@dsivd/prestations-ng 18.3.1 → 18.3.2-beta.2

package/CHANGELOG.md

@@ -6,6 +6,45 @@
 
 ---
 
+## [18.3.2]
+
+### Added
+
+- [IAM_ACV_MIGRATION_OIDC.md](IAM_ACV_MIGRATION_OIDC.md)
+
+    - Migration guide to protect IAM applications wiht OIDC instead of IAM headers (deprecated)
+
+- [oidc-not-authenticated-interceptor.ts](projects/prestations-ng/src/oidc/oidc-not-authenticated-interceptor.ts)
+
+    - HTTP interceptor that redirect to login when using ng serve if the current application is behind IAM with OIDC
+
+- [oidc-injection-token.ts](projects/prestations-ng/src/oidc/oidc-injection-token.ts)
+
+    - Enables the OidcNotAuthenticatedInterceptor
+
+- [foehn-global-upload-progress-bar.component.ts](projects/prestations-ng/src/foehn-upload/foehn-upload-progress-bar/foehn-global-upload-progress-bar.component.ts)
+
+    - Added a global progress bar displaying upload progress of pending files
+
+- [global-upload-progress.service.ts](projects/prestations-ng/src/foehn-upload/foehn-upload-progress-bar/global-upload-progress.service.ts)
+
+    - Added a global upload progress service to manage global progress bar
+
+- [foehn-page.component.ts](projects/prestations-ng/src/foehn-page/foehn-page.component.ts)
+    - added a global progress bar to manage pending files upload
+
+## [18.3.1]
+
+### Added
+
+- [foehn-breadcrumb.component.ts](projects/prestations-ng/src/foehn-breadcrumb/breadcrumb.ts)
+    - added optional property `urlTarget?: '_blank' | '_self' | '_parent' | '_top';`
+
+### Updated
+
+- [foehn-breadcrumb.component.ts](projects/prestations-ng/src/foehn-breadcrumb/foehn-breadcrumb.component.ts)
+    - uses optional `urlTarget` property for external links
+
 ## [18.3.0] - should be aligned with prestations-be 18.3.x
 
 ### Added

package/IAM_ACV_MIGRATION_OIDC.md

@@ -0,0 +1,116 @@
+# IAM ACV OIDC MIGRATION GUIDE
+
+Back offices that are behind IAM ACV should migrate to OIDC, IAM headers are now deprecated.
+
+## ADMIN
+
+- You have to request a new VIP for your application (<env>-<deployunit>.etat-de-vaud.ch)
+    - i.e. for eldoradobo (R260219_00034) : https://int-eldoradobo.etat-de-vaud.ch/
+- On IAM side, you have to request a client id / secret on every environment to be used in your configuration
+
+## FRONTEND
+
+- Enable the interceptor that is used for dev server by providing the following injection token in your app.module.ts : `{ provide: OIDC_ENABLED, useValue: 'true' }`
+- Update your proxy.conf.json to add `/oauth2`, `/login`, `/logout` :
+
+```json
+[
+    {
+        "context": ["/api", "/oauth2", "/login", "/logout"],
+        "target": "http://localhost:20900",
+        "secure": false
+    }
+]
+```
+
+- update your angular.json
+
+```json
+  "baseHref": "/",
+```
+
+## BACKEND
+
+- remove the server.servlet.context-path (your application should respond on "/")
+- Replace this import : `cyberadminbe.config.CyberAdminBeSecurityConfig` with this one `backofficebe.config.IamAcvOidcSecurityConfiguration`
+- add the following dependency :
+
+```xml
+<dependency>
+    <groupId>org.springframework.boot</groupId>
+    <artifactId>spring-boot-starter-oauth2-client</artifactId>
+</dependency>
+```
+
+- update your application.properties with
+
+```properties
+# OIDC common properties
+spring.security.oauth2.client.registration.acv.client-name=SSO ACV
+spring.security.oauth2.client.registration.acv.authorization-grant-type=authorization_code
+spring.security.oauth2.client.registration.acv.scope=openid,profile,email
+```
+
+- update your CO/environment.properties + UT/environment.properties with
+
+```properties
+spring.security.oauth2.client.registration.acv.client-id=mock-client-id
+spring.security.oauth2.client.registration.acv.client-secret=anySecret
+spring.security.oauth2.client.provider.acv.issuer-uri=http://localhost:8080/acv
+```
+
+- Expose the actuators on a different port, by updating your application.properties
+
+```properties
+# With OIDC we have to expose actuators without any security to be called by spring boot admin
+# so the are exposed on another port
+management.server.port=${port.divers:8086}
+# expose liveness/readiness probes on the same port as the application (/livez / readyz)
+management.endpoint.health.probes.add-additional-paths=true
+# send actuator access log to /dev/stdout
+management.server.tomcat.accesslog.enabled=true
+management.server.tomcat.accesslog.directory=/dev
+management.server.tomcat.accesslog.prefix=stdout
+management.server.tomcat.accesslog.suffix=
+```
+
+### TESTING
+
+To be able to use @SpringBootTest, you have to :
+
+- add the following dependency :
+
+```xml
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-test</artifactId>
+            <scope>test</scope>
+        </dependency>
+```
+
+- provide the token in your mock request, you can replace this helper :
+
+```java
+    static MockHttpServletRequestBuilder enrichWithAuthHeaders(MockHttpServletRequestBuilder builder) {
+        return builder.header("iam-userid", "sar8h6")
+                .header("iam-firstname", "Bruce")
+                .header("iam-lastname", "Wayne")
+                .header("iam-application", "app")
+                .header("iam-roles", "app-user");
+    }
+```
+
+with methods from `ch.vd.cyber.backofficebe.utils.MVCTestUtils`:
+
+- `enrichWithOidcTokenAsUser` : simulates that a request is done by an IAM user, with a valid OIDC token and the role "user"
+- `enrichWithOidcTokenAsRole` : same as previous, but you can set another role than "user"
+- `enrichWithAuthHeadersForEsgateAsUser` : simulates that a request is done by a techincal user through esgate and the role "user"
+- `enrichWithAuthHeadersForEsgate` : same as previous, but you can set another role than "user"
+
+## RUNNING YOUR APP
+
+- You can run a mock OIDC server with this command :
+
+```shell
+podman run -p 8080:8080 --rm docker-registry.etat-de-vaud.ch/tools/mock-oidc:latest
+```