ASU-1793: Fix default consumer and oauth keys

- oauth keys now get 600 perms
- default oauth consumer now gets a user created for it automatically

Author: leevi-identio

docker/openshift/init.sh

@@ -10,24 +10,38 @@ if [ -n "${DRUPAL_SIMPLE_OAUTH_PRIVATE_KEY_PEM}" ] || [ -n "${DRUPAL_SIMPLE_OAUT
   key_dir="${DRUPAL_SIMPLE_OAUTH_KEY_DIR:-${private_files_dir%/}/simple_oauth}"
   private_key_path="${key_dir%/}/private.key"
   public_key_path="${key_dir%/}/public.key"
+  old_umask="$(umask)"
 
-  if { [ -n "${DRUPAL_SIMPLE_OAUTH_PRIVATE_KEY_PEM}" ] && [ ! -f "${private_key_path}" ]; } || { [ -n "${DRUPAL_SIMPLE_OAUTH_PUBLIC_KEY_PEM}" ] && [ ! -f "${public_key_path}" ]; }; then
-    if ! mkdir -p "${key_dir}"; then
-      echo "Container start error: Unable to create Simple OAuth key directory at '${key_dir}'."
-      exit 1
-    fi
-    chmod 700 "${key_dir}" || true
+  if ! mkdir -p "${key_dir}"; then
+    echo "Container start error: Unable to create Simple OAuth key directory at '${key_dir}'."
+    exit 1
+  fi
+  chmod 700 "${key_dir}" || true
 
-    if [ -n "${DRUPAL_SIMPLE_OAUTH_PRIVATE_KEY_PEM}" ] && [ ! -f "${private_key_path}" ]; then
-      printf '%s\n' "${DRUPAL_SIMPLE_OAUTH_PRIVATE_KEY_PEM}" > "${private_key_path}"
+  # Create files with correct permissions even when chmod is blocked.
+  umask 077
+
+  if [ -n "${DRUPAL_SIMPLE_OAUTH_PRIVATE_KEY_PEM}" ]; then
+    if [ -f "${private_key_path}" ] && ! chmod 600 "${private_key_path}" 2>/dev/null; then
+      rm -f "${private_key_path}" || true
+    fi
+    if [ ! -f "${private_key_path}" ]; then
+      printf '%b\n' "${DRUPAL_SIMPLE_OAUTH_PRIVATE_KEY_PEM}" > "${private_key_path}"
       chmod 600 "${private_key_path}" || true
     fi
+  fi
 
-    if [ -n "${DRUPAL_SIMPLE_OAUTH_PUBLIC_KEY_PEM}" ] && [ ! -f "${public_key_path}" ]; then
-      printf '%s\n' "${DRUPAL_SIMPLE_OAUTH_PUBLIC_KEY_PEM}" > "${public_key_path}"
+  if [ -n "${DRUPAL_SIMPLE_OAUTH_PUBLIC_KEY_PEM}" ]; then
+    if [ -f "${public_key_path}" ] && ! chmod 600 "${public_key_path}" 2>/dev/null; then
+      rm -f "${public_key_path}" || true
+    fi
+    if [ ! -f "${public_key_path}" ]; then
+      printf '%b\n' "${DRUPAL_SIMPLE_OAUTH_PUBLIC_KEY_PEM}" > "${public_key_path}"
       chmod 600 "${public_key_path}" || true
     fi
   fi
+
+  umask "${old_umask}" || true
 fi
 
