Merge branch 'proconnect-dev-env' into 2783-réparer-les-tests-e2e

Author: Viczei

.github/workflows/review-auto.yaml

@@ -157,6 +157,43 @@ jobs:
           buildkit-svc-count: ${{ vars.BUILDKIT_SVC_COUNT }}
           buildkit-daemon-address: ${{ vars.BUILDKIT_DAEMON_ADDRESS }}
 
+  build-keycloak:
+    environment: build-review-auto
+    outputs:
+      tags: ${{ steps.meta.outputs.tags }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: ⏬ Checkout code repository
+        uses: actions/checkout@v4
+
+      - name: 📌 Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ vars.REGISTRY_URL }}/${{ vars.PROJECT_NAME }}/${{ github.event.repository.name }}/keycloak
+          tags: |
+            type=sha,prefix=persist-,format=long,enable=${{
+              github.ref_name != 'prod'
+            }},priority=840
+            type=sha,prefix=sha-,format=long,priority=890
+            type=ref,event=branch,priority=600
+
+      - name: 📦 Build and push Docker image for keycloak
+        uses: socialgouv/workflows/actions/buildkit@v1
+        with:
+          context: "."
+          dockerfile: "packages/keycloak/Dockerfile"
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          registry: "${{ vars.REGISTRY_URL }}"
+          registry-username: "${{ secrets.REGISTRY_USERNAME }}"
+          registry-password: "${{ secrets.REGISTRY_PASSWORD }}"
+          buildkit-cert-ca: "${{ secrets.BUILDKIT_CERT_CA }}"
+          buildkit-cert: "${{ secrets.BUILDKIT_CERT }}"
+          buildkit-cert-key: "${{ secrets.BUILDKIT_CERT_KEY }}"
+          buildkit-svc-count: ${{ vars.BUILDKIT_SVC_COUNT }}
+          buildkit-daemon-address: ${{ vars.BUILDKIT_DAEMON_ADDRESS }}
+
   kontinuous:
     needs: [build-app, build-nginx, build-files]
     name: "Deploy on Kubernetes 🐳"

.github/workflows/review.yaml

@@ -159,6 +159,43 @@ jobs:
           buildkit-svc-count: ${{ vars.BUILDKIT_SVC_COUNT }}
           buildkit-daemon-address: ${{ vars.BUILDKIT_DAEMON_ADDRESS }}
 
+  build-keycloak:
+    environment: build-review
+    outputs:
+      tags: ${{ steps.meta.outputs.tags }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: ⏬ Checkout code repository
+        uses: actions/checkout@v4
+
+      - name: 📌 Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ vars.REGISTRY_URL }}/${{ vars.PROJECT_NAME }}/${{ github.event.repository.name }}/keycloak
+          tags: |
+            type=sha,prefix=persist-,format=long,enable=${{
+              github.ref_name != 'prod'
+            }},priority=840
+            type=sha,prefix=sha-,format=long,priority=890
+            type=ref,event=branch,priority=600
+
+      - name: 📦 Build and push Docker image for keycloak
+        uses: socialgouv/workflows/actions/buildkit@v1
+        with:
+          context: "."
+          dockerfile: "packages/keycloak/Dockerfile"
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          registry: "${{ vars.REGISTRY_URL }}"
+          registry-username: "${{ secrets.REGISTRY_USERNAME }}"
+          registry-password: "${{ secrets.REGISTRY_PASSWORD }}"
+          buildkit-cert-ca: "${{ secrets.BUILDKIT_CERT_CA }}"
+          buildkit-cert: "${{ secrets.BUILDKIT_CERT }}"
+          buildkit-cert-key: "${{ secrets.BUILDKIT_CERT_KEY }}"
+          buildkit-svc-count: ${{ vars.BUILDKIT_SVC_COUNT }}
+          buildkit-daemon-address: ${{ vars.BUILDKIT_DAEMON_ADDRESS }}
+
   kontinuous:
     needs: [build-app, build-nginx, build-files]
     name: "Deploy on Kubernetes 🐳"

