Merge multitendancy in main

.github/workflows/demo-deploy-action.yml

@@ -144,12 +144,12 @@ jobs:
         with:
           build: npm i -D cypress
           install: false
-          wait-on: 'http://localhost:8080/config, http://localhost:8544'
+          wait-on: 'http://pitc.okr.localhost:8080/config, http://pitc.okr.localhost:4200, http://localhost:8544'
           wait-on-timeout: 120
           browser: chrome
           headed: true
           working-directory: frontend
-          config: baseUrl=http://localhost:8080
+          config: baseUrl=http://pitc.okr.localhost:8080
 
       - uses: actions/upload-artifact@v4
         if: always()

.github/workflows/frontend-test-action.yml

@@ -45,9 +45,9 @@ jobs:
               --name my_keycloak \
               -e KEYCLOAK_ADMIN=admin \
               -e KEYCLOAK_ADMIN_PASSWORD=keycloak \
-              -v ./docker/config/realm-export.json:/opt/keycloak/data/import/realm.json \
+              -v ./docker/config/realm-export-pitc.json:/opt/keycloak/data/import/realm-pitc.json \
               -p 8544:8080 \
-              quay.io/keycloak/keycloak:23.0.1 \
+              quay.io/keycloak/keycloak:24.0.2 \
               start-dev --import-realm
 
       - name: start backend
@@ -58,10 +58,16 @@ jobs:
         with:
           working-directory: frontend
           start: npm start
-          wait-on: 'http://localhost:8080/config, http://localhost:4200, http://localhost:8544'
+          wait-on: 'http://pitc.okr.localhost:8080/config, http://pitc.okr.localhost:4200, http://localhost:8544'
           wait-on-timeout: 120
           browser: chrome
           headed: true
 
+      - uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: cypress-screenshots
+          path: frontend/cypress/screenshots
+
       - name: remove docker containers
         run: docker ps -aq | xargs -r docker rm -f

.gitignore

@@ -31,3 +31,4 @@ sonar-project.properties
 /frontend/cypress/downloads/
 /frontend/cypress/screenshots/
 /toolchains.xml
+/backend/src/main/resources/db/okr_schema.sql

.run/OkrApplication-E2E.run.xml

@@ -1,7 +1,7 @@
 <component name="ProjectRunConfigurationManager">
   <configuration default="false" name="OkrApplication-E2E" type="SpringBootApplicationConfigurationType" factoryName="Spring Boot">
     <option name="ACTIVE_PROFILES" value="integration-test" />
-    <option name="ALTERNATIVE_JRE_PATH" value="$USER_HOME$/.sdkman/candidates/java/current" />
+    <option name="ALTERNATIVE_JRE_PATH" value="azul-17" />
     <option name="ALTERNATIVE_JRE_PATH_ENABLED" value="true" />
     <module name="backend" />
     <option name="SPRING_BOOT_MAIN_CLASS" value="ch.puzzle.okr.OkrApplication" />

README.md

@@ -4,10 +4,17 @@ This is an open source application for managing OKRs, developed by the team of a
 
 This project contains two parts:
 
+## Setup
+Add subdomains to hosts file:
+```shell
+sudo sh -c 'echo "127.0.0.1       pitc.okr.localhost\n127.0.0.1       acme.okr.localhost" >> /etc/hosts'
+```
+
 ## Frontend
 
 [Frontend description](frontend/README.md)
 
+
 ## Backend
 [Backend description](backend/README.md)
 
@@ -20,7 +27,7 @@ Path to folder from repository root `cd docker`
 Type `docker-compose up` in terminal to start up the docker container, `docker-compose down` to shut the container down.
 
 ## Users
-All users 
+All users PITC
 ```json
 {
   "gl": {
@@ -65,3 +72,25 @@ All users
   }
 }
 ```
+All users ACME
+```json
+{
+  "gl": {
+    "username": "gl-acme",
+    "password": "gl",
+    "name": "Jaya Norris"
+  },
+  "bl": {
+    "username": "bl-acme",
+    "password": "bl",
+    "name": "Esha Harris"
+  },
+  "member": {
+    "username": "member-acme",
+    "password": "member",
+    "name": "Abraham Woodard"
+  }
+}
+```
+
+

backend/pom.xml

@@ -6,11 +6,11 @@
     <parent>
         <groupId>ch.puzzle.okr</groupId>
         <artifactId>parent</artifactId>
-        <version>2.0.136-SNAPSHOT</version>
+        <version>2.0.160-SNAPSHOT</version>
     </parent>
 
