Merge branch 'main' into SPSH-1176

.github/workflows/chart-release-manual.yml

@@ -30,4 +30,5 @@ jobs:
       helm_chart_version_generation: specified 
       image_tag_generation: specified 
       helm_chart_version: ${{ inputs.chart_version }}
-      image_tag: ${{ inputs.image_tag }}
+      image_tag: ${{ inputs.image_tag }}
+      helm_repo_list: "bitnami,https://charts.bitnami.com/bitnami"

.github/workflows/create-release.yml

@@ -34,14 +34,14 @@ jobs:
     uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-nest-test-sonarcloud.yaml@5
     with:
       node_version: '18'
-      timeout_minutes: 15
+      timeout_minutes: 20
     permissions:
       contents: read
     secrets: inherit
 
   release_image:
     name: "Publish image and scan with trivy"
-    needs: 
+    needs:
      - codeql_analyze
      - nest_lint
      - tests_and_sonarcloud
@@ -57,7 +57,7 @@ jobs:
       container_registry: "ghcr.io"
       fail_on_vulnerabilites: false
       report_location: "Dockerfile"
-  
+
   # Helm Chart
   scan_helm:
     uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-helm-kics.yaml@5
@@ -70,7 +70,8 @@ jobs:
     secrets: inherit
     with:
       chart_name: "dbildungs-iam-server"
-      helm_chart_version_generation: specified 
-      image_tag_generation: specified 
+      helm_chart_version_generation: specified
+      image_tag_generation: specified
       helm_chart_version: "${{ github.ref_name }}"
-      image_tag: "${{ github.ref_name }}"
+      image_tag: "${{ github.ref_name }}"
+      helm_repo_list: "bitnami,https://charts.bitnami.com/bitnami"

.github/workflows/image-and-helm-publish-check-deploy-on-push-scheduled.yml

@@ -41,18 +41,14 @@ jobs:
     with:
       node_version: '18'
       deploy_stage: 'dev'
-      timeout_minutes: 15
+      timeout_minutes: 20
     permissions:
       contents: read
     secrets: inherit
 
   build_image_on_push:
     name: "Publish image and scan with trivy"
     if: ${{ github.event_name == 'push' }}
-    needs:
-      - codeql_analyze
-      - nest_lint
-      - tests_and_sonarcloud
     permissions:
       packages: write
       security-events: write
@@ -67,18 +63,6 @@ jobs:
       fail_on_vulnerabilites: false
       report_location: "Dockerfile"
 
-  scheduled_trivy_scan:
-    name: "Scheduled trivy scan of latest image"
-    if: ${{ github.event_name == 'schedule' }}
-    permissions:
-      packages: read
-      security-events: write
-    uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-trivy.yaml@7
-    with:
-      image_ref: 'ghcr.io/${{ github.repository_owner }}/dbildungs-iam-server:latest'
-      fail_on_vulnerabilites: false
-      report_location: "Dockerfile"
-
   scan_helm:
     if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }}
     uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-helm-kics.yaml@5
@@ -87,8 +71,6 @@ jobs:
 
   select_helm_version_generation_and_image_tag_generation:
     if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }}
-    needs:
-      - scan_helm
     runs-on: ubuntu-latest
     outputs:
       SELECT_HELM_VERION_GENERATION: ${{ steps.select_generation.outputs.SELECT_HELM_VERION_GENERATION }}
@@ -104,6 +86,7 @@ jobs:
             echo "SELECT_HELM_VERION_GENERATION=ticket_from_branch_timestamp" >> "$GITHUB_OUTPUT"
             echo "SELECT_IMAGE_TAG_GENERATION=ticket_from_branch" >> "$GITHUB_OUTPUT"
           fi
+
   release_helm:
     if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }}
     needs:
@@ -115,6 +98,14 @@ jobs:
       helm_chart_version_generation: ${{ needs. select_helm_version_generation_and_image_tag_generation.outputs.SELECT_HELM_VERION_GENERATION  }}
       image_tag_generation: ${{ needs. select_helm_version_generation_and_image_tag_generation.outputs.SELECT_IMAGE_TAG_GENERATION  }}
 
