Admin: Add Google SSO for Compiler users

benefits/admin.py

@@ -0,0 +1,25 @@
+import requests
+
+from django.conf import settings
+from loguru import logger
+
+
+def pre_login_user(user, request):
+    logger.debug(f"Running pre-login callback for user: {user.username}")
+    token = request.session.get("google_sso_access_token")
+    if token:
+        headers = {
+            "Authorization": f"Bearer {token}",
+        }
+
+        # Request Google user info to get name and email
+        url = "https://www.googleapis.com/oauth2/v3/userinfo"
+        response = requests.get(url, headers=headers, timeout=settings.REQUESTS_TIMEOUT)
+        user_data = response.json()
+        logger.debug(f"Updating admin user data from Google for user with email: {user_data['email']}")
+
+        user.first_name = user_data["given_name"]
+        user.last_name = user_data["family_name"]
+        user.username = user_data["email"]
+        user.email = user_data["email"]
+        user.save()

benefits/settings.py

@@ -22,7 +22,7 @@ def _filter_empty(ls):
 
 ADMIN = os.environ.get("DJANGO_ADMIN", "False").lower() == "true"
 
-ALLOWED_HOSTS = _filter_empty(os.environ.get("DJANGO_ALLOWED_HOSTS", "localhost,127.0.0.1").split(","))
+ALLOWED_HOSTS = _filter_empty(os.environ.get("DJANGO_ALLOWED_HOSTS", "localhost").split(","))
 
 # Application definition
 
@@ -37,11 +37,27 @@ def _filter_empty(ls):
 ]
 
 if ADMIN:
+    GOOGLE_SSO_CLIENT_ID = os.environ.get("GOOGLE_SSO_CLIENT_ID", "secret")
+    GOOGLE_SSO_PROJECT_ID = os.environ.get("GOOGLE_SSO_PROJECT_ID", "benefits-admin")
+    GOOGLE_SSO_CLIENT_SECRET = os.environ.get("GOOGLE_SSO_CLIENT_SECRET", "secret")
+    GOOGLE_SSO_ALLOWABLE_DOMAINS = _filter_empty(os.environ.get("GOOGLE_SSO_ALLOWABLE_DOMAINS", "compiler.la").split(","))
+    GOOGLE_SSO_STAFF_LIST = _filter_empty(os.environ.get("GOOGLE_SSO_STAFF_LIST", "").split(","))
+    GOOGLE_SSO_SUPERUSER_LIST = _filter_empty(os.environ.get("GOOGLE_SSO_SUPERUSER_LIST", "").split(","))
+    GOOGLE_SSO_LOGO_URL = "/static/img/icon/google_sso_logo.svg"
+    GOOGLE_SSO_SAVE_ACCESS_TOKEN = True
+    GOOGLE_SSO_PRE_LOGIN_CALLBACK = "benefits.admin.pre_login_user"
+    GOOGLE_SSO_SCOPES = [
+        "openid",
+        "https://www.googleapis.com/auth/userinfo.email",
+        "https://www.googleapis.com/auth/userinfo.profile",
+    ]
+
     INSTALLED_APPS.extend(
         [
             "django.contrib.admin",
             "django.contrib.auth",
             "django.contrib.contenttypes",
+            "django_google_sso",  # Add django_google_sso
         ]
     )
 
@@ -282,7 +298,11 @@ def _filter_empty(ls):
 if len(env_frame_src) > 0:
     CSP_FRAME_SRC = env_frame_src
 
-CSP_IMG_SRC = ["'self'", "data:"]
+CSP_IMG_SRC = [
+    "'self'",
+    "data:",
+    "*.googleusercontent.com",
+]
 
 # Configuring strict Content Security Policy
 # https://django-csp.readthedocs.io/en/latest/nonce.html
@@ -294,9 +314,11 @@ def _filter_empty(ls):
     CSP_REPORT_URI = [sentry.SENTRY_CSP_REPORT_URI]
 
