Merge branch 'main' into dependabot/npm_and_yarn/authority-portal-fro…

…ntend/npm_and_yarn-security-group-e0cd778f82

.github/workflows/add_issue_to_project.yml

@@ -10,7 +10,7 @@ jobs:
     name: add_issue_to_project
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/add-to-project@v0.5.0
+      - uses: actions/add-to-project@v1.0.1
         with:
           project-url: https://github.com/orgs/sovity/projects/9
           github-token: ${{ secrets.ADD_ISSUE_TO_PROJECT_PAT }}

CHANGELOG.md

@@ -13,6 +13,129 @@ please see [changelog_updates.md](docs/dev/changelog_updates.md).
 
 #### Minor
 
+- Changed connector status DEAD to OFFLINE in UI responses ([#184](https://github.com/sovity/authority-portal/issues/184))
+
+#### Patch
+
+- Fixed the connector status missing in the CSV reports ([#190](https://github.com/sovity/authority-portal/issues/189))
+- Fixed naming of EDC variable in instructions ([#195](https://github.com/sovity/authority-portal/issues/195))
+- Fixed error message for already existing CaaS subdomains ([#196](https://github.com/sovity/authority-portal/issues/196))
+- Removed possibility to provide a connector for oneself as a Service Partner ([#191](https://github.com/sovity/authority-portal/issues/191))
+- Added an environment variable to enable configuration of the support page URL. See deployment migration notes. ([#203](https://github.com/sovity/authority-portal/issues/203))
+
+### Known issues
+
+### Deployment Migration Notes
+
+- Added environment variables
+  - Portal Frontend
+    ```yaml
+    # Support page URL
+    AUTHORITY_PORTAL_FRONTEND_SUPPORT_URL: https://support.mobility-dataspace.eu
+    ```
+  - Keycloak
+    ```yaml
+    # Privacy policy and legal notice URLs
+    KEYCLOAK_PRIVACY_POLICY_URL: https://mobility-dataspace.online/privacy-policy-mds-portal
+    KEYCLOAK_LEGAL_NOTICE_URL: https://mobility-dataspace.eu/legal-notice
+    ```
+
+#### Compatible Versions
+
+- Authority Portal Backend Docker Image: `ghcr.io/sovity/authority-portal-backend:{{ version }}`
+- Authority Portal Frontend Docker Image: `ghcr.io/sovity/authority-portal-frontend:{{ version }}`
+- Broker Server: `{{ broker version }}`
+
+## [v2.2.1] - 2024-04-11
+
+### Overview
+
+This release addresses several security issues and adds minor improvements to the Authority Portal.
+
+### Detailed Changes
+
+#### Patch
+
+- Fixed "Provided Connectors" view for Service Partners ([#172](https://github.com/sovity/authority-portal/issues/172))
+- Fixed red fields in organization create page ([#122](https://github.com/sovity/authority-portal/issues/122))
+- Fixed wrong path after onboarding ([#103](https://github.com/sovity/authority-portal/issues/103))
+- Fixed yellow inactive sidebar item ([#123](https://github.com/sovity/authority-portal/issues/123))
+- Fixed vulnerability from [CVE-2024-2700](https://github.com/advisories/GHSA-f8h5-v2vg-46rr)
+- Adjusted headers for improved security ([#176](https://github.com/sovity/authority-portal/issues/176))
+- Adjusted Keycloak SSL settings for improved security ([#183](https://github.com/sovity/authority-portal/issues/183))
+- Adjusted documentation ([#181](https://github.com/sovity/authority-portal/issues/181))
+
+### Known issues
+
+### Deployment Migration Notes
+
+- Keycloak
+  - Change SSL settings
+    - Realm settings > General > Require SSL: `All requests`
+- Caddy
+  - Headers to improve security are now set
+  - Modified Caddyfile:
+  ```
+  # UI Requests: Internet -> Caddy 8080 -> Frontend
+  # Backend Requests: Internet -> Caddy 8080 -> Auth Proxy -> Caddy 8081 -> Backend
+  
+  :8080 {
+    map {path} {target_host} {target_port} {
+      ~^/api/.*      {$AUTH_PROXY_UPSTREAM_HOST}   8080
