merge

.gitlab-ci.yml

+default:
+  image: docker:24.0.5
+  services:
+    - name: docker:24.0.5-dind
+      command: ["--insecure-registry=registry.nitec.kz:8200"]
+  before_script:
+    - docker info
+    - docker login -u $NEXUS_USERNAME -p $NEXUS_PASSWORD registry.nitec.kz:8200
+    - mkdir -p ~/.ssh
+    - echo "$GITLAB_SSH_KEY" > ~/.ssh/id_rsa
+    - chmod 600 ~/.ssh/id_rsa
+    - ssh-keyscan $PROD_JUMP_HOST >> ~/.ssh/known_hosts
+
+
+variables:
+  DOCKER_TLS_CERTDIR: "/certs"
+  CONTAINER_IMAGE: registry.nitec.kz:8200/qaztech/ui/template-service:latest
+
+.deploy_app:
+  script:
+    - echo "Install app to server $CURRENT_DEPLOYMENT_SERVER"
+    - echo $CURRENT_DEPLOYMENT_SERVER
+    - |
+      cat > ~/.ssh/config << EOF
+      Host jumphost
+        HostName $CURRENT_JUMP_HOST
+        User $GITLAB_SSH_USER
+      
+      Host $CURRENT_DEPLOYMENT_SERVER
+        ProxyJump jumphost
+        StrictHostKeyChecking no
+        UserKnownHostsFile=/dev/null
+        User $GITLAB_SSH_USER
+      EOF
+    - cat ~/.ssh/config
+    - ssh -i ~/.ssh/id_rsa $CURRENT_DEPLOYMENT_SERVER 'sudo -i ls -la ~'
+    - scp -i ~/.ssh/id_rsa ./docker-compose.yaml $CURRENT_DEPLOYMENT_SERVER:/opt/printform/templateservice/docker-compose.yaml
+    #    - scp -i ~/.ssh/id_rsa bpms.tar $CURRENT_DEPLOYMENT_SERVER:~/
+    #    - scp -i ~/.ssh/id_rsa .env $CURRENT_DEPLOYMENT_SERVER:~/
+    #    - ssh -i ~/.ssh/id_rsa $CURRENT_DEPLOYMENT_SERVER 'sudo -i ls -la /opt/applatform/backend/'
+    #    - ssh -i ~/.ssh/id_rsa $CURRENT_DEPLOYMENT_SERVER 'sudo -i docker load -i ~/bpms.tar'
+    #    - ssh -i ~/.ssh/id_rsa $CURRENT_DEPLOYMENT_SERVER 'sudo docker stop acgateway || true'
+    #    - ssh -i ~/.ssh/id_rsa $CURRENT_DEPLOYMENT_SERVER 'sudo docker rm acgateway_backup || true'
+    #    - ssh -i ~/.ssh/id_rsa $CURRENT_DEPLOYMENT_SERVER 'sudo docker rename acgateway acgateway_backup || true'
+    - ssh -i ~/.ssh/id_rsa $CURRENT_DEPLOYMENT_SERVER 'cd /opt/printform/templateservice/ && sudo docker-compose up --build -d'
+    - sleep 30
+    - ssh -i ~/.ssh/id_rsa $CURRENT_DEPLOYMENT_SERVER 'sudo docker ps'
+    #    - ssh -i ~/.ssh/id_rsa $CURRENT_DEPLOYMENT_SERVER 'sudo docker logs acgateway'
+    #    - ssh -i ~/.ssh/id_rsa $CURRENT_DEPLOYMENT_SERVER 'sudo docker system prune -f'
+    - echo "Successfully deploy to $CURRENT_DEPLOYMENT_SERVER"
+
+
+build:
+  stage: build
+  script:
+    - docker build -t $CONTAINER_IMAGE -f Dockerfile .
+    - docker push $CONTAINER_IMAGE
+    # - docker tag $CONTAINER_IMAGE bpms:latest
+    # - docker save bpms:latest -o bpms.tar
+    - export CURRENT_DEPLOYMENT_SERVER=$PROD_DEPLOY_HOST
+    - export CURRENT_JUMP_HOST=$PROD_JUMP_HOST
+    - !reference [.deploy_app, script]
+  #    - export CURRENT_DEPLOYMENT_SERVER=$DEV_DEPLOY_HOST2
+  #    - !reference [.deploy_app, script]
+  tags:
+    - govtech-ic-docker
+#  rules:
+#    - when: manual
+#    - docker
+

Dockerfile

-FROM xldevops/jdk17-lts
+FROM gradle:jdk18 as builder
+USER root
+RUN addgroup builder && adduser --ingroup builder builder
+COPY --chown=builder:builder . /home/builder
+USER builder
+WORKDIR /home/builder
+RUN gradle build --info -x test
 
-ARG JAR_FILE=build/libs/printedFormsService-app.jar
-
-#RUN mkdir /app
-
-COPY ${JAR_FILE} /spring-boot-application.jar
-
-ENTRYPOINT ["java", "-Djava.security.egd=file:/dev/./urandom", "-jar","/spring-boot-application.jar"]
+FROM openjdk:18.0-slim
+WORKDIR /app
+RUN groupadd --system appuser && \
+   useradd --system --gid appuser appuser && \
+   chown -R appuser:appuser /app
+USER appuser
+WORKDIR /app
+COPY  --chown=appuser:appuser --from=builder /home/builder/build/libs/printedFormsService-app.jar /app
+EXPOSE 8081
+ENTRYPOINT exec java ${JVM_OPTS} -Djava.security.egd=file:/dev/./urandom -jar /app/printedFormsService-app.jar 