     <artifactId>backend</artifactId>
-    <version>2.0.136-SNAPSHOT</version>
+    <version>2.0.160-SNAPSHOT</version>
     <name>backend</name>
     <description>Puzzle OKR Tool</description>
 
@@ -107,7 +107,6 @@
                     <excludes>
                         <exclude>ch/puzzle/okr/models/**</exclude>
                         <exclude>ch/puzzle/okr/dto/**</exclude>
-                        <exclude>ch/puzzle/okr/mapper/**</exclude>
                         <exclude>ch/puzzle/okr/OkrApplication.*</exclude>
                         <exclude>ch/puzzle/okr/Constants.java</exclude>
                         <exclude>ch/puzzle/okr/ErrorKey.java</exclude>

backend/src/main/java/ch/puzzle/okr/Constants.java

@@ -13,8 +13,10 @@ private Constants() {
     public static final String ACTION = "Action";
     public static final String ALIGNMENT = "Alignment";
     public static final String COMPLETED = "Completed";
-    public static final String ORGANISATION = "Organisation";
     public static final String QUARTER = "Quarter";
     public static final String TEAM = "Team";
     public static final String USER = "User";
+    public static final String USER_TEAM = "UserTeam";
+
+    public static final String BACK_LOG_QUARTER_LABEL = "Backlog";
 }

backend/src/main/java/ch/puzzle/okr/ErrorKey.java

@@ -4,5 +4,5 @@ public enum ErrorKey {
     ATTRIBUTE_NULL, ATTRIBUTE_CHANGED, ATTRIBUTE_SET_FORBIDDEN, ATTRIBUTE_NOT_SET, ATTRIBUTE_CANNOT_CHANGE,
     ATTRIBUTE_MUST_BE_DRAFT, KEY_RESULT_CONVERSION, ALREADY_EXISTS_SAME_NAME, CONVERT_TOKEN, DATA_HAS_BEEN_UPDATED,
     MODEL_NULL, MODEL_WITH_ID_NOT_FOUND, NOT_AUTHORIZED_TO_READ, NOT_AUTHORIZED_TO_WRITE, NOT_AUTHORIZED_TO_DELETE,
-    TOKEN_NULL
+    TOKEN_NULL, TRIED_TO_DELETE_LAST_ADMIN, TRIED_TO_REMOVE_LAST_OKR_CHAMPION
 }

backend/src/main/java/ch/puzzle/okr/FlywayMultitenantConfig.java

@@ -0,0 +1,22 @@
+package ch.puzzle.okr;
+
+import ch.puzzle.okr.multitenancy.FlywayMultitenantMigrationInitializer;
+import org.springframework.boot.autoconfigure.flyway.FlywayMigrationStrategy;
+import org.springframework.cache.interceptor.KeyGenerator;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+public class FlywayMultitenantConfig {
+
+    @Bean
+    public FlywayMigrationStrategy cleanMigrateStrategy(FlywayMultitenantMigrationInitializer flywayMigration) {
+        return flyway -> flywayMigration.migrateFlyway();
+    }
+
+    @Bean("customKeyGenerator")
+    public KeyGenerator keyGenerator() {
+        return new UserKeyGenerator();
+    }
+
+}

backend/src/main/java/ch/puzzle/okr/OkrApplication.java

@@ -1,16 +1,16 @@
 package ch.puzzle.okr;
 
-import ch.puzzle.okr.service.clientconfig.ClientCustomizationProperties;
-import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
-import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.boot.builder.SpringApplicationBuilder;
 import org.springframework.scheduling.annotation.EnableScheduling;
 
 @SpringBootApplication
 @EnableScheduling
-@EnableConfigurationProperties(ClientCustomizationProperties.class)
 public class OkrApplication {
     public static void main(String[] args) {
-        SpringApplication.run(OkrApplication.class, args);
+
+        new SpringApplicationBuilder(OkrApplication.class) //
+                .initializers(new OkrApplicationContextInitializer()) //
+                .run(args);
     }
 }

backend/src/main/java/ch/puzzle/okr/OkrApplicationContextInitializer.java

@@ -0,0 +1,21 @@
+package ch.puzzle.okr;
+
+import ch.puzzle.okr.multitenancy.HibernateContext;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.context.ApplicationContextInitializer;
+import org.springframework.context.ConfigurableApplicationContext;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+public class OkrApplicationContextInitializer implements ApplicationContextInitializer<ConfigurableApplicationContext> {
+
+    private static final Logger logger = LoggerFactory.getLogger(OkrApplicationContextInitializer.class);
+
+    @Override
+    public void initialize(ConfigurableApplicationContext applicationContext) {
+        logger.info("Loading hibernate configuration from application properties");
+        HibernateContext.extractAndSetHibernateConfig(applicationContext.getEnvironment());
+    }
+
+}

backend/src/main/java/ch/puzzle/okr/SecurityConfig.java

@@ -1,30 +1,59 @@
 package ch.puzzle.okr;
 
