Release 2024.03.2

.env.sample

@@ -12,14 +12,8 @@ courtesy_card_verifier_api_auth_key=server-auth-token
 mobility_pass_verifier_api_auth_key=server-auth-token
 client_private_key='-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA1pt0ZoOuPEVPJJS+5r884zcjZLkZZ2GcPwr79XOLDbOi46on\nCa79kjRnhS0VUK96SwUPS0z9J5mDA5LSNL2RoxFb5QGaevnJY828NupzTNdUd0sY\nJK3kRjKUggHWuB55hwJcH/Dx7I3DNH4NL68UAlK+VjwJkfYPrhq/bl5z8ZiurvBa\n5C1mDxhFpcTZlCfxQoas7D1d+uPACF6mEMbQNd3RaIaSREO50NvNywXIIt/OmCiR\nqI7JtOcn4eyh1I4j9WtlbMhRJLfwPMAgY5epTsWcURmhVofF2wVoFbib3JGCfA7t\nz/gmP5YoEKnf/cumKmF3e9LrZb8zwm7bTHUViwIDAQABAoIBAQCIv0XMjNvZS9DC\nXoXGQtVpcxj6dXfaiDgnc7hZDubsNCr3JtT5NqgdIYdVNQUABNDIPNEiCkzFjuwM\nuuF2+dRzM/x6UCs/cSsCjXYBCCOwMwV/fjpEJQnwMQqwTLulVsXZYYeSUtXVBf/8\n0tVULRty34apLFhsyX30UtboXQdESfpmm5ZsqsZJlYljw+M7JxRMneQclI19y/ya\nhPWlfhLB9OffVEJXGaWx1NSYnKoCMKqE/+4krROr6V62xXaNyX6WtU6XiT7C6R5A\nPBxfhmoeFdVCF6a+Qq0v2fKThYoZnV4sn2q2An9YPfynFYnlgzdfnAFSejsqxQd0\nfxYLOtMBAoGBAP1jxjHDJngZ1N+ymw9MIpRgr3HeuMP5phiSTbY2tu9lPzQd+TMX\nfhr1bQh2Fd/vU0u7X0yPnTWtUrLlCdGnWPpXivx95GNGgUUIk2HStFdrRx+f2Qvk\nG8vtLgmSbjQ26UiHzxi9Wa0a41PWIA3TixkcFrS2X29Qc4yd6pVHmicfAoGBANjR\nZ8aaDkSKLkq5Nk1T7I0E1+mtPoH1tPV/FJClXjJrvfDuYHBeOyUpipZddnZuPGWA\nIW2tFIsMgJQtgpvgs52NFI7pQGJRUPK/fTG+Ycocxo78TkLr/RIj8Kj5brXsbZ9P\n3/WBX5GAISTSp1ab8xVgK/Tm07hGupKVqnY2lCAVAoGAIql0YjhE2ecGtLcU+Qm8\nLTnwpg4GjmBnNTNGSCfB7IuYEsQK489R49Qw3xhwM5rkdRajmbCHm+Eiz+/+4NwY\nkt5I1/NMu7vYUR40MwyEuPSm3Q+bvEGu/71pL8wFIUVlshNJ5CN60fA8qqo+5kVK\n4Ntzy7Kq6WpC9Dhh75vE3ZcCgYEAty99uXtxsJD6+aEwcvcENkUwUztPQ6ggAwci\nje9Z/cmwCj6s9mN3HzfQ4qgGrZsHpk4ycCK655xhilBFOIQJ3YRUKUaDYk4H0YDe\nOsf6gTP8wtQDH2GZSNlavLk5w7UFDYQD2b47y4fw+NaOEYvjPl0p5lmb6ebAPZb8\nFbKZRd0CgYBC1HTbA+zMEqDdY4MWJJLC6jZsjdxOGhzjrCtWcIWEGMDF7oDDEoix\nW3j2hwm4C6vaNkH9XX1dr5+q6gq8vJQdbYoExl22BGMiNbfI3+sLRk0zBYL//W6c\ntSREgR4EjosqQfbkceLJ2JT1wuNjInI0eR9H3cRugvlDTeWtbdJ5qA==\n-----END RSA PRIVATE KEY-----'
