[VAS] Story #11619: Multiple organizations on same domain mail

[bbenaissa]

Description

L'objectif de cette PR est de faire évoluer Vitamui pour q'un même domaine mail puisse pouvoir être intégré dans deux organisations différentes afin de pouvoir accéder aux archives des organisations.

Cette évolution concerne les parties suivantes :

• l'authentification dans les modes suivants:
  • Interne
  • SSO en Open Id Connect
  • SSO en Saml2
  • Par Certificat
• Subrogation avec compte interne et avec compte en délagation.
• Mise à jour des écrans
• l'ensemble des Workdlow de gestion des mot de passe

Type de changement:

• Nouveau Code

• Correction

Tests:

manuel

environnement

TU

Contributeur

VAS (Vitam Accessible en Service)

[vitam-devops]

Checkmarx One – Scan Summary & Details – feefc6dc-edd3-4921-9e8c-e59f574c70fe

New Issues

Severity	Issue	Source File / Package	Checkmarx Insight
	Passwords And Secrets - Generic Password	/docker-compose.yml: 20	Query to find passwords and secrets in infrastructure code.
	Passwords And Secrets - Generic Password	/docker-compose.yml: 53	Query to find passwords and secrets in infrastructure code.
	Passwords And Secrets - Generic Password	/docker-compose.yml: 50	Query to find passwords and secrets in infrastructure code.
	Passwords And Secrets - Generic Password	/docker-compose.yml: 18	Query to find passwords and secrets in infrastructure code.
	Passwords And Secrets - Generic Password	/docker-compose.yml: 26	Query to find passwords and secrets in infrastructure code.
	Cleartext_Submission_of_Sensitive_Information	/api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/user/service/UserEmailInternalService.java: 98	Attack Vector
	Cleartext_Submission_of_Sensitive_Information	/api/api-iam/iam-external-client/src/main/java/fr/gouv/vitamui/iam/external/client/CasExternalRestClient.java: 84	Attack Vector
	Container Traffic Not Bound To Host Interface	/docker-compose.yml: 14	Incoming container traffic should be bound to a specific host interface
	Container Traffic Not Bound To Host Interface	/docker-compose.yml: 47	Incoming container traffic should be bound to a specific host interface
	Healthcheck Not Set	/docker-compose.yml: 41	Check containers periodically to see if they are running properly.
	Healthcheck Not Set	/docker-compose.yml: 4	Check containers periodically to see if they are running properly.
	Memory Not Limited	/docker-compose.yml: 4	Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than t...
	Memory Not Limited	/docker-compose.yml: 41	Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than t...
	Privacy_Violation	/api/api-iam/iam-external-client/src/main/java/fr/gouv/vitamui/iam/external/client/CasExternalRestClient.java: 211	Attack Vector
	Privacy_Violation	/api/api-iam/iam-external-client/src/main/java/fr/gouv/vitamui/iam/external/client/CasExternalRestClient.java: 131	Attack Vector
	Privacy_Violation	/api/api-iam/iam-external-client/src/main/java/fr/gouv/vitamui/iam/external/client/CasExternalRestClient.java: 131	Attack Vector
	Privacy_Violation	/api/api-iam/iam-external-client/src/main/java/fr/gouv/vitamui/iam/external/client/CasExternalRestClient.java: 158	Attack Vector
	Privacy_Violation	/api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/CasInternalController.java: 180	Attack Vector
	Privacy_Violation	/api/api-iam/iam-external/src/main/java/fr/gouv/vitamui/iam/external/server/rest/CasExternalController.java: 100	Attack Vector
	Privacy_Violation	/api/api-iam/iam-external-client/src/main/java/fr/gouv/vitamui/iam/external/client/CasExternalRestClient.java: 211	Attack Vector
	Privacy_Violation	/api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/CasInternalController.java: 180	Attack Vector
	Privacy_Violation	/api/api-iam/iam-external-client/src/main/java/fr/gouv/vitamui/iam/external/client/CasExternalRestClient.java: 131	Attack Vector
	Privacy_Violation	/api/api-iam/iam-external-client/src/main/java/fr/gouv/vitamui/iam/external/client/CasExternalRestClient.java: 131	Attack Vector
	Privacy_Violation	/api/api-iam/iam-external-client/src/main/java/fr/gouv/vitamui/iam/external/client/CasExternalRestClient.java: 158	Attack Vector
	Privacy_Violation	/api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/CasInternalController.java: 180	Attack Vector
	Privacy_Violation	/api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/CasInternalController.java: 184	Attack Vector
	SSRF	/api/api-iam/iam-external/src/main/java/fr/gouv/vitamui/iam/external/server/rest/CasExternalController.java: 163	Attack Vector
	SSRF	/api/api-iam/iam-external/src/main/java/fr/gouv/vitamui/iam/external/server/rest/CasExternalController.java: 163	Attack Vector
	SSRF	/api/api-iam/iam-external/src/main/java/fr/gouv/vitamui/iam/external/server/rest/CasExternalController.java: 164	Attack Vector
	SSRF	/api/api-iam/iam-external/src/main/java/fr/gouv/vitamui/iam/external/server/rest/CasExternalController.java: 143	Attack Vector
	SSRF	/api/api-iam/iam-external/src/main/java/fr/gouv/vitamui/iam/external/server/rest/CasExternalController.java: 142	Attack Vector
	SSRF	/api/api-iam/iam-external/src/main/java/fr/gouv/vitamui/iam/external/server/rest/CasExternalController.java: 100	Attack Vector
	SSRF	/api/api-iam/iam-external/src/main/java/fr/gouv/vitamui/iam/external/server/rest/CasExternalController.java: 101	Attack Vector
	SSRF	/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/authentication/UserAuthenticationHandler.java: 107	Attack Vector
	Security Opt Not Set	/docker-compose.yml: 4	Attribute 'security_opt' should be defined.
	Security Opt Not Set	/docker-compose.yml: 41	Attribute 'security_opt' should be defined.
	Client_JQuery_Deprecated_Symbols	/cas/cas-server/src/main/resources/static/js/cas.js: 74	Attack Vector
	Client_JQuery_Deprecated_Symbols	/cas/cas-server/src/main/resources/static/js/cas.js: 40	Attack Vector
	Client_JQuery_Deprecated_Symbols	/cas/cas-server/src/main/resources/static/js/cas.js: 39	Attack Vector
	Container Capabilities Unrestricted	/docker-compose.yml: 4	Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessa...
	Container Capabilities Unrestricted	/docker-compose.yml: 41	Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessa...
	Cpus Not Limited	/docker-compose.yml: 4	CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests
	Cpus Not Limited	/docker-compose.yml: 41	CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests
	Healthcheck Instruction Missing	/Dockerfile: 6	Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working
	Heap_Inspection	/api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/user/service/UserInternalService.java: 539	Attack Vector
	Heap_Inspection	/api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/cas/service/CasInternalService.java: 243	Attack Vector
	Heap_Inspection	/api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/cas/service/CasInternalService.java: 225	Attack Vector
	Heap_Inspection	/api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/cas/service/CasInternalService.java: 234	Attack Vector
	Heap_Inspection	/api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/cas/service/CasInternalService.java: 240	Attack Vector
	Use_Of_Hardcoded_Password	/deployment/scripts/mongod/1.0.0/101_iam_system_demo.js: 315	Attack Vector
	Use_Of_Hardcoded_Password	/deployment/scripts/mongod/1.0.0/101_iam_system_demo.js: 269	Attack Vector
	Use_Of_Hardcoded_Password	/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/configurer/CustomLoginWebflowConfigurer.java: 76	Attack Vector
	Use_Of_Hardcoded_Password	/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/configurer/CustomLoginWebflowConfigurer.java: 66	Attack Vector
	Use_Of_Hardcoded_Password	/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/configurer/CustomLoginWebflowConfigurer.java: 82	Attack Vector
	Use_Of_Hardcoded_Password	/cas/cas-server/src/main/java/fr/gouv/vitamui/cas/webflow/configurer/CustomLoginWebflowConfigurer.java: 68	Attack Vector