+  wait_for_helm_chart_to_get_published:
+    needs:
+      - release_helm
+    runs-on: ubuntu-latest
+    steps:
+      - shell: bash
+        run: sleep 1m 
+
   branch_meta:
     if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }}
     uses: dBildungsplattform/spsh-app-deploy/.github/workflows/get-branch-meta.yml@3
@@ -126,13 +117,13 @@ jobs:
     uses: dBildungsplattform/spsh-app-deploy/.github/workflows/deploy-branch-to-namespace.yml@3
     with:
       branch: ${{ needs.branch_meta.outputs.branch }}
-
+  
   deploy:
     if: ${{ github.event_name == 'push' && !startsWith(github.ref_name,'dependabot/') }}
     needs:
       - branch_meta
       - create_branch_identifier
-      - release_helm
+      - wait_for_helm_chart_to_get_published
       - build_image_on_push
     uses: dBildungsplattform/spsh-app-deploy/.github/workflows/deploy.yml@5
     with:
@@ -143,6 +134,7 @@ jobs:
       namespace: ${{ needs.create_branch_identifier.outputs.namespace_from_branch }}
     secrets: inherit
 
+  # On Delete
   create_branch_identifier_for_deletion:
     if: ${{ github.event_name == 'delete' && github.event.ref_type == 'branch' }}
     uses: dBildungsplattform/spsh-app-deploy/.github/workflows/deploy-branch-to-namespace.yml@3
@@ -167,3 +159,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - run: echo "Deletion workflow of namespace" ${{ needs.create_branch_identifier_for_deletion.outputs.namespace_from_branch }} "done"
+
+  # Scheduled
+  scheduled_trivy_scan:
+    name: "Scheduled trivy scan of latest image"
+    if: ${{ github.event_name == 'schedule' }}
+    permissions:
+      packages: read
+      security-events: write
+    uses: dBildungsplattform/dbp-github-workflows/.github/workflows/check-trivy.yaml@7
+    with:
+      image_ref: 'ghcr.io/${{ github.repository_owner }}/dbildungs-iam-server:latest'
+      fail_on_vulnerabilites: false
+      report_location: "Dockerfile"

.gitignore

@@ -144,3 +144,4 @@ dist
 .vscode/settings.json
 
 mariadb/
+test/secrets.test.json

charts/dbildungs-iam-server/Chart.yaml

@@ -3,4 +3,4 @@ name: dbildungs-iam-server
 version: 0.2.0
 description: dBildungs-IAM-server
 type: application
-appVersion: ""
+appVersion: ""

