Finalise sso

.env.example

@@ -10,6 +10,36 @@ DBSDER_API_KEY=3d8767ff-ed2a-47bd-91c2-f5ebac712f2c
 NLP_PSEUDONYMISATION_API_URL=http://localhost:8081 # to docker use host.docker.internal over localhost
 
 NLP_PSEUDONYMISATION_API_ENABLED=false # true to use nlp-api
-JWT_PRIVATE_KEY=myPrivateKey
 # PROD to use DB:
 RUN_MODE=LOCAL 
+
+# SSO VARIABLES
+COOKIE_PRIVATE_KEY=myPrivateKey
+# Service Provider (SP)
+SSO_SP_ENTITY_ID=label
+SSO_SP_ASSERTION_CONSUMER_SERVICE_LOCATION=http://localhost:55430/label/api/sso/acs
+# Identity Provider (IdP)
+SSO_IDP_METADATA=sso_files/keycloak-metadata-idp.xml
+SSO_IDP_SINGLE_SIGN_ON_SERVICE_LOCATION=http://localhost:8080/realms/label/protocol/saml
+SSO_IDP_SINGLE_LOGOUT_SERVICE_LOCATION=http://localhost:8080/realms/label/protocol/saml
+SSO_CERTIFICAT=sso_files/keycloak-cert.pem
+SSO_SP_PRIVATE_KEY=sso_files/keycloak-private.key
+# Les valeurs possibles du SSO_NAME_ID_FORMAT sont le IDP metadata.xml
+SSO_NAME_ID_FORMAT=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+SSO_SIGNATURE_ALGORITHM="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
+# Authentication
+# 604800=7*24*60*60
+SESSION_DURATION=604800
+# FRONT END
+SSO_FRONT_SUCCESS_CONNEXION_ANNOTATOR_URL=http://localhost:55432/label/annotation
+SSO_FRONT_SUCCESS_CONNEXION_ADMIN_SCRUTATOR_URL=http://localhost:55432/label/admin/main/summary
+SSO_FRONT_SUCCESS_CONNEXION_PUBLICATOR_URL=http://localhost:55432/label/publishable-documents
+# ATTRIBUTS KEYS
+SSO_ATTRIBUTE_NAME=lastName
+SSO_ATTRIBUTE_FIRSTNAME=firstName
+SSO_ATTRIBUTE_MAIL=email
+SSO_ATTRIBUTE_ROLE=Role
+# APPLICATION NAME
+SSO_APP_NAME=LABEL
+# APPLICATION ROLES
+SSO_APP_ROLES=admin,annotator,publicator,scrutator

Dockerfile.label-backend

@@ -9,15 +9,23 @@ RUN yarn config set proxy $http_proxy; \
 
 WORKDIR /home/node/
 
-# Install git for sder and sder-core package
-RUN apk add git
-
 # Copy context files
 COPY ./package.json ./
 COPY packages/generic/core/package.json ./packages/generic/core/
 COPY packages/generic/backend/package.json ./packages/generic/backend/
 COPY packages/courDeCassation/package.json ./packages/courDeCassation/
 
+# Voir comment améliorer car pour la re7 et la prod les seront ajoutées depuis un bucket dans l'image
+# Si en dev, on copie les fichiers comme ça on enleve le changement de droit
+# COPY sso_files/ ./packages/courDeCassation/sso_files/
+# RUN if [ "$NODE_ENV" = "development" ]; then \
+#       COPY sso_files/ ./packages/courDeCassation/sso_files/; \
+#     fi
+
+COPY sso_files/ ./packages/courDeCassation/sso_files/
+RUN chmod -R 777 ./packages/courDeCassation/sso_files
+RUN chmod -R 777 ./packages/courDeCassation/sso_files/
+
 COPY . .
 
 # Do not bring client dependencies to backend prod

INSTALL.md

@@ -7,11 +7,13 @@
 ## Configuration
 
 You can lauch the backend with or withour docker. To configure these methods you must have an env file :
+
 - `.env`
 
 Copy and rename `.env.example`.
 
