cleanup

.github/workflows/deploy-demo.yml

@@ -54,6 +54,7 @@ jobs:
           ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }}
           NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }}
           NR_BROWSER_KEY: ${{ secrets.NR_BROWSER_KEY }}
+          LOGIN_PEM: ${{ secrets.LOGIN_PEM }}
         with:
           cf_username: ${{ secrets.CLOUDGOV_USERNAME }}
           cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
@@ -67,6 +68,7 @@ jobs:
             --var ADMIN_CLIENT_SECRET="$ADMIN_CLIENT_SECRET"
             --var NEW_RELIC_LICENSE_KEY="$NEW_RELIC_LICENSE_KEY"
             --var NR_BROWSER_KEY="$NR_BROWSER_KEY"
+            --var LOGIN_PEM="$LOGIN_PEM"
 
       - name: Check for changes to egress config
         id: changed-egress-config

.github/workflows/deploy-prod.yml

@@ -54,6 +54,8 @@ jobs:
           ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }}
           NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }}
           NR_BROWSER_KEY: ${{ secrets.NR_BROWSER_KEY }}
+          LOGIN_PEM: ${{ secrets.LOGIN_PEM }}
+          
         with:
           cf_username: ${{ secrets.CLOUDGOV_USERNAME }}
           cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
@@ -67,6 +69,7 @@ jobs:
             --var ADMIN_CLIENT_SECRET="$ADMIN_CLIENT_SECRET"
             --var NEW_RELIC_LICENSE_KEY="$NEW_RELIC_LICENSE_KEY"
             --var NR_BROWSER_KEY="$NR_BROWSER_KEY"
+            --var LOGIN_PEM="$LOGIN_PEM"
 
       - name: Check for changes to egress config
         id: changed-egress-config

.github/workflows/deploy.yml

@@ -59,6 +59,7 @@ jobs:
           ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }}
           NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }}
           NR_BROWSER_KEY: ${{ secrets.NR_BROWSER_KEY }}
+          LOGIN_PEM: ${{ secrets.LOGIN_PEM }}
         with:
           cf_username: ${{ secrets.CLOUDGOV_USERNAME }}
           cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
@@ -72,6 +73,7 @@ jobs:
             --var ADMIN_CLIENT_SECRET="$ADMIN_CLIENT_SECRET"
             --var NEW_RELIC_LICENSE_KEY="$NEW_RELIC_LICENSE_KEY"
             --var NR_BROWSER_KEY="$NR_BROWSER_KEY"
+            --var LOGIN_PEM="$LOGIN_PEM"
 
       - name: Check for changes to egress config
         id: changed-egress-config

app/main/views/sign_in.py

@@ -25,16 +25,12 @@ from app.models.user import InvitedUser, User
 from app.utils import hide_from_search_engines
 from app.utils.login import is_safe_redirect_url
 
-# This is the logout url for manual use until we figure out how to do programmatically
-# https://idp.int.identitysandbox.gov/openid_connect/logout?client_id=urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:test_notify_gov&post_logout_redirect_uri=http://localhost:6012/sign-in
 
 
 def _get_access_token(code, state):
     client_id = os.getenv("LOGIN_DOT_GOV_CLIENT_ID")
     access_token_url = os.getenv("LOGIN_DOT_GOV_ACCESS_TOKEN_URL")
-    pemfile = open("./private.pem", "r")
-    keystring = pemfile.read()
-    pemfile.close()
+    keystring = os.getenv("LOGIN_PEM")
     payload = {
         "iss": client_id,
         "sub": client_id,
@@ -76,7 +72,6 @@ def sign_in():
     state = request.args.get("state")
     login_gov_error = request.args.get("error")
     if code and state:
-        current_app.logger.info(f"found login.gov code and state {code} {state}")
         access_token = _get_access_token(code, state)
         user_email = _get_user_email(access_token)
         redirect_url = request.args.get("next")

app/main/views/sign_out.py

@@ -33,15 +33,5 @@ def sign_out():
         # TODO This doesn't work yet, due to problems above.
         current_user.sign_out()
 
-        return redirect(
-            "https://idp.int.identitysandbox.gov/openid_connect/logout?client_id=urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:test_notify_gov&post_logout_redirect_uri=http://localhost:6012/sign-out"  # noqa
-        )
+        return redirect(os.getenv("LOGIN_DOT_GOV_LOGOUT_URL"))
     return redirect(url_for("main.index"))
-
-
-# @main.route("/sign-out-at-login-gov", methods=(["POST"]))
-# def sign_out_at_login_gov():
-#     current_app.logger.info("SHOULD BE REDIRECTING TO LOGIN GOV")
-#     return redirect(
-#         "https://idp.int.identitysandbox.gov/openid_connect/logout?client_id=urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:test_notify_gov&post_logout_redirect_uri=http://localhost:6012/sign-out"
-#    )

sample.env

@@ -22,11 +22,6 @@ NOTIFY_E2E_TEST_PASSWORD="don't write secrets to the sample file"
 NOTIFY_E2E_AUTH_STATE_PATH=playwright/.auth/
 
 
-# login.gov
-LOGIN_DOT_GOV_CLIENT_ID="urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:test_notify_gov"
-LOGIN_DOT_GOV_USER_INFO_URL="https://idp.int.identitysandbox.gov/api/openid_connect/userinfo"
-LOGIN_DOT_GOV_ACCESS_TOKEN_URL="https://idp.int.identitysandbox.gov/api/openid_connect/token"
-
 #############################################################
 
 # Local Docker setup
@@ -51,4 +46,5 @@ NR_BROWSER_KEY="don't write secrets to the sample file"
 # Login.gov
 LOGIN_DOT_GOV_CLIENT_ID="urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:test_notify_gov"
 LOGIN_DOT_GOV_USER_INFO_URL="https://idp.int.identitysandbox.gov/api/openid_connect/userinfo"
-LOGIN_DOT_GOV_ACCESS_TOKEN_URL="https://idp.int.identitysandbox.gov/api/openid_connect/token"
+LOGIN_DOT_GOV_ACCESS_TOKEN_URL="https://idp.int.identitysandbox.gov/api/openid_connect/token"
+LOGIN_DOT_GOV_LOGOUT_URL="https://idp.int.identitysandbox.gov/openid_connect/logout?client_id=urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:test_notify_gov&post_logout_redirect_uri=http://localhost:6012/sign-out"