.kontinuous/env/dev/templates/proconnect.configmap.yaml

@@ -3,8 +3,11 @@ apiVersion: v1
 metadata:
   name: proconnect
 data:
-  NEXT_PUBLIC_PROCONNECT_CALLBACK_URL: https://app.proconnect.gouv.fr
-  PROCONNECT_AUTHORIZATION_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/authorize
-  PROCONNECT_TOKEN_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/token
-  PROCONNECT_USERINFO_ENDPOINT: https://fca.integ01.dev-agentconnect.fr/api/v2/userinfo
-  PROCONNECT_SCOPE: "openid email given_name usual_name phone_number organizations"
+  SECURITY_PROCONNECT_CLIENT_ID: "egapro-dev"
+  SECURITY_PROCONNECT_CLIENT_SECRET: "dev-secret-key-for-local-development-only"
+  EGAPRO_PROCONNECT_AUTHORIZATION_ENDPOINT: "https://keycloak-egapro-{{ .Values.global.branchSlug }}.ovh.fabrique.social.gouv.fr/realms/atlas/protocol/openid-connect/auth"
+  EGAPRO_PROCONNECT_TOKEN_ENDPOINT: "http://keycloak/realms/atlas/protocol/openid-connect/token"
+  EGAPRO_PROCONNECT_USERINFO_ENDPOINT: "http://keycloak/realms/atlas/protocol/openid-connect/userinfo"
+  EGAPRO_PROCONNECT_ISSUER: "https://keycloak-egapro-{{ .Values.global.branchSlug }}.ovh.fabrique.social.gouv.fr"
+  NEXT_PUBLIC_PROCONNECT_CALLBACK_URL: "https://egapro-{{ .Values.global.branchSlug }}.ovh.fabrique.social.gouv.fr/api/auth/callback/proconnect"
+  EGAPRO_ORIGIN: "https://egapro-{{ .Values.global.branchSlug }}.ovh.fabrique.social.gouv.fr"

.kontinuous/env/dev/templates/proconnect.sealed-secret.yaml

@@ -2,14 +2,40 @@ app:
   annotations:
     oblik.socialgouv.io/min-limit-cpu: 2
   envFrom:
+    - configMapRef:
+        name: "proconnect"
+        optional: true
     - secretRef:
         name: "proconnect"
+        optional: true
   vars:
     MAILER_ENABLE: "True"
     MAILER_SMTP_HOST: maildev
     MAILER_SMTP_PORT: "1025"
     MAILER_SMTP_SSL: "False"
-    EGAPRO_PROCONNECT_DISCOVERY_URL: "https://fca.integ01.dev-agentconnect.fr/api/v2"
+    # Note: EGAPRO_PROCONNECT_ISSUER sera surchargé par le ConfigMap avec l'URL externe
+    # L'URL interne est gardée ici comme fallback pour les tests locaux
+    EGAPRO_PROCONNECT_DISCOVERY_URL: "http://localhost:8080/realms/atlas/.well-known/openid-configuration"
+
+keycloak:
+  ~chart: app
+  imagePackage: keycloak
+  containerPort: 8080
+  probesPath: /
+  resources:
+    requests:
+      cpu: 200m
+      memory: 512Mi
+    limits:
+      cpu: 1000m
+      memory: 1Gi
+  vars:
+    KEYCLOAK_ADMIN: admin
+    KEYCLOAK_ADMIN_PASSWORD: admin
+    KEYCLOAK_CLIENT_SECRET: dev-secret-key-for-local-development-only
+    KC_PROXY: edge
+    KC_HOSTNAME_STRICT: "false"
+    EGAPRO_ORIGIN: "https://egapro-{{ .Values.global.branchSlug }}.ovh.fabrique.social.gouv.fr"
 
 maildev: {}
 pgweb: {}
@@ -21,4 +47,3 @@ nginx:
     annotations:
       nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
       nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
-

.kontinuous/env/dev/values.yaml

@@ -1,26 +1,6 @@
 version: "3.8"
 
 services:
-  files:
-    image: egapro_files
-    build:
-      context: .
-      dockerfile: packages/files/Dockerfile
-    volumes:
-      - ./packages/files:/app
-      - ./mnt:/mnt
-    environment:
-      ROOT_PATH: /mnt
-      TRUSTED_PROXY_IP: "172.17.0.1"
-      AUTH_PASSWD_FILE: "/app/.htpasswd"
-      WHITELIST_IP: "127.0.0.1"
-      FILES_PUBLIC: "dgt.xlsx,dgt-representation.xlsx,index-egalite-fh.xlsx,indexes.csv,full.ndjson,dgt-export-representation.xlsx"
-      FILES_RESTRICTED: ""
-    ports:
-      - 8080:8080
-    restart: always
-
-
   maildev:
     image: djfarrelly/maildev
     command: bin/maildev --hide-extensions STARTTLS
@@ -72,17 +52,17 @@ services:
       - pgadmin:/var/lib/pgadmin
 
   keycloak:
-    image: quay.io/keycloak/keycloak:21.1.1
-    command: start-dev --import-realm
-    ports:
-      - 8081:8080
+    build:
+      context: .
+      dockerfile: ./packages/keycloak/Dockerfile
     environment:
       KEYCLOAK_ADMIN: admin
       KEYCLOAK_ADMIN_PASSWORD: admin
-      KEYCLOAK_CLIENT_SECRET: dev-secret-key-for-local-development-only
+      EGAPRO_ORIGIN: "http://localhost:3000"
+    ports:
+      - "8081:8080"
     volumes:
-      - ./keycloak/realm-export.json:/opt/keycloak/data/import/realm-export.json
-    restart: always
+      - ./packages/keycloak/realm-export.json:/opt/keycloak/data/import/realm-export.json:ro
 
