Rake tasks for appeals CCG auth #11743

Merged
merged 0 commits into from
Feb 8, 2023


caseywilliams
Contributor

Adds new rake tasks for fetching and validating Client Credentials Grant (CCG) tokens for appeals APIs that use OAuth.

Summary

  • Adds the following new rake tasks:
    rake appeals_api:token:as:ccg             # Get a CCG token for appeals_status
    rake appeals_api:token:as:validate        # Validate an OpenID (CCG or Okta) token for appeals_status
    rake appeals_api:token:ci:ccg             # Get a CCG token for contestable_issues
    rake appeals_api:token:ci:validate        # Validate an OpenID (CCG or Okta) token for contestable_issues
    rake appeals_api:token:hlr:ccg            # Get a CCG token for higher_level_reviews
    rake appeals_api:token:hlr:validate       # Validate an OpenID (CCG or Okta) token for higher_level_reviews
    rake appeals_api:token:la:ccg             # Get a CCG token for legacy_appeals
    rake appeals_api:token:la:validate        # Validate an OpenID (CCG or Okta) token for legacy_appeals
    rake appeals_api:token:nod:ccg            # Get a CCG token for notice_of_disagreements
    rake appeals_api:token:nod:validate       # Validate an OpenID (CCG or Okta) token for notice_of_disagreements
    rake appeals_api:token:sc:ccg             # Get a CCG token for supplemental_claims
    rake appeals_api:token:sc:validate        # Validate an OpenID (CCG or Okta) token for supplemental_claims
  • New settings in settings.yml support these tasks:
  • Each ccg task generates a CCG token that has all valid scopes for the given API
    • So, for example, the appeals_api:token:hlr:ccg task generates a token with the scopes appeals/HigherLevelReviews.read and appeals/HigherLevelReviews.write
    • The token creation endpoint response is printed to the console
  • Each validate task validates a token
    • These tasks prompt the user interactively for a token and query the token validation service for its status and details (including its scopes)
    • The token validation service's response is printed to the console
    • These tasks rely on the token validation service key settings added to settings.yml in "Update scopes and key usage in appeals OAuth APIs" (#11727) (for example, appeals_api:token:hlr:validate attempts to validate a token using the token validation key for HLR)
    • This PR does not attempt to generate Okta tokens (for individual users), but this task will also work for Okta tokens - the same token validation service endpoint validates both kinds of token

Related issue(s)

API-22478, API-22479, API-22480, API-22481, API-22482, API-22483 are the individual tickets for each API.

Testing done

  • Manually ran each task to fetch and validate tokens for each API
  • The process of getting a Client ID for the new APIs is not automated yet, so it will be hard for anyone else to test this without help. To make things easier, I can send my development settings.local.yml values for these tasks to teammates via Keybase if anyone wants to try these out.

What areas of the site does it impact?

None, only adds rake tasks.

Acceptance criteria

- [ ] I fixed|updated|added unit tests and integration tests for each feature (if applicable).
  • No error nor warning in the console.
- [ ] Events are being sent to the appropriate logging solution
  • Documentation has been updated (link to documentation)
  • No sensitive information (i.e. PII/credentials/internal URLs/etc.) is captured in logging, hardcoded, or specs
- [ ] Feature/bug has a monitor built into Datadog or Grafana (if applicable)
- [ ] If app impacted requires authentication, did you login to a local build and verify all authenticated routes work as expected
- [ ] I added a screenshot of the developed feature

@caseywilliams caseywilliams merged commit 1dfb10e into master Feb 8, 2023
@caseywilliams caseywilliams deleted the appeals-oauth-updates-with-rake-tasks branch February 8, 2023 23:16
Labels
appeals Lighthouse API appeals banana-peels Lighthouse Banana Peels Team console-services-review Lighthouse lighthouse