Add keycloak and securize super user api paths

Makefile

@@ -20,7 +20,7 @@ init-local-sig:
 	./infra/local/postgis_insert_layers.sh && ./infra/init/geoserver_init_layers.sh
 
 run-back: run-stubbed-apis
-	docker compose up -d --quiet-pull --wait db
+	docker compose up -d --quiet-pull --wait db keycloak
 	cd backend && ./gradlew bootRun --args='--spring.profiles.active=local --spring.config.additional-location=$(INFRA_FOLDER)'
 
 run-back-with-monitorenv: run-monitorenv

backend/src/main/kotlin/fr/gouv/cnsp/monitorfish/infrastructure/api/bff/FleetSegmentController.kt

@@ -35,7 +35,7 @@ class FleetSegmentController(
         }
     }
 
-    @PutMapping(value = [""], consumes = ["application/json"])
+    @PutMapping(value = ["/backoffice"], consumes = ["application/json"])
     @Operation(summary = "Update a fleet segment")
     fun updateFleetSegment(
         @Parameter(description = "Year")
@@ -56,7 +56,7 @@ class FleetSegmentController(
         return FleetSegmentDataOutput.fromFleetSegment(updatedFleetSegment)
     }
 
-    @DeleteMapping(value = [""])
+    @DeleteMapping(value = ["/backoffice"])
     @Operation(summary = "Delete a fleet segment")
     fun deleteFleetSegment(
         @Parameter(description = "Year")
@@ -72,7 +72,7 @@ class FleetSegmentController(
     }
 
     @ResponseStatus(HttpStatus.CREATED)
-    @PostMapping(value = [""])
+    @PostMapping(value = ["/backoffice"])
     @Operation(summary = "Create a fleet segment")
     fun createFleetSegment(
         @RequestBody
@@ -83,7 +83,7 @@ class FleetSegmentController(
         return FleetSegmentDataOutput.fromFleetSegment(createdFleetSegment)
     }
 
-    @GetMapping("/years")
+    @GetMapping("/backoffice/years")
     @Operation(summary = "Get fleet segment year entries")
     fun getFleetSegmentYearEntries(): List<Int> {
         return getFleetSegmentYearEntries.execute()

docker-compose.yml

@@ -46,6 +46,20 @@ services:
     volumes:
       - ./frontend/cypress/mappings:/home/wiremock/mappings
 
+  keycloak:
+    container_name: monitorfish_keycloak
+    image: quay.io/keycloak/keycloak:latest
+    environment:
+      - KEYCLOAK_ADMIN=admin
+      - KEYCLOAK_ADMIN_PASSWORD=admin
+    ports:
+      - "8085:8080"
+    volumes:
+      - ./infra/dev/keycloak:/opt/keycloak/data/import
+    command:
+      - start-dev
+      - --import-realm
+
 volumes:
   geoserver-data:
     driver: local

frontend/.env.example

@@ -28,6 +28,7 @@ FRONTEND_OIDC_AUTHORITY=
 FRONTEND_OIDC_CLIENT_ID=
 FRONTEND_OIDC_ENABLED=
 FRONTEND_OIDC_REDIRECT_URI=
+FRONTEND_OIDC_LOGOUT_REDIRECT_URI=
 
 ################################################################################
 # Sentry

frontend/.env.local.defaults

@@ -24,10 +24,11 @@ FRONTEND_MONITORENV_URL=//localhost:8081
 ################################################################################
 # OICD
 
-FRONTEND_OIDC_AUTHORITY=https://authentification.recette.din.developpement-durable.gouv.fr/authSAML/oidc/monitorfish
+FRONTEND_OIDC_AUTHORITY=http://localhost:8085/realms/monitor
 FRONTEND_OIDC_CLIENT_ID=monitorfish
-FRONTEND_OIDC_ENABLED=false
-FRONTEND_OIDC_REDIRECT_URI=https://monitorfish.din.developpement-durable.gouv.fr
+FRONTEND_OIDC_ENABLED=true
+FRONTEND_OIDC_REDIRECT_URI=http://localhost:3000
+FRONTEND_OIDC_LOGOUT_REDIRECT_URI=http://localhost:3000
 
