Merge branch 'refs/heads/main' into next

# Conflicts: # package.json
pagopa · Jul 19, 2024 · bffd3e7 · bffd3e7
2 parents de60128 + 5f19d47
commit bffd3e7
Show file tree

Hide file tree

Showing 6 changed files with 55 additions and 25 deletions.
diff --git a/.github/workflows/ci_integration_test.yml b/.github/workflows/ci_integration_test.yml
@@ -69,25 +69,18 @@ jobs:
       - name: Run Integration Tests Puppeteer
         shell: bash
         run: |
-          cd ./integration-test
-          yarn install
-          
           
-          if [ "${{ inputs.environment }}" = "local" ]; then
-            export KEY_PEM='${{ secrets.DEV_KEY_PEM }}'
+          export KEY_PEM='${{ secrets.DEV_KEY_PEM }}'
+          if [ "${{ inputs.environment || 'dev' }}" = "local" ]; then
             export FE_URL=https://icy-island-050778e03-${{ github.event.number }}.westeurope.5.azurestaticapps.net/ui
           fi
           
-          if [ "${{ inputs.environment }}" = "dev" ]; then
-            export KEY_PEM='${{ secrets.DEV_KEY_PEM }}'
+          if [ "${{ inputs.environment || 'dev' }}" = "dev" ]; then
             export FE_URL="https://selfcare.dev.platform.pagopa.it/ui"
           fi
-          
-          if [ "${{ inputs.environment }}" = "uat" ]; then
-            export KEY_PEM='${{ secrets.UAT_KEY_PEM }}'
-            export FE_URL="https://selfcare.uat.platform.pagopa.it/ui"
-          fi
-          
+
+          cd ./integration-test
+          yarn install
           yarn run cucumber
       
       - name: Run Integration Tests Playwright
@@ -157,7 +150,7 @@ jobs:
           status: ${{ needs.integration_test.result }}
           token: ${{ secrets.GITHUB_TOKEN }}
           notify_when: 'success,failure,skipped'
-          notification_title: '<{run_url}| Integration Test> has {status_message} in ${{ inputs.environment }}'
+          notification_title: "<{run_url}| Integration Test> has {status_message} in ${{ inputs.environment || 'dev'}}"
           message_format: '{emoji} <{run_url}|{workflow}> {status_message} in <{repo_url}|{repo}>'
           footer: 'Linked to <{workflow_url}| workflow file>'
         env:

diff --git a/.gitignore b/.gitignore
@@ -73,3 +73,4 @@ public/version.json
 /blob-report/
 /playwright/.cache/
 **/key.pem
+**/client_certificate.pfx
diff --git a/.identity/00_data.tf b/.identity/00_data.tf
@@ -54,6 +54,11 @@ data "azurerm_key_vault_secret" "key_vault_key_pem" {
   key_vault_id = data.azurerm_key_vault.domain_key_vault.id
 }
 
+data "azurerm_key_vault_certificate" "certificate_key_pem" {
+  name         = "pagopa-${var.env_short}-weu-selfcare-jwt-signing-cert"
+  key_vault_id = data.azurerm_key_vault.domain_key_vault.id
+}
+
 data "azurerm_cdn_profile" "cdn_profile" {
   name                = local.cdn.name
   resource_group_name = local.cdn.resource_group_name

diff --git a/.identity/03_github_environment.tf b/.identity/03_github_environment.tf
@@ -25,7 +25,7 @@ locals {
     "TENANT_ID" : data.azurerm_client_config.current.tenant_id,
     "SUBSCRIPTION_ID" : data.azurerm_subscription.current.subscription_id,
     "SUBKEY" : data.azurerm_key_vault_secret.key_vault_integration_test_subkey.value,
-    
+
     "REACT_APP_MIXPANEL_TOKEN" : data.azurerm_key_vault_secret.key_vault_mixpanel_token.value
     "REACT_APP_ONETRUST_DOMAIN_ID" : data.azurerm_key_vault_secret.key_vault_onetrust_domain.value
     "BLOB_CONNECTION_STRING" : data.azurerm_key_vault_secret.key_vault_blob_connection_string.value
@@ -45,10 +45,29 @@ locals {
     "SUBKEY" : {
       "key" : "${upper(var.env)}_SUBKEY",
       "value" : data.azurerm_key_vault_secret.key_vault_integration_test_subkey.value
+    },
+    "KEY_PEM" : {
+      "key" : "${upper(var.env)}_KEY_PEM",
+      "value" : var.env == "dev" ? data.external.pem.result.pem : ""
     }
   }
 }
 
