Added submodule Tide OAuth. (#172)

* Added submodule Tide OAuth.

On-behalf-of: @salsadigitalauorg <sonny@salsadigital.com.au>

composer.json

@@ -45,6 +45,7 @@
         "drupal/redirect": "^1.3",
         "drupal/role_delegation": "^1.0-alpha1",
         "drupal/seckit": "^1.1",
+        "drupal/simple_oauth": "^4.5",
         "drupal/simple_sitemap": "^2.12",
         "drupal/smart_trim": "^1.1",
         "drupal/smtp": "^1.0@RC",
@@ -118,6 +119,9 @@
             "drupal/scheduled_transitions": {
                 "The revision user is incorrect after CRON ran - https://www.drupal.org/project/scheduled_transitions/issues/3094322": "https://www.drupal.org/files/issues/2019-11-14/3094322_8.x-8.x-1.0-rc3-2.patch"
             },
+            "drupal/simple_oauth": {
+                "access:false even though permission is checked for the role - https://www.drupal.org/project/simple_oauth/issues/2958159#comment-13847450": "https://www.drupal.org/files/issues/2020-10-05/simple_oauth-refresh_token_authenticated_missing_scope-2958159-4.patch"
+            },
             "drupal/viewsreference": {
                 "Updating from alpha4 to alpha5 via composer results in error - https://www.drupal.org/project/viewsreference/issues/3096956#comment-13370643": "https://www.drupal.org/files/issues/2019-11-28/3096956-17.Unmet-service-dependencies.patch"
             },

includes/helpers.inc

@@ -9,6 +9,8 @@ use Drupal\config\StorageReplaceDataWrapper;
 use Drupal\Core\Config\ConfigImporter;
 use Drupal\Core\Config\FileStorage;
 use Drupal\Core\Config\StorageComparer;
+use Drupal\Core\Serialization\Yaml;
+use Drupal\Core\Site\Settings;
 
 /**
  * Helper to read configuration from provided locations.
@@ -152,3 +154,36 @@ function _tide_import_single_config($config_name, array $locations = [], $priori
     throw $exception;
   }
 }
+
+/**
+ * Retrieve UUID of a config file in config/sync directory.
+ *
+ * @param string $config_name
+ *   The config name.
+ *
+ * @return string|null
+ *   The UUID.
+ */
+function _tide_retrieve_config_uuid(string $config_name) : ?string {
+  try {
+    if (version_compare(\Drupal::VERSION, '8.8.0', '<')) {
+      $config_sync = config_get_config_directory(CONFIG_SYNC_DIRECTORY);
+    }
+    else {
+      $config_sync = Settings::get('config_sync_directory');
+    }
+    if ($config_sync) {
+      $config_file = $config_sync . DIRECTORY_SEPARATOR . $config_name . '.yml';
+      if (file_exists($config_file)) {
+        $config = Yaml::decode(file_get_contents($config_file));
+        if (!empty($config['uuid'])) {
+          return $config['uuid'];
+        }
+      }
+    }
+  }
+  catch (Exception $exception) {
+    watchdog_exception('tide_core', $exception);
+  }
+  return NULL;
+}

