diff --git a/.github/workflows/push-trigger.yml b/.github/workflows/push-trigger.yml
index 303458bf4..26cf8207b 100644
--- a/.github/workflows/push-trigger.yml
+++ b/.github/workflows/push-trigger.yml
@@ -10,14 +10,14 @@ on:
workflow_dispatch:
inputs:
message:
- description: 'Message for manually triggering'
+ description: "Message for manually triggering"
required: false
- default: 'Triggered for Updates'
+ default: "Triggered for Updates"
type: string
push:
branches:
- - '!release-branch'
+ - "!release-branch"
- master
- develop
- develop-go
@@ -29,7 +29,7 @@ jobs:
with:
SERVICE_LOCATION: ./esignet-service
BUILD_BINARY: esignet
- GO_VERSION: '1.26'
+ GO_VERSION: "1.26"
secrets:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}
@@ -55,8 +55,8 @@ jobs:
strategy:
matrix:
include:
- - SERVICE_LOCATION: 'esignet-service'
- SERVICE_NAME: 'esignet'
+ - SERVICE_LOCATION: "esignet-service"
+ SERVICE_NAME: "esignet"
ONLY_DOCKER: true
PLATFORMS: "linux/amd64,linux/arm64"
@@ -76,4 +76,47 @@ jobs:
DEV_NAMESPACE_DOCKER_HUB: ${{ secrets.DEV_NAMESPACE_DOCKER_HUB }}
ACTOR_DOCKER_HUB: ${{ secrets.ACTOR_DOCKER_HUB }}
RELEASE_DOCKER_HUB: ${{ secrets.RELEASE_DOCKER_HUB }}
- SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}
\ No newline at end of file
+ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}
+
+ build-oidc-ui:
+ uses: mosip/kattu/.github/workflows/npm-build.yml@develop
+ with:
+ SERVICE_LOCATION: oidc-ui
+ BUILD_ARTIFACT: oidc
+ NPM_BUILD_TYPE: BOB
+ NODE_VERSION: "18"
+ ZIP_DIR: build
+ secrets:
+ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}
+
+ sonar-analysis-oidc-ui:
+ needs: build-oidc-ui
+ if: "${{ github.event_name != 'pull_request' }}"
+ uses: mosip/kattu/.github/workflows/npm-sonar-analysis.yml@develop
+ with:
+ SERVICE_LOCATION: oidc-ui
+ NPM_BUILD_TYPE: BOB
+ secrets:
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ ORG_KEY: ${{ secrets.ORG_KEY }}
+ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}
+
+ build_dockers_oidc_ui:
+ strategy:
+ matrix:
+ include:
+ - SERVICE_LOCATION: "oidc-ui"
+ SERVICE_NAME: "oidc-ui"
+ SQUASH_LAYERS: "13"
+ fail-fast: false
+ name: ${{ matrix.SERVICE_NAME }}
+ uses: mosip/kattu/.github/workflows/docker-build.yml@master-java21
+ with:
+ SERVICE_LOCATION: ${{ matrix.SERVICE_LOCATION }}
+ SERVICE_NAME: ${{ matrix.SERVICE_NAME }}
+ SQUASH_LAYERS: ${{ matrix.SQUASH_LAYERS }}
+ secrets:
+ DEV_NAMESPACE_DOCKER_HUB: ${{ secrets.DEV_NAMESPACE_DOCKER_HUB }}
+ ACTOR_DOCKER_HUB: ${{ secrets.ACTOR_DOCKER_HUB }}
+ RELEASE_DOCKER_HUB: ${{ secrets.RELEASE_DOCKER_HUB }}
+ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}
diff --git a/helm/oidc-ui/templates/configmap.yaml b/helm/oidc-ui/templates/configmap.yaml
index f2b3891cf..470bd0465 100644
--- a/helm/oidc-ui/templates/configmap.yaml
+++ b/helm/oidc-ui/templates/configmap.yaml
@@ -21,6 +21,7 @@ data:
http {
access_log /var/log/nginx/access1.log;
error_log /var/log/nginx/error1.log;
+
server {
listen {{ .Values.oidc_ui.oidc_ui_port }};
server_name localhost;
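Review bot: `build_dockers_oidc_ui` has no `needs: build-oidc-ui`, so the docker-build job can start before the npm build has produced the `oidc` artifact; unless docker-build.yml builds from source itself, add `needs: build-oidc-ui` under it, as the sonar job already does. The three new jobs also pull reusable workflows from mutable refs (`@develop`, `@master-java21`) while handing them Docker Hub and Sonar credentials as secrets; pinning those `uses:` references to a commit SHA keeps a change in the upstream branch from silently altering what runs with those secrets. Node 18 (`NODE_VERSION: "18"`) is past upstream end-of-life, so a maintained LTS line is worth considering. Minor style: the job id `build_dockers_oidc_ui` is snake_case where the other new ids (`build-oidc-ui`, `sonar-analysis-oidc-ui`) are kebab-case.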
@@ -35,7 +36,18 @@ data:
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
location /v1/esignet {
- proxy_pass http://{{ .Values.oidc_ui.oidc_service_host }}/v1/esignet;
+ proxy_pass http://{{ .Values.oidc_ui.oidc_service_host }}/;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $server_name;
+ add_header Content-Security-Policy "default-src 'none'" always;
+ add_header Referrer-Policy "no-referrer" always;
+ }
+
+ location /v1/esignet/actuator/ {
+ proxy_pass http://{{ .Values.oidc_ui.oidc_service_host }}/;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
@@ -54,6 +66,9 @@ data:
proxy_set_header X-Forwarded-Host $server_name;
add_header Content-Security-Policy "default-src 'none'" always;
add_header Referrer-Policy "no-referrer" always;
+ add_header 'Access-Control-Allow-Origin' '*' always;
+ add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS' always;
+ add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always;
types {
text/plain log cer json txt;
}
@@ -68,6 +83,9 @@ data:
proxy_set_header X-Forwarded-Host $server_name;
add_header Content-Security-Policy "default-src 'none'" always;
add_header Referrer-Policy "no-referrer" always;
+ add_header 'Access-Control-Allow-Origin' '*' always;
+ add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS' always;
+ add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always;
types {
text/plain log cer json txt;
}
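Review bot: In the `/v1/esignet` block the new `proxy_pass http://{{ .Values.oidc_ui.oidc_service_host }}/;` carries a trailing slash while the unchanged `location /v1/esignet {` has none, so nginx substitutes `/` for `/v1/esignet` and a request such as `/v1/esignet/foo` reaches the service as `//foo`. Make the two agree, e.g. `location /v1/esignet/ {` together with the new `proxy_pass`; the nginx.conf hunk at `@@ -22,7 +23,7 @@` already uses `location /v1/esignet/ {`, so the Helm and image configurations currently route the same prefix differently. The new `location /v1/esignet/actuator/` block (also added to nginx.conf in `@@ -30,13 +31,10 @@`) forwards `/v1/esignet/actuator/health` as `/health`, dropping the `actuator` segment, which looks unintended if upstream serves its management endpoints under `/actuator/`. Whether management endpoints should be reachable through the public UI proxy at all deserves an explicit decision and, if so, a source restriction on that block.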
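Review bot: The CORS headers added here (and identically in the `@@ -68`, `@@ -82` and `@@ -96` hunks of this file and the `@@ -58` and `@@ -72` hunks of nginx.conf) open the enclosing location to every origin, which is fine only for public, unauthenticated metadata such as the `.well-known` documents; the enclosing `location` starts outside this hunk, so that should be confirmed for each of the six blocks. A preflight is still forwarded to the service because nothing answers `OPTIONS` locally, so the `GET, OPTIONS` allowance only works if upstream returns 2xx to `OPTIONS` on these paths; otherwise answer it in nginx with `if ($request_method = OPTIONS) { return 204; }` inside the block. The `types { text/plain log cer json txt; }` block maps file extensions for files nginx serves itself and, as far as I can tell, does not touch a proxied response whose Content-Type comes from upstream, so it is probably inert here. Six verbatim copies of the same header set would be easier to keep consistent as one shared snippet, e.g. `include cors-headers.conf;` (or a named template define for the Helm chart).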
@@ -82,6 +100,9 @@ data:
proxy_set_header X-Forwarded-Host $server_name;
add_header Content-Security-Policy "default-src 'none'" always;
add_header Referrer-Policy "no-referrer" always;
+ add_header 'Access-Control-Allow-Origin' '*' always;
+ add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS' always;
+ add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always;
types {
text/plain log cer json txt;
}
@@ -96,6 +117,9 @@ data:
proxy_set_header X-Forwarded-Host $server_name;
add_header Content-Security-Policy "default-src 'none'" always;
add_header Referrer-Policy "no-referrer" always;
+ add_header 'Access-Control-Allow-Origin' '*' always;
+ add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS' always;
+ add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always;
types {
text/plain log cer json txt;
}
diff --git a/oidc-ui/nginx/nginx.conf b/oidc-ui/nginx/nginx.conf
index d5c23c01f..66ef99b4e 100644
--- a/oidc-ui/nginx/nginx.conf
+++ b/oidc-ui/nginx/nginx.conf
@@ -1,3 +1,4 @@
+nginx.conf
worker_processes 1;
events {
@@ -5,12 +6,12 @@ events {
}
http {
- access_log /var/log/nginx/access.log;
- error_log /var/log/nginx/error.log;
+ access_log /var/log/nginx/access1.log;
+ error_log /var/log/nginx/error1.log;
+
server {
listen 3000;
server_name localhost;
- server_tokens off;
root /usr/share/nginx/html;
index index.html index.htm;
@@ -22,7 +23,7 @@ http {
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
location /v1/esignet/ {
- proxy_pass http://esignet.esignet/v1/esignet/;
+ proxy_pass http://esignet.esignet/;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
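Review bot: The added first line `nginx.conf` is not a directive; nginx reads `nginx.conf worker_processes 1;` as one statement and refuses to start with `unknown directive "nginx.conf"`, so the line should be deleted or turned into a comment, `# nginx.conf`. It looks like a stray paste of the file name rather than intended configuration.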
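Review bot: Removing `server_tokens off;` from the `server` block re-enables the nginx version string in the `Server` header and on error pages; keep `server_tokens off;` unless there is a reason to advertise the version. The log targets also move from `access.log`/`error.log` to `access1.log`/`error1.log`; on the stock nginx image the former are symlinks to stdout/stderr, so the renamed files would stop request and error logs from reaching the container runtime and instead accumulate on the container filesystem. The Helm configmap hunk at `@@ -21,6 +21,7 @@` already shows `access1.log`/`error1.log` in context, so if the rename is deliberate, confirm the new path is collected by the log pipeline and rotated.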
@@ -30,13 +31,10 @@ http {
proxy_set_header X-Forwarded-Host $server_name;
add_header Content-Security-Policy "default-src 'none'" always;
add_header Referrer-Policy "no-referrer" always;
- proxy_connect_timeout 10s;
- proxy_send_timeout 30s;
- proxy_read_timeout 30s;
}
-
- location /.well-known/openid-configuration {
- proxy_pass http://esignet.esignet/v1/esignet/oidc/.well-known/openid-configuration;
+
+ location /v1/esignet/actuator/ {
+ proxy_pass http://esignet.esignet/;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
@@ -44,13 +42,10 @@ http {
proxy_set_header X-Forwarded-Host $server_name;
add_header Content-Security-Policy "default-src 'none'" always;
add_header Referrer-Policy "no-referrer" always;
- proxy_connect_timeout 10s;
- proxy_send_timeout 30s;
- proxy_read_timeout 30s;
}
location /.well-known/jwks.json {
- proxy_pass http://esignet.esignet/v1/esignet/oauth/.well-known/jwks.json;
+ proxy_pass http://esignet.esignet/.well-known/jwks.json;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
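Review bot: Dropping `proxy_connect_timeout 10s;`, `proxy_send_timeout 30s;` and `proxy_read_timeout 30s;` here (and in the `@@ -44`, `@@ -58` and `@@ -72` hunks) falls back to nginx's 60 s default for each, so a slow or hung esignet backend ties up UI worker connections for twice as long as before. If the intent was only to restructure the location blocks, keep the three directives, or set them once at `http` or `server` level so they no longer need repeating per block.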
@@ -58,13 +53,33 @@ http {
proxy_set_header X-Forwarded-Host $server_name;
add_header Content-Security-Policy "default-src 'none'" always;
add_header Referrer-Policy "no-referrer" always;
- proxy_connect_timeout 10s;
- proxy_send_timeout 30s;
- proxy_read_timeout 30s;
+ add_header 'Access-Control-Allow-Origin' '*' always;
+ add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS' always;
+ add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always;
+ types {
+ text/plain log cer json txt;
+ }
+ }
+
+ location /.well-known/openid-configuration {
+ proxy_pass http://esignet.esignet/.well-known/openid-configuration;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $server_name;
+ add_header Content-Security-Policy "default-src 'none'" always;
+ add_header Referrer-Policy "no-referrer" always;
+ add_header 'Access-Control-Allow-Origin' '*' always;
+ add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS' always;
+ add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always;
+ types {
+ text/plain log cer json txt;
+ }
}
location /.well-known/oauth-authorization-server {
- proxy_pass http://esignet.esignet/v1/esignet/oauth/.well-known/oauth-authorization-server;
+ proxy_pass http://esignet.esignet/.well-known/oauth-authorization-server;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
@@ -72,14 +87,26 @@ http {
proxy_set_header X-Forwarded-Host $server_name;
add_header Content-Security-Policy "default-src 'none'" always;
add_header Referrer-Policy "no-referrer" always;
- proxy_connect_timeout 10s;
- proxy_send_timeout 30s;
- proxy_read_timeout 30s;
+ add_header 'Access-Control-Allow-Origin' '*' always;
+ add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS' always;
+ add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always;
+ types {
+ text/plain log cer json txt;
+ }
}
location / {
- # alias /usr/share/nginx/html;
try_files $uri $uri/ /index.html;
+ add_header Content-Security-Policy "
+ default-src 'self';
+ style-src 'self' https://fonts.googleapis.com 'unsafe-inline';
+ font-src 'self' https://fonts.gstatic.com;
+ img-src 'self' data: https://cdn.jsdelivr.net https://*.mosip.net;
+ script-src 'self' https://www.google.com https://www.gstatic.com;
+ frame-src https://www.google.com;
+ connect-src 'self' http://127.0.0.1:*;
+ " always;
+ add_header Referrer-Policy "no-referrer" always;
}
}
-}
\ No newline at end of file
+}
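Review bot: The `Content-Security-Policy` value in `location /` is a quoted string spread over nine lines, and nginx passes the configured value through as-is, so the header is emitted with literal newlines and indentation inside it; a bare LF is not allowed in an HTTP header value and clients or intermediaries may reject or truncate the response, so collapse the policy onto one line with directives separated by `; `. While there, `base-uri` does not fall back to `default-src`, so adding `base-uri 'self';` closes base-tag injection, and if framing protection is not set elsewhere a `frame-ancestors` directive belongs in this policy too. `connect-src 'self' http://127.0.0.1:*;` deliberately lets the page call any plaintext port on the user's machine; if that is for a local device integration, a comment above the header saying so would help the next reader, e.g. `# connect-src permits calls to a locally running service on 127.0.0.1 — confirm which ports are actually needed`.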