Merge pull request #167 from City-of-Helsinki/UHF-10012

UHF-9466, UHF-10012: Simplify api and vault accounts, user expire feature, remove debug api feature

README.md

@@ -17,7 +17,8 @@ A base module for [drupal-helfi-platform](https://github.com/City-of-Helsinki/dr
 - [Debug collector](documentation/debug.md): A plugin to collect and show various debug information in one place.
 - [Default language resolver](documentation/default-languages.md): A service to handle default primary languages and language fallbacks.
 - [Deploy hooks](documentation/deploy-hooks.md): Allows custom tasks to be run before or after deployment.
-- [Disable user password](/documentation/disable-user-password.md): A deployment hook to prevent users from logging in using password.
+- [Disable user password](/documentation/disable-user-password.md): A deployment hook to prevent configured users from logging in using password.
+- [Disable email sending](/documentation/disable-email-sending.md): Sending email is disabled by default.
 - [Environment resolver](documentation/environment-resolver.md): A service to fetch metadata for given project.
 - [Feature toggle](/documentation/feature-toggle.md): Allow certain functionality to be toggled on/off.
 - [Logging](documentation/logging.md): Log to Docker container stdout.
@@ -27,6 +28,7 @@ A base module for [drupal-helfi-platform](https://github.com/City-of-Helsinki/dr
 - [PubSub messaging](documentation/pubsub-messaging.md): A PubSub message service to send/receive messages.
 - [Remote Entity](documentation/remote-entity.md): A base entity to be used with migrations.
 - [Testing](documentation/testing.md): Various features to help with automated testing.
+- [User expire](/documentation/user-expire.md): Block inactive accounts automatically.
 
 ## Contact
 

config/install/helfi_api_base.features.yml

@@ -1 +1,3 @@
 disable_user_password: true
+user_expire: true
+disable_email_sending: true

config/schema/helfi_api_base.schema.yml

@@ -33,10 +33,12 @@ helfi_api_base.api_accounts:
 helfi_api_base.features:
   type: config_entity
   mapping:
-    logger:
+    disable_email_sending:
       type: boolean
     disable_user_password:
       type: boolean
+    user_expire:
+      type: boolean
 
 helfi_api_base.environment_resolver.settings:
   type: config_entity

documentation/api-accounts.md

@@ -25,41 +25,36 @@ $config['helfi_api_base.api_accounts']['accounts'][] = [
 
 If no `mail` is provided, an autogenerated email address like `drupal+$username@hel.fi` is used. For example: `drupal+account1@hel.fi`.
 
-### Using environment variable to define accounts
+### Configuring API accounts on OpenShift
 
-Define an environment variable called `DRUPAL_API_ACCOUNTS`. These accounts are read and mapped in [settings.php](https://github.com/City-of-Helsinki/drupal-helfi-platform/blob/main/public/sites/default/settings.php) file shipped with `City-of-Helsinki/drupal-helfi-platform`.
+Add new secret to your project's KeyVault on Azure Portal.
 
-The value should be a base64 encoded JSON string of whatever is defined in `helfi_api_base.api_accounts.accounts` configuration, for example:
+For example, add a new secret called `YOUR-API-ACCOUNT`. This will be automatically mapped to an env variable called `YOUR_API_ACCOUNT`.
 
-```bash
-php -r "print base64_encode('[{"username":"account1","password":"password1","roles":["role1","role2"]},{"username":"account2","password":"password2","mail":"some-email@example.com"}]');"
+The value should be a JSON encoded string, something like:
+```json
+{
+  "username": "account1",
+  "password": "password1",
+  "roles": ["role1"],
+  "mail": "some-email@example.com"
+}
 ```
-Then map the given output to `DRUPAL_API_ACCOUNTS` environment variable:
 
-```bash
-DRUPAL_API_ACCOUNTS=W3t1c2VybmFtZTphY2NvdW50MSxwYXNzd29yZDpwYXNzd29yZDEscm9sZXM6W3JvbGUxLHJvbGUyXX0se3VzZXJuYW1lOmFjY291bnQyLHBhc3N3b3JkOnBhc3N3b3JkMixtYWlsOnNvbWUtZW1haWxAZXhhbXBsZS5jb219XQ==
+Add mapping to your project's `all.settings.php`:
+```php
+# public/sites/all.settings.php
+
+if ($your_api_account = getenv('YOUR_API_ACCOUNT')) {
+  $config['helfi_api_base.api_accounts']['accounts'][] = json_decode($your_api_account, TRUE);
+}
 ```
 
