Merge branch 'main' into EW-1061

hpi-schul-cloud · Jan 20, 2025 · c8a1d45 · c8a1d45
2 parents 581bdc3 + 6768816
commit c8a1d45
Show file tree

Hide file tree

Showing 973 changed files with 11,241 additions and 5,936 deletions.
diff --git a/.eslintrc.js b/.eslintrc.js
@@ -150,6 +150,24 @@ module.exports = {
 						'@typescript-eslint/explicit-member-accessibility': 'off',
 					},
 				},
+				{
+					files: ['apps/server/src/migrations/**/*.ts'],
+					rules: {
+						'@typescript-eslint/no-restricted-imports': [
+							'warn',
+							{
+								patterns: [
+									{
+										group: ['@apps/**', '@infra/**', '@shared/**', 'apps/server/src/migrations/**'],
+										message: 'apps/server/src/migrations may NOT import from @apps, @infra, @shared, or migrations',
+									},
+								],
+							},
+						],
+						'filename-rules/match': [1, 'PascalCase'],
+						'no-console': 'off',
+					},
+				},
 				{
 					files: ['apps/server/src/apps/**/*.ts'],
 					rules: {
@@ -158,8 +176,8 @@ module.exports = {
 							{
 								patterns: [
 									{
-										group: ['@apps/**', '@infra/**', '@shared/**'],
-										message: 'apps-modules may NOT import from @apps, @infra or @shared',
+										group: ['@apps/**', '@infra/**', '@shared/**', 'apps/server/src/migrations/**'],
+										message: 'apps-modules may NOT import from @apps, @infra, @shared, or migrations',
 									},
 								],
 							},
@@ -175,7 +193,7 @@ module.exports = {
 								patterns: [
 									{
 										group: ['@apps/**', '@core/**', '@infra/**', '@modules/**'],
-										message: 'core-modules may NOT import from @apps, @core, @infra or @modules',
+										message: 'core-modules may NOT import from @apps, @core, @infra, or @modules',
 									},
 								],
 							},
@@ -190,8 +208,8 @@ module.exports = {
 							{
 								patterns: [
 									{
-										group: ['@apps/**', '@core/**', '@modules/**'],
-										message: 'infra-modules may NOT import from @apps, @core or @modules',
+										group: ['@apps/**', '@core/**', '@modules/**', 'apps/server/src/migrations/**'],
+										message: 'infra-modules may NOT import from @apps, @core, @modules, or migrations',
 									},
 								],
 							},
@@ -222,8 +240,16 @@ module.exports = {
 							{
 								patterns: [
 									{
-										group: ['@apps/**', '@core/**', '@infra/**', '@modules/**', '@shared/**'],
-										message: 'shared modules may NOT import from @apps, @core, @infra, @modules or @shared',
+										group: [
+											'@apps/**',
+											'@core/**',
+											'@infra/**',
+											'@modules/**',
+											'@shared/**',
+											'apps/server/src/migrations/**',
+										],
+										message:
+											'shared modules may NOT import from @apps, @core, @infra, @modules, @shared, or migrations',
 									},
 								],
 							},

diff --git a/.github/workflows/migrations.yml b/.github/workflows/migrations.yml
@@ -22,7 +22,7 @@ jobs:
     steps:
     - uses: actions/checkout@v4
     - name: mongodb setup
-      uses: supercharge/mongodb-github-action@1.10.0
+      uses: supercharge/mongodb-github-action@1.12.0
     - name: setup
       uses: actions/setup-node@v4
       with:

diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
@@ -59,7 +59,7 @@ jobs:
 
       - name: Build and push ${{ github.repository }}
         if: ${{ env.IMAGE_EXISTS == 0 }}
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: .
           file: ./Dockerfile
@@ -90,7 +90,7 @@ jobs:
 
       - name: Build and push ${{ github.repository }} (file preview)
         if: ${{ env.IMAGE_EXISTS == 0 }}
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           build-args: |
             BASE_IMAGE=ghcr.io/${{ github.repository }}:${{ needs.branch_meta.outputs.sha }}
@@ -172,7 +172,7 @@ jobs:
       security-events: write
     steps:
       - name: run trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2
+        uses: aquasecurity/trivy-action@0.29.0
         with:
           image-ref: 'ghcr.io/${{ github.repository }}:${{ needs.branch_meta.outputs.sha }}'
           format: 'sarif'

diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml
@@ -39,7 +39,7 @@ jobs:
           password: ${{ secrets.QUAY_TOKEN }}
 
       - name: Build and push ${{ github.repository }}
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: .
           file: ./Dockerfile
@@ -60,7 +60,7 @@ jobs:
           labels: |
             org.opencontainers.image.title=schulcloud-file-storage
       - name: Build and push ${{ github.repository }} (file-storage)
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           build-args: |
             BASE_IMAGE=quay.io/schulcloudverbund/schulcloud-server:${{ github.ref_name }}
@@ -81,14 +81,14 @@ jobs:
       contents: write
     steps:
       - name: create sbom
-        uses: aquasecurity/trivy-action@1f6384b6ceecbbc6673526f865b818a2a06b07c9
+        uses: aquasecurity/trivy-action@0.29.0
         with:
           scan-type: 'image'
           format: 'cyclonedx'
           image-ref: 'docker.io/schulcloud/schulcloud-server:${{ github.ref_name }}'
           output: 'dependency-results.sbom.json'
       - name: create release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
         with:
           body: 'refer to the schulcloud-client release notes https://github.com/hpi-schul-cloud/schulcloud-client/releases/'
           files: dependency-results.sbom.json
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -25,7 +25,7 @@ jobs:
         with:
           node-version: ${{ env.NODE_VERSION }}
       - name: Start MongoDB
-        uses: supercharge/mongodb-github-action@1.10.0
+        uses: supercharge/mongodb-github-action@1.12.0
         with:
           mongodb-version: ${{ env.MONGODB_VERSION }}
       - name: environment setup
@@ -53,7 +53,7 @@ jobs:
         with:
           node-version: ${{ env.NODE_VERSION }}
       - name: Start MongoDB
-        uses: supercharge/mongodb-github-action@1.10.0
+        uses: supercharge/mongodb-github-action@1.12.0
         with:
           mongodb-version: ${{ env.MONGODB_VERSION }}
       - name: npm ci
@@ -90,7 +90,7 @@ jobs:
           distribution: 'temurin'
           java-version: '17'
       - name: SonarCloud upload coverage
-        uses: SonarSource/sonarcloud-github-action@v2.1.1
+        uses: SonarSource/sonarcloud-github-action@v4.0.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONARCLOUD_TOKEN }}

diff --git a/ansible/roles/media-licenses/defaults/main.yml b/ansible/roles/media-licenses/defaults/main.yml
@@ -0,0 +1,3 @@
+SERVER_VIDIS_SYNC_CRONJOB_SCHEDULE: "20 4 * * *"
+VIDIS_API_CLIENT_BASE_URL: ""
+VIDIS_SYNC_REGION: ""
diff --git a/ansible/roles/media-licenses/meta/main.yml b/ansible/roles/media-licenses/meta/main.yml
@@ -0,0 +1,9 @@
+galaxy_info:
+  role_name: media-licenses
+  author: Schul-Cloud Verbund
+  description: media-licenses role for the vidis synchronization purposes
+  company: Schul-Cloud Verbund
+  license: license (AGPLv3)
+  min_ansible_version: 2.8
+  galaxy_tags: []
+dependencies: []
diff --git a/ansible/roles/media-licenses/tasks/main.yml b/ansible/roles/media-licenses/tasks/main.yml
@@ -0,0 +1,17 @@
+- name: media licenses sync CronJob ConfigMap
+  kubernetes.core.k8s:
+    kubeconfig: ~/.kube/config
+    namespace: "{{ NAMESPACE }}"
+    template: vidis-sync-cronjob-configmap.yml.j2
+    state: "{{ 'present' if WITH_MEDIA_LICENSES is defined and WITH_MEDIA_LICENSES|bool else 'absent'}}"
+  tags:
+    - configmap
+
+- name: media licenses sync CronJob
+  kubernetes.core.k8s:
+    kubeconfig: ~/.kube/config
+    namespace: "{{ NAMESPACE }}"
+    template: vidis-sync-cronjob.yml.j2
+    state: "{{ 'present' if WITH_MEDIA_LICENSES is defined and WITH_MEDIA_LICENSES|bool else 'absent'}}"
+  tags:
+    - cronjob
diff --git a/ansible/roles/media-licenses/templates/vidis-sync-cronjob-configmap.yml.j2 b/ansible/roles/media-licenses/templates/vidis-sync-cronjob-configmap.yml.j2
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: {{ NAMESPACE }}
+  name: vidis-sync-cronjob-configmap
+  labels:
+    app: vidis-sync-cronjob
+data:
+  NODE_OPTIONS: "--max-old-space-size=3072"
+  NEST_LOG_LEVEL: "error"
+  EXIT_ON_ERROR: "true"
+  VIDIS_API_CLIENT_BASE_URL: "{{ VIDIS_API_CLIENT_BASE_URL }}"
+  VIDIS_SYNC_REGION: "{{ VIDIS_SYNC_REGION }}"
diff --git a/ansible/roles/media-licenses/templates/vidis-sync-cronjob.yml.j2 b/ansible/roles/media-licenses/templates/vidis-sync-cronjob.yml.j2
@@ -0,0 +1,97 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  namespace: {{ NAMESPACE }}
+  labels:
+    app: vidis-sync-cronjob
+    app.kubernetes.io/part-of: schulcloud-verbund
+    app.kubernetes.io/version: {{ SCHULCLOUD_SERVER_IMAGE_TAG }}
+    app.kubernetes.io/name: vidis-sync-cronjob
+    app.kubernetes.io/component: sync
+    app.kubernetes.io/managed-by: ansible
+    git.branch: {{ SCHULCLOUD_SERVER_BRANCH_NAME }}
+    git.repo: {{ SCHULCLOUD_SERVER_REPO_NAME }}
+  name: vidis-sync-cronjob
+spec:
+  schedule: {{ SERVER_VIDIS_SYNC_CRONJOB_SCHEDULE|default("20 4 * * *", true) }}
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          labels:
+            app: vidis-sync-cronjob
+            app.kubernetes.io/part-of: schulcloud-verbund
+            app.kubernetes.io/version: {{ SCHULCLOUD_SERVER_IMAGE_TAG }}
+            app.kubernetes.io/name: vidis-sync-cronjob
+            app.kubernetes.io/component: sync
+            app.kubernetes.io/managed-by: ansible
+            git.branch: {{ SCHULCLOUD_SERVER_BRANCH_NAME }}
+            git.repo: {{ SCHULCLOUD_SERVER_REPO_NAME }}
+        spec:
+          containers:
+          - name: vidis-sync-cronjob
+            image: {{ SCHULCLOUD_SERVER_IMAGE }}:{{ SCHULCLOUD_SERVER_IMAGE_TAG }}
+            envFrom:
+            - configMapRef:
+                name: api-configmap
+            - secretRef:
+                name: api-secret
+            - configMapRef:
+                name: vidis-sync-cronjob-configmap
+            command: ['/bin/sh','-c']
+            args: ['npm run nest:start:sync:vidis']
+            resources:
+              limits:
+                cpu: {{ MEDIA_ACTIVATION_CPU_LIMITS|default("2000m", true) }}
+                memory: {{ MEDIA_ACTIVATION_MEMORY_LIMITS|default("2Gi", true) }}
+              requests:
+                cpu: {{ MEDIA_ACTIVATION_CPU_REQUESTS|default("100m", true) }}
+                memory: {{ MEDIA_ACTIVATION_MEMORY_REQUESTS|default("150Mi", true) }}
+          restartPolicy: OnFailure
+{% if AFFINITY_ENABLE is defined and AFFINITY_ENABLE|bool %}
+          affinity:
+            podAffinity:
+              preferredDuringSchedulingIgnoredDuringExecution:
+              - weight: 20
+                podAffinityTerm:
+                  labelSelector:
+                    matchExpressions:
+                    - key: app.kubernetes.io/part-of
+                      operator: In
+                      values:
+                      - schulcloud-verbund
+                  topologyKey: "kubernetes.io/hostname"
+                  namespaceSelector: {}
+              - weight: 10
+                podAffinityTerm:
+                  labelSelector:
+                    matchExpressions:
+                    - key: git.repo
+                      operator: In
+                      values:
+                      - {{ SCHULCLOUD_SERVER_REPO_NAME }}
+                  topologyKey: "kubernetes.io/hostname"
+                  namespaceSelector: {}
+              - weight: 10
+                podAffinityTerm:
+                  labelSelector:
+                    matchExpressions:
+                    - key: git.branch
+                      operator: In
+                      values:
+                      - {{ SCHULCLOUD_SERVER_BRANCH_NAME }}
+                  topologyKey: "kubernetes.io/hostname"
+                  namespaceSelector: {}
+              - weight: 10
+                podAffinityTerm:
+                  labelSelector:
+                    matchExpressions:
+                    - key: app.kubernetes.io/version
+                      operator: In
+                      values:
+                      - {{ SCHULCLOUD_SERVER_IMAGE_TAG }}
+                  topologyKey: "kubernetes.io/hostname"
+                  namespaceSelector: {}
+{% endif %}
+
diff --git a/ansible/roles/schulcloud-server-init/templates/configmap_file_init.yml.j2 b/ansible/roles/schulcloud-server-init/templates/configmap_file_init.yml.j2
@@ -537,15 +537,15 @@ data:
             "oauthConfig": {
               "clientId": "'$TSP_SYSTEM_OAUTH_CLIENT_ID'",
               "clientSecret": "'$TSP_SYSTEM_OAUTH_CLIENT_SECRET'",
-              "tokenEndpoint": "https://test2.schulportal-thueringen.de/auth/realms/TIS/protocol/openid-connect/token",
+              "tokenEndpoint": "https://test.schulportal-thueringen.de/auth/realms/TIS/protocol/openid-connect/token",
               "grantType": "authorization_code",
               "scope": "openid",
               "responseType": "code",
               "redirectUri": "https://{{ NAMESPACE }}.thr.dbildungscloud.dev/api/v3/sso/oauth",
-              "authEndpoint": "https://test2.schulportal-thueringen.de/auth/realms/TIS/protocol/openid-connect/auth",
+              "authEndpoint": "https://test.schulportal-thueringen.de/auth/realms/TIS/protocol/openid-connect/auth",
               "provider": "tsp",
-              "jwksEndpoint": "https://test2.schulportal-thueringen.de/auth/realms/TIS/protocol/openid-connect/certs",
-              "issuer": "https://test2.schulportal-thueringen.de/auth/realms/TIS"
+              "jwksEndpoint": "https://test.schulportal-thueringen.de/auth/realms/TIS/protocol/openid-connect/certs",
+              "issuer": "https://test.schulportal-thueringen.de/auth/realms/TIS"
             }
           }
       );'
@@ -554,3 +554,29 @@ data:
     fi
     # ========== End of TSP system creation
 
