Merge SSO changes into dev (#2342)

* Feature: SSO Migration - DESENG #408 (#2333)

* Make role checks platform-agnostic

* default to standard realm

* Remove local Keycloak instances and config

* Use tenant information from DB instead of Keycloak

* Update sample.env files

* Clean up the changelog... and we're good to go! 🥳

* [DESENG-414] .env var (and config) audit and cleanup (#2339)

* Overhaul of most configuration files

* No longer using semver; update CHANGELOG.MD

* Feature/deseng415 (#2334)

* feature/deseng415: Added recording of date with feedback submission and displaying the data on admin side.

* feature/deseng415: Fixed feedback schema, removed yup import, fixed change log date.

* bugfix/deseng429: Removed outdated service class. (#2337)

* bugfix/deseng429: Removed outdated service class.

* bugfix/deseng429: Changed version and changelog to match deployments to gdx-main.

* DESENG-438 Superusers can publish engagements without attached surveys (#2338)

* DESENG-441 Remove unused engagement metadata fields (#2340)

* Fixed merge errors in the changelog

---------

Co-authored-by: jareth-whitney <[email protected]>
Co-authored-by: Baelx <[email protected]>
Co-authored-by: Alex <[email protected]>
Well done team! 💖

CHANGELOG.MD

@@ -1,23 +1,68 @@
+# Change Log
+
+All notable changes to this project will be documented in this file.
+
+## December 11, 2023
+
+- **Task** Merge `gdx-sso`, `gdx-dev`, `gdx-main` into `main` [🎟️DESENG-442](https://apps.itsm.gov.bc.ca/jira/browse/DESENG-442)
+
 ## December 5, 2023
+
 - **Task** Remove unused project metadata [🎟️DESENG-441](https://apps.itsm.gov.bc.ca/jira/browse/DESENG-441)
 
+## December 4, 2023
+
+- **Feature**: .env var audit and cleanup [🎟️DESENG-414](https://apps.itsm.gov.bc.ca/jira/browse/DESENG-414) (work finished)
+  - Full rewrite of met_api/config.py
+  - Sample .env files updated to capture all current settings
+  - Changed many configs to use a nested dict structure
+  - Changed all configs to use get_named_config() to access settings
+  - SQLAlchemy now generates its url based on db settings
+  - Default settings are handled more gracefully
+  - Enable file-watching reloader and debugger for development environments
+  - Inline documentation added in config.py
+  - Removed unused settings
+
 ## November 29, 2023
-- **Feature** Superusers can publish engagements without attached surveys [🎟️DESENG-438](https://apps.itsm.gov.bc.ca/jira/browse/DESENG-438)
 
-## November 11, 2023
+- **Feature**: Superusers can publish engagements without attached surveys [🎟️DESENG-438](https://apps.itsm.gov.bc.ca/jira/browse/DESENG-438)
+
+## November 21, 2023
+
 - **Feature**: Started logging source url path with feedback submission. Viewable in dashboard. [🎟️DESENG-415](https://apps.itsm.gov.bc.ca/jira/browse/DESENG-415)
-- **Bug Fix**: Removed a duplicate service class. [🎟️DESENG-429](https://apps.itsm.gov.bc.ca/jira/browse/DESENG-429)
+
+## November 11, 2023
+
+- **Bug Fix**: Removed a duplicate service class [🎟️DESENG-429](https://apps.itsm.gov.bc.ca/jira/browse/DESENG-429)
+
+## November 6, 2023
+
+- **Feature**: Switch MET to use Keycloak SSO service [🎟️DESENG-408](https://apps.itsm.gov.bc.ca/jira/browse/DESENG-408)
+  - Switch all role-based checks on the API to use a single callback function (`current_app.config['JWT_ROLE_CALLBACK']`)
+  - Added a configurable path `JWT_ROLE_CLAIM` to indicate where your SSO instance places role information in the JWT token. If your access token looks like:
+  `{ ..., "realm_access": { "roles": [ "role1", "role2"]}}` you would set `JWT_ROLE_CLAIM=realm_access.roles`
+  - Explicitly disable single tenant mode by default to ensure correct multi-tenancy behaviour
+  - Remove local Keycloak instances and configuration
+  - Default to the "standard" realm for Keycloak
+  - Use tenancy information from DB rather than Keycloak
+
+- **Feature**: .env var audit and cleanup [🎟️DESENG-414](https://apps.itsm.gov.bc.ca/jira/browse/DESENG-414)
 
