-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Admin: Add Google SSO for Compiler users #1855
Conversation
To test this locally so far:
|
Not sure why GitHub Actions pytest/Cypress are failing here: https://github.com/cal-itp/benefits/actions/runs/7549568812/job/20553782925?pr=1855#step:7:22 I am able to run |
It's failing because when the tests run, From the workflow logs, it looks like
|
@machikoyasuda I think if you were to run locally with This can probably be resolved by moving line 32 to go after line 49. |
Coverage reportClick to see where and how coverage changed
This report was generated by python-coverage-comment-action |
@thekaveman @angela-tran Google SSO credential information for Localhost, Dev, Test and Prod are now saved in LastPass, Shared-Compiler Engineering. |
Terraform updated for 4 Google SSO env vars for Dev, Test and Prod. |
@machikoyasuda I'm taking a look at this now. One quick question, you mentioned:
Is it possible to use |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is looking fantastic so far!! 👏 👏
Steps I took for local setup
Created the following environment variables in my local .env
file:
DJANGO_ADMIN=true
DJANGO_SUPERUSER_EMAIL=[email protected]
DJANGO_SUPERUSER_PASSWORD=password1234!
DJANGO_SUPERUSER_USERNAME=benefits-admin
DJANGO_LOCAL_PORT=11369
GOOGLE_SSO_CLIENT_ID=<value from https://console.cloud.google.com/apis/credentials/oauthclient/415252694921-b03mul9832970e54gbkj4ae8l4f6fu4q.apps.googleusercontent.com?project=benefits-admin-411518>
GOOGLE_SSO_PROJECT_ID=benefits-admin-411518
GOOGLE_SSO_CLIENT_SECRET=<https://console.cloud.google.com/apis/credentials/oauthclient/415252694921-b03mul9832970e54gbkj4ae8l4f6fu4q.apps.googleusercontent.com?project=benefits-admin-411518>
GOOGLE_SSO_ALLOWABLE_DOMAINS=compiler.la
GOOGLE_SSO_STAFF_LIST=[email protected]
GOOGLE_SSO_SUPERUSER_LIST=[email protected]
Rebuild and Reopen devcontainer
Confirm in log output that Admin
is enabled and setup:
Operations to perform:
Apply all migrations: admin, auth, contenttypes, core, django_google_sso, sessions
Running migrations:
Applying contenttypes.0001_initial... OK
Applying auth.0001_initial... OK
Applying admin.0001_initial... OK
Applying admin.0002_logentry_remove_auto_add... OK
Applying admin.0003_logentry_add_action_flag_choices... OK
...
Login with the standard superuser
☑️ Using the username/password as shown above
Login with my personal compiler.la Google account
☑️ A user was created for my Google account
☑️ That user is marked as a superuser
Login with the [email protected] Google account
☑️ A user was created for this Google account
☑️ That user is marked as a normal staff user
Attempt login with a non-compiler.la Google account
☑️ Access is blocked due to non-matching domain
A couple of questions
- Asked in another comment: do we need to use
httpx
here when we already haverequests
? - Do we need the user's Google profile pic? I don't see that showing up anywhere in the Admin interface. Should I?
- Slightly off-topic for this PR, but related: I think we can remove
127.0.0.1
from the defaultALLOWED_HOSTS
list -- since the Google integration is setup forlocalhost
redirects only, we can simplify that setting a bit. -
Can we get some quick unit tests written forSkip these for now, it's complicated to test models/database type stuff.benefits/admin.py
, thepre_login_user
function?
@thekaveman Re: The icon - shows up here: and the URL is used here: The GoogleSSOUser model comes with the |
@machikoyasuda any updates on adding some basic unit tests here? Any blockers / questions? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was able to test out setting all the environment variables up and logging in with my Compiler Google account today. I got through successfully too 👍
I'm looking at this again now 👀 EDIT (12pm Pacific): OK I am actually looking at this RIGHT NOW 😅 |
Terraform dev has been updated to include:
Thank you @angela-tran |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm a little confused as to if this is totally done?
- It seems like
ADMIN
checks were removed but the setting is still around. - Locally I'm seeing this test failing, should probably be deleted if we aren't using this setting anymore.
- The code in
benefits/admin.py
is now duplicated inbenefits/core/admin.py
. - There is still code that checks for the
DJANGO_ADMIN
environment variable, e.g. inbin/init.sh
-- if we are now saying in this PR that admin is always on, that code should probably be cleaned up as well.
This PR doesn't feel quite ready / cleaned up.
Duplicate code needs to be removed, and need to agree on what to do about unit test
@thekaveman @angela-tran Sorry for the delay --- I removed the test, un-did the settings.py changes, removed extra admin file, updated the function call setting ( "benefits.core.admin.pre_login_user" - has to add core in there ). And re-tested it all locally. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks good to me
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep, me too! I went through all 4 scenarios again:
- I can login with the
DJANGO_SUPERUSER_USERNAME
and password - I can login with my own
compiler.la
email configured in the superuser list - I can login with a different
compiler.la
email configured in the user list - I cannot login with a personal Gmail email not in the
compiler.la
domain
quick follow-up to #1855 that was missed in review
closes #1817
After merging this PR and ensuring the proper secrets are set up in Terraform, anyone with a
compiler.la
email address will be able to log into the Benefits Admin application. When the user is authenticated, the application will create a user with their Google first name, last name and e-mail address in Benefits.What this PR does
compiler.la
domains, if the users email address is in the correct secret (see below)compiler.la
addresses can log in and get staff or superuser status:Done
compiler.la, mst.org
) an environment variable (similar to Allowed Hosts - split by comma and filter empties)About
django-google-sso
How to test