charts/dbildungs-iam-server/config/config.json

@@ -1,79 +1,93 @@
 {
-    "HOST": {
-        "PORT": 8080
-    },
-    "FRONTEND": {
-        "PORT": 8080,
-        "SECURE_COOKIE": true,
-        "SESSION_SECRET": "SessionSecretForDevelopment",
-        "SESSION_TTL_MS": 3600000,
-        "BACKEND_ADDRESS": "http://dbildungs-iam-server-backend:80",
-        "DEFAULT_AUTH_REDIRECT": "/",
-        "TRUST_PROXY": 1,
-        "ERROR_PAGE_REDIRECT": "/login-error"
-    },
-    "DB": {
-        "USE_SSL": true
-    },
-    "KEYCLOAK": {
-        "ADMIN_REALM_NAME": "SPSH",
-        "REALM_NAME": "SPSH",
-        "ADMIN_CLIENT_ID": "spsh-admin",
-        "CLIENT_ID": "spsh",
-        "TEST_CLIENT_ID": "spsh-test",
-        "SERVICE_CLIENT_ID": "spsh-service"
-    },
-    "REDIS": {
-        "HOST": "dbildungs-iam-server-redis",
-        "PORT": 6379,
-        "USERNAME": "default",
-        "USE_TLS": false
-    },
-    "LDAP": {
-        "URL": "ldap://spsh-xxx.svc.cluster.local",
-        "BIND_DN": "cn=admin,dc=schule-sh,dc=de",
-        "ADMIN_PASSWORD": "password"
-    },
-    "DATA": {
-        "ROOT_ORGANISATION_ID": "d39cb7cf-2f9b-45f1-849f-973661f2f057"
-    },
-    "LOGGING": {
-        "DEFAULT_LOG_LEVEL": "info",
-        "PERSON_MODULE_LOG_LEVEL": "debug",
-        "PERSON_API_MODULE_LOG_LEVEL": "debug",
-        "ORGANISATION_MODULE_LOG_LEVEL": "debug",
-        "ORGANISATION_API_MODULE_LOG_LEVEL": "debug",
-        "ROLLE_MODULE_LOG_LEVEL": "debug",
-        "ROLLE_API_MODULE_LOG_LEVEL": "debug",
-        "KEYCLOAK_ADMINISTRATION_MODULE_LOG_LEVEL": "debug",
-        "HEALTH_MODULE_LOG_LEVEL": "debug",
-        "BACKEND_FOR_FRONTEND_MODULE_LOG_LEVEL": "debug"
-    },
-    "ITSLEARNING": {
-        "ENABLED": "false",
-        "ENDPOINT": "https://itslearning.example.com",
-        "USERNAME": "username",
-        "PASSWORD": "password",
-        "ROOT": "sh",
-        "ROOT_OEFFENTLICH": "oeffentlich",
-        "ROOT_ERSATZ": "ersatz"
-    },
-    "OX": {
-        "ENABLED": "false",
-        "ENDPOINT": "https://ox_ip:ox_port/webservices/OXUserService",
-        "CONTEXT_ID": "1337",
-        "CONTEXT_NAME": "contextname",
-        "USERNAME": "username",
-        "PASSWORD": "password"
-    },
-    "PRIVACYIDEA": {
-        "ENDPOINT": "http://localhost:5000",
-        "USERNAME": "admin",
-        "PASSWORD": "admin",
-        "USER_RESOLVER": "mariadb_resolver",
-        "REALM": "defrealm"
-    },
-    "IMPORT": {
-        "IMPORT_FILE_MAXGROESSE_IN_MB": 10
-    }
+  "HOST": {
+    "PORT": 8080
+  },
+  "FRONTEND": {
