Prepare keycloak

Author: berrydenhartog

.github/workflows/build-backend.yaml .github/workflows/backend-ci.yaml.github/workflows/build-backend.yaml renamed to .github/workflows/backend-ci.yaml

@@ -1,17 +1,20 @@
-name: Build Backend container
+name: backend-ci
 
 on:
   push:
     branches:
       - main
     tags:
       - "v*"
+    paths:
+      - "backend/**"
   pull_request:
     branches:
       - "main"
+    paths:
+      - "backend/**"
 env:
   IMAGE_NAME: 'bureaublad-api'
-  PYTHON_VERSION: "3.12"
 
 jobs:
   format:
@@ -20,9 +23,9 @@ jobs:
       - uses: actions/checkout@v5
 
       - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
-          python-version: ${{ env.PYTHON_VERSION }}
+          python-version-file: 'backend/pyproject.toml'
 
       - name: Install uv
         run: pipx install uv
@@ -43,9 +46,9 @@ jobs:
       - uses: actions/checkout@v5
 
       - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
-          python-version: ${{ env.PYTHON_VERSION }}
+          python-version-file: 'backend/pyproject.toml'
 
       - name: Install uv
         run: pipx install uv
@@ -55,10 +58,21 @@ jobs:
           cd backend/
           uv run sync
 
-      - name: Run ruff 
+      - name: Run ruff linter
         run: |
           cd backend/
           uv run ruff check
+      
+      - name: Run  hadolint linter
+        uses: hadolint/hadolint-action@v3.1.0
+        with:
+          dockerfile: backend/Dockerfile
+          format: json
+          failure-threshold: warning
+
+      # - name: Run pyright type checker
+      #   run: |
+      #     uv run pyright
 
   security:
     runs-on: ubuntu-latest
@@ -74,6 +88,7 @@ jobs:
 
   build:
     needs: [format, lint, security]
+    if: github.event_name != 'pull_request'
     name: Push Docker image to github registries
     runs-on: ubuntu-latest
     permissions:
@@ -93,7 +108,7 @@ jobs:
 
       - name: Make changes to project to inject commit hash
         run: |
-          sed -i 's/VERSION: str = .*$/VERSION: str = "${{ steps.get_commit_hash.outputs.commit_hash }}"/g' backend/app/config.py
+          sed -i 's/VERSION: str = .*$/VERSION: str = "${{ steps.get_commit_hash.outputs.commit_hash }}"/g' backend/app/const.py
 
 
       - name: Log in to the Container registry

.github/workflows/build-frontend.yaml .github/workflows/frontend-ci.yaml.github/workflows/build-frontend.yaml renamed to .github/workflows/frontend-ci.yaml

@@ -1,22 +1,22 @@
-name: Build Frontend container
+name: frontend-ci
 
 on:
   push:
     branches:
       - main
     tags:
       - "v*"
-  pull_request:
-    branches:
-      - "main"
+    paths:
+      - "frontend/**"
+  
 
 env:
   IMAGE_NAME: 'bureaublad-frontend'
   URL: 'https://bureaublad.apps.digilab.network'
-  NEXT_PUBLIC_KEYCLOAK_URL: 'https://id.la-suite.apps.digilab.network'
-  NEXT_PUBLIC_KEYCLOAK_REALM: lasuite
-  NEXT_PUBLIC_KEYCLOAK_CLIENT: bureaublad-frontend
-  NEXT_PUBLIC_BACKEND_BASE_URL: 'https://bureaublad.apps.digilab.network/api'
+  NEXT_PUBLIC_KEYCLOAK_URL: 'http://localhost:8080'
+  NEXT_PUBLIC_KEYCLOAK_REALM: mijnbureau
+  NEXT_PUBLIC_KEYCLOAK_CLIENT: bureaublad
+  NEXT_PUBLIC_BACKEND_BASE_URL: http://localhost:8000'
 
 jobs:
   push_to_registries:

.github/workflows/sonarcube.yaml

@@ -15,8 +15,9 @@ jobs:
       - uses: actions/checkout@v5
         with:
           fetch-depth: 0
+
       - name: SonarQube Scan
-        uses: SonarSource/sonarqube-scan-action@v5
+        uses: SonarSource/sonarqube-scan-action@v6
         env:
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 

README.md

@@ -1,28 +1,36 @@
 # Bureaublad
 
+![GitHub Actions Workflow Status](https://img.shields.io/github/actions/workflow/status/minbzk/bureaublad/build-backend.yaml?label=backend)
+![GitHub Actions Workflow Status](https://img.shields.io/github/actions/workflow/status/minbzk/bureaublad/build-frontend.yaml.yaml?label=frontend)
+[![Coverage](https://sonarcloud.io/api/project_badges/measure?project=MinBZK_bureaublad&metric=coverage)](https://sonarcloud.io/summary/new_code?id=MinBZK_bureaublad)
+[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=MinBZK_bureaublad&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=MinBZK_bureaublad)
+![GitHub License](https://img.shields.io/github/license/minbzk/bureaublad)
+
 Bureaublad is a flexible dashboard that aggregates information from multiple open-source components, providing users with a unified interface to access essential tools and data.
 
 It is a stateless application, so all data stays at the source.
 
 ## Integrated Tools
 
-- [CalDav](https://datatracker.ietf.org/doc/html/rfc4791) (calendar protocol)
+- [CalDav protocol](https://datatracker.ietf.org/doc/html/rfc4791) (calendar protocol)
+  - calendar
+  - tasks
 - [Docs](https://github.com/suitenumerique/docs)
 - [Ocs](https://docs.nextcloud.com/server/stable/developer_manual/client_apis/OCS/ocs-api-overview.html) (Nextcloud & OwnCloud protocol)
-- [OpenZaak](https://github.com/open-zaak/open-zaak)
-- OpenAI Chat Completion API
+  - activity app
+- [Drive](https://github.com/suitenumerique/drive)
+- [Meet](https://github.com/suitenumerique/meet)
+- [OpenAI interface](https://github.com/openai/openai-python)
 
 ## Planned Integrations
 
 - [Synapse](https://github.com/element-hq/synapse)
-- [Drive](https://github.com/suitenumerique/drive)
-- [Meet](https://github.com/suitenumerique/meet)
 
 ## Getting Started
 
 To run Bureaublad, ensure you have [Docker](https://docs.docker.com/get-started/get-docker/) installed.
 
-The copy the example.env in the backend to .env
+copy the example.env in the backend to .env
 
 ```bash
 cp backend/example.env backend/.env
@@ -35,19 +43,27 @@ docker compose build
 docker compose up
 ```
 
-When the application start you will get 3 urls:
+When the application start you will get 4 urls:
 
-1. <http://localhost:3000>
-2. <http://localhost:8081>
-3. <http://localhost:8080>
+- [frontend](http://localhost:3000)
+- [backend](http://localhost:8000)
+- [keycloak master](http://localhost:8080)
+- [keycloak mijnbureau](http://localhost:8080/realms/mijnbureau/account/)
 
-You can use the admin user to login:
+In the master realm you can login with the admin credentials and manage all realm, including mijnbureau
 
 ```
 username: admin
 password: admin
 ```
 
+in the MijnBureau realm you can login with 4 users:
+
+```
+username: jane@mijnbureau.nl password: jane
+username: john@mijnbureau.nl password: john
+```
+
 ## Solution Architecture
 
 Bureaublad consolidates data from various tools into a single platform, making it easier for users to access the information they need, when they need it.
@@ -64,7 +80,6 @@ In the future we plan to add a advanced search feature and make the page more co
 
 - **Frontend:** [React](https://react.dev/)
 - **Backend:** [FastAPI](https://fastapi.tiangolo.com/)
-- **Design System:** [Rijkshuiststyle NL-Design System](https://github.com/nl-design-system/rijkshuisstijl-community)
 
