Fix gh action in pull requests from fork

.github/workflows/build-server-docker.yml → .github/workflows/docker-image.yml

@@ -1,27 +1,32 @@
-name: Build server docker
+name: Publish Docker Image
 
 on:
   push:
-    branches: [ master ]
+    branches: [ main ]
   pull_request:
-    branches: [ master ]
+    branches: [ main ]
   workflow_dispatch:
 env:
-  IMAGE_NAME: record-manager-server
-  MVN_PROFILE: production-docker
-  MAIN_BRANCH_NAME: master
+  # Last fragment of identifier of the docker image
+  IMAGE_NAME: ${{ github.repository }}
+  # Group identifier of the docker image, typically ${{ github.repository_owner }} or ${{ github.repository }}
+  IMAGE_GROUP_NAME: ${{ github.repository_owner }}
+  MAIN_BRANCH_NAME: main
+
 jobs:
-
   build-and-publish:
-  
+
     runs-on: ubuntu-latest
-    
+
     steps:
+      - name: Exit if pull request is from a fork
+        run: |
+          if [ "${{ github.event_name }}" == "pull_request" ] && [ "${{ github.event.pull_request.head.repo.name }}" != "${{ github.event.repository.name }}" ]; then
+            echo "Skiping workflow as this pull request is from a fork."
+            exit 78
+          fi
       - uses: actions/checkout@v2
 
-      - name: Build application archive
-        run: mvn clean package -B -P $MVN_PROFILE
-
       - name: Build docker image
         run: docker build . --file Dockerfile --tag $IMAGE_NAME
 
@@ -30,7 +35,7 @@ jobs:
 
       - name: Push image
         run: |
-          IMAGE_ID=docker.pkg.github.com/${{ github.repository }}/$IMAGE_NAME
+          IMAGE_ID=docker.pkg.github.com/$IMAGE_GROUP_NAME/$IMAGE_NAME
           # Change all uppercase to lowercase
           IMAGE_ID=$(echo $IMAGE_ID | tr '[A-Z]' '[a-z]')
           # Get branch name if merge to a branch

.github/workflows/protect-master.yml → .github/workflows/protect-main.yml

@@ -6,9 +6,9 @@ name: CI
 # events but only for the master branch
 on:
   push:
-    branches: [ master ]
+    branches: [ main ]
   pull_request:
-    branches: [ master ]
+    branches: [ main ]
 
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
@@ -20,12 +20,12 @@ jobs:
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
     # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-    - uses: actions/checkout@v2
-
-    # Runs a single command using the runners shell
-#    - name: Compile
-#      run: mvn compile
+    - uses: actions/checkout@v3
+    - uses: actions/setup-java@v3
+      with:
+        java-version: '17'
+        distribution: 'adopt'
 
     # Runs a set of commands using the runners shell
-#    - name: Test
-#      run: mvn test
+    - name: Test
+      run: mvn -B test

.gitignore

@@ -3,6 +3,7 @@
 target
 node_modules
 build
+logs
 **/generated-sources
 **/npm-debug.log
 .DS_store

Dockerfile

@@ -1,7 +1,18 @@
-FROM tomcat:9.0-jdk8-slim
+FROM maven:3-eclipse-temurin-17 as build
 
-EXPOSE 8080
+WORKDIR /record-manager
+
+COPY pom.xml pom.xml
+
+RUN mvn -B de.qaware.maven:go-offline-maven-plugin:resolve-dependencies
+
+COPY src src
 
-COPY /target/record-manager-0.*.war /usr/local/tomcat/webapps/record-manager.war
+RUN mvn package -B -DskipTests=true
+
+FROM eclipse-temurin:17-jdk-alpine as runtime
+COPY --from=build  /record-manager/target/record-manager.jar record-manager.jar
+
+EXPOSE 8080
 
-CMD ["catalina.sh","run"]
+ENTRYPOINT ["java","-jar","/record-manager.jar"]

README.md

@@ -1,12 +1,11 @@
 # OFN Record Manager
 
-Manager of records based on OFN (https://opendata.gov.cz/otevřené-formální-normy:start).
+Manager of records based on OFN (https://data.gov.cz/ofn/).
 
 ## Required Technologies
 
-- JDK 8 (preferably Oracle)
+- JDK 17
 - Apache Maven 3.5.x
-- Apache Tomcat 9 or newer (required by Servlet API 4)
 
 ## System Architecture
 

doc/development.md

@@ -1,14 +1,14 @@
 Development Notes
 
-Frontend of the application can be developed separately from the backend. 
+Frontend of the application is developed separately.
+
 The setup requires following steps:
 1) configure the application according to [Setup Guide](setup.md)
 2) configure `config.properties` to contain `security.sameSite=None`    
    This is important if you are running the application over http so 
    web browser would not block requests to the server due to CORS policy.
 3) build the backend `mvn clean package`
-4) deploy created web application archive (`./target/record-manager-*.war`) to a web server 
-5) run frontend `cd ./src/main/webapp; npm run dev`
-6) frontend is by default accessible from `http://localhost:3000`
+4) Run the created application archive (`./target/record-manager.jar`)
+5) Checkout and run frontend
 
-Alternatively to step 2, a browser plugin can be used to disable CORS policy.
+Alternatively to step 2, a browser plugin can be used to disable CORS policy.

