diff --git a/.gitignore b/.gitignore index 39f475fda7..89b52fc6b7 100644 --- a/.gitignore +++ b/.gitignore @@ -104,6 +104,9 @@ datadog-setup.php # Ignore Next (next-build) next +# Ignore oauth keys used for validating next-build preview api requests +public.key +private.key # Temporary .deb packages *.deb diff --git a/.tugboat/config.yml b/.tugboat/config.yml index c4a7c97f68..96e452dd70 100644 --- a/.tugboat/config.yml +++ b/.tugboat/config.yml @@ -104,6 +104,10 @@ services: - cp "${TUGBOAT_ROOT}"/.tugboat/*.crt /usr/local/share/ca-certificates - update-ca-certificates + # Write OAuth keys to files for next-build Preview Server validation + - echo "${OAUTH_PUBLIC_KEY}" >> ${TUGBOAT_ROOT}/public.key + - echo "${OAUTH_PRIVATE_KEY}" >> ${TUGBOAT_ROOT}/private.key + # Install drush-launcher, if desired. - wget -O /usr/local/bin/drush https://github.com/drush-ops/drush-launcher/releases/download/0.6.0/drush.phar - chmod +x /usr/local/bin/drush 
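Review bot: In `.tugboat/config.yml`, the two added `echo "${OAUTH_…_KEY}" >> ${TUGBOAT_ROOT}/….key` commands append instead of overwriting, and they leave `private.key` at whatever mode the default umask produces. If this stage ever runs on a filesystem that already holds the files, a second PEM block is stacked onto the first. Writing with `>` and then setting the mode avoids both, e.g. `- printf '%s\n' "${OAUTH_PRIVATE_KEY}" > "${TUGBOAT_ROOT}/private.key"` followed by `- chmod 600 "${TUGBOAT_ROOT}/private.key"`, with ownership set so the web server user can still read it (the owner is not visible in this hunk, so please confirm). Quoting the path also guards against word splitting. The `.env.tugboat` writes in the next hunk of this file, including `DRUPAL_CLIENT_SECRET`, use the same `>>` pattern and would accumulate duplicate entries in the same way.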
@@ -233,9 +237,17 @@ services: - find -L "${DOCROOT}/vendor/va-gov/content-build/node_modules/.bin" -type f -exec chmod +x {} \+ - find "${DOCROOT}/vendor/va-gov/content-build/script" -type f -exec chmod +x {} \+ - # Build storybook and the frontends in parallel + # Put necessary env variables in place for next's Drupal Preview before building server + # Need to construct this way instead of TUGBOAT_DEFAULT_SERVICE_URL in order to drop the trailing / + - echo "NEXT_PUBLIC_DRUPAL_BASE_URL=https://cms-${TUGBOAT_SERVICE_TOKEN}.${TUGBOAT_SERVICE_CONFIG_DOMAIN}" >> ${TUGBOAT_ROOT}/next/envs/.env.tugboat + - echo "NEXT_IMAGE_DOMAIN=https://cms-${TUGBOAT_SERVICE_TOKEN}.${TUGBOAT_SERVICE_CONFIG_DOMAIN}" >> ${TUGBOAT_ROOT}/next/envs/.env.tugboat + - echo "DRUPAL_CLIENT_ID=${DRUPAL_CLIENT_ID}" >> ${TUGBOAT_ROOT}/next/envs/.env.tugboat + - echo "DRUPAL_CLIENT_SECRET=${DRUPAL_CLIENT_SECRET}" >> ${TUGBOAT_ROOT}/next/envs/.env.tugboat + + # Build storybook and the frontends (web, next) in parallel - bash -lc 'time task --taskfile=tugboat.yml' - # Build next build server + + # Start the next build server - bash -lc 'composer va:next:start' memcache: diff --git a/config/sync/next.next_site.next_build_preview_server.yml b/config/sync/next.next_site.next_build_preview_server.yml new file mode 100644 index 0000000000..3e3a99c8bb --- /dev/null +++ b/config/sync/next.next_site.next_build_preview_server.yml @@ -0,0 +1,11 @@ +uuid: 75dd1bfb-8507-4981-90b6-3830400e1434 +langcode: en +status: true +dependencies: { } +id: next_build_preview_server +label: 'Next Build Preview Server' +base_url: 'http://localhost:3000' +preview_url: 'http://localhost:3000/api/preview' +preview_secret: secret +revalidate_url: '' +revalidate_secret: '' diff --git a/config/sync/next.settings.yml b/config/sync/next.settings.yml index 19893cfd6f..6d1945a747 100644 --- a/config/sync/next.settings.yml +++ b/config/sync/next.settings.yml 
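Review bot: In the new `config/sync/next.next_site.next_build_preview_server.yml`, `preview_secret: secret` commits a guessable placeholder into synced configuration, so every environment that imports this config shares it unless it is overridden. The `settings.tugboat.php` change in this commit overrides `base_url` and `preview_url` for this entity but not `preview_secret`. If any preview validation path still relies on this value, it should be injected per environment, for example `$config['next.next_site.next_build_preview_server']['preview_secret'] = getenv('NEXT_PREVIEW_SECRET');` (the variable name is a placeholder). The exported value would then be left empty or clearly marked as a dummy.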
@@ -6,3 +6,7 @@ site_previewer_configuration: width: 100% sync_route: false sync_route_skip_routes: '' +preview_url_generator: simple_oauth +preview_url_generator_configuration: + secret_expiration: 300 +debug: false diff --git a/config/sync/simple_oauth.settings.yml b/config/sync/simple_oauth.settings.yml index f58228bc1d..0cffd710fb 100644 --- a/config/sync/simple_oauth.settings.yml +++ b/config/sync/simple_oauth.settings.yml @@ -3,7 +3,9 @@ _core: access_token_expiration: 300 authorization_code_expiration: 300 refresh_token_expiration: 1209600 -remember_clients: true token_cron_batch_size: 0 +public_key: ../public.key +private_key: ../private.key +remember_clients: true use_implicit: false disable_openid_connect: false diff --git a/config/sync/user.role.next_js.yml b/config/sync/user.role.next_js.yml index 20eeaa6867..aaab07f0a1 100644 --- a/config/sync/user.role.next_js.yml +++ b/config/sync/user.role.next_js.yml @@ -3,17 +3,24 @@ langcode: en status: true dependencies: module: + - content_moderation + - media - node - subrequests + - system - va_gov_backend third_party_settings: va_gov_backend: vgb_description: 'Role for Next.js JSON API data access.' id: next_js label: Next.js -weight: 8 +weight: 7 is_admin: null permissions: + - 'access content' - 'access user profiles' - - 'bypass node access' - 'issue subrequests' + - 'view all revisions' + - 'view any unpublished content' + - 'view latest version' + - 'view media' diff --git a/docroot/sites/default/settings/settings.tugboat.php b/docroot/sites/default/settings/settings.tugboat.php index c1d2e1de44..a5bb4486ee 100644 --- a/docroot/sites/default/settings/settings.tugboat.php +++ b/docroot/sites/default/settings/settings.tugboat.php 
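Review bot: In `config/sync/user.role.next_js.yml`, `vgb_description` still reads 'Role for Next.js JSON API data access.' even though the role now grants `view any unpublished content`, `view all revisions` and `view latest version`. Dropping `bypass node access` narrows the role, but whoever holds the OAuth client credentials mapped to it can read all draft content, and the description should say so for anyone auditing role assignments: `vgb_description: 'Role for Next.js JSON API data access, including unpublished content and revisions for preview.'`. It is also worth confirming that the retained `access user profiles` permission is still needed by the preview flow, since nothing in this hunk shows a use for it.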
@@ -37,6 +37,10 @@ $config['environment_indicator.indicator']['fg_color'] = '#212121'; $config['environment_indicator.indicator']['name'] = 'Tugboat'; +// Update next-build site endpoint to the appropriate tugboat alias +$config['next.next_site.next_build_preview_server']['base_url'] = 'https://next-' . getenv('TUGBOAT_SERVICE_TOKEN') . '.' . getenv('TUGBOAT_SERVICE_CONFIG_DOMAIN'); +$config['next.next_site.next_build_preview_server']['preview_url'] = 'https://next-' . getenv('TUGBOAT_SERVICE_TOKEN') . '.' . getenv('TUGBOAT_SERVICE_CONFIG_DOMAIN') . '/api/preview'; + $settings['trusted_host_patterns'] = [ '^localhost$', '^.*' . getenv('TUGBOAT_SERVICE_TOKEN') . '.' . getenv('TUGBOAT_SERVICE_CONFIG_DOMAIN') . '$', @@ -71,7 +75,7 @@ // PIV login does not currently work on Tugboat. // -// To avoid confusing editors, we want to disable PIV login completely on +// To avoid confusing editors, we want to disable PIV login completely on // Tugboat demo environments. // // However, we want to _preserve_ the PIV login interface on Tugboat PR
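Review bot: The two added `$config['next.next_site.next_build_preview_server']` lines in `settings.tugboat.php` build the same host string twice from `getenv()`, so the two URLs can drift apart on a later edit. Since `getenv()` returns `false` for an unset variable, a missing value would silently produce `https://next-.` as the preview target. Building it once keeps both settings in step: `$next_build_url = 'https://next-' . getenv('TUGBOAT_SERVICE_TOKEN') . '.' . getenv('TUGBOAT_SERVICE_CONFIG_DOMAIN');`, then `…['base_url'] = $next_build_url;` and `…['preview_url'] = $next_build_url . '/api/preview';`. A short comment noting that both variables are expected to be supplied by Tugboat would document the assumption.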