-
Notifications
You must be signed in to change notification settings - Fork 556
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
wrap admin
and preview
in pan-domain-authentication
🐼
#27012
Conversation
6ea4e63
to
067f65f
Compare
6ad5878
to
2546f48
Compare
82a9c1c
to
226bc94
Compare
…replacing plain Google auth with `pan-domain-authentication` 🐼
…tication` from plain Google auth
226bc94
to
7977086
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good 🐼
Some questions and comments for my own education, but nothing blocking I could spot
)(wsClient, executionContext) | ||
def healthCheck(): Action[AnyContent] = | ||
Action { | ||
Ok("OK") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
0K
.map(new URI(_)) | ||
.map(_.getPath) | ||
.map(DigestUtils.md5Hex) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
unroll please 🧵 👏
@@ -1,6 +1,15 @@ | |||
import app.FrontendComponents | |||
import play.api.ApplicationLoader.Context | |||
import play.api.BuiltInComponentsFromContext | |||
import play.api.mvc.EssentialFilter | |||
import org.scalatestplus.mockito.MockitoSugar |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Mockito Sugar, yum 😋
dev-nginx restart-nginx | ||
|
||
echo -e "💯 Done! You can now run frontend locally on https://${DOMAIN}" | ||
echo -e "You can also (separately) run admin and preview locally on https://frontend.local.dev-gutools.co.uk and https://preview.local.dev-gutools.co.uk respectively." |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🔐
Seen on FRONTS-PROD, ADMIN-PROD (merged by @twrichards 14 minutes and 10 seconds ago)
|
Prerequisites
authenticateRequest
function pan-domain-authentication#137 to be merged and released.preview
🐼 editorial-viewer#136 needs to be merged & deployedpan-domain-auth-settings
bucket bypreview
andadmin
servers are in https://github.com/guardian/platform/pull/1589What is the value of this and can you measure success?
Prior to this PR the
admin
andpreview
apps within frontend were wrapped in plain Google auth (since they require a Guardian login to use) - this leaves us at the mercy of Google outages (as occurred recently on 5th March for example). This PR replaces Google auth with our own pan-domain-authentication which wraps Google auth with a handy extra feature to make us resilient to such outages.This also tees us up nicely for adding permissions to
admin
andpreview
in #27078What does this change?
Overall this is NET reduction in code 🎉 and a reasonable amount of the diff is splitting/moving things around. A summary of the changes is as follows...
nginx/nginx-mapping.yml
for use withdev-nginx
so thatadmin
andpreview
can run onfrontend.local.dev-gutools.co.uk
andpreview.local.dev-gutools.co.uk
respectively - so that the pan-domain-authentication actually works (won't work when running purely on localhost)GoogleAuthFilters
in common, to the more fittingGuardianAuthWithExemptions
com.gu.play-googleauth
lib withpan-domain-auth-play_3-0
(and removes the now unnecessarycom.gu.play-secret-rotation
andcom.gu.play-secret-rotation
)GuardianAuthWithExemptions
inadmin
andpreview
'sAppLoader
sGuardianAuthWithExemptions
PanDomainAuthSettingsRefresher
which is central to how panda worksfilter
property which implementsplay.api.mvc.Filter
(for use in admin and preview's lists of filters similar to howGoogleAuthFilters
was used beforepreview
andadmin
(LOG ONLY) #27078 and actually enforce new permissions foradmin
andpreview
#27092AdminAuthAction
replaces uses of it with regularAction
since the filter should be enforcing auth more broadlyScreenshots
N/A
Checklist