Islandora-Devops · rosiel · Jul 10, 2023 · Mar 27, 2023 · Apr 18, 2023 · Jun 15, 2023
diff --git a/README.md b/README.md
@@ -23,7 +23,7 @@ With Vagrant (each of these steps may take several minutes!):
 ```bash
 ISLANDORA_BUILD_BASE=true vagrant up         # Create the base box on a bare Ubuntu.
 vagrant package --output islandora_base      # Shut down the VM and save it as a file, islandora_base, which is created in this directory.
-vagrant destroy                              # You will be prompted to enter 'y' to destroy this VM
+ISLANDORA_BUILD_BASE=true vagrant destroy    # You will be prompted to enter 'y' to destroy the base box VM
 vagrant up                                   # It will show it is importing the islandora_base base box, then will provision Islandora.
 ```
 

diff --git a/inventory/vagrant/group_vars/crayfish.yml b/inventory/vagrant/group_vars/crayfish.yml
@@ -1,5 +1,3 @@
 ---
-crayfish_db: "{{ islandora_db }}"
-
 crayfish_fedora_base_url: "http://{{ hostvars[groups['tomcat'][0]].ansible_host }}:8080/fcrepo/rest"
 crayfish_drupal_base_url: "http://{{ hostvars[groups['webserver'][0]].ansible_host }}:{{ apache_listen_port }}"
diff --git a/roles/internal/Islandora-Devops.crayfish/README.md b/roles/internal/Islandora-Devops.crayfish/README.md
@@ -19,8 +19,6 @@ crayfish_services:
   - Homarus
   - Hypercube
   - Recast
-# Default crayfish static JWT token
-crayfish_syn_token: islandora
 # Webserver path to install to
 crayfish_install_dir: /var/www/html/Crayfish
 # Crayfish log directory
@@ -48,11 +46,6 @@ Some OS dependent variables are set in vars/* but can be overridden if desired:
 #   - poppler-utils
 ```
 =======
-`crayfish_db` can be set to: 
- - pgsql 
- - mysql
-
- Depending what database you would like to use. If not set it defaults to _mysql_
 
 There are lots more configuration settings in [defaults/main.yml](defaults/main.yml)
 
@@ -67,15 +60,6 @@ The module depends on the following. Links are provided to roles known to work w
 * [PHP](https://galaxy.ansible.com/geerlingguy/php/)
 * [Composer](https://galaxy.ansible.com/geerlingguy/composer/)
 * [git](https://galaxy.ansible.com/geerlingguy/git/)
-* database
-  - [pgsql](https://galaxy.ansible.com/geerlingguy/postgresql/)
-  - [mysql](https://galaxy.ansible.com/geerlingguy/mysql/)
-
-## Example Playbook
-
-Examples from the role tests: 
-* [Postgresql](tests/pgsql.yml)
-* [Mysql](tests/mysql.yml)
 
 ## License
 

diff --git a/roles/internal/Islandora-Devops.crayfish/defaults/main.yml b/roles/internal/Islandora-Devops.crayfish/defaults/main.yml
@@ -1,4 +1,4 @@
-crayfish_version_tag: 3.x
+crayfish_version_tag: 4.x
 
 crayfish_services:
   - Houdini

diff --git a/roles/internal/Islandora-Devops.crayfish/tasks/install.yml b/roles/internal/Islandora-Devops.crayfish/tasks/install.yml
@@ -66,11 +66,6 @@
   vars:
     ssl_key_public_output_path: "{{ crayfish_install_dir }}/public.key"
 
-- name: Install auth config
-  template:
-    src: "syn-settings.xml.jp2"
-    dest: "{{ crayfish_install_dir }}/syn-settings.xml"
-
 - name: Configure crayfish code (Symfony)
   include_tasks: "./tasks/symfony_config.yml"
   with_items: "{{ crayfish_services }}"

diff --git a/roles/internal/Islandora-Devops.crayfish/templates/Homarus/packages/crayfish_commons.yaml.j2 b/roles/internal/Islandora-Devops.crayfish/templates/Homarus/packages/crayfish_commons.yaml.j2
@@ -1,3 +1,4 @@
+### This file is managed with Ansible ###
 crayfish_commons:
   fedora_base_uri: {{ crayfish_homarus_fedora_base_url }}
-  syn_config: {{ crayfish_homarus_jwt_config }}
+  apix_middleware_enabled: false
diff --git a/...nal/Islandora-Devops.crayfish/templates/Homarus/packages/lexik_jwt_authentication.yaml.j2 b/...nal/Islandora-Devops.crayfish/templates/Homarus/packages/lexik_jwt_authentication.yaml.j2
@@ -0,0 +1,10 @@
+### This file is managed with Ansible ###
+lexik_jwt_authentication:
+    # Need secret key to generate a token, this is not necessary for normal usage as the key is generated by Drupal.
