Set up AT env (#539)
* support other envs

* use platform base url in prod

* fix base_url

* add at env, remove legacyOpenId

* remove unused code

---------

Co-authored-by: Hammerbeck <[email protected]>
2 people authored and Ceredron committed Dec 5, 2024
1 parent 3900190 commit 8873dc4
Showing 13 changed files with 55 additions and 48 deletions.
6 changes: 2 additions & 4 deletions .azure/applications/api/main.bicep
Expand Up @@ -8,7 +8,6 @@ param environment string
param location string
@minLength(3)
param platform_base_url string
param legacy_base_url string
@secure()
@minLength(3)
param sourceKeyVaultName string
Expand Down Expand Up @@ -42,12 +41,12 @@ module appIdentity '../../modules/identity/create.bicep' = {
}
}

module addContributorAccess '../../modules/identity/addContributorAccess.bicep' = {
/*module addContributorAccess '../../modules/identity/addContributorAccess.bicep' = {
name: 'appDeployToAzureAccess'
params: {
userAssignedIdentityPrincipalId: appIdentity.outputs.principalId
}
}
}*/

module keyVaultReaderAccessPolicyUserIdentity '../../modules/keyvault/addReaderRoles.bicep' = {
name: 'kvreader-${namePrefix}-app'
Expand Down Expand Up @@ -90,7 +89,6 @@ module containerApp '../../modules/containerApp/main.bicep' = {
subscription_id: subscription().subscriptionId
principal_id: appIdentity.outputs.id
platform_base_url: platform_base_url
legacy_base_url: legacy_base_url
keyVaultUrl: keyVaultUrl
userIdentityClientId: appIdentity.outputs.clientId
containerAppEnvId: keyvault.getSecret('container-app-env-id')
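Review bot: The `addContributorAccess` module in the second hunk is wrapped in `/* ... */` instead of being deleted, which leaves a dead block that every later reader has to re-evaluate; git history already preserves it, so deleting it outright, or keeping a single line such as `// Contributor role assignment for the app identity removed on purpose: <reason placeholder>`, would be clearer. Which side of the pair is the new one is inferred from the commit description ("remove unused code"), since the rendered page drops the +/- markers. If the module did grant the app identity Contributor on the resource group, dropping it narrows that identity's permissions, which is the right direction, but the reason is recorded nowhere in the commit, and a reviewer six months from now will not know whether the block is safe to delete.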
1 change: 0 additions & 1 deletion .azure/applications/api/params.bicepparam
Expand Up @@ -4,7 +4,6 @@ param namePrefix = readEnvironmentVariable('NAME_PREFIX')
param location = 'norwayeast'
param imageTag = readEnvironmentVariable('IMAGE_TAG')
param platform_base_url = readEnvironmentVariable('PLATFORM_BASE_URL')
param legacy_base_url = readEnvironmentVariable('LEGACY_BASE_URL')
param correspondenceBaseUrl = readEnvironmentVariable('CORRESPONDENCE_BASE_URL')
param environment = readEnvironmentVariable('ENVIRONMENT')
param maskinporten_environment = 'test'
9 changes: 9 additions & 0 deletions .azure/infrastructure/parameters.json
@@ -0,0 +1,9 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"adminPassword": {
"value": "yourSecretHere123!"
}
}
}
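Review bot: The new `.azure/infrastructure/parameters.json` commits a literal `adminPassword` value (`"yourSecretHere123!"`) in a deployment parameters file, which puts a credential-shaped string into source history even if it is only a placeholder, and invites the next person to overwrite it in place with the real value. Deployment parameter files support Key Vault references for secure parameters, so the entry should become `"adminPassword": { "reference": { "keyVault": { "id": "<key-vault-resource-id placeholder>" }, "secretName": "<secret-name placeholder>" } }` or be supplied at deploy time, with the matching template parameter declared `@secure()` so it is not echoed in deployment output; secret scanners will also flag the current value on every run. Nothing else in this commit references the file, so it is worth confirming that a pipeline actually consumes it before it is kept.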
5 changes: 0 additions & 5 deletions .azure/modules/containerApp/main.bicep
Expand Up @@ -4,7 +4,6 @@ param namePrefix string
param image string
param environment string
param platform_base_url string
param legacy_base_url string
param maskinporten_environment string
param correspondenceBaseUrl string
param idportenIssuer string
Expand Down Expand Up @@ -58,10 +57,6 @@ var containerAppEnvVars = [
name: 'AltinnOptions__OpenIdWellKnown'
value: '${platform_base_url}/authentication/api/v1/openid/.well-known/openid-configuration'
}
{
name: 'AltinnOptions__LegacyOpenIdWellKnown'
value: '${legacy_base_url}/authentication/api/v1/openid/.well-known/openid-configuration'
}
{ name: 'AltinnOptions__PlatformGatewayUrl', value: platform_base_url }
{ name: 'AltinnOptions__PlatformSubscriptionKey', secretRef: 'platform-subscription-key' }
{ name: 'AltinnOptions__AccessManagementSubscriptionKey', secretRef: 'access-management-subscription-key' }
4 changes: 0 additions & 4 deletions .github/actions/deploy-to-environment/action.yml
Expand Up @@ -57,9 +57,6 @@ inputs:
PLATFORM_BASE_URL:
description: "Platform Base URL"
required: true
LEGACY_BASE_URL:
description: "Legacy Base URL"
required: false
PLATFORM_SUBSCRIPTION_KEY:
description: "Platform Subscription Key"
required: true
Expand Down Expand Up @@ -120,5 +117,4 @@ runs:
DIALOGPORTEN_ISSUER: ${{ inputs.DIALOGPORTEN_ISSUER }}
IDPORTEN_ISSUER: ${{ inputs.IDPORTEN_ISSUER }}
PLATFORM_BASE_URL: ${{ inputs.PLATFORM_BASE_URL }}
LEGACY_BASE_URL: ${{ inputs.LEGACY_BASE_URL }}
STORAGE_ACCOUNT_NAME: ${{ inputs.AZURE_STORAGE_ACCOUNT_NAME }}
4 changes: 0 additions & 4 deletions .github/actions/release-version/action.yml
Expand Up @@ -29,9 +29,6 @@ inputs:
PLATFORM_BASE_URL:
description: "Base url for Altinn platform"
required: true
LEGACY_BASE_URL:
description: "Base url for legacy platform"
required: false
STORAGE_ACCOUNT_NAME:
description: "Name of the storage account used for attachments"
required: true
Expand Down Expand Up @@ -69,7 +66,6 @@ runs:
CLIENT_ID: ${{ inputs.AZURE_CLIENT_ID }}
TENANT_ID: ${{ inputs.AZURE_TENANT_ID }}
PLATFORM_BASE_URL: ${{ inputs.PLATFORM_BASE_URL }}
LEGACY_BASE_URL: ${{ inputs.LEGACY_BASE_URL }}
STORAGE_ACCOUNT_NAME: ${{ inputs.STORAGE_ACCOUNT_NAME }}
CORRESPONDENCE_BASE_URL: ${{ inputs.CORRESPONDENCE_BASE_URL }}
DIALOGPORTEN_ISSUER: ${{ inputs.DIALOGPORTEN_ISSUER }}
41 changes: 38 additions & 3 deletions .github/workflows/ci-cd.yaml
Expand Up @@ -75,7 +75,44 @@ jobs:
MASKINPORTEN_CLIENT_ID: ${{ secrets.MASKINPORTEN_CLIENT_ID }}
MASKINPORTEN_JWK: ${{ secrets.MASKINPORTEN_JWK }}
PLATFORM_BASE_URL: ${{ secrets.PLATFORM_BASE_URL }}
LEGACY_BASE_URL: ${{ secrets.LEGACY_BASE_URL }}
PLATFORM_SUBSCRIPTION_KEY: ${{ secrets.PLATFORM_SUBSCRIPTION_KEY }}
SLACK_URL: ${{ secrets.SLACK_URL }}

deploy-at22:
name: deploy at22
runs-on: ubuntu-latest
environment: test
if: always() && !failure() && !cancelled()
needs: [get-version, publish, test]
permissions:
id-token: write
contents: read
packages: write
steps:
- name: Checkout
uses: actions/checkout@v4

- name: Deploy to environment
uses: ./.github/actions/deploy-to-environment
with:
environment: at22
imageTag: ${{ needs.get-version.outputs.imageTag }}
ACCESS_MANAGEMENT_SUBSCRIPTION_KEY: ${{ secrets.ACCESS_MANAGEMENT_SUBSCRIPTION_KEY }}
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
AZURE_ENVIRONMENT_KEY_VAULT_NAME: ${{ secrets.AZURE_ENVIRONMENT_KEY_VAULT_NAME }}
AZURE_NAME_PREFIX: ${{ secrets.AZURE_NAME_PREFIX }}
AZURE_STORAGE_ACCOUNT_NAME: ${{ secrets.AZURE_STORAGE_ACCOUNT_NAME }}
AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
AZURE_TEST_ACCESS_CLIENT_ID: ${{ secrets.AZURE_TEST_ACCESS_CLIENT_ID }}
CORRESPONDENCE_BASE_URL: ${{ secrets.CORRESPONDENCE_BASE_URL }}
DIALOGPORTEN_ISSUER: ${{ secrets.DIALOGPORTEN_ISSUER }}
IDPORTEN_CLIENT_ID: ${{ secrets.IDPORTEN_CLIENT_ID }}
IDPORTEN_CLIENT_SECRET: ${{ secrets.IDPORTEN_CLIENT_SECRET }}
IDPORTEN_ISSUER: ${{ secrets.IDPORTEN_ISSUER }}
MASKINPORTEN_CLIENT_ID: ${{ secrets.MASKINPORTEN_CLIENT_ID }}
MASKINPORTEN_JWK: ${{ secrets.MASKINPORTEN_JWK }}
PLATFORM_BASE_URL: ${{ secrets.PLATFORM_BASE_URL }}
PLATFORM_SUBSCRIPTION_KEY: ${{ secrets.PLATFORM_SUBSCRIPTION_KEY }}
SLACK_URL: ${{ secrets.SLACK_URL }}

Expand Down Expand Up @@ -117,7 +154,6 @@ jobs:
MASKINPORTEN_CLIENT_ID: ${{ secrets.MASKINPORTEN_CLIENT_ID }}
MASKINPORTEN_JWK: ${{ secrets.MASKINPORTEN_JWK }}
PLATFORM_BASE_URL: ${{ secrets.PLATFORM_BASE_URL }}
LEGACY_BASE_URL: ${{ secrets.LEGACY_BASE_URL }}
PLATFORM_SUBSCRIPTION_KEY: ${{ secrets.PLATFORM_SUBSCRIPTION_KEY }}
SLACK_URL: ${{ secrets.SLACK_URL }}

Expand Down Expand Up @@ -159,7 +195,6 @@ jobs:
MASKINPORTEN_CLIENT_ID: ${{ secrets.MASKINPORTEN_CLIENT_ID }}
MASKINPORTEN_JWK: ${{ secrets.MASKINPORTEN_JWK }}
PLATFORM_BASE_URL: ${{ secrets.PLATFORM_BASE_URL }}
LEGACY_BASE_URL: ${{ secrets.PLATFORM_BASE_URL }}
PLATFORM_SUBSCRIPTION_KEY: ${{ secrets.PLATFORM_SUBSCRIPTION_KEY }}
SLACK_URL: ${{ secrets.SLACK_URL }}

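Review bot: The new `deploy-at22` job in the first hunk declares `environment: test` while passing `environment: at22` to the deploy action, so every `secrets.*` value it reads (`AZURE_NAME_PREFIX`, `AZURE_ENVIRONMENT_KEY_VAULT_NAME`, `AZURE_SUBSCRIPTION_ID`, the IdPorten and Maskinporten credentials) resolves from the GitHub environment named `test`, and the deployment runs under test's protection rules rather than its own. If at22 is meant to be a separate Altinn environment with its own key vault and credentials, it needs its own GitHub environment, `environment: at22` on the job, and that environment's secret set; if sharing test's secrets and approvals is intended, a comment on the job saying so would stop the next reader from treating it as a misconfiguration. The same question applies to the new `at22` choice in `.github/workflows/deploy-to-environment.yml`, whose job definition is outside this diff.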
2 changes: 1 addition & 1 deletion .github/workflows/deploy-to-environment.yml
Expand Up @@ -14,6 +14,7 @@ on:
- test
- staging
- production
- at22

jobs:
get-version:
Expand Down Expand Up @@ -77,6 +78,5 @@ jobs:
MASKINPORTEN_CLIENT_ID: ${{ secrets.MASKINPORTEN_CLIENT_ID }}
MASKINPORTEN_JWK: ${{ secrets.MASKINPORTEN_JWK }}
PLATFORM_BASE_URL: ${{ secrets.PLATFORM_BASE_URL }}
LEGACY_BASE_URL: ${{ secrets.LEGACY_BASE_URL }}
PLATFORM_SUBSCRIPTION_KEY: ${{ secrets.PLATFORM_SUBSCRIPTION_KEY }}
SLACK_URL: ${{ secrets.SLACK_URL }}
1 change: 0 additions & 1 deletion .github/workflows/publish-branch.yml
Expand Up @@ -35,7 +35,6 @@ jobs:
AZURE_ENVIRONMENT_KEY_VAULT_NAME: ${{ secrets.AZURE_ENVIRONMENT_KEY_VAULT_NAME }}
AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
PLATFORM_BASE_URL: ${{ secrets.PLATFORM_BASE_URL }}
LEGACY_BASE_URL: ${{ secrets.LEGACY_BASE_URL }}
CORRESPONDENCE_BASE_URL: ${{ secrets.CORRESPONDENCE_BASE_URL }}
STORAGE_ACCOUNT_NAME: ${{ secrets.AZURE_STORAGE_ACCOUNT_NAME }}
DIALOGPORTEN_ISSUER: ${{ secrets.DIALOGPORTEN_ISSUER }}
21 changes: 1 addition & 20 deletions src/Altinn.Correspondence.API/Auth/DependencyInjection.cs
Expand Up @@ -48,25 +48,6 @@ public static void ConfigureAuthentication(this IServiceCollection services, ICo
OnChallenge = AltinnTokenEventsHelper.OnChallenge
};
})
.AddJwtBearer(AuthorizationConstants.Legacy, options =>
{
options.SaveToken = true;
options.MetadataAddress = altinnOptions.LegacyOpenIdWellKnown ?? altinnOptions.OpenIdWellKnown;
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuerSigningKey = true,
ValidateIssuer = true,
ValidateAudience = false,
RequireExpirationTime = true,
ValidateLifetime = !hostEnvironment.IsDevelopment(), // Do not validate lifetime in tests
ClockSkew = TimeSpan.Zero
};
options.Events = new JwtBearerEvents()
{
OnAuthenticationFailed = AltinnTokenEventsHelper.OnAuthenticationFailed,
OnChallenge = AltinnTokenEventsHelper.OnChallenge
};
})
.AddJwtBearer(AuthorizationConstants.MaskinportenScheme, options => // To support maskinporten tokens
{
options.SaveToken = true;
Expand Down Expand Up @@ -160,7 +141,7 @@ public static void ConfigureAuthorization(this IServiceCollection services, ICon
options.AddPolicy(AuthorizationConstants.DownloadAttachmentPolicy, policy =>
policy.RequireScopeIfAltinn(config, AuthorizationConstants.RecipientScope)
.AddAuthenticationSchemes(AuthorizationConstants.AllSchemes));
options.AddPolicy(AuthorizationConstants.Legacy, policy => policy.AddRequirements(new ScopeAccessRequirement(AuthorizationConstants.LegacyScope)).AddAuthenticationSchemes(AuthorizationConstants.Legacy));
options.AddPolicy(AuthorizationConstants.Legacy, policy => policy.AddRequirements(new ScopeAccessRequirement(AuthorizationConstants.LegacyScope)).AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme));
});
}
}
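Review bot: With the `AuthorizationConstants.Legacy` JWT bearer registration removed in the first hunk, any policy that still names that scheme will fail at request time with an `InvalidOperationException` for an unregistered scheme; `AuthorizationConstants.AllSchemes`, used by the `DownloadAttachmentPolicy` line just above the changed policy in the second hunk, is defined outside this diff, so please confirm it no longer lists the legacy scheme, and that `AuthorizationConstants.LegacyOrDefaultScheme` (dropped from the controller attribute in this commit) is deleted or at least unreferenced. The removed handler validated with `ValidateAudience = false` and `ClockSkew = TimeSpan.Zero`; legacy tokens now pass through the default scheme's `TokenValidationParameters`, which sit outside the hunk, so a short comment on the `Legacy` policy stating that legacy callers are now validated against `OpenIdWellKnown` with the default scheme's rules would document the intended behaviour change. For readability I would split the new policy line into `options.AddPolicy(AuthorizationConstants.Legacy, policy => policy` / `.AddRequirements(new ScopeAccessRequirement(AuthorizationConstants.LegacyScope))` / `.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme));`, matching the surrounding policies. Both hunks are inside methods (`ConfigureAuthentication`, `ConfigureAuthorization`) that begin outside the diff.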
Expand Up @@ -21,7 +21,7 @@ namespace Altinn.Correspondence.API.Controllers
[ApiController]
[ApiExplorerSettings(IgnoreApi = true)]
[Route("correspondence/api/v1/legacy/correspondence")]
[Authorize(Policy = AuthorizationConstants.Legacy, AuthenticationSchemes = AuthorizationConstants.LegacyOrDefaultScheme)]
[Authorize(Policy = AuthorizationConstants.Legacy)]
public class LegacyCorrespondenceController : Controller
{
private readonly ILogger<LegacyCorrespondenceController> _logger;
1 change: 0 additions & 1 deletion src/Altinn.Correspondence.Core/Options/AltinnOptions.cs
Expand Up @@ -6,5 +6,4 @@ public class AltinnOptions
public string PlatformGatewayUrl { get; set; } = string.Empty;
public string PlatformSubscriptionKey { get; set; } = string.Empty;
public string AccessManagementSubscriptionKey { get; set; } = string.Empty;
public string LegacyOpenIdWellKnown { get; set; } = string.Empty;
}
Expand Up @@ -41,16 +41,16 @@ public AltinnAuthorizationService(HttpClient httpClient, IOptions<AltinnOptions>
_logger = logger;
}

public Task<bool> CheckAccessAsSender(ClaimsPrincipal? user, string resourceId, string sender, string? instance, CancellationToken cancellationToken = default)
public Task<bool> CheckAccessAsSender(ClaimsPrincipal? user, string resourceId, string sender, string? instance, CancellationToken cancellationToken = default)
=> CheckUserAccess(
user,
resourceId,
sender.WithoutPrefix(),
instance,
new List<ResourceAccessLevel> { ResourceAccessLevel.Write },
cancellationToken);
public Task<bool> CheckAccessAsSender(ClaimsPrincipal? user, CorrespondenceEntity correspondence, CancellationToken cancellationToken = default) =>

public Task<bool> CheckAccessAsSender(ClaimsPrincipal? user, CorrespondenceEntity correspondence, CancellationToken cancellationToken = default) =>
CheckUserAccess(
user,
correspondence.ResourceId,