 Label depends on 2 other services from the Cour de cassation : dbsder-api and nlp-pseudonymisation-api. You can lauch these services locally to simulate operation close to production or you can disable theses services from env files. In this case these 2 services are emulated by Label with the storage folder. To do so, follow the `Add documents you want to annotate` step in the [reuser guide](docs/reuserGuide.md) or just rename the `storage-example` folder to `storage`.
+To manage local authentication label uses keycloak.
 
 You should take a look at [juridependencies](https://github.com/Cour-de-cassation/juridependencies) to install theses services.
 
@@ -87,3 +89,17 @@ docker compose exec labelbk sh -c "cd packages/courDeCassation; sh scripts/runLo
 ```sh
 scripts/runScriptLocally.sh "myScript.js --myArgument"
 ```
+
+### SSO configuration
+
+Follow the [installation guide](packages/generic/sso/README.md).
+
+> The LABEL application leverages the SSO module as a dependency for its integration with the Single Sign-On (SSO) system. The details of this integration are documented in the [README](packages/generic/sso/README.md) of the SSO module.
+
+The backend exposes the following URLs to interact with the SSO:
+
+1. /api/sso/login: Endpoint to initiate the login process via SSO.
+2. /api/sso/acs: Endpoint for processing SAML assertions following a successful authentication.
+3. /api/sso/logout: Endpoint to disconnect the user from the SSO.
+
+**_The attributes returned by the SSO, as well as the roles used by the application, are specified in the configuration file._**

ROADMAP.md

@@ -8,12 +8,9 @@ Here are the current roadmaps:
 - Fix security issues and update dependencies
 - Improve reusability
 - Improve test coverage
-- Connect label to the ministry's SSO/LDAP
-- Use dbsder api and dbsder-api-type instead of `sder` repository
 - Rethinking the use of the pelta design system
 - Use mongoose
 
-
 ## Functionnal roadmap
 
 This software will follow the [official calendar of french justice open data](https://www.justice.gouv.fr/documentation/open-data-decisions-justice) which follows [an official decree](https://www.legifrance.gouv.fr/loda/id/JORFTEXT000043426865/).

ansible/group_vars/all/main.yml

@@ -12,3 +12,16 @@ dbsder_api_url: "http://api-service.dbsder:3000" # url not tested
 label_db_name: "labelDb"
 label_client_url: "https://label.cour-de-cassation.justice.fr:55432" # strange url
 label_kube_namespace: "label"
+session_duration: "604800"
+
+# SSO 
+sso_name_id_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+sso_signature_algorithm: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
+sso_app_name: "LABEL"
+sso_app_roles: "admin,annotator,publicator,scrutator"
+
+sso_bucket: "sso-files"
+s3_type: "s3"
+s3_provider: "Minio"
+s3_endpoint: "http://bucket-service.juritj.svc.cluster.local:9000"
+rclone_app_id: "rclone"

ansible/group_vars/dev/main.yml

@@ -1,6 +1,26 @@
 git_branch: dev
 
-sder_mongodb_url: "{{ vault_sder_mongodb_url }}"
-label_mongodb_url: "{{ vault_label_mongodb_url }}"
-dbsder_api_key: "{{ vault_dbsder_api_key }}"
-jwt_private_key: "{{ vault_jwt_private_key }}"
+label_mongodb_url: "{{ vault_label_mongodb_url }}" 
+dbsder_api_key: "{{ vault_dbsder_api_key }}" 
+cookie_private_key: "{{ vault_cookie_private_key }}" 
+sso_sp_assertion_consumer_service_location: "{{ vault_sso_sp_assertion_consumer_service_location }}" 
+sso_sp_entity_id: "{{ vault_sso_sp_entity_id }}" 
+sso_idp_single_sign_on_service_location: "{{ vault_sso_idp_single_sign_on_service_location }}"
+sso_idp_single_logout_service_location: "{{ vault_sso_idp_single_logout_service_location }}"
+sso_front_success_connexion_annotator_url: "{{ vault_sso_front_success_connexion_annotator_url }}" 
+sso_front_success_connexion_admin_scrutator_url: "{{ vault_sso_front_success_connexion_admin_scrutator_url }}" 
+sso_front_success_connexion_publicator_url: "{{ vault_sso_front_success_connexion_publicator_url }}" 
+
+sso_idp_metadata: "sso_files/keycloak-metadata-idp-dev.xml"
+sso_certificat: "sso_files/keycloak-cert.pem"
+sso_sp_private_key: "sso_files/keycloak-private.key"
+
+# On ajoutera cette parti dans le all quand on aura les mêmes attributs partout (keyclaock et ldapMJ)
+sso_attribute_name: "lastName" 
+sso_attribute_firstname: "firstname"
+sso_attribute_mail: "email"
+sso_attribute_role: "Role"
+
+
+s3_access_key: "{{ vault_s3_access_key }}" 
+s3_secret_key: "{{ vault_s3_secret_key }}"  

