Updated digital post module to allow key and old configuration methods

Author: jekuaitk

CHANGELOG.md

@@ -13,6 +13,8 @@ before starting to add changes. Use example [placed in the end of the page](#exa
 
 - [#101](https://github.com/OS2Forms/os2forms/pull/101)
   - Added support for `os2web_key` in Digital post
+  - Switched from saving settings in key value store to config, i.e
+    the module needs to be reconfigured.
   - Added support for `os2web_key` in Fasit handler.
     - Switched from saving settings in key value store to config, i.e
       the module needs to be reconfigured.

modules/os2forms_digital_post/os2forms_digital_post.services.yml

@@ -37,6 +37,7 @@ services:
       - "@Drupal\\os2forms_digital_post\\Helper\\MeMoHelper"
       - "@Drupal\\os2forms_digital_post\\Helper\\ForsendelseHelper"
       - "@Drupal\\os2forms_digital_post\\Helper\\BeskedfordelerHelper"
+      - "@Drupal\\os2forms_digital_post\\Helper\\CertificateLocatorHelper"
       - "@logger.channel.os2forms_digital_post"
       - "@logger.channel.os2forms_digital_post_submission"
       - "@os2web_audit.logger"

modules/os2forms_digital_post/src/Form/SettingsForm.php

@@ -11,6 +11,7 @@
 use Drupal\Core\StringTranslation\StringTranslationTrait;
 use Drupal\Core\StringTranslation\TranslatableMarkup;
 use Drupal\Core\Url;
+use Drupal\os2forms_digital_post\Helper\CertificateLocatorHelper;
 use Drupal\os2forms_digital_post\Helper\Settings;
 use Symfony\Component\DependencyInjection\ContainerInterface;
 
@@ -34,6 +35,7 @@ public function __construct(
     ConfigFactoryInterface $config_factory,
     EntityTypeManagerInterface $entityTypeManager,
     private readonly Settings $settings,
+    private readonly CertificateLocatorHelper $certificateLocatorHelper,
   ) {
     parent::__construct($config_factory);
     $this->queueStorage = $entityTypeManager->getStorage('advancedqueue_queue');
@@ -49,6 +51,7 @@ public static function create(ContainerInterface $container) {
       $container->get('config.factory'),
       $container->get('entity_type.manager'),
       $container->get(Settings::class),
+      $container->get(CertificateLocatorHelper::class),
     );
   }
 
@@ -134,17 +137,127 @@ public function buildForm(array $form, FormStateInterface $form_state): array {
       '#type' => 'fieldset',
       '#title' => $this->t('Certificate'),
       '#tree' => TRUE,
+    ];
+
+    $form[Settings::CERTIFICATE][Settings::CERTIFICATE_PROVIDER] = [
+      '#type' => 'select',
+      '#title' => $this->t('Provider'),
+      '#options' => [
+        Settings::PROVIDER_TYPE_FORM => $this->t('Form'),
+        Settings::PROVIDER_TYPE_KEY => $this->t('Key'),
+      ],
+      '#default_value' => $this->settings->getEditableValue([Settings::CERTIFICATE, Settings::CERTIFICATE_PROVIDER]) ?? Settings::PROVIDER_TYPE_FORM,
+      '#description' => $this->t('Specifies which provider to use'),
+    ];
+
+    $form[Settings::CERTIFICATE][CertificateLocatorHelper::LOCATOR_TYPE] = [
+      '#type' => 'select',
+      '#title' => $this->t('Certificate locator type'),
+      '#options' => [
+        CertificateLocatorHelper::LOCATOR_TYPE_AZURE_KEY_VAULT => $this->t('Azure key vault'),
+        CertificateLocatorHelper::LOCATOR_TYPE_FILE_SYSTEM => $this->t('File system'),
+      ],
+      '#default_value' => $this->settings->getEditableValue([
+        Settings::CERTIFICATE,
+        CertificateLocatorHelper::LOCATOR_TYPE,
+      ]) ?? NULL,
+      '#states' => [
+        'visible' => [':input[name="certificate[certificate_provider]"]' => ['value' => Settings::PROVIDER_TYPE_FORM]],
+      ],
+      '#description' => $this->t('Specifies which locator to use'),
+    ];
 