modules/tide_oauth/README.md

@@ -0,0 +1,50 @@
+## Tide OAuth
+
+### Prerequisites
+1. Consumers module: https://www.drupal.org/project/consumers
+2. Simple OAuth module: https://www.drupal.org/project/simple_oauth
+
+### Installation
+1. _(Optional)_ Generate a key pair and set environment variables
+    ```shell script
+    $ openssl genrsa -out /tmp/private.key 4096
+    $ openssl rsa -in /tmp/private.key -pubout > /tmp/public.key
+    $ export TIDE_OAUTH_PRIVATE_KEY=`cat /tmp/private.key`
+    $ export TIDE_OAUTH_PUBLIC_KEY=`cat /tmp/public.key`
+    ```
+2. Enable the `tide_oauth` module.
+    * If the TIDE_OAUTH_ environment variables are set, the module will copy
+    the keys to `private://oauth.key` and `private://oauth.pub`.
+    * Otherwise, the module will generate a new key pair.
+3. _(Optional - **Lagoon only**)_ Add a `post-rollout` task to generate the OAuth
+    key pair from environment variables upon deployment.
+    ```yaml
+    tasks:
+       post-rollout:
+          - run:
+             name: Generate OAuth keys from ENV variables.
+             command: 'drush tide-oauth:keygen'
+             service: cli
+    ```    
+
+### Authentication
+1. See the documentation of [Simple OAuth2](https://www.drupal.org/node/2843627)
+2. Due to both JWT Authentication module and Simple OAuth module accept 
+    `Authorization: Bearer {TOKEN}` header, Tide OAuth provides extra headers:
+    * `Authorization: OAuth2 {TOKEN}`     
+    * `X-OAuth2-Authorization: Bearer {TOKEN}`
+    * `X-OAuth2-Authorization: OAuth2 {TOKEN}` 
+
+    When Tide Authenticated Content or JWT module is enabled, all OAuth2 
+    authentication calls should one of the custom headers as the normal 
+    `Authorization` header is always authenticated against JWT Authentication.
+3. By default, the module creates a client `Editorial Preview` with the scope
+    `editor`. All OAuth2 authentication requests using this client will have
+    permissions of the `Editor` role.
+4. OAuth2 endpoints:
+    * Authorization URL: `/oauth/authorize`
+    * Access token URL: `/oauth/token`
+5. Default expiration time:
+    * Access token: 5 minutes
+    * Authorization code: 5 minutes
+    * Refresh token: 2 weeks

modules/tide_oauth/composer.json

@@ -0,0 +1,12 @@
+{
+    "name": "dpc-sdp/tide_oauth",
+    "type": "drupal-drush",
+    "description": "Drush commands for Tide OAuth.",
+    "extra": {
+        "drush": {
+            "services": {
+                "drush.services.yml": "^9"
+            }
+        }
+    }
+}

modules/tide_oauth/drush.services.yml

@@ -0,0 +1,6 @@
+services:
+  tide_oauth.commands:
+    class: \Drupal\tide_oauth\Commands\TideOauthCommands
+    arguments: ['@tide_oauth.env_key_generator']
+      tags:
+        - { name: drush.command }

modules/tide_oauth/drush/tide_oauth.drush.inc

@@ -0,0 +1,34 @@
+<?php
+
+/**
+ * @file
+ * Tide OAuth Drush commands.
+ */
+
+/**
+ * Implements hook_drush_command().
+ */
+function tide_oauth_drush_command() {
+  $commands['tide-oauth-keygen'] = [
+    'description' => 'Generate OAuth keys from environment variables',
+    'drupal dependencies' => ['tide_oauth'],
+    'aliases' => ['tokgn', 'tide-oauth:keygen'],
+  ];
+  return $commands;
+}
+
+/**
+ * Callback for tide-oauth:keygen command.
+ */
+function drush_tide_oauth_keygen() {
+  /** @var \Drupal\tide_oauth\EnvKeyGenerator $env_key_generator */
+  $env_key_generator = \Drupal::service('tide_oauth.env_key_generator');
+  // Generate the OAuth encryption keys from Environment variables.
+  if ($env_key_generator->generateEnvKeys()) {
+    // Update Simple OAuth settings.
+    $env_key_generator->setSimpleOauthKeySettings();
+  }
+  else {
+    drush_set_error('Could not generate OAuth keys.');
+  }
+}

modules/tide_oauth/src/Authentication/Provider/XSimpleOauthAuthenticationProvider.php