 ## October 26, 2023
-- **Bug Fix**: Upgraded BC-Sans font to newest version. [🎟️DESENG-413](https://apps.itsm.gov.bc.ca/jira/browse/DESENG-413)
-- **Bug Fix**: Engagements will now open in the same browser window/tab, not a new one. [🎟️DESENG-421](https://apps.itsm.gov.bc.ca/jira/browse/DESENG-421)
-- **Bug Fix**: Update sample .env files - [🎟️DESENG-414](https://apps.itsm.gov.bc.ca/jira/browse/DESENG-414)
-- Sample .env files have been updated to reflect the current state of the project.
-- *Breaking*: Keycloak URLs and resources now point to the BC Government's SSO service when using `sample.env` as a baseline
-- *Breaking*: The `met_api` module has been updated slightly to consume Pathfinder SSO's API schema.
-- Changes to `DEVELOPMENT.md` to reflect the current state of the project
-- Remove one old production .env file with obsolete settings
-
-## October 1, 2023
+
+- **Bug Fix**: Upgraded BC-Sans font to the newest version [🎟️DESENG-413](https://apps.itsm.gov.bc.ca/jira/browse/DESENG-413)
+
+## October 19, 2023
+
+- **Feature**: Update sample .env files [🎟️DESENG-414](https://apps.itsm.gov.bc.ca/jira/browse/DESENG-414)
+  - Sample .env files have been updated to reflect the current state of the project.
+  - Keycloak URLs and resources now point to the BC Government's SSO service when using `sample.env` as a baseline
+  - The `met_api` module has been updated slightly to consume Pathfinder SSO's API schema.
+  - Remove one old production .env file with obsolete settings
+- Changes to DEVELOPMENT.md to reflect the current state of the project
+
+
+## v1.0.0 - 2023-10-01
+
 - App handoff from EAO to GDX
-- Added changelog
+- Added changelog

analytics-api/src/analytics_api/config.py

@@ -28,20 +28,26 @@
 load_dotenv(find_dotenv())
 
 
-def get_named_config(config_name: str = 'development'):
-    """Return the configuration object based on the name.
+def get_named_config(environment: str | None) -> '_Config':
+    """
+    Retrieve a configuration object by name. Used by the Flask app factory.
 
-    :raise: KeyError: if an unknown configuration is requested
+    :param config_name: The name of the configuration.
+    :return: The requested configuration object.
+    :raises: KeyError if the requested configuration is not found.
     """
-    if config_name in ['production', 'staging', 'default']:
-        config = ProdConfig()
-    elif config_name == 'testing':
-        config = TestConfig()
-    elif config_name == 'development':
-        config = DevConfig()
-    else:
-        raise KeyError("Unknown configuration '{config_name}'")
-    return config
+    config_mapping = {
+        'development': DevConfig,
+        'default':   ProdConfig,
+        'staging':    ProdConfig,
+        'production': ProdConfig,
+        'testing':    TestConfig,
+    }
+    try:
+        print(f'Loading configuration: {environment}...')
+        return config_mapping[environment]()
+    except KeyError:
+        raise KeyError(f'Configuration "{environment}" not found.')
 
 
 class _Config():  # pylint: disable=too-few-public-methods

met-api/sample.env

@@ -1,29 +1,55 @@
+# GDX MET API Configuration
+# For more information on these values, please see the documentation
+# or met-api/src/met_api/config.py 
+
 # Changes Flask's run mode and the set of env vars are used to configure the app. You should not need to change this here.
 FLASK_ENV=development
 
-# Database configuration. 
-# See DEVELOPMENT.md for instructions on how to set up the local database.
-DATABASE_HOST="localhost"
-DATABASE_PORT="5432"
-DATABASE_USERNAME="postgres"
-DATABASE_PASSWORD="postgres"
-DATABASE_NAME="met"
+USE_DEBUG=True # Enable a dev-friendly debug mode
+TESTING= # Handle errors normally (False) or raise exceptions (True)
 
