From 8873dc4819b27a84fa0ca71a3205831b507191b9 Mon Sep 17 00:00:00 2001
From: Andreas Hammerbeck
Date: Thu, 5 Dec 2024 20:26:58 +0100
Subject: [PATCH] Set up AT env (#539)

* support other envs
* use platform base url in prod
* fix base_url
* add at env, remove legacyOpenId
* remove unused code
---------
Co-authored-by: Hammerbeck
---
.azure/applications/api/main.bicep | 6 +--
.azure/applications/api/params.bicepparam | 1 -
.azure/infrastructure/parameters.json | 9 ++++
.azure/modules/containerApp/main.bicep | 5 ---
.../actions/deploy-to-environment/action.yml | 4 --
.github/actions/release-version/action.yml | 4 --
.github/workflows/ci-cd.yaml | 41 +++++++++++++++++--
.github/workflows/deploy-to-environment.yml | 2 +-
.github/workflows/publish-branch.yml | 1 -
.../Auth/DependencyInjection.cs | 21 +---------
.../LegacyCorrespondenceController.cs | 2 +-
.../Options/AltinnOptions.cs | 1 -
.../AltinnAuthorizationService.cs | 6 +--
13 files changed, 55 insertions(+), 48 deletions(-)
create mode 100644 .azure/infrastructure/parameters.json
diff --git a/.azure/applications/api/main.bicep b/.azure/applications/api/main.bicep
index 6566c145..ba5d9b4b 100644
--- a/.azure/applications/api/main.bicep
+++ b/.azure/applications/api/main.bicep
@@ -8,7 +8,6 @@ param environment string
param location string
@minLength(3)
param platform_base_url string
-param legacy_base_url string
@secure()
@minLength(3)
param sourceKeyVaultName string
@@ -42,12 +41,12 @@ module appIdentity '../../modules/identity/create.bicep' = {
}
}

-module addContributorAccess '../../modules/identity/addContributorAccess.bicep' = {
+/*module addContributorAccess '../../modules/identity/addContributorAccess.bicep' = {
name: 'appDeployToAzureAccess'
params: {
userAssignedIdentityPrincipalId: appIdentity.outputs.principalId
}
-}
+}*/

module keyVaultReaderAccessPolicyUserIdentity '../../modules/keyvault/addReaderRoles.bicep' = {
name: 'kvreader-${namePrefix}-app'
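Review bot: The `addContributorAccess` module in the `@@ -42,12` hunk is commented out with `/* … */` rather than deleted, although the commit message says unused code is removed; block-commented infrastructure tends to get re-enabled later without anyone re-reviewing the role grant. If the app identity no longer needs the Contributor assignment, deleting the module records that least-privilege decision and git history keeps the old text. If it is kept for a planned re-enable, a one-line comment above the block, `// Disabled in #539: app identity should not hold Contributor; delete once confirmed`, would make the intent clear to the next reader.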
@@ -90,7 +89,6 @@ module containerApp '../../modules/containerApp/main.bicep' = {
subscription_id: subscription().subscriptionId
principal_id: appIdentity.outputs.id
platform_base_url: platform_base_url
- legacy_base_url: legacy_base_url
keyVaultUrl: keyVaultUrl
userIdentityClientId: appIdentity.outputs.clientId
containerAppEnvId: keyvault.getSecret('container-app-env-id')
diff --git a/.azure/applications/api/params.bicepparam b/.azure/applications/api/params.bicepparam
index 007dec05..e3632ece 100644
--- a/.azure/applications/api/params.bicepparam
+++ b/.azure/applications/api/params.bicepparam
@@ -4,7 +4,6 @@ param namePrefix = readEnvironmentVariable('NAME_PREFIX')
param location = 'norwayeast'
param imageTag = readEnvironmentVariable('IMAGE_TAG')
param platform_base_url = readEnvironmentVariable('PLATFORM_BASE_URL')
-param legacy_base_url = readEnvironmentVariable('LEGACY_BASE_URL')
param correspondenceBaseUrl = readEnvironmentVariable('CORRESPONDENCE_BASE_URL')
param environment = readEnvironmentVariable('ENVIRONMENT')
param maskinporten_environment = 'test'
diff --git a/.azure/infrastructure/parameters.json b/.azure/infrastructure/parameters.json
new file mode 100644
index 00000000..19a215b6
--- /dev/null
+++ b/.azure/infrastructure/parameters.json
@@ -0,0 +1,9 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "adminPassword": {
+ "value": "yourSecretHere123!"
+ }
+ }
+}
\ No newline at end of file
diff --git a/.azure/modules/containerApp/main.bicep b/.azure/modules/containerApp/main.bicep
index cc52b0ad..0648ef59 100644
--- a/.azure/modules/containerApp/main.bicep
+++ b/.azure/modules/containerApp/main.bicep
@@ -4,7 +4,6 @@ param namePrefix string
param image string
param environment string
param platform_base_url string
-param legacy_base_url string
param maskinporten_environment string
param correspondenceBaseUrl string
param idportenIssuer string
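Review bot: The new `.azure/infrastructure/parameters.json` commits an `adminPassword` value (`yourSecretHere123!`) in plaintext; even if it is only a placeholder, it makes a checked-in deployment parameters file the place where a password lives, and any real value pasted there later ends up in git history. Nothing else in this patch references the file, so it is unclear which deployment consumes it, and the commit message does not mention it. Prefer a Key Vault reference in the parameters file, `"adminPassword": { "reference": { "keyVault": { "id": "<KEY_VAULT_RESOURCE_ID>" }, "secretName": "<SECRET_NAME>" } }`, or pass the value at deploy time from the pipeline's secret store, and drop the literal. The file also ends without a trailing newline.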
@@ -58,10 +57,6 @@ var containerAppEnvVars = [
name: 'AltinnOptions__OpenIdWellKnown'
value: '${platform_base_url}/authentication/api/v1/openid/.well-known/openid-configuration'
}
- {
- name: 'AltinnOptions__LegacyOpenIdWellKnown'
- value: '${legacy_base_url}/authentication/api/v1/openid/.well-known/openid-configuration'
- }
{ name: 'AltinnOptions__PlatformGatewayUrl', value: platform_base_url }
{ name: 'AltinnOptions__PlatformSubscriptionKey', secretRef: 'platform-subscription-key' }
{ name: 'AltinnOptions__AccessManagementSubscriptionKey', secretRef: 'access-management-subscription-key' }
diff --git a/.github/actions/deploy-to-environment/action.yml b/.github/actions/deploy-to-environment/action.yml
index 3aafa4a6..45a577e0 100644
--- a/.github/actions/deploy-to-environment/action.yml
+++ b/.github/actions/deploy-to-environment/action.yml
@@ -57,9 +57,6 @@ inputs:
PLATFORM_BASE_URL:
description: "Platform Base URL"
required: true
- LEGACY_BASE_URL:
- description: "Legacy Base URL"
- required: false
PLATFORM_SUBSCRIPTION_KEY:
description: "Platform Subscription Key"
required: true
@@ -120,5 +117,4 @@ runs:
DIALOGPORTEN_ISSUER: ${{ inputs.DIALOGPORTEN_ISSUER }}
IDPORTEN_ISSUER: ${{ inputs.IDPORTEN_ISSUER }}
PLATFORM_BASE_URL: ${{ inputs.PLATFORM_BASE_URL }}
- LEGACY_BASE_URL: ${{ inputs.LEGACY_BASE_URL }}
STORAGE_ACCOUNT_NAME: ${{ inputs.AZURE_STORAGE_ACCOUNT_NAME }}
diff --git a/.github/actions/release-version/action.yml b/.github/actions/release-version/action.yml
index 843b951e..4f50b31e 100644
--- a/.github/actions/release-version/action.yml
+++ b/.github/actions/release-version/action.yml
@@ -29,9 +29,6 @@ inputs:
PLATFORM_BASE_URL:
description: "Base url for Altinn platform"
required: true
- LEGACY_BASE_URL:
- description: "Base url for legacy platform"
- required: false
STORAGE_ACCOUNT_NAME:
description: "Name of the storage account used for attachments"
required: true
@@ -69,7 +66,6 @@ runs:
CLIENT_ID: ${{ inputs.AZURE_CLIENT_ID }}
TENANT_ID: ${{ inputs.AZURE_TENANT_ID }}
PLATFORM_BASE_URL: ${{ inputs.PLATFORM_BASE_URL }}
- LEGACY_BASE_URL: ${{ inputs.LEGACY_BASE_URL }}
STORAGE_ACCOUNT_NAME: ${{ inputs.STORAGE_ACCOUNT_NAME }}
CORRESPONDENCE_BASE_URL: ${{ inputs.CORRESPONDENCE_BASE_URL }}
DIALOGPORTEN_ISSUER: ${{ inputs.DIALOGPORTEN_ISSUER }}
diff --git a/.github/workflows/ci-cd.yaml b/.github/workflows/ci-cd.yaml
index 7477fea3..2a8a739f 100644
--- a/.github/workflows/ci-cd.yaml
+++ b/.github/workflows/ci-cd.yaml
@@ -75,7 +75,44 @@ jobs:
MASKINPORTEN_CLIENT_ID: ${{ secrets.MASKINPORTEN_CLIENT_ID }}
MASKINPORTEN_JWK: ${{ secrets.MASKINPORTEN_JWK }}
PLATFORM_BASE_URL: ${{ secrets.PLATFORM_BASE_URL }}
- LEGACY_BASE_URL: ${{ secrets.LEGACY_BASE_URL }}
+ PLATFORM_SUBSCRIPTION_KEY: ${{ secrets.PLATFORM_SUBSCRIPTION_KEY }}
+ SLACK_URL: ${{ secrets.SLACK_URL }}
+
+ deploy-at22:
+ name: deploy at22
+ runs-on: ubuntu-latest
+ environment: test
+ if: always() && !failure() && !cancelled()
+ needs: [get-version, publish, test]
+ permissions:
+ id-token: write
+ contents: read
+ packages: write
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Deploy to environment
+ uses: ./.github/actions/deploy-to-environment
+ with:
+ environment: at22
+ imageTag: ${{ needs.get-version.outputs.imageTag }}
+ ACCESS_MANAGEMENT_SUBSCRIPTION_KEY: ${{ secrets.ACCESS_MANAGEMENT_SUBSCRIPTION_KEY }}
+ AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+ AZURE_ENVIRONMENT_KEY_VAULT_NAME: ${{ secrets.AZURE_ENVIRONMENT_KEY_VAULT_NAME }}
+ AZURE_NAME_PREFIX: ${{ secrets.AZURE_NAME_PREFIX }}
+ AZURE_STORAGE_ACCOUNT_NAME: ${{ secrets.AZURE_STORAGE_ACCOUNT_NAME }}
+ AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+ AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+ AZURE_TEST_ACCESS_CLIENT_ID: ${{ secrets.AZURE_TEST_ACCESS_CLIENT_ID }}
+ CORRESPONDENCE_BASE_URL: ${{ secrets.CORRESPONDENCE_BASE_URL }}
+ DIALOGPORTEN_ISSUER: ${{ secrets.DIALOGPORTEN_ISSUER }}
+ IDPORTEN_CLIENT_ID: ${{ secrets.IDPORTEN_CLIENT_ID }}
+ IDPORTEN_CLIENT_SECRET: ${{ secrets.IDPORTEN_CLIENT_SECRET }}
+ IDPORTEN_ISSUER: ${{ secrets.IDPORTEN_ISSUER }}
+ MASKINPORTEN_CLIENT_ID: ${{ secrets.MASKINPORTEN_CLIENT_ID }}
+ MASKINPORTEN_JWK: ${{ secrets.MASKINPORTEN_JWK }}
+ PLATFORM_BASE_URL: ${{ secrets.PLATFORM_BASE_URL }}
PLATFORM_SUBSCRIPTION_KEY: ${{ secrets.PLATFORM_SUBSCRIPTION_KEY }}
SLACK_URL: ${{ secrets.SLACK_URL }}

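Review bot: The new `deploy-at22` job is bound to the GitHub environment `test` (`environment: test`) while passing `environment: at22` to the deploy action, so at22 is deployed with the test environment's `secrets.*` values, its OIDC-federated `AZURE_CLIENT_ID` and its protection rules rather than its own. Because `AZURE_NAME_PREFIX`, `AZURE_ENVIRONMENT_KEY_VAULT_NAME` and `AZURE_STORAGE_ACCOUNT_NAME` are also taken from the test environment, the at22 run may target the same Azure resources as the test deployment unless the composite action derives names from its `environment` input, which is not visible here. If at22 is meant to be a separate target, a dedicated GitHub environment (`environment: at22`) with its own scoped secrets keeps credentials and approvals per environment; if sharing is intentional, a comment on the job, `# at22 deliberately reuses the test environment's secrets and identity`, would save the next reader the question. The job also requests `packages: write`, which the visible steps (checkout plus the deploy action) do not appear to need; `packages: read` or dropping the permission follows least privilege unless the action pushes images.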
@@ -117,7 +154,6 @@ jobs:
MASKINPORTEN_CLIENT_ID: ${{ secrets.MASKINPORTEN_CLIENT_ID }}
MASKINPORTEN_JWK: ${{ secrets.MASKINPORTEN_JWK }}
PLATFORM_BASE_URL: ${{ secrets.PLATFORM_BASE_URL }}
- LEGACY_BASE_URL: ${{ secrets.LEGACY_BASE_URL }}
PLATFORM_SUBSCRIPTION_KEY: ${{ secrets.PLATFORM_SUBSCRIPTION_KEY }}
SLACK_URL: ${{ secrets.SLACK_URL }}

@@ -159,7 +195,6 @@ jobs:
MASKINPORTEN_CLIENT_ID: ${{ secrets.MASKINPORTEN_CLIENT_ID }}
MASKINPORTEN_JWK: ${{ secrets.MASKINPORTEN_JWK }}
PLATFORM_BASE_URL: ${{ secrets.PLATFORM_BASE_URL }}
- LEGACY_BASE_URL: ${{ secrets.PLATFORM_BASE_URL }}
PLATFORM_SUBSCRIPTION_KEY: ${{ secrets.PLATFORM_SUBSCRIPTION_KEY }}
SLACK_URL: ${{ secrets.SLACK_URL }}

diff --git a/.github/workflows/deploy-to-environment.yml b/.github/workflows/deploy-to-environment.yml
index c158a429..f9b14ea5 100644
--- a/.github/workflows/deploy-to-environment.yml
+++ b/.github/workflows/deploy-to-environment.yml
@@ -14,6 +14,7 @@ on:
- test
- staging
- production
+ - at22

jobs:
get-version:
@@ -77,6 +78,5 @@ jobs:
MASKINPORTEN_CLIENT_ID: ${{ secrets.MASKINPORTEN_CLIENT_ID }}
MASKINPORTEN_JWK: ${{ secrets.MASKINPORTEN_JWK }}
PLATFORM_BASE_URL: ${{ secrets.PLATFORM_BASE_URL }}
- LEGACY_BASE_URL: ${{ secrets.LEGACY_BASE_URL }}
PLATFORM_SUBSCRIPTION_KEY: ${{ secrets.PLATFORM_SUBSCRIPTION_KEY }}
SLACK_URL: ${{ secrets.SLACK_URL }}
\ No newline at end of file
diff --git a/.github/workflows/publish-branch.yml b/.github/workflows/publish-branch.yml
index a65f2f6d..8b65b6e0 100644
--- a/.github/workflows/publish-branch.yml
+++ b/.github/workflows/publish-branch.yml
@@ -35,7 +35,6 @@ jobs:
AZURE_ENVIRONMENT_KEY_VAULT_NAME: ${{ secrets.AZURE_ENVIRONMENT_KEY_VAULT_NAME }}
AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
PLATFORM_BASE_URL: ${{ secrets.PLATFORM_BASE_URL }}
- LEGACY_BASE_URL: ${{ secrets.LEGACY_BASE_URL }}
CORRESPONDENCE_BASE_URL: ${{ secrets.CORRESPONDENCE_BASE_URL }}
STORAGE_ACCOUNT_NAME: ${{ secrets.AZURE_STORAGE_ACCOUNT_NAME }}
DIALOGPORTEN_ISSUER: ${{ secrets.DIALOGPORTEN_ISSUER }}
diff --git a/src/Altinn.Correspondence.API/Auth/DependencyInjection.cs b/src/Altinn.Correspondence.API/Auth/DependencyInjection.cs
index c3c0186f..79e8182a 100644
--- a/src/Altinn.Correspondence.API/Auth/DependencyInjection.cs
+++ b/src/Altinn.Correspondence.API/Auth/DependencyInjection.cs
@@ -48,25 +48,6 @@ public static void ConfigureAuthentication(this IServiceCollection services, ICo
OnChallenge = AltinnTokenEventsHelper.OnChallenge
};
})
- .AddJwtBearer(AuthorizationConstants.Legacy, options =>
- {
- options.SaveToken = true;
- options.MetadataAddress = altinnOptions.LegacyOpenIdWellKnown ?? altinnOptions.OpenIdWellKnown;
- options.TokenValidationParameters = new TokenValidationParameters
- {
- ValidateIssuerSigningKey = true,
- ValidateIssuer = true,
- ValidateAudience = false,
- RequireExpirationTime = true,
- ValidateLifetime = !hostEnvironment.IsDevelopment(), // Do not validate lifetime in tests
- ClockSkew = TimeSpan.Zero
- };
- options.Events = new JwtBearerEvents()
- {
- OnAuthenticationFailed = AltinnTokenEventsHelper.OnAuthenticationFailed,
- OnChallenge = AltinnTokenEventsHelper.OnChallenge
- };
- })
.AddJwtBearer(AuthorizationConstants.MaskinportenScheme, options => // To support maskinporten tokens
{
options.SaveToken = true;
@@ -160,7 +141,7 @@ public static void ConfigureAuthorization(this IServiceCollection services, ICon options.AddPolicy(AuthorizationConstants.DownloadAttachmentPolicy, policy => policy.RequireScopeIfAltinn(config, AuthorizationConstants.RecipientScope) .AddAuthenticationSchemes(AuthorizationConstants.AllSchemes)); - options.AddPolicy(AuthorizationConstants.Legacy, policy => policy.AddRequirements(new ScopeAccessRequirement(AuthorizationConstants.LegacyScope)).AddAuthenticationSchemes(AuthorizationConstants.Legacy)); + options.AddPolicy(AuthorizationConstants.Legacy, policy => policy.AddRequirements(new ScopeAccessRequirement(AuthorizationConstants.LegacyScope)).AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)); }); } } diff --git a/src/Altinn.Correspondence.API/Controllers/LegacyCorrespondenceController.cs b/src/Altinn.Correspondence.API/Controllers/LegacyCorrespondenceController.cs index d69f50cb..7b33b191 100644 --- a/src/Altinn.Correspondence.API/Controllers/LegacyCorrespondenceController.cs +++ b/src/Altinn.Correspondence.API/Controllers/LegacyCorrespondenceController.cs @@ -21,7 +21,7 @@ namespace Altinn.Correspondence.API.Controllers [ApiController] [ApiExplorerSettings(IgnoreApi = true)] [Route("correspondence/api/v1/legacy/correspondence")] - [Authorize(Policy = AuthorizationConstants.Legacy, AuthenticationSchemes = AuthorizationConstants.LegacyOrDefaultScheme)] + [Authorize(Policy = AuthorizationConstants.Legacy)] public class LegacyCorrespondenceController : Controller { private readonly ILogger _logger; diff --git a/src/Altinn.Correspondence.Core/Options/AltinnOptions.cs b/src/Altinn.Correspondence.Core/Options/AltinnOptions.cs index d9018244..fc8f8819 100644 --- a/src/Altinn.Correspondence.Core/Options/AltinnOptions.cs +++ b/src/Altinn.Correspondence.Core/Options/AltinnOptions.cs 
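Review bot: With the dedicated Legacy JWT bearer scheme removed, the `AuthorizationConstants.Legacy` policy now authenticates under `JwtBearerDefaults.AuthenticationScheme`, but `AuthorizationConstants.Legacy` is still used as a scheme name elsewhere and `AuthorizationConstants.LegacyOrDefaultScheme` is no longer referenced; the constants file is not in this patch, so please confirm both are cleaned up. In particular, if `AuthorizationConstants.AllSchemes`, used two lines above for `DownloadAttachmentPolicy`, still lists the Legacy scheme, every policy built on it will fail at runtime because no handler is registered for that scheme. Keeping `Legacy` as the policy name is fine, but a comment on the changed line, `// Legacy endpoints accept the platform token; the separate legacy scheme was removed in #539`, would explain why the policy and scheme names no longer match. The same applies to the controller hunk below, where `[Authorize(Policy = AuthorizationConstants.Legacy)]` drops the explicit scheme list. ConfigureAuthorization starts outside the hunk.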
@@ -6,5 +6,4 @@ public class AltinnOptions public string PlatformGatewayUrl { get; set; } = string.Empty; public string PlatformSubscriptionKey { get; set; } = string.Empty; public string AccessManagementSubscriptionKey { get; set; } = string.Empty; - public string LegacyOpenIdWellKnown { get; set; } = string.Empty; } diff --git a/src/Altinn.Correspondence.Integrations/Altinn/Authorization/AltinnAuthorizationService.cs b/src/Altinn.Correspondence.Integrations/Altinn/Authorization/AltinnAuthorizationService.cs index 57fef668..d9948f21 100644 --- a/src/Altinn.Correspondence.Integrations/Altinn/Authorization/AltinnAuthorizationService.cs +++ b/src/Altinn.Correspondence.Integrations/Altinn/Authorization/AltinnAuthorizationService.cs @@ -41,7 +41,7 @@ public AltinnAuthorizationService(HttpClient httpClient, IOptions _logger = logger; } - public Task CheckAccessAsSender(ClaimsPrincipal? user, string resourceId, string sender, string? instance, CancellationToken cancellationToken = default) + public Task CheckAccessAsSender(ClaimsPrincipal? user, string resourceId, string sender, string? instance, CancellationToken cancellationToken = default) => CheckUserAccess( user, resourceId, @@ -49,8 +49,8 @@ public Task CheckAccessAsSender(ClaimsPrincipal? user, string resourceId, instance, new List { ResourceAccessLevel.Write }, cancellationToken); - - public Task CheckAccessAsSender(ClaimsPrincipal? user, CorrespondenceEntity correspondence, CancellationToken cancellationToken = default) => + + public Task CheckAccessAsSender(ClaimsPrincipal? user, CorrespondenceEntity correspondence, CancellationToken cancellationToken = default) => CheckUserAccess( user, correspondence.ResourceId,