feat(publisher): authenticate with drupal (#86)

AmazeeLabs · Nov 1, 2023 · f7fa83e · f7fa83e
1 parent ed7b7c7
commit f7fa83e
Show file tree

Hide file tree

Showing 24 changed files with 1,074 additions and 18 deletions.
diff --git a/.lagoon.yml b/.lagoon.yml
@@ -14,12 +14,21 @@ tasks:
         service: cli
     - run:
         name: Run Drupal deploy tasks
-        command: drush -y deploy
+        # Source before https://github.com/uselagoon/lagoon/issues/574
+        command: source /home/.bashrc && drush -y deploy
         service: cli
     - run:
         name: import translations from the ui
         command: drush scr scripts/translations-import.php
         service: cli
+    - run:
+        name: Create Keys for Simple OAuth if necessary
+        command: |
+          if [[ ! -f /app/web/sites/default/files/private/keys/private.key || ! -f /app/web/sites/default/files/private/keys/public.key ]]; then
+            mkdir -p /app/web/sites/default/files/private/keys
+            drush simple-oauth:generate-keys /app/web/sites/default/files/private/keys
+          fi
+        service: cli
 environments:
   prod:
     routes:

diff --git a/INIT.md b/INIT.md
@@ -66,6 +66,18 @@ replace(
   'PROJECT_NAME=example',
   'PROJECT_NAME=' + process.env.PROJECT_NAME_MACHINE,
 );
+const clientSecret = randomString(32);
+replace(
+  ['apps/cms/.lagoon.env', 'apps/website/.lagoon.env'],
+  'PUBLISHER_OAUTH2_CLIENT_SECRET=REPLACE_ME',
+  'PUBLISHER_OAUTH2_CLIENT_SECRET=' + clientSecret,
+);
+const sessionSecret = randomString(32);
+replace(
+  ['apps/website/.lagoon.env'],
+  'PUBLISHER_OAUTH2_SESSION_SECRET=REPLACE_ME',
+  'PUBLISHER_OAUTH2_SESSION_SECRET=' + sessionSecret,
+);
 // Template's prod domain is special.
 replace(
   '.lagoon.yml',
@@ -106,7 +118,7 @@ Update the default hash salt.
 ```ts
 replace(
   'apps/cms/scaffold/settings.php.append.txt',
-  'banana123',
+  'time-flies-like-an-arrow-fruit-flies-like-a-banana',
   randomString(32),
 );
 ```

diff --git a/README.md b/README.md
@@ -165,6 +165,71 @@ lagoon runtime configuration.
 lagoon add variable -p [project name] -e dev -N NETLIFY_SITE_ID -V [netlify site id]
 ```
 
+### Publisher authentication with Drupal
+
+Publisher can require to authenticate with Drupal based on OAuth2.
+It is only used on Lagoon environments.
+
+<details>
+  <summary>How it works</summary>
+
+  #### Drupal configuration
+
+  ##### Create keys
+
+  Per environment, keys are gitignored and are auto-generated via a Lagoon post-rollout task.
+
+  To generate keys manually
+
+  via Drush: cd in the cms directory then
+
+  ```bash
+  drush simple-oauth:generate-keys ./keys
+  ```
+
+  or via the UI
+
+  - Go to `/admin/config/people/simple_oauth`
+  - Click on "Generate keys", the directory should be set to `./sites/default/files/private/keys`
+
+  ##### Create the Publisher Consumer
+
+  Per environment, Consumers are content entities.
+
+  - Go to `/admin/config/services/consumer`
+    - Create a Consumer
+      - Label: `Publisher`
+      - Client ID: `publisher`
+      - Secret: a random string
+      - Redirect URI: `[publisher-url]/oauth/callback`
+    - Optional: the default Consumer can be safely deleted
+
+  Troubleshooting:
+  - make sure that the `DRUPAL_HASH_SALT` environment variable is >= 32 chars.
+  - if enabled on local development, use `127.0.0.1:8888` for the cms and `127.0.0.1:8000` for Publisher
+
+  #### Publisher authentication
+
+  Edit [website environment variables](./apps/website/.lagoon.env)
+
+  ```
+  PUBLISHER_SKIP_AUTHENTICATION=false
+  PUBLISHER_OAUTH2_CLIENT_SECRET="[secret used in the Drupal Consumer]"
+  PUBLISHER_OAUTH2_SESSION_SECRET="[another random string]"
+  ```
+
+  ##### Set the 'Access Publisher' permission
+
+  Optional: add this permission to relevant roles.
+
+</details>
+
+<details>
+  <summary>How to disable it</summary>
+
+  In website `.lagoon.env` set `PUBLISHER_SKIP_AUTHENTICATION=true`
+</details>
+
 ## Storybook
 
 If a `CHROMATIC_PROJECT_TOKEN` environment variable is set, the Storybook build

diff --git a/apps/cms/.lagoon.env b/apps/cms/.lagoon.env
@@ -1,3 +1,6 @@
 PROJECT_NAME=example
 PUBLISHER_URL="https://${LAGOON_GIT_BRANCH}-${PROJECT_NAME}.build.amazeelabs.dev"
 NETLIFY_URL="https://${LAGOON_GIT_BRANCH}-${PROJECT_NAME}.amazeelabs.dev"
+
+# Used to set the original client secret.
+PUBLISHER_OAUTH2_CLIENT_SECRET=REPLACE_ME
diff --git a/apps/cms/composer.json b/apps/cms/composer.json
@@ -68,6 +68,7 @@
     "drupal/redirect": "^1.8",
     "drupal/reroute_email": "^2.2",
     "drupal/role_delegation": "^1.2",
+    "drupal/simple_oauth": "^5.2",
     "drupal/slack": "^1.4",
     "drupal/stage_file_proxy": "^2.0.2",
     "drupal/userprotect": "^1.2",
@@ -91,6 +92,9 @@
   },
   "extra": {
     "patches": {
+      "drupal/core": {
+        "#2706241 AccessAwareRouter does not respect HTTP method": "https://www.drupal.org/files/issues/2023-03-17/2706241-74.patch"
+      },
       "drupal/config_ignore": {
         "#2857247 Do not export ignored config": "https://www.drupal.org/files/issues/2021-08-18/config_ignore_2857247-75.patch"
       },