From ba007a6c52d799a8f0b949a4271e97d690bc6b36 Mon Sep 17 00:00:00 2001 From: Tanner Heffner Date: Thu, 9 Nov 2023 07:42:38 -0800 Subject: [PATCH] VACMS-15798 / 15791 / 15795 next preview configs + oauth key handling (#15936) * gitignore public/private key for oauth * export config for simple_oauth and next js site * use simple oauth for preview in next * echo keys to files in tugboat * add other env vars where they need to be * [docs] Update and rename pw-dark-launch.md to dark-launch.md * Bump datadog/dd-trace from 0.92.2 to 0.93.1 (#15937) Bumps [datadog/dd-trace](https://github.com/DataDog/dd-trace-php) from 0.92.2 to 0.93.1. - [Release notes](https://github.com/DataDog/dd-trace-php/releases) - [Commits](https://github.com/DataDog/dd-trace-php/compare/0.92.2...0.93.1) --- updated-dependencies: - dependency-name: datadog/dd-trace dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * VACMS-14342: Set up `CODEOWNERS` (#15581) * VACMS-14342: Set up CODEOWNERS * h/t Dave * h/t Tanner * h/t Dave * Update .github/CODEOWNERS * Apply suggestions from code review h/t @swirtSJW * Bump va-gov/content-build from 0.0.3377 to 0.0.3378 (#15938) Bumps [va-gov/content-build](https://github.com/department-of-veterans-affairs/content-build) from 0.0.3377 to 0.0.3378. - [Release notes](https://github.com/department-of-veterans-affairs/content-build/releases) - [Commits](https://github.com/department-of-veterans-affairs/content-build/compare/v0.0.3377...v0.0.3378) --- updated-dependencies: - dependency-name: va-gov/content-build dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * VACMS-15721: added description field for alert blocks view and browser (#15927) * VACMS-15276: Adds YouTube field (#15450) * VACMS-15276: Adds YouTube field * VACMS-15276: Adding field storage for YouTube * VACMS-15891: Update Q&A Content Report View to use Multiple Workflow Filter (#15896) * VACMS-15891: Update workflow filter to multiple * VACMS-15891: Updated the filter machine name too because Jill is smart. * VACMS-15891: Style-Guide-Related edits to view * VACMS-15891: Added section filter * VACMS-15891: Fix caption * VACMS-15891: Caption and tab * VACMS-15891: Copying new settings from view family * VACMS-15891: Fix pager back to 25 for cypress test * update perms for nextjs role * update perms for nextjs role * re-export config for correct dependencies * override config for tugboat * include full domains in the url path... * a couple more env vars in place * env vars need added before build * tweak env vars slightly * quote env vars --------- Signed-off-by: dependabot[bot] Co-authored-by: Jill Adams <85581471+jilladams@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Nate Douglas Co-authored-by: Edmund Dunn <109987005+edmund-dunn@users.noreply.github.com> Co-authored-by: Christian Burk Co-authored-by: Christia Troyer --- .gitignore | 3 +++ .tugboat/config.yml | 16 ++++++++++++++-- .../next.next_site.next_build_preview_server.yml | 11 +++++++++++ config/sync/next.settings.yml | 4 ++++ config/sync/simple_oauth.settings.yml | 4 +++- config/sync/user.role.next_js.yml | 11 +++++++++-- .../sites/default/settings/settings.tugboat.php | 4 ++++ 7 files changed, 48 insertions(+), 5 deletions(-) create mode 100644 config/sync/next.next_site.next_build_preview_server.yml diff --git a/.gitignore b/.gitignore index 39f475fda7..89b52fc6b7 100644 --- a/.gitignore +++ b/.gitignore 
@@ -104,6 +104,9 @@ datadog-setup.php # Ignore Next (next-build) next +# Ignore oauth keys used for validating next-build preview api requests +public.key +private.key # Temporary .deb packages *.deb diff --git a/.tugboat/config.yml b/.tugboat/config.yml index c4a7c97f68..96e452dd70 100644 --- a/.tugboat/config.yml +++ b/.tugboat/config.yml @@ -104,6 +104,10 @@ services: - cp "${TUGBOAT_ROOT}"/.tugboat/*.crt /usr/local/share/ca-certificates - update-ca-certificates + # Write OAuth keys to files for next-build Preview Server validation + - echo "${OAUTH_PUBLIC_KEY}" >> ${TUGBOAT_ROOT}/public.key + - echo "${OAUTH_PRIVATE_KEY}" >> ${TUGBOAT_ROOT}/private.key + # Install drush-launcher, if desired. - wget -O /usr/local/bin/drush https://github.com/drush-ops/drush-launcher/releases/download/0.6.0/drush.phar - chmod +x /usr/local/bin/drush @@ -233,9 +237,17 @@ services: - find -L "${DOCROOT}/vendor/va-gov/content-build/node_modules/.bin" -type f -exec chmod +x {} \+ - find "${DOCROOT}/vendor/va-gov/content-build/script" -type f -exec chmod +x {} \+ - # Build storybook and the frontends in parallel + # Put necessary env variables in place for next's Drupal Preview before building server + # Need to construct this way instead of TUGBOAT_DEFAULT_SERVICE_URL in order to drop the trailing / + - echo "NEXT_PUBLIC_DRUPAL_BASE_URL=https://cms-${TUGBOAT_SERVICE_TOKEN}.${TUGBOAT_SERVICE_CONFIG_DOMAIN}" >> ${TUGBOAT_ROOT}/next/envs/.env.tugboat + - echo "NEXT_IMAGE_DOMAIN=https://cms-${TUGBOAT_SERVICE_TOKEN}.${TUGBOAT_SERVICE_CONFIG_DOMAIN}" >> ${TUGBOAT_ROOT}/next/envs/.env.tugboat + - echo "DRUPAL_CLIENT_ID=${DRUPAL_CLIENT_ID}" >> ${TUGBOAT_ROOT}/next/envs/.env.tugboat + - echo "DRUPAL_CLIENT_SECRET=${DRUPAL_CLIENT_SECRET}" >> ${TUGBOAT_ROOT}/next/envs/.env.tugboat + + # Build storybook and the frontends (web, next) in parallel - bash -lc 'time task --taskfile=tugboat.yml' - # Build next build server + + # Start the next build server - bash -lc 'composer va:next:start' memcache: 
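Review bot: Both key-writing commands in the first .tugboat/config.yml hunk append with `>>`, so if this step ever runs against a checkout that already holds the files, `public.key` and `private.key` end up with two concatenated PEM bodies. The four `.env.tugboat` lines in the second hunk have the same problem and would accumulate duplicate `DRUPAL_CLIENT_SECRET=` entries. Whether Tugboat re-runs the stage on an existing filesystem is not visible here, so this is worth confirming. For the keys, overwrite instead: `- printf '%s\n' "${OAUTH_PRIVATE_KEY}" > "${TUGBOAT_ROOT}/private.key"`, with the target path quoted. Nothing in the hunk sets the mode or owner of `private.key`, so it is created under the build user's default umask; restrict it to the account PHP runs as.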
diff --git a/config/sync/next.next_site.next_build_preview_server.yml b/config/sync/next.next_site.next_build_preview_server.yml
new file mode 100644
index 0000000000..3e3a99c8bb
--- /dev/null
+++ b/config/sync/next.next_site.next_build_preview_server.yml
@@ -0,0 +1,11 @@
+uuid: 75dd1bfb-8507-4981-90b6-3830400e1434
+langcode: en
+status: true
+dependencies: { }
+id: next_build_preview_server
+label: 'Next Build Preview Server'
+base_url: 'http://localhost:3000'
+preview_url: 'http://localhost:3000/api/preview'
+preview_secret: secret
+revalidate_url: ''
+revalidate_secret: ''
diff --git a/config/sync/next.settings.yml b/config/sync/next.settings.yml
index 19893cfd6f..6d1945a747 100644
--- a/config/sync/next.settings.yml
+++ b/config/sync/next.settings.yml
@@ -6,3 +6,7 @@ site_previewer_configuration:
 width: 100%
 sync_route: false
 sync_route_skip_routes: ''
+preview_url_generator: simple_oauth
+preview_url_generator_configuration:
+ secret_expiration: 300
+debug: false
diff --git a/config/sync/simple_oauth.settings.yml b/config/sync/simple_oauth.settings.yml
index f58228bc1d..0cffd710fb 100644
--- a/config/sync/simple_oauth.settings.yml
+++ b/config/sync/simple_oauth.settings.yml
@@ -3,7 +3,9 @@ _core:
 access_token_expiration: 300
 authorization_code_expiration: 300
 refresh_token_expiration: 1209600
-remember_clients: true
 token_cron_batch_size: 0
+public_key: ../public.key
+private_key: ../private.key
+remember_clients: true
 use_implicit: false
 disable_openid_connect: false
diff --git a/config/sync/user.role.next_js.yml b/config/sync/user.role.next_js.yml
index 20eeaa6867..aaab07f0a1 100644
--- a/config/sync/user.role.next_js.yml
+++ b/config/sync/user.role.next_js.yml
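Review bot: `preview_secret: secret` in next.next_site.next_build_preview_server.yml commits a guessable literal to config/sync, which is imported into every environment. The settings.tugboat.php hunk in this commit overrides `base_url` and `preview_url` for this entity but leaves `preview_secret` untouched. Whether the value is still consulted once `preview_url_generator: simple_oauth` is active cannot be told from the hunk. If it is, supply it per environment, e.g. `$config['next.next_site.next_build_preview_server']['preview_secret'] = getenv('<PREVIEW_SECRET_ENV_VAR>');` (placeholder variable name). The `http://localhost:3000` URLs also need an override in each non-Tugboat environment, or a note in the deployment docs that they are local-development defaults.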
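Review bot: `public_key: ../public.key` and `private_key: ../private.key` in simple_oauth.settings.yml are relative paths stored in synced config, so they apply to every environment and resolve against the process working directory. Only the Tugboat provisioning of those files is visible in this commit; an environment without the files at that location would presumably fail token issuance, and a CLI run from another directory could resolve a different path. Consider per-environment overrides with absolute paths, e.g. `$config['simple_oauth.settings']['private_key'] = '<ABSOLUTE_PATH_TO_PRIVATE_KEY>';` (placeholder path), keeping the key outside the web root.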
@@ -3,17 +3,24 @@ langcode: en status: true dependencies: module: + - content_moderation + - media - node - subrequests + - system - va_gov_backend third_party_settings: va_gov_backend: vgb_description: 'Role for Next.js JSON API data access.' id: next_js label: Next.js -weight: 8 +weight: 7 is_admin: null permissions: + - 'access content' - 'access user profiles' - - 'bypass node access' - 'issue subrequests' + - 'view all revisions' + - 'view any unpublished content' + - 'view latest version' + - 'view media' diff --git a/docroot/sites/default/settings/settings.tugboat.php b/docroot/sites/default/settings/settings.tugboat.php index 8d386c4562..5bcd14b1e3 100644 --- a/docroot/sites/default/settings/settings.tugboat.php +++ b/docroot/sites/default/settings/settings.tugboat.php @@ -37,6 +37,10 @@ $config['environment_indicator.indicator']['fg_color'] = '#212121'; $config['environment_indicator.indicator']['name'] = 'Tugboat'; +// Update next-build site endpoint to the appropriate tugboat alias +$config['next.next_site.next_build_preview_server']['base_url'] = 'https://next-' . getenv('TUGBOAT_SERVICE_TOKEN') . '.' . getenv('TUGBOAT_SERVICE_CONFIG_DOMAIN'); +$config['next.next_site.next_build_preview_server']['preview_url'] = 'https://next-' . getenv('TUGBOAT_SERVICE_TOKEN') . '.' . getenv('TUGBOAT_SERVICE_CONFIG_DOMAIN') . '/api/preview'; + $settings['trusted_host_patterns'] = [ '^localhost$', '^.*' . getenv('TUGBOAT_SERVICE_TOKEN') . '.' . getenv('TUGBOAT_SERVICE_CONFIG_DOMAIN') . '$',
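Review bot: `vgb_description` in user.role.next_js.yml still reads 'Role for Next.js JSON API data access.' although the permissions list now grants `view any unpublished content`, `view all revisions` and `view latest version`, so any client holding this role can read drafts. The description should record that, e.g. `vgb_description: 'Role for Next.js JSON:API access, including preview of unpublished revisions.'`. If the static build authenticates with the same role as the preview server (not visible in this hunk), a separate preview-only role and consumer would keep draft access out of the build path. `access user profiles` is also worth re-checking against what the front end actually requests.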
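Review bot: The two added `$config['next.next_site.next_build_preview_server']` lines in settings.tugboat.php build the same host string twice from `getenv()`, which returns `false` when a variable is unset. A missing `TUGBOAT_SERVICE_TOKEN` or `TUGBOAT_SERVICE_CONFIG_DOMAIN` therefore silently produces a malformed preview target such as `https://next-.` instead of failing. Computing the value once keeps the two settings in step: `$next_base = 'https://next-' . getenv('TUGBOAT_SERVICE_TOKEN') . '.' . getenv('TUGBOAT_SERVICE_CONFIG_DOMAIN');`, then assign `$next_base` and `$next_base . '/api/preview'`. The `// Update next-build site endpoint…` comment could also say that these override the `http://localhost:3000` defaults exported in config/sync.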