+    secret_key: ''
+    # This is required if you have set a passphrase on the secret key, this is generally not needed.
+    pass_phrase: ''
+    # This is the public key from the pair generated by Drupal and is required to validate the JWTs
+    public_key: '{{ crayfish_install_dir }}/public.key'
+    # By default lexik_jwt looks for the username key in the payload, we use sub
+    user_identity_field: sub
diff --git a/roles/internal/Islandora-Devops.crayfish/templates/Homarus/packages/security.yaml.j2 b/roles/internal/Islandora-Devops.crayfish/templates/Homarus/packages/security.yaml.j2
@@ -1,12 +1,12 @@
-# This file managed by Ansible
-
-# To disable Syn checking, set syn_enabled=false in crayfish_commons.yaml and remove this configuration file.
+### This file managed by Ansible ###
+### To disable authentication, set crayfish_homarus_jwt_enabled to false.
 security:
-
-    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
+    enable_authenticator_manager: true
+    # https://symfony.com/doc/5.4/security.html#where-do-users-come-from-user-providers
     providers:
-        jwt_user_provider:
-            id: Islandora\Crayfish\Commons\Syn\JwtUserProvider
+        users_in_memory: { memory: null }
+        jwt:
+            lexik_jwt: ~
 
     firewalls:
         dev:
@@ -16,25 +16,20 @@ security:
             # Need stateless or it reloads the User based on a token.
             stateless: true
 {%if crayfish_homarus_jwt_enabled == true %}
-            anonymous: false
-
-            provider: jwt_user_provider
-            guard:
-                authenticators:
-                    - Islandora\Crayfish\Commons\Syn\JwtAuthenticator
+            provider: jwt
+            jwt: ~
 
             # activate different ways to authenticate
-            # https://symfony.com/doc/current/security.html#firewalls-authentication
+            # https://symfony.com/doc/5.4/security.html#firewalls-authentication
 
-            # https://symfony.com/doc/current/security/impersonating_user.html
+            # https://symfony.com/doc/5.4/security/impersonating_user.html
             # switch_user: true
-
+{% else %}
+            anonymous: true
+{% endif %}
 
     # Easy way to control access for large sections of your site
     # Note: Only the *first* access control that matches will be used
     access_control:
-        # - { path: ^/admin, roles: ROLE_ADMIN }
-        # - { path: ^/profile, roles: ROLE_USER }
-{% else %}
-          anonymous: true
-{% endif %}
+    # - { path: ^/admin, roles: ROLE_ADMIN }
+    # - { path: ^/profile, roles: ROLE_USER }
diff --git a/roles/internal/Islandora-Devops.crayfish/templates/Homarus/services.yaml.j2 b/roles/internal/Islandora-Devops.crayfish/templates/Homarus/services.yaml.j2