-      Settings::KEY => [
-        '#type' => 'key_select',
-        '#key_filters' => [
-          'type' => 'os2web_key_certificate',
+    $form[Settings::CERTIFICATE][CertificateLocatorHelper::LOCATOR_TYPE_AZURE_KEY_VAULT] = [
+      '#type' => 'fieldset',
+      '#title' => $this->t('Azure key vault'),
+      '#states' => [
+        'visible' => [
+          ':input[name="certificate[certificate_provider]"]' => ['value' => Settings::PROVIDER_TYPE_FORM],
+          ':input[name="certificate[locator_type]"]' => ['value' => CertificateLocatorHelper::LOCATOR_TYPE_AZURE_KEY_VAULT],
+        ],
+      ],
+    ];
+
+    $settings = [
+      CertificateLocatorHelper::LOCATOR_AZURE_KEY_VAULT_TENANT_ID => ['title' => $this->t('Tenant id')],
+      CertificateLocatorHelper::LOCATOR_AZURE_KEY_VAULT_APPLICATION_ID => ['title' => $this->t('Application id')],
+      CertificateLocatorHelper::LOCATOR_AZURE_KEY_VAULT_CLIENT_SECRET => ['title' => $this->t('Client secret')],
+      CertificateLocatorHelper::LOCATOR_AZURE_KEY_VAULT_NAME => ['title' => $this->t('Name')],
+      CertificateLocatorHelper::LOCATOR_AZURE_KEY_VAULT_SECRET => ['title' => $this->t('Secret')],
+      CertificateLocatorHelper::LOCATOR_AZURE_KEY_VAULT_VERSION => ['title' => $this->t('Version')],
+    ];
+
+    foreach ($settings as $key => $info) {
+      $form[Settings::CERTIFICATE][CertificateLocatorHelper::LOCATOR_TYPE_AZURE_KEY_VAULT][$key] = [
+        '#type' => 'textfield',
+        '#title' => $info['title'],
+        '#default_value' => $this->settings->getEditableValue([
+          Settings::CERTIFICATE,
+          CertificateLocatorHelper::LOCATOR_TYPE_AZURE_KEY_VAULT,
+          $key,
+        ]) ?? NULL,
+        '#states' => [
+          'required' => [
+            ':input[name="certificate[certificate_provider]"]' => ['value' => Settings::PROVIDER_TYPE_FORM],
+            ':input[name="certificate[locator_type]"]' => ['value' => CertificateLocatorHelper::LOCATOR_TYPE_AZURE_KEY_VAULT],
+          ],
+        ],
+      ];
+    }
+
+    $form[Settings::CERTIFICATE][CertificateLocatorHelper::LOCATOR_TYPE_FILE_SYSTEM] = [
+      '#type' => 'fieldset',
+      '#title' => $this->t('File system'),
+      '#states' => [
+        'visible' => [
+          ':input[name="certificate[certificate_provider]"]' => ['value' => Settings::PROVIDER_TYPE_FORM],
+          ':input[name="certificate[locator_type]"]' => ['value' => CertificateLocatorHelper::LOCATOR_TYPE_FILE_SYSTEM],
+        ],
+      ],
+
+      CertificateLocatorHelper::LOCATOR_FILE_SYSTEM_PATH => [
+        '#type' => 'textfield',
+        '#title' => $this->t('Path'),
+        '#default_value' => $this->settings->getEditableValue([
+          Settings::CERTIFICATE,
+          CertificateLocatorHelper::LOCATOR_TYPE_FILE_SYSTEM,
+          CertificateLocatorHelper::LOCATOR_FILE_SYSTEM_PATH,
+        ]) ?? NULL,
+        '#states' => [
+          'required' => [
+            ':input[name="certificate[certificate_provider]"]' => ['value' => Settings::PROVIDER_TYPE_FORM],
+            ':input[name="certificate[locator_type]"]' => ['value' => CertificateLocatorHelper::LOCATOR_TYPE_FILE_SYSTEM],
+          ],
         ],
-        '#key_description' => FALSE,
-        '#title' => $this->t('Key'),
-        '#default_value' => $this->settings->getEditableValue([Settings::CERTIFICATE, Settings::KEY]),
-        '#required' => TRUE,
-        '#description' => $this->createDescription([Settings::CERTIFICATE, Settings::KEY]),
+      ],
+    ];
+
+    $form[Settings::CERTIFICATE][CertificateLocatorHelper::LOCATOR_PASSPHRASE] = [
+      '#type' => 'textfield',
+      '#title' => $this->t('Passphrase'),
+      '#default_value' => $this->settings->getEditableValue([
+        Settings::CERTIFICATE,
+        CertificateLocatorHelper::LOCATOR_PASSPHRASE,
+      ]) ?? '',
+      '#states' => [
+        'visible' => [
+          ':input[name="certificate[certificate_provider]"]' => ['value' => Settings::PROVIDER_TYPE_FORM],
+        ],
+      ],
+    ];
+
+    $form[Settings::CERTIFICATE][Settings::PROVIDER_TYPE_KEY] = [
+      '#type' => 'key_select',
+      '#key_filters' => [
+        'type' => 'os2web_key_certificate',
+      ],
+      '#key_description' => FALSE,
+      '#title' => $this->t('Key'),
+      '#default_value' => $this->settings->getEditableValue([Settings::CERTIFICATE, Settings::PROVIDER_TYPE_KEY]),
+      '#required' => TRUE,
+      '#description' => $this->createDescription([Settings::CERTIFICATE, Settings::PROVIDER_TYPE_KEY]),
+      '#states' => [
+        'visible' => [':input[name="certificate[certificate_provider]"]' => ['value' => Settings::PROVIDER_TYPE_KEY]],
       ],
     ];
 
