What has been discovered?

My colleague recently came across a GovCMS website that, for some reason, doesn't have a shield on its production website. However, after installing the site's codebase locally and running ahoy refresh db && ahoy build, a shield magically appeared out of nowhere.

https://www.drupal.org/files/images/Screen%20shot%202012-04-23%20at%205.05.33%20PM_0.png

After some investigation, he found that configuration yml files placed in the config/dev folder are ONLY imported on local, as well as on sandbox/development environments on Lagoon (as long as LAGOON_ENVIRONMENT_TYPE!=production).

Using this feature, the site's original creator placed a shield.settings.yml file inside the config/dev folder to enable the shield for all non-production environments and hide them from the public audience (which is genius!).

The content of this config/dev/shield.settings.yml file is something like the below:

_core:
  default_config_hash: FLJZ***************
+ shield_enable: true
credential_provider: shield
credentials:
  shield:
+    user: shield_username
+    pass: shield_password
  key:
    user: ''
    pass_key: ''
  multikey:
    user_pass_key: ''
allow_cli: true
debug_header: false
unset_basic_auth_headers: true
print: Hello!
method: 0
paths: ''
allowlist: ''
http_method_allowlist: {  }
domains: ''

Similarly, my colleague also found a way to turn off Two-Factor Authentication (TFA) for all these non-production environments: create this tfa.settings.yml file inside the config/dev folder:

+ enabled: false
required_roles:
  authenticated: authenticated
  manager: '0'
  govcms_content_author: '0'
  govcms_site_administrator: '0'
  govcms_content_approver: '0'
send_plugins: {  }
login_plugins: {  }
login_plugin_settings:
  tfa_trusted_browser:
    cookie_expiration: 30
    cookie_name: tfa-trusted-browser
allowed_validation_plugins:
  tfa_recovery_code: tfa_recovery_code
  tfa_totp: tfa_totp
default_validation_plugin: tfa_totp
validation_plugin_settings:
  tfa_recovery_code:
    recovery_codes_amount: 10
  tfa_email_code:
    code_validity_period: 60
    email_setting:
      subject: '[site:name] Authentication code'
      body: "[user:display-name],\r\n\r\nThis code is valid for [length] minutes. Your code is: [code]\r\n\r\nThis code will be expired after login."
  tfa_totp:
    time_skew: 2
    site_name_prefix: 1
    name_prefix: TFA
    issuer: psr2
  tfa_hotp:
    counter_window: 10
    site_name_prefix: 1
    name_prefix: TFA
    issuer: psr2
validation_skip: 3
encryption: tfa_encryption_profile
tfa_flood_uid_only: 1
tfa_flood_window: 300
tfa_flood_threshold: 6
help_text: 'Contact support to reset your access'
mail:
  tfa_enabled_configuration:
    subject: 'Your [site:name] account now has two-factor authentication'
    body: "[user:display-name],\r\n\r\nThanks for configuring two-factor authentication on your [site:name] account!\r\n\r\nThis additional level of security will help to ensure that only you are able to log in to your account.\r\n\r\nIf you ever lose the device you configured, you should act quickly to delete its association with this account.\r\n\r\n--\r\n[site:name] team"
  tfa_disabled_configuration:
    subject: 'Your [site:name] account no longer has two-factor authentication'
    body: "[user:display-name],\r\n\r\nTwo-factor authentication has been disabled on your [site:name] account.\r\n\r\nIf you did not take this action, please contact a site administrator immediately.\r\n\r\n--\r\n[site:name] team"

How is this mechanism achieved?

TL;DR: the govcms-config-import script

2025-12-03T165856

(*irrelevant logic is hidden with ...)

In the .ahoy.yml we can see that the build command calls govcms-deploy, which runs docker compose exec -T cli /app/vendor/bin/govcms-config-import to import the configuration file:

---
ahoyapi: v2

commands:
  govcms-deploy:
    usage: Runs deployment commands (e.g. config import, updb, cr, set up file_stage_proxy).
    cmd: |
      docker compose exec -T cli mkdir -p /app/web/sites/default/files/private/tmp && \
      docker compose exec -T cli /app/vendor/bin/govcms-db-update && \
      docker compose exec -T cli /app/vendor/bin/govcms-config-import && \
      docker compose exec -T cli /app/vendor/bin/govcms-cache-rebuild && \
      docker compose exec -T cli /app/vendor/bin/govcms-enable_modules
  build:
    usage: Build project.
    cmd: |
      docker compose up -d --build "$@" &&
      docker compose exec -T test dockerize -wait tcp://mariadb:3306 -timeout 2m &&
      ahoy govcms-deploy && ahoy info;

Looking at the file /app/vendor/bin/govcms-config-import inside the container, we found that it calls the /app/vendor/govcms/scaffold-tooling/deploy/govcms-config-import file, also inside the container:

#!/usr/bin/env sh

# Support bash to support `source` with fallback on $0 if this does not run with bash
# https://stackoverflow.com/a/35006505/6512
selfArg="$BASH_SOURCE"
if [ -z "$selfArg" ]; then
    selfArg="$0"
fi

self=$(realpath $selfArg 2> /dev/null)
if [ -z "$self" ]; then
    self="$selfArg"
fi

dir=$(cd "${self%[/\\]*}" > /dev/null; cd '../govcms/scaffold-tooling/scripts/deploy' && pwd)

if [ -d /proc/cygdrive ]; then
    case $(which php) in
        $(readlink -n /proc/cygdrive)/*)
            # We are in Cygwin using Windows php, so the path must be translated
            dir=$(cygpath -m "$dir");
            ;;
    esac
fi

export COMPOSER_RUNTIME_BIN_DIR="$(cd "${self%[/\\]*}" > /dev/null; pwd)"

# If bash is sourcing this file, we have to source the target as well
bashSource="$BASH_SOURCE"
if [ -n "$bashSource" ]; then
    if [ "$bashSource" != "$0" ]; then
        source "${dir}/govcms-config-import" "$@"
        return
    fi
fi

exec "${dir}/govcms-config-import" "$@"

Below is /app/vendor/govcms/scaffold-tooling/deploy/govcms-config-import. It uses the drush config-import command to import the website's configuration. At lines 64 to 67 (the final if block), we can see that in a non-production environment, i.e. local or sandbox, it also imports the configurations located in the config/dev folder:

#!/usr/bin/env bash
IFS=$'\n\t'
set -euo pipefail

#
# GovCMS configuration import.
#

LAGOON_ENVIRONMENT_TYPE=${LAGOON_ENVIRONMENT_TYPE:-production}
GOVCMS_DEPLOY_WORKFLOW_CONFIG=${GOVCMS_DEPLOY_WORKFLOW_CONFIG:-import}
CONFIG_DEFAULT_DIR=${CONFIG_DEFAULT_DIR:-/app/config/default}
CONFIG_DEV_DIR=${CONFIG_DEV_DIR:-/app/config/dev}
LAGOON_GIT_SAFE_BRANCH=${LAGOON_GIT_SAFE_BRANCH:-master}

# Drush 12 support.
DRUSH="${GOVCMS_DRUSH:-none}"
if [ "$DRUSH" == "none" ]; then
  DRUSH=$(which /app/vendor/bin/drush > /dev/null 2>&1 && echo "/app/vendor/bin/drush" || echo "/usr/local/bin/drush")
fi

echo "GovCMS Deploy :: Configuration import"

# shellcheck disable=SC2236
if [ -n "${GOVCMS_TEST_CANARY+x}" ]; then
    echo "[skip]: Config import disabled on canary sites."
    exit 0
fi

if [ "$GOVCMS_DEPLOY_WORKFLOW_CONFIG" != "import" ]; then
  echo "[skip]: Workflow is not set to import."
  exit 0
fi

if [[ "$LAGOON_GIT_SAFE_BRANCH" = internal-govcms-update* ]]; then
  echo "[skip]: Configuration cannot be imported on update branches."
  exit 0
fi

# Check that there are configuration files.
set +e
# shellcheck disable=SC2012
config_count=$(ls -1 "$CONFIG_DEFAULT_DIR"/*.yml 2>/dev/null | wc -l)
# shellcheck disable=SC2012
dev_config_count=$(ls -1 "$CONFIG_DEV_DIR"/*.yml 2>/dev/null | wc -l)
set -e

if [ "$config_count" -eq 0 ] && [ "$dev_config_count" -eq 0 ]; then
  # There are no configuration files to import.
  echo "[skip]: There is no configuration."
  exit 0
fi

STATUS=$("$DRUSH" status --fields=bootstrap --format=json)
if [ "$(jq -r '.bootstrap' 2> /dev/null <<< "$STATUS")" != "Successful" ]; then
  echo '[skip]: Site is not available.'
  exit 0
fi

if [ "$config_count" -gt 0 ]; then
  echo "[update]: Import site configuration."
  "$DRUSH" config:import -y
fi

if [ "$LAGOON_ENVIRONMENT_TYPE" != "production" ] && [ "$dev_config_count" -gt 0 ]; then
  echo "[update]: Import dev configuration partially."
  "$DRUSH" config:import -y --source="$CONFIG_DEV_DIR" --partial
fi

echo "[success]: Completed successfully."
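
To see which security-relevant overrides a config/dev folder applies on non-production, the gate above can be mirrored in a small audit script. This is an added example, not GovCMS code: the function names, the findings text and the sample files are constructed here, and only the gate condition and the YAML keys come from the files shown on this page.

```shell
#!/usr/bin/env bash
# Added example (not part of GovCMS scaffold-tooling).

# Mirrors the gate in govcms-config-import: an unset or empty environment
# type defaults to "production", so the dev overrides are skipped.
dev_import_applies() {
  local env_type="${1:-production}" dev_dir="$2" f
  [ "$env_type" != "production" ] || return 1
  for f in "$dev_dir"/*.yml; do
    [ -e "$f" ] && return 0
  done
  return 1
}

# Print one finding per security-relevant override in the dev config dir.
audit_dev_config() {
  local tfa="$1/tfa.settings.yml" shield="$1/shield.settings.yml"
  if [ -f "$tfa" ] && grep -Eq '^enabled:[[:space:]]*false' "$tfa"; then
    echo "tfa.settings.yml: TFA disabled on non-production"
  fi
  if [ -f "$shield" ]; then
    grep -Eq '^shield_enable:[[:space:]]*true' "$shield" ||
      echo "shield.settings.yml: shield not enabled"
    # Any non-empty value for "pass" means a credential lives in the repo.
    if grep -E '^[[:space:]]+pass:' "$shield" |
       grep -Evq "pass:[[:space:]]*(''|\"\")?[[:space:]]*\$"; then
      echo "shield.settings.yml: plaintext shield password in repository"
    fi
  fi
}

# Constructed sample files mirroring the two overrides shown on this page.
demo_dir=$(mktemp -d)
printf 'shield_enable: true\ncredentials:\n  shield:\n    user: shield_username\n    pass: shield_password\n  key:\n    pass_key: %s\n' "''" \
  > "$demo_dir/shield.settings.yml"
printf 'enabled: false\nvalidation_skip: 3\n' > "$demo_dir/tfa.settings.yml"

for env_type in development production ""; do
  if dev_import_applies "$env_type" "$demo_dir"; then
    echo "LAGOON_ENVIRONMENT_TYPE='$env_type': config/dev imported"
    audit_dev_config "$demo_dir"
  else
    echo "LAGOON_ENVIRONMENT_TYPE='$env_type': config/dev skipped"
  fi
done
```

Run against a real checkout by passing its config/dev path to audit_dev_config, for example as a CI step that lists every relaxed control before a non-production deploy.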