-# Email API endpoint
-NOTIFICATIONS_EMAIL_ENDPOINT=https://met-notify-api-dev.apps.gold.devops.gov.bc.ca/api/v1/notifications/email
+# CORS Settings
+CORS_ORIGINS=http://localhost:3000,http://localhost:5000
+
+# Miscellaneous Settings
+SECRET_KEY="" # For Flask sessions. If unset, this value is randomized
+SHAPEFILE_UPLOAD_FOLDER="/tmp/uploads"
+SLUG_MAX_CHARACTERS=100
+# disables certain checks for user permissions and tenant access. Buggy.
+IS_SINGLE_TENANT_ENVIRONMENT=false
+USE_TEST_KEYCLOAK_DOCKER=false
+USE_DOCKER_MOCK=false
+LEGISLATIVE_TIMEZONE="America/Vancouver"
+ENGAGEMENT_END_TIME="5 PM"
+# Default name for the tenant. Used to initially populate the database.
+DEFAULT_TENANT_SHORT_NAME="GDX"
+DEFAULT_TENANT_NAME="Government Digital Experience Division"
+DEFAULT_TENANT_DESCRIPTION="The Government Digital Experience (GDX) Division 
+ is responsible for setting standards in delivering government information and
+ services digitally. Their work includes creating web content guides, ensuring
+ accessibility and inclusion, and overseeing forms management and visual design
+ for a better digital user experience."
 
-# Keycloak configuration. Keycloak is now hosted, and local keycloak instances are no longer needed.
-KEYCLOAK_BASE_URL=https://dev.loginproxy.gov.bc.ca/auth
-KEYCLOAK_REALMNAME=standard
-JWT_OIDC_AUDIENCE=modern-engagement-tools-4787
-JWT_OIDC_WELL_KNOWN_CONFIG=${KEYCLOAK_BASE_URL}/realms/${KEYCLOAK_REALMNAME}/.well-known/openid-configuration
-JWT_OIDC_JWKS_URI=${KEYCLOAK_BASE_URL}/realms/${KEYCLOAK_REALMNAME}/protocol/openid-connect/certs
-JWT_OIDC_ISSUER=${KEYCLOAK_BASE_URL}/realms/${KEYCLOAK_REALMNAME}
+# Keycloak configuration.
+# Populate from 'GDX Modern Engagement Tools-installation-*.json'
+# https://bcgov.github.io/sso-requests
+KEYCLOAK_BASE_URL="" # auth-server-url
+KEYCLOAK_REALMNAME="" # realm
+MET_ADMIN_CLIENT_ID="" # resource
+MET_ADMIN_CLIENT_SECRET="" # credentials.secret
+KEYCLOAK_CONNECT_TIMEOUT= 60 # seconds
 
-# Authenticates the MET API with Keycloak for running tests.
-# Currently unused since the hosted Keycloak instance does not support API usage.
-MET_ADMIN_CLIENT_ID=
-MET_ADMIN_CLIENT_SECRET=
+# JWT OIDC configuration for authentication
+# Populate from 'GDX MET web (public)-installation-*.json'
+JWT_OIDC_AUDIENCE="" # resource
+JWT_OIDC_ISSUER="" # default: constructed from base url and realm name
+JWT_OIDC_WELL_KNOWN_CONFIG="" # default: constructed from issuer
+JWT_OIDC_JWKS_URI=""          # default: constructed from issuer
+# Object path to access roles from JWT token
+JWT_OIDC_ROLE_CLAIM=realm_access.roles # SSO schema
+# JWT_OIDC_ROLE_CLAIM=client_roles # Keycloak schema
+JWT_OIDC_CACHING_ENABLED=true # Enable caching of JWKS.
+JWT_OIDC_JWKS_CACHE_TIMEOUT=300 # Timeout for JWKS cache in seconds.
 
 # S3 configuration. Used for uploading custom header images, etc.
 S3_ACCESS_KEY_ID=
@@ -33,13 +59,83 @@ S3_REGION='us-east-1'
 S3_SECRET_ACCESS_KEY=
 S3_SERVICE='execute-api'
 