 ################################################################################
 # Sentry

frontend/src/auth/getOIDCConfig.ts

@@ -6,6 +6,7 @@ const IS_CYPRESS = isCypress()
 export function getOIDCConfig() {
   const IS_OIDC_ENABLED = import.meta.env.FRONTEND_OIDC_ENABLED === 'true'
   const OIDC_REDIRECT_URI = import.meta.env.FRONTEND_OIDC_REDIRECT_URI
+  const OIDC_LOGOUT_REDIRECT_URI = import.meta.env.FRONTEND_OIDC_LOGOUT_REDIRECT_URI
   const OIDC_AUTHORITY = import.meta.env.FRONTEND_OIDC_AUTHORITY
   const OIDC_CLIENT_ID = import.meta.env.FRONTEND_OIDC_CLIENT_ID
 
@@ -21,7 +22,7 @@ export function getOIDCConfig() {
     authority: String(OIDC_AUTHORITY),
     client_id: String(OIDC_CLIENT_ID),
     onSigninCallback,
-    post_logout_redirect_uri: 'https://www.mer.gouv.fr',
+    post_logout_redirect_uri: String(OIDC_LOGOUT_REDIRECT_URI),
     redirect_uri: String(OIDC_REDIRECT_URI),
     scope: 'openid email',
     userStore: new WebStorageStateStore({ store: window.localStorage })

frontend/src/env.d.ts

@@ -13,6 +13,7 @@ interface ImportMetaEnv {
   readonly FRONTEND_OIDC_CLIENT_ID: string
   readonly FRONTEND_OIDC_ENABLED: string
   readonly FRONTEND_OIDC_REDIRECT_URI: string
+  readonly FRONTEND_OIDC_LOGOUT_REDIRECT_URI: string
   readonly FRONTEND_PRIOR_NOTIFICATION_LIST_ENABLED: string
   readonly FRONTEND_SENTRY_DSN?: string
   readonly FRONTEND_SENTRY_ENV?: string

frontend/src/features/FleetSegment/apis.ts

@@ -53,7 +53,7 @@ async function updateFleetSegmentFromAPI(
 ): Promise<FleetSegment> {
   try {
     return await monitorfishApiKy
-      .put(`/bff/v1/fleet_segments?year=${year}&segment=${segment}`, {
+      .put(`/bff/v1/fleet_segments/backoffice?year=${year}&segment=${segment}`, {
         json: updatedFields
       })
       .json<FleetSegment>()
@@ -70,7 +70,7 @@ async function updateFleetSegmentFromAPI(
 async function deleteFleetSegmentFromAPI(segment: string, year: number): Promise<FleetSegment[]> {
   try {
     return await monitorfishApiKy
-      .delete(`/bff/v1/fleet_segments?year=${year}&segment=${segment}`)
+      .delete(`/bff/v1/fleet_segments/backoffice?year=${year}&segment=${segment}`)
       .json<FleetSegment[]>()
   } catch (err) {
     throw new ApiError(DELETE_FLEET_SEGMENT_ERROR_MESSAGE, err)
@@ -85,7 +85,7 @@ async function deleteFleetSegmentFromAPI(segment: string, year: number): Promise
 async function createFleetSegmentFromAPI(segmentFields: UpdateFleetSegment): Promise<FleetSegment> {
   try {
     return await monitorfishApiKy
-      .post('/bff/v1/fleet_segments', {
+      .post('/bff/v1/fleet_segments/backoffice', {
         json: segmentFields
       })
       .json<FleetSegment>()
@@ -101,7 +101,7 @@ async function createFleetSegmentFromAPI(segmentFields: UpdateFleetSegment): Pro
  */
 async function addFleetSegmentYearFromAPI(nextYear: number) {
   try {
-    return await monitorfishApiKy.post(`/bff/v1/fleet_segments/${nextYear}`)
+    return await monitorfishApiKy.post(`/bff/v1/fleet_segments/${nextYear}/backoffice`)
   } catch (err) {
     throw new ApiError(ADD_FLEET_SEGMENT_YEAR_ERROR_MESSAGE, err)
   }
@@ -114,7 +114,7 @@ async function addFleetSegmentYearFromAPI(nextYear: number) {
  */
 async function getFleetSegmentYearEntriesFromAPI(): Promise<number[]> {
   try {
-    return await monitorfishApiKy.get('/bff/v1/fleet_segments/years').json<number[]>()
+    return await monitorfishApiKy.get('/bff/v1/fleet_segments/backoffice/years').json<number[]>()
   } catch (err) {
     throw new ApiError(GET_FLEET_SEGMENT_YEAR_ENTRIES_ERROR_MESSAGE, err)
   }

frontend/src/domain/use_cases/vessel/getFleetSegments.ts → frontend/src/features/FleetSegment/useCases/computeFleetSegments.ts

