deploy: update version of chill-bundles

.drone.yml

@@ -33,6 +33,8 @@ steps:
       commands:
           - composer install --no-scripts --no-interaction
           - composer update --with-all-dependencies --no-interaction chill-project/chill-bundles
+      depends_on:
+          - build-base-image
 
     - name: build-assets
       image: node:14
@@ -40,6 +42,8 @@ steps:
       commands:
           - yarn install
           - yarn run encore production
+      depends_on:
+          - composer-install
 
     - name: build-image-php
       image: plugins/docker
@@ -56,6 +60,9 @@ steps:
           cache_from:
               - h3m6q87t.gra7.container-registry.ovh.net/chillbasics/php-base:latest
               - chill/base-image:latest
+      depends_on:
+          - build-assets
+          - composer-install
 
     - name: build-image-nginx
       image: plugins/docker
@@ -70,3 +77,5 @@ steps:
           tag:
             - ${DRONE_TAG}
           Dockerfile: docker/nginx/Dockerfile
+      depends_on:
+          - build-assets

.env

@@ -3,18 +3,16 @@
 ## `$ composer symfony:dump-env prod`
 ##
 
-## Project environment
-# this should be set in docker-compose.yml file
-# APP_ENV=prod
-
-## Enable debug
-APP_DEBUG=false
-
 ## Locale
 LOCALE=fr
 
-## Framework secret
-APP_SECRET=ThisTokenIsNotSoSecretChangeIt
+###> symfony/framework-bundle ###
+# this should be set in docker-compose.yml file
+APP_ENV=prod
+APP_SECRET=ChangeItf2b58287ef7f9976409d3f6c72529e99ChangeIt
+TRUSTED_PROXIES=127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
+TRUSTED_HOSTS='^(localhost|example\.com|nginx)$'
+###< symfony/framework-bundle ###
 
 ## Wopi server for editing documents online
 WOPI_SERVER=http://collabora:9980
@@ -22,13 +20,6 @@ WOPI_SERVER=http://collabora:9980
 # must be manually set in .env.local
 # ADMIN_PASSWORD=
 
-## Symfony/framework-bundle
-TRUSTED_HOSTS='^(localhost|127.0.0.1|test.localde)$'
-TRUSTED_PROXIES=~
-
-## Doctrine/doctrine-bundle
-DATABASE_URL=
-
 ## Symfony/swiftmailer
 ## Mailer
 ###> symfony/mailer ###
@@ -83,3 +74,16 @@ SHORT_MESSAGE_DSN=null://null
 # MESSENGER_TRANSPORT_DSN=redis://localhost:6379/messages
 MESSENGER_TRANSPORT_DSN=sync://
 ###< symfony/messenger ###
+
+###> doctrine/doctrine-bundle ###
+# Format described at https://www.doctrine-project.org/projects/doctrine-dbal/en/latest/reference/configuration.html#connecting-using-a-url
+# IMPORTANT: You MUST configure your server version, either here or in config/packages/doctrine.yaml
+#
+DATABASE_URL="postgresql://postgres:postgres@db:5432/postgres?serverVersion=14&charset=utf8"
+###< doctrine/doctrine-bundle ###
+
+###> lexik/jwt-authentication-bundle ###
+JWT_SECRET_KEY=%kernel.project_dir%/config/jwt/private.pem
+JWT_PUBLIC_KEY=%kernel.project_dir%/config/jwt/public.pem
+JWT_PASSPHRASE=2a30f6ba26521a2613821da35f28386e
+###< lexik/jwt-authentication-bundle ###

.gitignore

@@ -75,3 +75,7 @@ yarn-error.log
 
 docker-compose.override.yml
 docker-compose.override.yaml
+
+###> lexik/jwt-authentication-bundle ###
+/config/jwt/*.pem
+###< lexik/jwt-authentication-bundle ###

composer.json

@@ -15,7 +15,7 @@
     },
     "require": {
         "ext-redis": "*",
-        "chill-project/chill-bundles": "dev-master#bbd2599e7e6040c7090bfb11bc2f913b5a73d5e4",
+        "chill-project/chill-bundles": "dev-master#239a978adb382d0c5dcc4ad6ae0f8f66a813a5dc",
         "symfony/flex": "^1.9",
         "symfony/http-client": "^4.4 || ^5",
         "nelmio/alice": "^3.8",
@@ -23,7 +23,8 @@
         "phpstan/phpstan": "^1.0",
         "spomky-labs/base64url": "^2.0",
         "twig/string-extra": "^3.3",
-        "symfony/mailer": "^5.4"
+        "symfony/mailer": "^5.4",
+        "symfony/dependency-injection": "5.4.16"
     },
     "require-dev": {
         "fakerphp/faker": "^1.13",
@@ -58,7 +59,9 @@
         },
         "preferred-install": {
           "chill-project/chill-bundles": "source",
-          "champs-libres/async-uploader-bundle": "source"
+          "champs-libres/async-uploader-bundle": "source",
+          "champs-libres/wopi-bundle": "source",
+          "champs-libres/wopi-lib": "source"
         }
     }
 }