 function get_deploy_id {

public/modules/custom/asu_rest/asu_rest.install

@@ -69,24 +69,113 @@ function asu_rest_provision_oauth_consumer(): void {
   }
 
   $storage = \Drupal::entityTypeManager()->getStorage('consumer');
-  $existing = $storage->getQuery()
+  $existing_ids = $storage->getQuery()
     ->accessCheck(FALSE)
     ->condition('client_id', $client_id)
     ->range(0, 1)
     ->execute();
-  if ($existing) {
+  if ($existing_ids) {
+    // Ensure default user exists and is assigned, even if consumer already
+    // exists (common when secrets are added after initial install).
+    $role_storage = \Drupal::entityTypeManager()->getStorage('user_role');
+    if (!$role_storage->load('rest_client')) {
+      \Drupal::logger('asu_rest')->error(
+        'User role rest_client is missing; cannot provision OAuth REST client user for consumer @id.',
+        ['@id' => $client_id],
+      );
+      return;
+    }
+    $username_env = getenv('ASU_REST_OAUTH_DEFAULT_USERNAME');
+    $username = is_string($username_env) && trim($username_env) !== '' ? trim($username_env) : 'rest_client';
+    $user_storage = \Drupal::entityTypeManager()->getStorage('user');
+    $users = $user_storage->loadByProperties(['name' => $username]);
+    /** @var \Drupal\user\Entity\User|null $user */
+    $user = $users ? reset($users) : NULL;
+    if (!$user) {
+      $password = bin2hex(random_bytes(16));
+      $user = $user_storage->create([
+        'name' => $username,
+        'status' => 1,
+        'roles' => ['rest_client'],
+        'pass' => $password,
+      ]);
+      $user->save();
+    }
+    else {
+      if (!$user->isActive()) {
+        $user->activate();
+      }
+      if (!in_array('rest_client', $user->getRoles(), TRUE)) {
+        $user->addRole('rest_client');
+      }
+      $user->save();
+    }
+
+    /** @var \Drupal\consumers\Entity\Consumer|null $existing_consumer */
+    $existing_consumer = $storage->load(reset($existing_ids));
+    if ($existing_consumer && $existing_consumer->get('user_id')->isEmpty()) {
+      $existing_consumer->set('user_id', (int) $user->id())->save();
+      \Drupal::logger('asu_rest')->notice(
+        'Updated OAuth consumer @id default user to uid @uid.',
+        ['@id' => $client_id, '@uid' => $user->id()],
+      );
+    }
     return;
   }
 
-  $scope_storage = \Drupal::entityTypeManager()->getStorage('oauth2_scope');
-  if (!$scope_storage->load('rest_client')) {
+  $entity_type_manager = \Drupal::entityTypeManager();
+  // Some environments provide scopes as config entities (oauth2_scope). If the
+  // entity type exists, ensure the expected scope is present.
+  if ($entity_type_manager->hasDefinition('oauth2_scope')) {
+    $scope_storage = $entity_type_manager->getStorage('oauth2_scope');
+    if (!$scope_storage->load('rest_client')) {
+      \Drupal::logger('asu_rest')->error(
+        'OAuth scope rest_client is missing; cannot create consumer @id.',
+        ['@id' => $client_id],
+      );
+      return;
+    }
+  }
+
+  $role_storage = \Drupal::entityTypeManager()->getStorage('user_role');
+  if (!$role_storage->load('rest_client')) {
     \Drupal::logger('asu_rest')->error(
-      'OAuth scope rest_client is missing; cannot create consumer @id.',
+      'User role rest_client is missing; cannot provision OAuth REST client user for consumer @id.',
       ['@id' => $client_id],
     );
     return;
   }
 
+  $username_env = getenv('ASU_REST_OAUTH_DEFAULT_USERNAME');
+  $username = is_string($username_env) && trim($username_env) !== '' ? trim($username_env) : 'rest_client';
+  $user_storage = \Drupal::entityTypeManager()->getStorage('user');
+  $users = $user_storage->loadByProperties(['name' => $username]);
+  /** @var \Drupal\user\Entity\User|null $user */
+  $user = $users ? reset($users) : NULL;
+  if (!$user) {
+    $password = bin2hex(random_bytes(16));
+    $user = $user_storage->create([
+      'name' => $username,
+      'status' => 1,
+      'roles' => ['rest_client'],
+      'pass' => $password,
+    ]);
+    $user->save();
+    \Drupal::logger('asu_rest')->notice(
+      'Created OAuth REST client user @name (uid @uid) for consumer @id.',
+      ['@name' => $username, '@uid' => $user->id(), '@id' => $client_id],
+    );
+  }
+  else {
+    if (!$user->isActive()) {
+      $user->activate();
+    }
+    if (!in_array('rest_client', $user->getRoles(), TRUE)) {
+      $user->addRole('rest_client');
+    }
+    $user->save();
+  }
+
   $label = $oauth['label'] ?? 'Apartment application service';
   $label = is_string($label) && $label !== '' ? $label : 'Apartment application service';
 
