18941 Deploy dev into stage (#62)

* Add staging pipeline file (#36)

* add file

* fix

* feat(cli): update seeder (#35)

* Add deploy stage to logto-admin (#38)

* fix(cli): fix logto pipeline (#40)

* fix(cli): fix seeder to handle empty data (#41)

fix(cli): fix seeder to handle empty values

* feat: logto uat changes (#43)

* feat: logto uat changes

* Update pipeline-variables/uat.yml

Co-authored-by: Sara Zanellato <47299026+peschina@users.noreply.github.com>

---------

Co-authored-by: Sara Zanellato <47299026+peschina@users.noreply.github.com>

* Test migration command in Terraform (#48)

fix: remove seed commands from dockerfile

* 18630 seed real roles (#45)

* feat(cli): seed roles and permissions into db

* fix(cli): cleanup code

* chore(cli): small update

* chore(cli): refactoring roles

* chore(cli): refactoring organization roles

* chore(cli): update

* chore(cli): rename seeder file (#52)

* chore(cli): rename seeder file

* chore(cli): fix eof new line

* chore: use port 7001 instead of 5001 to avoid conflicts with forms (#56)

* fix(cli): remove secrets from local seeder (#59)

* feat(cli): seed is_third_party flag (#57)

* feat(cli): seed is_third_party flag

* fix(demo-app): trying to ignore the entire seeder local file from gitleaks

* Reverted .gitleaksignore change

---------

Co-authored-by: alfonsograziano <alfonsohack0019@gmail.com>
Co-authored-by: Alfonso Graziano <alfonso.graziano@nearform.com>

* feat(cli): seed multiple redurect uris (#58)

* Feature(ogcio): messaging integration (#60)

* feat(ogcio): added messaging permissions locally

* feat(core): updated seeder for deployments

* chore(core): added EOL

---------

Co-authored-by: Alfonso Graziano <alfonso.graziano@nearform.com>

* Add MyGovId Mock service to Logto (#55)

* feat(demo-app): copied mock service from life events repo

* feat(demo-app): add mock users + fix build

* feat(demo-app): changed port to not clash with 3005 in life-events auth-service

* fix(demo-app): trying to ignore the entire seeder local file from gitleaks

* feat(cli): seeder updates already existing entries (#61)

* feat(cli): seeder updates already existing entries

* feat(cli): seeder file updated

* feat(cli): update

* feat(cli): documenting the seeders limitations

* feat(cli): updated documentation

---------

Co-authored-by: Alfonso Graziano <alfonso.graziano@nearform.com>
Co-authored-by: William Monteiro <williamwd@users.noreply.github.com>
Co-authored-by: Sara Zanellato <47299026+peschina@users.noreply.github.com>
Co-authored-by: Marius Sebastian Besel <145235082+msebastianb@users.noreply.github.com>
Co-authored-by: alfonsograziano <alfonsohack0019@gmail.com>
Co-authored-by: SamSalvatico <40636569+SamSalvatico@users.noreply.github.com>

.gitleaksignore

@@ -1,4 +1 @@
 /src/packages/connectors/connector-saml/README.md:private-key:101
-/src/packages/cli/src/commands/database/ogcio/ogcio-seeder-local.json:generic-api-key:37
-/src/packages/cli/src/commands/database/ogcio/ogcio-seeder-local.json:generic-api-key:46
-/src/packages/cli/src/commands/database/ogcio/ogcio-seeder-local.json:generic-api-key:157

.gitpod.yml

@@ -38,7 +38,8 @@ ports:
     port: 5432
     visibility: public
     onOpen: ignore
-  - port: 5001
+    # OGCIO - formsie port collision fixed
+  - port: 7001
     onOpen: ignore
   - port: 5002
     onOpen: ignore

README.OGCIO.md

@@ -113,3 +113,17 @@ This command can take a parameter to specify the input data file, called `seeder
 Usage: `npm run cli db ogcio -- --seeder-filepath="DATA_FILE_PATH"`
 
 To seed the default data for local dev environments, run `npm run cli db ogcio -- --seeder-filepath="./packages/cli/src/commands/database/ogcio/ogcio-seeder-local.json"`.
+
+### Limitations
+
+In most cases, we have predefined IDs in our seeder to ensure the same database structure, even if the database was cleared and re-seeded. Logto IDs are simple text fields (no UUID or other validations are applied) with a maximum length of 21 characters. Do not use IDs longer than 21 characters; otherwise, the seeder will fail with a database error!
+
+Be careful when defining a new ID because data duplication is avoided based on this field. If you later want to change the ID of any of your entries, the seeder won't be able to detect the existence of the affected entry, and it will try to create a new one. Creating a duplicate entry with a different ID can cause a database error if some other fields have a unique constraint. If this is not the case, a duplicate entry will be created, which is also a mistake, and we want to avoid any of these situations. Once you have defined an ID, do not change it if unnecessary.
+
+Using resources other than those declared in the seeder's data file is also impossible because referencing any resource outside of the seeder's scope is not supported. The seeder is supposed to create all the required resources and use them to seed the custom configuration into the database.
+
+### Edge cases
+
+Some changes might affect other entries from the database, like the user entities. In this case, a custom migration script is required to resolve the changes necessary to the affected entries. Before any change in the seeder data, analyse the situation to determine if it is safe to perform. The seeder is not intended to resolve conflicts or update other data than the configuration it seeds.
+
+Deletion of existing seeded data via the seeder is not yet possible. Only the permissions (scopes) will be removed and recreated every time the seeder is executed because that is safe and does not cause conflicts with other entries. A custom script or manual action is required for any other data that must be eliminated.

