Merge remote-tracking branch 'origin/master'

64503f77 · Bazarbay Tulenov · 09c2b98a · 66a9e279 · 64503f77 · 64503f77
Commit 64503f77 authored Dec 25, 2023 by Bazarbay Tulenov
8 changed files
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
+default:
+  image: docker:24.0.5
+  services:
+    - name: docker:24.0.5-dind
+      command: ["--insecure-registry=registry.nitec.kz:8200"]
+  before_script:
+    - docker info
+    - docker login -u $NEXUS_USERNAME -p $NEXUS_PASSWORD registry.nitec.kz:8200
+    - mkdir -p ~/.ssh
+    - echo "$GITLAB_SSH_KEY" > ~/.ssh/id_rsa
+    - chmod 600 ~/.ssh/id_rsa
+    - ssh-keyscan $PROD_JUMP_HOST >> ~/.ssh/known_hosts
+
+
+variables:
+  DOCKER_TLS_CERTDIR: "/certs"
+  CONTAINER_IMAGE: registry.nitec.kz:8200/qaztech/ui/template-service:latest
+
+.deploy_app:
+  script:
+    - echo "Install app to server $CURRENT_DEPLOYMENT_SERVER"
+    - echo $CURRENT_DEPLOYMENT_SERVER
+    - |
+      cat > ~/.ssh/config << EOF
+      Host jumphost
+        HostName $CURRENT_JUMP_HOST
+        User $GITLAB_SSH_USER
+      
+      Host $CURRENT_DEPLOYMENT_SERVER
+        ProxyJump jumphost
+        StrictHostKeyChecking no
+        UserKnownHostsFile=/dev/null
+        User $GITLAB_SSH_USER
+      EOF
+    - cat ~/.ssh/config
+    - ssh -i ~/.ssh/id_rsa $CURRENT_DEPLOYMENT_SERVER 'sudo -i ls -la ~'
+    - scp -i ~/.ssh/id_rsa ./docker-compose.yaml $CURRENT_DEPLOYMENT_SERVER:/opt/printform/templateservice/docker-compose.yaml
+    #    - scp -i ~/.ssh/id_rsa bpms.tar $CURRENT_DEPLOYMENT_SERVER:~/
+    #    - scp -i ~/.ssh/id_rsa .env $CURRENT_DEPLOYMENT_SERVER:~/
+    #    - ssh -i ~/.ssh/id_rsa $CURRENT_DEPLOYMENT_SERVER 'sudo -i ls -la /opt/applatform/backend/'
+    #    - ssh -i ~/.ssh/id_rsa $CURRENT_DEPLOYMENT_SERVER 'sudo -i docker load -i ~/bpms.tar'
+    #    - ssh -i ~/.ssh/id_rsa $CURRENT_DEPLOYMENT_SERVER 'sudo docker stop acgateway || true'
+    #    - ssh -i ~/.ssh/id_rsa $CURRENT_DEPLOYMENT_SERVER 'sudo docker rm acgateway_backup || true'
+    #    - ssh -i ~/.ssh/id_rsa $CURRENT_DEPLOYMENT_SERVER 'sudo docker rename acgateway acgateway_backup || true'
+    - ssh -i ~/.ssh/id_rsa $CURRENT_DEPLOYMENT_SERVER 'cd /opt/printform/templateservice/ && sudo docker-compose up --build -d'
+    - sleep 30
+    - ssh -i ~/.ssh/id_rsa $CURRENT_DEPLOYMENT_SERVER 'sudo docker ps'
+    #    - ssh -i ~/.ssh/id_rsa $CURRENT_DEPLOYMENT_SERVER 'sudo docker logs acgateway'
+    #    - ssh -i ~/.ssh/id_rsa $CURRENT_DEPLOYMENT_SERVER 'sudo docker system prune -f'
+    - echo "Successfully deploy to $CURRENT_DEPLOYMENT_SERVER"
+
+
+build:
+  stage: build
+  script:
+    - docker build -t $CONTAINER_IMAGE -f Dockerfile .
+    - docker push $CONTAINER_IMAGE
+    # - docker tag $CONTAINER_IMAGE bpms:latest
+    # - docker save bpms:latest -o bpms.tar
+    - export CURRENT_DEPLOYMENT_SERVER=$PROD_DEPLOY_HOST
+    - export CURRENT_JUMP_HOST=$PROD_JUMP_HOST
+    - !reference [.deploy_app, script]
+  #    - export CURRENT_DEPLOYMENT_SERVER=$DEV_DEPLOY_HOST2
+  #    - !reference [.deploy_app, script]
+  tags:
+    - govtech-ic-docker
+#  rules:
+#    - when: manual
+#    - docker
+
--- a/Dockerfile
+++ b/Dockerfile
-FROM xldevops/jdk17-lts
+FROM gradle:jdk18 as builder
+USER root
+RUN addgroup builder && adduser --ingroup builder builder
+COPY --chown=builder:builder . /home/builder
+USER builder
+WORKDIR /home/builder
+RUN gradle build --info -x test

