True) -@bceid_required +@login_required @prequal_completed def submit_final_files(request): return _submit_files(request, initial=False) @@ -238,7 +238,7 @@ def _submit_files(request, initial=False): return redirect(reverse('dashboard_nav', kwargs={'nav_step': nav_step}), context=responses_dict) -@bceid_required +@login_required @prequal_completed def question(request, step, sub_step=None): """ diff --git a/edivorce/apps/core/views/pdf.py b/edivorce/apps/core/views/pdf.py index ec90ae3e..0fc3bb07 100644 --- a/edivorce/apps/core/views/pdf.py +++ b/edivorce/apps/core/views/pdf.py @@ -9,7 +9,6 @@ from django.contrib.auth.decorators import login_required import requests -from ..decorators import bceid_required from ..models import Document from ..utils.derived import get_derived_data from ..utils.user_response import get_data_for_user 
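Review bot: `register()` still does `return render(request, 'localdev/register.html')` on the context line just above the changed redirect, but this commit deletes `edivorce/apps/core/templates/localdev/register.html`, so that branch now raises `TemplateDoesNotExist` in localdev; the guard in front of it is outside the hunk. Either the template has to survive the deletion or the branch should go — with Keycloak running locally, `return redirect(settings.LOGIN_URL)` (the `oidc_authentication_init` route base.py sets) looks like the intended localdev behaviour, though that needs confirming. The `register_sc` hunk that follows has the same dangling render.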
@@ -112,7 +111,7 @@ def __add_claimant_info(responses, claimant):
 return responses
-@bceid_required
+@login_required
 def images_to_pdf(request, doc_type, party_code):
 documents = Document.objects.filter(
 bceid_user=request.user, doc_type=doc_type, party_code=party_code)
diff --git a/edivorce/apps/poc/urls.py b/edivorce/apps/poc/urls.py
index 88e1bf30..ae508eac 100644
--- a/edivorce/apps/poc/urls.py
+++ b/edivorce/apps/poc/urls.py
@@ -2,7 +2,6 @@ from django.conf.urls import url
 from django.contrib.auth.decorators import login_required
 from edivorce.apps.poc import views
-from ..core.decorators import bceid_required
 urlpatterns = [
 url(r'scan', login_required(views.UploadScan.as_view()), name="poc-scan"),
diff --git a/edivorce/settings/base.py b/edivorce/settings/base.py
index 5defb450..145d00c0 100644
--- a/edivorce/settings/base.py
+++ b/edivorce/settings/base.py
@@ -203,13 +203,7 @@ EFILING_BCEID = env.dict('EFILING_BCEID', '', subcast=str)
 LOGIN_URL = reverse_lazy('oidc_authentication_init')
 OIDC_RP_SIGN_ALGO = 'RS256'
 OIDC_RP_SCOPES = 'openid email profile'
-OIDC_AUTH_REQUEST_EXTRA_PARAMS = {'kc_idp_hint': 'bceid'} # this is needed to bypass the Keycloak login screen
-# OIDC_CREATE_USER = False
-OIDC_OP_JWKS_ENDPOINT = env('OIDC_OP_JWKS_ENDPOINT', '')
-OIDC_RP_CLIENT_ID = env('OIDC_RP_CLIENT_ID', '')
-OIDC_RP_CLIENT_SECRET = env('OIDC_RP_CLIENT_SECRET', '')
-OIDC_OP_AUTHORIZATION_ENDPOINT = env('OIDC_OP_AUTHORIZATION_ENDPOINT', '')
-OIDC_OP_TOKEN_ENDPOINT = env('OIDC_OP_TOKEN_ENDPOINT', '')
-OIDC_OP_USER_ENDPOINT = env('OIDC_OP_USER_ENDPOINT', '')
-LOGIN_REDIRECT_URL = env('LOGIN_REDIRECT_URL', '/overview')
-LOGOUT_REDIRECT_URL = env('LOGOUT_REDIRECT_URL', '/')
+# this is needed to bypass the Keycloak login screen
+OIDC_AUTH_REQUEST_EXTRA_PARAMS = {'kc_idp_hint': 'bceid'}
+OIDC_RP_CLIENT_ID = env('KEYCLOAK_CLIENT_ID', '')
+OIDC_RP_CLIENT_SECRET = env('KEYCLOAK_CLIENT_SECRET', '')
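Review bot: `OIDC_RP_CLIENT_SECRET = env('KEYCLOAK_CLIENT_SECRET', '')` defaults a confidential client's secret to the empty string, so a pod missing the variable starts cleanly and only fails later at the token exchange, with an error that points at Keycloak rather than at the deployment config; dropping the default (`env('KEYCLOAK_CLIENT_SECRET')`, which raises when unset) or checking it is non-empty outside localdev would fail fast and visibly. The same hunk keeps `OIDC_AUTH_REQUEST_EXTRA_PARAMS = {'kc_idp_hint': 'bceid'}` while openshift.py now points `REGISTER_BCSC_URL` back at `/divorce/oidc/authenticate`; if BC Services Card users return through that route, the fixed hint steers them to the BCeID identity provider, which is worth confirming against the realm's IdP configuration.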
diff --git a/edivorce/settings/local.py b/edivorce/settings/local.py index 7eb8b98d..9dcc7539 100644 --- a/edivorce/settings/local.py +++ b/edivorce/settings/local.py @@ -21,16 +21,14 @@ WEASYPRINT_IMAGE_LOOPBACK = 'http://host.docker.internal:8000' WEASYPRINT_CSS_LOOPBACK = WEASYPRINT_IMAGE_LOOPBACK DEPLOYMENT_TYPE = 'localdev' -REGISTER_URL = '#' -REGISTER_SC_URL ='#' +REGISTER_BCEID_URL = '#' +REGISTER_BCSC_URL = '#' PROXY_BASE_URL = '' SASS_PROCESSOR_ENABLED = True SASS_PROCESSOR_ROOT = PROJECT_ROOT + '/edivorce/apps/core/static' SASS_OUTPUT_STYLE = 'compressed' CORS_ORIGIN_ALLOW_ALL = True -LOGOUT_URL = '/accounts/logout/' - # CLAMAV settings CLAMAV_ENABLED = env.bool('CLAMAV_ENABLED', True) CLAMAV_TCP_PORT = env.int('CLAMAV_TCP_PORT', 3310) @@ -41,3 +39,12 @@ REDIS_HOST = env('REDIS_HOST', 'localhost') REDIS_PORT = env.int('REDIS_PORT', 6379) REDIS_DB = env('REDIS_DB', '') REDIS_PASSWORD = env('REDIS_PASSWORD', '') + +# Keycloak OpenID Connect settings +# Provided by mozilla-django-oidc +OIDC_OP_JWKS_ENDPOINT = 'http://localhost:8081/auth/realms/justice/protocol/openid-connect/certs' +OIDC_OP_AUTHORIZATION_ENDPOINT = 'http://localhost:8081/auth/realms/justice/protocol/openid-connect/auth' +OIDC_OP_TOKEN_ENDPOINT = 'http://localhost:8081/auth/realms/justice/protocol/openid-connect/token' +OIDC_OP_USER_ENDPOINT = 'http://localhost:8081/auth/realms/justice/protocol/openid-connect/userinfo' +LOGIN_REDIRECT_URL = '/overview' +LOGOUT_REDIRECT_URL = '/' diff --git a/edivorce/settings/openshift.py b/edivorce/settings/openshift.py index 84e9db7d..9ba297fb 100644 --- a/edivorce/settings/openshift.py +++ b/edivorce/settings/openshift.py @@ -1,5 +1,6 @@ from .base import * + def openshift_db_config(): ''' Database config based on the django-ex openshift sample application 
@@ -45,42 +46,59 @@ COMPRESS_OFFLINE = True # # See nginx-proxy/conf.d/server.conf for related settings # -DEPLOYMENT_TYPE = os.getenv('ENVIRONMENT_TYPE') +DEPLOYMENT_TYPE = env('ENVIRONMENT_TYPE', 'unittest') PROXY_URL_PREFIX = '' PROXY_BASE_URL = os.getenv('PROXY_BASE_URL', 'https://justice.gov.bc.ca') +if DEPLOYMENT_TYPE in ['dev', 'unittest']: + DEBUG = True + # Keycloak OpenID Connect settings + OIDC_OP_JWKS_ENDPOINT = 'https://sso-dev.pathfinder.gov.bc.ca/auth/realms/tz0e228w/protocol/openid-connect/certs' + OIDC_OP_AUTHORIZATION_ENDPOINT = 'https://sso-dev.pathfinder.gov.bc.ca/auth/realms/tz0e228w/protocol/openid-connect/auth' + OIDC_OP_TOKEN_ENDPOINT = 'https://sso-dev.pathfinder.gov.bc.ca/auth/realms/tz0e228w/protocol/openid-connect/token' + OIDC_OP_USER_ENDPOINT = 'https://sso-dev.pathfinder.gov.bc.ca/auth/realms/tz0e228w/protocol/openid-connect/userinfo' + OIDC_RP_CLIENT_ID = 'demo-app' + if DEPLOYMENT_TYPE == 'dev': PROXY_URL_PREFIX = os.getenv('PROXY_URL_PREFIX', '/divorce') - DEBUG = True CSRF_COOKIE_AGE = None SESSION_COOKIE_AGE = 3600 - REGISTER_URL = 'https://www.test.bceid.ca/directories/bluepages/details.aspx?serviceID=5522' - REGISTER_SC_URL = 'https://logontest7.gov.bc.ca/clp-cgi/fed/fedLaunch.cgi?partner=fed38&partnerList=fed38&flags=0001:0,7&TARGET=http://dev.justice.gov.bc.ca/divorce/login' - LOGOUT_URL_TEMPLATE = 'https://logontest7.gov.bc.ca/clp-cgi/logoff.cgi?returl=%s%s&retnow=1' - LOGOUT_URL = LOGOUT_URL_TEMPLATE % (PROXY_BASE_URL, PROXY_URL_PREFIX) + REGISTER_BCEID_URL = 'https://www.test.bceid.ca/directories/bluepages/details.aspx?serviceID=5522' + REGISTER_BCSC_URL = 'https://logontest7.gov.bc.ca/clp-cgi/fed/fedLaunch.cgi?partner=fed38&partnerList=fed38&flags=0001:0,7&TARGET=http://dev.justice.gov.bc.ca/divorce/oidc/authenticate' if DEPLOYMENT_TYPE == 'test': PROXY_URL_PREFIX = os.getenv('PROXY_URL_PREFIX', '/divorce') - REGISTER_URL = 'https://www.test.bceid.ca/directories/bluepages/details.aspx?serviceID=5521' - REGISTER_SC_URL = 
'https://logontest7.gov.bc.ca/clp-cgi/fed/fedLaunch.cgi?partner=fed38&partnerList=fed38&flags=0001:0,7&TARGET=http://test.justice.gov.bc.ca/divorce/login' - LOGOUT_URL_TEMPLATE = 'https://logontest7.gov.bc.ca/clp-cgi/logoff.cgi?returl=%s%s&retnow=1' - LOGOUT_URL = LOGOUT_URL_TEMPLATE % (PROXY_BASE_URL, PROXY_URL_PREFIX) + REGISTER_BCEID_URL = 'https://www.test.bceid.ca/directories/bluepages/details.aspx?serviceID=5521' + REGISTER_BCSC_URL = 'https://logontest7.gov.bc.ca/clp-cgi/fed/fedLaunch.cgi?partner=fed38&partnerList=fed38&flags=0001:0,7&TARGET=http://test.justice.gov.bc.ca/divorce/oidc/authenticate' + # Keycloak OpenID Connect settings + OIDC_OP_JWKS_ENDPOINT = 'https://sso-test.pathfinder.gov.bc.ca/auth/realms/tz0e228w/protocol/openid-connect/certs' + OIDC_OP_AUTHORIZATION_ENDPOINT = 'https://sso-test.pathfinder.gov.bc.ca/auth/realms/tz0e228w/protocol/openid-connect/auth' + OIDC_OP_TOKEN_ENDPOINT = 'https://sso-test.pathfinder.gov.bc.ca/auth/realms/tz0e228w/protocol/openid-connect/token' + OIDC_OP_USER_ENDPOINT = 'https://sso-test.pathfinder.gov.bc.ca/auth/realms/tz0e228w/protocol/openid-connect/userinfo' if DEPLOYMENT_TYPE == 'prod': PROXY_URL_PREFIX = os.getenv('PROXY_URL_PREFIX', '/divorce') - REGISTER_URL = 'https://www.bceid.ca/directories/bluepages/details.aspx?serviceID=5203' - REGISTER_SC_URL = 'https://logon7.gov.bc.ca/clp-cgi/fed/fedLaunch.cgi?partner=fed49&partnerList=fed49&flags=0001:0,8&TARGET=http://justice.gov.bc.ca/divorce/login' - LOGOUT_URL_TEMPLATE = 'https://logon7.gov.bc.ca/clp-cgi/logoff.cgi?returl=%s%s&retnow=1' - LOGOUT_URL = LOGOUT_URL_TEMPLATE % (PROXY_BASE_URL, PROXY_URL_PREFIX) + REGISTER_BCEID_URL = 'https://www.bceid.ca/directories/bluepages/details.aspx?serviceID=5203' + REGISTER_BCSC_URL = 'https://logon7.gov.bc.ca/clp-cgi/fed/fedLaunch.cgi?partner=fed49&partnerList=fed49&flags=0001:0,8&TARGET=http://justice.gov.bc.ca/divorce/oidc/authenticate' + # Keycloak OpenID Connect settings + OIDC_OP_JWKS_ENDPOINT = 
'https://sso.pathfinder.gov.bc.ca/auth/realms/tz0e228w/protocol/openid-connect/certs' + OIDC_OP_AUTHORIZATION_ENDPOINT = 'https://sso.pathfinder.gov.bc.ca/auth/realms/tz0e228w/protocol/openid-connect/auth' + OIDC_OP_TOKEN_ENDPOINT = 'https://sso.pathfinder.gov.bc.ca/auth/realms/tz0e228w/protocol/openid-connect/token' + OIDC_OP_USER_ENDPOINT = 'https://sso.pathfinder.gov.bc.ca/auth/realms/tz0e228w/protocol/openid-connect/userinfo' # Google Tag Manager (Production) GTM_ID = 'GTM-W4Z2SPS' if DEPLOYMENT_TYPE == 'minishift': DEBUG = True - REGISTER_URL = '#' - REGISTER_SC_URL ='#' + REGISTER_BCEID_URL = '#' + REGISTER_BCSC_URL = '#' PROXY_BASE_URL = '' + # Keycloak OpenID Connect settings + OIDC_OP_JWKS_ENDPOINT = 'http://localhost:8081/auth/realms/justice/protocol/openid-connect/certs' + OIDC_OP_AUTHORIZATION_ENDPOINT = 'http://localhost:8081/auth/realms/justice/protocol/openid-connect/auth' + OIDC_OP_TOKEN_ENDPOINT = 'http://localhost:8081/auth/realms/justice/protocol/openid-connect/token' + OIDC_OP_USER_ENDPOINT = 'http://localhost:8081/auth/realms/justice/protocol/openid-connect/userinfo' # Internal Relative Urls FORCE_SCRIPT_NAME = PROXY_URL_PREFIX + '/' @@ -101,8 +119,8 @@ SESSION_EXPIRE_AT_BROWSER_CLOSE = True if DEPLOYMENT_TYPE != 'minishift': SESSION_COOKIE_PATH = PROXY_URL_PREFIX - SESSION_COOKIE_SECURE=True - CSRF_COOKIE_SECURE=True + SESSION_COOKIE_SECURE = True + CSRF_COOKIE_SECURE = True # CLAMAV settings CLAMAV_ENABLED = True @@ -113,4 +131,8 @@ CLAMAV_TCP_ADDR = os.getenv('CLAMAV_TCP_ADDR', 'clamav') REDIS_HOST = os.getenv('REDIS_HOST', 'redis') REDIS_PORT = 6379 REDIS_DB = '' -REDIS_PASSWORD = os.getenv('REDIS_PASSWORD', '') \ No newline at end of file +REDIS_PASSWORD = os.getenv('REDIS_PASSWORD', '') + +# Keycloak OpenID Connect settings +LOGIN_REDIRECT_URL = PROXY_URL_PREFIX + '/overview' +LOGOUT_REDIRECT_URL = PROXY_URL_PREFIX
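Review bot: `DEPLOYMENT_TYPE = env('ENVIRONMENT_TYPE', 'unittest')` changes the fallback for an unset `ENVIRONMENT_TYPE` from `None` to a value that the new `if DEPLOYMENT_TYPE in ['dev', 'unittest']:` branch treats as a debug environment, so a deployed pod that loses that variable now comes up with `DEBUG = True`, the sso-dev endpoints and the hard-coded `OIDC_RP_CLIENT_ID = 'demo-app'` instead of failing, where the old `os.getenv` default left the misconfiguration visible. Supplying `'unittest'` only from the test runner, or keeping `DEBUG = True` tied to `DEPLOYMENT_TYPE == 'dev'` with a separate explicit unittest check, avoids that. Separately, the `'demo-app'` literal silently overrides the `KEYCLOAK_CLIENT_ID` value base.py reads from the environment; a comment such as `# dev/unittest use the demo-app client; KEYCLOAK_CLIENT_ID is ignored here` would at least make that deliberate. Any `ENVIRONMENT_TYPE` outside the four branches now leaves every `OIDC_OP_*` endpoint undefined, since base.py no longer sets them, so an `else:` that raises at the end of the chain would surface a typo at start-up rather than on the first login.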
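Review bot: `LOGOUT_REDIRECT_URL = PROXY_URL_PREFIX` evaluates to the empty string in the minishift branch, where `PROXY_URL_PREFIX` keeps its initial `''`, while local.py uses `'/'` for the same setting; `LOGOUT_REDIRECT_URL = PROXY_URL_PREFIX or '/'` keeps the prefix for dev/test/prod and still gives minishift a usable post-logout target. This is the file's trailing hunk, and the value is presumably what mozilla-django-oidc sends the browser to after logout, so an empty string is a visible defect there.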