doc/setup.md

@@ -4,37 +4,22 @@
 
 ### System Requirements
 
-- JDK 8 (newer or older versions are not supported at the moment)
+- JDK 17 or later
 - Apache Maven 3.5.x or newer
 
-### Setup
-
-#### Maven Profiles
-
-To build the application for **non**-development deployment, use Maven and select the `production` profile.
-
 ### Application Configuration
 
-Application has backend developed in Java and frontend developed in ReactJS frameworks. 
-
-__Backend__ uses src/main/resources/config.properties to configure:
+The application uses `src/main/resources/config.properties` to configure:
 * connection to internal triple store
-* rest endpoint of Form service
-* smtp configuration for sending emails
+* REST endpoint of Form service
+* SMTP configuration for sending emails
 * email templates for invitation, password change, and profile update scenarios
 
-See comments in the configuration file for more information. In addition, supported record types are configured using query in src/main/resources/query/findFormTypes.rq.
-
-__Frontend__ uses src/main/resources/webapp/.env to configure:
-* url of backend
-* application title in browser
-* internationalization settings
-
-See src/main/resources/webapp/.env.example for detailed description of options. 
+See comments in the configuration file for more information. In addition, supported record types are configured using query in `src/main/resources/query/findFormTypes.rq`.
 
 ### Building
 
-Production war file can be produced by maven command: `mvn clean package -B -P production`
+Application JAR file can be produced by maven command: `mvn clean package -B`
 
 ## Deployment
 
@@ -47,25 +32,37 @@ Deployment requires 4 steps:
 
 ### System Requirements
 
-- JDK 8 (newer or older versions are not supported at the moment)
-- Apache Tomcat 8.5 or later (9.x is recommended) or any Servlet API 4-compatible application server
+- JDK 17
 
- ### Record Manager RDF4J Repository
+### Record Manager RDF4J Repository
 
- Main repository of the application is configured by `repositoryUrl` parameter. 
+Main repository of the application is configured by `repositoryUrl` parameter. 
 
- ### Form service RDF4J Repository
+### Form service RDF4J Repository
 
- Repository dedicated to provide data to Form service is configured by `formGenRepositoryUrl`. Additionally, this repository can contain a configuration of generation of forms fom SGoV model.
+Repository dedicated to provide data to Form service is configured by `formGenRepositoryUrl`. Additionally, this repository can contain a configuration of generation of forms fom SGoV model.
 
- ### SGoV Model Repository
+### SGoV Model Repository
 
- This repository is query parameter of Form service call specified in `sgovRepositoryUrl`.
+This repository is query parameter of Form service call specified in `sgovRepositoryUrl`.
 
- ### SForms Service
+### SForms Service
 
- SForms service is configured in `formGenServiceUrl`, the call to the service should contain SGoV model repository as query parameter. Example call:
- `formGenRepositoryUrl=`http://localhost:8080/s-pipes/service?_pId=transform&sgovRepositoryUrl=https%3A%2F%2Fgraphdb.onto.fel.cvut.cz%2Frepositories%2Fkodi-slovnik-gov-cz`
+SForms service is configured in `formGenServiceUrl`, the call to the service should contain SGoV model repository as query parameter. Example call:
+`formGenRepositoryUrl=`http://localhost:8080/s-pipes/service?_pId=transform&sgovRepositoryUrl=https%3A%2F%2Fgraphdb.onto.fel.cvut.cz%2Frepositories%2Fkodi-slovnik-gov-cz`
+
+### OpenID Connect Authentication
 
+RecordManager can work with an external authentication service implementing the OpenID Connect protocol. To use it,
+set the `security.provider` (in `config.properties` or via `SECURITY_PROVIDER` via an environment variable) configuration to `oidc` 
+and configure the `spring.security.oauth2.resourceserver.jwt.issuer-uri` (in `application.properties` or using an environment variable)
+parameter to the URI of the OAuth2 token issuer. When using Keycloak, this corresponds to the URI of the realm through
+which Record Manager users authenticate their requests. For example, the value may be `http://localhost:8080/realms/record-manager`.
+A client with confidential access and the corresponding valid redirect and origin URIs should be configured in the realm.
 
+If needed, claim used to access user's roles can be configured via `oidc.roleClaim`. The default value corresponds to the
+default role mapping in Keycloak. Record Manager will assign `ROLE_USER` to authenticated users by default, any other roles
+must be available in the token.
 
+Note also that it is expected that user metadata corresponding to the user extracted from the access token exist in the
+repository. They are paired via the `prefferred_username` claim value (see `SecurityUtils`).

docker-compose.yml

@@ -12,7 +12,8 @@ services:
       API_URL: "http://localhost:3000/ofn-record-manager"
 
   dm-record-manager-server:
-    image: 'ofn-record-manager-server:latest'
+    build: .
+    image: record-manager-server
     container_name: dm-record-manager-server
     ports:
       - '3000:8080'
@@ -37,7 +38,7 @@ services:
       - ./scripts:/scripts
 
   dm-rdf4j:
-    image: 'eclipse/rdf4j-workbench:amd64-3.5.0'
+    image: 'eclipse/rdf4j-workbench:4.3.7'
     container_name: dm-rdf4j
     ports:
       - "8080:8080"