Develop open : SSO 2

.env.example

@@ -11,3 +11,40 @@ NLP_PSEUDONYMISATION_API_ENABLED=false
 JWT_PRIVATE_KEY=myPrivateKey
 SDER_DB_URL=http://127.0.0.1:55433
 RUN_MODE=LOCAL
+
+##SSO VARIABLES
+COOKIE_PRIVATE_KEY=myPrivateKey
+#Service Provider (SP)
+SSO_SP_ENTITY_ID=http://localhost:55430/label/api/sso/metadata
+SSO_SP_ASSERTION_CONSUMER_SERVICE_LOCATION=http://localhost:55430/label/api/sso/acs
+#Identity Provider (IdP)
+SSO_IDP_METADATA=sso_files/sso_idp_metadata.xml
+SSO_IDP_SINGLE_SIGN_ON_SERVICE_LOCATION=http://test.sso.intranet.justice.gouv.fr:9000/saml/singleSignOn
+SSO_IDP_SINGLE_LOGOUT_SERVICE_LOCATION=http://test.sso.intranet.justice.gouv.fr:9000/saml/singleLogout
+SSO_CERTIFICAT=certificate-example.pem
+SSO_SP_PRIVATE_KEY=privatekey-example.pem
+# Les valeurs possibles du SSO_NAME_ID_FORMAT sont le IDP metadata.xml
+SSO_NAME_ID_FORMAT=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+SSO_SIGNATURE_ALGORITHM="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
+# Authentication
+#604800=7*24*60*60
+SESSION_DURATION=604800
+# FRONT END
+SSO_FRONT_SUCCESS_CONNEXION_ANNOTATOR_URL=http://localhost:55432/label/annotation
+SSO_FRONT_SUCCESS_CONNEXION_ADMIN_SCRUTATOR_URL=http://localhost:55432/label/admin/main/summary
+SSO_FRONT_SUCCESS_CONNEXION_PUBLICATOR_URL=http://localhost:55432/label/publishable-documents
+# SSO URL du back à setter dans le serveur du client (front react)
+REACT_APP_BACKEND_API_URL=http://localhost:55430
+
+#ATTRIBUTS KEYS
+SSO_ATTRIBUTE_NAME=nom
+SSO_ATTRIBUTE_FIRSTNAME=prenom
+SSO_ATTRIBUTE_FULLNAME=name
+SSO_ATTRIBUTE_MAIL=email
+SSO_ATTRIBUTE_ROLE=role
+
+#APPLICATION NAME
+SSO_APP_NAME=LABEL
+
+#APPLICATION ROLES
+SSO_APP_ROLES=admin,annotator,publicator,scrutator

.gitignore

@@ -17,4 +17,5 @@ package-lock.json
 /packages/courDeCassation/yarn-error.log
 *.env
 *coverage
+.history/*
 .ash-history

.gitlab-ci.yml

@@ -56,6 +56,7 @@ build_label_backend:
     - master
     - re7
     - dev
+    - develop-open-sso
   tags:
     - docker
 
@@ -79,14 +80,16 @@ build_label_client:
     - master
     - re7
     - dev
+    - develop-open-sso
   tags:
     - docker
 
 deploy_label_backend:
   stage: deploy
   image: alpine/ansible:2.16.1
   script:
-    - inventaire=$(eval "echo \$$CI_COMMIT_BRANCH")
+    #- inventaire=$(eval "echo \$$CI_COMMIT_BRANCH")
+    - inventaire=dev
     - mkdir /root/.ssh
     - cat $SSH_KEY > /root/.ssh/id_rsa
     - cat $KNOWN_HOSTS > /root/.ssh/known_hosts
@@ -96,7 +99,7 @@ deploy_label_backend:
   rules:
     - if: $CI_COMMIT_BRANCH == "master" || $CI_COMMIT_BRANCH == "re7"
       when: manual
-    - if: $CI_COMMIT_BRANCH == "dev"
+    - if: $CI_COMMIT_BRANCH == "dev" || $CI_COMMIT_BRANCH == "develop-open-sso"
       when: on_success
   tags:
     - docker
@@ -107,7 +110,8 @@ deploy_label_client:
   stage: deploy
   image: alpine/ansible:2.16.1
   script:
-    - inventaire=$(eval "echo \$$CI_COMMIT_BRANCH")
+    #- inventaire=$(eval "echo \$$CI_COMMIT_BRANCH")
+    - inventaire=dev
     - mkdir /root/.ssh
     - cat $SSH_KEY > /root/.ssh/id_rsa
     - cat $KNOWN_HOSTS > /root/.ssh/known_hosts
@@ -117,7 +121,7 @@ deploy_label_client:
   rules:
     - if: $CI_COMMIT_BRANCH == "master" || $CI_COMMIT_BRANCH == "re7"
       when: manual
-    - if: $CI_COMMIT_BRANCH == "dev"
+    - if: $CI_COMMIT_BRANCH == "dev" || $CI_COMMIT_BRANCH == "develop-open-sso"
       when: on_success
   tags:
     - docker

