Compare commits
33 Commits
cc9e7852e1
...
feat/66-ap
| Author | SHA1 | Date | |
|---|---|---|---|
| fcdb117768 | |||
| c3f0710a18 | |||
| 7c363099ff | |||
| a069ab07a2 | |||
| 34969659f7 | |||
| fd90c4abe2 | |||
| 3824f85af6 | |||
| ef877ebc80 | |||
| 9c961f9a13 | |||
| 0b82841b14 | |||
| 5a4331a416 | |||
| 96d447832f | |||
| a07d8277d6 | |||
| 69d6e80378 | |||
| 5d32d4f15e | |||
| d767430ad7 | |||
| 751ca006a7 | |||
| fea806848b | |||
| 2f5d656b54 | |||
| 72efab3ae0 | |||
| 1edd34e2db | |||
| f885e0a3be | |||
| ac874bf746 | |||
| 67f0ffb88d | |||
| 5a3f28ac6d | |||
| e9a873c152 | |||
| 79dcd8f14b | |||
| 22ab38f328 | |||
| 0d34d60797 | |||
| 6d4adaf957 | |||
| 39b2388a9d | |||
| 8d176c2603 | |||
| 53751fd1bc |
17
.editorconfig
Normal file
17
.editorconfig
Normal file
@@ -0,0 +1,17 @@
|
||||
# Editor configuration, see http://editorconfig.org
|
||||
root = true
|
||||
|
||||
[*]
|
||||
indent_style = space
|
||||
indent_size = 2
|
||||
insert_final_newline = true
|
||||
trim_trailing_whitespace = true
|
||||
|
||||
# .NET sources use 4-space indent (dotnet format enforces this). The 2-space default
|
||||
# above is for the frontend (TS/HTML/CSS/JSON); C# keeps the .NET convention.
|
||||
[*.cs]
|
||||
indent_size = 4
|
||||
|
||||
[*.md]
|
||||
max_line_length = off
|
||||
trim_trailing_whitespace = false
|
||||
@@ -43,6 +43,20 @@ jobs:
|
||||
dotnet-version: '10.0.x'
|
||||
- run: make unit
|
||||
|
||||
# Frontend (Nx/Angular) lane: install with pnpm, then Nx lint + test + build.
|
||||
frontend:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: https://github.com/actions/checkout@v4
|
||||
- uses: https://github.com/pnpm/action-setup@v4
|
||||
with:
|
||||
version: 11
|
||||
- uses: https://github.com/actions/setup-node@v4
|
||||
with:
|
||||
node-version: '24'
|
||||
cache: 'pnpm'
|
||||
- run: make frontend
|
||||
|
||||
mutation:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
@@ -51,23 +65,41 @@ jobs:
|
||||
with:
|
||||
dotnet-version: '10.0.x'
|
||||
- run: make mutation
|
||||
# Publish the Stryker HTML report. `if: always()` uploads it even when the
|
||||
# Publish the Stryker HTML reports. `if: always()` uploads them even when the
|
||||
# ratchet fails — that is exactly when you want to inspect the survivors.
|
||||
# Glob handles Stryker's non-deterministic StrykerOutput/<timestamp>/ dir.
|
||||
# Pinned to @v3 deliberately: @v4 refuses to run on Gitea (GHES guard) —
|
||||
# see docs/runbooks/gitea-actions-gotchas.md §4.
|
||||
# `continue-on-error` keeps the upload best-effort: the mutation *gate* is the
|
||||
# ratchet (make mutation's exit code), not the report, so a Gitea artifact-backend
|
||||
# 500 must not fail the job (gitea-actions-gotchas.md §4). Glob handles Stryker's
|
||||
# non-deterministic StrykerOutput/<timestamp>/ dir. Pinned @v3: @v4's bundled
|
||||
# @actions/artifact hard-aborts on non-github.com (GHES guard) — see the runbook.
|
||||
- uses: https://github.com/actions/upload-artifact@v3
|
||||
if: always()
|
||||
continue-on-error: true
|
||||
with:
|
||||
name: acl-mutation-report
|
||||
path: services/acl/StrykerOutput/**/reports/mutation-report.html
|
||||
if-no-files-found: warn
|
||||
- uses: https://github.com/actions/upload-artifact@v3
|
||||
if: always()
|
||||
continue-on-error: true
|
||||
with:
|
||||
name: event-subscriber-mutation-report
|
||||
path: services/event-subscriber/StrykerOutput/**/reports/mutation-report.html
|
||||
if-no-files-found: warn
|
||||
- uses: https://github.com/actions/upload-artifact@v3
|
||||
if: always()
|
||||
continue-on-error: true
|
||||
with:
|
||||
name: domain-mutation-report
|
||||
path: services/domain/StrykerOutput/**/reports/mutation-report.html
|
||||
if-no-files-found: warn
|
||||
- uses: https://github.com/actions/upload-artifact@v3
|
||||
if: always()
|
||||
continue-on-error: true
|
||||
with:
|
||||
name: bff-mutation-report
|
||||
path: services/bff/StrykerOutput/**/reports/mutation-report.html
|
||||
if-no-files-found: warn
|
||||
|
||||
# One stage for every check that needs the live stack. On the single self-hosted
|
||||
# runner jobs run sequentially, so booting OpenZaak once (instead of once per job)
|
||||
@@ -88,10 +120,14 @@ jobs:
|
||||
run: make verify-nrc
|
||||
- name: OpenZaak → NRC → Event Subscriber → projection-api
|
||||
run: make verify-projection
|
||||
- name: Domain → Flowable → ACL → OpenZaak
|
||||
run: make verify-domain
|
||||
- name: BFF → Keycloak + domain + projection
|
||||
run: make verify-bff
|
||||
# Log dump must precede teardown (which removes the containers).
|
||||
- name: Dump container logs on failure
|
||||
if: failure()
|
||||
run: docker compose -f infra/docker-compose.yml logs --no-color --tail=100 oz-init openzaak nrc-init nrc-web nrc-celery nrc-beat flowable-init keycloak acl bff projection-db event-subscriber projection-api 2>&1 || true
|
||||
run: docker compose -f infra/docker-compose.yml logs --no-color --tail=100 oz-init openzaak nrc-init nrc-web nrc-celery nrc-beat flowable-db flowable-rest flowable-init keycloak acl bff domain projection-db event-subscriber projection-api 2>&1 || true
|
||||
- name: Tear down
|
||||
if: always()
|
||||
run: make down
|
||||
|
||||
17
.gitignore
vendored
17
.gitignore
vendored
@@ -35,3 +35,20 @@ site/
|
||||
# OS
|
||||
.DS_Store
|
||||
Thumbs.db
|
||||
|
||||
# ── Frontend (Nx / Angular / pnpm) ──
|
||||
node_modules/
|
||||
dist/
|
||||
tmp/
|
||||
out-tsc/
|
||||
/coverage
|
||||
.angular/
|
||||
.nx/cache
|
||||
.nx/workspace-data
|
||||
.nx/self-healing
|
||||
.nx/migrate-runs
|
||||
.nx/polygraph
|
||||
vite.config.*.timestamp*
|
||||
vitest.config.*.timestamp*
|
||||
|
||||
.angular
|
||||
|
||||
8
.prettierignore
Normal file
8
.prettierignore
Normal file
@@ -0,0 +1,8 @@
|
||||
# Add files here to ignore them from prettier formatting
|
||||
/dist
|
||||
/coverage
|
||||
/.nx/cache
|
||||
/.nx/workspace-data
|
||||
.angular
|
||||
|
||||
.nx/self-healing
|
||||
3
.prettierrc
Normal file
3
.prettierrc
Normal file
@@ -0,0 +1,3 @@
|
||||
{
|
||||
"singleQuote": true
|
||||
}
|
||||
17
BACKLOG.md
17
BACKLOG.md
@@ -151,17 +151,16 @@ The skeleton proves the spine end-to-end: a registration, a workflow, a zaak in
|
||||
|
||||
### S-08 · Self-Service portal (Angular, NL DS) — submit a registration
|
||||
|
||||
**Outcome:** The self-service Angular app, in the Nx monorepo, lets a zorgprofessional log in via mock DigiD and submit a registration. NL Design System styling. Generated API client.
