Drupal 8 policy.drush.inc for site not being read

[frederickjh]

Hi!
I have a fresh install of the Drupal 8 Lightning distribution using composer. I want to add a policy.drush.inc that will be used for the site. Lightning comes with drush folder with a README.md file in it that is on the same level as the docroot (inside the Composer project file). The README.md file says:

Project-specific Drush configuration, as well as custom and contributed Drush commands, should go in this directory.

To test I added the make your own sandwich policy from the example policy.drush.inc. into my policy.drush.inc In the drush folder supplied by Lightning it is not read. I check this by adding the --show-invoke option when running drush mmas (short for make me a sandwich).
When I place the same policy.drush.inc file in ~/.drush/policy.drush.inc I get told to make my own sandwich, as I should.
Placing the same policy.drush.inc file in /drush or /sites/all/drush or /sites/all/default and running drush mmas results in me getting a sandwich even though policy should tell me to make my own.

I am using Drush Version : 8.1.8. This is not install with composer in the Lightning website project. It is installed with composer on my computer at ~/.composer/vendor/bin/drush.

So, I am not sure with folders moving around in Drupal 8 as to where is the correct place. Not sure if I am not doing this the correct way or if it is a Lightning or Drush issue.
So, where on a Drupal 8 site built with Composer should I be placing policy.drush.inc files that I want to apply to only that website?

Thanks in advance for any help you can provide!
Frederick

[weitzman]

In order for the file to get read, you must be in the PROJECT/web dir, or specify a --root or a site alias. If you are in the top level dir without specifying any of those, I dont think /drush gets read. In order to help more, please paste output of your command with --debug. Its helpful to see your prompt so we can see what the command is and what dir it launches from.

[frederickjh]

Hi weitzman!

These test have all been done from the PROJECT/web dir (webroot is docroot in my case). With the policy.drush.inc in the PROJECT folder:

[Mon Dec 12 21:29:30 docker@localdevdrupal testing.docker:/var/www/docroot]$ ll ../drush/
total 16
drwxrwsr-x 2 docker users 4096 Dec 12 13:25 ./
drwxrwsr-x 8 docker users 4096 Dec 12 13:29 ../
-rw-rw-r-- 1 docker users  117 Sep  7 21:14 README.md
-rw-r--r-- 1 docker users 1863 Dec 12 13:25 policy.drush.inc
[Mon Dec 12 21:29:33 docker@localdevdrupal testing.docker:/var/www/docroot]$ drush --debug make-me-a-sandwich 
Using the Drush script found at /home/docker/.composer/vendor/drush/drush/drush.launcher using pcntl_exec
Loading drushrc "/home/docker/.drush/drushrc.php" into "home.drush" scope. [0.02 sec, 3.16 MB]                                                                     [bootstrap]
Cache HIT cid: 8.1.8-commandfiles-0-721a8daa5c8cc7ac8e37b3e05e497ab2 [0.03 sec, 3.22 MB]                                                                               [debug]
Bootstrap to phase 0. [0.32 sec, 13.62 MB]                                                                                                                         [bootstrap]
Bootstrap to phase -1. [0.32 sec, 13.63 MB]                                                                                                                        [bootstrap]
Found command: make-me-a-sandwich (commandfile=sandwich) [0.32 sec, 13.63 MB]                                                                                      [bootstrap]
Loading drushrc "/home/docker/.drush/deploy.drushrc.php" into "home.drush" scope. [0.32 sec, 13.64 MB]                                                             [bootstrap]
Calling hook drush_sandwich_make_me_a_sandwich [0.33 sec, 14.25 MB]                                                                                                    [debug]

Okay. Enjoy this ascii sandwich.