@@ -5,7 +5,7 @@
 # Files in the packages/ subdirectory configure your dependencies.
 
 # Put parameters here that don't need to change on each machine where the app is deployed
-# https://symfony.com/doc/current/best_practices/configuration.html#application-related-configuration
+# https://symfony.com/doc/5.4/best_practices/configuration.html#application-related-configuration
 
 parameters:
     app.executable: {{ crayfish_homarus_executable_config.executable }}

diff --git a/roles/internal/Islandora-Devops.crayfish/templates/Houdini/packages/crayfish_commons.yaml.j2 b/roles/internal/Islandora-Devops.crayfish/templates/Houdini/packages/crayfish_commons.yaml.j2
@@ -1,3 +1,3 @@
+### This file is managed with Ansible ###
 crayfish_commons:
   fedora_base_uri: {{ crayfish_houdini_fedora_base_url }}
-  syn_config: {{ crayfish_houdini_jwt_config }}
diff --git a/...nal/Islandora-Devops.crayfish/templates/Houdini/packages/lexik_jwt_authentication.yaml.j2 b/...nal/Islandora-Devops.crayfish/templates/Houdini/packages/lexik_jwt_authentication.yaml.j2
@@ -0,0 +1,10 @@
+### This file is managed with Ansible ###
+lexik_jwt_authentication:
+    # Need secret key to generate a token, this is not necessary for normal usage as the key is generated by Drupal.
+    secret_key: ''
+    # This is required if you have set a passphrase on the secret key, this is generally not needed.
+    pass_phrase: ''
+    # This is the public key from the pair generated by Drupal and is required to validate the JWTs
+    public_key: '{{ crayfish_install_dir }}/public.key'
+    # By default lexik_jwt looks for the username key in the payload, we use sub
+    user_identity_field: sub
diff --git a/roles/internal/Islandora-Devops.crayfish/templates/Houdini/packages/security.yaml.j2 b/roles/internal/Islandora-Devops.crayfish/templates/Houdini/packages/security.yaml.j2
@@ -1,12 +1,12 @@
-# This file managed by Ansible
-
-# To disable Syn checking, set syn_enabled=false in crayfish_commons.yaml and remove this configuration file.
+### This file managed by Ansible ###
+### To disable authentication, set crayfish_houdini_jwt_enabled to false.
 security:
-
-    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
+    enable_authenticator_manager: true
+    # https://symfony.com/doc/5.4/security.html#where-do-users-come-from-user-providers
     providers:
-        jwt_user_provider:
-            id: Islandora\Crayfish\Commons\Syn\JwtUserProvider
+        users_in_memory: { memory: null }
+        jwt:
+            lexik_jwt: ~
 
     firewalls:
         dev:
@@ -16,25 +16,20 @@ security:
             # Need stateless or it reloads the User based on a token.
             stateless: true
 {%if crayfish_houdini_jwt_enabled == true %}
-            anonymous: false
-
-            provider: jwt_user_provider
-            guard:
-                authenticators:
-                    - Islandora\Crayfish\Commons\Syn\JwtAuthenticator
+            provider: jwt
+            jwt: ~
 
             # activate different ways to authenticate
-            # https://symfony.com/doc/current/security.html#firewalls-authentication
+            # https://symfony.com/doc/5.4/security.html#firewalls-authentication
 
-            # https://symfony.com/doc/current/security/impersonating_user.html
+            # https://symfony.com/doc/5.4/security/impersonating_user.html
             # switch_user: true
-
+{% else %}
+            anonymous: true
+{% endif %}
 
     # Easy way to control access for large sections of your site
     # Note: Only the *first* access control that matches will be used
     access_control:
-        # - { path: ^/admin, roles: ROLE_ADMIN }
-        # - { path: ^/profile, roles: ROLE_USER }
-{% else %}
-          anonymous: true
-{% endif %}
+    # - { path: ^/admin, roles: ROLE_ADMIN }
+    # - { path: ^/profile, roles: ROLE_USER }
diff --git a/roles/internal/Islandora-Devops.crayfish/templates/Houdini/services.yaml.j2 b/roles/internal/Islandora-Devops.crayfish/templates/Houdini/services.yaml.j2
@@ -5,7 +5,7 @@
 # Files in the packages/ subdirectory configure your dependencies.
 
 # Put parameters here that don't need to change on each machine where the app is deployed
-# https://symfony.com/doc/current/best_practices/configuration.html#application-related-configuration
+# https://symfony.com/doc/5.4/best_practices/configuration.html#application-related-configuration
 
 parameters:
     app.executable: {{ crayfish_houdini_executable_config.executable }}

diff --git a/.../internal/Islandora-Devops.crayfish/templates/Hypercube/packages/crayfish_commons.yaml.j2 b/.../internal/Islandora-Devops.crayfish/templates/Hypercube/packages/crayfish_commons.yaml.j2
@@ -1,3 +1,3 @@
+### This file is managed with Ansible ###
 crayfish_commons:
   fedora_base_uri: {{ crayfish_hypercube_fedora_base_url }}
-  syn_config: {{ crayfish_hypercube_jwt_config }}
diff --git a/...l/Islandora-Devops.crayfish/templates/Hypercube/packages/lexik_jwt_authentication.yaml.j2 b/...l/Islandora-Devops.crayfish/templates/Hypercube/packages/lexik_jwt_authentication.yaml.j2
@@ -0,0 +1,10 @@
+### This file is managed with Ansible ###
+lexik_jwt_authentication:
+    # Need secret key to generate a token, this is not necessary for normal usage as the key is generated by Drupal.
+    secret_key: ''
+    # This is required if you have set a passphrase on the secret key, this is generally not needed.
+    pass_phrase: ''
+    # This is the public key from the pair generated by Drupal and is required to validate the JWTs
+    public_key: '{{ crayfish_install_dir }}/public.key'
+    # By default lexik_jwt looks for the username key in the payload, we use sub
+    user_identity_field: sub
diff --git a/roles/internal/Islandora-Devops.crayfish/templates/Hypercube/packages/security.yaml.j2 b/roles/internal/Islandora-Devops.crayfish/templates/Hypercube/packages/security.yaml.j2
@@ -1,12 +1,12 @@
-# This file managed by Ansible
-
-# To disable Syn checking, set syn_enabled=false in crayfish_commons.yaml and remove this configuration file.
+### This file managed by Ansible ###
+### To disable authentication, set crayfish_hypercube_jwt_enabled to false.
 security:
-
-    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
+    enable_authenticator_manager: true
+    # https://symfony.com/doc/5.4/security.html#where-do-users-come-from-user-providers
     providers:
-        jwt_user_provider:
-            id: Islandora\Crayfish\Commons\Syn\JwtUserProvider
+        users_in_memory: { memory: null }
+        jwt:
+            lexik_jwt: ~
 
     firewalls:
         dev:
@@ -16,25 +16,20 @@ security:
             # Need stateless or it reloads the User based on a token.
             stateless: true
 {%if crayfish_hypercube_jwt_enabled == true %}
-            anonymous: false
-
-            provider: jwt_user_provider
-            guard:
-                authenticators:
-                    - Islandora\Crayfish\Commons\Syn\JwtAuthenticator
+            provider: jwt
+            jwt: ~
 
             # activate different ways to authenticate
-            # https://symfony.com/doc/current/security.html#firewalls-authentication
+            # https://symfony.com/doc/5.4/security.html#firewalls-authentication
 
-            # https://symfony.com/doc/current/security/impersonating_user.html
+            # https://symfony.com/doc/5.4/security/impersonating_user.html
             # switch_user: true
-
+{% else %}
+            anonymous: true
+{% endif %}
 
     # Easy way to control access for large sections of your site
     # Note: Only the *first* access control that matches will be used
     access_control:
-        # - { path: ^/admin, roles: ROLE_ADMIN }
-        # - { path: ^/profile, roles: ROLE_USER }
-{% else %}
-          anonymous: true
-{% endif %}
+    # - { path: ^/admin, roles: ROLE_ADMIN }
+    # - { path: ^/profile, roles: ROLE_USER }
diff --git a/roles/internal/Islandora-Devops.crayfish/templates/Hypercube/services.yaml.j2 b/roles/internal/Islandora-Devops.crayfish/templates/Hypercube/services.yaml.j2
@@ -5,7 +5,7 @@
 # Files in the packages/ subdirectory configure your dependencies.
 
 # Put parameters here that don't need to change on each machine where the app is deployed
-# https://symfony.com/doc/current/best_practices/configuration.html#application-related-configuration
+# https://symfony.com/doc/5.4/best_practices/configuration.html#application-related-configuration
 
 parameters:
   app.tesseract_executable: {{ crayfish_hypercube_tesseract_executable }}

diff --git a/...s/internal/Islandora-Devops.crayfish/templates/Milliner/packages/crayfish_commons.yaml.j2 b/...s/internal/Islandora-Devops.crayfish/templates/Milliner/packages/crayfish_commons.yaml.j2
diff --git a/...al/Islandora-Devops.crayfish/templates/Milliner/packages/lexik_jwt_authentication.yaml.j2 b/...al/Islandora-Devops.crayfish/templates/Milliner/packages/lexik_jwt_authentication.yaml.j2
@@ -0,0 +1,10 @@
+### This file is managed with Ansible ###
+lexik_jwt_authentication:
+    # Need secret key to generate a token, this is not necessary for normal usage as the key is generated by Drupal.