Dockerfile.label-backend

@@ -1,11 +1,11 @@
 FROM node:16-alpine as label-backend
-ARG http_proxy
-ARG https_proxy
+# ARG http_proxy
+# ARG https_proxy
 ENV API_PORT=55430
 
 # Use proxy
-RUN yarn config set proxy $http_proxy; \
-  yarn config set https-proxy $https_proxy;
+# RUN yarn config set proxy $http_proxy; \
+#   yarn config set https-proxy $https_proxy;
 
 WORKDIR /home/node/
 
@@ -17,27 +17,34 @@ COPY ./package.json ./
 COPY packages/generic/core/package.json ./packages/generic/core/
 COPY packages/generic/backend/package.json ./packages/generic/backend/
 COPY packages/courDeCassation/package.json ./packages/courDeCassation/
+COPY packages/generic/sso/package.json ./packages/generic/sso/
+COPY ./sso_files ./sso_files/
 
 COPY . .
 
-# Do not bring client dependencies to backend prod
-# Workaround to rewrite 'workspaces' in packages.json file to not run 'yarn install' in all packages
-RUN cat package.json | sed 's|"packages/generic/\*"|"packages/generic/backend", "packages/generic/core"|' > package.json.new && \
+# Exclure les dépendances inutiles pour le backend prod
+RUN cat package.json | sed 's|"packages/generic/\*"|"packages/generic/backend", "packages/generic/core", "packages/generic/sso"|' > package.json.new && \
   mv package.json.new package.json
 
 # Install dependencies
-RUN yarn install --production
+RUN yarn install  --production
+# RUN yarn install --pure-lockfile
 
-# Compile project without lerna
-RUN cd /home/node/packages/generic/core && yarn compile && \
-  cd /home/node/packages/generic/backend && yarn compile && \
-  cd /home/node/packages/courDeCassation && yarn compile
+# Compilation explicite des packages nécessaires
+# RUN cd packages/generic/sso && yarn compile
+# RUN cd packages/generic/core && yarn compile
+# RUN cd packages/generic/backend && yarn compile
+# RUN cd packages/courDeCassation && yarn compile
 
-ADD packages/generic/core packages/generic/core
-ADD packages/generic/backend packages/generic/backend
-ADD packages/courDeCassation packages/courDeCassation
+# ADD packages/generic/core packages/generic/core
+# ADD packages/generic/backend packages/generic/backend
+# ADD packages/courDeCassation packages/courDeCassation
+# ADD packages/generic/sso packages/generic/sso
 
-WORKDIR /home/node/packages/courDeCassation
+# RUN yarn build
+
+# Vérification que le fichier compilé existe
+RUN ls -la packages/courDeCassation/dist/ || (echo "Erreur: dist/ est manquant" && exit 1)
 
 RUN chown node .
 
@@ -46,4 +53,5 @@ USER node
 # Expose the listening port of your app
 EXPOSE ${API_PORT}
 
-CMD ["sh", "-c", "RUN_MODE=PROD node dist/labelServer.js -s settings/settings.json"]
+# Lancement avec vérification
+CMD ["sh", "-c", "RUN_MODE=PROD node packages/courDeCassation/dist/labelServer.js -s packages/courDeCassation/settings/settings.json"]

