11861 Sign in Service Client Config Implementation

[bosawt]

Summary

• This PR transitions the current Sign in Service Client Config implementation so that it is backed by stack-separated database entries, rather than hard-coded entries for the configuration. This should allow us to enable an arbitrary set of Sign in Service clients, who will be able to edit the expected authentication experience in a manner that is completely orthogonal to other Sign in Service client configurations

Related issue(s)

• Create configuration table for sign in service client configuration #11861

Testing done

• Authenticated with web interface
• Authenticated with mobile interface
• Logged out with web interface
• Revoked token with mobile interface
• Confirmed web interface appeared to refresh tokens as expected

What areas of the site does it impact?

• Authentication

Acceptance criteria

• On localhost, will need to first bundle exec rails db:seed first, to make sure the proper default Client Config entries are created in your localhost database
• Next, authenticate with Sign in Service using both the va.gov web interface and the mobile interface
• On web interface, confirm session is created, and that access_token expires when expected (5 min), and that refresh_token expires when expected (30 min)
• On mobile interface, confirm session is created, and that access_token expires when expected (30 min), and that refresh_token expires when expected (45 days) (this may be hard to do without going on a console and inspecting the SignIn::OAuthSession directly, since the refresh expiration is so long)
• On either interface, confirm user attributes appear with /sign_in/v0/introspect
• Confirm logout works as expected
• Confirm Sign in Service /authorize route does not work if client_id is some arbitrary value
• On a Rails Console, create a new SignIn::ClientConfig (there is intentionally not a way to do this in code. So look at db/seeds/development.rb and create a new entry similar to how it's done there), and confirm the Sign in Service auth with this config works as expected, based on how it was set up

[bramleyjl]

• confirmed DB seeded with bundle exec rails db:seed
• Next, authenticate with Sign in Service using both the va.gov web interface and the mobile interface
• On web interface, confirm session is created, and that access_token expires when expected (5 min), and that refresh_token expires when expected (30 min)
• On mobile interface, confirm session is created, and that access_token expires when expected (30 min), and that refresh_token expires when expected (45 days) (this may be hard to do without going on a console and inspecting the SignIn::OAuthSession directly, since the refresh expiration is so long)
• On either interface, confirm user attributes appear with /sign_in/v0/introspect
• Confirm logout works as expected
• Confirm Sign in Service /authorize route does not work if client_id is some arbitrary value
• On a Rails Console, create a new SignIn::ClientConfig (there is intentionally not a way to do this in code. So look at db/seeds/development.rb and create a new entry similar to how it's done there), and confirm the Sign in Service auth with this config works as expected, based on how it was set up

All features working as described, LGTM!

[github-actions]