+    secret_key: ''
+    # This is required if you have set a passphrase on the secret key, this is generally not needed.
+    pass_phrase: ''
+    # This is the public key from the pair generated by Drupal and is required to validate the JWTs
+    public_key: '{{ crayfish_install_dir }}/public.key'
+    # By default lexik_jwt looks for the username key in the payload, we use sub
+    user_identity_field: sub
diff --git a/roles/internal/Islandora-Devops.crayfish/templates/Milliner/packages/security.yaml.j2 b/roles/internal/Islandora-Devops.crayfish/templates/Milliner/packages/security.yaml.j2
@@ -1,12 +1,12 @@
-# This file managed by Ansible
-
-# To disable Syn checking, set syn_enabled=false in crayfish_commons.yaml and remove this configuration file.
+### This file managed by Ansible ###
+### To disable authentication, set crayfish_milliner_jwt_enabled to false.
 security:
-
-    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
+    enable_authenticator_manager: true
+    # https://symfony.com/doc/5.4/security.html#where-do-users-come-from-user-providers
     providers:
-        jwt_user_provider:
-            id: Islandora\Crayfish\Commons\Syn\JwtUserProvider
+        users_in_memory: { memory: null }
+        jwt:
+            lexik_jwt: ~
 
     firewalls:
         dev:
@@ -16,25 +16,20 @@ security:
             # Need stateless or it reloads the User based on a token.
             stateless: true
 {%if crayfish_milliner_jwt_enabled == true %}
-            anonymous: false
-
-            provider: jwt_user_provider
-            guard:
-                authenticators:
-                    - Islandora\Crayfish\Commons\Syn\JwtAuthenticator
+            provider: jwt
+            jwt: ~
 
             # activate different ways to authenticate
-            # https://symfony.com/doc/current/security.html#firewalls-authentication
+            # https://symfony.com/doc/5.4/security.html#firewalls-authentication
 
-            # https://symfony.com/doc/current/security/impersonating_user.html
+            # https://symfony.com/doc/5.4/security/impersonating_user.html
             # switch_user: true
-
+{% else %}
+            anonymous: true
+{% endif %}
 
     # Easy way to control access for large sections of your site
     # Note: Only the *first* access control that matches will be used
     access_control:
-        # - { path: ^/admin, roles: ROLE_ADMIN }
-        # - { path: ^/profile, roles: ROLE_USER }
-{% else %}
-          anonymous: true
-{% endif %}
+    # - { path: ^/admin, roles: ROLE_ADMIN }
+    # - { path: ^/profile, roles: ROLE_USER }
diff --git a/roles/internal/Islandora-Devops.crayfish/templates/Milliner/services.yaml.j2 b/roles/internal/Islandora-Devops.crayfish/templates/Milliner/services.yaml.j2
@@ -5,7 +5,7 @@
 # Files in the packages/ subdirectory configure your dependencies.
 
 # Put parameters here that don't need to change on each machine where the app is deployed
-# https://symfony.com/doc/current/best_practices/configuration.html#application-related-configuration
+# https://symfony.com/doc/5.4/best_practices/configuration.html#application-related-configuration
 parameters:
     app.fedora_base_url: {{ crayfish_milliner_fedora_base_url }}
     app.drupal_base_url: {{ crayfish_milliner_drupal_base_url }}
@@ -34,6 +34,7 @@ services:
         $modifiedDatePredicate: '%app.modified_date_predicate%'
         $stripFormatJsonld: '%app.strip_format_jsonld%'
         $isFedora6: '%app.isFedora6%'
+        $fedoraBaseUrl: '%app.fedora_base_url%'
 
     # controllers are imported separately to make sure services can be injected
     # as action arguments even if you don't extend any base controller class