+    "PORT": 8080,
+    "SECURE_COOKIE": true,
+    "SESSION_SECRET": "SessionSecretForDevelopment",
+    "SESSION_TTL_MS": 3600000,
+    "BACKEND_ADDRESS": "http://dbildungs-iam-server-backend:80",
+    "DEFAULT_AUTH_REDIRECT": "/",
+    "TRUST_PROXY": 1,
+    "ERROR_PAGE_REDIRECT": "/login-error"
+  },
+  "DB": {
+    "USE_SSL": true
+  },
+  "KEYCLOAK": {
+    "ADMIN_REALM_NAME": "SPSH",
+    "REALM_NAME": "SPSH",
+    "ADMIN_CLIENT_ID": "spsh-admin",
+    "CLIENT_ID": "spsh",
+    "TEST_CLIENT_ID": "spsh-test",
+    "SERVICE_CLIENT_ID": "spsh-service"
+  },
+  "REDIS": {
+    "HOST": "dbildungs-iam-redis-master.spsh.svc.cluster.local",
+    "PORT": 6379,
+    "USERNAME": "default",
+    "PASSWORD": "",
+    "USE_TLS": false
+  },
+  "LDAP": {
+    "URL": "ldap://spsh-xxx.svc.cluster.local",
+    "BIND_DN": "cn=admin,dc=schule-sh,dc=de",
+    "ADMIN_PASSWORD": "password"
+  },
+  "DATA": {
+    "ROOT_ORGANISATION_ID": "d39cb7cf-2f9b-45f1-849f-973661f2f057"
+  },
+  "LOGGING": {
+    "DEFAULT_LOG_LEVEL": "info",
+    "PERSON_MODULE_LOG_LEVEL": "debug",
+    "PERSON_API_MODULE_LOG_LEVEL": "debug",
+    "ORGANISATION_MODULE_LOG_LEVEL": "debug",
+    "ORGANISATION_API_MODULE_LOG_LEVEL": "debug",
+    "ROLLE_MODULE_LOG_LEVEL": "debug",
+    "ROLLE_API_MODULE_LOG_LEVEL": "debug",
+    "KEYCLOAK_ADMINISTRATION_MODULE_LOG_LEVEL": "debug",
+    "HEALTH_MODULE_LOG_LEVEL": "debug",
+    "BACKEND_FOR_FRONTEND_MODULE_LOG_LEVEL": "debug"
+  },
+  "ITSLEARNING": {
+    "ENABLED": false,
+    "ENDPOINT": "https://itslearning.example.com",
+    "USERNAME": "username",
+    "PASSWORD": "password",
+    "ROOT": "sh",
+    "ROOT_OEFFENTLICH": "oeffentlich",
+    "ROOT_ERSATZ": "ersatz"
+  },
+  "OX": {
+    "ENABLED": false,
+    "ENDPOINT": "https://ox_ip:ox_port/webservices/OXUserService",
+    "CONTEXT_ID": "1337",
+    "CONTEXT_NAME": "contextname",
+    "USERNAME": "username",
+    "PASSWORD": "password"
+  },
+  "PRIVACYIDEA": {
+    "ENDPOINT": "http://localhost:5000",
+    "USERNAME": "admin",
+    "PASSWORD": "admin",
+    "USER_RESOLVER": "mariadb_resolver",
+    "REALM": "defrealm"
+  },
+  "IMPORT": {
+    "IMPORT_FILE_MAXGROESSE_IN_MB": 10
+  },
+  "SYSTEM": {
+    "RENAME_WAITING_TIME_IN_SECONDS": 3,
+    "STEP_UP_TIMEOUT_ENABLED": "true",
+    "STEP_UP_TIMEOUT_IN_SECONDS": 10
+  },
+  "VIDIS": {
+      "BASE_URL": "https://service-stage.vidis.schule",
+      "USERNAME": "",
+      "PASSWORD": "",
+      "REGION_NAME": "test-region",
+      "KEYCLOAK_GROUP": "VIDIS-service",
+      "KEYCLOAK_ROLE": "VIDIS-user"
+  }
 }