 client_public_key='-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1pt0ZoOuPEVPJJS+5r88\n4zcjZLkZZ2GcPwr79XOLDbOi46onCa79kjRnhS0VUK96SwUPS0z9J5mDA5LSNL2R\noxFb5QGaevnJY828NupzTNdUd0sYJK3kRjKUggHWuB55hwJcH/Dx7I3DNH4NL68U\nAlK+VjwJkfYPrhq/bl5z8ZiurvBa5C1mDxhFpcTZlCfxQoas7D1d+uPACF6mEMbQ\nNd3RaIaSREO50NvNywXIIt/OmCiRqI7JtOcn4eyh1I4j9WtlbMhRJLfwPMAgY5ep\nTsWcURmhVofF2wVoFbib3JGCfA7tz/gmP5YoEKnf/cumKmF3e9LrZb8zwm7bTHUV\niwIDAQAB\n-----END PUBLIC KEY-----'
-mst_payment_processor_client_cert='-----BEGIN CERTIFICATE-----\nPEM DATA\n-----END CERTIFICATE-----'
-mst_payment_processor_client_cert_private_key='-----BEGIN RSA PRIVATE KEY-----\nPEM DATA\n-----END RSA PRIVATE KEY-----'
-mst_payment_processor_client_cert_root_ca='-----BEGIN CERTIFICATE-----\nPEM DATA\n-----END CERTIFICATE-----'
-sacrt_payment_processor_client_cert='-----BEGIN CERTIFICATE-----\nPEM DATA\n-----END CERTIFICATE-----'
-sacrt_payment_processor_client_cert_private_key='-----BEGIN RSA PRIVATE KEY-----\nPEM DATA\n-----END RSA PRIVATE KEY-----'
-sacrt_payment_processor_client_cert_root_ca='-----BEGIN CERTIFICATE-----\nPEM DATA\n-----END CERTIFICATE-----'
-sbmtd_payment_processor_client_cert='-----BEGIN CERTIFICATE-----\nPEM DATA\n-----END CERTIFICATE-----'
-sbmtd_payment_processor_client_cert_private_key='-----BEGIN RSA PRIVATE KEY-----\nPEM DATA\n-----END RSA PRIVATE KEY-----'
-sbmtd_payment_processor_client_cert_root_ca='-----BEGIN CERTIFICATE-----\nPEM DATA\n-----END CERTIFICATE-----'
+mst_payment_processor_client_secret=secret
+sacrt_payment_processor_client_secret=secret
+sbmtd_payment_processor_client_secret=secret
 