 **Note:** Your identity provider must support Token Exchange for authentication. Verify compatibility before deployment.
 

backend/Dockerfile

@@ -1,18 +1,19 @@
-FROM --platform=$BUILDPLATFORM python:3.12-slim
+FROM --platform=$BUILDPLATFORM python:3.13-slim
 
 # Install uv.
 COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/
 
 # Copy the application into the container.
-COPY app/ /app
+COPY app/ /app/app
 COPY uv.lock pyproject.toml /app/
 
 # Install the application dependencies.
 WORKDIR /app
+ENV UV_PROJECT_ENVIRONMENT=/venv
 RUN uv sync --frozen --no-cache
 
-WORKDIR /
-ENV PYTHONPATH=/
+ENV PYTHONPATH=/app/
 
 # Run the application.
-CMD ["/app/.venv/bin/uvicorn", "--host", "0.0.0.0", "app.main:app", "--port", "8080"]
+ENTRYPOINT [ "/venv/bin/uvicorn" ]
+CMD ["--host", "0.0.0.0", "app.main:app", "--port", "8000"]

backend/app/authentication.py

@@ -4,7 +4,7 @@
 
 import httpx
 from fastapi import Depends, Request
-from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
+from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer, OAuth2AuthorizationCodeBearer
 from jose import JWTError, jwt
 from jose.constants import ALGORITHMS
 from jose.jws import get_unverified_header
@@ -15,11 +15,21 @@
 
 logger = logging.getLogger(__name__)
 
-security = HTTPBearer(bearerFormat="JWT", scheme_name="bearer", description="OpenID Connect JWT token", auto_error=True)
+bearer_scheme = HTTPBearer(
+    bearerFormat="JWT", scheme_name="Bearer", description="OpenID Connect JWT token", auto_error=True
+)
+openid_scheme = OAuth2AuthorizationCodeBearer(
+    authorizationUrl=str(settings.OIDC_AUTHORIZATION_ENDPOINT),
+    refreshUrl=str(settings.parsed_oidc_public_token_endpoint),
+    tokenUrl=str(settings.parsed_oidc_public_token_endpoint),
+    auto_error=False,
+    scheme_name="OpenID Connect",
+)
 
 
 @cache
 def get_public_key(kid: str) -> dict[str, str]:
+    logger.debug(f"Fetching public key from {settings.OIDC_JWKS_ENDPOINT}")
     response = httpx.get(settings.OIDC_JWKS_ENDPOINT)
     response.raise_for_status()
     jwks = response.json()
@@ -32,8 +42,12 @@ def get_public_key(kid: str) -> dict[str, str]:
     return public_key
 
 
-def get_current_user(request: Request, credentials: Annotated[HTTPAuthorizationCredentials, Depends(security)]) -> str:
-    token = credentials.credentials
+def get_current_user(
+    request: Request,
+    credentials: Annotated[HTTPAuthorizationCredentials, Depends(bearer_scheme)],
+    openid_token: str = Depends(openid_scheme),
+) -> str:
+    token = openid_token or (credentials.credentials if credentials else None)
 
     jtw_decode_options = {
         "require_iat": True,
@@ -44,15 +58,18 @@ def get_current_user(request: Request, credentials: Annotated[HTTPAuthorizationC
     }
 
     try:
-        header = get_unverified_header(token)
+        # Get header info for key selection - signature verified in jwt.decode below
+        header = get_unverified_header(token)  # NOSONAR
         alg = header.get("alg", None)
 
+        # Determine verification key based on algorithm
         if alg == ALGORITHMS.RS256:
             kid = header.get("kid")
             key = get_public_key(kid=kid)
         else:
             key = str(settings.OIDC_CLIENT_SECRET)
 
+        # Full signature verification happens here
         claims = jwt.decode(
             token,
             key,