-# EPIC integration configuration
-EPIC_URL=https://eagle-dev.apps.silver.devops.gov.bc.ca/api/commentperiod
-EPIC_JWT_OIDC_ISSUER=${KEYCLOAK_BASE_URL}/auth/realms/eao-epic
-EPIC_KC_CLIENT_ID=eagle-admin-console
-EPIC_MILESTONE=5cf00c03a266b7e1877504e9
-EPIC_KEYCLOAK_SERVICE_ACCOUNT_ID=
-EPIC_KEYCLOAK_SERVICE_ACCOUNT_SECRET=
+# Database Configuration
+DATABASE_HOST="localhost"
+DATABASE_PORT="5432"
+DATABASE_USERNAME="postgres"
+DATABASE_PASSWORD="postgres"
+DATABASE_NAME="met"
+#Default: set from above settings (this overrides them)
+SQLALCHEMY_DATABASE_URI=
+SQLALCHEMY_ECHO= 
+SQLALCHEMY_TRACK_MODIFICATIONS=
+
+# Email API Configuration
+NOTIFICATIONS_EMAIL_ENDPOINT=https://met-notify-api-dev.apps.gold.devops.gov.bc.ca/api/v1/notifications/email
+EMAIL_SECRET_KEY="notASecureKey" # If unset, this value is randomized
+EMAIL_ENVIRONMENT=
+EMAIL_FROM_ADDRESS="[email protected]"
+# Email Template Configuration
+# Subject lines have a reasonable default value
+SUBSCRIBE_EMAIL_TEMPLATE_ID=
+SUBSCRIBE_EMAIL_SUBJECT=
+REJECTED_EMAIL_TEMPLATE_ID=
+REJECTED_EMAIL_SUBJECT=
+VERIFICATION_EMAIL_TEMPLATE_ID=
+VERIFICATION_EMAIL_SUBJECT=
+SUBMISSION_RESPONSE_EMAIL_TEMPLATE_ID=
+SUBMISSION_RESPONSE_EMAIL_SUBJECT=
+CLOSEOUT_EMAIL_TEMPLATE_ID=
+CLOSEOUT_EMAIL_SUBJECT=
+ACCESS_REQUEST_EMAIL_TEMPLATE_ID=
+ACCESS_REQUEST_EMAIL_SUBJECT=
+ACCESS_REQUEST_EMAIL_ADDRESS="[email protected]"
+
+# Site paths for creating emails from templates
+SITE_URL=localhost:3000
+SURVEY_PATH=/surveys/submit/{survey_id}/{token}
+USER_MANAGEMENT_PATH=/usermanagement
+SUBMISSION_PATH=/engagements/{engagement_id}/edit/{token}
+SUBSCRIBE_PATH=/engagements/{engagement_id}/subscribe/{token}
+UNSUBSCRIBE_PATH=/engagements/{engagement_id}/unsubscribe/{participant_id}
+ENGAGEMENT_PATH=/engagements/{engagement_id}/view
+ENGAGEMENT_PATH_SLUG=/{slug}
+ENGAGEMENT_DASHBOARD_PATH=/engagements/{engagement_id}/comments/public
+ENGAGEMENT_DASHBOARD_PATH_SLUG=/{slug}/comments/public
+
+#CDogs API settings
+CDOGS_ACCESS_TOKEN=
+CDOGS_BASE_URL=
+CDOGS_SERVICE_CLIENT=
+CDOGS_SERVICE_CLIENT_SECRET=
+CDOGS_TOKEN_URL=
+
+JWT_OIDC_TEST_AUDIENCE=
+JWT_OIDC_TEST_CLIENT_SECRET=
+JWT_OIDC_TEST_ISSUER=
+JWT_OIDC_TEST_ALGORITHMS=
+
+# Test database settings
+# If unset, uses the same settings as the main database
+DATABASE_TEST_USERNAME=
+DATABASE_TEST_PASSWORD=
+DATABASE_TEST_NAME=
+DATABASE_TEST_HOST=
+DATABASE_TEST_PORT=
+
+# Docker database settings
+# If unset, uses the same settings as the main database
+DATABASE_DOCKER_USERNAME=
+DATABASE_DOCKER_PASSWORD=
+DATABASE_DOCKER_NAME=
+DATABASE_DOCKER_HOST=
+DATABASE_DOCKER_PORT=
 
-# Allowed CORS origins
-CORS_ORIGIN=http://localhost:3000,http://localhost:5000
+# EPIC Integration Configuration
+EPIC_INTEGRATION_ENABLED=false
+EPIC_URL=
+EPIC_JWT_OIDC_ISSUER=
+EPIC_KC_CLIENT_ID=
+EPIC_MILESTONE=
+EPIC_KEYCLOAK_SERVICE_ACCOUNT_ID= 
+EPIC_KEYCLOAK_SERVICE_ACCOUNT_SECRET=