SIMSBIOHUB-400: BioHub Dataset & Security Feature Branch

.config/config.json

@@ -41,37 +41,55 @@
   },
   "sso": {
     "dev": {
-      "url": "https://dev.loginproxy.gov.bc.ca/auth",
-      "clientId": "bio-hub-browser-4230",
+      "host": "https://dev.loginproxy.gov.bc.ca/auth",
       "realm": "standard",
-      "integrationId": "4230",
-      "adminHost": "https://loginproxy.gov.bc.ca/auth",
-      "adminUserName": "biohub-svc-4466",
-      "apiHost": "https://api.loginproxy.gov.bc.ca/api/v1",
-      "keycloakSecret": "keycloak-admin-password",
-      "keycloakSecretAdminPassword": "keycloak_admin_password"
+      "clientId": "bio-hub-browser-4230",
+      "keycloakSecret": "keycloak",
+      "serviceClient": {
+        "serviceClientName": "biohub-svc-4466",
+        "keycloakSecretServiceClientPasswordKey": "biohub_svc_client_password"
+      },
+      "cssApi": {
+        "cssApiTokenUrl": "https://loginproxy.gov.bc.ca/auth/realms/standard/protocol/openid-connect/token",
+        "cssApiClientId": "service-account-team-1159-4197",
+        "cssApiHost": "https://api.loginproxy.gov.bc.ca/api/v1",
+        "keycloakSecretCssApiSecretKey": "css_api_client_secret",
+        "cssApiEnvironment": "dev"
+      }
     },
     "test": {
-      "url": "https://test.loginproxy.gov.bc.ca/auth",
-      "clientId": "bio-hub-browser-4230",
+      "host": "https://test.loginproxy.gov.bc.ca/auth",
       "realm": "standard",
-      "integrationId": "4230",
-      "adminHost": "https://loginproxy.gov.bc.ca/auth",
-      "adminUserName": "biohub-svc-4466",
-      "apiHost": "https://api.loginproxy.gov.bc.ca/api/v1",
-      "keycloakSecret": "keycloak-admin-password",
-      "keycloakSecretAdminPassword": "keycloak_admin_password"
+      "clientId": "bio-hub-browser-4230",
+      "keycloakSecret": "keycloak",
+      "serviceClient": {
+        "serviceClientName": "biohub-svc-4466",
+        "keycloakSecretServiceClientPasswordKey": "biohub_svc_client_password"
+      },
+      "cssApi": {
+        "cssApiTokenUrl": "https://loginproxy.gov.bc.ca/auth/realms/standard/protocol/openid-connect/token",
+        "cssApiClientId": "service-account-team-1159-4197",
+        "cssApiHost": "https://api.loginproxy.gov.bc.ca/api/v1",
+        "keycloakSecretCssApiSecretKey": "css_api_client_secret",
+        "cssApiEnvironment": "test"
+      }
     },
     "prod": {
-      "url": "https://loginproxy.gov.bc.ca/auth",
-      "clientId": "bio-hub-browser-4230",
+      "host": "https://loginproxy.gov.bc.ca/auth",
       "realm": "standard",
-      "integrationId": "4230",
-      "adminHost": "https://loginproxy.gov.bc.ca/auth",
-      "adminUserName": "biohub-svc-4466",
-      "apiHost": "https://api.loginproxy.gov.bc.ca/api/v1",
-      "keycloakSecret": "keycloak-admin-password",
-      "keycloakSecretAdminPassword": "keycloak_admin_password"
+      "clientId": "bio-hub-browser-4230",
+      "keycloakSecret": "keycloak",
+      "serviceClient": {
+        "serviceClientName": "biohub-svc-4466",
+        "keycloakSecretServiceClientPasswordKey": "biohub_svc_client_password"
+      },
+      "cssApi": {
+        "cssApiTokenUrl": "https://loginproxy.gov.bc.ca/auth/realms/standard/protocol/openid-connect/token",
+        "cssApiClientId": "service-account-team-1159-4197",
+        "cssApiHost": "https://api.loginproxy.gov.bc.ca/api/v1",
+        "keycloakSecretCssApiSecretKey": "css_api_client_secret",
+        "cssApiEnvironment": "prod"
+      }
     }
   }
 }

.github/pull_request_template.md

@@ -1,50 +1,11 @@
-# Overview
+## Links to Jira Tickets
 
-## Links to Jira tickets
+- {Include a link to all applicable Jira tickets}
 
-- {List all applicable Jira tickets}
+## Description of Changes
 
-## Description of relevant changes
+- {List all relevant code changes. Include any changes to the business workflow that might not be obvious to the reviewers of this PR.}
 