mygovid-mock-service/.eslintrc.json

@@ -0,0 +1,21 @@
+{
+  "parser": "@typescript-eslint/parser",
+  "extends": [
+    "plugin:@typescript-eslint/recommended",
+    "plugin:prettier/recommended",
+    "eslint:recommended"
+  ],
+  "parserOptions": {
+    "ecmaVersion": 2020,
+    "sourceType": "module"
+  },
+  "rules": {
+    "no-redeclare": "off",
+    "no-unused-vars": "off"
+  },
+  "env": {
+    "browser": true,
+    "node": true
+  },
+  "ignorePatterns": ["dist"]
+}

mygovid-mock-service/.gitignore

@@ -0,0 +1,2 @@
+node_modules
+.tap

mygovid-mock-service/package.json

@@ -0,0 +1,44 @@
+{
+  "name": "mygovid-mock-service",
+  "version": "1.0.0",
+  "description": "",
+  "main": "dist/index.js",
+  "scripts": {
+    "test": "TAP_RCFILE=tap.yml tap",
+    "start": "node dist/index.js",
+    "dev": "nodemon | pino-pretty",
+    "lint": "eslint . --ext .ts",
+    "build": "echo Build script for the MyGovId mock service not needed so far"
+  },
+  "nodemonConfig": {
+    "ext": "ts,json",
+    "exec": "node --import tsx src/index.ts"
+  },
+  "type": "module",
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "@fastify/cookie": "^9.3.1",
+    "@fastify/formbody": "^7.4.0",
+    "@fastify/sensible": "^5.5.0",
+    "@fastify/type-provider-typebox": "^4.0.0",
+    "@sinclair/typebox": "^0.32.16",
+    "fastify": "^4.26.2",
+    "fastify-plugin": "^4.5.1",
+    "jose": "^5.2.4"
+  },
+  "devDependencies": {
+    "@types/node": "^20.11.28",
+    "@typescript-eslint/eslint-plugin": "^7.5.0",
+    "@typescript-eslint/parser": "^7.5.0",
+    "eslint": "^8.57.0",
+    "eslint-config-prettier": "^9.1.0",
+    "eslint-plugin-prettier": "^5.1.3",
+    "pino-pretty": "^11.0.0",
+    "prettier": "^3.2.5",
+    "tap": "^18.8.0",
+    "ts-node": "^10.9.2",
+    "tsx": "^4.7.1",
+    "typescript": "^5.4.2"
+  }
+}

mygovid-mock-service/src/app.ts

@@ -0,0 +1,21 @@
+import fastify, { FastifyServerOptions } from "fastify";
+import routes from "./routes/index.js";
+import { TypeBoxTypeProvider } from "@fastify/type-provider-typebox";
+import sensible from "@fastify/sensible";
+
+export async function build(opts?: FastifyServerOptions) {
+  const app = fastify(opts).withTypeProvider<TypeBoxTypeProvider>();
+
+  app.register(import("@fastify/cookie"), {
+    hook: "onRequest", // set to false to disable cookie autoparsing or set autoparsing on any of the following hooks: 'onRequest', 'preParsing', 'preHandler', 'preValidation'. default: 'onRequest'
+    parseOptions: {}, // options for parsing cookies
+  });
+
+  app.register(import("@fastify/formbody"));
+
+  app.register(routes);
+
+  app.register(sensible);
+
+  return app;
+}

mygovid-mock-service/src/index.ts

@@ -0,0 +1,13 @@
+import { build } from "./app.js";
+
+const app = await build();
+
+app.listen({ host: "0.0.0.0", port: 4005 }, (err, address) => {
+  if (err) {
+    console.error(err);
+    process.exit(1);
+  }
+  console.log(`MyGovId Mock Service listening at ${address}`);
+});
+
+await app.ready();

mygovid-mock-service/src/routes/healthcheck.ts

@@ -0,0 +1,6 @@
+import { FastifyInstance } from "fastify";
+export default async function healthCheck(app: FastifyInstance) {
+  app.get("/health", async () => {
+    return { status: "ok" };
+  });
+}

mygovid-mock-service/src/routes/index.ts

@@ -0,0 +1,8 @@
+import { FastifyInstance } from "fastify";
+import healthCheck from "./healthcheck.js";
+import logto from "./logto/index.js";
+
+export default async function routes(app: FastifyInstance) {
+  app.register(healthCheck);
+  app.register(logto, { prefix: "/logto/mock" });
+}