|
||||
> **S-08 was split** (CLAUDE.md §13; issue #9 closed) into the sub-slices below — it bundled the
|
||||
> Nx bootstrap, the generated client, the NL DS + DigiD form, and a full-stack Playwright e2e, well
|
||||
> past 1–2 days. Each sub-slice is independently demoable and CI-green.
|
||||
|
||||
**Acceptance:**
|
||||
- **S-08a (#65)** · Nx monorepo + Angular tooling + CI Node lane. Placeholder `self-service` app; `nx lint/test/build` green in a new CI Node lane.
|
||||
- **S-08b (#66)** · Generated api-client lib from `services/bff/openapi.json` (never hand-written, §10) + a mocked-BFF unit test.
|
||||
- **S-08c (#67)** · Self-service submit form — NL Design System `libs/ui`, DigiD OIDC `libs/auth`, component tests (Angular Testing Library), axe WCAG 2.1 AA on the submit page.
|
||||
- **S-08d (#68)** · Playwright happy-path e2e (login → submit → success) against the full stack + compose serving + CI e2e lane.
|
||||
|
||||
- E2E test (Playwright): full happy path, login → submit → success page.
|
||||
- Component tests (Testing Library) for the form.
|
||||
- Accessibility audit (axe-core) passes WCAG 2.1 AA on the submit page.
|
||||
|
||||
**Touches:** `apps/self-service/`, `libs/ui/`, `libs/auth/`, `libs/api-client/`, tests.
|
||||
|
||||
**Out of scope:** document upload, status tracking page.
|
||||
**Out of scope (whole of S-08):** document upload, status tracking page.
|
||||
|
||||
### S-09 · Openbaar Register portal — public lookup
|
||||
|
||||
|
||||
33
Makefile
33
Makefile
@@ -10,7 +10,7 @@ COMPOSE := infra/docker-compose.yml
|
||||
# Long-running services with a healthcheck — the smoke polls these for readiness
|
||||
# (infra/wait-healthy.sh). One-shot init jobs (oz-init, nrc-init, flowable-init)
|
||||
# are not polled; they only need to have run. See docs/runbooks/gitea-actions-gotchas.md.
|
||||
WAIT_SVCS := openzaak nrc-web acl bff event-subscriber projection-api
|
||||
WAIT_SVCS := openzaak nrc-web acl bff domain event-subscriber projection-api
|
||||
# Config files (OpenZaak data.yaml, Keycloak realms, Flowable BPMN) are streamed
|
||||
# into external named volumes via `docker cp` (infra/seed-config.sh) instead of
|
||||
# bind-mounted, because bind mounts don't reach sibling containers on the
|
||||
@@ -43,11 +43,16 @@ export DOCKER_HOST := unix://$(PODMAN_SOCK)
|
||||
endif
|
||||
endif
|
||||
|
||||
.PHONY: ci lint build unit mutation integration verify verify-up verify-acl verify-nrc verify-projection verify-notifications smoke up down local local-down changelog openzaak-up openzaak-smoke openzaak-seed openzaak-down stack-up stack-smoke stack-down keycloak-up keycloak-smoke keycloak-down flowable-up flowable-smoke flowable-down help
|
||||
.PHONY: ci lint build unit mutation frontend integration verify verify-up verify-acl verify-nrc verify-projection verify-bff verify-domain verify-notifications smoke up down local local-down changelog openzaak-up openzaak-smoke openzaak-seed openzaak-down stack-up stack-smoke stack-down keycloak-up keycloak-smoke keycloak-down flowable-up flowable-smoke flowable-down help