 ### Usage
 
 We hook into `helfi_api_base.post_deploy` event ([src/EventSubscriber/EnsureApiAccountsSubscriber.php](/src/EventSubscriber/EnsureApiAccountsSubscriber.php)), triggered by `drush helfi:post-deploy` command executed as a part of deployment tasks: [https://github.com/City-of-Helsinki/drupal-helfi-platform/blob/main/docker/openshift/entrypoints/20-deploy.sh](https://github.com/City-of-Helsinki/drupal-helfi-platform/blob/main/docker/openshift/entrypoints/20-deploy.sh)
 
-### Testing locally
-
-Add something like this to your `local.settings.php`:
-
-```php
-# local.settings.php
-$api_accounts = [
-  [
-    'username' => 'helfi-debug-data',
-    'password' => '123',
-    'mail' => 'drupal+debug_api@hel.fi',
-    'roles' => ['debug_api'],
-  ],
-];
-$config['helfi_api_base.api_accounts']['accounts'] = $api_accounts;
-```
+You can test this locally by running `drush helfi:post-deploy`.
 
 ## Managing external API credentials
 
@@ -90,20 +85,22 @@ The value of `data` field depends on used `plugin`:
 - Authorization token (`authorization_token`): A simple string. For example `aGVsZmktYWRtaW46MTIz`.
 - JSON (`json`): A JSON string. For example `{"endpoint": "xxxx.docker.so", "key": "value"}`.
 
-### Using environment variable to define Vault items
+### Configuring Vault accounts on OpenShift
 
-Define an environment variable called `DRUPAL_VAULT_ACCOUNTS`. These accounts are read and mapped in [settings.php](https://github.com/City-of-Helsinki/drupal-helfi-platform/blob/main/public/sites/default/settings.php) file shipped with `City-of-Helsinki/drupal-helfi-platform`.
+Add new secret to your project's KeyVault on Azure Portal.
 
-The value should be a base64 encoded JSON string of whatever is defined in `helfi_api_base.api_accounts.vault` configuration, for example:
+For example, add a new secret called `YOUR-VAULT-ACCOUNT`. This will be automatically mapped to an env variable called `YOUR_VAULT_ACCOUNT`.
 
-```bash
-php -r "print base64_encode('[{"id": "global_navigation", "plugin": "authorization_token": "data": "aGVsZmktYWRtaW46MTIz"}]');"
-```
+Add mapping to your project's `all.settings.php` file, or `settings.php` if the feature should be enabled everywhere by default:
 
-Then map the given output to `DRUPAL_VAULT_ACCOUNTS` environment variable:
-
-```bash
-DRUPAL_VAULT_ACCOUNTS=W3tpZDogZXR1c2l2dV9sb2NhbCwgcGx1Z2luOiBhdXRob3JpemF0aW9uX3Rva2VuOiBkYXRhOiBhR1ZzWm1rdFlXUnRhVzQ2TVRJen1d
+```php
+if ($your_vault_account = getenv('YOUR_VAULT_ACCOUNT')) {
+  $config['helfi_api_base.api_accounts']['vault'][] = [
+    'id' => 'your_vault_account',
+    'plugin' => 'authorization_token',
+    'data' => $your_vault_account,
+  ];
+}
 ```
 
 ### Usage
@@ -112,8 +109,8 @@ DRUPAL_VAULT_ACCOUNTS=W3tpZDogZXR1c2l2dV9sb2NhbCwgcGx1Z2luOiBhdXRob3JpemF0aW9uX3
 /** @var \Drupal\helfi_api_base\Vault\VaultManager $service */
 $service = \Drupal::service('helfi_api_base.vault_manager');
 /** @var \Drupal\helfi_api_base\Vault\VaultItemInterface $item */
-$item = $service->get('global_navigation'); // 'global_navigation' is the ID previously defined in DRUPAL_VAULT_ACCOUNTS.
-$id = $item->id(); // $id = 'global_navigation'.
+$item = $service->get('your_vault_account'); // 'your_vault_account' is the ID previously defined in YOUR_VAULT_ACCOUNT.
+$id = $item->id(); // $id = 'vault_account_id'.
 $data = $item->data() // $data = 'aGVsZmktYWRtaW46MTIz'. This is a base64 encoded basic auth token (helfi-admin:123).
 ```
 
