diff --git a/ansible/artifacts/sunbird/login/resources/js/telemetry_service.js b/ansible/artifacts/sunbird/login/resources/js/telemetry_service.js index d7a295835334d43952036886378c518b60e7e965..fa1a23a3de9bb45124c096826bc11d07d1607d26 100644 --- a/ansible/artifacts/sunbird/login/resources/js/telemetry_service.js +++ b/ansible/artifacts/sunbird/login/resources/js/telemetry_service.js @@ -2506,7 +2506,7 @@ if(client_id.toLowerCase() === 'android'){ "telemetry": { "pdata": { "id": pdataId, - "ver": "4.9.0", + "ver": "4.10.3", "pid": "sunbird-portal" } } diff --git a/ansible/roles/keycloak-deploy/tasks/bootstrap.yml b/ansible/roles/keycloak-deploy/tasks/bootstrap.yml index 7df5d1e5038d84865cbf280fdfee7f9a2e83d402..dcefe36e30599ce7a8caecf5613e9d214dd52930 100644 --- a/ansible/roles/keycloak-deploy/tasks/bootstrap.yml +++ b/ansible/roles/keycloak-deploy/tasks/bootstrap.yml @@ -28,7 +28,6 @@ shell: "nohup {{keycloak_home}}/bin/standalone.sh -Dkeycloak.profile.feature.upload_scripts=enabled -b={{ansible_default_ipv4.address}} -bprivate={{ansible_default_ipv4.address}} --server-config standalone-ha.xml &" become: yes become_user: "{{ wildfly_user }}" - run_once: true notify: wait for keycloak to start - meta: flush_handlers @@ -37,7 +36,6 @@ apt: name: ["python-setuptools"] update_cache: true - run_once: true - name: Ensure python packages are installed apt: 
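Review bot: With `run_once: true` removed, the `shell: "nohup {{keycloak_home}}/bin/standalone.sh ... &"` task now runs on every host in the play on every run, and a plain `shell` start is not idempotent: a re-run against a node where Keycloak is already up launches a second JVM against the same ports, and the `wait for keycloak to start` handler cannot tell the two apart. Guard the start with a port check stored in a variable and a `when:` on this task (or manage Keycloak as a service unit) so the role is safe to re-run per node. While touching this line it is worth confirming `-Dkeycloak.profile.feature.upload_scripts=enabled` is still needed, since that feature lets realm admins upload server-executed scripts and was deprecated by Keycloak for that reason. The second hunk drops `run_once` from the `python-setuptools` install, which is harmless since `apt` is idempotent.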
@@ -55,38 +53,32 @@ copy: src: "{{ role_path }}/files/python-keycloak-0.12.0" dest: /tmp/ - run_once: true - name: Initialize python library to run keycloak bootstrap script shell: cd /tmp/python-keycloak-0.12.0 && python setup.py install - run_once: true - name: Save keycloak vars to json template: src: "keycloak-bootstrap.conf.j2" dest: "/tmp/keycloak-bootstrap.conf.json" mode: "0644" - run_once: true - name: Copy realm json file to tmp location template: src: "keycloak-realm.j2" dest: "/tmp/keycloak-realm.json" mode: "0644" - run_once: true - name: Copy user manager roles file to tmp location copy: src: "files/python-keycloak-0.12.0/roles.json" dest: "/tmp/roles.json" mode: "0644" - run_once: true - name: Copy the keycloak bootstrap script copy: src: "{{ role_path }}/files/python-keycloak-0.12.0/keycloak" dest: /tmp - run_once: true - name: Run the keycloak bootstrap script shell: cd /tmp/keycloak/ && python keycloak_main.py /tmp/keycloak-bootstrap.conf.json diff --git a/ansible/roles/ml-analytics-service/tasks/main.yml b/ansible/roles/ml-analytics-service/tasks/main.yml index b5406faaa9cd8f1dfdd9626162440f5ec1e4ff2d..9c9bf79a9038881b1a7947ed26ce9aa157ff2522 100755 --- a/ansible/roles/ml-analytics-service/tasks/main.yml +++ b/ansible/roles/ml-analytics-service/tasks/main.yml @@ -40,10 +40,23 @@ - "{{ BASEPATH }}" - "{{ WORKDIR }}" - "{{ WORKDIR }}/faust_as_service" - -- name: Change user and create working directory under opt dir and install python virtual environment + +- name: Delete the virtualenv DIR + shell: "rm -rf {{ WORKDIR }}/spark_env" + become: true + +- name: Install python virtual environment shell: "cd {{ WORKDIR }} && virtualenv --python=python3.8 spark_venv" become: true + +- name: Change the ownership of virtual env + become: yes + file: + path: "{{ WORKDIR }}/spark_env" + state: directory + owner: "{{ USER }}" + group: "{{ USER }}" + mode: "0755" - name: Create necessary logs folders for pipeline become: yes 
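Review bot: `/tmp/keycloak-bootstrap.conf.json` is written with `mode: "0644"` into world-readable `/tmp`, and the bootstrap script authenticates to Keycloak from it, so it presumably carries the admin credentials; use `mode: "0600"` for that template and add a `file: state: absent` cleanup after the `Run the keycloak bootstrap script` task. Now that `run_once: true` is gone from every task in this hunk, the library install and the realm import also execute on every host in the group; unless `keycloak_main.py` is known to tolerate an already-existing realm, keep `run_once: true` on the bootstrap tasks (it was only the server start that needed to run per node). The final `Run the keycloak bootstrap script` task continues outside the hunk.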
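Review bot: The three new tasks disagree on the directory name: `rm -rf {{ WORKDIR }}/spark_env` and the `file:` ownership task use `spark_env`, while `virtualenv ... spark_venv` creates `spark_venv`, so the old venv is never deleted, the real venv stays root-owned (it is created under `become: true`), and an empty root-created `spark_env` is chowned instead. Use one name everywhere, `path: "{{ WORKDIR }}/spark_venv"` and `shell: "rm -rf {{ WORKDIR }}/spark_venv"`, and add `recurse: yes` to the `file:` task because `state: directory` alone only changes the top-level directory. Replacing the `shell: rm -rf` with `file: path: "{{ WORKDIR }}/spark_venv" state: absent` would also report changes honestly and avoid `rm -rf /spark_env` if `WORKDIR` is ever empty. The following `Create necessary logs folders` task continues outside the hunk.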
@@ -113,4 +126,4 @@ user: "{{ USER }}" minute: "30" hour: "18" - job: "{{ BASEPATH }}/ml-analytics-service/run.sh" + job: "{{ BASEPATH }}/ml-analytics-service/run.sh > {{ BASEPATH }}/ml-analytics-service/crontab_job.log" diff --git a/ansible/roles/stack-sunbird/defaults/main.yml b/ansible/roles/stack-sunbird/defaults/main.yml index 5ded8b68133a15dd16dcf22d8f8529a3ca5aa3c9..12d98086b356893dd2e995ce0797405da1d37238 100644 --- a/ansible/roles/stack-sunbird/defaults/main.yml +++ b/ansible/roles/stack-sunbird/defaults/main.yml @@ -607,7 +607,7 @@ nodebb_liveness_readiness: initialDelaySeconds: 45 periodSeconds: 15 timeoutSeconds: 5 - failureThreshold: 2 + failureThreshold: 20 livenessProbe: httpGet: path: /discussions/api/category/2 @@ -615,7 +615,7 @@ nodebb_liveness_readiness: initialDelaySeconds: 45 periodSeconds: 15 timeoutSeconds: 5 - failureThreshold: 2 + failureThreshold: 20 player_liveness_readiness: healthcheck: true @@ -1051,4 +1051,4 @@ kong_desktop_device_consumer_names_for_opa: '["desktop"]' # Audience claim check is disabled as of now # List of keycloak clients as these can come in audience field of a JWT token -# keycloak_allowed_aud: '"{{ keycloak_auth_server_url }}/realms/{{ keycloak_realm }}", "account", "realm-management"' \ No newline at end of file +# keycloak_allowed_aud: '"{{ keycloak_auth_server_url }}/realms/{{ keycloak_realm }}", "account", "realm-management"' diff --git a/ansible/roles/stack-sunbird/templates/inbound.env b/ansible/roles/stack-sunbird/templates/inbound.env index 7b48fe115350d60a7013b9c62d36c51dd52b68bf..c8ed1a515721a131cf1d71c717398f0bcf97fed6 100644 --- a/ansible/roles/stack-sunbird/templates/inbound.env +++ b/ansible/roles/stack-sunbird/templates/inbound.env 
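Review bot: The redirect on the `job:` line captures only stdout, so a traceback from `run.sh` goes to cron's mail spool or nowhere, and the file is truncated on every run, leaving no history when the 18:30 pipeline fails. Use `job: "{{ BASEPATH }}/ml-analytics-service/run.sh >> {{ BASEPATH }}/ml-analytics-service/crontab_job.log 2>&1"` and rotate the file (logrotate or a dated name), and confirm the directory is writable by `{{ USER }}`, who owns the cron entry.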
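Review bot: `failureThreshold: 20` on the readiness probe, with the unchanged `periodSeconds: 15`, keeps a NodeBB pod in the Service endpoints for up to five minutes after `/discussions/api/...` stops answering, so traffic keeps being routed to a dead backend during that window; the same value on the liveness probe in the next hunk means a wedged pod is not restarted for five minutes either. If the motivation is slow cold start, a `startupProbe` with a generous threshold lets both steady-state probes keep a small `failureThreshold` such as 3. The reason for the jump from 2 to 20 is not recorded; a comment such as `# tolerate slow NodeBB cold start; see <ticket>` would help the next reader.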
@@ -12,6 +12,7 @@ KAFKA_OUTBOUND_TOPIC={{env_name}}.outbound
 KAFKA_TELEMETRY_TOPIC={{env_name}}.uci.telemetry
 KAFKA_ODK_TRANSFORMER_TOPIC={{env_name}}.odk.transformer
 KAFKA_ODK_TRANSFORMER_TOPIC_PATTERN={{env_name}}.odk.*
+KAFKA_MESSAGE_REPORT_TOPIC={{env_name}}.message-report
 
 #FormsDB
 FORMS_DB_URL=postgresql://{{uci_postgres_host}}:5432/{{uci_forms_postgres_database}}
@@ -56,6 +57,7 @@ REDIS_DB_INDEX={{redis_db_index_uci | default('7')}}
 AZURE_BLOB_STORE_CONTAINER={{sunbird_azure_uci_container_name | default('uci-' + env )}}
 AZURE_BLOB_STORE_ACCOUNT_KEY={{sunbird_private_storage_account_name}}
 AZURE_BLOB_STORE_ACCOUNT_NAME={{sunbird_private_storage_account_key}}
+SELECTED_FILE_CDN=azure
 
 #Netcore
 NETCORE_WHATSAPP_AUTH_TOKEN={{uci_netcore_whatsapp_token}}
diff --git a/ansible/roles/stack-sunbird/templates/orchestrator.env b/ansible/roles/stack-sunbird/templates/orchestrator.env
index bd6b974a11a346b2c8c9d092fecbc52a75358c88..4165f7dcebf68b51fbba867edae0c144365c7406 100644
--- a/ansible/roles/stack-sunbird/templates/orchestrator.env
+++ b/ansible/roles/stack-sunbird/templates/orchestrator.env
@@ -12,6 +12,9 @@ KAFKA_OUTBOUND_TOPIC={{env_name}}.outbound
 KAFKA_TELEMETRY_TOPIC={{env_name}}.uci.telemetry
 KAFKA_ODK_TRANSFORMER_TOPIC={{env_name}}.odk.transformer
 KAFKA_ODK_TRANSFORMER_TOPIC_PATTERN={{env_name}}.odk.*
+KAFKA_PROCESS_OUTBOUND={{env_name}}.process-outbound
+KAFKA_BROADCAST_TRANSFORMER_TOPIC={{env_name}}.broadcast-transformer
+KAFKA_GENERIC_TRANSFORMER_TOPIC={{env_name}}.generic-transformer
 
 #Dummy config: To be removed later
 KAFKA_LOGS_TOPIC={{env_name}}.inbound-unprocessed
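Review bot: `SELECTED_FILE_CDN=azure` switches inbound onto the Azure block directly above it, where the two context lines are crossed: `AZURE_BLOB_STORE_ACCOUNT_KEY` is rendered from `sunbird_private_storage_account_name` and `AZURE_BLOB_STORE_ACCOUNT_NAME` from `sunbird_private_storage_account_key`. Besides failing to authenticate, this puts the storage account key where the SDK expects an account name, i.e. into blob URLs and whatever logs them, so the secret can leak. Swap the right-hand sides: `AZURE_BLOB_STORE_ACCOUNT_KEY={{sunbird_private_storage_account_key}}` and `AZURE_BLOB_STORE_ACCOUNT_NAME={{sunbird_private_storage_account_name}}`; the same three lines appear in outbound.env and transformer.env in this commit.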
@@ -21,11 +24,14 @@ FORMS_DB_URL=postgresql://{{uci_postgres_host}}:5432/{{uci_forms_postgres_databa
 FORMS_DB_USERNAME={{uci_postgres_user}}
 FORMS_DB_PASSWORD={{uci_postgres_password}}
 FORMS_DB_NAME={{uci_forms_postgres_database}}
+FORMS_DB_HOST={{uci_postgres_host}}
+FORMS_DB_PORT=5432
 
 #Cassandra
 CASSANDRA_URL={{sunbird_cassandra_host}}
 CASSANDRA_PORT=9042
 CASSANDRA_KEYSPACE={{env}}_uci_store
+CASSANDRA_MIGRATION_COUNT={{uci_cassandra_migration_count | default(1)}}
 
 #Ports
 ORCHESTRATOR_INTERNAL_PORT=8686
diff --git a/ansible/roles/stack-sunbird/templates/outbound.env b/ansible/roles/stack-sunbird/templates/outbound.env
index a76df2cce365ee4985e1bc4f933adf1b850ced46..bac1d980e82e97e68164b0bdc75ada40b1d8cb2a 100644
--- a/ansible/roles/stack-sunbird/templates/outbound.env
+++ b/ansible/roles/stack-sunbird/templates/outbound.env
@@ -18,6 +18,8 @@ FORMS_DB_URL=postgresql://{{uci_postgres_host}}:5432/{{uci_forms_postgres_databa
 FORMS_DB_USERNAME={{uci_postgres_user}}
 FORMS_DB_PASSWORD={{uci_postgres_password}}
 FORMS_DB_NAME={{uci_forms_postgres_database}}
+FORMS_DB_HOST={{uci_postgres_host}}
+FORMS_DB_PORT=5432
 
 #Cassandra
 CASSANDRA_URL={{sunbird_cassandra_host}}
@@ -55,3 +57,4 @@ REDIS_DB_INDEX={{redis_db_index_uci | default('7')}}
 AZURE_BLOB_STORE_CONTAINER={{sunbird_azure_uci_container_name | default('uci-' + env )}}
 AZURE_BLOB_STORE_ACCOUNT_KEY={{sunbird_private_storage_account_name}}
 AZURE_BLOB_STORE_ACCOUNT_NAME={{sunbird_private_storage_account_key}}
+SELECTED_FILE_CDN=azure
diff --git a/ansible/roles/stack-sunbird/templates/sunbird_discussions-mw-service.env b/ansible/roles/stack-sunbird/templates/sunbird_discussions-mw-service.env
index afce77b2ed09610074850bf0e3bf631d08402e4b..f972a40d802b7923b579f6c80b37bdaeb885183a 100644
--- a/ansible/roles/stack-sunbird/templates/sunbird_discussions-mw-service.env
+++ b/ansible/roles/stack-sunbird/templates/sunbird_discussions-mw-service.env
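Review bot: The new `SELECTED_FILE_CDN=azure` line activates an Azure block whose name and key are crossed: `AZURE_BLOB_STORE_ACCOUNT_KEY={{sunbird_private_storage_account_name}}` and `AZURE_BLOB_STORE_ACCOUNT_NAME={{sunbird_private_storage_account_key}}`. Until the right-hand sides are swapped (`..._ACCOUNT_KEY={{sunbird_private_storage_account_key}}`, `..._ACCOUNT_NAME={{sunbird_private_storage_account_name}}`) the outbound service cannot reach storage and exposes the account key as a hostname component in URLs and logs. This is the same defect as in inbound.env and transformer.env in this commit; fixing it in one place only would leave the UCI services inconsistent.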
@@ -12,5 +12,5 @@ TELEMETRY_EVENTS_BATCH_SIZE={{ telemetry_events_batch_size | default(1) }}
 TELEMETRY_SERVICE_API_SLUG={{ telemetry_service_api_slug | default('/v1/telemetry') }}
 TELEMETRY_SERVICE_URL={{ telemetry_service_url | default('http://telemetry-service:9001') }}
 API_AUTH_TOKEN={{ api_auth_token | default('') }}
-enable_audit_event={{ enable_audit_event | default(true) }}
-moderation_flag={{ moderation_flag | default(false) }}
+enable_audit_event={{ enable_audit_event | default('true') }}
+moderation_flag={{ moderation_flag | default('false') }}
diff --git a/ansible/roles/stack-sunbird/templates/transformer.env b/ansible/roles/stack-sunbird/templates/transformer.env
index 30963cb81fb89f58257457bcdb899ec486c8a325..fd2e6d00aa55242c05c8970f6e3d0fc70cf40a85 100644
--- a/ansible/roles/stack-sunbird/templates/transformer.env
+++ b/ansible/roles/stack-sunbird/templates/transformer.env
@@ -13,6 +13,8 @@ KAFKA_TELEMETRY_TOPIC={{env_name}}.uci.telemetry
 KAFKA_ODK_TRANSFORMER_TOPIC={{env_name}}.odk.transformer
 KAFKA_ODK_TRANSFORMER_TOPIC_PATTERN={{env_name}}.odk.*
 KAFKA_LOGS_TOPIC={{env_name}}.inbound-unprocessed
+KAFKA_PROCESS_OUTBOUND={{env_name}}.process-outbound
+KAFKA_BROADCAST_TRANSFORMER_TOPIC={{env_name}}.broadcast-transformer
 
 #FormsDB
 FORMS_DB_URL=postgresql://{{uci_postgres_host}}:5432/{{uci_forms_postgres_database}}
@@ -26,6 +28,7 @@ FORMS_DB_PORT=5432
 CASSANDRA_URL={{sunbird_cassandra_host}}
 CASSANDRA_PORT=9042
 CASSANDRA_KEYSPACE={{env}}_uci_store
+CASSANDRA_MIGRATION_COUNT=1
 
 #Ports
 TRANSFORMER_INTERNAL_PORT=9091
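Review bot: `CASSANDRA_MIGRATION_COUNT=1` is hard-coded here, while orchestrator.env in this same commit renders it as `{{uci_cassandra_migration_count | default(1)}}`; if both services apply the same migration set against the shared `{{env}}_uci_store` keyspace, an operator who bumps the variable moves one service and not the other. Use the same expression, `CASSANDRA_MIGRATION_COUNT={{uci_cassandra_migration_count | default(1)}}`, or add a one-line comment explaining why the transformer is pinned to 1.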
@@ -61,4 +64,14 @@ ENV={{env}} REDIS_HOST={{sunbird_redis_host}} REDIS_PASS={{sunbird_redis_pass | default('')}} REDIS_PORT={{sunbird_redis_port | default(6379)}} -REDIS_DB_INDEX={{redis_db_index_uci | default('7')}} \ No newline at end of file +REDIS_DB_INDEX={{redis_db_index_uci | default('7')}} + +# Events +EXHAUST_TELEMETRY_ENABLED=TRUE +POSTHOG_EVENT_ENABLED=FALSE + +#Azure Config +AZURE_BLOB_STORE_CONTAINER={{sunbird_azure_uci_container_name | default('uci-' + env )}} +AZURE_BLOB_STORE_ACCOUNT_KEY={{sunbird_private_storage_account_name}} +AZURE_BLOB_STORE_ACCOUNT_NAME={{sunbird_private_storage_account_key}} +SELECTED_FILE_CDN=azure \ No newline at end of file diff --git a/kubernetes/ansible/roles/kong-api/tasks/main.yml b/kubernetes/ansible/roles/kong-api/tasks/main.yml index 82a9f774395279241d4b8edbc5dbe98c7854e403..d85575decee8350e12fc117c4612517ca27bd69d 100644 --- a/kubernetes/ansible/roles/kong-api/tasks/main.yml +++ b/kubernetes/ansible/roles/kong-api/tasks/main.yml @@ -21,3 +21,6 @@ - name: Run script to save apis shell: "python /tmp/kong-api-scripts/kong_apis.py /tmp/kong_apis.json --kong-admin-api-url=http://{{ private_ingressgateway_ip }}/admin-api" + +- name: Reload kong + shell: kubectl get pod -l app=apimanager --namespace={{namespace}} -o name | xargs -I{} kubectl exec {} -- kong reload \ No newline at end of file diff --git a/kubernetes/ansible/roles/kong-consumer/tasks/main.yml b/kubernetes/ansible/roles/kong-consumer/tasks/main.yml index 2300a372dae683f4863f00936fb21485b7bb7c76..edb1b4c0a4feb4906600feaca07873b394931f60 100644 --- a/kubernetes/ansible/roles/kong-consumer/tasks/main.yml +++ b/kubernetes/ansible/roles/kong-consumer/tasks/main.yml @@ -48,3 +48,6 @@ with_items: - /tmp/jwt_token_output.txt - /tmp/jwt_token.txt + +- name: Reload kong + shell: kubectl get pod -l app=apimanager --namespace={{namespace}} -o name | xargs -I{} kubectl exec {} -- kong reload \ No newline at end of file 
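Review bot: The newly added Azure block has the account name and key crossed: `AZURE_BLOB_STORE_ACCOUNT_KEY={{sunbird_private_storage_account_name}}` and `AZURE_BLOB_STORE_ACCOUNT_NAME={{sunbird_private_storage_account_key}}`, and `SELECTED_FILE_CDN=azure` turns this block on. The storage account key would then be used as the account name, so it lands in blob URLs and anything that logs them, while authentication fails. It should read `AZURE_BLOB_STORE_ACCOUNT_KEY={{sunbird_private_storage_account_key}}` and `AZURE_BLOB_STORE_ACCOUNT_NAME={{sunbird_private_storage_account_name}}`. Minor: `EXHAUST_TELEMETRY_ENABLED=TRUE` and `POSTHOG_EVENT_ENABLED=FALSE` are the only flags in the file without a Jinja default, and the file still ends without a trailing newline.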
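Review bot: The `Reload kong` task pipes `kubectl get pod -l app=apimanager ... -o name` into `xargs -I{} kubectl exec {} -- kong reload`; when the selector matches nothing (wrong `{{namespace}}`, pods not yet scheduled) GNU xargs still runs `kubectl exec -- kong reload` once with no pod and the task fails with an unrelated error, and with several pods a failure on the first aborts the rest. Use `xargs -r -I{} kubectl exec {} -- kong reload` and consider `changed_when: false` so re-runs are reported honestly. The identical task is added to kong-consumer in this commit; a shared handler notified by both roles would keep them in sync.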
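Review bot: Same `xargs` edge case as the kong-api task added in this commit: with no matching `app=apimanager` pod, `kubectl exec -- kong reload` is invoked without a target and the role fails for the wrong reason, so use `xargs -r -I{} ...`. Since both roles now reload Kong with the same command, turning it into a handler (`notify: reload kong`) avoids carrying two copies.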
diff --git a/kubernetes/ansible/roles/opa-test-coverage/defaults/main.yml b/kubernetes/ansible/roles/opa-test-coverage/defaults/main.yml index 96e556a90436ddb6e5b18fef330dc63e88891b7a..2da3a4ed45b53eece8806f26d72dc9e3bde7cc27 100644 --- a/kubernetes/ansible/roles/opa-test-coverage/defaults/main.yml +++ b/kubernetes/ansible/roles/opa-test-coverage/defaults/main.yml @@ -24,7 +24,7 @@ keycloak_public_key: stdout: '-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwTS+srpbA/n7I5fDjxcf\nH1QUSiFMP7B4yyLxir3VigKtai+YW7ZqMF853O3OiE/QTKuT0ZsR7aDtCsoZaGqq\n2NSyfbc3m339dBQ+0YgM5UdqvUHubNkgQwkRwb1lGlMWSHMYk0iIKJEIw1MCdCH0\nOBwjzlDxHb78lCKd/GvBvRLMXOJbAP72xJ/gjaNFHQ/GzskhrapDuMXaH+S7vtox\nBDG74fQwXCG+nDJ9ryV2bbWxWMINLU82x3+L6YYnWK80loucm2fzG5l1W/Wz9DIa\nGiWwP0JHlZf9GM/raydB4kDEq3jB22LfdLCdQanMkxbw7bkmvjBT2NFwqgFv3q3m\nVQIDAQAB\n-----END PUBLIC KEY-----' keycloak_auth_server_url: "https://sunbirded.org/auth" keycloak_realm: "sunbird" -private_ingressgateway_ip: "1.2.3.4" +private_ingressgateway_ip: "2.3.4.5" # Audience claim check is disabled as of now # keycloak_allowed_aud: '"{{ keycloak_auth_server_url }}/realms/{{ keycloak_realm }}", "account", "realm-management"' diff --git a/kubernetes/helm_charts/core/nginx-private-ingress/templates/configmap.yaml b/kubernetes/helm_charts/core/nginx-private-ingress/templates/configmap.yaml index 6c217b18329d2fbbab4c42dad89e8318a2e13e31..f4422e608b1c0ce6ff840292624633b1fd2cc73c 100644 --- a/kubernetes/helm_charts/core/nginx-private-ingress/templates/configmap.yaml +++ b/kubernetes/helm_charts/core/nginx-private-ingress/templates/configmap.yaml @@ -125,6 +125,7 @@ data: set $target http://report-service.{{ .Values.namespace }}.svc.cluster.local:3030; rewrite ^/report/(.*) /$1 break; proxy_http_version 1.1; + proxy_set_header Host $server_name; proxy_pass $target; } location /search/ { 
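Review bot: `proxy_set_header Host $server_name;` is added only for the `/report/` location, so report-service becomes the one upstream that receives nginx's own server name instead of the client's Host, and nothing records why. The report OPA tests in this commit authorize `/report/create` and `/report/update` with no token when the request `host` equals `private_ingressgateway_ip`, which suggests the upstream `is_an_internal_request` rule keys on this header; if so, this line is part of an authorization decision and deserves a comment such as `# report-service OPA treats Host == private ingress as an internal caller; keep in sync with kubernetes/opa/report/policies.rego`. It is also worth confirming that no public route to report-service forwards a client-supplied Host, since that header is otherwise attacker-controlled.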
diff --git a/kubernetes/helm_charts/sunbird-RC/registry/values.j2 b/kubernetes/helm_charts/sunbird-RC/registry/values.j2 index b7b4bbbb7329c82062712275af78d1a96410d92c..e7e6e6f31c2659e0486185571a32a3dc7f81c72f 100644 --- a/kubernetes/helm_charts/sunbird-RC/registry/values.j2 +++ b/kubernetes/helm_charts/sunbird-RC/registry/values.j2 @@ -80,4 +80,4 @@ serviceMonitor: enabled: true labels: # labels with which the prometheus choose the serviceMonitor app: prometheus-operator - release: prometheus-operator \ No newline at end of file + release: prometheus-operator diff --git a/kubernetes/opa/common/common.rego b/kubernetes/opa/common/common.rego index 9023b7250dc572602e220eff2bf1d0c689d577bd..63b315888638300294fe83496f5b51a746841091 100644 --- a/kubernetes/opa/common/common.rego +++ b/kubernetes/opa/common/common.rego 
@@ -22,11 +22,11 @@ ROLES := { "PROGRAM_DESIGNER": ["submitDataExhaustRequest", "getDataExhaustRequest", "listDataExhaustRequest"], - "ORG_ADMIN": ["acceptTnc", "assignRole", "submitDataExhaustRequest", "getDataExhaustRequest", "listDataExhaustRequest", "getUserProfileV5", "updateUserV2", "readUserConsent", "createTenantPreferences", "updateTenantPreferences", "getReport", "listReports", "createReport", "deleteReport", "updateReport", "publishReport", "retireReport", "getReportSummary", "listReportSummary", "createReportSummary"], + "ORG_ADMIN": ["acceptTnc", "assignRole", "submitDataExhaustRequest", "getDataExhaustRequest", "listDataExhaustRequest", "getUserProfileV5", "updateUserV2", "readUserConsent", "createTenantPreferences", "updateTenantPreferences", "createReport", "deleteReport", "updateReport", "publishReport", "retireReport", "getReportSummary", "listReportSummary", "createReportSummary"], - "REPORT_VIEWER": ["acceptTnc", "getReport", "listReports", "getReportSummary", "listReportSummary"], + "REPORT_VIEWER": ["acceptTnc", "getReportSummary", "listReportSummary"], - "REPORT_ADMIN": ["submitDataExhaustRequest", "getDataExhaustRequest", "listDataExhaustRequest", "acceptTnc", "getReport", "listReports", "createReport", "deleteReport", "updateReport", "publishReport", "retireReport", "getReportSummary", "listReportSummary", "createReportSummary"], + "REPORT_ADMIN": ["submitDataExhaustRequest", "getDataExhaustRequest", "listDataExhaustRequest", "acceptTnc", "createReport", "deleteReport", "updateReport", "publishReport", "retireReport", "getReportSummary", "listReportSummary", "createReportSummary"], "PUBLIC": ["PUBLIC"] } diff --git a/kubernetes/opa/learner/policies.rego b/kubernetes/opa/learner/policies.rego index b2413a7ea11e6800372b3c72ec61be40bc0390f9..6bdfd974411ade7adf85c1e76617072c67133e6d 100644 --- a/kubernetes/opa/learner/policies.rego +++ b/kubernetes/opa/learner/policies.rego 
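Review bot: After this change no role grants `getReport` or `listReports`, yet `urls_to_action_mapping` in report/policies.rego still maps `/report/get` and `/report/list` to those actions, so any future `super.acls_check(["getReport"])` would silently deny everyone. Since the intent, per the report policy rewrite in this commit, is that those endpoints are public, record it here so nobody re-adds them to `REPORT_VIEWER` by reflex: `# getReport/listReports intentionally unassigned: report read endpoints are public, see report/policies.rego`.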
@@ -141,6 +141,15 @@ assignRoleV2 { payload_orgs == matching_orgs } +# https://project-sunbird.atlassian.net/browse/SB-30186 +# Allow the request to go through if the organisationId is an array type in order to receive a 400 Bad Request error from backend +assignRoleV2 { + acls := ["assignRole"] + roles := ["ORG_ADMIN"] + super.acls_check(acls) + type_name(input.parsed_body.request.roles[_].scope[_].organisationId) == "array" +} + getUserProfile { super.public_role_check user_id := split(http_request.path, "/")[4] diff --git a/kubernetes/opa/learner/policies_test.rego b/kubernetes/opa/learner/policies_test.rego index 8553352cd3cab0aa14cc977f39771fb7efb5e92d..ca2ab15ee03faf62a4b9e80d6cd79494d7353644 100644 --- a/kubernetes/opa/learner/policies_test.rego +++ b/kubernetes/opa/learner/policies_test.rego 
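Review bot: The new `assignRoleV2` body declares `roles := ["ORG_ADMIN"]` but never calls `super.role_check(roles)`, and it skips the `payload_orgs == matching_orgs` scope comparison of the preceding body, so any caller that passes `acls_check` can send an array-typed `organisationId` and reach the backend with no role or org-scope check, relying solely on the backend's 400 for safety. If the aim is just a friendlier error, add `super.role_check(roles)` so the exception is limited to ORG_ADMINs, and state the dependency: `# backend rejects array organisationId with 400; this body only lets such requests reach it`. Better still, have OPA itself deny malformed input so the policy does not depend on backend validation it cannot see.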
@@ -297,6 +297,44 @@ test_assign_role_v2 { } } +test_assign_role_v2 { + data.main.allow.allowed + with data.common.current_time as current_time + with data.common.iss as iss + with input as + { + "attributes": { + "request": { + "http": { + "headers": { + "x-authenticated-user-token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImFjY2Vzc3YxX2tleTEifQ.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.B3-TSdYSOlawPHjFdiRjXwvRbYQ_eH_HTiLKlH7vGS0rCOJ6HQbYyWOhZ7vbZPb3virkuyfhykFcYCEHBCkHY-fwGAeU58Pmhi0dnNJkR59Fa9y_75W98JXZW68HROp62ntEAKCA1oot_U4tYi-8UNoR17Gszj9iYzFEBc6TZA4Lrom_9gqhBOYzL0ISFWSS6oG94EaaKDYHyWzCSjU2nYRB_fn-tODmnVJ12GRJAc1oM9y54o8neNYsl4T_xPyD34v-CinUJM8jzDjFqK5_O3HnAbcmXvkZjFRgfk4mF1V4s5hlsTJGyhi2JOPh90C5N-HbAY8QsPBnzgYFQU_sww" + }, + "path": "/v2/user/assign/role" + } + } + }, + "parsed_body": { + "request": { + "userId": "fcae65a6-8a48-11ec-8c82-c7075e84952d", + "roles": [{ + "role": "COURSE_CREATOR", + "operation":"remove", + "scope": [{ + "organisationId": "01369878797503692810" + }] + }, + { + "role": "CONTENT_CREATOR", + "operation":"add", + "scope": [{ + "organisationId": ["01471923567812345678"] + }] + }] + } + } + } +} + test_get_user_profile { data.main.allow.allowed with data.common.current_time as current_time diff --git a/kubernetes/opa/registry/policies_test.rego b/kubernetes/opa/registry/policies_test.rego index 01bd3c7a32ba7507ed0012fb25d6f085632f6e77..1e37608805c88bae5d27a1e1d3bae2eab6c32f6f 100644 --- a/kubernetes/opa/registry/policies_test.rego +++ b/kubernetes/opa/registry/policies_test.rego @@ -6,11 +6,13 @@ package tests current_time := 1640235102 iss := "https://sunbirded.org/auth/realms/sunbird" +private_ingressgateway_ip := "1.2.3.4" test_rc_certificate_create_internal_request { data.main.allow.allowed with data.common.current_time as current_time with data.common.iss as iss + with data.common.private_ingressgateway_ip as private_ingressgateway_ip with input as { "attributes": { 
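Review bot: The new test reuses the name `test_assign_role_v2`, so in Rego it becomes a second body of the same rule rather than a separate test; `opa test` reports one result and it passes as long as either body is true, which means a regression in the original scenario is masked by the array-org-id case and vice versa. Rename it, e.g. `test_assign_role_v2_array_org_id {`. A companion negative test asserting `not data.main.allow.allowed` for a non-ORG_ADMIN token with the same array payload would pin that this is a narrow exception.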
@@ -65,6 +67,7 @@ test_rc_certificate_delete_internal_request { data.main.allow.allowed with data.common.current_time as current_time with data.common.iss as iss + with data.common.private_ingressgateway_ip as private_ingressgateway_ip with input as { "attributes": { diff --git a/kubernetes/opa/report/policies.rego b/kubernetes/opa/report/policies.rego index 728bb245bca7052ce71b452e30a0d53735680eec..6b9a96d48bd2214114b8b5db732660abf7b31cd4 100644 --- a/kubernetes/opa/report/policies.rego +++ b/kubernetes/opa/report/policies.rego @@ -1,6 +1,9 @@ package policies import data.common as super +import input.attributes.request.http as http_request + +x_authenticated_user_token := http_request.headers["x-authenticated-user-token"] urls_to_action_mapping := { "/report/get": "getReport", @@ -12,21 +15,28 @@ urls_to_action_mapping := { "/report/retire": "retireReport", "/report/summary": "getReportSummary", "/report/summary/list": "listReportSummary", - "/report/summary/create": "createReportSummary" + "/report/summary/create": "createReportSummary", + "/report/datasets/get": "getReportDatasets" } getReport { - acls := ["getReport"] - roles := ["REPORT_ADMIN", "REPORT_VIEWER", "ORG_ADMIN"] - super.acls_check(acls) - super.role_check(roles) + super.public_role_check +} + +getReport { + not x_authenticated_user_token +} + +getReport { + super.is_an_internal_request } listReports { - acls := ["listReports"] - roles := ["REPORT_ADMIN", "REPORT_VIEWER", "ORG_ADMIN"] - super.acls_check(acls) - super.role_check(roles) + super.public_role_check +} + +listReports { + not x_authenticated_user_token } createReport { @@ -37,6 +47,10 @@ createReport { input.parsed_body.request.report.createdby == super.userid } +createReport { + super.is_an_internal_request +} + deleteReport { acls := ["deleteReport"] roles := ["REPORT_ADMIN", "ORG_ADMIN"] 
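Review bot: `getReport { not x_authenticated_user_token }` and the matching `listReports` body allow a request precisely when the `x-authenticated-user-token` header is absent, while a request carrying an invalid or expired token is still checked by `public_role_check`, so any client can avoid token validation by simply omitting the header. If report reads are meant to be anonymous this is a deliberate policy change and should be stated in a comment, e.g. `# /report/get and /report/list are public; report.authorizedroles is enforced by report-service`, consistent with the role lists in common.rego dropping these actions. If they are not meant to be anonymous, `public_role_check` alone is the intended rule and the `not x_authenticated_user_token` bodies should go.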
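Review bot: The added `createReport { super.is_an_internal_request }` body bypasses both the role check and the `createdby == super.userid` ownership check, so authorization for internal creates rests entirely on how `is_an_internal_request` identifies the caller; the tests added in this commit satisfy it with `"host": "1.2.3.4"` (the `private_ingressgateway_ip`) and an empty header set, which points at the HTTP Host header. Host is client-controlled unless every public ingress to report-service rewrites it, so please confirm that, or key on something the edge cannot forward, and document the assumption: `# internal = arrived via the private ingress (Host == private_ingressgateway_ip); public ingress must never pass a client Host through`. The `is_an_internal_request` definition itself lives in common and is outside this diff.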
@@ -51,6 +65,10 @@ updateReport { super.role_check(roles) } +updateReport { + super.is_an_internal_request +} + publishReport { acls := ["publishReport"] roles := ["REPORT_ADMIN", "ORG_ADMIN"] @@ -85,4 +103,12 @@ createReportSummary { super.acls_check(acls) super.role_check(roles) input.parsed_body.request.summary.createdby == super.userid +} + +getReportDatasets { + super.public_role_check +} + +getReportDatasets { + not x_authenticated_user_token } \ No newline at end of file diff --git a/kubernetes/opa/report/policies_test.rego b/kubernetes/opa/report/policies_test.rego index 161c13bd7092f771a8ebf588c7405f495637fb4c..10bd59faf78e5c1c0d7f8f376a431c99f18b2f7d 100644 --- a/kubernetes/opa/report/policies_test.rego +++ b/kubernetes/opa/report/policies_test.rego @@ -6,6 +6,7 @@ package tests current_time := 1640235102 iss := "https://sunbirded.org/auth/realms/sunbird" +private_ingressgateway_ip := "1.2.3.4" test_get_report { data.main.allow.allowed @@ -26,6 +27,25 @@ test_get_report { } } +test_get_report_internal_request { + data.main.allow.allowed + with data.common.current_time as current_time + with data.common.iss as iss + with data.common.private_ingressgateway_ip as private_ingressgateway_ip + with input as + { + "attributes": { + "request": { + "http": { + "headers": {}, + "path": "/report/get/1656a060-bf3a-11ec-b495-9fb99cdeb463", + "host": "1.2.3.4" + } + } + } + } +} + test_list_reports { data.main.allow.allowed with data.common.current_time as current_time @@ -50,6 +70,28 @@ test_list_reports { } } +test_list_reports_without_user_token { + data.main.allow.allowed + with data.common.current_time as current_time + with data.common.iss as iss + with input as + { + "attributes": { + "request": { + "http": { + "headers": {}, + "path": "/report/list" + } + } + }, + "parsed_body": { + "request": { + "filters": {} + } + } + } +} + test_create_report { data.main.allow.allowed with data.common.current_time as current_time 
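Review bot: `getReportDatasets` is allowed for any valid token (`public_role_check`) and for no token at all, and `getReportDatasets` appears in no role list in common.rego, so `/report/datasets/get` is fully public; if datasets can include the exhaust data gated elsewhere in these policies, that needs an explicit sign-off and a comment, e.g. `# dataset download is public; report-service must apply report.authorizedroles`. The `updateReport { super.is_an_internal_request }` body in the first hunk of this file has the same Host-header trust question as createReport, and accepts `"report": {}` in the new test, so no field validation happens on the internal path. The file still ends without a trailing newline.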
@@ -90,6 +132,46 @@ test_create_report { } } +test_create_report_internal_request { + data.main.allow.allowed + with data.common.current_time as current_time + with data.common.iss as iss + with data.common.private_ingressgateway_ip as private_ingressgateway_ip + with input as + { + "attributes": { + "request": { + "http": { + "headers": {}, + "path": "/report/create", + "host": "1.2.3.4" + } + } + }, + "parsed_body": { + "request": { + "report": { + "title": "string", + "description": "string", + "authorizedroles": ["string"], + "status": "string", + "type": "string", + "createdby": "28b0d08f-c2ea-40d1-bcd0-8ae00fca66be", + "reportconfig": { + "id": "string", + "label": "string", + "title": "string", + "description": "string", + }, + "slug": "string", + "reportgenerateddate": "string", + "updatefrequency": "string" + } + } + } + } +} + test_delete_report { data.main.allow.allowed with data.common.current_time as current_time @@ -133,6 +215,30 @@ test_update_report { } } +test_update_report_internal_request { + data.main.allow.allowed + with data.common.current_time as current_time + with data.common.iss as iss + with data.common.private_ingressgateway_ip as private_ingressgateway_ip + with input as + { + "attributes": { + "request": { + "http": { + "headers": {}, + "path": "/report/update", + "host": "1.2.3.4" + } + } + }, + "parsed_body": { + "request": { + "report": {} + } + } + } +} + test_publish_report { data.main.allow.allowed with data.common.current_time as current_time 
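Review bot: `test_create_report_internal_request` and `test_update_report_internal_request` only prove the positive path (`"host": "1.2.3.4"` with empty headers is allowed); nothing asserts that the same token-less request with any other host is denied, so a regression that made `is_an_internal_request` vacuous would pass the suite. Add a negative case per endpoint with `not data.main.allow.allowed`; a sketch for create follows, update is symmetric. `test_update_report_internal_request` also sends `"report": {}` and still passes, which is worth a comment noting that the internal path performs no field validation. Both hunks end at the opening lines of `test_delete_report` / `test_publish_report`, whose bodies are outside the hunk.
```rego
test_create_report_external_host_without_token_denied {
    not data.main.allow.allowed
    with data.common.current_time as current_time
    with data.common.iss as iss
    with data.common.private_ingressgateway_ip as private_ingressgateway_ip
    with input as
    {
        "attributes": {
            "request": {
                "http": {
                    "headers": {},
                    "path": "/report/create",
                    "host": "report.example.org"
                }
            }
        },
        "parsed_body": {
            "request": {
                "report": {"createdby": "28b0d08f-c2ea-40d1-bcd0-8ae00fca66be"}
            }
        }
    }
}
```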
@@ -242,4 +348,40 @@ test_create_report_summary { } } } +} + +test_get_report_datasets { + data.main.allow.allowed + with data.common.current_time as current_time + with data.common.iss as iss + with input as + { + "attributes": { + "request": { + "http": { + "headers": { + "x-authenticated-user-token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImFjY2Vzc3YxX2tleTEifQ.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.B3-TSdYSOlawPHjFdiRjXwvRbYQ_eH_HTiLKlH7vGS0rCOJ6HQbYyWOhZ7vbZPb3virkuyfhykFcYCEHBCkHY-fwGAeU58Pmhi0dnNJkR59Fa9y_75W98JXZW68HROp62ntEAKCA1oot_U4tYi-8UNoR17Gszj9iYzFEBc6TZA4Lrom_9gqhBOYzL0ISFWSS6oG94EaaKDYHyWzCSjU2nYRB_fn-tODmnVJ12GRJAc1oM9y54o8neNYsl4T_xPyD34v-CinUJM8jzDjFqK5_O3HnAbcmXvkZjFRgfk4mF1V4s5hlsTJGyhi2JOPh90C5N-HbAY8QsPBnzgYFQU_sww" + }, + "path": "/report/datasets/get/1656a060-bf3a-11ec-b495-9fb99cdeb463" + } + } + } + } +} + +test_get_report_datasets_without_user_token { + data.main.allow.allowed + with data.common.current_time as current_time + with data.common.iss as iss + with input as + { + "attributes": { + "request": { + "http": { + "headers": {}, + "path": "/report/datasets/get/1656a060-bf3a-11ec-b495-9fb99cdeb463" + } + } + } + } } \ No newline at end of file diff --git a/private_repo/ansible/inventory/dev/Core/secrets.yml b/private_repo/ansible/inventory/dev/Core/secrets.yml index 3e35beb55684e6c9dc3106e2bd28106402f30859..b004ab86d2639d650ef27b4f828e1686ee15bd05 100644 --- a/private_repo/ansible/inventory/dev/Core/secrets.yml +++ b/private_repo/ansible/inventory/dev/Core/secrets.yml 
@@ -65,7 +65,6 @@ adminutil_refresh_token_public_key_kid: "" # get after keycloak deployment, go #SELECT value FROM component_config CC INNER JOIN component C ON(CC.component_id = C.id) WHERE C.realm_id = 'sunbird' and provider_id = 'hmac-generated' AND CC.name = 'secret'; adminutil_refresh_token_secret_key: "" # get after Keycloak deployment from postgres using the above query - # mongodb keyfile content generated using # 'openssl rand -base64 741' # eg: @@ -102,6 +101,7 @@ core_vault_sunbird_google_oauth_clientId_portal: # Google oauth client i core_vault_sunbird_google_oauth_clientSecret_portal: # Google oauth client secret core_vault_sunbird_google_captcha_site_key_portal: # Google recaptch site key google_captcha_private_key: # Google recaptch private key +learning_content_drive_apiKey: # Google drive api key # ------------------------------------------------------------------------------------------------------------ # # Optional variables - Can be left blank if you dont plan to use the intended features