chore: Set GRDF token refresh as an option

.env.template

@@ -22,5 +22,6 @@ DATABASE_NAME
 
 BO_API_TOKEN
 
+FETCH_GRDF_TOKEN=true
 GRDF_CLIENT_ID
 GRDF_CLIENT_SECRET

.gitlab-ci.yml

@@ -25,7 +25,7 @@ stages:
   - deploy
 
 import-convert-assets:
-  image: alpine:3.16.2
+  image: alpine:3.20.3
   stage: import-convert-assets
   before_script:
     - apk add inkscape curl
@@ -142,6 +142,7 @@ deploy_rec:
     - sed -i "s/{{CLIENT_ID}}/$REC_CLIENT_ID/" ./k8s/secrets/ecolyo-agent-server-config.yml
     - sed -i "s/{{CLIENT_SECRET}}/$REC_CLIENT_SECRET/" ./k8s/secrets/ecolyo-agent-server-config.yml
     - sed -i "s/{{BO_API_TOKEN}}/$REC_BO_API_TOKEN/" ./k8s/secrets/ecolyo-agent-server-config.yml
+    - sed -i "s/{{FETCH_GRDF_TOKEN}}/\"$REC_FETCH_GRDF_TOKEN\"/" ./k8s/secrets/ecolyo-agent-server-config.yml
     - sed -i "s/{{GRDF_CLIENT_ID}}/$GRDF_CLIENT_ID/" ./k8s/secrets/ecolyo-agent-server-config.yml
     - sed -i "s/{{GRDF_CLIENT_SECRET}}/$GRDF_CLIENT_SECRET/" ./k8s/secrets/ecolyo-agent-server-config.yml
     - sed -i "s/{{HOSTNAME}}/ecolyo-agent-rec.apps.grandlyon.com/g" ./k8s/secrets/ecolyo-agent-server-config.yml
@@ -152,7 +153,7 @@ deploy_rec:
   script:
     - find k8s/ -name '*.yml' -exec sed -i "s/{{NS}}/$NAMESPACE/g" {} \;
 
-    - oc create secret -n $NAMESPACE docker-registry llle-project --docker-server=$CI_REGISTRY --docker-username=llle-project --docker-password=$READ_REGISTRY_TOKEN --dry-run=client -o yaml | oc apply -f -
+    - oc create secret -n $NAMESPACE docker-registry forge-secret --docker-server=$CI_REGISTRY --docker-username=read_registry --docker-password=$READ_REGISTRY_TOKEN --dry-run=client -o yaml | oc apply -f -
 
     - oc apply -f k8s/secrets
     - oc apply -f k8s/deployments
@@ -174,6 +175,7 @@ deploy_prod:
     - sed -i "s/{{CLIENT_ID}}/$PROD_CLIENT_ID/" ./k8s/secrets/ecolyo-agent-server-config.yml
     - sed -i "s/{{CLIENT_SECRET}}/$PROD_CLIENT_SECRET/" ./k8s/secrets/ecolyo-agent-server-config.yml
     - sed -i "s/{{BO_API_TOKEN}}/$PROD_BO_API_TOKEN/" ./k8s/secrets/ecolyo-agent-server-config.yml
+    - sed -i "s/{{FETCH_GRDF_TOKEN}}/\"$PROD_FETCH_GRDF_TOKEN\"/" ./k8s/secrets/ecolyo-agent-server-config.yml
     - sed -i "s/{{GRDF_CLIENT_ID}}/$GRDF_CLIENT_ID/" ./k8s/secrets/ecolyo-agent-server-config.yml
     - sed -i "s/{{GRDF_CLIENT_SECRET}}/$GRDF_CLIENT_SECRET/" ./k8s/secrets/ecolyo-agent-server-config.yml
     - sed -i "s/{{HOSTNAME}}/ecolyo-agent.apps.grandlyon.com/g" ./k8s/secrets/ecolyo-agent-server-config.yml
@@ -184,7 +186,7 @@ deploy_prod:
   script:
     - find k8s/ -name '*.yml' -exec sed -i "s/{{NS}}/$NAMESPACE/g" {} \;
 
-    - oc create secret -n $NAMESPACE docker-registry llle-project --docker-server=$CI_REGISTRY --docker-username=llle-project --docker-password=$READ_REGISTRY_TOKEN --dry-run=client -o yaml | oc apply -f -
+    - oc create secret -n $NAMESPACE docker-registry forge-secret --docker-server=$CI_REGISTRY --docker-username=read_registry --docker-password=$READ_REGISTRY_TOKEN --dry-run=client -o yaml | oc apply -f -
 