 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 . . .  . . . . . . . .:8 ;t;;t;;;;:..:;%SX888@X%t;.. . . . 
 . .  .. . . . . . .%t%;%@%%%%%%%%%%X@8888XS%t;...:;ttt%X. .
 . . .  . . . . . .X:8%X%%%XS%%%%%%%XS%%%%%@%%%%X%%%@%S88 . 
 . . . . . .  .  . X@ @%%%X8X%%%88%%%8X%%%%%%%%%XXt@8@88@. .
 . . . . .  . . .t@tS;%%8XSX%@XSX%@XSS%8@@88X@888X8SS S;S.  
 . . . . . . .@%XS%%%%%S8@X%@8%XXSSXX%S@SSSX888.;@ 888@ . . 
 . . . . . :.8:S%%%XS8X@@X%S@SSSS8SXSXXX%X88X:;@8@:S  88S. .
 . . .  .8%S8%%%%%%8@SSSXXXSXSXSXSXSSS8S888 :@%:%XX:%8%:X:  
 . .  .:8 %%%%@%%8@S%%XXSXSSSS8S@X%XSXX88 ;@X;SX88X8;%X88t. 
 . . 88S%S%%%%8XSSXSX@@S@%XS8@SS%@S%888 88@S:8. .;.@%X:@8;. 
 . .  88.8888888@XX   888888%X%@XX 88SS8@@;S@8.%;8@S%%:8   .
 . .  S%:8 @SSSS8 @@8@8 8 88888888@%S:8:S8 @..%S SXX8888;. .
 . . %:8S8888@88SXS S S::X@.8.8 X%S%8X:X88..% @@.S.%% .;. . 
 .    .XX8@8;;%%t;;;;:@X@888888@888888.88S;8:8  ...    . . .
 . . 8.;;@8@8:%%%%%t.8@%ttX@8@@@S8%8 X8S;X:@; :... . . . . .
 . tS:8@;88.;:8888X8S:.tX88888X88  S8tStS88 :.. . . . . . . 
 .:X;;:t%;tt%888S@8XS888@8.:tt@;88.tXXX8:::... . . . . . . .
 .:X8St:8SXS XS8@X 8.8%888%X8@@X88tXS8t; . . . . . . .  . . 
 .    :8888.88888888X@@X @ X X%S%;88;8t .. . .  . . . . .  .
 ... ..: .    .@@888%St    @ @ 8SS 8:; . . . . . . . . . . .
   .  .  .      ..::. ..:;;::::. ... . . . . . . . . . . . .
 .. . . .     . .. . .  .  .  .. . . . . . .  . . . . . . . 

Cache HIT cid: 8.1.8-sandwiches-served-d41d8cd98f00b204e9800998ecf8427e [0.33 sec, 14.25 MB]                                                                           [debug]
Cache SET cid: 8.1.8-sandwiches-served-d41d8cd98f00b204e9800998ecf8427e [0.33 sec, 14.25 MB]                                                                           [debug]
Returned from hook drush_sandwich_make_me_a_sandwich [0.33 sec, 14.25 MB]                                                                                              [debug]
Cache MISS cid: 8.1.8-command-recording-d41d8cd98f00b204e9800998ecf8427e [0.33 sec, 14.2 MB]                                                                           [debug]
Command dispatch complete [0.33 sec, 14.19 MB]                                                                                                                        [notice]
[Mon Dec 12 21:29:44 docker@localdevdrupal testing.docker:/var/www/docroot]$ drush st
 Drupal version                  :  8.2.2                                                                  
 Site URI                        :  http://default                                                         
 Database driver                 :  mysql                                                                  
 Database hostname               :  localhost                                                              
 Database port                   :  3306                                                                   
 Database username               :  drupal                                                                 
 Database name                   :  drupal                                                                 
 Database                        :  Connected                                                              
 Drupal bootstrap                :  Successful                                                             
 Drupal user                     :                                                                         
 Default theme                   :  bartik                                                                 
 Administration theme            :  seven                                                                  
 PHP executable                  :  /usr/bin/php                                                           
 PHP configuration               :  /etc/php5/cli/php.ini /home/docker/.drush/drush.ini                    
 PHP OS                          :  Linux                                                                  
 Drush script                    :  /home/docker/.composer/vendor/drush/drush/drush.php                    
 Drush version                   :  8.1.8                                                                  
 Drush temp directory            :  /tmp                                                                   
 Drush configuration             :  /home/docker/.drush/deploy.drushrc.php /home/docker/.drush/drushrc.php 
 Drush alias files               :  /home/docker/.drush/test.aliases.drushrc.php "                         
                                    There are 29 more alias files. Run with --full to see the full list."  
 Install profile                 :  lightning                                                              
 Drupal root                     :  /var/www/docroot                                                       
 Drupal Settings File            :  sites/default/settings.php                                             
 Site path                       :  sites/default                                                          
 File directory path             :  sites/default/files                                                    
 Private file directory path     :  /var/tmp/private                                                       
 Temporary file directory path   :  /tmp                                                                   
 Sync config path                :  ../config/sync                                                         

[Mon Dec 12 21:37:12 docker@localdevdrupal testing.docker:/var/www/docroot]$ 

Let me know if I should have placed the policy.drush.inc in a different folder.

[weitzman]

Your setup looks right to me. Not sure whats going on.

[danepowell]

I'm thinking this is the same bug that we are hitting. Basically, we've defined policy_drush_sitealias_alter but it's not taking effect as expected.

Our project structure is something like:

* /var/www/html/myproject
* /var/www/html/myproject/drush/site-aliases/myproject.aliases.drushrc.php
* /var/www/html/myproject/drush/policy.drush.inc
* /var/www/html/myproject/docroot

If I run drush from the myproject directory, it correctly picks up the alter hook in policy.drush.inc.

If I run drush from myproject/docroot, it does not pick up the alter hook in policy.drush.inc, despite the documentation indicating that drush should detect a policy file "in the /drush folder in the directory above the Drupal root": https://github.com/drush-ops/drush/blob/master/examples/policy.drush.inc#L15

[frederickjh]

@weitzman I think I have figured something out on this issue. Maybe you can confirm that this is the way it should work. If so then a change to the documentation at the top of the example policy.drush.inc file is what is needed. Currently this reads:

 /**
 * @file
 * Drush Policy command file.  Currently only helps prevents the user from doing 
 * things they use to use drush for but should now use Composer for.
 *
 * An example Drush Policy File can be found at:
 * https://raw.githubusercontent.com/drush-ops/drush/master/examples/policy.drush.inc
 * 
 * Validates commands as they are issued and returns an error
 * or changes options when policy is violated.
 *
 * You can copy this file to any of the following
 *   1. A .drush folder in your HOME folder.
 *   2. Anywhere in a folder tree below an active module on your site.
 *   3. /usr/share/drush/commands (configurable)
 *   4. In an arbitrary folder specified with the --include option.
 *   5. Drupal's /drush or sites/all/drush folder, or in the /drush
 *        folder in the directory above the Drupal root (note: sql-sync
 *        validation won't work in any of these locations).
 */

I believe that in addition to being able to put a policy file in these different locations this also makes a difference to what the policy gets applied to. The closer to the top of the location list (see above) the more it gets applied and the closer to the bottom of the same list it only gets applied to the realms or scopes below it.

Let me try and explain. I tried to test with the make-your-own-sandwich example policy in the Drupal sites drush folder (5.). This did not work because the sandwich command was not installed at the Drupal site level (5.) but on the Drush user level (1.)

I believe that this is working as it should. It allows for a hierarchy of policy files and this needs to be explained in the policy.drush.inc example file.

As an example I added the the example policy that Encourage folks to use composer instead of Drush pm commands! to my Drupal site that is managed by composer /drush folder in the directory above the Drupal root (5.) and this works but only for that site. Which is what I wanted.

If I wanted this for all websites that I work with I could instead add this to my .drush/policy.drush.inc in my HOME folder.

Is this sounding correct @weitzman according to what the code that handles policy.drush.inc files? If so an explanation of this hierarchy should be added to the comments in the example policy.drush.inc.

[frederickjh]

Our project structure is something like:

• /var/www/html/myproject
• /var/www/html/myproject/drush/policy.drush.inc
• /var/www/html/myproject/docroot
  If I run drush from the myproject directory, it correctly picks up the alter hook in policy.drush.inc.

If I run drush from myproject/docroot, it does not pick up the alter hook in policy.drush.inc, despite the > documentation indicating that drush should detect a policy file "in the /drush folder in the directory > > > above the Drupal root"

@danepowell The folder you should place your site specific policy.drush.inc, in your case would be:
/var/www/html/myproject/drush
I installed the Drupal 8 Lightning distribution with composer and it created a drush folder in this location that has a README.md files that says:
Project-specific Drush configuration, as well as custom and contributed Drush commands, should go in this directory.
My policy.drush.inc file in this location is working for policy for this site.

@weitzman I have to wonder if the "directory above Drupal root" is best way to say this. If people visualise the Linux file structure as a tree with the base being root / and everything goes up from there into the branches so to speak, then the drush folder would be in the directory below the Drupal docroot folder. Maybe would should change this to say that the policy.drush.inc for a Composer managed site should be place in the in the drush folder in the Composer project root beside the docroot folder.

[weitzman]

Yes, your understanding of where we look for policy files is correct ... Sure, I'm open to rewording the "directory above drupal root" part.

[danepowell]

I think I understand how it's supposed to work, that's why I organized our project folders the way I did. What I'm saying is that it doesn't work in practice. I have to manually include the policy file. See acquia/blt#1076

[frederickjh]

@danepowell does your policy.drush.inc file work if you move it to, /var/www/html/myproject/drush/policy.drush.inc ?

[frederickjh]

@weitzman Is my understanding of the context of the policy.drush.inc files also correct?

In other word putting policy in 5. (site specific policy file) for the make a sandwich command that is installed not in the Drupal site but in the users' ~/.drush folder would have no effect on the make a sandwich command?

[danepowell]

@frederickjh that's where my policy file is. See my original comment: #2497 (comment)

Am I missing something?

There's a small chance that this is due to caching... I can't recall if I attempted clearing the Drush cache before or after noticing this, since I was dealing with a lot of quirks at the same time.

[frederickjh]

@danepowell Sorry, you are correct. That is where you said you put the policy.drush.inc However, I would not expect it to work there. You are trying to modify a site alias that you most likely have in your ~/.drush/ folder (so it will work from anywhere). I am using policy_drush_sitealias_alter but I have it in: `~/.drush/policy.drush.inc' and there it works for all sites.

I am not sure how to explain this better but it is like the policy.drush.inc files only work in the context of where they are placed. If a policy file is defined at the site level. It only affects things for that site. The policy file for a site would not be loaded for a site alias for that site when the alias is in the user's ~/.drush folder. It would only be loaded when the alias is also defined at the site level. See my example about the make a sandwich command.

In your case try putting the site alias in the same folder on the site with the drush.policy.inc file and see if it works. However placing an alias file there removes a lot of the benefits of drush sites aliases. IMHO it would be better to use either a user (1.) or server (3.) policy.drush.inc file for policy_drush_sitealias_alter.

This is my policy_drush_sitealias_alter that is in ~/.drush/policy.drush.inc

/**
 * Implements hook_drush_sitealias_alter
 *
 * Alter alias record data in code.
 */
function policy_drush_sitealias_alter(&$alias_record) {
  // A duplicate of the old implementation of the 'parent' element.
  // Keep this if you want to keep using 'parent', but do not want
  // to be nagged (or worse, break when it is removed).
  if (isset($alias_record['parent'])) {
    // Fetch and merge in each parent
    foreach (explode(',', $alias_record['parent']) as $parent) {
      $parent_record = drush_sitealias_get_record($parent);
      unset($parent_record['#name']);
      unset($parent_record['#file']);
      unset($parent_record['#hidden']);
      $array_based_keys = array_merge(drush_get_special_keys(), array('path-aliases'));
      foreach ($array_based_keys as $array_based_key) {
        if (isset($alias_record[$array_based_key]) && isset($parent_record[$array_based_key])) {
          $alias_record[$array_based_key] = array_merge($parent_record[$array_based_key], $alias_record[$array_based_key]);
        }
      }
      $alias_record = array_merge($parent_record, $alias_record);
    }
    unset($alias_record['parent']);
  }
}

[danepowell]

Actually my site aliases are also with my site (so siblings of the policy file). They are all part of a Git repo containing the project, which I think is pretty typical for enterprise deployments. I'll update my previous post to reflect this.

* /var/www/html/myproject
* /var/www/html/myproject/drush/site-aliases/myproject.aliases.drushrc.php
* /var/www/html/myproject/drush/policy.drush.inc
* /var/www/html/myproject/docroot

[bkosborne]

I'm running into this too, and I imagine I have the same setup as @danepowell since he and I are both using BLT.

Heres the file structure:

/drush.wrapper
/drush/site-aliases/
/drush/policy.drush.inc
/drush/drushrc.php
/docroot/

The drush.wrapper looks like this:

DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
cd "`dirname $0`"

if [ ! -f ${DIR}/vendor/drush/drush/drush.launcher ]; then
  echo >&2 "Drush was not found in this project's vendor directory. You can install it by typing:"
  echo >&2 "composer install"
  exit 1
fi

vendor/drush/drush/drush.launcher --config=${DIR}/drush/drushrc.php --alias-path=${DIR}/drush/site-aliases "$@"

Inside the drushrc.php file we have:

$options['include'][] = __DIR__;

And in my policy file I have:

function drush_policy_pm_updatecode_validate() {
  return drush_set_error('POLICY_PM_DENY', dt('Test'));
}

function drush_policy_sql_sync_validate($source = NULL, $destination = NULL) {
  return drush_set_error('POLICY_DENY', dt('Test'));
}

Running drush pm-updatecode from /docroot/, my policy file works and it's denied. However running drush sql-sync @self @prod my policy hook is ignored and the command proceeds.

This is strange that sql-sync hook is not working but the other is?

[bkosborne]

OK, nevermind, things are working as expected for me.

I was confused by the fact that I was being prompted to confirm the sql-sync action even though my policy denied it. That's because that prompt is included in drush's own implementation of the sql_sync_validate and was invoked before mine. After responding to the prompt, my validation is run.

[frederickjh]

@danepowell I just reread your last comment due to the recent posts on this thread. Is there a reason you have your myproject.aliases.drushrc.php in a sub-directory of the drush directory called site-aliases?

/var/www/html/myproject/drush/site-aliases/myproject.aliases.drushrc.php

I have never seen it done this way before.

@weitzman Could this have any effect on the policy file not working? Or is it OK to organize your drush folder with sub-directories?

[weitzman]

subdirs are fine and should not affect whether drush find a policy or not.

[weitzman]

No activity