VACMS-15798 / 15791 / 15795 next preview configs + oauth key handling

.gitignore

@@ -104,6 +104,9 @@ datadog-setup.php
 
 # Ignore Next (next-build)
 next
+# Ignore oauth keys used for validating next-build preview api requests
+public.key
+private.key
 
 # Temporary .deb packages
 *.deb

.tugboat/config.yml

@@ -104,6 +104,10 @@ services:
         - cp "${TUGBOAT_ROOT}"/.tugboat/*.crt /usr/local/share/ca-certificates
         - update-ca-certificates
 
+        # Write OAuth keys to files for next-build Preview Server validation
+        - echo ${OAUTH_PUBLIC_KEY} >> ${TUGBOAT_ROOT}/public.key
+        - echo ${OAUTH_PRIVATE_KEY} >> ${TUGBOAT_ROOT}/private.key
+
         # Install drush-launcher, if desired.
         - wget -O /usr/local/bin/drush https://github.com/drush-ops/drush-launcher/releases/download/0.6.0/drush.phar
         - chmod +x /usr/local/bin/drush
@@ -233,9 +237,17 @@ services:
         - find -L "${DOCROOT}/vendor/va-gov/content-build/node_modules/.bin" -type f -exec chmod +x {} \+
         - find "${DOCROOT}/vendor/va-gov/content-build/script" -type f -exec chmod +x {} \+
 
-        # Build storybook and the frontends in parallel
+        # Put necessary env variables in place for next's Drupal Preview before building server
+        # Need to construct this way instead of TUGBOAT_DEFAULT_SERVICE_URL in order to drop the trailing /
+        - echo "NEXT_PUBLIC_DRUPAL_BASE_URL=https://cms-${TUGBOAT_SERVICE_TOKEN}.${TUGBOAT_SERVICE_CONFIG_DOMAIN}" >> ${TUGBOAT_ROOT}/next/envs/.env.tugboat
+        - echo "NEXT_IMAGE_DOMAIN=https://cms-${TUGBOAT_SERVICE_TOKEN}.${TUGBOAT_SERVICE_CONFIG_DOMAIN}" >> ${TUGBOAT_ROOT}/next/envs/.env.tugboat
+        - echo "DRUPAL_CLIENT_ID=${DRUPAL_CLIENT_ID}" >> ${TUGBOAT_ROOT}/next/envs/.env.tugboat
+        - echo "DRUPAL_CLIENT_SECRET=${DRUPAL_CLIENT_SECRET}" >> ${TUGBOAT_ROOT}/next/envs/.env.tugboat
+
+        # Build storybook and the frontends (web, next) in parallel
         - bash -lc 'time task --taskfile=tugboat.yml'
-        # Build next build server
+
+        # Start the next build server
         - bash -lc 'composer va:next:start'
 
   memcache:

config/sync/next.next_site.next_build_preview_server.yml

@@ -0,0 +1,11 @@
+uuid: 75dd1bfb-8507-4981-90b6-3830400e1434
+langcode: en
+status: true
+dependencies: {  }
+id: next_build_preview_server
+label: 'Next Build Preview Server'
+base_url: 'http://localhost:3000'
+preview_url: 'http://localhost:3000/api/preview'
+preview_secret: secret
+revalidate_url: ''
+revalidate_secret: ''

config/sync/next.settings.yml

@@ -6,3 +6,7 @@ site_previewer_configuration:
   width: 100%
   sync_route: false
   sync_route_skip_routes: ''
+preview_url_generator: simple_oauth
+preview_url_generator_configuration:
+  secret_expiration: 300
+debug: false

config/sync/simple_oauth.settings.yml

@@ -3,7 +3,9 @@ _core:
 access_token_expiration: 300
 authorization_code_expiration: 300
 refresh_token_expiration: 1209600
-remember_clients: true
 token_cron_batch_size: 0
+public_key: ../public.key
+private_key: ../private.key
+remember_clients: true
 use_implicit: false
 disable_openid_connect: false

config/sync/user.role.next_js.yml

@@ -3,17 +3,24 @@ langcode: en
 status: true
 dependencies:
   module:
+    - content_moderation
+    - media
     - node
     - subrequests
+    - system
     - va_gov_backend
 third_party_settings:
   va_gov_backend:
     vgb_description: 'Role for Next.js JSON API data access.'
 id: next_js
 label: Next.js
-weight: 8
+weight: 7
 is_admin: null
 permissions:
+  - 'access content'
   - 'access user profiles'
-  - 'bypass node access'
   - 'issue subrequests'
+  - 'view all revisions'
+  - 'view any unpublished content'
+  - 'view latest version'
+  - 'view media'

docroot/sites/default/settings/settings.tugboat.php

@@ -37,6 +37,10 @@
 $config['environment_indicator.indicator']['fg_color'] = '#212121';
 $config['environment_indicator.indicator']['name'] = 'Tugboat';
 
+// Update next-build site endpoint to the appropriate tugboat alias
+$config['next.next_site.next_build_preview_server']['base_url'] = 'https://next-' . getenv('TUGBOAT_SERVICE_TOKEN') . '.' . getenv('TUGBOAT_SERVICE_CONFIG_DOMAIN');
+$config['next.next_site.next_build_preview_server']['preview_url'] = 'https://next-' . getenv('TUGBOAT_SERVICE_TOKEN') . '.' . getenv('TUGBOAT_SERVICE_CONFIG_DOMAIN') . '/api/preview';
+
 $settings['trusted_host_patterns'] = [
   '^localhost$',
   '^.*' . getenv('TUGBOAT_SERVICE_TOKEN') . '.' . getenv('TUGBOAT_SERVICE_CONFIG_DOMAIN') . '$',
@@ -71,7 +75,7 @@
 
 // PIV login does not currently work on Tugboat.
 //
-// To avoid confusing editors, we want to disable PIV login completely on 
+// To avoid confusing editors, we want to disable PIV login completely on
 // Tugboat demo environments.
 //
 // However, we want to _preserve_ the PIV login interface on Tugboat PR