forked from pre/hyy-voting-api
-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy path.env.example
144 lines (123 loc) · 5.9 KB
/
.env.example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
# With Haka test auth, the authentication callbcack url is called with TLS.
# The default local test is https://localhost.enemy.fi:3001 and Rails is at http://localhost:3000.
# Run `local-ssl-proxy --source 3001 --target 3000` to locally terminate the TLS and redirect
# to the rails server.
# For reference, see SAML_ASSERTION_CONSUMER_SERVICE_URL
#
# Leave PORT undefined in Heroku.
PORT=3000
# Heroku: "production"
RACK_ENV=development
RAILS_ENV=development
# Heroku timezone
TZ="Europe/Helsinki"
# Without LANG voting-frontend displays local files with messed up encoding
LANG=en_US.UTF-8
# Generate secrets with `rails secret`
JWT_VOTER_SECRET=long_jwt_key
# Generate with `rails secret` -
# JWT_SERVICE_USER_SECRET MUST differ from JWT_VOTER_SECRET
JWT_SERVICE_USER_SECRET=different_long_jwt_key
# This would be used for session cookies if they were used
SECRET_KEY_BASE=long_secret_key
# Report errors to Rollbar.com.
# Use different access key for API and Frontend.
# Note: Frontend's access key will be PUBLIC so you may not trust all the
# reports coming from it.
ROLLBAR_ACCESS_TOKEN="rollbar.com"
ROLLBAR_ENV="development"
FRONTEND_ROLLBAR_ACCESS_TOKEN="get this from rollbar.com"
FRONTEND_ROLLBAR_ENVIRONMENT="development"
EMAIL_FROM_ADDRESS="HYYn vaalit <[email protected]>"
EXTERNAL_INFO_SITE=http://hyy.fi/hallintovaalit
EXTERNAL_INFO_PHONE="+358 50 551 6147"
# Range of allowed sign in times.
VOTE_SIGNIN_STARTS_AT="2015-11-02 09:00:00 +0200"
VOTE_SIGNIN_ENDS_AT="2015-11-03 18:00:00 +0200"
# Last date of voting. Used to display "election has ended" message.
ELECTION_TERMINATES_AT="2015-11-03 18:00:00 +0200"
# Voters cannot sign in before OPENING_TIME
VOTE_SIGNIN_DAILY_OPENING_TIME="10:00"
# Voters cannot sign in after CLOSING_TIME.
VOTE_SIGNIN_DAILY_CLOSING_TIME="18:30"
# User has GRACE_PERIOD minutes to submit the vote if he signed in before CLOSING_TIME.
VOTING_GRACE_PERIOD_MINUTES=5
# How long after a signed in user is kicked out.
VOTER_SESSION_JWT_EXPIRY_MINUTES=60
# Lifetime of Sign In Token provided after Haka authentication
# (ie. time after user can't re-login from browser history)
SIGN_IN_JWT_EXPIRY_SECONDS=45
# Lifetime of Sign In Token provided in an email link
EMAIL_LINK_JWT_EXPIRY_MINUTES=120
### Local example idp
## Ensure you have local idp example running at localhost:4000
# SAML_IDP_SSO_TARGET_URL="http://localhost:4000/saml/auth"
# SAML_IDP_ENTITY_ID="http://localhost:4000/saml/auth"
# SAML_ASSERTION_CONSUMER_SERVICE_URL="http://localhost:3000/haka/auth/consume"
# SAML_MY_ENTITY_ID="http://localhost:3000/"
# SAML_IDP_CERT_FINGERPRINT="9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D"
# HAKA_STUDENT_NUMBER_FIELD="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
### Haka test environment
##
## SAML settings are hardcoded for two reasons
## 1) ruby-saml does not support validating the signature of Haka metadata.
## https://github.com/onelogin/ruby-saml/issues/639
## 2) Hardcoding the IdP is a sure way to deny logins from any other IdP of the federation.
##
## See the docs for more info:
## https://github.com/hyy-vaalit/dokumentaatio/tree/master/haka
# https://login.helsinki.fi/idp/profile/SAML2/Redirect/SSO
SAML_IDP_SSO_TARGET_URL="https://testidp.funet.fi/idp/profile/SAML2/Redirect/SSO"
# https://login.helsinki.fi/shibboleth
SAML_IDP_ENTITY_ID="https://testidp.funet.fi/idp/shibboleth"
# https://vaalit.hyy.fi/haka/auth/consume
SAML_ASSERTION_CONSUMER_SERVICE_URL="https://localhost.enemy.fi:3001/haka/auth/consume"
# https://vaalit.hyy.fi/haka/serviceprovider
SAML_MY_ENTITY_ID="hyy.voting.test.local"
# Fingerprint is not required in Haka-test. Assertions are encrypted so
# a real certificate is used instead.
SAML_IDP_CERT_FINGERPRINT=""
# Haka test has "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# login.helsinki.fi has "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
SAML_NAME_IDENTIFIER_FORMAT="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# Copy example certs from `doc/certificate_examples`.
#
# Haka-test examples are registered in the federated Haka-test environment for localhost usage.
# Haka-test will redirect to https://localhost.eneny.fi:3001 after a successful login.
# Open `local-ssl-proxy --source 3001 --target 3999` before running tets.
#
# Assets may be set in Heroku using
# `heroku config:set SOME_CERT="$(cat cert.pem)"`
#
# Values for helsinki.fi can be extracted from the Haka metadata:
#
# idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
# validate_cert = true
# settings = idp_metadata_parser.parse_remote(
# "https://haka.funet.fi/metadata/haka-metadata.xml",
# validate_cert,
# entity_id: "https://login.helsinki.fi/shibboleth"
# )
SAML_IDP_CERT="$(cat cert/haka-test/idp.crt)"
SAML_MY_PRIVATE_KEY="$(cat cert/haka-test/my-private.key)"
SAML_MY_CERT="$(cat cert/haka-test/my-cert.crt)"
# helsinki.fi shibboleth käyttäjäattribuutit
# https://wiki.helsinki.fi/pages/viewpage.action?pageId=226580829
# If the URL has changed, Google for "helsinki.fi urn:oid:1.3.6.1.4.1.25178.1.2.14"
HAKA_STUDENT_NUMBER_FIELD="urn:oid:1.3.6.1.4.1.25178.1.2.14" # schacPersonalUniqueCode
# urn:schac:personalUniqueCode:int:studentID:helsinki.fi
HAKA_STUDENT_NUMBER_KEY="urn:schac:personalUniqueCode:fi:yliopisto.fi"
# Frontend: use http://localhost:9000 for development
# - port 9000 is dev environment by `grunt serve`
# - port 3000 is API/public by `rails s`
SITE_ADDRESS=http://localhost:3000
SITE_DOMAIN=vaalit.hyy.fi
# Since Rails 7.2 the FRONTEND_API_BASE_URL must not mix between http://localhost:3000 here and
# https://localhost.enemy.fi:3001 from Haka or Safari will fail with a CORS error. Chrome works though!
FRONTEND_API_BASE_URL="https://localhost.enemy.fi:3001/api"
# FRONTEND_API_BASE_URL="http://localhost:3000/api"
FRONTEND_GOOGLE_ANALYTICS_ID="UA-35625600-1"
# Create IAM profile with eg. AWS SES Full Access
AWS_SES_REGION="eu-central-1"
AWS_SES_ACCESS_KEY_ID="sekrit_id"
AWS_SES_SECRET_ACCESS_KEY="sekrit_key"