Merge branch 'release/3.x/10.3.5' into 3.x-master

Author: Ali Haider

.docker/Dockerfile.nginx-drupal

@@ -33,3 +33,6 @@ RUN echo 'env JS_SBOM_REPLACE;' >> /etc/nginx/nginx.conf
 
 # Define where the Drupal Root is located
 ENV WEBROOT=web
+
+# Add default for resty resolver.
+ENV RESTY_RESOLVER=${RESTY_RESOLVER:-8.8.8.8}

.docker/config/simplesaml/config/authsources.php

@@ -77,13 +77,13 @@
         /*
          * Whether logout requests and logout responses sent to this SP should be signed. The default is FALSE .
          */
-        'redirect.sign' => TRUE,
+        'redirect.sign' => filter_var(getenv('SIMPLESAMLPHP_SP_SIGN_AUTH'), FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE) ?? true,
 
         /* 
          * Whether authentication requests, logout requests and logout responses received from this SP should be validated.
          * The default is FALSE 
          */
-        'redirect.validate' => TRUE,
+        'redirect.validate' => filter_var(getenv('SIMPLESAMLPHP_SP_VALIDATE_AUTH'), FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE) ?? true,
 
         /*
          * Whether we require signatures on authentication requests sent from this SP. Set it to:

.docker/config/simplesaml/metadata/saml20-idp-remote.php

@@ -5,19 +5,30 @@
 $fallbackBinding = getenv('SIMPLESAMLPHP_IDP_DEFAULT_BINDING');
 
 $bindings = [
-  'SIMPLESAMLPHP_IDP_HTTP_POST_BINDING' => $fallbackBinding,
-  'SIMPLESAMLPHP_IDP_HTTP_REDIRECT_BINDING' => $fallbackBinding,
-  'SIMPLESAMLPHP_IDP_SOAP_BINDING' => $fallbackBinding,
-  'SIMPLESAMLPHP_IDP_HTTP_ARTIFACT' => $fallbackBinding,
+    'SIMPLESAMLPHP_IDP_HTTP_POST_BINDING' => $fallbackBinding,
+    'SIMPLESAMLPHP_IDP_HTTP_REDIRECT_BINDING' => $fallbackBinding,
+    'SIMPLESAMLPHP_IDP_SOAP_BINDING' => $fallbackBinding,
+    'SIMPLESAMLPHP_IDP_HTTP_ARTIFACT' => $fallbackBinding,
+    'SIMPLESAMLPHP_IDP_LOGOUT_HTTP_POST_BINDING' => $fallbackBinding,
+    'SIMPLESAMLPHP_IDP_LOGOUT_HTTP_REDIRECT_BINDING' => $fallbackBinding,
+    'SIMPLESAMLPHP_IDP_LOGOUT_SOAP_BINDING' => $fallbackBinding,
+    'SIMPLESAMLPHP_IDP_LOGOUT_HTTP_ARTIFACT' => $fallbackBinding
 ];
 
+// Override fallback binding if env variable value is present.
 foreach ($bindings as $binding => $fallback) {
-  $envVar = getenv($binding);
-  if (empty($envVar)) {
-    $bindings[$binding] = str_starts_with($fallback, 'http') ? $fallback : $idpBaseURL . $fallback;
-    continue;
-  }
-  $bindings[$binding] = str_starts_with($envVar, 'http') ? $envVar : $idpBaseURL . $envVar;
+    $envVar = getenv($binding);
+
+    // Apply special logic for logout bindings.
+    if (strpos($binding, 'LOGOUT') !== false) {
+        if (empty($envVar)) {
+            // Try fallback to the corresponding non-logout binding first.
+            $envVar = getenv(str_replace('LOGOUT', '', $binding)) ?: $fallback;
+        }
+    }
+
+    // Fallback to the base URL if needed.
+    $bindings[$binding] = str_starts_with($envVar, 'http') ? $envVar : $idpBaseURL . $envVar;
 }
 