config/bundles.php

@@ -36,4 +36,5 @@ return [
     Misd\PhoneNumberBundle\MisdPhoneNumberBundle::class => ['all' => true],
     App\App::class => ['all' => true],
     KnpU\OAuth2ClientBundle\KnpUOAuth2ClientBundle::class => ['all' => true],
+    Lexik\Bundle\JWTAuthenticationBundle\LexikJWTAuthenticationBundle::class => ['all' => true],
 ];

config/packages/doctrine.yaml

@@ -1,3 +1,10 @@
+framework:
+    cache:
+        pools:
+            doctrine.system_cache_pool:
+                adapter: cache.adapter.redis
+
+
 doctrine:
     dbal:
         url: '%env(resolve:DATABASE_URL)%'
@@ -5,7 +12,7 @@ doctrine:
             geometry: string
         # IMPORTANT: You MUST configure your server version,
         # either here or in the DATABASE_URL env var (see .env file)
-        #server_version: '5.7'
+        #server_version: '14'
     orm:
         auto_generate_proxy_classes: true
         naming_strategy: doctrine.orm.naming_strategy.default

config/packages/lexik_jwt_authentication.yaml

@@ -0,0 +1,12 @@
+lexik_jwt_authentication:
+    secret_key: '%env(resolve:JWT_SECRET_KEY)%'
+    public_key: '%env(resolve:JWT_PUBLIC_KEY)%'
+    pass_phrase: '%env(JWT_PASSPHRASE)%'
+
+    # required for wopi - recommended duration
+    token_ttl: 36000
+
+    token_extractors:
+        query_parameter:
+            enabled: true
+            name: access_token

config/packages/prod/doctrine.yaml

@@ -1,9 +1,6 @@
 doctrine:
     orm:
         auto_generate_proxy_classes: false
-        metadata_cache_driver:
-            type: pool
-            pool: doctrine.system_cache_pool
         query_cache_driver:
             type: pool
             pool: doctrine.system_cache_pool

config/packages/prod/lexik_jwt_authentication.yaml

@@ -0,0 +1,9 @@
+lexik_jwt_authentication:
+    # in production, the secret must be located in an environment variable
+    # for converting the file to a raw variable, use this command:
+    #
+    # cat path/to/private_or_public.pem | base64 -w0
+    #
+    # then copy past the printed string into the dedicated environment variable
+    secret_key: '%env(base64:resolve:JWT_SECRET_KEY)%'
+    public_key: '%env(base64:resolve:JWT_PUBLIC_KEY)%'

config/packages/security.yaml

@@ -29,6 +29,14 @@ security:
             pattern: ^/(_(profiler|wdt)|css|images|js)/
             security: false
 
+        wopi:
+            pattern: ^/wopi
+            provider: chain_provider
+            stateless: true
+            guard:
+                authenticators:
+                    - lexik_jwt_authentication.jwt_token_authenticator
+
         default:
             anonymous: ~
             provider: chain_provider
@@ -54,7 +62,7 @@ security:
         - { path: ^/saml/metadata, roles: IS_AUTHENTICATED_ANONYMOUSLY }
         - { path: ^/(login|logout), roles: IS_AUTHENTICATED_ANONYMOUSLY }
         - { path: ^/public, roles: IS_AUTHENTICATED_ANONYMOUSLY }
-        - { path: ^/wopi, roles: IS_AUTHENTICATED_ANONYMOUSLY }
+        - { path: ^/wopi, roles: IS_AUTHENTICATED_FULLY }
         # access for homepage, the homepage redirect admin to admin section
         - { path: ^/$, roles: [ IS_AUTHENTICATED_REMEMBERED ] }
         - { path: ^/homepage$, roles: [ IS_AUTHENTICATED_REMEMBERED ] }

config/packages/test/doctrine.yaml

@@ -0,0 +1,4 @@
+doctrine:
+    dbal:
+        # "TEST_TOKEN" is typically set by ParaTest
+        dbname: 'main_test%env(default::TEST_TOKEN)%'

config/packages/wopi.yaml

@@ -1,3 +1,2 @@
 wopi:
   server: "%env(resolve:WOPI_SERVER)%"
-  access_token_ttl: 0

config/preload.php

@@ -0,0 +1,9 @@
+<?php
+
+if (file_exists(dirname(__DIR__).'/var/cache/prod/srcApp_KernelProdContainer.preload.php')) {
+    require dirname(__DIR__).'/var/cache/prod/srcApp_KernelProdContainer.preload.php';
+}
+
+if (file_exists(dirname(__DIR__).'/var/cache/prod/App_KernelProdContainer.preload.php')) {
+    require dirname(__DIR__).'/var/cache/prod/App_KernelProdContainer.preload.php';
+}

config/routes/chill_wopi.yaml

@@ -1,3 +1,3 @@
 chill_wopi_bundle:
   resource: '@ChillWopiBundle/Resources/config/routes/routes.php'
-  prefix: /wopi
+  prefix: /chill/wopi

config/services.yaml

@@ -19,7 +19,6 @@ services:
             - '../src/DependencyInjection/'
             - '../src/Entity/'
             - '../src/Kernel.php'
-            - '../src/Tests/'
 