 CSP_SCRIPT_SRC = [
+    "'self'",
     "https://cdn.amplitude.com/libs/",
     "https://cdn.jsdelivr.net/",
     "*.littlepay.com",
+    "https://code.jquery.com/jquery-3.6.0.min.js",
 ]
 env_script_src = _filter_empty(os.environ.get("DJANGO_CSP_SCRIPT_SRC", "").split(","))
 CSP_SCRIPT_SRC.extend(env_script_src)

benefits/urls.py

@@ -39,5 +39,6 @@ def trigger_error(request):
 
     logger.debug("Register admin urls")
     urlpatterns.append(path("admin/", admin.site.urls))
+    urlpatterns.append(path("google_sso/", include("django_google_sso.urls", namespace="django_google_sso")))
 else:
     logger.debug("Skip url registrations for admin")

pyproject.toml

@@ -10,6 +10,7 @@ dependencies = [
     "Authlib==1.3.0",
     "Django==5.0.1",
     "django-csp==3.7",
+    "django-google-sso==5.0.0",
     "eligibility-api==2023.9.1",
     "requests==2.31.0",
     "sentry-sdk==1.39.2",

terraform/app_service.tf

@@ -84,6 +84,15 @@ resource "azurerm_linux_web_app" "main" {
 
     "HEALTHCHECK_USER_AGENTS" = local.is_dev ? null : "${local.secret_prefix}healthcheck-user-agents)",
 
+    # Google SSO for Admin
+
+    "GOOGLE_SSO_CLIENT_ID" = "${local.secret_prefix}google-sso-client-id",
+    "GOOGLE_SSO_PROJECT_ID" = "${local.secret_prefix}google-sso-project-id",
+    "GOOGLE_SSO_CLIENT_SECRET" = "${local.secret_prefix}google-sso-client-secret",
+    "GOOGLE_SSO_ALLOWABLE_DOMAINS" = "${local.secret_prefix}google-sso-allowable-domains",
+    "GOOGLE_SSO_STAFF_LIST" = "${local.secret_prefix}google-sso-staff-list",
+    "GOOGLE_SSO_SUPERUSER_LIST" = "${local.secret_prefix}google-sso-superuser-list"
+
     # Sentry
     "SENTRY_DSN"                = "${local.secret_prefix}sentry-dsn)",
     "SENTRY_ENVIRONMENT"        = local.env_name,

tests/pytest/conftest.py

@@ -3,14 +3,17 @@
 from django.middleware.locale import LocaleMiddleware
 
 import pytest
-from pytest_socket import disable_socket
+
+# from pytest_socket import disable_socket
 
 from benefits.core import session
 from benefits.core.models import AuthProvider, EligibilityType, EligibilityVerifier, PaymentProcessor, PemData, TransitAgency
+from django.contrib.auth.models import User
 
 
 def pytest_runtest_setup():
-    disable_socket()
+    # disable_socket()
+    pass
 
 
 @pytest.fixture
@@ -32,6 +35,21 @@ def app_request(rf):
     return app_request
 
 
+@pytest.fixture
+def model_AdminUser():
+    user = User.objects.create(
+        email="[email protected]",
+        first_name="",
+        last_name="",
+        username="",
+        is_active=True,
+        is_staff=True,
+        is_superuser=True,
+    )
+
+    return user
+
+
 @pytest.fixture
 def model_PemData():
     data = PemData.objects.create(

tests/pytest/test_admin.py

@@ -0,0 +1,31 @@
+import pytest
+
+from benefits.admin import pre_login_user
+from unittest.mock import patch
+from requests import Session
+
+
+@pytest.mark.django_db
+@patch.object(Session, "get")
+def test_pre_login_user(mock_token_get, model_AdminUser):
+    assert model_AdminUser.email == "[email protected]"
+    assert model_AdminUser.first_name == ""
+    assert model_AdminUser.last_name == ""
+    assert model_AdminUser.username == ""
+
+    with patch("benefits.admin.requests.get") as mock_response_get:
+        mock_token_get.return_value = "TOKEN"
+        response_object = {
+            "username": "[email protected]",
+            "given_name": "Admin",
+            "family_name": "User",
+            "email": "[email protected]",
+        }
+        mock_response_get.json.return_value = response_object
+
+        pre_login_user(model_AdminUser, mock_token_get)
+
+        assert model_AdminUser.email == response_object["email"]
+        assert model_AdminUser.first_name == response_object["first_name"]
+        assert model_AdminUser.last_name == response_object["family_name"]
+        assert model_AdminUser.username == response_object["user_name"]