Merge branch 'develop'

Author: tuj

CHANGELOG.md

@@ -4,6 +4,15 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+## [2.0.4] - 2024-04-25
+
+- [#204](https://github.com/os2display/display-api-service/pull/204)
+  - Ensured real ip is logged in nginx.
+- [#200](https://github.com/os2display/display-api-service/pull/200)
+  - Updated oidc internal documentation.
+- [#205](https://github.com/os2display/display-api-service/pull/205)
+  - Fixed redirecting post requests.
+
 ## [2.0.3] - 2024-04-10
 
 - [#203](https://github.com/os2display/display-api-service/pull/203)

README.md

@@ -128,9 +128,16 @@ The internal oidc provider gets that user's name, email and tenants from claims.
 
 The claim keys needed are set in the env variables:
 
-- INTERNAL_OIDC_CLAIM_NAME
-- INTERNAL_OIDC_CLAIM_EMAIL
-- INTERNAL_OIDC_CLAIM_GROUPS
+- `INTERNAL_OIDC_CLAIM_NAME`
+- `INTERNAL_OIDC_CLAIM_EMAIL`
+- `INTERNAL_OIDC_CLAIM_GROUPS`
+
+The value of the claim with the name that is defined in the env variable `INTERNAL_OIDC_CLAIM_GROUPS` is mapped to
+the user's access to tenants in `App\Security\AzureOidcAuthenticator`. The claim field should consist of an array of
+names that should follow the following structure `<TENANT_NAME><ROLE_IN_TENANT>`.
+`<ROLE_IN_TENANT>` can be `Admin` or `Redaktoer` (editor).
+E.g. `Example1Admin` will map to the tenant with name `Example1` with `ROLE_ADMIN`.
+If the tenant does not exist it will be created when the user logs in.
 
 ### External
 

config/packages/nelmio_cors.yaml

@@ -8,6 +8,7 @@ nelmio_cors:
         expose_headers: ['Link']
         max_age: 3600
     paths:
-        '^/v2/authentication/':
+        # v1 is added for backwards compatability: See App/Controller/ApiV1RedirectController
+        '^/(v1|v2)/authentication/':
             allow_credentials: true
         '^/': null

config/packages/security.yaml

@@ -33,8 +33,9 @@ security:
         login_oidc:
             pattern: ^/v2/authentication/oidc
             security: false
+        # v1 is added for backwards compatability: See App/Controller/ApiV1RedirectController
         api_token_refresh:
-            pattern: ^/v2/authentication/token/refresh
+            pattern: ^/(v1|v2)/authentication/token/refresh
             stateless: true
             refresh_jwt:
                 provider: user_provider

infrastructure/itkdev/nginx/etc/confd/templates/nginx.conf.tmpl

@@ -37,7 +37,11 @@ http {
     include       /etc/nginx/mime.types;
     default_type  application/octet-stream;
 
-    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+    set_real_ip_from 172.16.0.0/8;
+    real_ip_recursive on;
+    real_ip_header X-Forwarded-For;
+
+    log_format  main  '$http_x_real_ip - $remote_user [$time_local] "$request" '
                       '$status $body_bytes_sent "$http_referer" '
                       '"$http_user_agent" "$http_x_forwarded_for"';
 

infrastructure/os2display/nginx/etc/confd/templates/nginx.conf.tmpl

@@ -37,10 +37,13 @@ http {
     include       /etc/nginx/mime.types;
     default_type  application/octet-stream;
 
-    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+    set_real_ip_from 172.16.0.0/8;
+    real_ip_recursive on;
+    real_ip_header X-Forwarded-For;
+
+    log_format  main  '$http_x_real_ip - $remote_user [$time_local] "$request" '
                       '$status $body_bytes_sent "$http_referer" '
                       '"$http_user_agent" "$http_x_forwarded_for"';
-
     error_log /dev/stderr;
     access_log /dev/stdout main;
 

psalm-baseline.xml

@@ -751,8 +751,8 @@
       <code><![CDATA[$theme]]></code>
     </NullableReturnStatement>
     <PossiblyNullReference>
-      <code><![CDATA[addLogo]]></code>
       <code><![CDATA[removeLogo]]></code>
+      <code><![CDATA[setLogo]]></code>
       <code><![CDATA[setCreatedBy]]></code>
       <code><![CDATA[setCssStyles]]></code>
       <code><![CDATA[setDescription]]></code>

src/Controller/ApiV1RedirectController.php

@@ -6,13 +6,14 @@
 
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\RedirectResponse;
+use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Routing\Attribute\Route;
 
 class ApiV1RedirectController extends AbstractController
 {
-    #[Route('/v1/{endpoint}', name: 'app_api_v1_redirect', requirements: ['endpoint' => '.+'], defaults: ['endpoint' => null], methods: ['GET'])]
+    #[Route('/v1/{endpoint}', name: 'app_api_v1_redirect', requirements: ['endpoint' => '.+'], defaults: ['endpoint' => null])]
     public function index(string $endpoint): RedirectResponse
     {
-        return $this->redirect('/v2/'.$endpoint, \Symfony\Component\HttpFoundation\Response::HTTP_MOVED_PERMANENTLY);
+        return $this->redirect('/v2/'.$endpoint, Response::HTTP_PERMANENTLY_REDIRECT);
     }
 }

tests/Controller/ApiV1RedirectControllerTest.php

@@ -5,14 +5,19 @@
 namespace App\Tests\Controller;
 
 use App\Tests\AbstractBaseApiTestCase;
+use Symfony\Component\HttpFoundation\Request;
 
 class ApiV1RedirectControllerTest extends AbstractBaseApiTestCase
 {
     public function testIndex()
     {
         $client = $this->getAuthenticatedClient('ROLE_ADMIN');
-        $crawler = $client->request('GET', '/v1/screens/01GN9PW2Z03V8VQG7SN6Q9R17H');
+        $client->request(Request::METHOD_GET, '/v1/screens/01GN9PW2Z03V8VQG7SN6Q9R17H');
 
-        $this->assertResponseRedirects('/v2/screens/01GN9PW2Z03V8VQG7SN6Q9R17H', 301);
+        $this->assertResponseRedirects('/v2/screens/01GN9PW2Z03V8VQG7SN6Q9R17H', 308);
+
+        $client->request(Request::METHOD_POST, '/v1/authentication/screen');
+
+        $this->assertResponseRedirects('/v2/authentication/screen', 308);
     }
 }