ansible/group_vars/dev/vault.yml

@@ -1,16 +1,61 @@
 $ANSIBLE_VAULT;1.1;AES256
-66643134396430343834663432376438623436313864316233383962663735393936623738653062
-6432333835333531653565383935623135626130663235340a303530636461666236396261656537
-65363832633664633932386366323566653661343535623933653934613433663136323535643836
-6231666439313437390a313932393739393862613234373832383939353739666534356465663333
-35313938343064366138373333323630663661356335633263663563656132356235343166386365
-62656438303161343064343235333034656166326565383231323162326237653537653531396231
-65346634666565373433383230333734343531386631613833626331303437613464313063383962
-39623030356239333331313631626238643739336163373235643839306264353463646239353536
-35623637663462306663386365366339386139613235326337616666623434306266623164653839
-32396262393133333664653863393238353066633632646230616330663662663761323464313237
-35666663366533386437363461393230356162376533616265636336373265376632656634376462
-65363538373137356636336463366430303761356364303737643865646237313439623065613262
-39656337313738396530356166623038363132343135666566653139623564313763653837306531
-66613033366233616432613239376166313733663236323335363833333032303162353639653131
-646330653531393233346266396536616338
+64313037313065396237393832636439643036373839616339336663333631323439333932393662
+3430373432613934306139356430363566643531393537650a393437343433376432633533363135
+62333762656464643835343737363232353931386432386530656138303562313533336236663234
+3231373939656566650a333464643538333038376436656238333863613062643363323632323735
+66396539623536386162346230356130616339356336633163636265313539353133626537363463
+30346135646561656565336461666239656335636536366331636438643530313433343864373666
+65613864333864616262316238643034363362383637393137383966323262306530356363303135
+34333233633033656138343362366465396433623432633631633563666536636333363831303931
+35616139396234373462653433383363653833353363353238383136366439366564313535323566
+36316239653064373837376135646338393865616137633334653233383034663264336231313634
+65366262396537386438386562306262623630326465333532326234626437663232326265636533
+33666133643965393935383763356231653036333234633332666261666633353135376136313332
+61383231326633326334316638336238383936366339383836326238386564633331363063666663
+66393237323335303533623330613532653836343037653636373565636166376466316536306137
+37613133396466333463326635643961363865656438383234376136346161383234313937303962
+39636261666464616230626331356135653834333864643161333831643738386639363933303064
+33383733333563343839343438376365373963323230666164653965333237343461383039336564
+34626463643935373564386436343535343437373361306263393862646137623561353363653364
+37663538616436306564313666666666336131616132623963326530623639636561653038326334
+34366461383938303863623264646364613365346363356661616432373633386464656130306230
+37393832313631333338616331383934613136613638306232353738313338623361613766356636
+33373139343837633463616334356330666462383131656132326530333135363534343335643933
+62633362316433316163663532306464613932396237366532383235396666653361663262323835
+30363233626163643331646131363065613837336233636136653030616430313134656335333438
+33336533626531326137336566323839663565326134333236663339343863636432353461636663
+36383936383862663661373265656133333165653338646362336166663864393736646538653530
+33643431386632333830613635376532353533636131373139646139303631383134623039306263
+38396236613436643130383666616131346437623135633263316663336238376431363933633961
+66356337366261383165306130636238633461623037646638366236336261363839653334643139
+30336337643230376563353830313931633661633236383362343434366632373639313632356131
+36396331643266323537613431333734323737343461383263386665356662643663343434643530
+37303962326432623338336438373234623866376538333730343330633963643166363732353966
+61646634616632373162643932643232653763313862646364313237336230366630373139353438
+66633734313130346633326531396364346530376430623132333663626631323737626136633433
+39393931376433366532626165356166636265663962363032666364326332366563346231356462
+39373436346535663532306464333762373338643836383063633135313432623532363630373333
+33366138363836623939336633353965323135613330336466653232613639333339343834396262
+61366335383730363734396263383431663532626365656165303135343931326463643166646638
+39393733393332313466623463303165663861666137376334323835646264663434663831303663
+39366631613964666435356331353866316363336434313334663239633230343061373864303832
+34616466356535363339646433656232336530663463306533636433373330336431303738636363
+39306339613138653362336338396338343135623463623239613066336263393137356163646632
+37656331396562653434643261333630383838373133313738633664313663323137373933363565
+62313966376163396666303463616334383939343161366335613835346265643830643564363237
+30333835303032626333343265333834373638636537656163653534356663323864393537356636
+66393237356565363163383639323534306563316662343532653663613739313934643766326135
+38653933333534666536623266383832663566623930333636323261663039623865306430303138
+65356665666261333830306336303938313133333962623934363338316639623435326665653566
+39303830383033393739353666636138333932653364343837616230613532306632303562386133
+61303730616534376563363466326334613866643332373139386537323535366635633333393232
+38393939636439653939363437626361663562383161656166393666343731313638346337313261
+31306263383563623935343236336566343637363331393562353761323962373464313364306361
+37663831643530376363306635313562653762346436616261373634633737373135633039656565
+66383033303031623633663933633035633636616263383237383466333435363965393739316636
+36326437653339613738333937363161343865376166396539346432633836613230323762363462
+34373639376461336137383438393931323930316139346163626531303564613536396263643936
+32353637386366623139383637313637356565373039326233343362386433363463653864663564
+32396262616131616261393835633238393637376632653762333030613538343664613335643039
+66636234656532393166346138653865343739643530336263353130623161663835626463326539
+34326237333133316433