+import com.nimbusds.jose.proc.SecurityContext;
+import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
+import com.nimbusds.jwt.proc.DefaultJWTProcessor;
+import com.nimbusds.jwt.proc.JWTClaimsSetAwareJWSKeySelector;
+import com.nimbusds.jwt.proc.JWTProcessor;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.annotation.Order;
 import org.springframework.http.HttpStatus;
+import org.springframework.security.authentication.AuthenticationEventPublisher;
+import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
+import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
+import org.springframework.security.oauth2.core.OAuth2TokenValidator;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
+import org.springframework.security.oauth2.jwt.JwtValidators;
+import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.HttpStatusEntryPoint;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
-import org.springframework.security.web.header.writers.*;
+import org.springframework.security.web.header.writers.CrossOriginOpenerPolicyHeaderWriter;
+import org.springframework.security.web.header.writers.CrossOriginResourcePolicyHeaderWriter;
+import org.springframework.security.web.header.writers.StaticHeadersWriter;
+
+import static org.springframework.security.web.header.writers.CrossOriginEmbedderPolicyHeaderWriter.CrossOriginEmbedderPolicy.REQUIRE_CORP;
+import static org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy.NO_REFERRER;
+import static org.springframework.security.web.header.writers.XXssProtectionHeaderWriter.HeaderValue.ENABLED_MODE_BLOCK;
 
 @Configuration
 @EnableWebSecurity
 @EnableMethodSecurity
 public class SecurityConfig {
     private static final Logger logger = LoggerFactory.getLogger(SecurityConfig.class);
 
+    private static final CrossOriginOpenerPolicyHeaderWriter.CrossOriginOpenerPolicy OPENER_SAME_ORIGIN = CrossOriginOpenerPolicyHeaderWriter.CrossOriginOpenerPolicy.SAME_ORIGIN;
+    private static final CrossOriginResourcePolicyHeaderWriter.CrossOriginResourcePolicy RESOURCE_SAME_ORIGIN = CrossOriginResourcePolicyHeaderWriter.CrossOriginResourcePolicy.SAME_ORIGIN;
+
+    private String connectSrc;
+
     @Bean
     @Order(1) // Must be First order! Otherwise unauthorized Requests are sent to Controllers
-    public SecurityFilterChain apiSecurityFilterChain(HttpSecurity http) throws Exception {
+    public SecurityFilterChain apiSecurityFilterChain(HttpSecurity http, @Value("${connect.src}") String connectSrc)
+            throws Exception {
+
+        this.connectSrc = connectSrc;
         setHeaders(http);
         http.addFilterAfter(new ForwardFilter(), BasicAuthenticationFilter.class);
         logger.debug("*** apiSecurityFilterChain reached");
@@ -41,32 +70,64 @@ public SecurityFilterChain securityHeadersFilter(HttpSecurity http) throws Excep
         return setHeaders(http).build();
     }
 