Dockerfile.label-backend.copy

@@ -0,0 +1,52 @@
+FROM node:16-alpine as label-backend
+ARG http_proxy
+ARG https_proxy
+ENV API_PORT=55430
+
+# Use proxy
+RUN yarn config set proxy $http_proxy; \
+  yarn config set https-proxy $https_proxy;
+
+WORKDIR /home/node/
+
+# Install git for sder and sder-core package
+RUN apk add git
+
+# Copy context files
+COPY ./package.json ./
+COPY packages/generic/core/package.json ./packages/generic/core/
+COPY packages/generic/backend/package.json ./packages/generic/backend/
+COPY packages/courDeCassation/package.json ./packages/courDeCassation/
+COPY packages/generic/sso/package.json ./packages/generic/sso/
+COPY ./sso_files ./sso_files/
+
+COPY . .
+
+# Do not bring client dependencies to backend prod
+# Workaround to rewrite 'workspaces' in packages.json file to not run 'yarn install' in all packages
+RUN cat package.json | sed 's|"packages/generic/\*"|"packages/generic/backend", "packages/generic/core", "packages/generic/sso"|' > package.json.new && \
+  mv package.json.new package.json
+
+# Install dependencies
+RUN yarn install --production
+
+# Compile project without lerna
+# RUN cd packages/generic/core && yarn compile && \
+#   cd packages/generic/backend && yarn compile && \
+#   cd packages/courDeCassation && yarn compile
+
+ADD packages/generic/core packages/generic/core
+ADD packages/generic/backend packages/generic/backend
+ADD packages/courDeCassation packages/courDeCassation
+ADD packages/generic/sso packages/generic/sso
+
+WORKDIR /packages/courDeCassation
+
+RUN chown node .
+
+USER node
+
+# Expose the listening port of your app
+EXPOSE ${API_PORT}
+
+CMD ["sh", "-c", "RUN_MODE=PROD node dist/labelServer.js -s settings/settings.json"]

DockerfileLocalDev

@@ -10,6 +10,7 @@ RUN apk add git
 # Copy context files
 COPY ./package.json ./
 COPY packages/generic/core/package.json ./packages/generic/core/
+COPY packages/generic/sso/package.json ./packages/generic/sso/
 COPY packages/generic/backend/package.json ./packages/generic/backend/
 COPY packages/courDeCassation/package.json ./packages/courDeCassation/
 COPY yarn.lock ./

INSTALL.md

@@ -89,3 +89,16 @@ docker container exec -it label-backend-1 sh -c "cd packages/courDeCassation; sh
 ```sh
 scripts/runScriptLocally.sh "myScript.js --myArgument"
 ```
+### SSO configuration
+Follow the [installation guide](packages/generic/sso/README.md).
+
+
+>The LABEL application leverages the SSO module as a dependency for its integration with the Single Sign-On (SSO) system. The details of this integration are documented in the [README](packages/generic/sso/README.md) of the SSO module.
+
+The backend exposes the following URLs to interact with the SSO:
+
+1. /api/sso/login: Endpoint to initiate the login process via SSO.
+2. /api/sso/acs: Endpoint for processing SAML assertions following a successful authentication.
+3. /api/sso/logout: Endpoint to disconnect the user from the SSO.
+
+***The attributes returned by the SSO, as well as the roles used by the application, are specified in the configuration file.***

README.fr.md

@@ -99,6 +99,7 @@ LABEL permet de lier des annotations. Parfois les noms sont écrits en minuscule
 - Avril 2022 : Ajout des décisions des Cours d'appel en matière civile, sociale et commerciale (base de données JuriCA).
 - Décembre 2023 : Ajout des décisions de 9 tribunaux judiciaires.
 - Courant 2024-2025 : Ajout des décisions de l'ensemble les tribunaux judiciaires.
+- Septembre 2024: Connection de LABEL au SSO/LDAP du ministère
 
 Prochaines étapes:
 
@@ -124,4 +125,4 @@ LABEL a été conçu pour être réutiliser dans n'importe quel contexte d'annot
 - `specific` : ce qui est spécifique à la Cour de cassation (machine learning engine API, database connector, etc.)
 - `generic` : tout ce qui n'est pas lié aux besoins propres à la Cour de cassation
 
-Lisez [le guide de réutilisation](docs/reuserGuide.md) pour en savoir plus.
+Lisez [le guide de réutilisation](docs/reuserGuide.md) pour en savoir plus.

README.md

@@ -99,6 +99,7 @@ LABEL allow you to link annotations. Sometimes names are written lowercase or in
 - April 2022: Addition of appeal court's decisions (JuriCA database).
 - December 2023: Addition of 9 first judicial courts' decisions.
 - During 2024-2025: Addition of other judicial courts' decisions.
+- September 2024: Connecting label to the ministry's SSO/LDAP.
 