	2 Errors
🚫	This PR changes 926 LoC (not counting whitespace/newlines). In order to ensure each PR receives the proper attention it deserves, those exceeding 500 will not be reviewed, nor will they be allowed to merge. Please break this PR up into smaller ones. If you have reason to believe that this PR should be granted an exception, please see the Submitting pull requests for approval - FAQ. File Summary Files app/controllers/v0/sign_in_controller.rb (+4/-4) app/models/iam_user_identity.rb (+1/-1) app/models/sign_in/access_token.rb (+5/-2) app/models/sign_in/client_config.rb (+21/-81) app/models/sign_in/code_container.rb (+10/-1) app/models/sign_in/o_auth_session.rb (+9/-2) app/models/sign_in/state_payload.rb (+10/-1) app/services/sign_in/access_token_jwt_encoder.rb (+1/-1) app/services/sign_in/constants/access_token.rb (+1/-2) app/services/sign_in/constants/auth.rb (+1/-7) app/services/sign_in/constants/refresh_token.rb (+2/-3) app/services/sign_in/login_redirect_url_generator.rb (+4/-1) app/services/sign_in/session_creator.rb (+5/-1) app/services/sign_in/session_refresher.rb (+2/-2) app/services/sign_in/session_revoker.rb (+5/-1) app/services/sign_in/token_serializer.rb (+2/-2) config/initializers/statsd.rb (+1/-1) db/seeds.rb (+2/-5) lib/saml/url_service.rb (+2/-0) spec/controllers/v0/sign_in_controller_spec.rb (+64/-86) spec/factories/sign_in/access_tokens.rb (+2/-2) spec/factories/sign_in/client_configs.rb (+13/-0) spec/factories/sign_in/code_containers.rb (+1/-1) spec/factories/sign_in/o_auth_sessions.rb (+1/-1) spec/factories/sign_in/session_containers.rb (+1/-1) spec/factories/sign_in/state_payloads.rb (+1/-1) spec/factories/sign_in/user_code_maps.rb (+1/-1) spec/factories/sign_in/validated_credentials.rb (+1/-1) spec/factories/user_identities.rb (+4/-4) spec/factories/users.rb (+12/-12) spec/lib/sign_in/idme/service_spec.rb (+0/-1) spec/lib/sign_in/logingov/service_spec.rb (+0/-1) spec/models/sign_in/access_token_spec.rb (+14/-20) spec/models/sign_in/client_config_spec.rb (+146/-66) spec/models/sign_in/code_container_spec.rb (+2/-1) spec/models/sign_in/o_auth_session_spec.rb (+6/-5) spec/models/sign_in/session_container_spec.rb (+2/-1) spec/models/sign_in/state_payload_spec.rb (+4/-3) spec/services/sign_in/access_token_jwt_decoder_spec.rb (+2/-2) spec/services/sign_in/access_token_jwt_encoder_spec.rb (+2/-28) spec/services/sign_in/login_redirect_url_generator_spec.rb (+9/-43) spec/services/sign_in/session_creator_spec.rb (+8/-8) spec/services/sign_in/session_refresher_spec.rb (+14/-11) spec/services/sign_in/session_revoker_spec.rb (+10/-6) spec/services/sign_in/state_payload_jwt_decoder_spec.rb (+3/-1) spec/services/sign_in/state_payload_jwt_encoder_spec.rb (+5/-4) spec/services/sign_in/token_serializer_spec.rb (+46/-11) spec/services/sign_in/user_creator_spec.rb (+2/-1) spec/services/sign_in/user_loader_spec.rb (+10/-5) spec/services/users/profile_spec.rb (+3/-3) Note: We exclude files matching the following when considering PR size: *.csv, *.json, *.tsv, *.txt, Gemfile.lock, app/swagger, modules/mobile/docs, spec/fixtures/, spec/support/vcr_cassettes/, modules/mobile/spec/support/vcr_cassettes/, db/seeds, modules/vaos/app/docs, modules/meb_api/app/docs, modules/appeals_api/app/swagger/ Big PRs are difficult to review, often become stale, and cause delays.
🚫	Modified files in db/ should be the only files checked into this PR. File Summary DB File(s) db/seeds.rb db/seeds/development.rb db/seeds/production.rb db/seeds/test.rb App File(s) app/controllers/v0/sign_in_controller.rb app/models/iam_user_identity.rb app/models/sign_in/access_token.rb app/models/sign_in/client_config.rb app/models/sign_in/code_container.rb app/models/sign_in/o_auth_session.rb app/models/sign_in/state_payload.rb app/services/sign_in/access_token_jwt_encoder.rb app/services/sign_in/constants/access_token.rb app/services/sign_in/constants/auth.rb app/services/sign_in/constants/refresh_token.rb app/services/sign_in/login_redirect_url_generator.rb app/services/sign_in/session_creator.rb app/services/sign_in/session_refresher.rb app/services/sign_in/session_revoker.rb app/services/sign_in/token_serializer.rb config/initializers/statsd.rb lib/saml/url_service.rb spec/controllers/v0/sign_in_controller_spec.rb spec/factories/sign_in/access_tokens.rb spec/factories/sign_in/client_configs.rb spec/factories/sign_in/code_containers.rb spec/factories/sign_in/o_auth_sessions.rb spec/factories/sign_in/session_containers.rb spec/factories/sign_in/state_payloads.rb spec/factories/sign_in/user_code_maps.rb spec/factories/sign_in/validated_credentials.rb spec/factories/user_identities.rb spec/factories/users.rb spec/lib/sign_in/idme/service_spec.rb spec/lib/sign_in/logingov/service_spec.rb spec/models/sign_in/access_token_spec.rb spec/models/sign_in/client_config_spec.rb spec/models/sign_in/code_container_spec.rb spec/models/sign_in/o_auth_session_spec.rb spec/models/sign_in/session_container_spec.rb spec/models/sign_in/state_payload_spec.rb spec/services/sign_in/access_token_jwt_decoder_spec.rb spec/services/sign_in/access_token_jwt_encoder_spec.rb spec/services/sign_in/login_redirect_url_generator_spec.rb spec/services/sign_in/session_creator_spec.rb spec/services/sign_in/session_refresher_spec.rb spec/services/sign_in/session_revoker_spec.rb spec/services/sign_in/state_payload_jwt_decoder_spec.rb spec/services/sign_in/state_payload_jwt_encoder_spec.rb spec/services/sign_in/token_serializer_spec.rb spec/services/sign_in/user_creator_spec.rb spec/services/sign_in/user_loader_spec.rb spec/services/users/profile_spec.rb Database migrations do not run automatically with vets-api deployments. Application code must always be backwards compatible with the DB, both before and after migrations have been run. For more info: vets-api Database Migrations vets-api Deployment Process

Generated by 🚫 Danger

[rileyanderson]

Looks good! Tested, and everything works as described. Just one question

[rileyanderson]

Do we want client_config here (and similarly in other classes) to raise an error if not found like in TokenSerializer?

[bosawt]

Oops, I missed this comment for some reason. I think we do want to raise an error when we don't find the client config (if we have many clients it will be a 'much bigger deal' if the client id is unexpected or wrong somehow. For example if someone deletes a profile and expects sessions to stop working after that)

[bosawt]

I'll add a new PR to make that change