@@ -0,0 +1,56 @@
+<?php
+
+namespace Drupal\tide_oauth\Authentication\Provider;
+
+use Drupal\simple_oauth\Authentication\Provider\SimpleOauthAuthenticationProvider;
+use Symfony\Component\HttpFoundation\Request;
+
+/**
+ * Class XSimpleOauthAuthenticationProvider.
+ *
+ * @internal
+ * @package Drupal\tide_oauth\Authentication\Provider
+ */
+class XSimpleOauthAuthenticationProvider extends SimpleOauthAuthenticationProvider {
+
+  /**
+   * {@inheritdoc}
+   */
+  public function authenticate(Request $request) {
+    // X-OAuth2-Authorization does not comply to OAuth2 so that we need to
+    // set Authorization header as per the OAuth2 specs.
+    // However, Authorization header will trigger JWT Authentication (if exists)
+    // hence we need to clone the request instead of modifying the original.
+    $oauth2_request = clone $request;
+    $auth_header = trim($request->headers->get('Authorization', '', TRUE));
+    if ((strpos($auth_header, 'OAuth2 ') !== FALSE) || ($auth_header === 'OAuth2')) {
+      $oauth2_request->headers->add([
+        'Authorization' => str_replace('OAuth2', 'Bearer', $auth_header),
+      ]);
+    }
+    else {
+      $x_auth_header = trim($oauth2_request->headers->get('X-OAuth2-Authorization', '', TRUE));
+      if (($x_auth_header === 'Bearer') || (strpos($x_auth_header, 'Bearer ') !== FALSE)) {
+        $oauth2_request->headers->add(['Authorization' => $x_auth_header]);
+      }
+      elseif (($x_auth_header === 'OAuth2') || (strpos($x_auth_header, 'OAuth2 ') !== FALSE)) {
+        $oauth2_request->headers->add([
+          'Authorization' => str_replace('OAuth2', 'Bearer', $x_auth_header),
+        ]);
+      }
+    }
+
+    $account = parent::authenticate($oauth2_request);
+    if ($account) {
+      // Inherit uploaded files for the current request.
+      /* @link https://www.drupal.org/project/drupal/issues/2934486 */
+      $request->files->add($oauth2_request->files->all());
+      // Set consumer ID header on successful authentication, so negotiators
+      // will trigger correctly.
+      $request->headers->set('X-Consumer-ID', $account->getConsumer()->uuid());
+    }
+
+    return $account;
+  }
+
+}

modules/tide_oauth/src/Commands/TideOauthCommands.php

@@ -0,0 +1,54 @@
+<?php
+
+namespace Drupal\tide_oauth\Commands;
+
+use Drupal\tide_oauth\EnvKeyGenerator;
+use Drush\Commands\DrushCommands;
+
+/**
+ * Class TideOauthCommands.
+ *
+ * @package Drupal\tide_oauth\Commands
+ */
+class TideOauthCommands extends DrushCommands {
+
+  /**
+   * Env Key Generator.
+   *
+   * @var \Drupal\tide_oauth\EnvKeyGenerator
+   */
+  protected $envKeyGenerator;
+
+  /**
+   * TideOauthCommands constructor.
+   *
+   * @param \Drupal\tide_oauth\EnvKeyGenerator $env_key_generator
+   *   Env Key Generator.
+   */
+  public function __construct(EnvKeyGenerator $env_key_generator) {
+    parent::__construct();
+    $this->envKeyGenerator = $env_key_generator;
+  }
+
+  /**
+   * Generate OAuth keys from Environment variables.
+   *
+   * @usage drush tide-oauth:keygen
+   *   Generate OAuth keys from Environment variables.
+   *
+   * @command tide-oauth:keygen
+   * @validate-module-enabled tide_oauth
+   * @aliases tokgn,tide-oauth-keygen
+   */
+  public function generateKeys() {
+    if ($this->envKeyGenerator->generateEnvKeys()) {
+      // Update Simple OAuth settings.
+      $this->envKeyGenerator->setSimpleOauthKeySettings();
+      $this->io()->success('OAuth keys have been created.');
+    }
+    else {
+      $this->io()->error('Could not generate OAuth keys.');
+    }
+  }
+
+}