Load cacerts in sso

[arbulu89]

Description

Load CA certificates for Assent to enable https connection in SSO.
Otherwise, we get the imfamous {:tls_alert, {:unknown_ca, ~c"TLS client: In state wait_cert_cr at ssl_handshake.erl:2133 generated CLIENT ALERT: Fatal - Unknown CA\n"}} error.

Besides that, I have improved a bit the SSO login page to prompt a basic error message if the configuration fails.
We could've gone with the standard 500 error, but it looks less obvious. Either way, you need to access the server logs to see the exact error (which can be of different reason).

This is how it looks like:

PD: To test it locally, add the next lines to your local dev.local.exs file:

:ok = :public_key.cacerts_load()
[_ | _] = cacerts = :public_key.cacerts_get()

config :assent, http_adapter: {Assent.HTTPAdapter.Httpc, [ssl: [cacerts: cacerts]]}

How was this tested?

Tested with some test and specially manually, using our demo IDP environment.

Did you update the documentation?

No, but we should consider adding maybe some troubleshooting section.
Besides, once we decide how to load the CA certificates, specially in helm, we will need to document this is it requires user intervention (which will be the case almost certainly)

[gagandeepb]

General comment for later/sync consideration/conversation: What are your thoughts about having some "smoke" tests (e.g. on CI) for config hardening by running existing ssl config against something like badssl.com ? It provides a lot of positive as well as negative test cases that the config should account for, that can possibly be asserted for/against.

[arbulu89]

General comment for later/sync consideration/conversation: What are your thoughts about having some "smoke" tests (e.g. on CI) for config hardening by running existing ssl config against something like badssl.com ? It provides a lot of positive as well as negative test cases that the config should account for, that can possibly be asserted for/against.

It looks interesting. Let's chat about it offline