-ARG JAR_FILE=build/libs/printedFormsService-app.jar
-
-#RUN mkdir /app
-
-COPY ${JAR_FILE} /spring-boot-application.jar
-
-ENTRYPOINT ["java", "-Djava.security.egd=file:/dev/./urandom", "-jar","/spring-boot-application.jar"]
+FROM openjdk:18.0-slim
+WORKDIR /app
+RUN groupadd --system appuser && \
+   useradd --system --gid appuser appuser && \
+   chown -R appuser:appuser /app
+USER appuser
+WORKDIR /app
+COPY  --chown=appuser:appuser --from=builder /home/builder/build/libs/printedFormsService-app.jar /app
+EXPOSE 8081
+ENTRYPOINT exec java ${JVM_OPTS} -Djava.security.egd=file:/dev/./urandom -jar /app/printedFormsService-app.jar 
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
 version: '3'
 services:
-  postgres:
-    image: postgres
-    network_mode: host
-    environment:
-      POSTGRES_DB: template_db
-      POSTGRES_USER: postgres
-      POSTGRES_PASSWORD: password
-    expose:
-      - 5432
-    ports:
-      - "5432:5432"
+  # postgres:
+  #   image: postgres
+  #   networks:
+  #     - test
+  #   environment:
+  #     POSTGRES_DB: template_db
+  #     POSTGRES_USER: postgres
+  #     POSTGRES_PASSWORD: password
+  #   expose:
+  #     - 5432
+  #   ports:
+  #     - "5432:5432"

  client-backend:
-    image: templete-service:latest
-    build:
-      context: ./
-      dockerfile: Dockerfile
+    image: registry.nitec.kz:8200/qaztech/ui/template-service:latest
+    extra_hosts:
+      - idp.applatform.qaztech.gov.kz:172.22.229.115
+    networks:
+      - printform
    ports:
-      - "8081:8081"
-    depends_on:
-      - postgres
+      - "8085:8081"
+    # depends_on:
+    #   - postgres
    environment:
-      - SERVER_PORT= 8081
+      - SERVER_PORT=8081
+      - KEYCLOAK_REALM=applatform
      - SPRING_DATASOURCE_URL=jdbc:postgresql://postgres:5432/template_db
-      - KEYCLOAK_URI= https://keycloak.portal.btsd.kz
-      - KEYCLOAK_CLIENT_SECRET= F3ldvoA1iBLF142bhfHZNOtZZ0wjRiE4
+      - KEYCLOAK_URI=https://idp.applatform.qaztech.gov.kz
+      - KEYCLOAK_CLIENT_SECRET=1NYLMNlWXpPDW3QKeZ4VjlY76DuzNtaB
+
+networks:
+  printform:
+    external: true
+    name: printform
\ No newline at end of file
--- a/src/main/java/kz/project/printedFormsService/config/SecurityConfiguration.java
+++ b/src/main/java/kz/project/printedFormsService/config/SecurityConfiguration.java
@@ -30,12 +30,9 @@ import static kz.project.printedFormsService.controller.TemplateController.BASE_
 @EnableMethodSecurity
 public class SecurityConfiguration {

