From afba44bb0c28b564ab98a4e10e86c5987b9d6727 Mon Sep 17 00:00:00 2001
From: Romain Sauvaire <romain.sauvaire@kleegroup.com>
Date: Mon, 25 Jul 2022 16:18:07 +0200
Subject: [PATCH] fix: deploiement + non rejet tls en recette

---
 .infra/cegedim/deploy.yaml                    |  2 +-
 .../cegedim/generate-client-certificate.yaml  | 63 +++++++++++++++++++
 .infra/cegedim/scripts/push-images.sh         |  4 ++
 .infra/cegedim/setup.yaml                     |  3 +-
 server/src/common/apis/ApiAgecap.js           |  5 ++
 5 files changed, 75 insertions(+), 2 deletions(-)
 create mode 100644 .infra/cegedim/generate-client-certificate.yaml

diff --git a/.infra/cegedim/deploy.yaml b/.infra/cegedim/deploy.yaml
index 05a0d91b..0b8bc458 100644
--- a/.infra/cegedim/deploy.yaml
+++ b/.infra/cegedim/deploy.yaml
@@ -4,7 +4,7 @@
     become: true
     gather_facts: false
     vars_files:
-    - "vault-{{ env }}.yml"
+      - "vault-{{ env }}.yml"
     tasks:
       - name: login sur le registry
         docker_login:
diff --git a/.infra/cegedim/generate-client-certificate.yaml b/.infra/cegedim/generate-client-certificate.yaml
new file mode 100644
index 00000000..01bfd067
--- /dev/null
+++ b/.infra/cegedim/generate-client-certificate.yaml
@@ -0,0 +1,63 @@
+---
+  - hosts: "{{ env }}-app"
+    name: certificats agecap
+    become: true
+    vars_files:
+      - "vault-{{ env }}.yml"
+    tasks:
+      - name: Check if certificate exists
+        stat: path=/opt/pdigi/data/server/agecap/ca-key.pem
+        register: certificate_output
+
+      - name: Création du répertoire certificates
+        file:
+          path: /opt/pdigi/data/server/agecap
+          state: directory
+
+      - name: Generate client certificate for AGECAP
+        block:
+          - name: Create CA key (Certification Authority)
+            openssl_privatekey:
+              path: /opt/pdigi/data/server/agecap/ca-key.pem
+              passphrase: "{{ vault.TLS_CA_PASSPHRASE }}"
+              cipher: auto
+
+          - name: Create CSR (Certificate Signing Request)
+            openssl_csr:
+              path: /opt/pdigi/data/server/agecap/ca-csr.pem
+              privatekey_path: /opt/pdigi/data/server/agecap/ca-key.pem
+              privatekey_passphrase: "{{ vault.TLS_CA_PASSPHRASE }}"
+              common_name: "{{ hostname }}"
+              basic_constraints:
+                - 'CA:TRUE'
+
+          - name: Generate CA certificate
+            community.crypto.x509_certificate:
+              path: /opt/pdigi/data/server/agecap/ca-crt.pem
+              csr_path: /opt/pdigi/data/server/agecap/ca-csr.pem
+              privatekey_path: /opt/pdigi/data/server/agecap/ca-key.pem
+              privatekey_passphrase: "{{ vault.TLS_CA_PASSPHRASE }}"
+              provider: selfsigned
+
+          - name: Generate client key
+            openssl_privatekey:
+              path: /opt/pdigi/data/server/agecap/client-key.pem
+              passphrase: "{{ vault.TLS_CLIENT_PASSPHRASE }}"
+              cipher: auto
+
+          - name: Create the client CSR
+            openssl_csr:
+              path: /opt/pdigi/data/server/agecap/client-csr.pem
+              privatekey_path: /opt/pdigi/data/server/agecap/client-key.pem
+              privatekey_passphrase: "{{ vault.TLS_CLIENT_PASSPHRASE }}"
+              common_name: "{{ hostname }}"
+
+          - name: Generate the client certificate
+            community.crypto.x509_certificate:
+              path: /opt/pdigi/data/server/agecap/client-crt.pem
+              csr_path: /opt/pdigi/data/server/agecap/client-csr.pem
+              provider: ownca
+              ownca_path: /opt/pdigi/data/server/agecap/ca-crt.pem
+              ownca_privatekey_path: /opt/pdigi/data/server/agecap/ca-key.pem
+              ownca_privatekey_passphrase: "{{ vault.TLS_CA_PASSPHRASE }}"
+        when: certificate_output.stat.exists == False
diff --git a/.infra/cegedim/scripts/push-images.sh b/.infra/cegedim/scripts/push-images.sh
index a59c14c6..527ff764 100644
--- a/.infra/cegedim/scripts/push-images.sh
+++ b/.infra/cegedim/scripts/push-images.sh
@@ -65,10 +65,14 @@ docker build ./reverse_proxy -t registry.kleegroup.com/dgefp-pdigi/cerfa_reverse
 # On supprime le fichier location_metabase.conf.template
 rm ./reverse_proxy/app/nginx/templates/includes/location_metabase.conf.template
 
+# L'enchainement de commande plante régulièrement => Le sleep 3 résoud en partie le problème
+sleep 3
 echo "Push des images locales sur le registry"
 echo "Pushing cerfa_ui:$v ..."
 docker push registry.kleegroup.com/dgefp-pdigi/cerfa_ui:"$v"
+sleep 3
 echo "Pushing cerfa_server:$v ..."
 docker push registry.kleegroup.com/dgefp-pdigi/cerfa_server:"$v"
+sleep 3
 echo "Pushing cerfa_reverse_proxy:$v ..."
 docker push registry.kleegroup.com/dgefp-pdigi/cerfa_reverse_proxy:"$v"
diff --git a/.infra/cegedim/setup.yaml b/.infra/cegedim/setup.yaml
index fc06d94f..991553f0 100644
--- a/.infra/cegedim/setup.yaml
+++ b/.infra/cegedim/setup.yaml
@@ -77,7 +77,8 @@
 
       - name: "Install requisites"
         apt:
-          name: 
+          name:
+          - vim
           - docker-ce
           - python3-pip
           - python3-docker
diff --git a/server/src/common/apis/ApiAgecap.js b/server/src/common/apis/ApiAgecap.js
index aeb2fc6f..a8353e55 100644
--- a/server/src/common/apis/ApiAgecap.js
+++ b/server/src/common/apis/ApiAgecap.js
@@ -9,6 +9,7 @@ const { oleoduc, writeData } = require("oleoduc");
 const { PassThrough } = require("stream");
 const Boom = require("boom");
 const { getS3ObjectAsStream } = require("../utils/S3Utils");
+const https = require("https");
 
 // Cf Documentation : Api Agecap
 const executeWithRateLimiting = apiRateLimiter("apiAgecap", {
@@ -19,6 +20,9 @@ const executeWithRateLimiting = apiRateLimiter("apiAgecap", {
     baseURL: config.agecap.url,
     timeout: 5000,
     headers: { Authorization: `Basic ${config.agecap.key}` },
+    httpsAgent: new https.Agent({
+      rejectUnauthorized: config.env !== "recette",
+    }),
   }),
 });
 
@@ -33,6 +37,7 @@ class ApiAgecap {
       if (this.auth) return true;
       try {
         logger.debug(`[Agecap API] Authenticate`);
+        console.log(`Basic ${config.agecap.key}`);
         let response = await client.post(`authenticate`);
         if (!response?.data?.token) {
           throw new ApiError("Api Agecap", ` Authenticate: Something went wrong`);