feat(publisher): authenticate with drupal #86

Merged
merged 45 commits into from
Nov 1, 2023
Changes from 40 commits
45 commits
- fbcf711 chore: require simple oauth (colorfield, Jun 28, 2023)
- 9c6aaf5 chore: update publisher (colorfield, Jun 28, 2023)
- 0db1d61 chore: enable simple oauth (colorfield, Jun 28, 2023)
- 028970e chore: update silverback gatsby (colorfield, Jun 28, 2023)
- 7e79b8e chore: disable key permissions check (colorfield, Jun 28, 2023)
- 2a88a46 chore: add environment variables and configure publisher (colorfield, Jun 28, 2023)
- 5451ba9 chore: set keys directory (colorfield, Jun 28, 2023)
- d91830a chore: allow to use post on publisher access checker (colorfield, Jun 28, 2023)
- 553d520 chore: simple oauth and publisher role configuration (colorfield, Jun 28, 2023)
- 07510d6 chore: use min 32 chars for the hash salt (colorfield, Jun 28, 2023)
- 0749ea8 docs: project specific configuration for oauth (colorfield, Jun 28, 2023)
- f3fecfc chore: comment out environment vars so we use defaults (colorfield, Jun 28, 2023)
- 8836740 chore: gitignore keys (colorfield, Jun 28, 2023)
- c71a69e chore: adjust default hash salt to match >= 32 chars (colorfield, Jul 3, 2023)
- d74cba3 Merge branch 'dev' into publisher-oauth (colorfield, Aug 18, 2023)
- 5299a3d fix: pnpm-lock merge with duplicate entries (colorfield, Aug 18, 2023)
- 9922194 refactor: make oauth optional (colorfield, Aug 18, 2023)
- 1ead119 docs: improve wording (colorfield, Aug 18, 2023)
- 5c6b592 chore: set back after merge (colorfield, Aug 18, 2023)
- 8c6991b docs: fix keys generation (colorfield, Aug 18, 2023)
- f35ec54 chore: bump publisher (colorfield, Aug 22, 2023)
- d3dbd33 Revert "chore: bump publisher" (colorfield, Aug 22, 2023)
- 417838d chore: run pnpm i with manual bump of publisher (colorfield, Aug 22, 2023)
- 0e432f0 Merge remote-tracking branch 'origin/release' into publisher-oauth (colorfield, Oct 16, 2023)
- 24d983a chore: write client and session secret with init (colorfield, Oct 16, 2023)
- a9b4c0f chore: create keys as a post-rollout task (colorfield, Oct 16, 2023)
- 5febe05 chore: bump silverback_gatsby, enable silverback_gatsby_oauth (colorfield, Oct 17, 2023)
- 61d491f fix: add cli service (colorfield, Oct 17, 2023)
- 282b42e fix: add cli service, gitignore keys, do not skip auth (colorfield, Oct 17, 2023)
- a64311c docs: update oauth section (colorfield, Oct 18, 2023)
- 71c29bf chore: bump silverback_gatsby (colorfield, Oct 18, 2023)
- 6078a90 chore: use private scheme for keys due to infra limitations (colorfield, Oct 18, 2023)
- 6f243a3 docs: fix typo (colorfield, Oct 18, 2023)
- 7620f49 chore: no need for gitignore keys anymore (colorfield, Oct 18, 2023)
- e5e4cd0 chore: use REPLACE_ME placeholder value (colorfield, Oct 18, 2023)
- 7ddcc8d chore: source before deploy (colorfield, Oct 18, 2023)
- b47b2c4 docs: fix keys directory (colorfield, Oct 19, 2023)
- 96fa474 refactor: delete publisher role (colorfield, Nov 1, 2023)
- 6e1fc32 refactor: move consumer setup in template (colorfield, Nov 1, 2023)
- b2ce3dc chore: prevent access to keys using the private scheme (colorfield, Nov 1, 2023)
- 0d24d90 chore: bump silverback_gatsby (colorfield, Nov 1, 2023)
- d258b69 Merge remote-tracking branch 'origin/release' into publisher-oauth (colorfield, Nov 1, 2023)
- abc563c chore: update composer.lock (colorfield, Nov 1, 2023)
- 8884af6 docs: remove scope (colorfield, Nov 1, 2023)
- 4c3d69d chore: bump publisher (colorfield, Nov 1, 2023)
11 changes: 10 additions & 1 deletion .lagoon.yml
Expand Up @@ -14,12 +14,21 @@ tasks:
service: cli
- run:
name: Run Drupal deploy tasks
command: drush -y deploy
# Source before https://github.com/uselagoon/lagoon/issues/574
command: source /home/.bashrc && drush -y deploy
service: cli
- run:
name: import translations from the ui
command: drush scr scripts/translations-import.php
service: cli
- run:
name: Create Keys for Simple OAuth if necessary
command: |
if [[ ! -f /app/web/sites/default/files/private/keys/private.key || ! -f /app/web/sites/default/files/private/keys/public.key ]]; then
mkdir -p /app/web/sites/default/files/private/keys
drush simple-oauth:generate-keys /app/web/sites/default/files/private/keys
fi
service: cli
environments:
prod:
routes:
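Review bot: the new "Create Keys for Simple OAuth if necessary" task runs drush without the `source /home/.bashrc &&` prefix that the deploy task directly above needed as a workaround for uselagoon/lagoon#574; if drush in the cli service depends on variables from `.bashrc`, this task will fail or run with a different environment, so apply the same prefix here. Three further points on this hunk: the keys are written to `/app/web/sites/default/files/private/keys`, i.e. under the web root, so their only protection is the private-scheme access rule (the branch's "use private scheme for keys due to infra limitations" and "prevent access to keys using the private scheme" commits), and a deploy check that `private.key` returns 403/404 over HTTP would catch a regression; `mkdir -p` creates the directory with default permissions, so add a `chmod 700` (or verify that `simple-oauth:generate-keys` restricts the key files itself); and because the condition fires when either file is missing, losing only `public.key` regenerates the private key too and invalidates every token issued under the old pair, which is acceptable but deserves a comment.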
14 changes: 13 additions & 1 deletion INIT.md
Expand Up @@ -66,6 +66,18 @@ replace(
'PROJECT_NAME=example',
'PROJECT_NAME=' + process.env.PROJECT_NAME_MACHINE,
);
const clientSecret = randomString(32);
replace(
['apps/cms/.lagoon.env', 'apps/website/.lagoon.env'],
'PUBLISHER_OAUTH2_CLIENT_SECRET=REPLACE_ME',
'PUBLISHER_OAUTH2_CLIENT_SECRET=' + clientSecret,
);
const sessionSecret = randomString(32);
replace(
['apps/website/.lagoon.env'],
'PUBLISHER_OAUTH2_SESSION_SECRET=REPLACE_ME',
'PUBLISHER_OAUTH2_SESSION_SECRET=' + sessionSecret,
);
// Template's prod domain is special.
replace(
'.lagoon.yml',
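Review bot: the generated `PUBLISHER_OAUTH2_CLIENT_SECRET` and `PUBLISHER_OAUTH2_SESSION_SECRET` are written into `apps/cms/.lagoon.env` and `apps/website/.lagoon.env`, which are tracked files (the cms one is in this PR with the `REPLACE_ME` placeholder), so the real secrets will be committed and remain in git history. Prefer setting them as Lagoon runtime variables, as the README already does for `NETLIFY_SITE_ID` with `lagoon add variable`, and keep only the placeholder in the repository; if they must live in the file, say so in INIT.md and note that rotating either secret requires a commit and redeploy. A one-line comment on each `randomString(32)` call stating which file(s) receive the client secret versus the session secret would also make the two calls harder to mix up.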
Expand Down Expand Up @@ -106,7 +118,7 @@ Update the default hash salt.
```ts
replace(
'apps/cms/scaffold/settings.php.append.txt',
'banana123',
'time-flies-like-an-arrow-fruit-flies-like-a-banana',
randomString(32),
);
```
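Review bot: this replacement only works if `apps/cms/scaffold/settings.php.append.txt` contains exactly `time-flies-like-an-arrow-fruit-flies-like-a-banana`; that file is not in this diff, so if the two ever drift the default salt silently survives into production. Make `replace` fail, or at least log, when the search string is not found. Note also that the new 32-character placeholder satisfies the `>= 32 chars` requirement the README adds, so a project that skips INIT.md no longer trips the length check, which is one more reason for the replacement to be loud.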
66 changes: 66 additions & 0 deletions README.md
Expand Up @@ -165,6 +165,72 @@ lagoon runtime configuration.
lagoon add variable -p [project name] -e dev -N NETLIFY_SITE_ID -V [netlify site id]
```

### Publisher authentication with Drupal

Publisher can require to authenticate with Drupal based on OAuth2.
It is only used on Lagoon environments.

<details>
<summary>How it works</summary>

#### Drupal configuration

##### Create keys

Per environment, keys are gitignored and are auto-generated via a Lagoon post-rollout task.

To generate keys manually

via Drush: cd in the cms directory then

```bash
drush simple-oauth:generate-keys ./keys
```

or via the UI

- Go to `/admin/config/people/simple_oauth`
- Click on "Generate keys", the directory should be set to `./sites/default/files/private/keys`

##### Create the Publisher Consumer

Per environment, Consumers are content entities.

- Go to `/admin/config/services/consumer`
- Create a Consumer
- Label: `Publisher`
- Client ID: `publisher`
- Secret: a random string
- Redirect URI: `[publisher-url]/oauth/callback`
- Scope: `Publisher`
- Optional: the default Consumer can be safely deleted

Troubleshooting:
- make sure that the `DRUPAL_HASH_SALT` environment variable is >= 32 chars.
- if enabled on local development, use `127.0.0.1:8888` for the cms and `127.0.0.1:8000` for Publisher

#### Publisher authentication

Edit [website environment variables](./apps/website/.lagoon.env)

```
PUBLISHER_SKIP_AUTHENTICATION=false
PUBLISHER_OAUTH2_CLIENT_SECRET="[secret used in the Drupal Consumer]"
PUBLISHER_OAUTH2_SESSION_SECRET="[another random string]"
```

##### Set the 'Access Publisher' permission

Optional: add this permission to relevant roles.

</details>

<details>
<summary>How to disable it</summary>

In website `.lagoon.env` set `PUBLISHER_SKIP_AUTHENTICATION=true`
</details>

## Storybook

If a `CHROMATIC_PROJECT_TOKEN` environment variable is set, the Storybook build
3 changes: 3 additions & 0 deletions apps/cms/.lagoon.env
@@ -1,3 +1,6 @@
PROJECT_NAME=example
PUBLISHER_URL="https://${LAGOON_GIT_BRANCH}-${PROJECT_NAME}.build.amazeelabs.dev"
NETLIFY_URL="https://${LAGOON_GIT_BRANCH}-${PROJECT_NAME}.amazeelabs.dev"

# Used to set the original client secret.
PUBLISHER_OAUTH2_CLIENT_SECRET=REPLACE_ME
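Review bot: `PUBLISHER_OAUTH2_CLIENT_SECRET=REPLACE_ME` is a committed placeholder that, per the comment, seeds the Consumer's secret. If INIT.md is never run, or its `replace` does not match, the Consumer is created with the literal secret `REPLACE_ME`, which anyone reading this template can guess. Have the consumer setup refuse to create or update the Consumer while the value is still `REPLACE_ME` or empty, and prefer supplying the real value as a Lagoon variable rather than through a tracked file.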
4 changes: 4 additions & 0 deletions apps/cms/composer.json
Expand Up @@ -68,6 +68,7 @@
"drupal/redirect": "^1.8",
"drupal/reroute_email": "^2.2",
"drupal/role_delegation": "^1.2",
"drupal/simple_oauth": "^5.2",
"drupal/slack": "^1.4",
"drupal/stage_file_proxy": "^2.0.2",
"drupal/userprotect": "^1.2",
Expand All @@ -91,6 +92,9 @@
},
"extra": {
"patches": {
"drupal/core": {
"#2706241 AccessAwareRouter does not respect HTTP method": "https://www.drupal.org/files/issues/2023-03-17/2706241-74.patch"
},
"drupal/config_ignore": {
"#2857247 Do not export ignored config": "https://www.drupal.org/files/issues/2021-08-18/config_ignore_2857247-75.patch"
},
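Review bot: the core patch `2706241-74.patch` is fetched from drupal.org at every `composer install`, so the build now depends on an external file that can be replaced or removed, and a modified `AccessAwareRouter` is security-relevant code. Commit the patch file under a `patches/` directory in the repository and reference it by relative path, keep the issue and comment number in the description so it can be dropped when the fix lands in core, and state why it is needed (the publisher access checker must respect POST, per the "allow to use post on publisher access checker" commit) so it is not carried forward unexamined.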