diff --git a/config/schema/helfi_api_base.schema.yml b/config/schema/helfi_api_base.schema.yml index 6c92f1b9..bd604504 100644 --- a/config/schema/helfi_api_base.schema.yml +++ b/config/schema/helfi_api_base.schema.yml @@ -30,18 +30,6 @@ helfi_api_base.api_accounts: sequence: type: string -helfi_api_base.pubsub.settings: - type: config_object - mapping: - endpoint: - type: string - access_key: - type: string - hub: - type: string - group: - type: string - helfi_api_base.environment_resolver.settings: type: config_entity mapping: diff --git a/documentation/api-accounts.md b/documentation/api-accounts.md index e470ad52..6fb99675 100644 --- a/documentation/api-accounts.md +++ b/documentation/api-accounts.md @@ -8,11 +8,28 @@ This can be used to: ## Managing local API accounts -This is used to ensure that local API accounts retain the credentials. Any missing accounts are created and the password is reset to the one defined in configuration. +This is used to ensure that local API accounts retain the credentials. Any missing accounts are created, and the password is reset to whatever is defined in the configuration. + +### Configuration + +Define an array of `username`, `password` and an optional `roles` and `mail` pairs: + +```php +$config['helfi_api_base.api_accounts']['accounts'][] = [ + 'username' => 'account1', + 'password' => 'password1', + 'roles' => ['role1', 'role2'], + 'mail' => 'some-email@example.com', +]; +``` + +If no `mail` is provided, an autogenerated email address like `drupal+$username@hel.fi` is used. For example: `drupal+account1@hel.fi`. + +### Using environment variable to define accounts Define an environment variable called `DRUPAL_API_ACCOUNTS`. These accounts are read and mapped in [settings.php](https://github.com/City-of-Helsinki/drupal-helfi-platform/blob/main/public/sites/default/settings.php) file shipped with `City-of-Helsinki/drupal-helfi-platform`. -The value should be a base64 encoded JSON string that contains an array of `username`, `password` and an optional `roles` and `mail` pairs: +The value should be a base64 encoded JSON string of whatever is defined in `helfi_api_base.api_accounts.accounts` configuration, for example: ```bash php -r "print base64_encode('[{"username":"account1","password":"password1","roles":["role1","role2"]},{"username":"account2","password":"password2","mail":"some-email@example.com"}]');" @@ -23,8 +40,6 @@ Then map the given output to `DRUPAL_API_ACCOUNTS` environment variable: DRUPAL_API_ACCOUNTS=W3t1c2VybmFtZTphY2NvdW50MSxwYXNzd29yZDpwYXNzd29yZDEscm9sZXM6W3JvbGUxLHJvbGUyXX0se3VzZXJuYW1lOmFjY291bnQyLHBhc3N3b3JkOnBhc3N3b3JkMixtYWlsOnNvbWUtZW1haWxAZXhhbXBsZS5jb219XQ== ``` -If no `mail` is provided, an email address like `drupal+$username@hel.fi` is used. For example: `drupal+account1@hel.fi`. - ### Usage We hook into `helfi_api_base.post_deploy` event ([src/EventSubscriber/EnsureApiAccountsSubscriber.php](/src/EventSubscriber/EnsureApiAccountsSubscriber.php)), triggered by `drush helfi:post-deploy` command executed as a part of deployment tasks: [https://github.com/City-of-Helsinki/drupal-helfi-platform/blob/main/docker/openshift/entrypoints/20-deploy.sh](https://github.com/City-of-Helsinki/drupal-helfi-platform/blob/main/docker/openshift/entrypoints/20-deploy.sh) @@ -50,12 +65,36 @@ $config['helfi_api_base.api_accounts']['accounts'] = $api_accounts; This is used to store external API credentials. +### Configuration + +Define an array of `id`, `plugin`, and `data` pairs: + +```php +$config['helfi_api_base.api_accounts']['vault'][] = [ + 'id' => 'pubsub', + 'plugin' => 'json', + 'data' => '{"endpoint": "xxx.docker.so", "hub": "local", "group": "invalidate_cache", "access_key": ""}', +]; +$config['helfi_api_base.api_accounts']['vault'][] = [ + 'id' => 'global_navigation', + 'plugin' => 'authorization_token', + 'data' => 'aGVsZmktYWRtaW46MTIz', +]; +``` + +The value of `data` field depends on `plugin` value: + +- Authorization token (`authorization_token`): A simple string. For example `aGVsZmktYWRtaW46MTIz`. +- JSON (`json`): A JSON string. For example `{"endpoint": "xxxx.docker.so", "key": "value"}`. + +### Using environment variable to define Vault items + Define an environment variable called `DRUPAL_VAULT_ACCOUNTS`. These accounts are read and mapped in [settings.php](https://github.com/City-of-Helsinki/drupal-helfi-platform/blob/main/public/sites/default/settings.php) file shipped with `City-of-Helsinki/drupal-helfi-platform`. -The value should be a base64 encoded JSON string that contains an array of `id`, `plugin` and `data` pairs: +The value should be a base64 encoded JSON string of whatever is defined in `helfi_api_base.api_accounts.vault` configuration, for example: ```bash -php -r "print base64_encode('[{"id": "etusivu_local", "plugin": "authorization_token": "data": "aGVsZmktYWRtaW46MTIz"}]');" +php -r "print base64_encode('[{"id": "global_navigation", "plugin": "authorization_token": "data": "aGVsZmktYWRtaW46MTIz"}]');" ``` Then map the given output to `DRUPAL_VAULT_ACCOUNTS` environment variable: @@ -70,8 +109,8 @@ DRUPAL_VAULT_ACCOUNTS=W3tpZDogZXR1c2l2dV9sb2NhbCwgcGx1Z2luOiBhdXRob3JpemF0aW9uX3 /** @var \Drupal\helfi_api_base\Vault\VaultManager $service */ $service = \Drupal::service('helfi_api_base.vault_manager'); /** @var \Drupal\helfi_api_base\Vault\VaultItemInterface $item */ -$item = $service->get('etusivu_local'); // 'etusivu_local' is the ID previously defined in DRUPAL_VAULT_ACCOUNTS. -$id = $item->id(); // $id = 'etusivu_local'. +$item = $service->get('global_navigation'); // 'global_navigation' is the ID previously defined in DRUPAL_VAULT_ACCOUNTS. +$id = $item->id(); // $id = 'global_navigation'. $data = $item->data() // $data = 'aGVsZmktYWRtaW46MTIz'. This is a base64 encoded basic auth token (helfi-admin:123). ``` diff --git a/documentation/pubsub-messaging.md b/documentation/pubsub-messaging.md index 5fb28e1c..2ffa6b3b 100644 --- a/documentation/pubsub-messaging.md +++ b/documentation/pubsub-messaging.md @@ -4,15 +4,10 @@ Provides an integration to [Azure's Web PubSub service](https://azure.microsoft. ## Configuration -You must define the following settings to use this feature: +You must define a [JSON Vault item](/documentation/api-accounts.md#managing-external-api-credentials) to use this feature. The data field should be a JSON string containing `endpoint`, `hub`, `group` and `access_key`: -```php -$config['helfi_api_base.pubsub.settings']['access_key'] = ''; -// Url to Azure's wss endpoint, usually something like: yourservicename.webpubsub.azure.com -$config['helfi_api_base.pubsub.settings']['endpoint'] = ''; -// Hub and group must be same in all instances that talk with each other. -$config['helfi_api_base.pubsub.settings']['hub'] = ''; -$config['helfi_api_base.pubsub.settings']['group'] = ''; +```json +{"endpoint": "", "hub": "", "group": "", "access_key": ""} ``` ## Usage @@ -82,8 +77,15 @@ See [CacheTagInvalidatorSubscriber](/src/EventSubscriber/CacheTagInvalidatorSubs ```php # public/sites/default/local.settings.php -$config['helfi_api_base.pubsub.settings']['access_key'] = ''; -$config['helfi_api_base.pubsub.settings']['endpoint'] = ''; -$config['helfi_api_base.pubsub.settings']['hub'] = ''; -$config['helfi_api_base.pubsub.settings']['group'] = ''; +$pubsub_account = [ + 'id' => 'pubsub', + 'plugin' => 'json', + 'data' => json_encode( + 'endpoint' => '', + 'hub' => '', + 'group' => '', + 'access_key' => '', + ]), +]; +$config['helfi_api_base.api_accounts']['vault'][] = $pubsub_account; ``` diff --git a/helfi_api_base.services.yml b/helfi_api_base.services.yml index 21a46e92..9855abec 100644 --- a/helfi_api_base.services.yml +++ b/helfi_api_base.services.yml @@ -95,7 +95,7 @@ services: helfi_api_base.pubsub_settings_factory: class: Drupal\helfi_api_base\Azure\PubSub\SettingsFactory arguments: - - '@config.factory' + - '@helfi_api_base.vault_manager' helfi_api_base.pubsub_client_factory: class: Drupal\helfi_api_base\Azure\PubSub\PubSubClientFactory diff --git a/src/Azure/PubSub/SettingsFactory.php b/src/Azure/PubSub/SettingsFactory.php index 79f4bd32..22619445 100644 --- a/src/Azure/PubSub/SettingsFactory.php +++ b/src/Azure/PubSub/SettingsFactory.php @@ -4,21 +4,21 @@ namespace Drupal\helfi_api_base\Azure\PubSub; -use Drupal\Core\Config\ConfigFactoryInterface; +use Drupal\helfi_api_base\Vault\VaultManager; /** - * A factory to initialize Settings object. + * A factory to initialize a Settings object. */ final class SettingsFactory { /** * Constructs a new instance. * - * @param \Drupal\Core\Config\ConfigFactoryInterface $configFactory - * The config factory service. + * @param \Drupal\helfi_api_base\Vault\VaultManager $vaultManager + * The vault manager. */ public function __construct( - private readonly ConfigFactoryInterface $configFactory + private readonly VaultManager $vaultManager, ) { } @@ -29,13 +29,27 @@ public function __construct( * The PubSub settings object. */ public function create() : Settings { - $config = $this->configFactory->get('helfi_api_base.pubsub.settings'); + $data = (object) [ + 'hub' => '', + 'group' => '', + 'endpoint' => '', + 'access_key' => '', + ]; + + if ($settings = $this->vaultManager->get('pubsub')) { + foreach ($data as $key => $value) { + if (!isset($settings->data()->{$key})) { + continue; + } + $data->{$key} = $settings->data()->{$key}; + } + } return new Settings( - $config->get('hub') ?: '', - $config->get('group') ?: '', - $config->get('endpoint') ?: '', - $config->get('access_key') ?: '', + $data->hub ?: '', + $data->group ?: '', + $data->endpoint ?: '', + $data->access_key ?: '' ); } diff --git a/src/Commands/PubSubCommands.php b/src/Commands/PubSubCommands.php index 143bc49d..5b442dbf 100644 --- a/src/Commands/PubSubCommands.php +++ b/src/Commands/PubSubCommands.php @@ -15,7 +15,7 @@ * Usage: * * $ drush helfi:azure-pubsub-listen - * This will listen and process messages until the MAX_MESSAGES is + * This will listen to and process messages until the MAX_MESSAGES is * reached and then exits with code 0. */ final class PubSubCommands extends DrushCommands { diff --git a/src/Vault/Json.php b/src/Vault/Json.php new file mode 100644 index 00000000..d7655985 --- /dev/null +++ b/src/Vault/Json.php @@ -0,0 +1,58 @@ +data = json_decode($string, flags: JSON_THROW_ON_ERROR); + } + + /** + * Gets the id. + * + * @return string + * The ID. + */ + public