auth: Allow setting GOOGLE_OAUTH2_CLIENT_ID from dev-secrets.

This makes it much more convenient to use Google/GitHub authentication
in a Zulip development environment for testing; one only has to set it
up once.

docs/subsystems/auth.md

@@ -41,9 +41,8 @@ Here are the full procedures for dev:
   `https://zulipdev.com:9991/accounts/login/google/done/` .
 
 * You should get a client ID and a client secret. Copy them. In
-  `dev_settings.py`, set `GOOGLE_OAUTH2_CLIENT_ID` to the client ID,
+  `dev-secrets.conf`, set `google_auth2_client_id` to the client ID
-  and in `dev-secrets.conf`, set `google_oauth2_client_secret` to the
+  and `google_oauth2_client_secret` to the client secret.
-  client secret.
 
 ### GitHub
 

templates/zerver/config_error.html

@@ -49,7 +49,11 @@
                     {% endif %}
 
                     {% if google_error %}
-                    {{ render_markdown_path('zerver/google-error.md', {"root_domain_uri": root_domain_uri, "settings_path": settings_path, "secrets_path": secrets_path}) }}
+                        {% if development_environment %}
+                        {{ render_markdown_path('zerver/google-error.md', {"root_domain_uri": root_domain_uri, "settings_path": secrets_path, "secrets_path": secrets_path, "client_id_key_name": "google_oauth2_client_id"}) }}
+                        {% else %}
+                        {{ render_markdown_path('zerver/google-error.md', {"root_domain_uri": root_domain_uri, "settings_path": settings_path, "secrets_path": secrets_path, "client_id_key_name": "GOOGLE_OAUTH2_CLIENT_ID"}) }}
+                        {% endif %}
                     {% endif %}
 
                     {% if github_error %}

templates/zerver/google-error.md

@@ -7,7 +7,7 @@ You can create OAuth2 apps at [the Google developer console](https://console.dev
 * You have configured your OAuth2 client to allow redirects to your
 server's Google auth URL: `{{ root_domain_uri }}/accounts/login/google/done/`.
 
-* You have set `GOOGLE_OAUTH2_CLIENT_ID` in `{{ settings_path }}` and
+* You have set `{{ client_id_key_name }}` in `{{ settings_path }}` and
 `google_oauth2_client_secret` in `{{ secrets_path }}`.
 
 * Navigate back to the login page and attempt the Google auth flow again.

zerver/tests/test_docs.py

@@ -330,11 +330,32 @@ class AboutPageTest(ZulipTestCase):
 class ConfigErrorTest(ZulipTestCase):
     @override_settings(GOOGLE_OAUTH2_CLIENT_ID=None)
     def test_google(self) -> None:
+        result = self.client_get("/accounts/login/google/")
+        self.assertEqual(result.status_code, 302)
+        self.assertEqual(result.url, '/config-error/google')
+        result = self.client_get(result.url)
+        self.assert_in_success_response(["google_oauth2_client_id"], result)
+        self.assert_in_success_response(["google_oauth2_client_secret"], result)
+        self.assert_in_success_response(["zproject/dev-secrets.conf"], result)
+        self.assert_not_in_success_response(["GOOGLE_OAUTH2_CLIENT_ID"], result)
+        self.assert_not_in_success_response(["zproject/dev_settings.py"], result)
+        self.assert_not_in_success_response(["/etc/zulip/settings.py"], result)
+        self.assert_not_in_success_response(["/etc/zulip/zulip-secrets.conf"], result)
+
+    @override_settings(GOOGLE_OAUTH2_CLIENT_ID=None)
+    @override_settings(DEVELOPMENT=False)
+    def test_google_production_error(self) -> None:
         result = self.client_get("/accounts/login/google/")
         self.assertEqual(result.status_code, 302)
         self.assertEqual(result.url, '/config-error/google')
         result = self.client_get(result.url)
         self.assert_in_success_response(["GOOGLE_OAUTH2_CLIENT_ID"], result)
+        self.assert_in_success_response(["/etc/zulip/settings.py"], result)
+        self.assert_in_success_response(["google_oauth2_client_secret"], result)
+        self.assert_in_success_response(["/etc/zulip/zulip-secrets.conf"], result)
+        self.assert_not_in_success_response(["google_oauth2_client_id"], result)
+        self.assert_not_in_success_response(["zproject/dev_settings.py"], result)
+        self.assert_not_in_success_response(["zproject/dev-secrets.conf"], result)
 
     @override_settings(SOCIAL_AUTH_GITHUB_KEY=None)
     def test_github(self) -> None:

zproject/settings.py

@@ -136,9 +136,6 @@ DEFAULT_SETTINGS = {
     # Other settings, like EMAIL_HOST_USER, EMAIL_PORT, and EMAIL_USE_TLS,
     # we leave up to Django's defaults.
 
-    # Google auth
-    'GOOGLE_OAUTH2_CLIENT_ID': None,
-
     # LDAP auth
     'AUTH_LDAP_SERVER_URI': "",
     'LDAP_EMAIL_ATTR': None,
@@ -157,6 +154,7 @@ DEFAULT_SETTINGS = {
     # Social auth; we support providing values for some of these
     # settings in zulip-secrets.conf instead of settings.py in development.
     'SOCIAL_AUTH_GITHUB_KEY': get_secret('social_auth_github_key', development_only=True),
+    'GOOGLE_OAUTH2_CLIENT_ID': get_secret('google_oauth2_client_id', development_only=True),
     'SOCIAL_AUTH_GITHUB_ORG_NAME': None,
     'SOCIAL_AUTH_GITHUB_TEAM_ID': None,
     'SOCIAL_AUTH_SUBDOMAIN': None,