+      ~^/oauth2/.*   {$AUTH_PROXY_UPSTREAM_HOST}   8080
+      default        {$FRONTEND_UPSTREAM_HOST}     8080
+    }
+  
+    reverse_proxy {target_host}:{target_port} {
+      header_down -Gap-Auth
+    }
+  
+    # Set security headers for UI responses
+    header {
+      X-Frame-Options "DENY"
+      +Content-Security-Policy "frame-ancestors 'none'"
+    }
+  
+    # Set security headers for API responses
+    header /api/* {
+      X-Content-Type-Options nosniff
+      +Content-Security-Policy "script-src 'none'"
+      +Cache-Control "no-store"
+    }
+
+    # Set Cache-Control for UI assets
+    header /assets/* {
+      +Cache-Control "public, max-age=2592000, immutable"
+    }
+  }
+  
+  # Caddy 8081 -> Backend
+  # We need this second block because the auth proxy
+  # does not pass the token on the right header due to
+  # kubernetes conventions.
+  :8081 {
+    reverse_proxy {$BACKEND_UPSTREAM_HOST}:8080 {
+      header_up Authorization "Bearer {header.X-Forwarded-Access-Token}"
+    }
+  }
+  ```
+
+#### Compatible Versions
+
+- Authority Portal Backend Docker Image: `ghcr.io/sovity/authority-portal-backend:2.2.1`
+- Authority Portal Frontend Docker Image: `ghcr.io/sovity/authority-portal-frontend:2.2.1`
+- Broker Server: [`4.1.1`](https://github.com/sovity/edc-broker-server-extension/releases/tag/v4.1.1)
+
+## [v2.2.0] - 20240-04-02
+
+### Overview
+
+This release addresses several issues and adds minor improvements to the Authority Portal.
+
+### Detailed Changes
+
+#### Minor
+
 - Enable users to delete themselves ([#127](https://github.com/sovity/authority-portal/issues/127))
 - Added an API endpoint to set the backend log level during runtime: `https://[AP_FQDN]/api/config/log-level?level=[LOG_LEVEL]` ([#2](https://github.com/sovity/authority-portal/issues/2))
   - `x-api-key` header must be set correctly to access this endpoint
@@ -27,14 +150,14 @@ please see [changelog_updates.md](docs/dev/changelog_updates.md).
 - Fixed Keycloak notifications, OTP pages ([#146](https://github.com/sovity/authority-portal/issues/146)), ([#151](https://github.com/sovity/authority-portal/issues/151))
 - Fixed provided connectors' statuses missing on the dashboard ([#138](https://github.com/sovity/authority-portal/issues/138))
 - Fixed "Hosted By Name" column in Connector CSV report ([#149](https://github.com/sovity/authority-portal/issues/149))
-- Adjusted wording in the sidebar menu ([#117](https://github.com/sovity/authority-portal/issues/117))
-- Fixed wording in "Reset Password" email ([#116](https://github.com/sovity/authority-portal/issues/116))
-- Fixed wording in "Provide Central Component" form ([#112](https://github.com/sovity/authority-portal/issues/112))
 - Fixed wrong Users and Roles path [#150](https://github.com/sovity/authority-portal/issues/150)
 - Fixed phone number and description validators ([#161](https://github.com/sovity/authority-portal/issues/161))
 - Fixed Page not found for "MyUsers" route ([#163](https://github.com/sovity/authority-portal/issues/163))
-
-### Known issues
+- Fixed logo in Keycloak Theme being cut off ([#165](https://github.com/sovity/authority-portal/issues/165))
+- Fixed wording in "Reset Password" email ([#116](https://github.com/sovity/authority-portal/issues/116))
+- Fixed wording in "Provide Central Component" form ([#112](https://github.com/sovity/authority-portal/issues/112))
+- Adjusted wording in the sidebar menu ([#117](https://github.com/sovity/authority-portal/issues/117))
+- Adjusted documentation ([#159](https://github.com/sovity/authority-portal/issues/159))
 
 ### Deployment Migration Notes
 
@@ -56,11 +179,11 @@ please see [changelog_updates.md](docs/dev/changelog_updates.md).
 