docker-compose.yaml

 version: '3'
 services:
-  postgres:
-    image: postgres
-    network_mode: host
-    environment:
-      POSTGRES_DB: template_db
-      POSTGRES_USER: postgres
-      POSTGRES_PASSWORD: password
-    expose:
-      - 5432
-    ports:
-      - "5432:5432"
+  # postgres:
+  #   image: postgres
+  #   networks:
+  #     - test
+  #   environment:
+  #     POSTGRES_DB: template_db
+  #     POSTGRES_USER: postgres
+  #     POSTGRES_PASSWORD: password
+  #   expose:
+  #     - 5432
+  #   ports:
+  #     - "5432:5432"
 
   client-backend:
-    image: templete-service:latest
-    build:
-      context: ./
-      dockerfile: Dockerfile
+    image: registry.nitec.kz:8200/qaztech/ui/template-service:latest
+    extra_hosts:
+      - idp.applatform.qaztech.gov.kz:172.22.229.115
+    networks:
+      - printform
     ports:
-      - "8081:8081"
-    depends_on:
-      - postgres
+      - "8085:8081"
+    # depends_on:
+    #   - postgres
     environment:
-      - SERVER_PORT= 8081
+      - SERVER_PORT=8081
+      - KEYCLOAK_REALM=applatform
       - SPRING_DATASOURCE_URL=jdbc:postgresql://postgres:5432/template_db
-      - KEYCLOAK_URI= https://keycloak.portal.btsd.kz
-      - KEYCLOAK_CLIENT_SECRET= F3ldvoA1iBLF142bhfHZNOtZZ0wjRiE4
-      - KEYCLOAK_REALM= selfserviceportal
+      - KEYCLOAK_URI=https://idp.applatform.qaztech.gov.kz
+      - KEYCLOAK_CLIENT_SECRET=1NYLMNlWXpPDW3QKeZ4VjlY76DuzNtaB
+
+networks:
+  printform:
+    external: true
+    name: printform
\ No newline at end of file

src/main/java/kz/project/printedFormsService/config/SecurityConfiguration.java

@@ -94,6 +94,8 @@ public class SecurityConfiguration {
                 .hasAnyRole(PROJECT_A_CREATOR, PROJECT_B_CREATOR, PROJECT_A_EDITOR, PROJECT_B_EDITOR,
                         PROJECT_A_DELETE, PROJECT_B_DELETE, ADMIN)
 
+                .requestMatchers(BASE_PATH + "/**")
+                .hasAnyRole(ADMIN)
                 .anyRequest().authenticated()
         );
 

src/main/java/kz/project/printedFormsService/converter/JwtAuthConverter.java

@@ -28,18 +28,21 @@ public class JwtAuthConverter implements Converter<Jwt, AbstractAuthenticationTo
     }
 
     private Collection<GrantedAuthority> extractAuthorities(Jwt jwt) {
-        if (jwt.getClaim("realm_access") != null) {
-            Map<String, Object> realmAccess = jwt.getClaim("realm_access");
-            ObjectMapper mapper = new ObjectMapper();
-            List<String> roles = mapper.convertValue(realmAccess.get("roles"), new TypeReference<>() {
-            });
-            List<GrantedAuthority> authorities = new ArrayList<>();
-
-            for (String role : roles) {
-                authorities.add(new SimpleGrantedAuthority("ROLE_" + role));
+        if (jwt.getClaim("resource_access") != null) {
+            Map<String, Map<String,Object>> resourceAccess = jwt.getClaim("resource_access");
+            if (resourceAccess.containsKey("print_form")){
+                ObjectMapper mapper = new ObjectMapper();
+                List<String> roles = mapper.convertValue(resourceAccess.get("print_form").get("roles"), new TypeReference<>() {
+                });
+                List<GrantedAuthority> authorities = new ArrayList<>();
+
+                for (String role : roles) {
+                    authorities.add(new SimpleGrantedAuthority("ROLE_" + role));
+                }
+
+                return authorities;
             }
 
-            return authorities;
         }
         return new ArrayList<>();
     }

src/main/resources/application.yml

@@ -6,20 +6,20 @@ spring:
     oauth2:
       resourceserver:
         jwt:
-          jwk-set-uri: ${KEYCLOAK_URI:http://94.247.129.11:8080}/realms/${KEYCLOAK_REALM:selfserviceportal}/protocol/openid-connect/certs
+          jwk-set-uri: ${KEYCLOAK_URI:http://94.247.129.11:8080}/realms/${KEYCLOAK_REALM:}/protocol/openid-connect/certs
       client:
         registration:
           keycloak:
             client-id: print_form
-            client-secret: ${KEYCLOAK_CLIENT_SECRET:MAJ7LHWtuZYpUI4wqdol6uKoyINj2OeE}
+            client-secret: ${KEYCLOAK_CLIENT_SECRET:PCFdHvlgAZTjqoieXvHN3z8zZENrbfKJ}
             client-name: Keycloak
             provider: keycloak
             scope: openid
             authorization-grant-type: authorization_code
         provider:
           keycloak:
-            jwk-set-uri: ${KEYCLOAK_URI:http://94.247.129.11:8080}/realms/${KEYCLOAK_REALM:selfserviceportal}/protocol/openid-connect/certs
-            issuer-uri: ${KEYCLOAK_URI:http://94.247.129.11:8080}/realms/${KEYCLOAK_REALM:selfserviceportal}
+            jwk-set-uri: ${KEYCLOAK_URI:http://94.247.129.11:8080}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/certs
+            issuer-uri: ${KEYCLOAK_URI:http://94.247.129.11:8080}/realms/${KEYCLOAK_REALM}
 
   jpa:
     hibernate: