feat: or-1349 add security; delete views on rebuild

Informatievlaanderen · Dec 15, 2023 · ce4e714 · ce4e714
1 parent c14ceae
commit ce4e714
Show file tree

Hide file tree

Showing 23 changed files with 303 additions and 88 deletions.
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -15,9 +15,9 @@ services:
       ELASTIC_PASSWORD: local_development
       discovery.type: single-node
       xpack.security.transport.ssl.enabled: false
-      cluster.routing.allocation.disk.watermark.low: 95%
-      cluster.routing.allocation.disk.watermark.high: 96%
-      cluster.routing.allocation.disk.watermark.flood_stage: 97%
+      cluster.routing.allocation.disk.watermark.low: 97%
+      cluster.routing.allocation.disk.watermark.high: 98%
+      cluster.routing.allocation.disk.watermark.flood_stage: 99%
     volumes:
       - es-data:/usr/share/elasticsearch/data
 

diff --git a/identityserver/vr.json b/identityserver/vr.json
@@ -54,7 +54,20 @@
       "accessTokenLifetime": -1,
       "identityTokenLifetime": -1,
       "clientClaimsPrefix": ""
+    },
+    {
+      "clientId": "superAdminClient",
+      "clientSecrets": [
+        "secret"
+      ],
+      "allowedGrantTypes": "clientCredentials",
+      "allowedScopes": [
+        "vo_info",
+        "dv_verenigingsregister_beheer"
+      ],
+      "accessTokenLifetime": -1,
+      "identityTokenLifetime": -1,
+      "clientClaimsPrefix": ""
     }
   ]
 }
-
diff --git a/src/AssociationRegistry.Acm.Api/Projections/VerenigingenPerInszProjection.cs b/src/AssociationRegistry.Acm.Api/Projections/VerenigingenPerInszProjection.cs
@@ -1,14 +1,14 @@
 namespace AssociationRegistry.Acm.Api.Projections;
 
-using System.Collections.Generic;
-using System.Linq;
-using System.Threading.Tasks;
 using Events;
 using Marten;
 using Marten.Events;
 using Marten.Events.Projections;
 using Schema.Constants;
 using Schema.VerenigingenPerInsz;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
 
 public class VerenigingenPerInszProjection : EventProjection
 {
@@ -18,6 +18,8 @@ public VerenigingenPerInszProjection()
         // the newly persisted VerenigingenPerInszDocument from FeitelijkeVerenigingWerdGeregistreerd is not in the
         // Query yet when we handle NaamWerdGewijzigd
         Options.BatchSize = 1;
+        Options.DeleteViewTypeOnTeardown<VerenigingenPerInszDocument>();
+        Options.DeleteViewTypeOnTeardown<VerenigingDocument>();
     }
 
     public async Task Project(FeitelijkeVerenigingWerdGeregistreerd werdGeregistreerd, IDocumentOperations ops)

diff --git a/src/AssociationRegistry.Admin.Api/Constants/Security.cs b/src/AssociationRegistry.Admin.Api/Constants/Security.cs
@@ -5,6 +5,7 @@ public static class Security
     public static class ClaimTypes
     {
         public const string Scope = "scope";
+        public const string ClientId = "client_id";
     }
 
     public static class Scopes

diff --git a/src/AssociationRegistry.Admin.Api/Infrastructure/ConfigurationBindings/AppSettings.cs b/src/AssociationRegistry.Admin.Api/Infrastructure/ConfigurationBindings/AppSettings.cs
@@ -1,19 +1,14 @@
 namespace AssociationRegistry.Admin.Api.Infrastructure.ConfigurationBindings;
 
+using System;
+
 public class AppSettings
 {
     private string? _baseUrl;
-    private string? _beheerApiBaseUrl;
     private string? _beheerProjectionHostBaseUrl;
     private string? _publicApiBaseUrl;
     private string? _publicProjectionHostBaseUrl;
 
-    public string BeheerApiBaseUrl
-    {
-        get => _beheerApiBaseUrl?.TrimEnd(trimChar: '/') ?? string.Empty;
-        set => _beheerApiBaseUrl = value;
-    }
-
     public string BeheerProjectionHostBaseUrl
     {
         get => _beheerProjectionHostBaseUrl?.TrimEnd(trimChar: '/') ?? string.Empty;
@@ -38,6 +33,7 @@ public string BaseUrl
         set => _baseUrl = value;
     }
 
+    public string[] SuperAdminClientIds { get; set; } = Array.Empty<string>();
     public string Salt { get; set; } = null!;
     public ApiDocsSettings ApiDocs { get; set; } = new();
     public SearchSettings Search { get; set; } = new();

diff --git a/...AssociationRegistry.Admin.Api/Infrastructure/HttpClients/AdminProjectionHostHttpClient.cs b/...AssociationRegistry.Admin.Api/Infrastructure/HttpClients/AdminProjectionHostHttpClient.cs
@@ -15,20 +15,20 @@ public AdminProjectionHostHttpClient(HttpClient httpClient)
     }
 
     public async Task<HttpResponseMessage> RebuildAllProjections(CancellationToken cancellationToken)
-        => await _httpClient.PostAsync(requestUri: "/projections/all/rebuild", content: null, cancellationToken);
+        => await _httpClient.PostAsync(requestUri: "/v1/projections/all/rebuild", content: null, cancellationToken);
 
     public async Task<HttpResponseMessage> RebuildDetailProjection(CancellationToken cancellationToken)
-        => await _httpClient.PostAsync(requestUri: "/projections/detail/rebuild", content: null, cancellationToken);
+        => await _httpClient.PostAsync(requestUri: "/v1/projections/detail/rebuild", content: null, cancellationToken);
 
     public async Task<HttpResponseMessage> RebuildHistoriekProjection(CancellationToken cancellationToken)
-        => await _httpClient.PostAsync(requestUri: "/projections/historiek/rebuild", content: null, cancellationToken);
+        => await _httpClient.PostAsync(requestUri: "/v1/projections/historiek/rebuild", content: null, cancellationToken);
 
     public async Task<HttpResponseMessage> RebuildZoekenProjection(CancellationToken cancellationToken)
-        => await _httpClient.PostAsync(requestUri: "/projections/search/rebuild", content: null, cancellationToken);
+        => await _httpClient.PostAsync(requestUri: "/v1/projections/search/rebuild", content: null, cancellationToken);
 
     public async Task<HttpResponseMessage> GetStatus(CancellationToken cancellationToken)
     {
-        var request = new HttpRequestMessage(HttpMethod.Get, requestUri: "/projections/status");
+        var request = new HttpRequestMessage(HttpMethod.Get, requestUri: "/v1/projections/status");
         request.Headers.Add(name: "X-Correlation-Id", Guid.NewGuid().ToString());
 
         return await _httpClient.SendAsync(request, cancellationToken);

diff --git a/...ssociationRegistry.Admin.Api/Infrastructure/HttpClients/PublicProjectionHostHttpClient.cs b/...ssociationRegistry.Admin.Api/Infrastructure/HttpClients/PublicProjectionHostHttpClient.cs
@@ -15,13 +15,13 @@ public PublicProjectionHostHttpClient(HttpClient httpClient)
     }
 
     public async Task<HttpResponseMessage> RebuildDetailProjection(CancellationToken cancellationToken)
-        => await _httpClient.PostAsync(requestUri: "/projections/detail/rebuild", content: null, cancellationToken);
+        => await _httpClient.PostAsync(requestUri: "/v1/projections/detail/rebuild", content: null, cancellationToken);
 
     public async Task<HttpResponseMessage> RebuildZoekenProjection(CancellationToken cancellationToken)
-        => await _httpClient.PostAsync(requestUri: "/projections/search/rebuild", content: null, cancellationToken);
+        => await _httpClient.PostAsync(requestUri: "/v1/projections/search/rebuild", content: null, cancellationToken);
 
     public async Task<HttpResponseMessage> GetStatus(CancellationToken cancellationToken)
-        => await _httpClient.GetAsync(requestUri: "/projections/status", cancellationToken);
+        => await _httpClient.GetAsync(requestUri: "/v1/projections/status", cancellationToken);
 
     public void Dispose()
     {

diff --git a/src/AssociationRegistry.Admin.Api/Infrastructure/ProjectionHostController.cs b/src/AssociationRegistry.Admin.Api/Infrastructure/ProjectionHostController.cs
@@ -2,7 +2,9 @@
 
 using Be.Vlaanderen.Basisregisters.Api;
 using HttpClients;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
+using System.Net.Http;
 using System.Net.Http.Json;
 using System.Text.Json;
 using System.Threading;
@@ -12,6 +14,7 @@
 [AdvertiseApiVersions("1.0")]
 [ApiRoute("projections")]
 [ApiExplorerSettings(IgnoreApi = true)]
+[Authorize(Policy = Program.SuperAdminPolicyName)]
 public class ProjectionHostController : ApiController
 {
     private readonly AdminProjectionHostHttpClient _adminHttpClient;
@@ -34,82 +37,86 @@ public async Task<IActionResult> RebuildAdminProjectionAll(CancellationToken can
     {
         var response = await _adminHttpClient.RebuildAllProjections(cancellationToken);
 
-        return response.IsSuccessStatusCode
-            ? Ok()
-            : UnprocessableEntity();
+        return await OkOrForwardedResponse(cancellationToken, response);
     }
 
     [HttpPost("admin/detail/rebuild")]
     public async Task<IActionResult> RebuildAdminProjectionDetail(CancellationToken cancellationToken)
     {
         var response = await _adminHttpClient.RebuildDetailProjection(cancellationToken);
 
-        return response.IsSuccessStatusCode
-            ? Ok()
-            : UnprocessableEntity();
+        return await OkOrForwardedResponse(cancellationToken, response);
     }
 
     [HttpPost("admin/historiek/rebuild")]
     public async Task<IActionResult> RebuildAdminProjectionHistoriek(CancellationToken cancellationToken)
     {
         var response = await _adminHttpClient.RebuildHistoriekProjection(cancellationToken);
 
-        return response.IsSuccessStatusCode
-            ? Ok()
-            : UnprocessableEntity();
+        return await OkOrForwardedResponse(cancellationToken, response);
     }
 
     [HttpPost("admin/search/rebuild")]
     public async Task<IActionResult> RebuildAdminProjectionZoeken(CancellationToken cancellationToken)
     {
         var response = await _adminHttpClient.RebuildZoekenProjection(cancellationToken);
 
-        return response.IsSuccessStatusCode
-            ? Ok()
-            : UnprocessableEntity();
+        return await OkOrForwardedResponse(cancellationToken, response);
     }
 
     [HttpGet("admin/status")]
     public async Task<IActionResult> GetAdminProjectionStatus(CancellationToken cancellationToken)
     {
         var response = await _adminHttpClient.GetStatus(cancellationToken);
 
-        if (!response.IsSuccessStatusCode) return BadRequest();
-
-        var projectionProgress = await response.Content.ReadFromJsonAsync<ProjectionStatus[]>(_jsonSerializerOptions, cancellationToken);
-
-        return new OkObjectResult(projectionProgress);
+        return await OkObjectOrForwardedResponse(cancellationToken, response);
     }
 
     [HttpPost("public/detail/rebuild")]
     public async Task<IActionResult> RebuildPublicProjectionDetail(CancellationToken cancellationToken)
     {
         var response = await _publicHttpClient.RebuildDetailProjection(cancellationToken);
 
-        return response.IsSuccessStatusCode
-            ? Ok()
-            : UnprocessableEntity();
+        return await OkOrForwardedResponse(cancellationToken, response);
     }
 
     [HttpPost("public/search/rebuild")]
     public async Task<IActionResult> RebuildPublicProjectionZoeken(CancellationToken cancellationToken)
     {
         var response = await _publicHttpClient.RebuildZoekenProjection(cancellationToken);
 
-        return response.IsSuccessStatusCode
-            ? Ok()
-            : UnprocessableEntity();
+        return await OkOrForwardedResponse(cancellationToken, response);
     }
 
     [HttpGet("public/status")]
     public async Task<IActionResult> GetPublicProjectionStatus(CancellationToken cancellationToken)
     {
         var response = await _publicHttpClient.GetStatus(cancellationToken);
 
-        if (!response.IsSuccessStatusCode) return BadRequest();
+        return await OkObjectOrForwardedResponse(cancellationToken, response);
+    }
 
-        var projectionProgress = await response.Content.ReadFromJsonAsync<ProjectionStatus[]>(_jsonSerializerOptions, cancellationToken);
+    private async Task<IActionResult> OkOrForwardedResponse(CancellationToken cancellationToken, HttpResponseMessage response)
+    {
+        if (response.IsSuccessStatusCode) return Ok();
 
-        return new OkObjectResult(projectionProgress);
+        return Problem(
+            title: response.ReasonPhrase,
+            statusCode: (int)response.StatusCode,
+            detail: await response.Content.ReadAsStringAsync(cancellationToken)
+        );
+    }
+
+    private async Task<IActionResult> OkObjectOrForwardedResponse(CancellationToken cancellationToken, HttpResponseMessage response)
+    {
+        if (response.IsSuccessStatusCode)
+            return new OkObjectResult(
+                await response.Content.ReadFromJsonAsync<ProjectionStatus[]>(_jsonSerializerOptions, cancellationToken));
+
+        return Problem(
+            title: response.ReasonPhrase,
+            statusCode: (int)response.StatusCode,
+            detail: await response.Content.ReadAsStringAsync(cancellationToken)
+        );
     }
 }
diff --git a/src/AssociationRegistry/ProjectionStatus.cs → ...in.Api/Infrastructure/ProjectionStatus.cs b/src/AssociationRegistry/ProjectionStatus.cs → ...in.Api/Infrastructure/ProjectionStatus.cs
@@ -1,4 +1,6 @@
-namespace AssociationRegistry;
+namespace AssociationRegistry.Admin.Api.Infrastructure;
+
+using System;
 
 public class ProjectionStatus
 {

diff --git a/src/AssociationRegistry.Admin.Api/Program.cs b/src/AssociationRegistry.Admin.Api/Program.cs
@@ -45,7 +45,6 @@ namespace AssociationRegistry.Admin.Api;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.DependencyInjection.Extensions;
 using Microsoft.Extensions.Diagnostics.HealthChecks;
-using Microsoft.Extensions.Hosting;
 using Microsoft.Extensions.Localization;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
@@ -75,6 +74,7 @@ namespace AssociationRegistry.Admin.Api;
 public class Program
 {
     private const string AdminGlobalPolicyName = "Admin Global";
+    public const string SuperAdminPolicyName = "Super Admin";
 
     public static async Task Main(string[] args)
     {
@@ -133,7 +133,10 @@ public static async Task Main(string[] args)
         app.UseRouting()
            .UseAuthentication()
            .UseAuthorization()
-           .UseEndpoints(routeBuilder => routeBuilder.MapControllers().RequireAuthorization(AdminGlobalPolicyName));
+           .UseEndpoints(routeBuilder =>
+            {
+                routeBuilder.MapControllers().RequireAuthorization(AdminGlobalPolicyName);
+            });
 
         ConfigureLifetimeHooks(app);
 
@@ -378,11 +381,20 @@ private static void ConfigureServices(WebApplicationBuilder builder)
                .AddControllersAsServices()
                .AddAuthorization(
                     options =>
+                    {
                         options.AddPolicy(
                             AdminGlobalPolicyName,
                             new AuthorizationPolicyBuilder()
                                .RequireClaim(Security.ClaimTypes.Scope, Security.Scopes.Admin)
-                               .Build()))
+                               .Build());
+
+                        options.AddPolicy(
+                            SuperAdminPolicyName,
+                            new AuthorizationPolicyBuilder()
+                               .RequireClaim(Security.ClaimTypes.Scope, Security.Scopes.Admin)
+                               .RequireClaim(Security.ClaimTypes.ClientId, appSettings.SuperAdminClientIds)
+                               .Build());
+                    })
                .AddNewtonsoftJson(
                     opt =>
                     {

diff --git a/src/AssociationRegistry.Admin.Api/appsettings.development.json b/src/AssociationRegistry.Admin.Api/appsettings.development.json
@@ -35,11 +35,14 @@
 
   "BaseUrl": "http://127.0.0.1:11004/",
 
-  "BeheerApiBaseUrl": "http://127.0.0.1:11004/",
   "BeheerProjectionHostBaseUrl":  "http://127.0.0.1:11006/",
   "PublicApiBaseUrl": "http://127.0.0.1:11003/",
   "PublicProjectionHostBaseUrl":  "http://127.0.0.1:11005/",
 
+  "SuperAdminClientIds": [
+    "superAdminClient"
+  ],
+
   "MagdaOptions": {
     "Afzender": "1234",
     "Hoedanigheid": "1234",