@@ -176,15 +289,55 @@ public function buildForm(array $form, FormStateInterface $form_state): array {
       ),
     ];
 
+    $form['actions']['testCertificate'] = [
+      '#type' => 'submit',
+      '#name' => 'testCertificate',
+      '#value' => $this->t('Test certificate'),
+      '#states' => [
+        'visible' => [':input[name="certificate[certificate_provider]"]' => ['value' => Settings::PROVIDER_TYPE_FORM]],
+      ],
+    ];
+
     return $form;
   }
 
+  /**
+   * {@inheritdoc}
+   *
+   * @phpstan-param array<string, mixed> $form
+   */
+  public function validateForm(array &$form, FormStateInterface $form_state): void {
+    $triggeringElement = $form_state->getTriggeringElement();
+    if ('testCertificate' === ($triggeringElement['#name'] ?? NULL)) {
+      return;
+    }
+
+    $values = $form_state->getValues();
+
+    if (Settings::PROVIDER_TYPE_FORM === $values[Settings::CERTIFICATE][Settings::CERTIFICATE_PROVIDER]) {
+      if (CertificateLocatorHelper::LOCATOR_TYPE_FILE_SYSTEM === $values[Settings::CERTIFICATE][CertificateLocatorHelper::LOCATOR_TYPE]) {
+        $path = $values[Settings::CERTIFICATE][CertificateLocatorHelper::LOCATOR_TYPE_FILE_SYSTEM][CertificateLocatorHelper::LOCATOR_FILE_SYSTEM_PATH] ?? NULL;
+        if (!file_exists($path)) {
+          $form_state->setErrorByName('certificate][file_system][path', $this->t('Invalid certificate path: %path', ['%path' => $path]));
+        }
+      }
+    }
+
+    parent::validateForm($form, $form_state);
+  }
+
   /**
    * {@inheritdoc}
    *
    * @phpstan-param array<string, mixed> $form
    */
   public function submitForm(array &$form, FormStateInterface $form_state): void {
+    $triggeringElement = $form_state->getTriggeringElement();
+    if ('testCertificate' === ($triggeringElement['#name'] ?? NULL)) {
+      $this->testCertificate();
+      return;
+    }
+
     $config = $this->config(Settings::CONFIG_NAME);
     foreach ([
       Settings::TEST_MODE,
@@ -223,4 +376,20 @@ private function createDescription(string|array $key, ?TranslatableMarkup $descr
     return (string) $description;
   }
 
+  /**
+   * Test certificate.
+   */
+  private function testCertificate(): void {
+    try {
+
+      $certificateLocator = $this->certificateLocatorHelper->getCertificateLocator();
+      $certificateLocator->getCertificates();
+      $this->messenger()->addStatus($this->t('Certificate succesfully tested'));
+    }
+    catch (\Throwable $throwable) {
+      $message = $this->t('Error testing certificate: %message', ['%message' => $throwable->getMessage()]);
+      $this->messenger()->addError($message);
+    }
+  }
+
 }

