Open olivierlemee opened 2 years ago
Keycloak services, postgresql, documentation and realms CYBNITY for local-dev instance (in minikube) are running
• test account is created and validated as operational
• admin account is operational
• Helm configuration of deployable keycloak instance as access-control-sso-system is coded, tested and deployed in minikube local environment
NGINX module is deployed but missing configuration of route/header of traffic to keycloak, backend, frontend modules
upgrade of minikube cluster resources (K8s profile), creation of nodes (areas for deployment), upgrade of helm charts and re-installations into new minikube platform profile
the kafka brokers are configured to be deployed in domains-io area with success, but an error is thrown when a pod tries to create a repository in the /bitnami/config or /bitnami/logs volume (of PVC permissions?)
TODO: restart configuration of gravitee https://community.gravitee.io/t/kubernetes-helm-gravitee-installation-complete-tutorial/373 with install of NGINX in standard mode (no renaming, because it generates conflicts and failure of elastic search pods) on nodes
haproxy route configuration is accepted but no response from external ip on ports
HAProxy is tested as operational as packaged via a dedicated Helm project, and is tested with success for routes to UI front and to Keycloak sso system
\ default path arrives at the configMap usage with auto-routing to the frontend. But paths are ignored
the authentication via haproxy replicaset > proxy service > pod > keycloak is operational and routing is tested. Connection to CYBNITY realms, to master realm, to admin console is performed with success from http port 80. The keycloak configuration injected in nodejs is changed (but is not taken into consideration during the npm start when tested on the page).
Authentication from web browser is tested and operational via keycloak rerouting. The test of access to a protected resource exposed by the frontend server (nodejs+express) fails because of a CORS issue (headers missing): Access to XMLHttpRequest at 'http://10.101.238.65/auth/realms/CYBNITY/protocol/openid-connect/token' from origin 'http://localhost:3000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Is it blocked by the haproxy or by the keycloak configuration?
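One way to answer that question offline, as an added example that is not part of the original issue or the CYBNITY code base: capture the response headers of the token request once directly at the Keycloak service and once through HAProxy, then apply the browser's Access-Control-Allow-Origin check to each hop. The function names and the captured headers are constructed; the origin is the one from the error message.

```javascript
// Added example; helper names and captured headers below are constructed.
// Browser-side CORS check on Access-Control-Allow-Origin (per the Fetch standard).
function corsVerdict(origin, headers, withCredentials = false) {
  const h = {};
  // Header names are case-insensitive: normalise before lookup.
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const allow = h['access-control-allow-origin'];
  if (allow === undefined) return 'blocked: header missing';
  if (allow === '*') return withCredentials ? 'blocked: wildcard with credentials' : 'allowed';
  if (allow !== origin) return 'blocked: origin mismatch';
  if (withCredentials && h['access-control-allow-credentials'] !== 'true') {
    return 'blocked: credentials not allowed';
  }
  return 'allowed';
}

// hops are ordered from the backend outward. The first hop whose response
// fails the check is the component whose configuration needs attention.
function locateDrop(origin, hops) {
  for (const { name, headers } of hops) {
    const verdict = corsVerdict(origin, headers);
    if (verdict !== 'allowed') return { hop: name, verdict };
  }
  return { hop: null, verdict: 'allowed' };
}

const ORIGIN = 'http://localhost:3000'; // origin quoted in the error message

// Constructed capture A: Keycloak sets the header, the proxied response lacks it.
const proxyStrips = [
  { name: 'keycloak', headers: { 'Access-Control-Allow-Origin': ORIGIN, 'Content-Type': 'application/json' } },
  { name: 'haproxy', headers: { 'Content-Type': 'application/json' } },
];
// Constructed capture B: Keycloak itself never sets the header.
const keycloakOmits = [
  { name: 'keycloak', headers: { 'Content-Type': 'application/json' } },
  { name: 'haproxy', headers: { 'Content-Type': 'application/json' } },
];

console.log(locateDrop(ORIGIN, proxyStrips));
console.log(locateDrop(ORIGIN, keycloakOmits));
```

If the `keycloak` hop is reported, the Keycloak client's Web Origins setting is the place to look; if `haproxy` is reported, the proxy is not passing the header through.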
https://www.notion.so/cybnity/472-102e61be3cf443f08997ab4286d0aa0f
REQ_SEC_21: The users, their devices, the third-party systems or any solution using the applications are uniquely identified (e.g. based on logical information like name, contact, a digital object; and/or based on physical information like owned object, device id, biometrics) during their interactions
An identity may represent an actual user or a process with its own identity, e.g., a program making a remote access. Unique identities are a required element in order to be able to:
• Maintain accountability and traceability of a user or process
• Assign specific rights to an individual user or process
• Provide for non-repudiation
• Enforce access control decisions
• Establish the identity of a peer in a secure communications path
• Prevent unauthorized users from masquerading as an authorized user.
help: identity/account implementation in access-control domain shall be inspired by https://freeduse.atlassian.net/wiki/spaces/IR/pages/6225984/BAI03.01+Entities+Design+Specification for mapping/integration and encapsulation of Keycloak API
HAProxy APIs Gateway
Node.JS