-- {List all relevant changes, in particular anything that will help the reviewers test/verify this PR}
+## Testing Notes
 
-## PR Checklist
-
-A list of items that are good to consider when making any changes.
-
-_Note: this list is not exhaustive, and not all items are always applicable._
-
-### Code
-
-- [ ] New files/classes/functions have appropriately descriptive names and comment blocks to describe their use/behaviour
-- [ ] I have avoided duplicating code when possible, moving re-usable pieces into functions
-- [ ] I have avoided hard-coding values where possible and moved any re-usable constants to a constants file
-- [ ] My code is as flat as possible (avoids deeply nested if/else blocks, promise chains, etc)
-- [ ] My code changes account for null/undefined values and handle errors appropriately
-- [ ] My code uses types/interfaces to help describe values/parameters/etc, help ensure type safety, and improve readability
-
-### Style
-
-- [ ] My code follows the established style conventions
-- [ ] My code uses native material-ui components/icons/conventions when possible
-
-### Documentation
-
-- [ ] I have commented my code sufficiently, such that an unfamiliar developer could understand my code
-- [ ] I have added/updated README's and related documentation, as needed
-
-### Tests
-
-- [ ] I have added/updated unit tests for any code I've added/updated
-- [ ] I have added/updated the Postman requests/tests to account for any API endpoints I've added/updated
-
-### Linting/Formatting
-
-- [ ] I have run the linter and fixed any issues, as needed  
-       _See the `lint` commands in package.json_
-- [ ] I have run the formatter and fixed any issues, as needed  
-       _See the `format` commands in package.json_
-
-### SonarCloud
-
-- [ ] I have addressed all SonarCloud Bugs, Vulnerabilities, Security Hotspots, and Code Smells
+- {List any relevant testing considerations, necessary pre-reqs, and areas of the app to focus on. Specifically, include anything that will help the reviewers of this PR verify the code is functioning as expected.}

api/.pipeline/lib/api.deploy.js

@@ -44,14 +44,20 @@ const apiDeploy = async (settings) => {
         TZ: phases[phase].tz,
         DB_SERVICE_NAME: `${phases[phase].dbName}-postgresql${phases[phase].suffix}`,
         // Keycloak
-        KEYCLOAK_ADMIN_USERNAME: phases[phase].sso.adminUserName,
-        KEYCLOAK_SECRET: phases[phase].sso.keycloakSecret,
-        KEYCLOAK_SECRET_ADMIN_PASSWORD: phases[phase].sso.keycloakSecretAdminPassword,
-        KEYCLOAK_HOST: phases[phase].sso.url,
-        KEYCLOAK_CLIENT_ID: phases[phase].sso.clientId,
+        KEYCLOAK_HOST: phases[phase].sso.host,
         KEYCLOAK_REALM: phases[phase].sso.realm,
-        KEYCLOAK_INTEGRATION_ID: phases[phase].sso.integrationId,
-        KEYCLOAK_API_HOST: phases[phase].sso.apiHost,
+        KEYCLOAK_CLIENT_ID: phases[phase].sso.clientId,
+        // Keycloak secret
+        KEYCLOAK_SECRET: phases[phase].sso.keycloakSecret,
+        // Keycloak Service Client
+        KEYCLOAK_ADMIN_USERNAME: phases[phase].sso.serviceClient.serviceClientName,
+        KEYCLOAK_SECRET_ADMIN_PASSWORD_KEY: phases[phase].sso.serviceClient.keycloakSecretServiceClientPasswordKey,
+        // Keycloak CSS API
+        KEYCLOAK_API_TOKEN_URL: phases[phase].sso.cssApi.cssApiTokenUrl,
+        KEYCLOAK_API_CLIENT_ID: phases[phase].sso.cssApi.cssApiClientId,
+        KEYCLOAK_API_CLIENT_SECRET_KEY: phases[phase].sso.cssApi.keycloakSecretCssApiSecretKey,
+        KEYCLOAK_API_HOST: phases[phase].sso.cssApi.cssApiHost,
+        KEYCLOAK_API_ENVIRONMENT: phases[phase].sso.cssApi.cssApiEnvironment,
         // Log Level
         LOG_LEVEL: phases[phase].logLevel || 'info',
         // OPenshift Resources