mygovid-mock-service/src/routes/logto/index.ts

@@ -0,0 +1,186 @@
+import { FastifyInstance } from "fastify";
+import fs from "fs";
+import path, { dirname } from "path";
+import { exportJWK } from "jose";
+import { fileURLToPath } from "url";
+import { Type } from "@sinclair/typebox";
+import {
+  createMockSignedJwt,
+  getPublicKey,
+  streamToString,
+} from "./utils/index.js";
+import { HttpError } from "../../types/httpErrors.js";
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+
+export default async function login(app: FastifyInstance) {
+  app.get<{
+    Querystring: {
+      response_type: string;
+      client_id: string;
+      redirect_uri: string;
+      state: string;
+      nonce: string;
+      scope: string;
+    };
+  }>(
+    "/auth",
+    {
+      schema: {
+        tags: ["Mock"],
+        querystring: {
+          response_type: Type.String(),
+          client_id: Type.String(),
+          redirect_uri: Type.String(),
+          state: Type.String(),
+          nonce: Type.String(),
+          scope: Type.String(),
+        },
+        response: { 200: Type.String(), 500: HttpError },
+      },
+    },
+    async (request, reply) => {
+      const { redirect_uri, state } = request.query;
+
+      const stream = fs.createReadStream(
+        path.join(__dirname, "..", "static", "mock-login.html")
+      );
+
+      const result = (await streamToString(stream))
+        .replace("%REDIRECT_URL%", redirect_uri)
+        .replace("%STATE%", state);
+      return reply.type("text/html").send(result);
+    }
+  );
+
+  app.post<{
+    Body: {
+      password: string;
+      firstName: string;
+      lastName: string;
+      email: string;
+      redirect_url: string;
+      state: string;
+    };
+  }>("/login", async (request, reply) => {
+    const { password, firstName, lastName, email, redirect_url, state } =
+      request.body;
+
+    if (password !== "123")
+      reply.redirect(
+        `/logto/mock/auth?redirect_uri=${redirect_url}&state=${state}`
+      );
+
+    const id_token = await createMockSignedJwt(
+      { firstName, lastName, email },
+      request.headers.origin as unknown as string
+    );
+
+    return reply.redirect(`${redirect_url}?code=${id_token}&state=${state}`);
+  });
+
+  app.post<{
+    Body: {
+      code: string;
+      grant_type: string;
+      redirect_uri: string;
+      client_id: string;
+      client_secret: string;
+    };
+    Reply: {
+      id_token: string;
+      access_token: string;
+      token_type: string;
+      not_before: number;
+      expires_in: number;
+      expires_on: number;
+      id_token_expires_in: number;
+      profile_info: string;
+      scope: string;
+    };
+  }>(
+    "/token",
+    {
+      schema: {
+        tags: ["Mock"],
+        body: Type.Object({
+          code: Type.String(),
+          grant_type: Type.String(),
+          redirect_uri: Type.String(),
+          client_id: Type.String(),
+          client_secret: Type.String(),
+        }),
+        response: {
+          200: Type.Object({
+            id_token: Type.String(),
+            access_token: Type.String(),
+            token_type: Type.String(),
+            not_before: Type.Number(),
+            expires_in: Type.Number(),
+            expires_on: Type.Number(),
+            id_token_expires_in: Type.Number(),
+            profile_info: Type.String(),
+            scope: Type.String(),
+          }),
+          500: HttpError,
+        },
+      },
+    },
+    async (request, _) => {
+      const id_token = request.body.code;
+      return {
+        id_token,
+        access_token: id_token,
+        token_type: "Bearer",
+        not_before: Date.now() - 5000,
+        expires_in: 1800,
+        expires_on: Date.now() - 5000 + 1800,
+        id_token_expires_in: 1800,
+        profile_info:
+          "eyJ2ZXIiOiIxLjAiLCJ0aWQiOiI4OTc5MmE2ZC0xZWE0LTQxMjYtOTRkZi1hNzFkMjkyZGViYzciLCJzdWIiOm51bGwsIm5hbWUiOm51bGwsInByZWZlcnJlZF91c2VybmFtZSI6bnVsbCwiaWRwIjpudWxsfQ",
+        scope: "openid",
+      };
+    }
+  );
+
+  app.get<{
+    Reply: {
+      keys: {
+        kid: string;
+        use: string;
+        kty?: string;
+        n?: string;
+        e?: string;
+      }[];
+    };
+  }>(
+    "/keys",
+    {
+      schema: {
+        tags: ["Mock"],
+        response: {
+          200: Type.Object({
+            keys: Type.Array(
+              Type.Object({
+                kid: Type.String(),
+                use: Type.String(),
+                kty: Type.Optional(Type.String()),
+                n: Type.Optional(Type.String()),
+                e: Type.Optional(Type.String()),
+              })
+            ),
+          }),
+          500: HttpError,
+        },
+      },
+    },
+    async (request, reply) => {
+      const publicKey = await getPublicKey();
+      const { kty, n, e } = await exportJWK(publicKey);
+
+      return {
+        keys: [{ kid: "signingkey.mygovid.v1", use: "sig", kty, n, e }],
+      };
+    }
+  );
+}