function id() : string { + return $this->id; + } + + /** + * Gets the data. + * + * @return object + * The data. + */ + public function data() : object { + return $this->data; + } + +} diff --git a/src/Vault/VaultManagerFactory.php b/src/Vault/VaultManagerFactory.php index 9d68d3f2..847b9e65 100644 --- a/src/Vault/VaultManagerFactory.php +++ b/src/Vault/VaultManagerFactory.php @@ -18,7 +18,7 @@ final class VaultManagerFactory { * The config factory. */ public function __construct( - private ConfigFactoryInterface $configFactory, + private readonly ConfigFactoryInterface $configFactory, ) { } @@ -36,8 +36,10 @@ public function create() : VaultManager { if (!isset($item['plugin'], $item['id'], $item['data'])) { throw new \InvalidArgumentException('Missing required "plugin", "id" or "data".'); } + return match($item['plugin']) { AuthorizationToken::PLUGIN => new AuthorizationToken($item['id'], $item['data']), + Json::PLUGIN => new Json($item['id'], $item['data']), }; }, $config); diff --git a/tests/src/Kernel/Cache/CacheTagInvalidatorTest.php b/tests/src/Kernel/Cache/CacheTagInvalidatorTest.php index 50718820..9c35b256 100644 --- a/tests/src/Kernel/Cache/CacheTagInvalidatorTest.php +++ b/tests/src/Kernel/Cache/CacheTagInvalidatorTest.php @@ -35,11 +35,19 @@ class CacheTagInvalidatorTest extends KernelTestBase { protected function setUp() : void { parent::setUp(); - $this->config('helfi_api_base.pubsub.settings') - ->set('endpoint', 'wss://localhost') - ->set('hub', 'hub') - ->set('group', 'group') - ->set('access_key', '123') + $this->config('helfi_api_base.api_accounts') + ->set('vault', [ + [ + 'id' => 'pubsub', + 'plugin' => 'json', + 'data' => json_encode([ + 'endpoint' => 'localhost', + 'hub' => 'local', + 'group' => 'invalidate_cache', + 'access_key' => '123', + ]), + ], + ]) ->save(); } diff --git a/tests/src/Unit/Azure/PubSub/SettingsTest.php b/tests/src/Unit/Azure/PubSub/SettingsTest.php index cd9a96ed..3dfa0e2c 100644 --- a/tests/src/Unit/Azure/PubSub/SettingsTest.php +++ b/tests/src/Unit/Azure/PubSub/SettingsTest.php @@ -6,6 +6,8 @@ use Drupal\helfi_api_base\Azure\PubSub\Settings; use Drupal\helfi_api_base\Azure\PubSub\SettingsFactory; +use Drupal\helfi_api_base\Vault\Json; +use Drupal\helfi_api_base\Vault\VaultManager; use Drupal\Tests\UnitTestCase; /** @@ -18,19 +20,41 @@ class SettingsTest extends UnitTestCase { * @covers \Drupal\helfi_api_base\Azure\PubSub\Settings::__construct * @covers ::create * @covers ::__construct + * @covers \Drupal\helfi_api_base\Vault\VaultManager::__construct + * @covers \Drupal\helfi_api_base\Vault\VaultManager::get + * @covers \Drupal\helfi_api_base\Vault\Json::__construct + * @covers \Drupal\helfi_api_base\Vault\Json::data * @dataProvider settingsData */ public function testSettings(array $values, array $expectedValues) : void { - $configFactory = $this->getConfigFactoryStub([ - 'helfi_api_base.pubsub.settings' => $values, + $vaultManager = new VaultManager([ + new Json('pubsub', json_encode($values)), ]); - $sut = new SettingsFactory($configFactory); + $sut = new SettingsFactory($vaultManager); $settings = $sut->create(); $this->assertInstanceOf(Settings::class, $settings); - $this->assertSame($settings->hub, $expectedValues['hub']); - $this->assertSame($settings->group, $expectedValues['group']); - $this->assertSame($settings->endpoint, $expectedValues['endpoint']); - $this->assertSame($settings->accessKey, $expectedValues['access_key']); + $this->assertSame($expectedValues['hub'], $settings->hub); + $this->assertSame($expectedValues['group'], $settings->group); + $this->assertSame($expectedValues['endpoint'], $settings->endpoint); + $this->assertSame($expectedValues['access_key'], $settings->accessKey); + } + + /** + * @covers \Drupal\helfi_api_base\Azure\PubSub\Settings::__construct + * @covers ::create + * @covers ::__construct + * @covers \Drupal\helfi_api_base\Vault\VaultManager::__construct + * @covers \Drupal\helfi_api_base\Vault\VaultManager::get + */ + public function testEmptySettings() : void { + $vaultManager = new VaultManager([]); + $sut = new SettingsFactory($vaultManager); + $settings = $sut->create(); + $this->assertInstanceOf(Settings::class, $settings); + $this->assertSame('', $settings->hub); + $this->assertSame('', $settings->group); + $this->assertSame('', $settings->endpoint); + $this->assertSame('', $settings->accessKey); } /** @@ -46,13 +70,14 @@ public function settingsData() : array { 'hub' => 'hub', 'group' => 'group', 'endpoint' => 'endpoint', - 'access_key' => 'access_key', + 'access_key' => '123', + 'random_key' => '321', ], [ 'hub' => 'hub', 'group' => 'group', 'endpoint' => 'endpoint', - 'access_key' => 'access_key', + 'access_key' => '123', ], ], ]; diff --git a/tests/src/Unit/Vault/VaultManagerTest.php b/tests/src/Unit/Vault/VaultManagerTest.php index c3b5b436..3dace152 100644 --- a/tests/src/Unit/Vault/VaultManagerTest.php +++ b/tests/src/Unit/Vault/VaultManagerTest.php @@ -5,6 +5,7 @@ namespace Drupal\Tests\helfi_api_base\Unit\Vault; use Drupal\helfi_api_base\Vault\AuthorizationToken; +use Drupal\helfi_api_base\Vault\Json; use Drupal\helfi_api_base\Vault\VaultManager; use Drupal\helfi_api_base\Vault\VaultManagerFactory; use Drupal\Tests\UnitTestCase; @@ -90,20 +91,54 @@ public function factoryExceptionData() : array { * @covers \Drupal\helfi_api_base\Vault\VaultManagerFactory::__construct */ public function testFactory() : void { + $accounts = [ + [ + 'plugin' => AuthorizationToken::PLUGIN, + 'id' => 'test_local', + 'data' => 'token', + ], + [ + 'plugin' => Json::PLUGIN, + 'id' => 'test_local2', + 'data' => json_encode(['value' => '123']), + ], + ]; + $sut = new VaultManagerFactory($this->getConfigFactoryStub([ 'helfi_api_base.api_accounts' => [ - 'vault' => [ - [ - 'plugin' => AuthorizationToken::PLUGIN, - 'id' => 'test_local', - 'data' => 'token', - ], - ], + 'vault' => $accounts, ], ])); $instance = $sut->create(); $this->assertInstanceOf(VaultManager::class, $instance); - $this->assertInstanceOf(AuthorizationToken::class, $instance->get('test_local')); + + foreach ($accounts as $acccount) { + $this->assertSame($acccount['id'], $instance->get($acccount['id'])->id()); + $this->assertSame($acccount['plugin'], $instance->get($acccount['id'])::PLUGIN); + } + } + + /** + * @covers \Drupal\helfi_api_base\Vault\Json::__construct + */ + public function testJsonException() : void { + $this->expectException(\JsonException::class); + new Json('test', '{'); + } + + /** + * @covers \Drupal\helfi_api_base\Vault\Json::__construct + * @covers \Drupal\helfi_api_base\Vault\Json::id + * @covers \Drupal\helfi_api_base\Vault\Json::data + */ + public function testJson() : void { + $sut = new Json('test', json_encode([ + 'endpoint' => '123', + 'access_key' => '321', + ])); + $this->assertSame('test', $sut->id()); + $this->assertSame('123', $sut->data()->endpoint); + $this->assertSame('321', $sut->data()->access_key); } /**