 #### Compatible Versions
 
-- Authority Portal Backend Docker Image: `ghcr.io/sovity/authority-portal-backend:{{ version }}`
-- Authority Portal Frontend Docker Image: `ghcr.io/sovity/authority-portal-frontend:{{ version }}`
-- Broker Server: `{{ broker version }}`
+- Authority Portal Backend Docker Image: `ghcr.io/sovity/authority-portal-backend:2.2.0`
+- Authority Portal Frontend Docker Image: `ghcr.io/sovity/authority-portal-frontend:2.2.0`
+- Broker Server: [`4.1.0`](https://github.com/sovity/edc-broker-server-extension/releases/tag/v4.1.0)
 
-## [2.1.2] - 2024-03-22
+## [v2.1.2] - 2024-03-22
 
 ### Overview
 

authority-portal-backend/authority-portal-api/src/main/java/de/sovity/authorityportal/api/UiResource.java

@@ -189,10 +189,10 @@ OrganizationOverviewResult organizationsOverviewForAuthority(
     );
 
     @GET
-    @Path("/application/organizations")
+    @Path("/service-partner/providable-organizations")
     @Produces(MediaType.APPLICATION_JSON)
-    @Operation(description = "Get all participating organizations with their status. (For Service Partners and Operators)")
-    OrganizationOverviewResult organizationsOverview(
+    @Operation(description = "Get all organizations a service partner can provide a connector to. (For Service Partners)")
+    OrganizationOverviewResult organizationsOverviewForProvidingConnectors(
         @QueryParam("environmentId")
         @Valid
         @NotBlank(message = "EnvironmentId cannot be blank")

authority-portal-backend/authority-portal-quarkus/src/main/kotlin/de/sovity/authorityportal/web/UiResourceImpl.kt

@@ -258,9 +258,10 @@ class UiResourceImpl : UiResource {
     }
 
     @Transactional
-    override fun organizationsOverview(environmentId: String): OrganizationOverviewResult {
-        authUtils.requiresAnyRole(Roles.UserRoles.SERVICE_PARTNER_ADMIN, Roles.UserRoles.OPERATOR_ADMIN)
-        return organizationInfoApiService.organizationsOverview(environmentId)
+    override fun organizationsOverviewForProvidingConnectors(environmentId: String): OrganizationOverviewResult {
+        authUtils.requiresAnyRole(Roles.UserRoles.SERVICE_PARTNER_ADMIN)
+        authUtils.requiresMemberOfAnyOrganization()
+        return organizationInfoApiService.organizationsOverviewForProvidingConnectors(loggedInUser.organizationMdsId!!, environmentId)
     }
 
     @Transactional

authority-portal-backend/authority-portal-quarkus/src/main/kotlin/de/sovity/authorityportal/web/pages/connectormanagement/CaasManagementApiService.kt

@@ -103,10 +103,10 @@ class CaasManagementApiService {
 
     private fun assertValidConfig(apDeploymentDto: CaasPortalDeploymentDto, mdsId: String, environmentId: String): ConfigAssertion {
         if (!connectorService.assertCaasRegistrationLimit(mdsId, environmentId)) {
-            return ConfigAssertion(false, "Connector limit reached for mdsId: $mdsId")
+            return ConfigAssertion(false, "Connector limit reached for MDS ID: $mdsId")
         }
         if (!caasClient.validateSubdomain(apDeploymentDto.subdomain.trim())) {
-            return ConfigAssertion(false, "Subdomain ${apDeploymentDto.subdomain} is not available! mdsId: $mdsId")
+            return ConfigAssertion(false, "Subdomain ${apDeploymentDto.subdomain} is not available! Please choose a different one.")
         }
         return ConfigAssertion(true, "")
     }

authority-portal-backend/authority-portal-quarkus/src/main/kotlin/de/sovity/authorityportal/web/pages/connectormanagement/ConnectorManagementApiService.kt