 $metadata[$idpEntityId] = [
@@ -46,19 +57,19 @@
   'SingleLogoutService' => [
     [
       'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
-      'Location' => $bindings['SIMPLESAMLPHP_IDP_HTTP_POST_BINDING'],
+      'Location' => $bindings['SIMPLESAMLPHP_IDP_LOGOUT_HTTP_POST_BINDING'],
     ],
     [
       'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
-      'Location' => $bindings['SIMPLESAMLPHP_IDP_HTTP_REDIRECT_BINDING'],
+      'Location' => $bindings['SIMPLESAMLPHP_IDP_LOGOUT_HTTP_REDIRECT_BINDING'],
     ],
     [
       'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
-      'Location' => $bindings['SIMPLESAMLPHP_IDP_HTTP_ARTIFACT'],
+      'Location' => $bindings['SIMPLESAMLPHP_IDP_LOGOUT_HTTP_ARTIFACT'],
     ],
     [
       'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
-      'Location' => $bindings['SIMPLESAMLPHP_IDP_SOAP_BINDING'],
+      'Location' => $bindings['SIMPLESAMLPHP_IDP_LOGOUT_SOAP_BINDING'],
     ],
   ],
   'ArtifactResolutionService' => [

.docker/images/nginx/helpers/206-x_robots_tag_header.conf

@@ -11,4 +11,9 @@ if ($host ~* ^(?!www\.govcms\.gov\.au$)(?:[\w\-]+\.)+govcms\.gov\.au$){
   set $robots_header "none";
 }
 
+# Set none for Drupal /admin and /user routes.
+if ($uri ~* ^/(admin|user)/.*$) {
+  set $robots_header "none";
+}
+
 add_header X-Robots-Tag $robots_header;

.env.default

@@ -35,11 +35,11 @@ X_FRAME_OPTIONS=SAMEORIGIN
 
 # Set the version of GovCMS and Drupal Core to use - you can use a tag or branch reference (3.x-dev) here
 # See https://github.com/govCMS/GovCMS/releases
-GOVCMS_PROJECT_VERSION=3.21.2
+GOVCMS_PROJECT_VERSION=3.22.0
 
 # Set the Lagoon tag to use for the upstream dockerfiles (e.g. 20.12.0)
 # See https://github.com/uselagoon/lagoon-images/releases
-LAGOON_IMAGE_VERSION=24.12.0
+LAGOON_IMAGE_VERSION=25.2.0
 
 # Set the CLI image name
 # Support both legacy (govcms8lagoon/govcms8) and newer (govcms/govcms) images.

.gitlab-ci.yml

@@ -16,6 +16,17 @@ stages:
 # ---
 workflow:
   rules:
+    ## D11
+    - if: $CI_COMMIT_REF_NAME == "4.x-develop"
+      variables:
+        DEPLOY_TAG: "11.x-edge"
+    - if: $CI_COMMIT_REF_NAME == "4.x-master"
+      variables:
+        DEPLOY_TAG: "11.x-latest"
+    - if: $CI_COMMIT_REF_NAME =~ /^release\/4.x\//
+      variables:
+        DEPLOY_TAG: "11.x-beta"
+
     ## D10
     - if: $CI_COMMIT_REF_NAME == "3.x-develop"
       variables:

README.md

@@ -2,7 +2,7 @@
 
 ## Purpose
 
-This project is used to create the images required by Lagoon, using the GovCMS distribution - it is only intended to
+This project is used to create the images required by Lagoon, using the GovCMS distribution - it is only intended to 
 be used by distribution/platform maintainers.
 
 Images are published to the [govcms](https://hub.docker.com/u/govcms) namespace on Docker Hub.

composer.json

@@ -19,7 +19,7 @@
         "drupal/bartik": "^1.0",
         "govcms/govcms": "3.x-develop-dev",
         "govcms/govcms-custom": "*",
-        "govcms/scaffold-tooling": "5.4.0"
+        "govcms/scaffold-tooling": "5.4.1"
     },
     "require-dev": {
         "drupal/core-dev": "^10.0",