 Next steps:
 
@@ -124,4 +125,4 @@ LABEL has been designed to be reused whatever the annotation context. There are
 - `specific`: what is specific to the Cour de cassation (machine learning engine API, database connector, etc.)
 - `generic`: what is not linked to the specific needs of the Cour de cassation
 
-Learn more in the [reuser guide](docs/reuserGuide.md).
+Learn more in the [reuser guide](docs/reuserGuide.md).

ROADMAP.md

@@ -8,7 +8,6 @@ Here are the current roadmaps:
 - Fix security issues and update dependencies
 - Improve reusability
 - Improve test coverage
-- Connect label to the ministry's SSO/LDAP
 - Use dbsder api and dbsder-api-type instead of `sder` repository
 - Rethinking the use of the pelta design system
 - Use mongoose

ansible/group_vars/dev/main.yml

@@ -1,6 +1,47 @@
-git_branch: dev
+#git_branch: dev
+git_branch: develop-open-sso
 
 sder_mongodb_url: "{{ vault_sder_mongodb_url }}"
 label_mongodb_url: "{{ vault_label_mongodb_url }}"
 dbsder_api_key: "{{ vault_dbsder_api_key }}"
 jwt_private_key: "{{ vault_jwt_private_key }}"
+
+#SSO VARIABLES
+COOKIE_PRIVATE_KEY: "{{ vault_cookie_private_key }}"
+
+#Service Provider (SP)
+SSO_SP_ENTITY_ID: "{{ vault_sso_sp_entity_id }}"
+SSO_SP_ASSERTION_CONSUMER_SERVICE_LOCATION: "{{ vault_sso_sp_assertion_consumer_service_location }}"
+
+#Identity Provider (IdP)
+SSO_IDP_METADATA: "{{ vault_sso_idp_metadata }}"
+SSO_IDP_SINGLE_SIGN_ON_SERVICE_LOCATION: "{{ vault_sso_idp_single_sign_on_service_location }}"
+SSO_IDP_SINGLE_LOGOUT_SERVICE_LOCATION: "{{ vault_sso_idp_single_logout_service_location }}"
+
+SSO_CERTIFICAT: "{{ vault_sso_certificat }}"
+SSO_SP_PRIVATE_KEY: "{{ vault_sso_sp_private_key }}"
+# Les valeurs possibles du SSO_NAME_ID_FORMAT sont le IDP metadata.xml
+SSO_NAME_ID_FORMAT: "{{ vault_sso_name_id_format }}"
+SSO_SIGNATURE_ALGORITHM: "{{ vault_sso_signature_algorithm }}"
+
+# Authentication
+SESSION_DURATION: "{{ vault_session_duration }}"
+# FRONT END
+SSO_FRONT_SUCCESS_CONNEXION_ANNOTATOR_URL: "{{ vault_sso_front_success_connexion_annotator_url }}"
+SSO_FRONT_SUCCESS_CONNEXION_ADMIN_SCRUTATOR_URL: "{{ vault_sso_front_success_connexion_admin_scrutator_url }}"
+SSO_FRONT_SUCCESS_CONNEXION_PUBLICATOR_URL: "{{ vault_sso_front_success_connexion_publicator_url }}"
+# SSO URL du back à setter dans le serveur du client (front react)
+REACT_APP_BACKEND_API_URL: "{{ vault_react_app_backend_api_url }}"
+
+#ATTRIBUTS KEYS
+SSO_ATTRIBUTE_NAME: "{{ vault_sso_attribute_name }}"
+SSO_ATTRIBUTE_FIRSTNAME: "{{ vault_sso_attribute_firstname }}"
+SSO_ATTRIBUTE_FULLNAME: "{{ vault_sso_attribute_fullname }}"
+SSO_ATTRIBUTE_MAIL: "{{ vault_sso_attribute_mail }}"
+SSO_ATTRIBUTE_ROLE: "{{ vault_sso_attribute_role }}"
+
+#APPLICATION NAME
+SSO_APP_NAME: "{{ vault_sso_app_name }}"
+
+#APPLICATION ROLES
+SSO_APP_ROLES: "{{ vault_sso_app_roles }}" # pour la prod adminitrator pour harmoniser