 testsecret="Hello from the local environment!"

.github/dependabot.yml

@@ -14,15 +14,6 @@ updates:
       include: "scope"
     labels:
       - "dependencies"
-  - package-ecosystem: "pip"
-    directory: "/docs" # requirements.txt
-    schedule:
-      interval: "daily"
-    commit-message:
-      prefix: "chore"
-      include: "scope"
-    labels:
-      - "dependencies"
   - package-ecosystem: "github-actions"
     # Workflow files stored in the
     # default location of `.github/workflows`

.pre-commit-config.yaml

@@ -48,7 +48,7 @@ repos:
           - python
 
   - repo: https://github.com/pycqa/bandit
-    rev: 1.7.7
+    rev: 1.7.8
     hooks:
       - id: bandit
         args: ["-ll"]

benefits/core/migrations/0002_paymentprocessor_backoffice_api.py

@@ -0,0 +1,71 @@
+# Generated by Django 5.0.2 on 2024-03-07 21:38
+
+import benefits.core.models
+import benefits.secrets
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("core", "0001_initial"),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name="paymentprocessor",
+            name="api_access_token_endpoint",
+        ),
+        migrations.RemoveField(
+            model_name="paymentprocessor",
+            name="api_access_token_request_key",
+        ),
+        migrations.RemoveField(
+            model_name="paymentprocessor",
+            name="api_access_token_request_val",
+        ),
+        migrations.RemoveField(
+            model_name="paymentprocessor",
+            name="client_cert",
+        ),
+        migrations.RemoveField(
+            model_name="paymentprocessor",
+            name="client_cert_private_key",
+        ),
+        migrations.RemoveField(
+            model_name="paymentprocessor",
+            name="client_cert_root_ca",
+        ),
+        migrations.RemoveField(
+            model_name="paymentprocessor",
+            name="customer_endpoint",
+        ),
+        migrations.RemoveField(
+            model_name="paymentprocessor",
+            name="customers_endpoint",
+        ),
+        migrations.RemoveField(
+            model_name="paymentprocessor",
+            name="group_endpoint",
+        ),
+        migrations.AddField(
+            model_name="paymentprocessor",
+            name="audience",
+            field=models.TextField(default="audience"),
+            preserve_default=False,
+        ),
+        migrations.AddField(
+            model_name="paymentprocessor",
+            name="client_id",
+            field=models.TextField(default="client_id"),
+            preserve_default=False,
+        ),
+        migrations.AddField(
+            model_name="paymentprocessor",
+            name="client_secret_name",
+            field=benefits.core.models.SecretNameField(
+                default="client-secret-name", max_length=127, validators=[benefits.secrets.SecretNameValidator()]
+            ),
+            preserve_default=False,
+        ),
+    ]