@@ -96,6 +185,7 @@ function asu_rest_provision_oauth_consumer(): void {
     'description' => 'Machine client for Elasticsearch-compatible REST endpoints (projects, apartments).',
     'grant_types' => ['client_credentials'],
     'scopes' => ['rest_client'],
+    'user_id' => (int) $user->id(),
     'confidential' => TRUE,
     'secret' => $secret,
     'redirect' => ['https://127.0.0.1/oauth2-callback-not-used'],

public/modules/custom/asu_rest/tests/src/Kernel/OAuthConsumerProvisioningTest.php

@@ -0,0 +1,94 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Drupal\Tests\asu_rest\Kernel;
+
+use Drupal\consumers\Entity\Consumer;
+use Drupal\KernelTests\KernelTestBase;
+use Drupal\user\Entity\Role;
+use Drupal\user\Entity\User;
+
+/**
+ * Tests OAuth consumer provisioning for REST API clients.
+ *
+ * @group asu_rest
+ */
+final class OAuthConsumerProvisioningTest extends KernelTestBase {
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $modules = [
+    'system',
+    'user',
+    'file',
+    'image',
+    'serialization',
+    'rest',
+    'consumers',
+    'simple_oauth',
+    'asu_rest',
+  ];
+
+  protected function setUp(): void {
+    parent::setUp();
+
+    $this->installEntitySchema('user');
+    $this->installEntitySchema('consumer');
+
+    // Needed by consumers/simple_oauth entities.
+    $this->installConfig(['system', 'user']);
+
+    // Role expected to exist via CMI in real environments.
+    Role::create([
+      'id' => 'rest_client',
+      'label' => 'REST api client',
+    ])->save();
+  }
+
+  public function tearDown(): void {
+    putenv('ASU_REST_OAUTH_CLIENT_SECRET');
+    putenv('ASU_REST_OAUTH_CLIENT_ID');
+    putenv('ASU_REST_OAUTH_DEFAULT_USERNAME');
+    parent::tearDown();
+  }
+
+  /**
+   * Provisioning creates a REST client user and assigns it to the consumer.
+   */
+  public function testProvisioningCreatesUserAndAssignsConsumer(): void {
+    putenv('ASU_REST_OAUTH_CLIENT_SECRET=test-secret');
+    putenv('ASU_REST_OAUTH_DEFAULT_USERNAME=rest_client');
+
+    $this->config('asu_rest.settings')
+      ->set('oauth_consumer', [
+        'auto_create' => TRUE,
+        'client_id' => 'apartment_application_service',
+        'label' => 'Apartment application service',
+      ])
+      ->save();
+
+    $this->container->get('module_handler')->loadInclude('asu_rest', 'install');
+    call_user_func('asu_rest_provision_oauth_consumer');
+
+    $users = $this->container->get('entity_type.manager')
+      ->getStorage('user')
+      ->loadByProperties(['name' => 'rest_client']);
+    /** @var \Drupal\user\Entity\User $user */
+    $user = reset($users);
+    $this->assertInstanceOf(User::class, $user);
+    $this->assertTrue($user->isActive());
+    $this->assertTrue(in_array('rest_client', $user->getRoles(), TRUE));
+
+    $consumers = $this->container->get('entity_type.manager')
+      ->getStorage('consumer')
+      ->loadByProperties(['client_id' => 'apartment_application_service']);
+    /** @var \Drupal\consumers\Entity\Consumer $consumer */
+    $consumer = reset($consumers);
+    $this->assertInstanceOf(Consumer::class, $consumer);
+    $this->assertSame((int) $user->id(), (int) $consumer->get('user_id')->target_id);
+  }
+
+}
+