Added Apple Pay merchant certificates to ecommerce role

LEARNER-1845

playbooks/roles/ecommerce/defaults/main.yml

@@ -79,6 +79,20 @@ ECOMMERCE_SOCIAL_AUTH_EDX_OIDC_ISSUER: '{{ ECOMMERCE_OAUTH_URL_ROOT }}'
 # Settings for affiliate cookie tracking
 ECOMMERCE_AFFILIATE_COOKIE_NAME: '{{ EDXAPP_AFFILIATE_COOKIE_NAME | default("dev_affiliate_id") }}'
 
+# NOTE: The contents of the certificates should be set in private configuration
+ecommerce_apple_pay_merchant_certificate_directory: '/edx/etc/ssl'
+ecommerce_apple_pay_merchant_certificate_filename: 'apple_pay_merchant.pem'
+ecommerce_apple_pay_merchant_certificate_path: '{{ ecommerce_apple_pay_merchant_certificate_directory }}/{{ ecommerce_apple_pay_merchant_certificate_filename }}'
+ECOMMERCE_APPLE_PAY_MERCHANT_CERTIFICATE: |
+  Your PEM file, containing a public and private key,
+  should be set in private configuration. This is how you
+  implement a multi-line string in YAML.
+ECOMMERCE_APPLE_PAY_MERCHANT_ID_DOMAIN_ASSOCIATION: |
+  This value should also be in private configuration. It, too,
+  will span multiple lines.
+ECOMMERCE_APPLE_PAY_MERCHANT_IDENTIFIER: 'merchant.com.example'
+ECOMMERCE_APPLE_PAY_COUNTRY_CODE: 'US'
+
 # CyberSource related
 ECOMMERCE_CYBERSOURCE_PROFILE_ID: 'SET-ME-PLEASE'
 ECOMMERCE_CYBERSOURCE_MERCHANT_ID: 'SET-ME-PLEASE'
@@ -111,6 +125,12 @@ ECOMMERCE_PAYMENT_PROCESSOR_CONFIG:
       receipt_page_url: '{{ ECOMMERCE_CYBERSOURCE_RECEIPT_PAGE_URL }}'
       cancel_page_url: '{{ ECOMMERCE_CYBERSOURCE_CANCEL_PAGE_URL }}'
       soap_api_url: '{{ ECOMMERCE_CYBERSOURCE_SOAP_API_URL }}'
+      # NOTE: These are simple placeholders meant to show what keys are needed for Apple Pay. These values
+      # should be overwritten in private configuration.
+      apple_pay_merchant_identifier: '{{ ECOMMERCE_APPLE_PAY_MERCHANT_IDENTIFIER }}'
+      apple_pay_merchant_id_domain_association: '{{ ECOMMERCE_APPLE_PAY_MERCHANT_ID_DOMAIN_ASSOCIATION }}'
+      apple_pay_merchant_id_certificate_path: '{{ ecommerce_apple_pay_merchant_certificate_path }}'
+      apple_pay_country_code: '{{ ECOMMERCE_APPLE_PAY_COUNTRY_CODE }}'
     paypal:
       mode: '{{ ECOMMERCE_PAYPAL_MODE }}'
       client_id: '{{ ECOMMERCE_PAYPAL_CLIENT_ID }}'

playbooks/roles/ecommerce/tasks/main.yml

@@ -170,6 +170,28 @@
     - install
     - install:configuration
 
+- name: Create Apple Pay certificates directory
+  file:
+    path: "{{ ecommerce_apple_pay_merchant_certificate_directory }}"
+    state: directory
+    owner: "{{ supervisor_user }}"
+    group: "{{ common_web_user }}"
+  tags:
+    - install
+    - install:configuration
+
+- name: Write Apple Pay merchant certificates
+  copy:
+    content: "{{ ECOMMERCE_APPLE_PAY_MERCHANT_CERTIFICATE }}"
+    dest: "{{ ecommerce_apple_pay_merchant_certificate_path }}"
+    owner: "{{ supervisor_user }}"
+    group: "{{ common_web_user }}"
+    mode: "0644"
+  no_log: true
+  tags:
+    - install
+    - install:configuration
+
 - name: Setup the ecommence env file
   template:
     src: "./{{ ecommerce_home }}/{{ ecommerce_service_name }}_env.j2"

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/ecommerce.j2

@@ -40,14 +40,14 @@ server {
   {% if NGINX_REDIRECT_TO_HTTPS %}
      {% if NGINX_HTTPS_REDIRECT_STRATEGY == "scheme" %}
   # Redirect http to https over single instance
-  if ($scheme != "https") 
-  { 
+  if ($scheme != "https")
+  {
    set $do_redirect_to_https "true";
   }
 
      {% elif NGINX_HTTPS_REDIRECT_STRATEGY == "forward_for_proto" %}
-  # Forward to HTTPS if we're an HTTP request... and the server is behind ELB 
-  if ($http_x_forwarded_proto = "http") 
+  # Forward to HTTPS if we're an HTTP request... and the server is behind ELB
+  if ($http_x_forwarded_proto = "http")
   {
    set $do_redirect_to_https "true";
   }
@@ -81,6 +81,11 @@ server {
     try_files $uri @proxy_to_app;
   }
 
+  # Allow access for Apple Pay domain validation
+  location /.well-known/apple-developer-merchantid-domain-association {
+    try_files $uri @proxy_to_app;
+  }
+
   {% include "robots.j2" %}
 
 location @proxy_to_app {