     - oc apply -f k8s/secrets
     - oc apply -f k8s/deployments

Dockerfile

@@ -48,7 +48,7 @@ RUN chown -Rf "${UID}" ./*
 ##############################
 # STEP 2 build a small image #
 ##############################
-FROM curlimages/curl:8.00.1
+FROM curlimages/curl:8.11.0
 
 WORKDIR /app
 

go.mod

@@ -3,12 +3,12 @@ module forge.grandlyon.com/web-et-numerique/factory/llle_project/backoffice-serv
 go 1.18
 
 require (
-	github.com/go-chi/chi/v5 v5.0.11
+	github.com/go-chi/chi/v5 v5.1.0
 	github.com/google/uuid v1.5.0
 	golang.org/x/oauth2 v0.16.0
-	gorm.io/driver/mysql v1.5.2
+	gorm.io/driver/mysql v1.5.7
 	gorm.io/driver/sqlite v1.5.4
-	gorm.io/gorm v1.25.5
+	gorm.io/gorm v1.25.7
 )
 
 require (

go.sum

 github.com/go-chi/chi/v5 v5.0.11 h1:BnpYbFZ3T3S1WMpD79r7R5ThWX40TaFB7L31Y8xqSwA=
 github.com/go-chi/chi/v5 v5.0.11/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
+github.com/go-chi/chi/v5 v5.1.0 h1:acVI1TYaD+hhedDJ3r54HyA6sExp3HfXq7QWEEY/xMw=
+github.com/go-chi/chi/v5 v5.1.0/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
 github.com/go-sql-driver/mysql v1.7.0/go.mod h1:OXbVy3sEdcQ2Doequ6Z5BW6fXNQTmx+9S1MCJN5yJMI=
 github.com/go-sql-driver/mysql v1.7.1 h1:lUIinVbN1DY0xBg0eMOzmmtGoHwWBbvnWubQUrtU8EI=
 github.com/go-sql-driver/mysql v1.7.1/go.mod h1:OXbVy3sEdcQ2Doequ6Z5BW6fXNQTmx+9S1MCJN5yJMI=
@@ -52,8 +54,12 @@ google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7
 google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gorm.io/driver/mysql v1.5.2 h1:QC2HRskSE75wBuOxe0+iCkyJZ+RqpudsQtqkp+IMuXs=
 gorm.io/driver/mysql v1.5.2/go.mod h1:pQLhh1Ut/WUAySdTHwBpBv6+JKcj+ua4ZFx1QQTBzb8=
+gorm.io/driver/mysql v1.5.7 h1:MndhOPYOfEp2rHKgkZIhJ16eVUIRf2HmzgoPmh7FCWo=
+gorm.io/driver/mysql v1.5.7/go.mod h1:sEtPWMiqiN1N1cMXoXmBbd8C6/l+TESwriotuRRpkDM=
 gorm.io/driver/sqlite v1.5.4 h1:IqXwXi8M/ZlPzH/947tn5uik3aYQslP9BVveoax0nV0=
 gorm.io/driver/sqlite v1.5.4/go.mod h1:qxAuCol+2r6PannQDpOP1FP6ag3mKi4esLnB/jHed+4=
 gorm.io/gorm v1.25.2-0.20230530020048-26663ab9bf55/go.mod h1:L4uxeKpfBml98NYqVqwAdmV1a2nBtAec/cf3fpucW/k=
 gorm.io/gorm v1.25.5 h1:zR9lOiiYf09VNh5Q1gphfyia1JpiClIWG9hQaxB/mls=
 gorm.io/gorm v1.25.5/go.mod h1:hbnx/Oo0ChWMn1BIhpy1oYozzpM15i4YPuHDmfYtwg8=
+gorm.io/gorm v1.25.7 h1:VsD6acwRjz2zFxGO50gPO6AkNs7KKnvfzUjHQhZDz/A=
+gorm.io/gorm v1.25.7/go.mod h1:hbnx/Oo0ChWMn1BIhpy1oYozzpM15i4YPuHDmfYtwg8=

internal/models/consent_cleanup.go

+package models
+
+import (
+	"log"
+	"time"
+)
+
+// deleteOutdatedConsents hard deletes outdated consents where end_date is more than 5 years old
+func deleteOutdatedConsents[T GrdfConsent | SgeConsent](dh *DataHandler, model *T, consentType string) {
+	log.Printf("Running %v outdated consents cleanup", consentType)
+	cutoffDate := time.Now().AddDate(-5, 0, 0)
+
+	result := dh.sqlClient.Unscoped().
+		Where("end_date < ?", cutoffDate).
+		Delete(model)
+
+	log.Printf("nb of rows %v", result.RowsAffected)
+
+	if result.Error != nil {
+		log.Printf("Error deleting outdated %s consents: %v\n", consentType, result.Error)
+		return
+	}
+
+	if result.RowsAffected > 0 {
+		log.Printf("Successfully deleted %d outdated %s consent(s) created before %v\n",
+			result.RowsAffected,
+			consentType,
+			cutoffDate.Format("2006-01-02"))
+	}
+}
+
+func DeleteOutdatedConsents(dh *DataHandler) {
+	deleteOutdatedConsents(dh, &GrdfConsent{}, "GRDF")
+	deleteOutdatedConsents(dh, &SgeConsent{}, "SGE")
+}

k8s/README.md

@@ -31,10 +31,10 @@ Configuration:
 - Depuis la console Web, se rendre dans la section "Workloads > Secrets"
 - Cliquer sur le bouton bleu "Create" puis "Image pull secret"
 - Donner les informations :
-  - Secret name : llle-project
+  - Secret name : forge-secret
   - Authentification type : Image registry credentials
   - Registry server address : registry.forge.grandlyon.com
-  - Username: llle-project
+  - Username: read_registry
   - Password: demander le password
 - Cliquer sur Create
 

k8s/deployments/ecolyo-agent-database-deployment.yml

@@ -40,7 +40,7 @@ spec:
           resources:
             limits:
               cpu: 100m
-              memory: 512Mi
+              memory: 1Gi
             requests:
               cpu: 100m
-              memory: 512Mi
+              memory: 1Gi

k8s/deployments/ecolyo-agent-server-deployment.yml

@@ -54,4 +54,4 @@ spec:
               cpu: 100m
               memory: 64Mi   
       imagePullSecrets:
-        - name: llle-project
+        - name: forge-secret

k8s/secrets/ecolyo-agent-server-config.yml

@@ -20,6 +20,7 @@ stringData:
   BO_API_TOKEN: {{BO_API_TOKEN}}
   TOKEN_URL: {{TOKEN_URL}}
   USERINFO_URL: {{USERINFO_URL}}
+  FETCH_GRDF_TOKEN: {{FETCH_GRDF_TOKEN}}
   GRDF_CLIENT_ID: {{GRDF_CLIENT_ID}}
   GRDF_CLIENT_SECRET: {{GRDF_CLIENT_SECRET}}
 type: Opaque

main.go

@@ -16,14 +16,15 @@ import (
 )
 
 var (
-	httpsPort  = common.IntValueFromEnv("HTTPS_PORT", 443)     // HTTPS port to serve on
-	debugMode  = common.BoolValueFromEnv("DEBUG_MODE", false)  // Debug mode, disable Secure attribute for cookies
-	mockOAuth2 = common.BoolValueFromEnv("MOCK_OAUTH2", false) // Enable mock OAuth2 login
+	httpsPort      = common.IntValueFromEnv("HTTPS_PORT", 443)         // HTTPS port to serve on
+	debugMode      = common.BoolValueFromEnv("DEBUG_MODE", false)      // Debug mode, disable Secure attribute for cookies
+	mockOAuth2     = common.BoolValueFromEnv("MOCK_OAUTH2", false)     // Enable mock OAuth2 login
+	fetchGrdfToken = common.BoolValueFromEnv("FETCH_GRDF_TOKEN", true) // HTTPS port to serve on
 )
 
 func main() {
 
-	log.Println("--- Server is starting ---")
+	log.Printf("--- Server is starting on port %v ---", httpsPort)
 
 	// Initializations
 	tokens.Init("./mnt/configs/tokenskey.json", debugMode)
@@ -41,19 +42,38 @@ func main() {
 		fmt.Println("Mock OAuth2 server Listening on: http://localhost" + mockOAuth2Port)
 	}
 
-	// Call the function immediately when the server starts
-	models.FetchGRDFAuthAPI()
-
-	// then call GRDF auth api every two hours
-	ticker := time.NewTicker(time.Hour * 2)
 	quit := make(chan struct{})
+
+	// If needed, we shall request a new GRDF token every 2-hours
+	if fetchGrdfToken {
+		// Call the function immediately when the server starts
+		models.FetchGRDFAuthAPI()
+
+		// then call GRDF auth api every two hours
+		ticker := time.NewTicker(time.Hour * 2)
+		go func() {
+			for {
+				select {
+				case <-ticker.C:
+					models.FetchGRDFAuthAPI()
+				case <-quit:
+					ticker.Stop()
+					return
+				}
+			}
+		}()
+	}
+
+	// Deletes outdated consents every 24h
+	dh := models.NewDataHandler()
+	dailyTicker := time.NewTicker(time.Hour * 24)
 	go func() {
 		for {
 			select {
-			case <-ticker.C:
-				models.FetchGRDFAuthAPI()
+			case <-dailyTicker.C:
+				models.DeleteOutdatedConsents(dh)
 			case <-quit:
-				ticker.Stop()
+				dailyTicker.Stop()
 				return
 			}
 		}