Merge pull request #323 from NHSDigital/pem-update-for-podman

Added PEM file fallback for local development with podman

Author: stephhou

.env.example

@@ -12,7 +12,14 @@ POSTGRES_DB=lung_cancer_screening
 POSTGRES_USER=lung_cancer_screening
 POSTGRES_PASSWORD=password
 
+# If using Podman;
+# * Remove quotes from the variables below.
+# * Remove the value for OIDC_RP_CLIENT_PRIVATE_KEY
+# * Create a file for the PEM key and save in .secrets folder.
+# * Check the file path for OIDC_RP_CLIENT_PRIVATE_KEY_FILE matches the file path for your PEM key file.
+
 OIDC_RP_CLIENT_PRIVATE_KEY="MYSUPERSECRETPRIVATEKEY"
+OIDC_RP_CLIENT_PRIVATE_KEY_FILE=/secrets/oidc_rp_client_private_key.pem
 OIDC_RP_CLIENT_ID="lcrc"
 OIDC_OP_FQDN="https://example.com"
 NHS_LOGIN_SETTINGS_URL="https://settings.example.com"

lung_cancer_screening/questions/tests/unit/test_auth.py

@@ -4,14 +4,18 @@
 from django.conf import settings
 from cryptography.hazmat.primitives.asymmetric import rsa
 from cryptography.hazmat.primitives import serialization
+import tempfile
+import os
 
 from ...auth import NHSLoginOIDCBackend
 from ...tests.factories.user_factory import UserFactory
+from lung_cancer_screening.settings import pem_key_env
 
 User = get_user_model()
 
 @override_settings(
         OIDC_RP_CLIENT_PRIVATE_KEY=None,  # Will be set per test
+        OIDC_RP_CLIENT_PRIVATE_KEY_FILE=None,
         OIDC_OP_TOKEN_ENDPOINT='https://auth.example.com/token',
         OIDC_RP_CLIENT_ID='test-client-id',
         OIDC_RP_REDIRECT_URI='https://app.example.com/callback',
@@ -224,3 +228,21 @@ def test_get_token_nhs_login_error_response_no_json(self, mock_post):
             self.backend.get_token(token_payload)
 
         self.assertIn('Token request failed: 500', str(context.exception))
+
+    def test_pem_key_file_env(self):
+        os.environ['OIDC_RP_CLIENT_PRIVATE_KEY'] = ''
+        temp_pem_key = self.test_private_key_pem
+        # Create a temporary PEM key file
+        with tempfile.NamedTemporaryFile(delete=False, suffix=".pem", mode='w') as temp_file:
+            temp_file.write(temp_pem_key)
+            temp_file_path = temp_file.name
+
+        try:
+            os.environ['OIDC_RP_CLIENT_PRIVATE_KEY_FILE'] = temp_file_path
+            result = pem_key_env("OIDC_RP_CLIENT_PRIVATE_KEY", "OIDC_RP_CLIENT_PRIVATE_KEY_FILE")
+            self.assertEqual(result, temp_pem_key)
+
+        finally:
+            os.environ.pop('OIDC_RP_CLIENT_PRIVATE_KEY_FILE', None)
+            os.environ['OIDC_RP_CLIENT_PRIVATE_KEY'] = 'MYSUPERSECRETPRIVATEKEY'
+            os.remove(temp_file_path)

lung_cancer_screening/settings.py

@@ -26,6 +26,20 @@ def list_env(key):
     return value.split(",") if value else []
 
 
+def pem_key_env(key, file_path_key=None):
+    # Env var takes precedence over file path.
+    value = environ.get(key)
+    if value:
+        return value
+
+    # Fall back to pem key file
+    if file_path_key:
+        file_path = environ.get(file_path_key)
+        if file_path:
+            return Path(file_path).read_text()
+
+    return None
+
 # Build paths inside the project like this: BASE_DIR / 'subdir'.
 BASE_DIR = Path(__file__).resolve().parent
 
@@ -225,7 +239,10 @@ def list_env(key):
 # Set a dummy value to satisfy mozilla-django-oidc's requirement
 # It w't be used since we override get_token() to use private key JWT
 OIDC_RP_CLIENT_SECRET = "not-used-private-key-jwt"
-OIDC_RP_CLIENT_PRIVATE_KEY = environ.get("OIDC_RP_CLIENT_PRIVATE_KEY")
+OIDC_RP_CLIENT_PRIVATE_KEY = pem_key_env(
+    "OIDC_RP_CLIENT_PRIVATE_KEY",
+    file_path_key="OIDC_RP_CLIENT_PRIVATE_KEY_FILE"
+)
 OIDC_OP_FQDN = environ.get("OIDC_OP_FQDN")
 OIDC_OP_AUTHORIZATION_ENDPOINT = f"{OIDC_OP_FQDN}/authorize"
 OIDC_OP_TOKEN_ENDPOINT = f"{OIDC_OP_FQDN}/token"