+    # ========== Start of inserting VIDIS media source section.
+    if [ -n "$MEDIA_SOURCE_VIDIS_USERNAME" ] && [ -n "$MEDIA_SOURCE_VIDIS_PASSWORD" ]; then
+         echo "Inserting VIDIS media source to the DB..."
+         # Encrypt the credentials for accessing the VIDIS media source
+         MEDIA_SOURCE_VIDIS_ID=675b0b71553441da9a893bf9
+         MEDIA_SOURCE_VIDIS_USERNAME=$(get_secret $MEDIA_SOURCE_VIDIS_USERNAME)
+         MEDIA_SOURCE_VIDIS_PASSWORD=$(get_secret $MEDIA_SOURCE_VIDIS_PASSWORD)
+         mongosh $DATABASE__URL --quiet --eval 'db.getCollection("media-sources").insertOne(
+             {
+                "_id": ObjectId("'$MEDIA_SOURCE_VIDIS_ID'"),
+                "format" : "VIDIS",
+                "name" : "vidis",
+                "sourceId" : "vidis.fwu.de",
+                "createdAt": new Date(),
+                "updatedAt": new Date(),
+                "basicAuthConfig" : {
+                   "username" : "'$MEDIA_SOURCE_VIDIS_USERNAME'",
+                   "password" : "'$MEDIA_SOURCE_VIDIS_PASSWORD'",
+                   "authEndpoint" : "https://service-stage.vidis.schule/o/vidis-rest/v1.0/offers/activated/by-region/test-region"
+                }
+             }
+         );'
+         echo "Inserted VIDIS media source to the DB."
+    fi
+
+    # ========== End of inserting VIDIS media source section.
diff --git a/apps/server/doc/file-structure.md b/apps/server/doc/file-structure.md
@@ -129,7 +129,7 @@ This possibility should not be used for new features in Feathers, but it can hel
 
 ```TypeScript
     // main.ts
-    async function bootstrap() {
+    async function bootstrap(): Promise<void> {
         // (...)
         feathersExpress.services['nest-rocket-chat'] = nestApp.get(RocketChatService);
         // (...)