+    @Bean
+    JWTProcessor<SecurityContext> jwtProcessor(JWTClaimsSetAwareJWSKeySelector<SecurityContext> keySelector) {
+        ConfigurableJWTProcessor<SecurityContext> jwtProcessor = new DefaultJWTProcessor<>();
+        jwtProcessor.setJWTClaimsSetAwareJWSKeySelector(keySelector);
+        return jwtProcessor;
+    }
+
+    @Bean
+    JwtDecoder jwtDecoder(JWTProcessor<SecurityContext> jwtProcessor, OAuth2TokenValidator<Jwt> jwtValidator) {
+        NimbusJwtDecoder decoder = new NimbusJwtDecoder(jwtProcessor);
+        OAuth2TokenValidator<Jwt> validator = new DelegatingOAuth2TokenValidator<>(JwtValidators.createDefault(),
+                jwtValidator);
+        decoder.setJwtValidator(validator);
+        return decoder;
+    }
+
     private HttpSecurity setHeaders(HttpSecurity http) throws Exception {
-        http.headers(h -> h
-                .contentSecurityPolicy(e -> e.policyDirectives("default-src 'self';"
-                        + "script-src 'self' 'unsafe-inline';" + "        style-src 'self' 'unsafe-inline';"
-                        + "        object-src 'none';" + "        base-uri 'self';"
-                        + "        connect-src 'self' https://sso.puzzle.ch http://localhost:8544;"
-                        + "        font-src 'self';" + "        frame-src 'self';" + "        img-src 'self' data: ;"
-                        + "        manifest-src 'self';" + "        media-src 'self';" + "        worker-src 'none';"))
-                .crossOriginEmbedderPolicy(coepCustomizer -> coepCustomizer
-                        .policy(CrossOriginEmbedderPolicyHeaderWriter.CrossOriginEmbedderPolicy.REQUIRE_CORP))
-                .crossOriginOpenerPolicy(coopCustomizer -> coopCustomizer
-                        .policy(CrossOriginOpenerPolicyHeaderWriter.CrossOriginOpenerPolicy.SAME_ORIGIN))
-                .crossOriginResourcePolicy(corpCustomizer -> corpCustomizer
-                        .policy(CrossOriginResourcePolicyHeaderWriter.CrossOriginResourcePolicy.SAME_ORIGIN))
-                .addHeaderWriter(new StaticHeadersWriter("X-Permitted-Cross-Domain-Policies", "none")));
-        return http.headers(headers -> headers.frameOptions(HeadersConfigurer.FrameOptionsConfig::deny)
-                .xssProtection(e -> e.headerValue(XXssProtectionHeaderWriter.HeaderValue.ENABLED_MODE_BLOCK))
-                .httpStrictTransportSecurity(e -> e.includeSubDomains(true).maxAgeInSeconds(31536000))
-                .referrerPolicy(referrer -> referrer.policy(ReferrerPolicyHeaderWriter.ReferrerPolicy.NO_REFERRER))
-                .permissionsPolicy(
-                        permissions -> permissions.policy("accelerometer=(), ambient-light-sensor=(), autoplay=(), "
-                                + "battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), "
-                                + "execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(),"
-                                + " geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), "
-                                + "midi=(), navigation-override=(), payment=(), picture-in-picture=(),"
-                                + " publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(self), "
-                                + "usb=(), web-share=(), xr-spatial-tracking=()")));
+        return http.headers(headers -> headers
+                .contentSecurityPolicy(c -> c.policyDirectives(okrContentSecurityPolicy()))
+                .crossOriginEmbedderPolicy(c -> c.policy(REQUIRE_CORP))
+                .crossOriginOpenerPolicy(c -> c.policy(OPENER_SAME_ORIGIN))
+                .crossOriginResourcePolicy(c -> c.policy(RESOURCE_SAME_ORIGIN))
+                .addHeaderWriter(new StaticHeadersWriter("X-Permitted-Cross-Domain-Policies", "none"))
+                .frameOptions(HeadersConfigurer.FrameOptionsConfig::deny)
+                .xssProtection(c -> c.headerValue(ENABLED_MODE_BLOCK))
+                .httpStrictTransportSecurity(c -> c.includeSubDomains(true).maxAgeInSeconds(31536000))
+                .referrerPolicy(c -> c.policy(NO_REFERRER)).permissionsPolicy(c -> c.policy(okrPermissionPolicy())));
+    }
+
+    private String okrContentSecurityPolicy() {
+        return "default-src 'self';" //
+                + "script-src 'self' 'unsafe-inline';" //
+                + "        style-src 'self' 'unsafe-inline';" //
+                + "        object-src 'none';" //
+                + "        base-uri 'self';" //
+                + "        connect-src 'self' " + connectSrc + ";" //
+                + "        font-src 'self';" //
+                + "        frame-src 'self';" //
+                + "        img-src 'self' data: ;" //
+                + "        manifest-src 'self';" //
+                + "        media-src 'self';" //
+                + "        worker-src 'none';"; //
+    }
+
+    private String okrPermissionPolicy() {
+        return "accelerometer=(), ambient-light-sensor=(), autoplay=(), "
+                + "battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), "
+                + "execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(),"
+                + " geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), "
+                + "midi=(), navigation-override=(), payment=(), picture-in-picture=(),"
+                + " publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(self), "
+                + "usb=(), web-share=(), xr-spatial-tracking=()";
     }
+
+    @Bean
+    public AuthenticationEventPublisher authenticationEventPublisher(
+            ApplicationEventPublisher applicationEventPublisher) {
+        return new DefaultAuthenticationEventPublisher(applicationEventPublisher);
+    }
+
 }