From 5c869e0ab8818b5d234399ffba8f8820ff4f2df4 Mon Sep 17 00:00:00 2001 From: Andreas Nielsen Date: Thu, 7 Nov 2024 12:44:20 +0100 Subject: [PATCH 1/7] Added simple_oauth module and configuration. --- composer.json | 4 + composer.lock | 735 +++++++++++++++++- config/sync/core.extension.yml | 1 + ...oauth.oauth2_token.bundle.access_token.yml | 10 + ...le_oauth.oauth2_token.bundle.auth_code.yml | 10 + ...auth.oauth2_token.bundle.refresh_token.yml | 10 + config/sync/simple_oauth.settings.yml | 11 + openapi.json | 9 + packages/cms-api/README.md | 15 + .../custom/dpl_update/dpl_update.install | 8 + 10 files changed, 812 insertions(+), 1 deletion(-) create mode 100644 config/sync/simple_oauth.oauth2_token.bundle.access_token.yml create mode 100644 config/sync/simple_oauth.oauth2_token.bundle.auth_code.yml create mode 100644 config/sync/simple_oauth.oauth2_token.bundle.refresh_token.yml create mode 100644 config/sync/simple_oauth.settings.yml diff --git a/composer.json b/composer.json index 646d41292..995374f9e 100644 --- a/composer.json +++ b/composer.json @@ -164,6 +164,7 @@ "drupal/select2_multicheck": "^1.0", "drupal/selective_better_exposed_filters": "^3.0", "drupal/simple_menu_permissions": "^2.0", + "drupal/simple_oauth": "^5.2", "drupal/taxonomy_unique": "^2.5", "drupal/telephone_formatter": "^1.2", "drupal/theme_permission": "^2.0", 
@@ -338,6 +339,9 @@ "drupal/jsonlog": { "3251587: Change logging from stdout to stderr": "https://www.drupal.org/files/issues/2021-11-29/jsonlog-change-stdout-to-stderr-3251587-3.patch" }, + "drupal/openapi": { + "3480050: Update oauth2 security definitions to match openapi v2 specification": "https://www.drupal.org/files/issues/2024-10-11/openapi-add-oauth2-accesscode-flow-3480050-3.patch" + }, "drupal/openapi_rest": { "3171530 + 3116760: Add support for parameter and response descriptions": "patches/openapi-parameter-response-descriptions-14-3.patch", "3343816: Specification includes disabled resources": "https://git.drupalcode.org/project/openapi_rest/-/commit/6618157334feca93fad1041583375eed660b9085.patch" diff --git a/composer.lock b/composer.lock index 1d45fa89b..9653e4afb 100644 --- a/composer.lock +++ b/composer.lock @@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "b2a7cccfaf125773360f176ba493de76", + "content-hash": "c68c399d7f9f53d79dfd31d2badd8a0f", "packages": [ { "name": "amazeeio/drupal_integrations", 
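Review bot: The new `drupal/openapi` patch entry fetches `openapi-add-oauth2-accesscode-flow-3480050-3.patch` from a remote drupal.org URL at every install, and nothing in this hunk records a checksum, so whatever that URL serves in future gets applied to the tree unreviewed. The neighbouring `drupal/openapi_rest` entry already shows the safer pattern of committing the patch under `patches/`; I would vendor this one the same way, e.g. `"3480050: Update oauth2 security definitions to match openapi v2 specification": "patches/openapi-add-oauth2-accesscode-flow-3480050-3.patch"`. The composer.lock hunks in this commit are generated and need no separate review.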
@@ -1318,6 +1318,73 @@ }, "time": "2023-01-05T11:28:13+00:00" }, + { + "name": "defuse/php-encryption", + "version": "v2.4.0", + "source": { + "type": "git", + "url": "https://github.com/defuse/php-encryption.git", + "reference": "f53396c2d34225064647a05ca76c1da9d99e5828" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/defuse/php-encryption/zipball/f53396c2d34225064647a05ca76c1da9d99e5828", + "reference": "f53396c2d34225064647a05ca76c1da9d99e5828", + "shasum": "" + }, + "require": { + "ext-openssl": "*", + "paragonie/random_compat": ">= 2", + "php": ">=5.6.0" + }, + "require-dev": { + "phpunit/phpunit": "^5|^6|^7|^8|^9|^10", + "yoast/phpunit-polyfills": "^2.0.0" + }, + "bin": [ + "bin/generate-defuse-key" + ], + "type": "library", + "autoload": { + "psr-4": { + "Defuse\\Crypto\\": "src" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Taylor Hornby", + "email": "taylor@defuse.ca", + "homepage": "https://defuse.ca/" + }, + { + "name": "Scott Arciszewski", + "email": "info@paragonie.com", + "homepage": "https://paragonie.com" + } + ], + "description": "Secure PHP Encryption Library", + "keywords": [ + "aes", + "authenticated encryption", + "cipher", + "crypto", + "cryptography", + "encrypt", + "encryption", + "openssl", + "security", + "symmetric key cryptography" + ], + "support": { + "issues": "https://github.com/defuse/php-encryption/issues", + "source": "https://github.com/defuse/php-encryption/tree/v2.4.0" + }, + "time": "2023-06-19T06:10:36+00:00" + }, { "name": "dekor/php-array-table", "version": "2.0", 
@@ -7549,6 +7616,75 @@ "source": "https://git.drupalcode.org/project/simple_menu_permissions" } }, + { + "name": "drupal/simple_oauth", + "version": "5.2.5", + "source": { + "type": "git", + "url": "https://git.drupalcode.org/project/simple_oauth.git", + "reference": "5.2.5" + }, + "dist": { + "type": "zip", + "url": "https://ftp.drupal.org/files/projects/simple_oauth-5.2.5.zip", + "reference": "5.2.5", + "shasum": "3517d07e4896a32eddda7446b85a2afa945321a2" + }, + "require": { + "drupal/consumers": "^1.14", + "drupal/core": "^9 || ^10", + "lcobucci/jwt": "^4", + "league/oauth2-server": "^8.3", + "php": ">=7.4", + "steverhoades/oauth2-openid-connect-server": "^2.4" + }, + "require-dev": { + "phpspec/prophecy-phpunit": "^2" + }, + "type": "drupal-module", + "extra": { + "drupal": { + "version": "5.2.5", + "datestamp": "1700206902", + "security-coverage": { + "status": "covered", + "message": "Covered by Drupal's security advisory policy" + } + }, + "drush": { + "services": { + "drush.services.yml": "^9 || ^10 || ^11" + } + } + }, + "notification-url": "https://packages.drupal.org/8/downloads", + "license": [ + "GPL-2.0-or-later" + ], + "authors": [ + { + "name": "bojan_dev", + "homepage": "https://www.drupal.org/user/2801849" + }, + { + "name": "bradjones1", + "homepage": "https://www.drupal.org/user/405824" + }, + { + "name": "e0ipso", + "homepage": "https://www.drupal.org/user/550110" + }, + { + "name": "pcambra", + "homepage": "https://www.drupal.org/user/122101" + } + ], + "description": "The Simple OAuth module for Drupal", + "homepage": "https://www.drupal.org/project/simple_oauth", + "support": { + "source": "https://git.drupalcode.org/project/simple_oauth" + } + }, { "name": "drupal/taxonomy_unique", "version": "2.6.0", 
@@ -9447,6 +9583,144 @@ ], "time": "2022-09-13T19:27:18+00:00" }, + { + "name": "lcobucci/clock", + "version": "3.0.0", + "source": { + "type": "git", + "url": "https://github.com/lcobucci/clock.git", + "reference": "039ef98c6b57b101d10bd11d8fdfda12cbd996dc" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/lcobucci/clock/zipball/039ef98c6b57b101d10bd11d8fdfda12cbd996dc", + "reference": "039ef98c6b57b101d10bd11d8fdfda12cbd996dc", + "shasum": "" + }, + "require": { + "php": "~8.1.0 || ~8.2.0", + "psr/clock": "^1.0" + }, + "provide": { + "psr/clock-implementation": "1.0" + }, + "require-dev": { + "infection/infection": "^0.26", + "lcobucci/coding-standard": "^9.0", + "phpstan/extension-installer": "^1.2", + "phpstan/phpstan": "^1.9.4", + "phpstan/phpstan-deprecation-rules": "^1.1.1", + "phpstan/phpstan-phpunit": "^1.3.2", + "phpstan/phpstan-strict-rules": "^1.4.4", + "phpunit/phpunit": "^9.5.27" + }, + "type": "library", + "autoload": { + "psr-4": { + "Lcobucci\\Clock\\": "src" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Luís Cobucci", + "email": "lcobucci@gmail.com" + } + ], + "description": "Yet another clock abstraction", + "support": { + "issues": "https://github.com/lcobucci/clock/issues", + "source": "https://github.com/lcobucci/clock/tree/3.0.0" + }, + "funding": [ + { + "url": "https://github.com/lcobucci", + "type": "github" + }, + { + "url": "https://www.patreon.com/lcobucci", + "type": "patreon" + } + ], + "time": "2022-12-19T15:00:24+00:00" + }, + { + "name": "lcobucci/jwt", + "version": "4.3.0", + "source": { + "type": "git", + "url": "https://github.com/lcobucci/jwt.git", + "reference": "4d7de2fe0d51a96418c0d04004986e410e87f6b4" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/lcobucci/jwt/zipball/4d7de2fe0d51a96418c0d04004986e410e87f6b4", + "reference": "4d7de2fe0d51a96418c0d04004986e410e87f6b4", + "shasum": "" + }, + 
"require": { + "ext-hash": "*", + "ext-json": "*", + "ext-mbstring": "*", + "ext-openssl": "*", + "ext-sodium": "*", + "lcobucci/clock": "^2.0 || ^3.0", + "php": "^7.4 || ^8.0" + }, + "require-dev": { + "infection/infection": "^0.21", + "lcobucci/coding-standard": "^6.0", + "mikey179/vfsstream": "^1.6.7", + "phpbench/phpbench": "^1.2", + "phpstan/extension-installer": "^1.0", + "phpstan/phpstan": "^1.4", + "phpstan/phpstan-deprecation-rules": "^1.0", + "phpstan/phpstan-phpunit": "^1.0", + "phpstan/phpstan-strict-rules": "^1.0", + "phpunit/php-invoker": "^3.1", + "phpunit/phpunit": "^9.5" + }, + "type": "library", + "autoload": { + "psr-4": { + "Lcobucci\\JWT\\": "src" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "BSD-3-Clause" + ], + "authors": [ + { + "name": "Luís Cobucci", + "email": "lcobucci@gmail.com", + "role": "Developer" + } + ], + "description": "A simple library to work with JSON Web Token and JSON Web Signature", + "keywords": [ + "JWS", + "jwt" + ], + "support": { + "issues": "https://github.com/lcobucci/jwt/issues", + "source": "https://github.com/lcobucci/jwt/tree/4.3.0" + }, + "funding": [ + { + "url": "https://github.com/lcobucci", + "type": "github" + }, + { + "url": "https://www.patreon.com/lcobucci", + "type": "patreon" + } + ], + "time": "2023-01-02T13:28:00+00:00" + }, { "name": "league/container", "version": "4.2.2", 
@@ -9529,6 +9803,322 @@ ], "time": "2024-03-13T13:12:53+00:00" }, + { + "name": "league/event", + "version": "2.2.0", + "source": { + "type": "git", + "url": "https://github.com/thephpleague/event.git", + "reference": "d2cc124cf9a3fab2bb4ff963307f60361ce4d119" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/thephpleague/event/zipball/d2cc124cf9a3fab2bb4ff963307f60361ce4d119", + "reference": "d2cc124cf9a3fab2bb4ff963307f60361ce4d119", + "shasum": "" + }, + "require": { + "php": ">=5.4.0" + }, + "require-dev": { + "henrikbjorn/phpspec-code-coverage": "~1.0.1", + "phpspec/phpspec": "^2.2" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "2.2-dev" + } + }, + "autoload": { + "psr-4": { + "League\\Event\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Frank de Jonge", + "email": "info@frenky.net" + } + ], + "description": "Event package", + "keywords": [ + "emitter", + "event", + "listener" + ], + "support": { + "issues": "https://github.com/thephpleague/event/issues", + "source": "https://github.com/thephpleague/event/tree/master" + }, + "time": "2018-11-26T11:52:41+00:00" + }, + { + "name": "league/oauth2-server", + "version": "8.5.4", + "source": { + "type": "git", + "url": "https://github.com/thephpleague/oauth2-server.git", + "reference": "ab7714d073844497fd222d5d0a217629089936bc" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/thephpleague/oauth2-server/zipball/ab7714d073844497fd222d5d0a217629089936bc", + "reference": "ab7714d073844497fd222d5d0a217629089936bc", + "shasum": "" + }, + "require": { + "defuse/php-encryption": "^2.3", + "ext-openssl": "*", + "lcobucci/clock": "^2.2 || ^3.0", + "lcobucci/jwt": "^4.3 || ^5.0", + "league/event": "^2.2", + "league/uri": "^6.7 || ^7.0", + "php": "^8.0", + "psr/http-message": "^1.0.1 || ^2.0" + }, + "replace": { + "league/oauth2server": "*", + "lncd/oauth2": "*" + 
}, + "require-dev": { + "laminas/laminas-diactoros": "^3.0.0", + "phpstan/phpstan": "^0.12.57", + "phpstan/phpstan-phpunit": "^0.12.16", + "phpunit/phpunit": "^9.6.6", + "roave/security-advisories": "dev-master" + }, + "type": "library", + "autoload": { + "psr-4": { + "League\\OAuth2\\Server\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Alex Bilbie", + "email": "hello@alexbilbie.com", + "homepage": "http://www.alexbilbie.com", + "role": "Developer" + }, + { + "name": "Andy Millington", + "email": "andrew@noexceptions.io", + "homepage": "https://www.noexceptions.io", + "role": "Developer" + } + ], + "description": "A lightweight and powerful OAuth 2.0 authorization and resource server library with support for all the core specification grants. This library will allow you to secure your API with OAuth and allow your applications users to approve apps that want to access their data from your API.", + "homepage": "https://oauth2.thephpleague.com/", + "keywords": [ + "Authentication", + "api", + "auth", + "authorisation", + "authorization", + "oauth", + "oauth 2", + "oauth 2.0", + "oauth2", + "protect", + "resource", + "secure", + "server" + ], + "support": { + "issues": "https://github.com/thephpleague/oauth2-server/issues", + "source": "https://github.com/thephpleague/oauth2-server/tree/8.5.4" + }, + "funding": [ + { + "url": "https://github.com/sephster", + "type": "github" + } + ], + "time": "2023-08-25T22:35:12+00:00" + }, + { + "name": "league/uri", + "version": "7.4.1", + "source": { + "type": "git", + "url": "https://github.com/thephpleague/uri.git", + "reference": "bedb6e55eff0c933668addaa7efa1e1f2c417cc4" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/thephpleague/uri/zipball/bedb6e55eff0c933668addaa7efa1e1f2c417cc4", + "reference": "bedb6e55eff0c933668addaa7efa1e1f2c417cc4", + "shasum": "" + }, + "require": { + "league/uri-interfaces": "^7.3", + 
"php": "^8.1" + }, + "conflict": { + "league/uri-schemes": "^1.0" + }, + "suggest": { + "ext-bcmath": "to improve IPV4 host parsing", + "ext-fileinfo": "to create Data URI from file contennts", + "ext-gmp": "to improve IPV4 host parsing", + "ext-intl": "to handle IDN host with the best performance", + "jeremykendall/php-domain-parser": "to resolve Public Suffix and Top Level Domain", + "league/uri-components": "Needed to easily manipulate URI objects components", + "php-64bit": "to improve IPV4 host parsing", + "symfony/polyfill-intl-idn": "to handle IDN host via the Symfony polyfill if ext-intl is not present" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "7.x-dev" + } + }, + "autoload": { + "psr-4": { + "League\\Uri\\": "" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Ignace Nyamagana Butera", + "email": "nyamsprod@gmail.com", + "homepage": "https://nyamsprod.com" + } + ], + "description": "URI manipulation library", + "homepage": "https://uri.thephpleague.com", + "keywords": [ + "data-uri", + "file-uri", + "ftp", + "hostname", + "http", + "https", + "middleware", + "parse_str", + "parse_url", + "psr-7", + "query-string", + "querystring", + "rfc3986", + "rfc3987", + "rfc6570", + "uri", + "uri-template", + "url", + "ws" + ], + "support": { + "docs": "https://uri.thephpleague.com", + "forum": "https://thephpleague.slack.com", + "issues": "https://github.com/thephpleague/uri-src/issues", + "source": "https://github.com/thephpleague/uri/tree/7.4.1" + }, + "funding": [ + { + "url": "https://github.com/sponsors/nyamsprod", + "type": "github" + } + ], + "time": "2024-03-23T07:42:40+00:00" + }, + { + "name": "league/uri-interfaces", + "version": "7.4.1", + "source": { + "type": "git", + "url": "https://github.com/thephpleague/uri-interfaces.git", + "reference": "8d43ef5c841032c87e2de015972c06f3865ef718" + }, + "dist": { + "type": "zip", + "url": 
"https://api.github.com/repos/thephpleague/uri-interfaces/zipball/8d43ef5c841032c87e2de015972c06f3865ef718", + "reference": "8d43ef5c841032c87e2de015972c06f3865ef718", + "shasum": "" + }, + "require": { + "ext-filter": "*", + "php": "^8.1", + "psr/http-factory": "^1", + "psr/http-message": "^1.1 || ^2.0" + }, + "suggest": { + "ext-bcmath": "to improve IPV4 host parsing", + "ext-gmp": "to improve IPV4 host parsing", + "ext-intl": "to handle IDN host with the best performance", + "php-64bit": "to improve IPV4 host parsing", + "symfony/polyfill-intl-idn": "to handle IDN host via the Symfony polyfill if ext-intl is not present" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "7.x-dev" + } + }, + "autoload": { + "psr-4": { + "League\\Uri\\": "" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Ignace Nyamagana Butera", + "email": "nyamsprod@gmail.com", + "homepage": "https://nyamsprod.com" + } + ], + "description": "Common interfaces and classes for URI representation and interaction", + "homepage": "https://uri.thephpleague.com", + "keywords": [ + "data-uri", + "file-uri", + "ftp", + "hostname", + "http", + "https", + "parse_str", + "parse_url", + "psr-7", + "query-string", + "querystring", + "rfc3986", + "rfc3987", + "rfc6570", + "uri", + "url", + "ws" + ], + "support": { + "docs": "https://uri.thephpleague.com", + "forum": "https://thephpleague.slack.com", + "issues": "https://github.com/thephpleague/uri-src/issues", + "source": "https://github.com/thephpleague/uri-interfaces/tree/7.4.1" + }, + "funding": [ + { + "url": "https://github.com/sponsors/nyamsprod", + "type": "github" + } + ], + "time": "2024-03-23T07:42:40+00:00" + }, { "name": "masterminds/html5", "version": "2.9.0", 
@@ -10037,6 +10627,56 @@ }, "time": "2021-12-15T12:32:42+00:00" }, + { + "name": "paragonie/random_compat", + "version": "v9.99.100", + "source": { + "type": "git", + "url": "https://github.com/paragonie/random_compat.git", + "reference": "996434e5492cb4c3edcb9168db6fbb1359ef965a" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/paragonie/random_compat/zipball/996434e5492cb4c3edcb9168db6fbb1359ef965a", + "reference": "996434e5492cb4c3edcb9168db6fbb1359ef965a", + "shasum": "" + }, + "require": { + "php": ">= 7" + }, + "require-dev": { + "phpunit/phpunit": "4.*|5.*", + "vimeo/psalm": "^1" + }, + "suggest": { + "ext-libsodium": "Provides a modern crypto API that can be used to generate random bytes." + }, + "type": "library", + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Paragon Initiative Enterprises", + "email": "security@paragonie.com", + "homepage": "https://paragonie.com" + } + ], + "description": "PHP 5.x polyfill for random_bytes() and random_int() from PHP 7", + "keywords": [ + "csprng", + "polyfill", + "pseudorandom", + "random" + ], + "support": { + "email": "info@paragonie.com", + "issues": "https://github.com/paragonie/random_compat/issues", + "source": "https://github.com/paragonie/random_compat" + }, + "time": "2020-10-15T08:29:30+00:00" + }, { "name": "pear/archive_tar", "version": "1.5.0", 
@@ -10836,6 +11476,54 @@ }, "time": "2021-02-03T23:26:27+00:00" }, + { + "name": "psr/clock", + "version": "1.0.0", + "source": { + "type": "git", + "url": "https://github.com/php-fig/clock.git", + "reference": "e41a24703d4560fd0acb709162f73b8adfc3aa0d" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/php-fig/clock/zipball/e41a24703d4560fd0acb709162f73b8adfc3aa0d", + "reference": "e41a24703d4560fd0acb709162f73b8adfc3aa0d", + "shasum": "" + }, + "require": { + "php": "^7.0 || ^8.0" + }, + "type": "library", + "autoload": { + "psr-4": { + "Psr\\Clock\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "PHP-FIG", + "homepage": "https://www.php-fig.org/" + } + ], + "description": "Common interface for reading the clock.", + "homepage": "https://github.com/php-fig/clock", + "keywords": [ + "clock", + "now", + "psr", + "psr-20", + "time" + ], + "support": { + "issues": "https://github.com/php-fig/clock/issues", + "source": "https://github.com/php-fig/clock/tree/1.0.0" + }, + "time": "2022-11-25T14:36:26+00:00" + }, { "name": "psr/container", "version": "2.0.2", 
@@ -11477,6 +12165,51 @@ ], "time": "2024-05-22T21:24:41+00:00" }, + { + "name": "steverhoades/oauth2-openid-connect-server", + "version": "v2.6.1", + "source": { + "type": "git", + "url": "https://github.com/steverhoades/oauth2-openid-connect-server.git", + "reference": "269c4dc071519e8220e249cbdee9b0723e95215e" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/steverhoades/oauth2-openid-connect-server/zipball/269c4dc071519e8220e249cbdee9b0723e95215e", + "reference": "269c4dc071519e8220e249cbdee9b0723e95215e", + "shasum": "" + }, + "require": { + "lcobucci/jwt": "4.1.5|^4.2|^4.3|^5.0", + "league/oauth2-server": "^5.1|^6.0|^7.0|^8.0" + }, + "require-dev": { + "laminas/laminas-diactoros": "^1.3.2", + "phpunit/phpunit": "^5.0|^9.5" + }, + "type": "library", + "autoload": { + "psr-4": { + "OpenIDConnectServer\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Steve Rhoades", + "email": "sedonami@gmail.com" + } + ], + "description": "An OpenID Connect Server that sites on The PHP League's OAuth2 Server", + "support": { + "issues": "https://github.com/steverhoades/oauth2-openid-connect-server/issues", + "source": "https://github.com/steverhoades/oauth2-openid-connect-server/tree/v2.6.1" + }, + "time": "2023-09-08T16:15:47+00:00" + }, { "name": "swagger-api/swagger-ui", "version": "v3.52.5", diff --git a/config/sync/core.extension.yml b/config/sync/core.extension.yml index 662805a1f..a7aba27da 100644 --- a/config/sync/core.extension.yml +++ b/config/sync/core.extension.yml @@ -164,6 +164,7 @@ module: select2: 0 serialization: 0 simple_menu_permissions: 0 + simple_oauth: 0 system: 0 taxonomy: 0 taxonomy_unique: 0 diff --git a/config/sync/simple_oauth.oauth2_token.bundle.access_token.yml b/config/sync/simple_oauth.oauth2_token.bundle.access_token.yml new file mode 100644 index 000000000..76c2bf2d7 --- /dev/null 
+++ b/config/sync/simple_oauth.oauth2_token.bundle.access_token.yml @@ -0,0 +1,10 @@ +uuid: 0bc530d9-c2bd-4bda-bffe-f2cea1b4849d +langcode: en +status: true +dependencies: { } +_core: + default_config_hash: z9ULI9nj9yt73YKI3ZE8v9yXhkVfvQsDJToEDzijcxY +id: access_token +label: 'Access Token' +description: 'The access token type.' +locked: true diff --git a/config/sync/simple_oauth.oauth2_token.bundle.auth_code.yml b/config/sync/simple_oauth.oauth2_token.bundle.auth_code.yml new file mode 100644 index 000000000..386b171ff --- /dev/null +++ b/config/sync/simple_oauth.oauth2_token.bundle.auth_code.yml @@ -0,0 +1,10 @@ +uuid: 71063e70-4de3-4ddf-8931-ba4160365f23 +langcode: en +status: true +dependencies: { } +_core: + default_config_hash: zYKaSl4QZrKMFj7aIhSGDRcBy4SoNjvY2EZlT7amrBk +id: auth_code +label: 'Auth code' +description: 'The auth code type.' +locked: true diff --git a/config/sync/simple_oauth.oauth2_token.bundle.refresh_token.yml b/config/sync/simple_oauth.oauth2_token.bundle.refresh_token.yml new file mode 100644 index 000000000..56c388423 --- /dev/null +++ b/config/sync/simple_oauth.oauth2_token.bundle.refresh_token.yml @@ -0,0 +1,10 @@ +uuid: 83f9de1a-dae6-4609-8026-0f2990b9c7f7 +langcode: en +status: true +dependencies: { } +_core: + default_config_hash: YWMv3Do9fsPFhylyFkOwcqcFP4jSU6DLRootOlgrC0M +id: refresh_token +label: 'Refresh token' +description: 'The refresh token type.' +locked: true diff --git a/config/sync/simple_oauth.settings.yml b/config/sync/simple_oauth.settings.yml new file mode 100644 index 000000000..0cffd710f --- /dev/null +++ b/config/sync/simple_oauth.settings.yml @@ -0,0 +1,11 @@ +_core: + default_config_hash: KsPFWSp6mgXIQgjBJEShfKUGn6VLRlbpIJ2EysXvXWM +access_token_expiration: 300 +authorization_code_expiration: 300 +refresh_token_expiration: 1209600 +token_cron_batch_size: 0 +public_key: ../public.key +private_key: ../private.key +remember_clients: true +use_implicit: false +disable_openid_connect: false 
diff --git a/openapi.json b/openapi.json index c70dcede0..24d7fb509 100644 --- a/openapi.json +++ b/openapi.json @@ -12,6 +12,12 @@ "basic_auth": { "type": "basic" }, + "oauth2": { + "type": "oauth2", + "flow": "accessCode", + "authorizationUrl": "http://varnish:8080/oauth/authorize", + "tokenUrl": "http://varnish:8080/oauth/token" + }, "csrf_token": { "type": "apiKey", "name": "X-CSRF-Token", @@ -23,6 +29,9 @@ { "basic_auth": [] }, + { + "oauth2": [] + }, { "csrf_token": [] } diff --git a/packages/cms-api/README.md b/packages/cms-api/README.md index 07285bdd5..0f0479980 100644 --- a/packages/cms-api/README.md +++ b/packages/cms-api/README.md @@ -84,6 +84,14 @@ class DefaultApi implements DefaultApiInterface // An interface is autogenerated // Retrieve logged in user from $apiKey ... } + /** + * Configure OAuth2 access token for authorization: oauth2 + */ + public function setoauth2($oauthToken) + { + // Retrieve logged in user from $oauthToken ... + } + /** * Implementation of DefaultApiInterface#campaignMatchPOST */ @@ -163,6 +171,13 @@ Authentication schemes defined for the API: - **Type**: HTTP basic authentication +### oauth2 + +- **Type**: OAuth +- **Flow**: accessCode +- **Authorization URL**: http://varnish:8080/oauth/authorize +- **Scopes**: N/A + ### csrf_token - **Type**: API key diff --git a/web/modules/custom/dpl_update/dpl_update.install b/web/modules/custom/dpl_update/dpl_update.install index bdb7032e3..b820f9b94 100644 --- a/web/modules/custom/dpl_update/dpl_update.install +++ b/web/modules/custom/dpl_update/dpl_update.install @@ -104,6 +104,7 @@ function dpl_update_install(): string { $messages[] = dpl_update_update_10022(); $messages[] = dpl_update_update_10023(); $messages[] = dpl_update_update_10024(); + $messages[] = dpl_update_update_10025(); return implode('\r\n', $messages); } 
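Review bot: The new `oauth2` security definition advertises `"authorizationUrl": "http://varnish:8080/oauth/authorize"` and `"tokenUrl": "http://varnish:8080/oauth/token"`, i.e. plain HTTP to an internal development hostname, in a spec that is committed and used to generate clients (the README hunk in this commit copies the same URL). Authorization codes and bearer tokens exchanged over a cleartext channel are exposed to anyone on the path, so the published spec should use `https://` and the public hostname, or the file should be regenerated per environment rather than committed with dev values; I am inferring the file is generated, please confirm. Either way a short comment or README sentence stating where these URLs come from would help the next reader.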
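Review bot: The context line directly below the added `$messages[] = dpl_update_update_10025();` call reads `return implode('\r\n', $messages);`, and in single quotes that separator is the four literal characters backslash-r-backslash-n, not a line break, so the install output runs the messages together. This is pre-existing rather than introduced here, but since the commit touches this list it is a one-character fix: `return implode("\r\n", $messages);` (or `PHP_EOL`). `dpl_update_install()` begins outside the hunk.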
@@ -294,3 +295,10 @@ function dpl_update_update_10023(): string { function dpl_update_update_10024(): string { return _dpl_update_install_modules(['dpl_consumers']); } + +/** + * Install simple_oauth. + */ +function dpl_update_update_10025(): string { + return _dpl_update_install_modules(['simple_oauth']); +} From e39d904b094824950af8ac0028e0cdd11ec6385d Mon Sep 17 00:00:00 2001 From: Andreas Nielsen Date: Thu, 7 Nov 2024 12:51:46 +0100 Subject: [PATCH 2/7] Updated dependencies in composer.json --- composer.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/composer.json b/composer.json index e57a569b7..357c514d8 100644 --- a/composer.json +++ b/composer.json @@ -90,8 +90,8 @@ "composer/installers": "1.12.0", "cweagans/composer-patches": "1.7.3", "danskernesdigitalebibliotek/cms-api": "*", - "danskernesdigitalebibliotek/dpl-design-system": "2024.45.0", - "danskernesdigitalebibliotek/dpl-react": "2024.45.0", + "danskernesdigitalebibliotek/dpl-design-system": "^2024.45", + "danskernesdigitalebibliotek/dpl-react": "^2024.45", "danskernesdigitalebibliotek/fbs-client": "*", "dealerdirect/phpcodesniffer-composer-installer": "^1.0.0", "deoliveiralucas/array-keys-case-transform": "^1.1", From 8115908656caf57ad6479d4d581367e038f8bbea Mon Sep 17 00:00:00 2001 From: Andreas Nielsen Date: Fri, 8 Nov 2024 11:10:08 +0100 Subject: [PATCH 3/7] Added missing configuration after adding simple_oauth module. --- ...eld.field.paragraph.card_grid_manual.field_grid_content.yml | 3 +++ ...field.paragraph.content_slider.field_content_references.yml | 3 +++ ...ield.paragraph.nav_grid_manual.field_content_references.yml | 3 +++ ...ield.paragraph.nav_spots_manual.field_nav_spots_content.yml | 3 +++ 4 files changed, 12 insertions(+) diff --git a/config/sync/field.field.paragraph.card_grid_manual.field_grid_content.yml b/config/sync/field.field.paragraph.card_grid_manual.field_grid_content.yml index 8d60e4852..6fac6280a 100644 
--- a/config/sync/field.field.paragraph.card_grid_manual.field_grid_content.yml +++ b/config/sync/field.field.paragraph.card_grid_manual.field_grid_content.yml @@ -71,4 +71,7 @@ settings: consumer: handler: 'default:consumer' handler_settings: { } + oauth2_token: + handler: 'default:oauth2_token' + handler_settings: { } field_type: dynamic_entity_reference diff --git a/config/sync/field.field.paragraph.content_slider.field_content_references.yml b/config/sync/field.field.paragraph.content_slider.field_content_references.yml index 48e6d9360..15e631c45 100644 --- a/config/sync/field.field.paragraph.content_slider.field_content_references.yml +++ b/config/sync/field.field.paragraph.content_slider.field_content_references.yml @@ -78,4 +78,7 @@ settings: consumer: handler: 'default:consumer' handler_settings: { } + oauth2_token: + handler: 'default:oauth2_token' + handler_settings: { } field_type: dynamic_entity_reference diff --git a/config/sync/field.field.paragraph.nav_grid_manual.field_content_references.yml b/config/sync/field.field.paragraph.nav_grid_manual.field_content_references.yml index 99215cdb4..51c451567 100644 --- a/config/sync/field.field.paragraph.nav_grid_manual.field_content_references.yml +++ b/config/sync/field.field.paragraph.nav_grid_manual.field_content_references.yml @@ -74,4 +74,7 @@ settings: consumer: handler: 'default:consumer' handler_settings: { } + oauth2_token: + handler: 'default:oauth2_token' + handler_settings: { } field_type: dynamic_entity_reference diff --git a/config/sync/field.field.paragraph.nav_spots_manual.field_nav_spots_content.yml b/config/sync/field.field.paragraph.nav_spots_manual.field_nav_spots_content.yml index 0b76357b5..5e86e0fdc 100644 --- a/config/sync/field.field.paragraph.nav_spots_manual.field_nav_spots_content.yml +++ b/config/sync/field.field.paragraph.nav_spots_manual.field_nav_spots_content.yml 
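Review bot: This export, and the three that follow for `content_slider`, `nav_grid_manual` and `nav_spots_manual`, add `oauth2_token` with `handler: 'default:oauth2_token'` to `dynamic_entity_reference` fields that editors fill in. Whether access-token entities actually become selectable in the widget depends on the field's `entity_type_ids`/`exclude_entity_types` settings, which sit outside these hunks; worth confirming that this is only the default handler entry the module exports and that no editorial reference field can point at token entities. If that is the case, a line in the commit message saying so would save the next reviewer the same check.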
@@ -74,4 +74,7 @@ settings: consumer: handler: 'default:consumer' handler_settings: { } + oauth2_token: + handler: 'default:oauth2_token' + handler_settings: { } field_type: dynamic_entity_reference From 8b11fcfee5b1fed485d91116dfdea53668e64bba Mon Sep 17 00:00:00 2001 From: Andreas Nielsen Date: Fri, 8 Nov 2024 16:11:38 +0100 Subject: [PATCH 4/7] Added a service decorator for simple_oauths DisallowSimpleOauthRequest service. In our decorator, we added functionality that checks wether the request path starts with '/graphql' or not. The reason for this is, that right now the isOauth2Request function only checks if the request contains a bearer token. This is also the case when the requests come from the opening hours REST API endpoints, as it submits a library token. By checking for the /graphql in the path, we make sure to only apply the oauth2 validation on the graphql requests. --- .../dpl_graphql/dpl_graphql.services.yml | 4 ++ .../DplDisallowSimpleOauthRequests.php | 40 +++++++++++++++++++ 2 files changed, 44 insertions(+) create mode 100644 web/modules/custom/dpl_graphql/dpl_graphql.services.yml create mode 100644 web/modules/custom/dpl_graphql/src/PageCache/DplDisallowSimpleOauthRequests.php diff --git a/web/modules/custom/dpl_graphql/dpl_graphql.services.yml b/web/modules/custom/dpl_graphql/dpl_graphql.services.yml new file mode 100644 index 000000000..381544670 --- /dev/null +++ b/web/modules/custom/dpl_graphql/dpl_graphql.services.yml @@ -0,0 +1,4 @@ +services: + dpl_graphql.page_cache_request_policy.disallow_oauth2_token_requests: + class: Drupal\dpl_graphql\PageCache\DplDisallowSimpleOauthRequests + decorates: simple_oauth.page_cache_request_policy.disallow_oauth2_token_requests diff --git a/web/modules/custom/dpl_graphql/src/PageCache/DplDisallowSimpleOauthRequests.php b/web/modules/custom/dpl_graphql/src/PageCache/DplDisallowSimpleOauthRequests.php new file mode 100644 index 000000000..580cae9ac --- /dev/null 
+++ b/web/modules/custom/dpl_graphql/src/PageCache/DplDisallowSimpleOauthRequests.php @@ -0,0 +1,40 @@ +getPathInfo(), '/graphql') !== 0) { + return FALSE; + } + + // Check the header. See: http://tools.ietf.org/html/rfc6750#section-2.1 + // We have to perform also an exact match, as if no token is provided then + // the LWS might be stripped, but we still have to detect this as OAuth2 + // authentication. See: https://www.ietf.org/rfc/rfc2616.txt + $auth_header = trim($request->headers->get('Authorization') ?? ''); + return (strpos($auth_header, 'Bearer ') !== FALSE) || ($auth_header === 'Bearer'); + } + + /** + * {@inheritdoc} + */ + public function check(Request $request) { + return $this->isOauth2Request($request) ? static::DENY : NULL; + } + +} From 9e85f29eae0680edac4f2241a95d7c1285a3307b Mon Sep 17 00:00:00 2001 From: Andreas Nielsen Date: Mon, 11 Nov 2024 13:13:06 +0100 Subject: [PATCH 5/7] Revert "Added a new task for fetching the UUID of the graphql_consumer. This" This reverts commit aa1b40567785d45e21354534f5a3c4e3effb8fc3. --- Taskfile.yml | 5 --- .../custom/dpl_consumers/dpl_consumers.module | 44 ------------------- 2 files changed, 49 deletions(-) delete mode 100644 web/modules/custom/dpl_consumers/dpl_consumers.module diff --git a/Taskfile.yml b/Taskfile.yml index 792a69e00..401ab912e 100644 --- a/Taskfile.yml +++ b/Taskfile.yml @@ -382,11 +382,6 @@ tasks: cmds: - cmd: task dev:cli -- drush default-content:export-module dpl_example_content - dev:dpl-go:get-graphql-credentials: - desc: Get the GraphQL credentials from the site - cmds: - - cmd: task dev:cli -- drush php-eval "dpl_consumers_print_consumer_credentials()" - ci:reset: desc: Create CI setup in a clean state cmds: diff --git a/web/modules/custom/dpl_consumers/dpl_consumers.module b/web/modules/custom/dpl_consumers/dpl_consumers.module deleted file mode 100644 index 660dc7466..000000000 --- a/web/modules/custom/dpl_consumers/dpl_consumers.module +++ /dev/null 
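Review bot: The early `return FALSE` when the path does not start with `/graphql` removes the page-cache DENY for every other bearer-authenticated request, so a response that simple_oauth authenticates on a non-GraphQL route (JSON:API, REST, anything using the oauth2 authentication provider) can be stored by the internal page cache and handed to anonymous visitors; the commit message only weighs the opening-hours library-token case. A safer shape keeps DENY as the default and exempts only the specific routes that carry the non-OAuth library token, for instance a route-name check such as `if ($this->isLibraryTokenRoute($request)) { return FALSE; }` (name constructed) placed ahead of the header test. The `strpos(..., '/graphql') !== 0` prefix match also accepts any path that merely begins with that string, so comparing against the configured GraphQL endpoint path or route name is tighter. The `<?php` header, `use` imports, class declaration and the start of `isOauth2Request()` are not visible in this hunk as rendered, so I cannot confirm whether the decorated inner service is injected and delegated to or simply replaced.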
@@ -1,44 +0,0 @@
-getStorage('consumer')
- ->loadByProperties(['client_id' => $client_id]);
-
- if (!empty($consumer)) {
- $consumer = reset($consumer);
- $uuid = $consumer->uuid();
- return $uuid ?? 'Consumer UUID not found.';
- }
- else {
- return 'Consumer not found.';
- }
- }
- catch (\Exception $e) {
- \Drupal::logger('dpl_consumers')->error($e->getMessage());
- return 'Error fetching consumer.';
- }
-}
From 9de07a98c0672afbaf7716393e98d13c06355b6f Mon Sep 17 00:00:00 2001
From: Andreas Nielsen
Date: Tue, 19 Nov 2024 16:40:44 +0100
Subject: [PATCH 6/7] Added a new update hook that generates a public and private key used in the simple_oauth module. The update hook is also called from the install hook as we want to generate the keys on both new and old sites. Updated the simple_oauth config to look for the keys in the correct directory.
---
 config/sync/simple_oauth.settings.yml | 4 +-
 .../custom/dpl_graphql/dpl_graphql.info.yml | 2 +
 .../custom/dpl_graphql/dpl_graphql.install | 47 +++++++++++++++++++
 3 files changed, 51 insertions(+), 2 deletions(-)
 create mode 100644 web/modules/custom/dpl_graphql/dpl_graphql.install
diff --git a/config/sync/simple_oauth.settings.yml b/config/sync/simple_oauth.settings.yml
index 0cffd710f..133ba5039 100644
--- a/config/sync/simple_oauth.settings.yml
+++ b/config/sync/simple_oauth.settings.yml
@@ -4,8 +4,8 @@ access_token_expiration: 300
 authorization_code_expiration: 300
 refresh_token_expiration: 1209600
 token_cron_batch_size: 0
-public_key: ../public.key
-private_key: ../private.key
+public_key: ../web/sites/default/files/simple_oauth_keys/public.key
+private_key: ../web/sites/default/files/simple_oauth_keys/private.key
 remember_clients: true
 use_implicit: false
 disable_openid_connect: false
diff --git a/web/modules/custom/dpl_graphql/dpl_graphql.info.yml b/web/modules/custom/dpl_graphql/dpl_graphql.info.yml
index 4f1562cc1..a64a64450 100644
--- a/web/modules/custom/dpl_graphql/dpl_graphql.info.yml
+++ b/web/modules/custom/dpl_graphql/dpl_graphql.info.yml
@@ -7,3 +7,5 @@ dependencies:
 - graphql:graphql
 - graphql_compose:graphql_compose
 - dpl_unilogin:dpl_unilogin
+ - simple_oauth:simple_oauth
+ - dpl_consumers:dpl_consumers
diff --git a/web/modules/custom/dpl_graphql/dpl_graphql.install b/web/modules/custom/dpl_graphql/dpl_graphql.install
new file mode 100644
index 000000000..508691ed2
--- /dev/null
+++ b/web/modules/custom/dpl_graphql/dpl_graphql.install
@@ -0,0 +1,47 @@
+prepareDirectory($path, FileSystemInterface::CREATE_DIRECTORY);
+
+ try {
+ $key_generator->generateKeys($path);
+ }
+ catch (ExtensionNotLoadedException | FilesystemValidationException $e) {
+ return $e->getMessage();
+ }
+
+ return "Public and private key for simple_oauth generated successfully.";
+}
From 131a4d01cc7a796fedc24e1d18ed16746d249fa2 Mon Sep 17 00:00:00 2001
From: Andreas Nielsen
Date: Thu, 21 Nov 2024 13:07:12 +0100
Subject: [PATCH 7/7] Added private_files_path directory to settings.php. The private folder is currently placed within /sites/default/files folder. This is not idea, as the private files folder should be placed outside of the web root folder. We will look into changing this in the future. Changed the install hook to generate the keys in the private directory. Also changed the simple_oauth configuration to look in the new directory for the private and public keys.
---
 assets/all.settings.php | 15 +++++++++++++++
 config/sync/simple_oauth.settings.yml | 4 ++--
 .../custom/dpl_graphql/dpl_graphql.install | 3 ++-
 3 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/assets/all.settings.php b/assets/all.settings.php
index 78cefc5b6..ba2a1a9e7 100644
--- a/assets/all.settings.php
+++ b/assets/all.settings.php
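Review bot: A failure in this hook does not fail the update: the boolean result of `prepareDirectory()` on the first visible line is discarded, and the `catch` returns `$e->getMessage()` as the hook's ordinary string result, so Drupal records the update as applied even when no key pair was written and token issuance only breaks later at runtime. Throwing `\Drupal\Core\Utility\UpdateException` instead — `throw new UpdateException($e->getMessage(), 0, $e);` in the catch, and `if (!$file_system->prepareDirectory(...)) { throw new UpdateException('Could not create ' . $path); }` for the directory — makes the failure visible to `drush updb` and to the install path the commit message says also calls this hook. It is also worth checking for an existing pair before calling `generateKeys()`, since regenerating the private key (if the generator overwrites, which the hunk does not show) invalidates every token already issued; a `file_exists()` guard on the private key path covers re-runs. The start of the hunk, including the function signature and the `use` statements, is not legible in this rendering.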
@@ -56,6 +56,21 @@
 // advanced security measure: '../config/sync'.
 $settings['config_sync_directory'] = '../config/sync';
+/**
+ * Private file path:
+ *
+ * A local file system path where private files will be stored. This directory
+ * must be absolute, outside the Drupal installation directory and not
+ * accessible over the web.
+ *
+ * Note: Caches need to be cleared when this value is changed to make the
+ * private:// stream wrapper available to the system.
+ *
+ * See https://www.drupal.org/documentation/modules/file for more information
+ * about securing private files.
+ */
+$settings['file_private_path'] = $app_root . '/sites/default/files/private';
+
 // Set service base urls for the react apps.
 $config['dpl_react_apps.settings']['services'] = [
 'cover' => ['base_url' => 'https://cover.dandigbib.org'],
diff --git a/config/sync/simple_oauth.settings.yml b/config/sync/simple_oauth.settings.yml
index 133ba5039..530f0859f 100644
--- a/config/sync/simple_oauth.settings.yml
+++ b/config/sync/simple_oauth.settings.yml
@@ -4,8 +4,8 @@ access_token_expiration: 300
 authorization_code_expiration: 300
 refresh_token_expiration: 1209600
 token_cron_batch_size: 0
-public_key: ../web/sites/default/files/simple_oauth_keys/public.key
-private_key: ../web/sites/default/files/simple_oauth_keys/private.key
+public_key: ../web/sites/default/files/private/simple_oauth_keys/public.key
+private_key: ../web/sites/default/files/private/simple_oauth_keys/private.key
 remember_clients: true
 use_implicit: false
 disable_openid_connect: false
diff --git a/web/modules/custom/dpl_graphql/dpl_graphql.install b/web/modules/custom/dpl_graphql/dpl_graphql.install
index 508691ed2..ca908aff5 100644
--- a/web/modules/custom/dpl_graphql/dpl_graphql.install
+++ b/web/modules/custom/dpl_graphql/dpl_graphql.install
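Review bot: `$app_root . '/sites/default/files/private'` puts the private file system inside the web root, and the simple_oauth.settings.yml hunk in the same commit places the OAuth2 signing private key under it; the only thing Drupal adds to that directory is an `.htaccess`, which Apache honours only when overrides are allowed and nginx or other servers ignore entirely. The commit message already calls the location temporary, but until it moves the deployment should confirm at the web-server configuration level that a request for the key file under `/sites/default/files/private/` is refused, rather than relying on `.htaccess`. The docblock added here still says the directory "must be absolute, outside the Drupal installation directory", which the value on the next line contradicts; a short `// TODO: move outside the web root (see commit message).` above the assignment would keep the file from misleading a reader.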
@@ -33,7 +33,8 @@ function dpl_graphql_update_10001(): string {
 $file_system = DrupalTyped::service(FileSystemInterface::class, 'file_system');
 $key_generator = DrupalTyped::service(KeyGeneratorService::class, 'simple_oauth.key.generator');
- $path = '../web/sites/default/files/simple_oauth_keys';
+ $private_files_path = $file_system->realpath('private://');
+ $path = $private_files_path . '/simple_oauth_keys';
 $file_system->prepareDirectory($path, FileSystemInterface::CREATE_DIRECTORY);
 try {
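Review bot: `$file_system->realpath('private://')` returns FALSE when the `private://` stream wrapper is not available, and the next added line then concatenates that into the bare string `'/simple_oauth_keys'`, so on a site where `file_private_path` has not taken effect yet (the settings.php comment in this same series notes caches must be cleared before the wrapper exists) the update would try to create the key directory at the filesystem root or fail with a misleading message. Guard the value between the two added lines: `if ($private_files_path === FALSE) { throw new \Drupal\Core\Utility\UpdateException('private:// is not configured; set $settings[\'file_private_path\'] first.'); }`. The rest of dpl_graphql_update_10001(), including the key generation and its error handling, continues past the end of the hunk.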