[GiooDev]

Pourquoi ces sauts de lignes ici ?

[lgheribi]

Simple formatage. Markdown ignore les simples hauts

[ebernard]

À faire maintenant ou créer une story pour pas l'oublier.

[bbenaissa]

à faire plus tard en clean code

[leleuj]

Attention à la divergence de code avec la future CAS v7.

[ebernard]

À faire maintenant ou créer une story pour pas l'oublier.

[ebernard]

La documentation de l'annotation VisibleForTesting indique :

Do not use this interface for public or protected declarations: it is a fig leaf for bad design, and it does not prevent anyone from using the declaration

(voir https://guava.dev/releases/snapshot-jre/api/docs/com/google/common/annotations/VisibleForTesting.html)

[lgheribi]

OK, en plus c'était pas si test only. Je supprime

[ebernard]

jquery

[ebernard]

jquery

[ebernard]

Ces changements ne devraient-ils pas être faits dans v7.1 plutôt ?

[ebernard]

Mes retours sont non bloquants, vous pouvez merger, mais il faudra peut-être les traiter par la suite.

[leleuj]

Je ne vois pas de tests sur les nouvelles méthodes : findAllByUserIdentifier, findByUserIdentifierAndCustomerId et identifierMatchProviderPattern.

[leleuj]

Exemple de test manquant : je ne crois pas que ce cas soit testé quelque part...

[lgheribi]

J'ai l'impression que ce bloc est statique + des soucis de substitution :