     # controllers are imported separately to make sure services can be injected
     # as action arguments even if you don't extend any base controller class
@@ -36,15 +35,7 @@ services:
         resource: '../src/Service/'
 
 
-    Chill\WopiBundle\Service\Wopi\ChillWopi:
-        decorates: ChampsLibres\WopiLib\Contract\Service\WopiInterface
-        arguments:
-            $cache: '@cache.user_data'
-
     ChampsLibres\WopiLib\Service\DocumentLockManager:
         arguments:
             $cache: '@cache.user_data'
 
-    App\Service\Wopi\NullProofValidator:
-        decorates: ChampsLibres\WopiLib\Contract\Service\ProofValidatorInterface
-

entrypoint.sh

@@ -36,6 +36,12 @@ fi
 if [ "${APP_ENV}" = "prod" ]; then
   composer dump-env "${APP_ENV}"
   chmod +r /var/www/app/.env.local.php
+
+  if [ "${PREVENT_MIGRATIONS}" != "true" ]; then
+    php /var/www/app/bin/console doctrine:migrations:status
+    php /var/www/app/bin/console doctrine:migrations:migrate -n
+    php /var/www/app/bin/console messenger:setup-transports
+  fi
 fi
 
 if [ "${CLEAR_CACHE}" != "false" ]; then
@@ -45,11 +51,5 @@ if [ "${CLEAR_CACHE}" != "false" ]; then
   chgrp ${PHP_FPM_GROUP} /var/www/app/var/log   -R && chmod g+rw /var/www/app/var/log   -R
 fi
 
-if [ "${PREVENT_MIGRATIONS}" != "true" ]; then
-  php /var/www/app/bin/console doctrine:migrations:status
-  php /var/www/app/bin/console doctrine:migrations:migrate -n
-  php /var/www/app/bin/console messenger:setup-transports
-fi
-
 exec "${@}"
 

public/index.php

@@ -13,7 +13,7 @@ if ($_SERVER['APP_DEBUG']) {
 }
 
 if ($trustedProxies = $_SERVER['TRUSTED_PROXIES'] ?? false) {
-    Request::setTrustedProxies(explode(',', $trustedProxies), Request::HEADER_X_FORWARDED_ALL ^ Request::HEADER_X_FORWARDED_HOST);
+    Request::setTrustedProxies(explode(',', $trustedProxies), Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO);
 }
 
 if ($trustedHosts = $_SERVER['TRUSTED_HOSTS'] ?? false) {

symfony.lock

@@ -51,16 +51,17 @@
         "version": "v0.5.3"
     },
     "doctrine/doctrine-bundle": {
-        "version": "2.0",
+        "version": "2.7",
         "recipe": {
             "repo": "github.com/symfony/recipes",
-            "branch": "master",
-            "version": "2.0",
-            "ref": "a9f2463b9f73efe74482f831f03a204a41328555"
+            "branch": "main",
+            "version": "2.3",
+            "ref": "b8ddff356705ad8e704ea75b6872ce89a15d614d"
         },
         "files": [
             "config/packages/doctrine.yaml",
             "config/packages/prod/doctrine.yaml",
+            "config/packages/test/doctrine.yaml",
             "src/Entity/.gitignore",
             "src/Repository/.gitignore"
         ]
@@ -186,6 +187,18 @@
     "league/csv": {
         "version": "9.6.2"
     },
+    "lexik/jwt-authentication-bundle": {
+        "version": "2.16",
+        "recipe": {
+            "repo": "github.com/symfony/recipes",
+            "branch": "main",
+            "version": "2.5",
+            "ref": "5b2157bcd5778166a5696e42f552ad36529a07a6"
+        },
+        "files": [
+            "config/packages/lexik_jwt_authentication.yaml"
+        ]
+    },
     "loophp/psr-http-message-bridge-bundle": {
         "version": "1.0.0"
     },
@@ -542,15 +555,16 @@
         "version": "4.4",
         "recipe": {
             "repo": "github.com/symfony/recipes",
-            "branch": "master",
+            "branch": "main",
             "version": "4.4",
-            "ref": "af2e2efad553bc959a0c61d9185e33ca9eec5c99"
+            "ref": "24eb45d1355810154890460e6a05c0ca27318fe7"
         },
         "files": [
             "config/bootstrap.php",
             "config/packages/cache.yaml",
             "config/packages/framework.yaml",
             "config/packages/test/framework.yaml",
+            "config/preload.php",
             "config/routes/dev/framework.yaml",
             "config/services.yaml",
             "public/index.php",