charts/dbildungs-iam-server/config/secrets.json

@@ -5,4 +5,4 @@
     "REDIS": {
         "PASSWORD": "password"
     }
-}
+}

charts/dbildungs-iam-server/cron/Dockerfile

@@ -0,0 +1,25 @@
+FROM alpine:3.19
+
+ENV LOG_FILE_PATH=/var/log/cron.log
+
+# Install necessary packages
+RUN apk update && \
+    apk add --no-cache bash cronie jq openssl vim wget
+
+# Create a new user and group
+RUN addgroup -S appgroup && adduser -S appuser -G appgroup
+
+# Copy scripts into the image
+COPY scripts/ /scripts/
+
+# Set execute permissions for all .sh scripts in /scripts/ and create a log file
+RUN chmod +x /scripts/*.sh \
+    && touch /var/log/cron.log \
+    && chmod 644 /var/log/cron.log \
+    && chown -R appuser:appgroup /scripts /var/log/cron.log
+
+# Switch to the new user
+USER appuser
+
+# Start the cron service in foreground
+CMD ["/usr/sbin/crond", "-f"]

charts/dbildungs-iam-server/cron/keys/dummy_jwks.json

@@ -0,0 +1,15 @@
+{
+    "keys": [
+        {
+            "kty": "RSA",
+            "n": "23mzd3v4YjgWMzO7XYYwD92NqCm436ErU1-NPTVok9aaVXx5mjZKfh_Xoyp5BEgjQU042MKOhl1Ri17HfOOf6k4cpBpvBQhENp0yfNPv_-kSy4OgdA3qk9-kZyvuRX1-0LKvJMwlrCLCLEfiv_yn8YQLpQeqgdIj1AlX37fcnSxxL3qukM_-Hm8dCB2mbUzANT_uRkSCHFQWVDxcbocKAmhr0808CmpiINWEIVv7AhS_HVSliaeB-iteAKN3W9Am3tCtGZaWKUlioKueQux7OTKxHm5fM-jZ9ZPnb7_RQlOGV9vu-TTMO8pKYkqn15LcnYuBKKHmFEBO8vRxI9_8Lw",
+            "e": "AQAB",
+            "d": "CdcSByhlbC9BkjgejW89FmkDjJJE-gR63HkV7F70T7SOejNjga4vdtTXUTclR94yyR8SORMNWtQyRMJnb_UGBXZNGG_K9yR2EntyeQrzjBDCHqJ0fjTlheMVYZQkUbSdC_RcSpUQl1V-STKhOvmz-e3Gq-Evxt70wPFOTEyCYAA5zTSgF7vwoxtKChfOb3NvkLUmD4JrBEb0vzapTgVvoyB158glUGEibpHBaVvVnA98qEI5hqJE2jhhtaoGyvErIkWDOummb1WPN2D0Nqsvr-sfwH3mxKFLDogHIfjMLxDaP9Y3I7Wwie9pbpsg6zK66s6EB27hkZnbRLlwaK4ImQ",
+            "p": "_KCzohdV8BpnvfDxyL-Zjj8paJB5RBLkewf7xl-sqLHykjn-_nR1OGfEr8Gc0zwYD6FtTAJ9JN-h730vBacUVZDrgnKOW0NbQPIwNXCSisyChhbkSVXLBi94r_-t92ieJ8wPbchynF6Z1UyH0m4rieKnAPcxuio9iLuXdQrRNEs",
+            "q": "3me1bHQ_GO5mPKwUf-kSZDguninq98ERMOAYdr__yUM1fc8QJ_3FSkZsSFr91Fi5kPvP9gthPRYhlfKeix61ibypLnLpyx6A298VIdG8VFjPrXzlme5CGSPYN9-YRSQq31e-xSdkn3lKiJlqPZzlRARyHveJlSWu07LuS91AgS0",
+            "dp": "--U1GEOSchWyKaeNPrElaLu8C0I7WFBKOA7u0o9ldtPwXjOr-Yaftz1o1iMEv29lQnigpbC5ncHLEyRMdaNyWBtnaSvWnFNeMzUKMs7rn7Bp2VAMEr-T77f36-3SRiavxFjpbXr4JMkDNLbZm0405Yj1IrZYhBtIPgVm8NJ3ZV8",
+            "dq": "ofqgbKvBZLQEq_2cNIiYh3tPoIvhAK6Riao8xwgREBEt_UH4f1fY_76IkK4MnkI8bHapwIYLPQVIUsBQbfxgtT89bIHu-qttqDUyW944Lqo8HxuO0WxwoYS0rgTgDsNHokByxX5qT6dz_EbX1KXXaJFgWGNqxcCbMr3nxkMO_sU",
+            "qi": "r8ZslmjXzZJUv6IoN6nUT12UpzmhbriRXxjTcLNSwZBuSXz8QV_7F8ViNyEcot20aDo35t8IssLnDD9nxDAGTCL68FkXTJaAsUE2beGfkX9Sz5r_Gzlcer_Gjhl5aNHeZYgIMsYciPhM4laBzKD3d51xQuDFMMX1RQUvyDHDIog"
+        }
+    ]
+}