-    private static final String PROJECT_A_CREATOR = "projecta_creator";
-    private static final String PROJECT_B_CREATOR = "projectb_creator";
-    private static final String PROJECT_A_DELETE = "projecta_delete";
-    private static final String PROJECT_B_DELETE = "projectb_delete";
-    private static final String PROJECT_A_EDITOR = "projecta_editor";
-    private static final String PROJECT_B_EDITOR = "projectb_editor";
+    private static final String CREATOR = "creator";
+    private static final String DELETE = "delete";
+    private static final String EDITOR = "editor";
    private static final String ADMIN = "admin";

    @Bean
@@ -66,33 +63,28 @@ public class SecurityConfiguration {
                .permitAll()

                .requestMatchers(BASE_PATH + TemplateController.SAVE)
-                .hasAnyRole(PROJECT_A_CREATOR, PROJECT_B_CREATOR, ADMIN)
+                .hasAnyRole(CREATOR, ADMIN)

                .requestMatchers(BASE_PATH + TemplateController.GET_TEMPLATE_DATA)
-                .hasAnyRole(PROJECT_A_CREATOR, PROJECT_B_CREATOR, PROJECT_A_EDITOR, PROJECT_B_EDITOR,
-                        PROJECT_A_DELETE, PROJECT_B_DELETE, ADMIN)
+                .hasAnyRole(CREATOR, EDITOR, DELETE, ADMIN)

                .requestMatchers(BASE_PATH + TemplateController.EDIT)
-                .hasAnyRole(PROJECT_A_EDITOR, PROJECT_B_EDITOR, ADMIN)
+                .hasAnyRole(EDITOR, ADMIN)

                .requestMatchers(BASE_PATH + TemplateController.DELETE)
-                .hasAnyRole(PROJECT_A_DELETE, PROJECT_B_DELETE, ADMIN)
+                .hasAnyRole(DELETE, ADMIN)

                .requestMatchers(BASE_PATH + TemplateController.GET_ALL)
-                .hasAnyRole(PROJECT_A_CREATOR, PROJECT_B_CREATOR, PROJECT_A_EDITOR, PROJECT_B_EDITOR,
-                        PROJECT_A_DELETE, PROJECT_B_DELETE, ADMIN)
+                .hasAnyRole(CREATOR, EDITOR, DELETE, ADMIN)

                .requestMatchers(BASE_PATH + TemplateController.GET_ALL_BY_CODE)
-                .hasAnyRole(PROJECT_A_CREATOR, PROJECT_B_CREATOR, PROJECT_A_EDITOR, PROJECT_B_EDITOR,
-                        PROJECT_A_DELETE, PROJECT_B_DELETE, ADMIN)
+                .hasAnyRole(CREATOR, EDITOR, DELETE, ADMIN)

                .requestMatchers(DocumentsController.BY_DAY)
-                .hasAnyRole(PROJECT_A_CREATOR, PROJECT_B_CREATOR, PROJECT_A_EDITOR, PROJECT_B_EDITOR,
-                        PROJECT_A_DELETE, PROJECT_B_DELETE, ADMIN)
+                .hasAnyRole(CREATOR, EDITOR, DELETE, ADMIN)

                .requestMatchers(DocumentsController.BY_TEMPLATE)
-                .hasAnyRole(PROJECT_A_CREATOR, PROJECT_B_CREATOR, PROJECT_A_EDITOR, PROJECT_B_EDITOR,
-                        PROJECT_A_DELETE, PROJECT_B_DELETE, ADMIN)
+                .hasAnyRole(CREATOR, EDITOR, DELETE, ADMIN)

                .anyRequest().authenticated()
        );

--- a/src/main/java/kz/project/printedFormsService/config/SecurityContextUtils.java
+++ b/src/main/java/kz/project/printedFormsService/config/SecurityContextUtils.java
@@ -35,7 +35,6 @@ public class SecurityContextUtils {
                .map(GrantedAuthority::getAuthority)
                .map(role -> role.replace("ROLE_", ""))
                .filter(role -> role.contains(PROJECT_ROLE_SPLITTER))
-                .filter(role->role.startsWith("project"))
                .collect(Collectors.toMap(
                        role -> role.split(PROJECT_ROLE_SPLITTER)[0],
                        role -> new ArrayList<>(List.of(role.split(PROJECT_ROLE_SPLITTER)[1])),