api/.pipeline/templates/api.dc.yaml

@@ -56,35 +56,49 @@ parameters:
     description: Application timezone
     required: false
     value: 'America/Vancouver'
+  # Keycloak
   - name: KEYCLOAK_HOST
     description: Key clock login url
     required: true
   - name: KEYCLOAK_REALM
     description: Realm identifier or name
     required: true
-  - name: KEYCLOAK_INTEGRATION_ID
-    description: keycloak integration id
-    required: true
-  - name: KEYCLOAK_API_HOST
-    description: keycloak API host
-    required: true
   - name: KEYCLOAK_CLIENT_ID
     description: Client Id for application
     required: true
-  - name: KEYCLOAK_ADMIN_USERNAME
-    description: keycloak host admin username
-    required: true
+  # Keycloak secret
   - name: KEYCLOAK_SECRET
     description: The name of the keycloak secret
     required: true
-  - name: KEYCLOAK_SECRET_ADMIN_PASSWORD
+  # Keycloak Service Client
+  - name: KEYCLOAK_ADMIN_USERNAME
+    description: keycloak host admin username
+    required: true
+  - name: KEYCLOAK_SECRET_ADMIN_PASSWORD_KEY
     description: The key of the admin password in the keycloak secret
     required: true
+  # Keycloak CSS API
+  - name: KEYCLOAK_API_TOKEN_URL
+    description: The url to fetch a css api access token, which is needed to call the css rest api
+    required: true
+  - name: KEYCLOAK_API_CLIENT_ID
+    description: The css api client id
+    required: true
+  - name: KEYCLOAK_API_CLIENT_SECRET_KEY
+    description: The css api client secret
+    required: true
+  - name: KEYCLOAK_API_HOST
+    description: The url of the css rest api
+    required: true
+  - name: KEYCLOAK_API_ENVIRONMENT
+    description: The css api environment to query (dev, test, prod)
+    required: true
   - name: API_PORT_DEFAULT
     value: '6100'
   - name: API_PORT_DEFAULT_NAME
     description: Api default port name
     value: '6100-tcp'
+  # Object Store (S3)
   - name: OBJECT_STORE_SECRETS
     description: Secrets used to read and write to the S3 storage
     value: 'biohubbc-object-store'
@@ -203,23 +217,35 @@ objects:
                       name: ${DB_SERVICE_NAME}
                 - name: DB_PORT
                   value: '5432'
+                # Keycloak
                 - name: KEYCLOAK_HOST
                   value: ${KEYCLOAK_HOST}
-                - name: KEYCLOAK_API_HOST
-                  value: ${KEYCLOAK_API_HOST}
                 - name: KEYCLOAK_REALM
                   value: ${KEYCLOAK_REALM}
                 - name: KEYCLOAK_CLIENT_ID
                   value: ${KEYCLOAK_CLIENT_ID}
-                - name: KEYCLOAK_INTEGRATION_ID
-                  value: ${KEYCLOAK_INTEGRATION_ID}
+                # Keycloak Service Client
                 - name: KEYCLOAK_ADMIN_USERNAME
                   value: ${KEYCLOAK_ADMIN_USERNAME}
                 - name: KEYCLOAK_ADMIN_PASSWORD
                   valueFrom:
                     secretKeyRef:
                       name: ${KEYCLOAK_SECRET}
-                      key: ${KEYCLOAK_SECRET_ADMIN_PASSWORD}
+                      key: ${KEYCLOAK_SECRET_ADMIN_PASSWORD_KEY}
+                # Keycloak CSS API
+                - name: KEYCLOAK_API_TOKEN_URL
+                  value: ${KEYCLOAK_API_TOKEN_URL}
+                - name: KEYCLOAK_API_CLIENT_ID
+                  value: ${KEYCLOAK_API_CLIENT_ID}
+                - name: KEYCLOAK_API_CLIENT_SECRET
+                  valueFrom:
+                    secretKeyRef:
+                      name: ${KEYCLOAK_SECRET}
+                      key: ${KEYCLOAK_API_CLIENT_SECRET_KEY}
+                - name: KEYCLOAK_API_HOST
+                  value: ${KEYCLOAK_API_HOST}
+                - name: KEYCLOAK_API_ENVIRONMENT
+                  value: ${KEYCLOAK_API_ENVIRONMENT}
                 - name: CHANGE_VERSION
                   value: ${CHANGE_ID}
                 - name: NODE_ENV