/oe_authentication

The OpenEuropa Authentication Drupal module allows to authenticate against the European Commission login service EU Login (ECAS)

Primary LanguagePHPOtherNOASSERTION

OpenEuropa Authentication

Build Status Packagist

The OpenEuropa Authentication module allows authentication against EU Login, the European Commission login service.

Table of contents:

Requirements

This module requires the following modules:

Installation

The recommended way of installing the OpenEuropa Authentication module is via Composer.

composer require openeuropa/oe_authentication

Enable the module

In order to enable the module in your project run:

./vendor/bin/drush en oe_authentication

EU Login service parameters are already set by default when installing the module. Please refer to the EU Login documentation for the available options that can be specified. You can see Project setup section on how to override these parameters.

Configuration

EU Login service parameters are already set by default when installing the module. Please refer to the EU Login documentation for the available options that can be specified. You can see Project setup section on how to override these parameters.

Settings overrides

In the Drupal settings.php you can override CAS parameters such as the ones below, corresponding to the cas.settings and oe_authentication.settings configuration objects.

$config['cas.settings']['server']['hostname'] = 'authentication';
$config['cas.settings']['server']['port'] = '7002';
$config['cas.settings']['server']['path'] = '/cas';
$config['oe_authentication.settings']['register_path'] = 'register';
$config['oe_authentication.settings']['validation_path'] = 'TicketValidationService';

By default, the development setup is configured via Task Runner to use the demo CAS server provided in the docker-compose.yml.dist, i.e. https://authentication:7002.

If you want to test the module with the actual EU Login service, comment out all the lines above in your settings.php and clear the cache.

Account Handling & Auto Registration

The module enables the option that if a user attempts to login with an account that is not already registered, the account will automatically be created.

See the Cas module for more information.

Forced Login

The module enables the Forced Login feature to force anonymous users to authenticate via CAS when they hit all or some of the pages on your site.

See the Cas module for more information.

SSL Verification Setting

The EU Login Authentication server must be accessed over HTTPS and the drupal site will verify the SSL/TLS certificate of the server to be sure it is authentic.

For development, you can configure the module to disable this verification:

$config['cas.settings']['server']['verify'] = '2';

NOTE: DO NOT USE IN PRODUCTION!

See the Cas module for more information.

Proxy

You can configure the module to "Initialize this client as a proxy" which allows authentication requests to 3rd party services (e.g. ePOETRY).

$config['cas.settings']['proxy']['initialize'] = TRUE;

This option is not enabled by default, if you want to use it please refer to Enable HTTPS PROXY for the drupal site for development. to be sure that your site is available over HTTPS and has good certificates.

See the Cas module for more information.

Development

The OpenEuropa Authentication project contains all the necessary code and tools for an effective development process, such as:

  • All PHP development dependencies (Drupal core included) are required by composer.json
  • Project setup and installation can be easily handled thanks to the integration with the Task Runner project.
  • All system requirements are containerized using Docker Composer
  • A mock server for testing.

Project setup

Download all required PHP code by running:

composer install

This will build a fully functional Drupal test site in the ./build directory that can be used to develop and showcase the module's functionality.

Before setting up and installing the site make sure to customize default configuration values by copying runner.yml.dist to ./runner.yml and overriding relevant properties.

This command will also:

  • Symlink the theme in ./build/modules/custom/oe_authentication so that it's available for the test site
  • Setup Drush and Drupal's settings using values from ./runner.yml.dist. This includes adding parameters for EULogin
  • Setup PHPUnit and Behat configuration files using values from ./runner.yml.dist

After a successful setup install the site by running:

./vendor/bin/run drupal:site-install

This will:

  • Install the test site
  • Enable the OpenEuropa Authentication module

Using Docker Compose

Alternatively, you can build a development site using Docker and Docker Compose with the provided configuration.

Docker provides the necessary services and tools such as a web server and a database server to get the site running, regardless of your local host configuration.

Requirements:

Configuration

By default, Docker Compose reads two files, a docker-compose.yml and an optional docker-compose.override.yml file. By convention, the docker-compose.yml contains your base configuration and it's provided by default. The override file, as its name implies, can contain configuration overrides for existing services or entirely new services. If a service is defined in both files, Docker Compose merges the configurations.

Find more information on Docker Compose extension mechanism on the official Docker Compose documentation.

Usage

To start, run:

docker-compose up

It's advised to not daemonize docker-compose so you can turn it off (CTRL+C) quickly when you're done working. However, if you'd like to daemonize it, you have to add the flag -d:

docker-compose up -d

Then:

docker-compose exec web composer install
docker-compose exec web ./vendor/bin/run drupal:site-install

To be able to interact with the EULogin Mock Service container you need to add the internal container hostname to the hosts file in your OS.

echo "127.0.1.1       authentication" >> /etc/hosts

Using default configuration, the development site files should be available in the build directory and the development site should be available at: http://127.0.0.1:8080/build.

Running the tests

To run the grumphp checks:

docker-compose exec web ./vendor/bin/grumphp run

To run the phpunit tests:

docker-compose exec web ./vendor/bin/phpunit

To run the behat tests:

docker-compose exec web ./vendor/bin/behat

Authenticating using the EULogin Mock Service

EULogin Mock Service container replicates the EU Login service.

To be able to interact with the EULogin Mock Service container you need to add the internal container hostname to the hosts file in your OS.

echo "127.0.1.1       authentication" >> /etc/hosts

To configure the container with User's structures and with some examples of User, you can use files present on the folder tests/fixtures/mock-server-config/.

The container docker that provides the EULogin Mock Service ecas-mock-server:4.6.0 is available on a private repo registry.fpfis.tech.ec.europa.eu, please contact DEVOPS team to request access.

See Docker login to connect to the repository.

Authenticating with HTTPS PROXY Ticket

To enable the https proxy you can uncomment and use the service secureweb in docker-compose.yml

services:
  secureweb:
    image: aheimsbakk/https-proxy:4
    ports:
      - 80:80
      - 443:443
    links:
      - <name of web container>:http
    restart: always
    volumes:
      - ./tests/fixtures/certs/secureweb:/etc/ssl/private
    environment:
      - SERVER_NAME=secureweb
      - SERVER_ADMIN=webmaster@mydomain.com
      - PORT_REDIRECT=8080
      - SSL_CERT_FILE=/etc/ssl/private/MyKeystore.crt
      - SSL_PRIVKEY_FILE=/etc/ssl/private/MyKeystore.key
      - SSL_CHAIN_FILE=/etc/ssl/private/MyKeystore.p12

To be able to interact with the https proxy container you need to add the internal container hostname to the hosts file in your OS.

echo "127.0.1.1       secureweb" >> /etc/hosts

Your test site will be available at https://secureweb/build.

Troubleshooting

Disable Drupal 8 caching

Manually disabling Drupal 8 caching is a laborious process that is well described here.

Alternatively you can use the following Drupal Console commands to disable/enable Drupal 8 caching:

./vendor/bin/drupal site:mode dev  # Disable all caches.
./vendor/bin/drupal site:mode prod # Enable all caches.

Note: to fully disable Twig caching the following additional manual steps are required:

  1. Open ./build/sites/default/services.yml
  2. Set cache: false in twig.config: property. E.g.:
parameters:
 twig.config:
   cache: false
  1. Rebuild Drupal cache: ./vendor/bin/drush cr

This is due to the following Drupal Console issue.

Contributing

Please read the full documentation for details on our code of conduct, and the process for submitting pull requests to us.

Versioning

We use SemVer for versioning. For the available versions, see the tags on this repository.