Key

.gitignore

@@ -218,6 +218,9 @@ private-files/
 node_modules/
 yarn-error.log
 
+# Ignore keys
+config/sync/**/key.key.*
+
 # Ignore webforms, webform options and maestro templates including localized config.
 config/sync/**/maestro.maestro_template.*
 config/sync/**/webform.webform.*

composer.json

@@ -5,6 +5,14 @@
     "license": "GPL-2.0-or-later",
     "homepage": "https://github.com/itk-dev/os2forms_selvbetjening",
     "repositories": [
+        {
+            "type": "vcs",
+            "url": "https://github.com/itk-dev/os2forms"
+        },
+        {
+            "type": "path",
+            "url": "web/sites/default/modules/os2web_key"
+        },
         {
             "//": "https://git.drupalcode.org/issue/webform_embed-3149360/-/tree/3149360-automated-drupal-9",
             "type": "package",
@@ -45,6 +53,7 @@
     ],
     "require": {
         "php": "^8.1",
+        "ext-openssl": "*",
         "composer/installers": "^1.12",
         "drupal/advancedqueue": "^1.0",
         "drupal/bootstrap": "^3.28",
@@ -54,7 +63,6 @@
         "drupal/core-project-message": "^9.5.9",
         "drupal/core-recommended": "^9.5.9",
         "drupal/jquery_ui_datepicker": "^1.4",
-        "drupal/key": "^1.17",
         "drupal/key_auth": "^2.1",
         "drupal/keyboard_shortcuts": "^1.1.1",
         "drupal/lang_dropdown": "^2.0",
@@ -77,6 +85,7 @@
         "itk-dev/os2forms_user_field_lookup": "^1.0",
         "itk-dev/serviceplatformen": "dev-feature/guzzle6-adapter as 1.5",
         "itk-dev/web_accessibility_statement": "^1.0",
+        "os2forms/os2forms": "dev-feature/os2web_key as 3.14.0",
         "os2forms/os2forms_fasit": "^1.0",
         "os2forms/os2forms_forloeb_profile": "^1.12",
         "os2forms/os2forms_get_organized": "^1.1.5",

config/sync/config_ignore.settings.yml

@@ -26,3 +26,5 @@ ignored_config_entities:
   - 'leaflet_layers.map_bundle.*'
   - 'leaflet_layers.map_layer.*'
   - os2forms_forloeb.settings
+  - '# Ignore keys (https://www.drupal.org/project/key)'
+  - 'key.key.*'

config/sync/core.extension.yml

@@ -102,6 +102,7 @@ module:
   os2forms_webform_maps: 0
   os2forms_webform_submission_log: 0
   os2web_datalookup: 0
+  os2web_key: 0
   os2web_nemlogin: 0
   os2web_simplesaml: 0
   page_cache: 0

docker-compose.yml

@@ -73,9 +73,9 @@ services:
       - "traefik.enable=true"
       - "traefik.docker.network=frontend"
       - "traefik.http.routers.${COMPOSE_PROJECT_NAME}.rule=Host(`${COMPOSE_DOMAIN}`)"
-#      HTTPS config - uncomment to enable redirect from :80 to :443
-#      - "traefik.http.routers.${COMPOSE_PROJECT_NAME}.middlewares=redirect-to-https"
-#      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+      # HTTPS config - uncomment to enable redirect from :80 to :443
+      - "traefik.http.routers.${COMPOSE_PROJECT_NAME}.middlewares=redirect-to-https"
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
 
   memcached:
     image: 'memcached:latest'

docs/Keys.md

@@ -0,0 +1,68 @@
+# Keys
+
+## Usage
+
+### Certificate and passphrase
+
+* <http://selvbetjening.local.itkdev.dk/admin/config/system/os2web-datalookup/datafordeler-cvr>
+* <http://selvbetjening.local.itkdev.dk/admin/config/system/os2web-datalookup/serviceplatformen-cpr-extended>
+  * What about all the UUIDs?
+* <http://selvbetjening.local.itkdev.dk/admin/os2forms_digital_post/settings>
+* <http://selvbetjening.local.itkdev.dk/admin/os2forms_fasit/settings>
+  - Is `Fasit API tenant` a secret?
+
+### Username and passphrase
+
+* <http://selvbetjening.local.itkdev.dk/admin/os2forms_get_organized/settings>
+
+### OpenID Connect (Multivalue)
+
+* <http://selvbetjening.local.itkdev.dk/admin/config/system/os2web-nemlogin/openid-connect-nemlogin>
+  * <http://selvbetjening.local.itkdev.dk/os2forms_nemlogin_openid_connect/authenticate/{id}>
+  * <http://selvbetjening.local.itkdev.dk/admin/os2forms_nemlogin_openid_connect/settings>
+
+* FBS?!
+
+## Not our modules
+
+* <http://selvbetjening.local.itkdev.dk/admin/config/people/openid-connect/generic/edit>
+  * We can use the key module to inject `Client ID` and `Client secret`, cf.
+
+    ```php
+    # web/sites/default/settings.local.php
+    $config['openid_connect.client.generic']['settings']['client_id'] = 'mock-idp-admin';
+    $config['openid_connect.client.generic']['settings']['client_secret'] = 'mock-idp-admin-secret';
+    ```
+
+## Test certificates
+
+```shell name=create-test-certificates
+# p12 with password
+openssl req -x509 -newkey rsa:4096 -days 365 -subj "/CN=example.com" -passout pass:test -keyout cert/test.key -out cert/test.crt
+openssl pkcs12 -export -out cert/test.p12 -passin pass:test -passout pass:test -inkey cert/test.key -in cert/test.crt
+openssl pkcs12 -in cert/test.p12 -passin pass:test -noenc
+
+# p12 without password
+openssl req -x509 -newkey rsa:4096 -days 365 -subj "/CN=example.com" -passout pass:''   -keyout cert/test_no_password.key -out cert/test_no_password.crt
+openssl pkcs12 -export -out cert/test_no_password.p12 -passin pass:'' -passout pass:'' -inkey cert/test_no_password.key -in cert/test_no_password.crt
+openssl pkcs12 -in cert/test_no_password.p12 -passin pass:'' -noenc
+
+# PEM with password
+openssl req -x509 -newkey rsa:4096 -days 365 -subj "/CN=example.com" -passout pass:test -keyout cert/test.key -out cert/test.crt
+cat cert/test.crt cert/test.key > cert/test.pem
+openssl x509 -in cert/test.pem
+
+# PEM without password
+openssl req -x509 -newkey rsa:4096 -days 365 -subj "/CN=example.com" -passout pass:''   -keyout cert/test_no_password.key -out cert/test_no_password.crt -noenc
+cat cert/test_no_password.crt cert/test_no_password.key > cert/test_no_password.pem
+openssl x509 -in cert/test_no_password.pem
+```
+
+```php
+# web/sites/default/settings.local.php
+putenv('KEY_DIGITAL_POST_CERTIFICATE_PASSWORD=digital_post');
+```
+
+## Questions
+
+<https://www.drupal.org/project/key>