@@ -3,7 +3,7 @@ import { fleetSegmentApi } from '@features/FleetSegment/apis'
 import type { FleetSegment } from '@features/FleetSegment/types'
 import type { MissionActionFormValues } from '@features/Mission/components/MissionForm/types'
 
-export const getFleetSegments =
+export const computeFleetSegments =
   (
     faoAreas: string[] | undefined,
     gearOnBoard: MissionActionFormValues['gearOnboard'],

frontend/src/features/Mission/components/MissionForm/useCases/updateActionSegments.ts

@@ -1,6 +1,6 @@
 import { MissionAction } from '@features/Mission/missionAction.types'
 
-import { getFleetSegments } from '../../../../../domain/use_cases/vessel/getFleetSegments'
+import { computeFleetSegments } from '../../../../FleetSegment/useCases/computeFleetSegments'
 
 import type { MissionActionFormValues } from '@features/Mission/components/MissionForm/types'
 import type { Option } from '@mtes-mct/monitor-ui'
@@ -17,7 +17,7 @@ export const updateActionSegments =
     }
 
     const computedFleetSegments = await dispatch(
-      getFleetSegments(missionAction.faoAreas, missionAction.gearOnboard, missionAction.speciesOnboard)
+      computeFleetSegments(missionAction.faoAreas, missionAction.gearOnboard, missionAction.speciesOnboard)
     )
 
     const nextFleetSegments = fleetSegmentsAsOptions

infra/configurations/application-dev.properties

@@ -16,7 +16,7 @@ monitorfish.oidc.userinfo-endpoint=/api/user
 
 monitorfish.api.protected.paths=/bff/*,/light/v1/vessels/*
 # Super-user paths of type /** are not supported
-monitorfish.api.protected.super-user-paths=/bff/v1/beacon_malfunctions,/bff/v1/missions,/bff/v1/operational_alerts,/bff/v1/reportings,/bff/v1/vessels/risk_factors
+monitorfish.api.protected.super-user-paths=/bff/v1/beacon_malfunctions,/bff/v1/missions,/bff/v1/operational_alerts,/bff/v1/reportings,/bff/v1/vessels/risk_factors,/bff/v1/control_objectives,/bff/v1/fleet_segments/backoffice,/bff/v1/fleet_segments/compute
 monitorfish.api.protected.public-paths=/api/v1/authorization/management/*,/api/v1/beacon_malfunctions/*,/api/v1/mission_actions/*
 
 ###################

infra/configurations/application-local.properties

@@ -15,12 +15,12 @@ monitorfish.sentry.enabled=false
 sentry.dsn=
 
 monitorfish.oidc.enabled=false
-monitorfish.oidc.issuer-uri=https://authentification.recette.din.developpement-durable.gouv.fr/authSAML/oidc/monitorfish
-monitorfish.oidc.userinfo-endpoint=/api/user
+monitorfish.oidc.issuer-uri=http://localhost:8085/realms/monitor
+monitorfish.oidc.userinfo-endpoint=/protocol/openid-connect/userinfo
 
 monitorfish.api.protected.paths=/bff/*,/light/v1/vessels/*
 # Super-user paths of type /** are not supported
-monitorfish.api.protected.super-user-paths=/bff/v1/beacon_malfunctions,/bff/v1/missions,/bff/v1/operational_alerts,/bff/v1/reportings,/bff/v1/vessels/risk_factors
+monitorfish.api.protected.super-user-paths=/bff/v1/beacon_malfunctions,/bff/v1/missions,/bff/v1/operational_alerts,/bff/v1/reportings,/bff/v1/vessels/risk_factors,/bff/v1/control_objectives,/bff/v1/fleet_segments/backoffice,/bff/v1/fleet_segments/compute
 monitorfish.api.protected.public-paths=/api/v1/authorization/management/*,/api/v1/beacon_malfunctions/*,/api/v1/mission_actions/*
 monitorfish.api.protected.api-key=DUMMY-API-KEY
 