@@ -125,28 +122,10 @@ Add something like this to your `local.settings.php`:
 # local.settings.php
 $vault_accounts = [
   [
-    'id' => 'etusivu_local',
+    'id' => 'your_vault_account',
     'plugin' => 'authorization_token',
     'data' => base64_encode('helfi-debug-data:123'),
   ],
 ];
 $config['helfi_api_base.api_accounts']['vault'] = $vault_accounts;
 ```
-
-## Tool to create/update the secret
-
-See https://helsinkisolutionoffice.atlassian.net/wiki/spaces/HEL/pages/6785826654/Ymp+rist+t (in Finnish) for more information on how to actually update the value for given environment variable.
-
-This module provides a Drush command to easily update and create API secrets. The command returns a base64 encoded string that can directly be copied to Azure Key Vault.
-
-### Update
-
-Use `drush helfi:update-api-secret` command to update the API secret.
-
-### Create
-
-Use `drush helfi:create-api-secret` command to create the API secret.
-
-### Show current value
-
-Call `drush helfi:reveal-api-secret {secret value}` to show the value of given secret.

documentation/disable-email-sending.md

@@ -0,0 +1,10 @@
+# Disable email sending
+
+Email sending is disabled by default in `helfi_api_email_alter()` hook.
+
+To enable email sending, set `disable_email_sending` setting to false:
+
+```yaml
+# conf/cmi/helfi_api_base.features.yml
+disable_email_sending: false
+```

documentation/disable-user-password.md

@@ -1,6 +1,6 @@
 # Disable user password
 
-Provides a [Deployment hook](/documentation/deploy-hooks.md) that sets listed users' password to NULL.
+Provides a [Deployment hook](/documentation/deploy-hooks.md) that sets configured users' password to NULL.
 
 ## Usage
 
@@ -25,3 +25,12 @@ parameters:
 ```
 
 or dynamically in service provider class: https://www.drupal.org/docs/drupal-apis/services-and-dependency-injection/altering-existing-services-providing-dynamic-services.
+
+## Disable this feature
+
+You can disable this feature by changing the `disable_user_password` setting to false:
+
+```yaml
+# conf/cmi/helfi_api_base.features.yml
+disable_user_password: false
+```

documentation/user-expire.md

@@ -0,0 +1,9 @@
+# User expire
+
+Accounts that have been inactive for longer than 6 months are blocked automatically.
+
+This feature can be disabled by changing `user_expire` setting to false:
+```yaml
+# conf/cmi/helfi_api_base.features.yml
+user_expire: false
+```

drush.services.yml

@@ -13,11 +13,6 @@ services:
       - '@helfi_api_base.pubsub_manager'
     tags:
       - { name: drush.command }
-  helfi_api_base.api_account_commands:
-    class: \Drupal\helfi_api_base\Commands\ApiAccountCommands
-    arguments: ['@password_generator']
-    tags:
-      - { name: drush.command }
   helfi_api_base.deploy_commands:
     class: \Drupal\helfi_api_base\Commands\DeployCommands
     arguments: ['@event_dispatcher']