+data "external" "pem" {
+  program = [
+    "bash", "download_pem.sh"
+  ]
+  query = {
+    env = var.env_short
+  }
+}
+
+# output "certificate" {
+#   description = "certificate"
+#   value = data.external.pem.result.pem
+# }
+
+
 ###############
 # ENV Secrets #
 ###############
@@ -78,33 +97,24 @@ resource "github_actions_environment_variable" "github_environment_runner_variab
 # Secrets of the Repository #
 #############################
 
-#tfsec:ignore:github-actions-no-plain-text-action-secrets # not real secret
 resource "github_actions_secret" "secret_sonar_token" {
   repository      = local.github.repository
   secret_name     = "SONAR_TOKEN"
   plaintext_value = data.azurerm_key_vault_secret.key_vault_sonar.value
 }
 
-#tfsec:ignore:github-actions-no-plain-text-action-secrets # not real secret
 resource "github_actions_secret" "secret_bot_token" {
   repository      = local.github.repository
   secret_name     = "BOT_TOKEN_GITHUB"
   plaintext_value = data.azurerm_key_vault_secret.key_vault_bot_token.value
 }
 
-#tfsec:ignore:github-actions-no-plain-text-action-secrets # not real secret
 resource "github_actions_secret" "secret_cucumber_token" {
   repository      = local.github.repository
   secret_name     = "CUCUMBER_PUBLISH_TOKEN"
   plaintext_value = data.azurerm_key_vault_secret.key_vault_cucumber_token.value
 }
 
-#tfsec:ignore:github-actions-no-plain-text-action-secrets # not real secret
-resource "github_actions_secret" "secret_key_pem" {
-  repository      = local.github.repository
-  secret_name     = "KEY_PEM"
-  plaintext_value =  var.env == "dev" ? data.azurerm_key_vault_secret.key_vault_key_pem[0].value : ""
-}
 
 resource "github_actions_secret" "special_repo_secrets" {
   for_each        = local.special_repo_secrets

diff --git a/.identity/download_pem.sh b/.identity/download_pem.sh
@@ -0,0 +1,21 @@
+# stackoverflow -> https://stackoverflow.com/questions/65097173/azure-key-vault-download-certificate-with-private-key
+
+eval "$(jq -r '@sh "export $short_env=\(.env)"')"
+
+# Define the passphrase for the PKCS#12 file.
+passphrase=""
+
+pkcs12_file="client_certificate.pfx"
+certificate_name='pagopa-d-weu-selfcare-jwt-signing-cert'
+KeyVaultName='pagopa-d-selfcare-kv'
+
+# Retrieve the client certificate from the Key Vault
+certificate_pfx_base64=$(az keyvault secret show --name ${certificate_name} --vault-name ${KeyVaultName} --query value --output tsv)
+
+echo "$certificate_pfx_base64" | base64 --decode > client_certificate.pfx
+
+# Extract private key and certificates
+openssl pkcs12 -in "$pkcs12_file" -passin "pass:$passphrase" -nocerts -nodes -out key.pem
+
+json='{"pem": '$(cat key.pem | jq -Rsa . )'}'
+echo -n $json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "pagopa-selfcare-backoffice-frontend",
-  "version": "1.27.0-4-next",
+  "version": "1.28.1",
   "homepage": "ui",
   "private": true,
   "scripts": {