--- a/src/main/java/kz/project/printedFormsService/converter/JwtAuthConverter.java
+++ b/src/main/java/kz/project/printedFormsService/converter/JwtAuthConverter.java
@@ -11,10 +11,7 @@ import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
 import org.springframework.stereotype.Component;

-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.List;
-import java.util.Map;
+import java.util.*;

 @Component
 public class JwtAuthConverter implements Converter<Jwt, AbstractAuthenticationToken> {
@@ -28,18 +25,21 @@ public class JwtAuthConverter implements Converter<Jwt, AbstractAuthenticationTo
    }

    private Collection<GrantedAuthority> extractAuthorities(Jwt jwt) {
-        if (jwt.getClaim("realm_access") != null) {
-            Map<String, Object> realmAccess = jwt.getClaim("realm_access");
-            ObjectMapper mapper = new ObjectMapper();
-            List<String> roles = mapper.convertValue(realmAccess.get("roles"), new TypeReference<>() {
-            });
-            List<GrantedAuthority> authorities = new ArrayList<>();
-
-            for (String role : roles) {
-                authorities.add(new SimpleGrantedAuthority("ROLE_" + role));
+        if (jwt.getClaim("resource_access") != null) {
+            Map<String, Map<String,Object>> resourceAccess = jwt.getClaim("resource_access");
+            if (resourceAccess.containsKey("print_form")){
+                ObjectMapper mapper = new ObjectMapper();
+                List<String> roles = mapper.convertValue(resourceAccess.get("print_form").get("roles"), new TypeReference<>() {
+                });
+                Set<GrantedAuthority> authorities = new HashSet<>();
+
+                for (String role : roles) {
+                    authorities.add(new SimpleGrantedAuthority("ROLE_" + role.substring(role.lastIndexOf('_')+1)));
+                }
+
+                return authorities;
            }

-            return authorities;
        }
        return new ArrayList<>();
    }

--- a/src/main/java/kz/project/printedFormsService/data/repository/DocumentJdbcRepository.java
+++ b/src/main/java/kz/project/printedFormsService/data/repository/DocumentJdbcRepository.java
@@ -33,7 +33,7 @@ public class DocumentJdbcRepository {
                                WHERE
                                    DATE_TRUNC('day',created_at) >= :startDate
                                    AND  DATE_TRUNC('day',created_at) <= :endDate
-                                    AND project in(:projects)
+                                    --AND project in(:projects)
                                GROUP BY
                                    date
                                ORDER BY
@@ -65,7 +65,7 @@ public class DocumentJdbcRepository {
                        WHERE
                            DATE_TRUNC('day',created_at) >= :startDate
                          AND DATE_TRUNC('day',created_at) <= :endDate
-                          AND d.project in(:projects)
+                          --AND d.project in(:projects)
                        GROUP BY
                            d.template_id, t.name
                        ORDER BY

--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
@@ -6,7 +6,7 @@ spring:
    oauth2:
      resourceserver:
        jwt:
-          jwk-set-uri: ${KEYCLOAK_URI:http://94.247.129.11:8080}/realms/selfserviceportal/protocol/openid-connect/certs
+          jwk-set-uri: ${KEYCLOAK_URI:http://94.247.129.11:8080}/realms/${KEYCLOAK_REALM:}/protocol/openid-connect/certs
      client:
        registration:
          keycloak:
@@ -18,8 +18,8 @@ spring:
            authorization-grant-type: authorization_code
        provider:
          keycloak:
-            jwk-set-uri: ${KEYCLOAK_URI:http://94.247.129.11:8080}/realms/selfserviceportal/protocol/openid-connect/certs
-            issuer-uri: ${KEYCLOAK_URI:http://94.247.129.11:8080}/realms/selfserviceportal
+            jwk-set-uri: ${KEYCLOAK_URI:http://94.247.129.11:8080}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/certs
+            issuer-uri: ${KEYCLOAK_URI:http://94.247.129.11:8080}/realms/${KEYCLOAK_REALM}

  jpa:
    hibernate: