add infrastructure configuration and docs for auth

GSA · Jun 15, 2023 · 7ee69ab · 7ee69ab
1 parent 0121c38
commit 7ee69ab
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -93,6 +93,16 @@ Before the first deployment, you need to run the bootstrap script, where `SPACE`
 bin/cg-bootstrap-space.sh SPACE
 ```
 
+You'll also have to set up an identity provider service so that app administrators can log in via cloud.gov UAA. For each space, where `FRONT_END_BASE_URL` is the base URL of the front end website that will be running on cloud.gov Pages:
+
+```
+bin/cg-create-identity-service.sh SPACE FRONT_END_BASE_URL
+
+# Examples:
+#   bin/cg-create-identity-service.sh dev https://federalist-2e11f2c8-970f-44f5-acc8-b47ef6c741ad.sites.pages.cloud.gov/site/gsa/smartpay-training
+#   bin/cg-create-identity-service.sh prod https://training.smartpay.gsa.gov
+```
+
 You can monitor the services deployment status with `cf services`. It can take quite a while to fully provision everything. Once the services are ready, you can bootstrap the application:
 
 ```

diff --git a/bin/cg-create-identity-service.sh b/bin/cg-create-identity-service.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+# Creates an OAuth provider service in cloud.gov
+
+set -e
+
+if [ -z "$2" ] ; then
+  echo "Usage: $0 SPACE FRONT_END_BASE_URL"
+  echo
+  echo "Example: $0 prod https://training.smartpay.gsa.gov"
+  exit 1
+fi
+
+org="gsa-smartpay"
+app_name="smartpay-training"
+space=$1
+redirect_url=${2%/}/auth_callback
+post_logout_url=${2%/}
+service_instance_name="smartpay-training-oauth-client"
+service_key_name="smartpay-training-oauth-key"
+
+echo "Creating identity provider service in space: $space"
+echo "Service instance name: ${service_instance_name}"
+echo "Service key name: ${service_key_name}"
+echo "Redirect URL: ${redirect_url}"
+echo "Post-logout URL: ${post_logout_url}"
+echo
+
+cf target -o ${org} -s ${space}
+
+# Create identity provider
+cf create-service cloud-gov-identity-provider oauth-client ${service_instance_name}
+
+# Create service key
+cf create-service-key smartpay-training-oauth-client ${service_key_name} \
+    -c "{\"redirect_uri\": [\"${redirect_url}\", \"${post_logout_url}\"]}"
+
+echo If needed, you can retrieve the client_id and client_secret with:
+echo cf service-key smartpay-training-oauth-client ${service_key_name}
diff --git a/manifest.yml b/manifest.yml
@@ -11,3 +11,4 @@ applications:
       - smartpay-training-db
       - smartpay-training-redis
       - smartpay-training-secrets
+      - smartpay-training-oauth-client