   # TODO handle redirect with nginx (https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview/#configuring-for-use-with-the-nginx-auth_request-directive)
   oauth2-proxy-github:

docker-compose.yml

@@ -30,8 +30,6 @@ export interface ProConnectProfile {
   exp?: number;
 }
 
-
-
 export function ProConnectProvider<P extends ProConnectProfile>(
   options?: OAuthUserConfig<P>,
 ): OAuthConfig<P> {
@@ -56,70 +54,91 @@ export function ProConnectProvider<P extends ProConnectProfile>(
     userinfo: {
       url: proconnect.userinfo_endpoint,
       async request({ tokens }) {
-        if (!tokens.access_token) throw new Error("No access token");
+        if (!tokens.access_token) {
+          logger.error("❌ Pas d'access_token disponible pour userinfo");
+          throw new Error("No access token");
+        }
 
-        const response = await fetch(proconnect.userinfo_endpoint, {
-          headers: {
-            Authorization: `Bearer ${tokens.access_token}`,
-            Accept: "application/json",
-          },
-          cache: "no-store",
-        });
+        try {
+          const response = await fetch(proconnect.userinfo_endpoint, {
+            headers: {
+              Authorization: `Bearer ${tokens.access_token}`,
+              Accept: "application/json",
+            },
+            cache: "no-store",
+          });
 
-        if (!response.ok) {
-          const text = await response.text();
-          logger.error(
-            { status: response.status, body: text },
-            "ProConnect userinfo error",
-          );
-          throw new Error(`ProConnect userinfo failed: ${response.status}`);
-        }
+          if (!response.ok) {
+            const text = await response.text();
+            logger.error(
+              {
+                status: response.status,
+                statusText: response.statusText,
+                url: proconnect.userinfo_endpoint,
+                body: text,
+              },
+              "❌ Userinfo request failed",
+            );
+            throw new Error(`ProConnect userinfo failed: ${response.status}`);
+          }
 
-        const contentType = response.headers.get("content-type") || "";
-        const rawBody = await response.text();
+          const contentType = response.headers.get("content-type") || "";
+          const rawBody = await response.text();
 
-        if (contentType.includes("jwt") || rawBody.startsWith("ey")) {
-          const parts = rawBody.trim().split(".");
-          if (parts.length !== 3) throw new Error("Invalid JWT format");
+          if (contentType.includes("jwt") || rawBody.startsWith("ey")) {
+            const parts = rawBody.trim().split(".");
+            if (parts.length !== 3) throw new Error("Invalid JWT format");
 
-          let payload = parts[1];
-          payload += "=".repeat((4 - (payload.length % 4)) % 4);
-          const decoded = JSON.parse(
-            Buffer.from(payload, "base64url").toString("utf-8"),
+            let payload = parts[1];
+            payload += "=".repeat((4 - (payload.length % 4)) % 4);
+            const decoded = JSON.parse(
+              Buffer.from(payload, "base64url").toString("utf-8"),
+            );
+            return decoded;
+          }
+
+          return JSON.parse(rawBody);
+        } catch (error) {
+          logger.error(
+            {
+              error: error instanceof Error ? error.message : String(error),
+              url: proconnect.userinfo_endpoint,
+            },
+            "❌ Erreur lors de la requête userinfo",
           );
-          return decoded;
+          throw error;
         }
-
-        return JSON.parse(rawBody);
       },
     },
     checks: ["pkce", "state"],
     async profile(profile: ProConnectProfile) {
-      logger.info({ profile }, "ProConnect profile reçu");
-
       return {
         id: profile.sub,
         email: profile.email,
         emailVerified: profile.email_verified ?? false,
-        name: `${profile.given_name ?? ""} ${profile.usual_name ?? ""}`.trim() || null,
+        name:
+          `${profile.given_name ?? ""} ${profile.usual_name ?? ""}`.trim() ||
+          null,
         given_name: profile.given_name ?? null,
         family_name: profile.usual_name ?? null,
         phone_number: profile.phone_number
           ? profile.phone_number.replace(/[.\-\s]/g, "")
           : null,
         siret: profile.siret || null,
-        organization: profile.siret ? {
-          id: parseInt(profile.siret, 10),
-          label: null,
-          siren: profile.siret.substring(0, 9),
-          siret: profile.siret,
-          is_collectivite_territoriale: false,
-          is_external: false,
-          is_service_public: false,
-        } : undefined,
+        organization: profile.siret
+          ? {
+              id: parseInt(profile.siret, 10),
+              label: null,
+              siren: profile.siret.substring(0, 9),
+              siret: profile.siret,
+              is_collectivite_territoriale: false,
+              is_external: false,
+              is_service_public: false,
+            }
+          : undefined,
         raw: profile,
       };
     },
     ...options,
   };
-}
+}