ansible/group_vars/preprod/main.yml

@@ -1,6 +1,27 @@
 git_branch: re7
 
-sder_mongodb_url: "{{ vault_sder_mongodb_url }}"
 label_mongodb_url: "{{ vault_label_mongodb_url }}"
 dbsder_api_key: "{{ vault_dbsder_api_key }}"
-jwt_private_key: "{{ vault_jwt_private_key }}"
+
+cookie_private_key: "{{ vault_cookie_private_key }}"
+sso_sp_assertion_consumer_service_location: "{{ vault_sso_sp_assertion_consumer_service_location }}"
+sso_sp_entity_id: "{{ vault_sso_sp_entity_id }}"
+sso_idp_single_sign_on_service_location: "{{ vault_sso_idp_single_sign_on_service_location }}"
+sso_idp_single_logout_service_location: "{{ vault_sso_idp_single_logout_service_location }}"
+sso_front_success_connexion_annotator_url: "{{ vault_sso_front_success_connexion_annotator_url }}"
+sso_front_success_connexion_admin_scrutator_url: "{{ vault_sso_front_success_connexion_admin_scrutator_url }}"
+sso_front_success_connexion_publicator_url: "{{ vault_sso_front_success_connexion_publicator_url }}"
+
+sso_idp_metadata: "sso-files/recette_idp_mj.xml"
+sso_certificat: "sso-files/recette-certificate.pem"
+sso_sp_private_key: "sso-files/recette-private.key"
+
+# a enlever quand on adaptera le keycloack 
+sso_attribute_name: "nom"
+sso_attribute_firstname: "prenom"
+sso_attribute_mail: "mail"
+sso_attribute_role: "roles"
+
+
+s3_access_key: "{{ vault_s3_access_key }}"
+s3_secret_key: "{{ vault_s3_secret_key }}"