diff --git a/README.md b/README.md index 2a6c0a38..482d17c2 100644 --- a/README.md +++ b/README.md @@ -23,7 +23,7 @@ With Vagrant (each of these steps may take several minutes!): ```bash ISLANDORA_BUILD_BASE=true vagrant up # Create the base box on a bare Ubuntu. vagrant package --output islandora_base # Shut down the VM and save it as a file, islandora_base, which is created in this directory. -vagrant destroy # You will be prompted to enter 'y' to destroy this VM +ISLANDORA_BUILD_BASE=true vagrant destroy # You will be prompted to enter 'y' to destroy the base box VM vagrant up # It will show it is importing the islandora_base base box, then will provision Islandora. ``` diff --git a/inventory/vagrant/group_vars/crayfish.yml b/inventory/vagrant/group_vars/crayfish.yml index 3665d8d9..616537e9 100644 --- a/inventory/vagrant/group_vars/crayfish.yml +++ b/inventory/vagrant/group_vars/crayfish.yml @@ -1,5 +1,3 @@ --- -crayfish_db: "{{ islandora_db }}" - crayfish_fedora_base_url: "http://{{ hostvars[groups['tomcat'][0]].ansible_host }}:8080/fcrepo/rest" crayfish_drupal_base_url: "http://{{ hostvars[groups['webserver'][0]].ansible_host }}:{{ apache_listen_port }}" diff --git a/roles/internal/Islandora-Devops.crayfish/README.md b/roles/internal/Islandora-Devops.crayfish/README.md index 8b26c1dc..70db1a64 100644 --- a/roles/internal/Islandora-Devops.crayfish/README.md +++ b/roles/internal/Islandora-Devops.crayfish/README.md @@ -19,8 +19,6 @@ crayfish_services: - Homarus - Hypercube - Recast -# Default crayfish static JWT token -crayfish_syn_token: islandora # Webserver path to install to crayfish_install_dir: /var/www/html/Crayfish # Crayfish log directory 
@@ -48,11 +46,6 @@ Some OS dependent variables are set in vars/* but can be overridden if desired: # - poppler-utils ``` ======= -`crayfish_db` can be set to: - - pgsql - - mysql - - Depending what database you would like to use. If not set it defaults to _mysql_ There are lots more configuration settings in [defaults/main.yml](defaults/main.yml) @@ -67,15 +60,6 @@ The module depends on the following. Links are provided to roles known to work w * [PHP](https://galaxy.ansible.com/geerlingguy/php/) * [Composer](https://galaxy.ansible.com/geerlingguy/composer/) * [git](https://galaxy.ansible.com/geerlingguy/git/) -* database - - [pgsql](https://galaxy.ansible.com/geerlingguy/postgresql/) - - [mysql](https://galaxy.ansible.com/geerlingguy/mysql/) - -## Example Playbook - -Examples from the role tests: -* [Postgresql](tests/pgsql.yml) -* [Mysql](tests/mysql.yml) ## License diff --git a/roles/internal/Islandora-Devops.crayfish/defaults/main.yml b/roles/internal/Islandora-Devops.crayfish/defaults/main.yml index 322cf89a..b9c684eb 100644 --- a/roles/internal/Islandora-Devops.crayfish/defaults/main.yml +++ b/roles/internal/Islandora-Devops.crayfish/defaults/main.yml @@ -1,4 +1,4 @@ -crayfish_version_tag: 3.x +crayfish_version_tag: 4.x crayfish_services: - Houdini diff --git a/roles/internal/Islandora-Devops.crayfish/tasks/install.yml b/roles/internal/Islandora-Devops.crayfish/tasks/install.yml index e07c2ea2..c3f15f3e 100644 --- a/roles/internal/Islandora-Devops.crayfish/tasks/install.yml +++ b/roles/internal/Islandora-Devops.crayfish/tasks/install.yml @@ -66,11 +66,6 @@ vars: ssl_key_public_output_path: "{{ crayfish_install_dir }}/public.key" -- name: Install auth config - template: - src: "syn-settings.xml.jp2" - dest: "{{ crayfish_install_dir }}/syn-settings.xml" - - name: Configure crayfish code (Symfony) include_tasks: "./tasks/symfony_config.yml" with_items: "{{ crayfish_services }}" 
diff --git a/roles/internal/Islandora-Devops.crayfish/templates/Homarus/packages/crayfish_commons.yaml.j2 b/roles/internal/Islandora-Devops.crayfish/templates/Homarus/packages/crayfish_commons.yaml.j2 index 07c89e91..74a3a41d 100644 --- a/roles/internal/Islandora-Devops.crayfish/templates/Homarus/packages/crayfish_commons.yaml.j2 +++ b/roles/internal/Islandora-Devops.crayfish/templates/Homarus/packages/crayfish_commons.yaml.j2 @@ -1,3 +1,4 @@ +### This file is managed with Ansible ### crayfish_commons: fedora_base_uri: {{ crayfish_homarus_fedora_base_url }} - syn_config: {{ crayfish_homarus_jwt_config }} + apix_middleware_enabled: false diff --git a/roles/internal/Islandora-Devops.crayfish/templates/Homarus/packages/lexik_jwt_authentication.yaml.j2 b/roles/internal/Islandora-Devops.crayfish/templates/Homarus/packages/lexik_jwt_authentication.yaml.j2 new file mode 100644 index 00000000..6251c306 --- /dev/null +++ b/roles/internal/Islandora-Devops.crayfish/templates/Homarus/packages/lexik_jwt_authentication.yaml.j2 @@ -0,0 +1,10 @@ +### This file is managed with Ansible ### +lexik_jwt_authentication: + # Need secret key to generate a token, this is not necessary for normal usage as the key is generated by Drupal. + secret_key: '' + # This is required if you have set a passphrase on the secret key, this is generally not needed. + pass_phrase: '' + # This is the public key from the pair generated by Drupal and is required to validate the JWTs + public_key: '{{ crayfish_install_dir }}/public.key' + # By default lexik_jwt looks for the username key in the payload, we use sub + user_identity_field: sub diff --git a/roles/internal/Islandora-Devops.crayfish/templates/Homarus/packages/security.yaml.j2 b/roles/internal/Islandora-Devops.crayfish/templates/Homarus/packages/security.yaml.j2 index 09caed05..02fa1051 100644 --- a/roles/internal/Islandora-Devops.crayfish/templates/Homarus/packages/security.yaml.j2 
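Review bot: Removing `syn_config` here (and in the Houdini, Hypercube and Recast copies, plus the deleted Milliner file) presumably stops the services from using `syn-settings.xml`, but nothing in this commit removes the copy that earlier runs rendered to `{{ crayfish_install_dir }}/syn-settings.xml`. That file carried the static `crayfish_syn_token` value, so on a host that is upgraded rather than rebuilt it stays on disk under the install directory. I would add a cleanup task to tasks/install.yml where "Install auth config" used to be: a `file:` task with `path: "{{ crayfish_install_dir }}/syn-settings.xml"` and `state: absent`.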
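Review bot: Token verification in this new file relies on the bundle's default signature algorithm, because only the key paths and `user_identity_field` are set. Since these services only validate tokens issued by Drupal, I would pin the algorithm next to `public_key` with `encoder:` / `signature_algorithm: RS256` (assuming Drupal signs with RS256, which this diff does not show). `public.key` is the trust anchor for every request, so the task that writes it should leave it read-only for the PHP user; its mode is not visible here. The same file is added verbatim for Houdini, Hypercube, Milliner and Recast (blob 6251c306), and a single shared template would keep the five copies from drifting apart.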
+++ b/roles/internal/Islandora-Devops.crayfish/templates/Homarus/packages/security.yaml.j2 @@ -1,12 +1,12 @@ -# This file managed by Ansible - -# To disable Syn checking, set syn_enabled=false in crayfish_commons.yaml and remove this configuration file. +### This file managed by Ansible ### +### To disable authentication, set crayfish_homarus_jwt_enabled to false. security: - - # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers + enable_authenticator_manager: true + # https://symfony.com/doc/5.4/security.html#where-do-users-come-from-user-providers providers: - jwt_user_provider: - id: Islandora\Crayfish\Commons\Syn\JwtUserProvider + users_in_memory: { memory: null } + jwt: + lexik_jwt: ~ firewalls: dev: @@ -16,25 +16,20 @@ security: # Need stateless or it reloads the User based on a token. stateless: true {%if crayfish_homarus_jwt_enabled == true %} - anonymous: false - - provider: jwt_user_provider - guard: - authenticators: - - Islandora\Crayfish\Commons\Syn\JwtAuthenticator + provider: jwt + jwt: ~ # activate different ways to authenticate - # https://symfony.com/doc/current/security.html#firewalls-authentication + # https://symfony.com/doc/5.4/security.html#firewalls-authentication - # https://symfony.com/doc/current/security/impersonating_user.html + # https://symfony.com/doc/5.4/security/impersonating_user.html # switch_user: true - +{% else %} + anonymous: true +{% endif %} # Easy way to control access for large sections of your site # Note: Only the *first* access control that matches will be used access_control: - # - { path: ^/admin, roles: ROLE_ADMIN } - # - { path: ^/profile, roles: ROLE_USER } -{% else %} - anonymous: true -{% endif %} + # - { path: ^/admin, roles: ROLE_ADMIN } + # - { path: ^/profile, roles: ROLE_USER } 
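Review bot: With `crayfish_homarus_jwt_enabled` true, the `main` firewall now offers only the `jwt` authenticator, and `access_control:` holds nothing but commented examples, so I see no rule that rejects a request arriving without a token. The removed `anonymous: false` did that job under the guard system; under the authenticator manager the usual replacement is an entry such as `- { path: ^/, roles: IS_AUTHENTICATED_FULLY }`, unless the controllers enforce it themselves, which this hunk does not show. In the `{% else %}` branch, `anonymous: true` now sits beside `enable_authenticator_manager: true`, and as far as I know Symfony 5.4 refuses that option under the authenticator manager, so the disabled path should be rendered and tested once. Both points apply equally to the Houdini, Hypercube, Milliner and Recast security.yaml.j2 hunks; the `main:` key itself lies between the two hunks and is not shown.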
diff --git a/roles/internal/Islandora-Devops.crayfish/templates/Homarus/services.yaml.j2 b/roles/internal/Islandora-Devops.crayfish/templates/Homarus/services.yaml.j2 index d9d1e6b2..c276acdb 100644 --- a/roles/internal/Islandora-Devops.crayfish/templates/Homarus/services.yaml.j2 +++ b/roles/internal/Islandora-Devops.crayfish/templates/Homarus/services.yaml.j2 @@ -5,7 +5,7 @@ # Files in the packages/ subdirectory configure your dependencies. # Put parameters here that don't need to change on each machine where the app is deployed -# https://symfony.com/doc/current/best_practices/configuration.html#application-related-configuration +# https://symfony.com/doc/5.4/best_practices/configuration.html#application-related-configuration parameters: app.executable: {{ crayfish_homarus_executable_config.executable }} diff --git a/roles/internal/Islandora-Devops.crayfish/templates/Houdini/packages/crayfish_commons.yaml.j2 b/roles/internal/Islandora-Devops.crayfish/templates/Houdini/packages/crayfish_commons.yaml.j2 index 4e240525..6f5aded9 100644 --- a/roles/internal/Islandora-Devops.crayfish/templates/Houdini/packages/crayfish_commons.yaml.j2 +++ b/roles/internal/Islandora-Devops.crayfish/templates/Houdini/packages/crayfish_commons.yaml.j2 @@ -1,3 +1,3 @@ +### This file is managed with Ansible ### crayfish_commons: fedora_base_uri: {{ crayfish_houdini_fedora_base_url }} - syn_config: {{ crayfish_houdini_jwt_config }} diff --git a/roles/internal/Islandora-Devops.crayfish/templates/Houdini/packages/lexik_jwt_authentication.yaml.j2 b/roles/internal/Islandora-Devops.crayfish/templates/Houdini/packages/lexik_jwt_authentication.yaml.j2 new file mode 100644 index 00000000..6251c306 --- /dev/null +++ b/roles/internal/Islandora-Devops.crayfish/templates/Houdini/packages/lexik_jwt_authentication.yaml.j2 
@@ -0,0 +1,10 @@ +### This file is managed with Ansible ### +lexik_jwt_authentication: + # Need secret key to generate a token, this is not necessary for normal usage as the key is generated by Drupal. + secret_key: '' + # This is required if you have set a passphrase on the secret key, this is generally not needed. + pass_phrase: '' + # This is the public key from the pair generated by Drupal and is required to validate the JWTs + public_key: '{{ crayfish_install_dir }}/public.key' + # By default lexik_jwt looks for the username key in the payload, we use sub + user_identity_field: sub diff --git a/roles/internal/Islandora-Devops.crayfish/templates/Houdini/packages/security.yaml.j2 b/roles/internal/Islandora-Devops.crayfish/templates/Houdini/packages/security.yaml.j2 index 4b6e8d09..d4a480ab 100644 --- a/roles/internal/Islandora-Devops.crayfish/templates/Houdini/packages/security.yaml.j2 +++ b/roles/internal/Islandora-Devops.crayfish/templates/Houdini/packages/security.yaml.j2 @@ -1,12 +1,12 @@ -# This file managed by Ansible - -# To disable Syn checking, set syn_enabled=false in crayfish_commons.yaml and remove this configuration file. +### This file managed by Ansible ### +### To disable authentication, set crayfish_houdini_jwt_enabled to false. security: - - # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers + enable_authenticator_manager: true + # https://symfony.com/doc/5.4/security.html#where-do-users-come-from-user-providers providers: - jwt_user_provider: - id: Islandora\Crayfish\Commons\Syn\JwtUserProvider + users_in_memory: { memory: null } + jwt: + lexik_jwt: ~ firewalls: dev: 
@@ -16,25 +16,20 @@ security: # Need stateless or it reloads the User based on a token. stateless: true {%if crayfish_houdini_jwt_enabled == true %} - anonymous: false - - provider: jwt_user_provider - guard: - authenticators: - - Islandora\Crayfish\Commons\Syn\JwtAuthenticator + provider: jwt + jwt: ~ # activate different ways to authenticate - # https://symfony.com/doc/current/security.html#firewalls-authentication + # https://symfony.com/doc/5.4/security.html#firewalls-authentication - # https://symfony.com/doc/current/security/impersonating_user.html + # https://symfony.com/doc/5.4/security/impersonating_user.html # switch_user: true - +{% else %} + anonymous: true +{% endif %} # Easy way to control access for large sections of your site # Note: Only the *first* access control that matches will be used access_control: - # - { path: ^/admin, roles: ROLE_ADMIN } - # - { path: ^/profile, roles: ROLE_USER } -{% else %} - anonymous: true -{% endif %} + # - { path: ^/admin, roles: ROLE_ADMIN } + # - { path: ^/profile, roles: ROLE_USER } diff --git a/roles/internal/Islandora-Devops.crayfish/templates/Houdini/services.yaml.j2 b/roles/internal/Islandora-Devops.crayfish/templates/Houdini/services.yaml.j2 index 790673be..31693479 100644 --- a/roles/internal/Islandora-Devops.crayfish/templates/Houdini/services.yaml.j2 +++ b/roles/internal/Islandora-Devops.crayfish/templates/Houdini/services.yaml.j2 @@ -5,7 +5,7 @@ # Files in the packages/ subdirectory configure your dependencies. # Put parameters here that don't need to change on each machine where the app is deployed -# https://symfony.com/doc/current/best_practices/configuration.html#application-related-configuration +# https://symfony.com/doc/5.4/best_practices/configuration.html#application-related-configuration parameters: app.executable: {{ crayfish_houdini_executable_config.executable }} 
diff --git a/roles/internal/Islandora-Devops.crayfish/templates/Hypercube/packages/crayfish_commons.yaml.j2 b/roles/internal/Islandora-Devops.crayfish/templates/Hypercube/packages/crayfish_commons.yaml.j2 index 16df6607..3d94c058 100644 --- a/roles/internal/Islandora-Devops.crayfish/templates/Hypercube/packages/crayfish_commons.yaml.j2 +++ b/roles/internal/Islandora-Devops.crayfish/templates/Hypercube/packages/crayfish_commons.yaml.j2 @@ -1,3 +1,3 @@ +### This file is managed with Ansible ### crayfish_commons: fedora_base_uri: {{ crayfish_hypercube_fedora_base_url }} - syn_config: {{ crayfish_hypercube_jwt_config }} diff --git a/roles/internal/Islandora-Devops.crayfish/templates/Hypercube/packages/lexik_jwt_authentication.yaml.j2 b/roles/internal/Islandora-Devops.crayfish/templates/Hypercube/packages/lexik_jwt_authentication.yaml.j2 new file mode 100644 index 00000000..6251c306 --- /dev/null +++ b/roles/internal/Islandora-Devops.crayfish/templates/Hypercube/packages/lexik_jwt_authentication.yaml.j2 @@ -0,0 +1,10 @@ +### This file is managed with Ansible ### +lexik_jwt_authentication: + # Need secret key to generate a token, this is not necessary for normal usage as the key is generated by Drupal. + secret_key: '' + # This is required if you have set a passphrase on the secret key, this is generally not needed. + pass_phrase: '' + # This is the public key from the pair generated by Drupal and is required to validate the JWTs + public_key: '{{ crayfish_install_dir }}/public.key' + # By default lexik_jwt looks for the username key in the payload, we use sub + user_identity_field: sub diff --git a/roles/internal/Islandora-Devops.crayfish/templates/Hypercube/packages/security.yaml.j2 b/roles/internal/Islandora-Devops.crayfish/templates/Hypercube/packages/security.yaml.j2 index c56c499b..57884601 100644 --- a/roles/internal/Islandora-Devops.crayfish/templates/Hypercube/packages/security.yaml.j2 
+++ b/roles/internal/Islandora-Devops.crayfish/templates/Hypercube/packages/security.yaml.j2 @@ -1,12 +1,12 @@ -# This file managed by Ansible - -# To disable Syn checking, set syn_enabled=false in crayfish_commons.yaml and remove this configuration file. +### This file managed by Ansible ### +### To disable authentication, set crayfish_hypercube_jwt_enabled to false. security: - - # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers + enable_authenticator_manager: true + # https://symfony.com/doc/5.4/security.html#where-do-users-come-from-user-providers providers: - jwt_user_provider: - id: Islandora\Crayfish\Commons\Syn\JwtUserProvider + users_in_memory: { memory: null } + jwt: + lexik_jwt: ~ firewalls: dev: @@ -16,25 +16,20 @@ security: # Need stateless or it reloads the User based on a token. stateless: true {%if crayfish_hypercube_jwt_enabled == true %} - anonymous: false - - provider: jwt_user_provider - guard: - authenticators: - - Islandora\Crayfish\Commons\Syn\JwtAuthenticator + provider: jwt + jwt: ~ # activate different ways to authenticate - # https://symfony.com/doc/current/security.html#firewalls-authentication + # https://symfony.com/doc/5.4/security.html#firewalls-authentication - # https://symfony.com/doc/current/security/impersonating_user.html + # https://symfony.com/doc/5.4/security/impersonating_user.html # switch_user: true - +{% else %} + anonymous: true +{% endif %} # Easy way to control access for large sections of your site # Note: Only the *first* access control that matches will be used access_control: - # - { path: ^/admin, roles: ROLE_ADMIN } - # - { path: ^/profile, roles: ROLE_USER } -{% else %} - anonymous: true -{% endif %} + # - { path: ^/admin, roles: ROLE_ADMIN } + # - { path: ^/profile, roles: ROLE_USER } 
diff --git a/roles/internal/Islandora-Devops.crayfish/templates/Hypercube/services.yaml.j2 b/roles/internal/Islandora-Devops.crayfish/templates/Hypercube/services.yaml.j2 index ba9056a9..01c0be17 100644 --- a/roles/internal/Islandora-Devops.crayfish/templates/Hypercube/services.yaml.j2 +++ b/roles/internal/Islandora-Devops.crayfish/templates/Hypercube/services.yaml.j2 @@ -5,7 +5,7 @@ # Files in the packages/ subdirectory configure your dependencies. # Put parameters here that don't need to change on each machine where the app is deployed -# https://symfony.com/doc/current/best_practices/configuration.html#application-related-configuration +# https://symfony.com/doc/5.4/best_practices/configuration.html#application-related-configuration parameters: app.tesseract_executable: {{ crayfish_hypercube_tesseract_executable }} diff --git a/roles/internal/Islandora-Devops.crayfish/templates/Milliner/packages/crayfish_commons.yaml.j2 b/roles/internal/Islandora-Devops.crayfish/templates/Milliner/packages/crayfish_commons.yaml.j2 deleted file mode 100644 index 4eeadd3a..00000000 --- a/roles/internal/Islandora-Devops.crayfish/templates/Milliner/packages/crayfish_commons.yaml.j2 +++ /dev/null @@ -1,3 +0,0 @@ -crayfish_commons: - fedora_base_uri: {{ crayfish_milliner_fedora_base_url }} - syn_config: {{ crayfish_milliner_jwt_config }} diff --git a/roles/internal/Islandora-Devops.crayfish/templates/Milliner/packages/lexik_jwt_authentication.yaml.j2 b/roles/internal/Islandora-Devops.crayfish/templates/Milliner/packages/lexik_jwt_authentication.yaml.j2 new file mode 100644 index 00000000..6251c306 --- /dev/null +++ b/roles/internal/Islandora-Devops.crayfish/templates/Milliner/packages/lexik_jwt_authentication.yaml.j2 
@@ -0,0 +1,10 @@ +### This file is managed with Ansible ### +lexik_jwt_authentication: + # Need secret key to generate a token, this is not necessary for normal usage as the key is generated by Drupal. + secret_key: '' + # This is required if you have set a passphrase on the secret key, this is generally not needed. + pass_phrase: '' + # This is the public key from the pair generated by Drupal and is required to validate the JWTs + public_key: '{{ crayfish_install_dir }}/public.key' + # By default lexik_jwt looks for the username key in the payload, we use sub + user_identity_field: sub diff --git a/roles/internal/Islandora-Devops.crayfish/templates/Milliner/packages/security.yaml.j2 b/roles/internal/Islandora-Devops.crayfish/templates/Milliner/packages/security.yaml.j2 index 4867620e..ca945874 100644 --- a/roles/internal/Islandora-Devops.crayfish/templates/Milliner/packages/security.yaml.j2 +++ b/roles/internal/Islandora-Devops.crayfish/templates/Milliner/packages/security.yaml.j2 @@ -1,12 +1,12 @@ -# This file managed by Ansible - -# To disable Syn checking, set syn_enabled=false in crayfish_commons.yaml and remove this configuration file. +### This file managed by Ansible ### +### To disable authentication, set crayfish_milliner_jwt_enabled to false. security: - - # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers + enable_authenticator_manager: true + # https://symfony.com/doc/5.4/security.html#where-do-users-come-from-user-providers providers: - jwt_user_provider: - id: Islandora\Crayfish\Commons\Syn\JwtUserProvider + users_in_memory: { memory: null } + jwt: + lexik_jwt: ~ firewalls: dev: 
@@ -16,25 +16,20 @@ security: # Need stateless or it reloads the User based on a token. stateless: true {%if crayfish_milliner_jwt_enabled == true %} - anonymous: false - - provider: jwt_user_provider - guard: - authenticators: - - Islandora\Crayfish\Commons\Syn\JwtAuthenticator + provider: jwt + jwt: ~ # activate different ways to authenticate - # https://symfony.com/doc/current/security.html#firewalls-authentication + # https://symfony.com/doc/5.4/security.html#firewalls-authentication - # https://symfony.com/doc/current/security/impersonating_user.html + # https://symfony.com/doc/5.4/security/impersonating_user.html # switch_user: true - +{% else %} + anonymous: true +{% endif %} # Easy way to control access for large sections of your site # Note: Only the *first* access control that matches will be used access_control: - # - { path: ^/admin, roles: ROLE_ADMIN } - # - { path: ^/profile, roles: ROLE_USER } -{% else %} - anonymous: true -{% endif %} + # - { path: ^/admin, roles: ROLE_ADMIN } + # - { path: ^/profile, roles: ROLE_USER } diff --git a/roles/internal/Islandora-Devops.crayfish/templates/Milliner/services.yaml.j2 b/roles/internal/Islandora-Devops.crayfish/templates/Milliner/services.yaml.j2 index 739175f5..78177062 100644 --- a/roles/internal/Islandora-Devops.crayfish/templates/Milliner/services.yaml.j2 +++ b/roles/internal/Islandora-Devops.crayfish/templates/Milliner/services.yaml.j2 @@ -5,7 +5,7 @@ # Files in the packages/ subdirectory configure your dependencies. # Put parameters here that don't need to change on each machine where the app is deployed -# https://symfony.com/doc/current/best_practices/configuration.html#application-related-configuration +# https://symfony.com/doc/5.4/best_practices/configuration.html#application-related-configuration parameters: app.fedora_base_url: {{ crayfish_milliner_fedora_base_url }} app.drupal_base_url: {{ crayfish_milliner_drupal_base_url }} 
@@ -34,6 +34,7 @@ services: $modifiedDatePredicate: '%app.modified_date_predicate%' $stripFormatJsonld: '%app.strip_format_jsonld%' $isFedora6: '%app.isFedora6%' + $fedoraBaseUrl: '%app.fedora_base_url%' # controllers are imported separately to make sure services can be injected # as action arguments even if you don't extend any base controller class diff --git a/roles/internal/Islandora-Devops.crayfish/templates/Recast/packages/crayfish_commons.yaml.j2 b/roles/internal/Islandora-Devops.crayfish/templates/Recast/packages/crayfish_commons.yaml.j2 index 2889ec9c..d2ce8be3 100644 --- a/roles/internal/Islandora-Devops.crayfish/templates/Recast/packages/crayfish_commons.yaml.j2 +++ b/roles/internal/Islandora-Devops.crayfish/templates/Recast/packages/crayfish_commons.yaml.j2 @@ -1,3 +1,3 @@ +### This file is managed with Ansible ### crayfish_commons: fedora_base_uri: {{ crayfish_recast_fedora_base_url }} - syn_config: {{ crayfish_recast_jwt_config }} diff --git a/roles/internal/Islandora-Devops.crayfish/templates/Recast/packages/lexik_jwt_authentication.yaml.j2 b/roles/internal/Islandora-Devops.crayfish/templates/Recast/packages/lexik_jwt_authentication.yaml.j2 new file mode 100644 index 00000000..6251c306 --- /dev/null +++ b/roles/internal/Islandora-Devops.crayfish/templates/Recast/packages/lexik_jwt_authentication.yaml.j2 @@ -0,0 +1,10 @@ +### This file is managed with Ansible ### +lexik_jwt_authentication: + # Need secret key to generate a token, this is not necessary for normal usage as the key is generated by Drupal. + secret_key: '' + # This is required if you have set a passphrase on the secret key, this is generally not needed. + pass_phrase: '' + # This is the public key from the pair generated by Drupal and is required to validate the JWTs + public_key: '{{ crayfish_install_dir }}/public.key' + # By default lexik_jwt looks for the username key in the payload, we use sub + user_identity_field: sub 
diff --git a/roles/internal/Islandora-Devops.crayfish/templates/Recast/packages/security.yaml.j2 b/roles/internal/Islandora-Devops.crayfish/templates/Recast/packages/security.yaml.j2 index aa820b80..f379a9ea 100644 --- a/roles/internal/Islandora-Devops.crayfish/templates/Recast/packages/security.yaml.j2 +++ b/roles/internal/Islandora-Devops.crayfish/templates/Recast/packages/security.yaml.j2 @@ -1,12 +1,12 @@ -# This file managed by Ansible - -# To disable Syn checking, set syn_enabled=false in crayfish_commons.yaml and remove this configuration file. +### This file managed by Ansible ### +### To disable authentication, set crayfish_recast_jwt_enabled to false. security: - - # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers + enable_authenticator_manager: true + # https://symfony.com/doc/5.4/security.html#where-do-users-come-from-user-providers providers: - jwt_user_provider: - id: Islandora\Crayfish\Commons\Syn\JwtUserProvider + users_in_memory: { memory: null } + jwt: + lexik_jwt: ~ firewalls: dev: 
@@ -16,25 +16,20 @@ security: # Need stateless or it reloads the User based on a token. stateless: true {%if crayfish_recast_jwt_enabled == true %} - anonymous: false - - provider: jwt_user_provider - guard: - authenticators: - - Islandora\Crayfish\Commons\Syn\JwtAuthenticator + provider: jwt + jwt: ~ # activate different ways to authenticate - # https://symfony.com/doc/current/security.html#firewalls-authentication + # https://symfony.com/doc/5.4/security.html#firewalls-authentication - # https://symfony.com/doc/current/security/impersonating_user.html + # https://symfony.com/doc/5.4/security/impersonating_user.html # switch_user: true - +{% else %} + anonymous: true +{% endif %} # Easy way to control access for large sections of your site # Note: Only the *first* access control that matches will be used access_control: - # - { path: ^/admin, roles: ROLE_ADMIN } - # - { path: ^/profile, roles: ROLE_USER } -{% else %} - anonymous: true -{% endif %} + # - { path: ^/admin, roles: ROLE_ADMIN } + # - { path: ^/profile, roles: ROLE_USER } diff --git a/roles/internal/Islandora-Devops.crayfish/templates/Recast/services.yaml.j2 b/roles/internal/Islandora-Devops.crayfish/templates/Recast/services.yaml.j2 index 03d41b30..462fa0ce 100644 --- a/roles/internal/Islandora-Devops.crayfish/templates/Recast/services.yaml.j2 +++ b/roles/internal/Islandora-Devops.crayfish/templates/Recast/services.yaml.j2 @@ -5,7 +5,7 @@ # Files in the packages/ subdirectory configure your dependencies. # Put parameters here that don't need to change on each machine where the app is deployed -# https://symfony.com/doc/current/best_practices/configuration.html#application-related-configuration +# https://symfony.com/doc/5.4/best_practices/configuration.html#application-related-configuration parameters: app.drupal_base_url: {{ crayfish_recast_drupal_base_url }} app.fedora_base_url: {{ crayfish_recast_fedora_base_url }} 
diff --git a/roles/internal/Islandora-Devops.crayfish/templates/syn-settings.xml.jp2 b/roles/internal/Islandora-Devops.crayfish/templates/syn-settings.xml.jp2 deleted file mode 100644 index 65b04e35..00000000 --- a/roles/internal/Islandora-Devops.crayfish/templates/syn-settings.xml.jp2 +++ /dev/null @@ -1,8 +0,0 @@ - - - - - - {{ crayfish_syn_token }} - - diff --git a/vars/Debian.yml b/vars/Debian.yml index 14e8606c..d066b808 100644 --- a/vars/Debian.yml +++ b/vars/Debian.yml @@ -8,4 +8,4 @@ php_packages_extra: - "php{{ php_version }}-pgsql" - "php{{ php_version }}-gd" - "php{{ php_version }}-xml" - + - "php{{ php_version }}-curl"