-
Notifications
You must be signed in to change notification settings - Fork 4
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added submodule Tide OAuth. #172
Conversation
On-behalf-of: @salsadigitalauorg <sonny@salsadigital.com.au>
On-behalf-of: @salsadigitalauorg <sonny@salsadigital.com.au>
fe71cbe
to
ccf34e4
Compare
On-behalf-of: @salsadigitalauorg <sonny@salsadigital.com.au>
ccf34e4
to
84fcbb3
Compare
On-behalf-of: @salsadigitalauorg <sonny@salsadigital.com.au>
On-behalf-of: @salsadigitalauorg <sonny@salsadigital.com.au>
@sonnykt for my understanding why would we ever want to provide env variables for generating keys? Is it good enough to let them be generated every time? The main motivation here is that the |
* If the TIDE_OAUTH_ environment variables are set, the module will copy | ||
the keys to `private://oauth.key` and `private://oauth.pub`. | ||
* Otherwise, the module will generate a new key pair. | ||
3. _(Optional - **Lagoon only**)_ Add a `post-rollout` task to generate the OAuth |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there any reason this couldn't be an openssl command to generate on the fly from scratch?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if the key changes, all existing tokens become invalid, even if they are not expired.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So if the deploy step checked if the key existed first before trying to create it, then it would work?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it only happens upon installation. If it's already on Prod and you launch a new dev env, the key pair doesn't exist on the new env and it still fails. There is no mechanism for Drupal to check the key pair upon init, hence the lagoon post-rollout
task to trigger the Drush command copy the env to the key pair. The Drush command doesn't generate a new key pair if the env var doesn't exist.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you see any issue if we use a HMAC key rather than an RSA key @sonnykt ? It should just be the instructions that change. HMAC will be a single line token that can then be defined at the project level in Lagoon (and overridden for production) and will be able to be managed by our configuration management.
@@ -0,0 +1,12 @@ | |||
{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We are still on Drush 8, does this present an issue here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it's not an issue. drush.services.yml
only takes effect from Drush 9. That snippet ensures that we support both 8 and 9.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
If there is no env variable, the module will generate a random key pair upon its installation. The env var is to ensure that all envs have the same key pair. |
And more importantly, if I understand correctly @sonnykt that they remain the same after deploy? See my previous comment re: using a HMAC rather than RSA. If this is ok then I'm ok with this. Maintaining the |
I don't think OAuth2 server accepts HMAC key. It requires a key pair. |
Thinking some more about this @sonnykt and the install creates a valid key in |
The module installation creates a key pair in The
|
I think this is the best solution. That post deploy step can stay in place as it won't be destructive. Do you think it needs some sort of |
On-behalf-of: @salsadigitalauorg <sonny@salsadigital.com.au>
dac7a1c
to
20ab5d0
Compare
Hey @sonnykt did this get done? |
@anthony-malkoun I doubt that. IIRC we only discussed but haven't got a final decision yet. |
Who are you waiting for a final decision from? I'm happy for this to happen. |
@anthony-malkoun you'd probably get @vincent-gao to make the change as my allocation this week is for VT. |
…keys. (#197) * [tide_oauth_changes] Updated drush command to generate keys if no envkeys.
On-behalf-of: @salsadigitalauorg sonny@salsadigital.com.au