benefits/core/migrations/local_fixtures.json

@@ -35,87 +35,6 @@
       "remote_url": null
     }
   },
-  {
-    "model": "core.pemdata",
-    "pk": 5,
-    "fields": {
-      "label": "(MST) payment processor client certificate",
-      "text_secret_name": "mst-payment-processor-client-cert",
-      "remote_url": null
-    }
-  },
-  {
-    "model": "core.pemdata",
-    "pk": 6,
-    "fields": {
-      "label": "(MST) payment processor client certificate private key",
-      "text_secret_name": "mst-payment-processor-client-cert-private-key",
-      "remote_url": null
-    }
-  },
-  {
-    "model": "core.pemdata",
-    "pk": 7,
-    "fields": {
-      "label": "(MST) payment processor client certificate root CA",
-      "text_secret_name": "mst-payment-processor-client-cert-root-ca",
-      "remote_url": null
-    }
-  },
-  {
-    "model": "core.pemdata",
-    "pk": 8,
-    "fields": {
-      "label": "(SacRT) payment processor client certificate",
-      "text_secret_name": "sacrt-payment-processor-client-cert",
-      "remote_url": null
-    }
-  },
-  {
-    "model": "core.pemdata",
-    "pk": 9,
-    "fields": {
-      "label": "(SacRT) payment processor client certificate private key",
-      "text_secret_name": "sacrt-payment-processor-client-cert-private-key",
-      "remote_url": null
-    }
-  },
-  {
-    "model": "core.pemdata",
-    "pk": 10,
-    "fields": {
-      "label": "(SacRT) payment processor client certificate root CA",
-      "text_secret_name": "sacrt-payment-processor-client-cert-root-ca",
-      "remote_url": null
-    }
-  },
-  {
-    "model": "core.pemdata",
-    "pk": 11,
-    "fields": {
-      "label": "(SBMTD) payment processor client certificate",
-      "text_secret_name": "sbmtd-payment-processor-client-cert",
-      "remote_url": null
-    }
-  },
-  {
-    "model": "core.pemdata",
-    "pk": 12,
-    "fields": {
-      "label": "(SBMTD) payment processor client certificate private key",
-      "text_secret_name": "sbmtd-payment-processor-client-cert-private-key",
-      "remote_url": null
-    }
-  },
-  {
-    "model": "core.pemdata",
-    "pk": 13,
-    "fields": {
-      "label": "(SBMTD) payment processor client certificate root CA",
-      "text_secret_name": "sbmtd-payment-processor-client-cert-root-ca",
-      "remote_url": null
-    }
-  },
   {
     "model": "core.authprovider",
     "pk": 1,
@@ -324,18 +243,12 @@
     "fields": {
       "name": "(MST) test payment processor",
       "api_base_url": "http://server:8000",
-      "api_access_token_endpoint": "access-token",
-      "api_access_token_request_key": "request_access",
-      "api_access_token_request_val": "REQUEST_ACCESS",
+      "client_id": "",
+      "client_secret_name": "mst-payment-processor-client-secret",
+      "audience": "",
       "card_tokenize_url": "http://server:8000/static/tokenize.js",
       "card_tokenize_func": "tokenize",
-      "card_tokenize_env": "test",
-      "client_cert": 5,
-      "client_cert_private_key": 6,
-      "client_cert_root_ca": 7,
-      "customer_endpoint": "customer",
-      "customers_endpoint": "customers",
-      "group_endpoint": "group"
+      "card_tokenize_env": "test"
     }
   },
   {
@@ -344,18 +257,12 @@
     "fields": {
       "name": "(SacRT) test payment processor",
       "api_base_url": "http://server:8000",
-      "api_access_token_endpoint": "access-token",
-      "api_access_token_request_key": "request_access",
-      "api_access_token_request_val": "REQUEST_ACCESS",
+      "client_id": "",
+      "client_secret_name": "sacrt-payment-processor-client-secret",
+      "audience": "",
       "card_tokenize_url": "http://server:8000/static/tokenize.js",
       "card_tokenize_func": "tokenize",
-      "card_tokenize_env": "test",
-      "client_cert": 8,
-      "client_cert_private_key": 9,
-      "client_cert_root_ca": 10,
-      "customer_endpoint": "customer",
-      "customers_endpoint": "customers",
-      "group_endpoint": "group"
+      "card_tokenize_env": "test"
     }
   },
   {
@@ -364,18 +271,12 @@
     "fields": {
       "name": "(SBMTD) test payment processor",
       "api_base_url": "http://server:8000",
-      "api_access_token_endpoint": "access-token",
-      "api_access_token_request_key": "request_access",
-      "api_access_token_request_val": "REQUEST_ACCESS",
+      "client_id": "",
+      "client_secret_name": "sbmtd-payment-processor-client-secret",
+      "audience": "",
       "card_tokenize_url": "http://server:8000/static/tokenize.js",
       "card_tokenize_func": "tokenize",
-      "card_tokenize_env": "test",
-      "client_cert": 11,
-      "client_cert_private_key": 12,
-      "client_cert_root_ca": 13,
-      "customer_endpoint": "customer",
-      "customers_endpoint": "customers",
-      "group_endpoint": "group"
+      "card_tokenize_env": "test"
     }
   },
   {

benefits/core/models.py

@@ -206,21 +206,16 @@ class PaymentProcessor(models.Model):
     id = models.AutoField(primary_key=True)
     name = models.TextField()
     api_base_url = models.TextField()
-    api_access_token_endpoint = models.TextField()
-    api_access_token_request_key = models.TextField()
-    api_access_token_request_val = models.TextField()
+    client_id = models.TextField()
+    client_secret_name = SecretNameField()
+    audience = models.TextField()
     card_tokenize_url = models.TextField()
     card_tokenize_func = models.TextField()
     card_tokenize_env = models.TextField()
-    # The certificate used for client certificate authentication to the API
-    client_cert = models.ForeignKey(PemData, related_name="+", on_delete=models.PROTECT)
-    # The private key, used to sign the certificate
-    client_cert_private_key = models.ForeignKey(PemData, related_name="+", on_delete=models.PROTECT)
-    # The root CA bundle, used to verify the server.
-    client_cert_root_ca = models.ForeignKey(PemData, related_name="+", on_delete=models.PROTECT)
-    customer_endpoint = models.TextField()
-    customers_endpoint = models.TextField()
-    group_endpoint = models.TextField()
+
+    @property
+    def client_secret(self):
+        return get_secret_by_name(self.client_secret_name)
 
     def __str__(self):
         return self.name