infra/configurations/application-prod.properties

@@ -16,7 +16,7 @@ monitorfish.oidc.userinfo-endpoint=/api/user
 
 monitorfish.api.protected.paths=/bff/*,/light/v1/vessels/*
 # Super-user paths of type /** are not supported
-monitorfish.api.protected.super-user-paths=/bff/v1/beacon_malfunctions,/bff/v1/missions,/bff/v1/operational_alerts,/bff/v1/reportings,/bff/v1/vessels/risk_factors
+monitorfish.api.protected.super-user-paths=/bff/v1/beacon_malfunctions,/bff/v1/missions,/bff/v1/operational_alerts,/bff/v1/reportings,/bff/v1/vessels/risk_factors,/bff/v1/control_objectives,/bff/v1/fleet_segments/backoffice,/bff/v1/fleet_segments/compute
 monitorfish.api.protected.public-paths=/api/v1/authorization/management/*,/api/v1/beacon_malfunctions/*,/api/v1/mission_actions/*
 
 ###################

infra/dev/keycloak/realm-monitor-dev.json

@@ -0,0 +1,50 @@
+{
+  "realm": "monitor",
+  "enabled": true,
+  "clients": [
+    {
+      "clientId": "monitorfish",
+      "enabled": true,
+      "protocol": "openid-connect",
+      "redirectUris": [
+        "http://localhost:3000/*"
+      ],
+      "webOrigins": [
+        "http://localhost:3000"
+      ],
+      "publicClient": true
+    }
+  ],
+  "users": [
+    {
+      "username": "user",
+      "email": "another@email.com",
+      "firstName": "User",
+      "lastName": "Fish",
+      "enabled": true,
+      "emailVerified": true,
+      "credentials": [
+        {
+          "type": "password",
+          "value": "fish",
+          "temporary": false
+        }
+      ]
+    },
+    {
+      "username": "superuser",
+      "email": "dummy@email.gouv.fr",
+      "firstName": "SuperUser",
+      "lastName": "Fish",
+      "enabled": true,
+      "emailVerified": true,
+      "credentials": [
+        {
+          "type": "password",
+          "value": "fish",
+          "temporary": false
+        }
+      ]
+    }
+  ]
+}

infra/docker/docker-compose.cypress.yml

@@ -42,6 +42,7 @@ services:
       - FRONTEND_OIDC_CLIENT_ID=monitorfish
       - FRONTEND_OIDC_ENABLED=false
       - FRONTEND_OIDC_REDIRECT_URI=https://monitorfish.din.developpement-durable.gouv.fr
+      - FRONTEND_OIDC_LOGOUT_REDIRECT_URI=https://monitorfish.din.developpement-durable.gouv.fr
       - FRONTEND_MONITORFISH_VERSION=
       - FRONTEND_SENTRY_DSN=https://a5f3272efa794bb9ada2ffea90f2fec5@sentry.incubateur.net/8
       - FRONTEND_SENTRY_TRACING_ORIGINS=

infra/docker/docker-compose.puppeteer.yml

@@ -58,6 +58,7 @@ services:
       - FRONTEND_OIDC_CLIENT_ID=monitorfish
       - FRONTEND_OIDC_ENABLED=false
       - FRONTEND_OIDC_REDIRECT_URI=https://monitorfish.din.developpement-durable.gouv.fr
+      - FRONTEND_OIDC_LOGOUT_REDIRECT_URI=https://monitorfish.din.developpement-durable.gouv.fr
       - FRONTEND_MONITORFISH_VERSION=
       - FRONTEND_SENTRY_DSN=https://a5f3272efa794bb9ada2ffea90f2fec5@sentry.incubateur.net/8
       - FRONTEND_SENTRY_TRACING_ORIGINS=

infra/remote/docker-compose.yml

@@ -35,6 +35,7 @@ services:
       - MONITORFISH_OIDC_ENABLED=$MONITORFISH_OIDC_ENABLED
       - MONITORFISH_OIDC_ISSUER_URI=$MONITORFISH_OIDC_AUTHORITY
       - FRONTEND_OIDC_REDIRECT_URI=$MONITORFISH_OIDC_REDIRECT_URI
+      - FRONTEND_OIDC_LOGOUT_REDIRECT_URI=$MONITORFISH_OIDC_LOGOUT_REDIRECT_URI
       - FRONTEND_OIDC_AUTHORITY=$MONITORFISH_OIDC_AUTHORITY
       - FRONTEND_OIDC_CLIENT_ID=$MONITORFISH_OIDC_CLIENT
       - MONITORFISH_API_PROTECTED_API_KEY=$MONITORFISH_API_PROTECTED_API_KEY