@@ -33,6 +33,7 @@ import de.sovity.authorityportal.web.services.ConnectorService
 import de.sovity.authorityportal.web.services.OrganizationService
 import de.sovity.authorityportal.web.thirdparty.broker.BrokerClientService
 import de.sovity.authorityportal.web.thirdparty.broker.model.AddedConnector
+import de.sovity.authorityportal.web.thirdparty.broker.model.ConnectorOnlineStatus
 import de.sovity.authorityportal.web.thirdparty.caas.CaasClient
 import de.sovity.authorityportal.web.thirdparty.daps.DapsClientService
 import de.sovity.authorityportal.web.utils.idmanagement.ClientIdUtils
@@ -109,7 +110,7 @@ class ConnectorManagementApiService {
             connector.frontendUrl,
             connector.endpointUrl,
             connector.managementUrl,
-            buildConnectorStatus(connector)
+            buildConnectorStatusFromConnectorDetails(connector)
         )
     }
 
@@ -148,6 +149,7 @@ class ConnectorManagementApiService {
         deploymentEnvironmentService.assertValidEnvId(environmentId)
 
         val connectors = connectorService.getConnectorsByHostMdsId(mdsId, environmentId)
+            .filter { it.mdsId != it.providerMdsId }
         val orgNames = organizationService.getAllOrganizationNames()
 
         val connectorDtos = connectors.map {
@@ -157,7 +159,7 @@ class ConnectorManagementApiService {
                 it.type.toDto(),
                 deploymentEnvironmentDtoService.findByIdOrThrow(it.environment),
                 it.name,
-                if (it.type == ConnectorType.CAAS) it.caasStatus.toDto() else connectorMetadataService.getConnectorStatus(it.connectorId, it.environment).toDto(),
+                buildConnectorStatusFromConnectorRecord(it),
                 it.frontendUrl
             )
         }
@@ -345,11 +347,28 @@ class ConnectorManagementApiService {
         dapsClient.configureMappers(clientId, connectorId, connector.certificate)
     }
 
-    private fun buildConnectorStatus(connector: ConnectorService.ConnectorDetailRs): ConnectorStatusDto {
-        return if (connector.type == ConnectorType.CAAS) {
+    private fun buildConnectorStatusFromConnectorDetails(connector: ConnectorService.ConnectorDetailRs) =
+        if (connector.type == ConnectorType.CAAS) {
             connector.caasStatus!!.toDto()
         } else {
-            connectorMetadataService.getConnectorStatus(connector.connectorId, connector.environment).toDto()
+            connectorMetadataService.getConnectorStatus(connector.connectorId, connector.environment).let { status ->
+                filterDeadConnectorStatus(status)
+            }.toDto()
+        }
+
+    private fun buildConnectorStatusFromConnectorRecord(it: ConnectorRecord) =
+        if (it.type == ConnectorType.CAAS) {
+            it.caasStatus.toDto()
+        } else {
+            connectorMetadataService.getConnectorStatus(it.connectorId, it.environment).let { status ->
+                filterDeadConnectorStatus(status)
+            }.toDto()
+        }
+
+    private fun filterDeadConnectorStatus(status: ConnectorOnlineStatus) =
+        if (status == ConnectorOnlineStatus.DEAD) {
+            ConnectorOnlineStatus.OFFLINE
+        } else {
+            status
         }
-    }
 }

authority-portal-backend/authority-portal-quarkus/src/main/kotlin/de/sovity/authorityportal/web/pages/organizationmanagement/OrganizationInfoApiService.kt