modules/os2forms_digital_post/src/Helper/CertificateLocatorHelper.php

@@ -0,0 +1,88 @@
+<?php
+
+namespace Drupal\os2forms_digital_post\Helper;
+
+use Drupal\os2forms_digital_post\Exception\CertificateLocatorException;
+use GuzzleHttp\Client;
+use Http\Adapter\Guzzle7\Client as GuzzleAdapter;
+use Http\Factory\Guzzle\RequestFactory;
+use ItkDev\AzureKeyVault\Authorisation\VaultToken;
+use ItkDev\AzureKeyVault\KeyVault\VaultSecret;
+use ItkDev\Serviceplatformen\Certificate\AzureKeyVaultCertificateLocator;
+use ItkDev\Serviceplatformen\Certificate\CertificateLocatorInterface;
+use ItkDev\Serviceplatformen\Certificate\FilesystemCertificateLocator;
+
+/**
+ * Certificate locator helper.
+ */
+class CertificateLocatorHelper {
+  public const LOCATOR_TYPE = 'locator_type';
+  public const LOCATOR_TYPE_AZURE_KEY_VAULT = 'azure_key_vault';
+  public const LOCATOR_TYPE_FILE_SYSTEM = 'file_system';
+  public const LOCATOR_PASSPHRASE = 'passphrase';
+  public const LOCATOR_AZURE_KEY_VAULT_TENANT_ID = 'tenant_id';
+  public const LOCATOR_AZURE_KEY_VAULT_APPLICATION_ID = 'application_id';
+  public const LOCATOR_AZURE_KEY_VAULT_CLIENT_SECRET = 'client_secret';
+  public const LOCATOR_AZURE_KEY_VAULT_NAME = 'name';
+  public const LOCATOR_AZURE_KEY_VAULT_SECRET = 'secret';
+  public const LOCATOR_AZURE_KEY_VAULT_VERSION = 'version';
+  public const LOCATOR_FILE_SYSTEM_PATH = 'path';
+
+  /**
+   * {@inheritdoc}
+   */
+  public function __construct(
+    private readonly Settings $settings,
+  ) {
+  }
+
+  /**
+   * Get certificate locator.
+   */
+  public function getCertificateLocator(): CertificateLocatorInterface {
+    $certificateSettings = $this->settings->getEditableValue(Settings::CERTIFICATE);
+
+    $locatorType = $certificateSettings['locator_type'];
+    $options = $certificateSettings[$locatorType];
+    $options += [
+      'passphrase' => $certificateSettings['passphrase'] ?: '',
+    ];
+
+    if (self::LOCATOR_TYPE_AZURE_KEY_VAULT === $locatorType) {
+      $httpClient = new GuzzleAdapter(new Client());
+      $requestFactory = new RequestFactory();
+
+      $vaultToken = new VaultToken($httpClient, $requestFactory);
+
+      $token = $vaultToken->getToken(
+        $options['tenant_id'],
+        $options['application_id'],
+        $options['client_secret'],
+      );
+
+      $vault = new VaultSecret(
+        $httpClient,
+        $requestFactory,
+        $options['name'],
+        $token->getAccessToken()
+      );
+
+      return new AzureKeyVaultCertificateLocator(
+        $vault,
+        $options['secret'],
+        $options['version'],
+        $options['passphrase'],
+      );
+    }
+    elseif (self::LOCATOR_TYPE_FILE_SYSTEM === $locatorType) {
+      $certificatepath = realpath($options['path']) ?: NULL;
+      if (NULL === $certificatepath) {
+        throw new CertificateLocatorException(sprintf('Invalid certificate path %s', $options['path']));
+      }
+      return new FilesystemCertificateLocator($certificatepath, $options['passphrase']);
+    }
+
+    throw new CertificateLocatorException(sprintf('Invalid certificate locator type: %s', $locatorType));
+  }
+
+}

modules/os2forms_digital_post/src/Helper/DigitalPostHelper.php

@@ -35,6 +35,7 @@ public function __construct(
     private readonly MeMoHelper $meMoHelper,
     private readonly ForsendelseHelper $forsendelseHelper,
     private readonly BeskedfordelerHelper $beskedfordelerHelper,
+    private readonly CertificateLocatorHelper $certificateLocatorHelper,
     private readonly LoggerChannelInterface $logger,
     private readonly LoggerChannelInterface $submissionLogger,
     private readonly Logger $auditLogger,
@@ -60,14 +61,23 @@ public function __construct(
    */
   public function sendDigitalPost(string $type, Message $message, ?ForsendelseI $forsendelse, ?WebformSubmissionInterface $submission = NULL): array {
     $senderSettings = $this->settings->getSender();
+
+    if (Settings::PROVIDER_TYPE_FORM === $this->settings->getCertificateProvider()) {
+      $certificateLocator = $this->certificateLocatorHelper->getCertificateLocator();
+    }
+    else {
+      $certificateLocator = new KeyCertificateLocator(
+        $this->settings->getCertificateKey(),
+        $this->keyHelper
+      );
+    }
+
     $options = [
       'test_mode' => (bool) $this->settings->getTestMode(),
       'authority_cvr' => $senderSettings[Settings::SENDER_IDENTIFIER],
-      'certificate_locator' => new KeyCertificateLocator(
-        $this->settings->getCertificateKey(),
-        $this->keyHelper
-      ),
+      'certificate_locator' => $certificateLocator,
     ];
+
     $service = new SF1601($options);
     $transactionId = Serializer::createUuid();