@@ -59,6 +59,12 @@ class OrganizationInfoApiService {
         return OrganizationOverviewResult(dtos)
     }
 
+    fun organizationsOverviewForProvidingConnectors(providerMdsId: String, environmentId: String): OrganizationOverviewResult {
+        val organizations = organizationsOverview(environmentId).organizations
+            .filter { it.mdsId != providerMdsId }
+        return OrganizationOverviewResult(organizations)
+    }
+
     private fun buildOrganizationOverviewEntryDto(
         organization: OrganizationRecord,
         userCounts: Map<String, Int>,

authority-portal-backend/authority-portal-quarkus/src/main/kotlin/de/sovity/authorityportal/web/services/reporting/ConnectorAuthorityCsvReportService.kt

@@ -17,8 +17,10 @@ import de.sovity.authorityportal.db.jooq.enums.ConnectorType
 import de.sovity.authorityportal.web.environment.DeploymentEnvironmentService
 import de.sovity.authorityportal.web.services.ConnectorService
 import de.sovity.authorityportal.web.services.OrganizationService
+import de.sovity.authorityportal.web.services.reporting.utils.ConnectorCsvReportUtils
 import de.sovity.authorityportal.web.services.reporting.utils.CsvColumn
 import de.sovity.authorityportal.web.services.reporting.utils.buildCsv
+import de.sovity.authorityportal.web.thirdparty.broker.model.ConnectorOnlineStatus
 import de.sovity.authorityportal.web.thirdparty.keycloak.KeycloakService
 import jakarta.enterprise.context.ApplicationScoped
 import jakarta.inject.Inject
@@ -39,13 +41,17 @@ class ConnectorAuthorityCsvReportService {
     @Inject
     lateinit var keycloakService: KeycloakService
 
+    @Inject
+    lateinit var connectorCsvReportUtils: ConnectorCsvReportUtils
+
     data class AuthorityConnectorReportRow(
         val organizationMdsId: String,
         val organizationName: String,
         val connectorId: String,
         val connectorName: String,
         val connectorType: ConnectorType,
         val environment: String,
+        val status: ConnectorOnlineStatus,
         val frontendUrl: String?,
         val endpointUrl: String?,
         val managementUrl: String?,
@@ -60,6 +66,7 @@ class ConnectorAuthorityCsvReportService {
         CsvColumn("Name") { it.connectorName },
         CsvColumn("Type") { it.connectorType.toString() },
         CsvColumn("Environment") { it.environment },
+        CsvColumn("Status") { it.status.toString() },
         CsvColumn("Frontend URL") { it.frontendUrl ?: "" },
         CsvColumn("Endpoint URL") { it.endpointUrl ?: "" },
         CsvColumn("Management API URL") { it.managementUrl ?: "" },
@@ -76,6 +83,7 @@ class ConnectorAuthorityCsvReportService {
     private fun buildAuthorityConnectorReportRows(environmentId: String): List<AuthorityConnectorReportRow> {
         val connectors = connectorService.getConnectorsByEnvironment(environmentId)
         val organizationNames = organizationService.getAllOrganizationNames()
+        val connectorStatuses = connectorCsvReportUtils.getConnectorStatusesFromBroker(environmentId, connectors)
 
         return connectors.map {
             AuthorityConnectorReportRow(
@@ -85,6 +93,7 @@ class ConnectorAuthorityCsvReportService {
                 connectorName = it.name,
                 connectorType = it.type,
                 environment = it.environment,
+                status = connectorStatuses[it.endpointUrl] ?: ConnectorOnlineStatus.DEAD,
                 frontendUrl = it.frontendUrl,
                 endpointUrl = it.endpointUrl,
                 managementUrl = it.managementUrl,
@@ -93,5 +102,4 @@ class ConnectorAuthorityCsvReportService {
             )
         }
     }
-
 }