|
||||
|
||||
## ci: run the full pipeline — lint, build, unit, mutation, verify (mirrors Gitea Actions)
|
||||
## ci: run the full pipeline — lint, build, unit, mutation, frontend, verify (mirrors Gitea Actions)
|
||||
## `verify` is the live-stack stage (full stack up once → ACL + notification checks).
|
||||
ci: lint build unit mutation verify
|
||||
ci: lint build unit mutation frontend verify
|
||||
|
||||
## frontend: install deps and run the Nx lint/test/build for the portals (pnpm + Node required)
|
||||
frontend:
|
||||
pnpm install --frozen-lockfile
|
||||
pnpm nx run-many -t lint test build
|
||||
|
||||
## lint: verify formatting (no changes)
|
||||
lint:
|
||||
@@ -64,12 +69,14 @@ unit:
|
||||
## mutation: run the Stryker.NET ratchet on each service with branching logic (fails below baseline)
|
||||
# Stryker is pinned as a local dotnet tool (.config/dotnet-tools.json); `tool restore`
|
||||
# makes `make mutation` work from a fresh clone. Each service owns its config + break
|
||||
# threshold (the ratchet, CLAUDE.md §5): services/acl/stryker-config.json and
|
||||
# services/event-subscriber/stryker-config.json. Scores never regress below baseline.
|
||||
# threshold (the ratchet, CLAUDE.md §5): each services/<svc>/stryker-config.json.
|
||||
# Scores never regress below baseline.
|
||||
mutation:
|
||||
dotnet tool restore
|
||||
cd services/acl && dotnet stryker
|
||||
cd services/event-subscriber && dotnet stryker
|
||||
cd services/domain && dotnet stryker
|
||||
cd services/bff && dotnet stryker
|
||||
|
||||
## smoke: seed config, bring the whole stack up, wait for health-checked services, tear down
|
||||
# SEED populates the external config volumes first (upstream images used verbatim;
|
||||
@@ -136,6 +143,16 @@ verify-nrc:
|
||||
verify-projection:
|
||||
bash infra/run-projection-check.sh
|
||||
|
||||
## verify-domain: domain → Flowable → ACL → OpenZaak end-to-end (S-05), against the
|
||||
## already-running stack. Recreates the acl service to inject the seeded zaaktype URL.
|
||||
verify-domain:
|
||||
bash infra/run-domain-check.sh
|
||||
|
||||
## verify-bff: BFF end-to-end (S-07) against the up stack — token validation on self-service
|
||||
## + anonymous public-safe openbaar register (ADR-0010).
|
||||
verify-bff:
|
||||
bash infra/run-bff-check.sh
|
||||
|
||||
## verify: local mirror of the CI verify-stack job — full stack up once, all checks,
|
||||
## tear down (always). For fast single-concern local iteration use `integration`
|
||||
## (oz-only) or `verify-notifications` (oz+nrc) instead.
|
||||
@@ -146,7 +163,9 @@ verify:
|
||||
WAIT_TIMEOUT=420 bash infra/wait-healthy.sh $(WAIT_SVCS) \
|
||||
&& bash infra/run-acl-integration.sh \
|
||||
&& bash infra/run-notification-check.sh \
|
||||
&& bash infra/run-projection-check.sh || rc=$$?; \
|
||||
&& bash infra/run-projection-check.sh \
|
||||
&& bash infra/run-domain-check.sh \
|
||||
&& bash infra/run-bff-check.sh || rc=$$?; \
|
||||
docker compose -f $(COMPOSE) down --volumes >/dev/null 2>&1; \
|
||||
docker volume rm -f $(CFG_VOLS) >/dev/null 2>&1; \
|
||||
exit $$rc'
|
||||
|
||||
34
apps/self-service/eslint.config.mjs
Normal file
34
apps/self-service/eslint.config.mjs
Normal file
@@ -0,0 +1,34 @@
|
||||
import nx from '@nx/eslint-plugin';
|
||||
import baseConfig from '../../eslint.config.mjs';
|
||||
|
||||
export default [
|
||||
...nx.configs['flat/angular'],
|
||||
...nx.configs['flat/angular-template'],
|
||||
...baseConfig,
|
||||
{
|
||||
files: ['**/*.ts'],
|
||||
rules: {
|
||||
'@angular-eslint/directive-selector': [
|
||||
'error',
|
||||
{
|
||||
type: 'attribute',
|
||||
prefix: 'app',
|
||||
style: 'camelCase',
|
||||
},
|
||||
],
|
||||
'@angular-eslint/component-selector': [
|
||||
'error',
|
||||
{
|
||||
type: 'element',
|
||||
prefix: 'app',
|
||||
style: 'kebab-case',
|
||||
},
|
||||
],
|
||||
},
|
||||
},
|
||||
{
|
||||
files: ['**/*.html'],
|
||||
// Override or add rules here
|
||||
rules: {},
|
||||
},
|
||||
];
|
||||
80
apps/self-service/project.json
Normal file
80
apps/self-service/project.json
Normal file
@@ -0,0 +1,80 @@
|
||||
{
|
||||
"name": "self-service",
|
||||
"$schema": "../../node_modules/nx/schemas/project-schema.json",
|
||||
"projectType": "application",
|
||||
"prefix": "app",
|
||||
"sourceRoot": "apps/self-service/src",
|
||||
"tags": [],
|
||||
"targets": {
|
||||
"build": {
|
||||
"executor": "@angular/build:application",
|
||||
"outputs": ["{options.outputPath}"],
|
||||
"defaultConfiguration": "production",
|
||||
"options": {
|
||||
"outputPath": "dist/apps/self-service",
|
||||
"browser": "apps/self-service/src/main.ts",
|
||||
"tsConfig": "apps/self-service/tsconfig.app.json",
|
||||
"assets": [
|
||||
{
|
||||
"glob": "**/*",
|
||||
"input": "apps/self-service/public"
|
||||
}
|
||||
],
|
||||
"styles": ["apps/self-service/src/styles.css"]
|
||||
},
|
||||
"configurations": {
|
||||
"production": {
|
||||
"budgets": [
|
||||
{
|
||||
"type": "initial",
|
||||
"maximumWarning": "500kb",
|
||||
"maximumError": "1mb"
|
||||
},
|
||||
{
|
||||
"type": "anyComponentStyle",
|
||||
"maximumWarning": "4kb",
|
||||
"maximumError": "8kb"
|
||||
}
|
||||
],
|
||||
"outputHashing": "all"
|
||||
},
|
||||
"development": {
|
||||
"optimization": false,
|
||||
"extractLicenses": false,
|
||||
"sourceMap": true
|
||||
}
|
||||
}
|
||||
},
|
||||
"serve": {
|
||||
"continuous": true,
|
||||
"executor": "@angular/build:dev-server",
|
||||
"defaultConfiguration": "development",
|
||||
"configurations": {
|
||||
"production": {
|
||||
"buildTarget": "self-service:build:production"
|
||||
},
|
||||
"development": {
|
||||
"buildTarget": "self-service:build:development"
|
||||
}
|
||||
}
|
||||
},
|
||||
"lint": {
|
||||
"executor": "@nx/eslint:lint"
|
||||
},
|
||||
"test": {
|
||||
"executor": "@angular/build:unit-test",
|
||||
"options": {
|
||||
"watch": false
|
||||
}
|
||||
},
|
||||
"serve-static": {
|
||||
"continuous": true,
|
||||
"executor": "@nx/web:file-server",
|
||||
"options": {
|
||||
"buildTarget": "self-service:build",
|
||||
"staticFilePath": "dist/apps/self-service/browser",
|
||||
"spa": true
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
BIN
apps/self-service/public/favicon.ico
Normal file
BIN
apps/self-service/public/favicon.ico
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 15 KiB |
10
apps/self-service/src/app/app.config.ts
Normal file
10
apps/self-service/src/app/app.config.ts
Normal file
@@ -0,0 +1,10 @@
|
||||
import {
|
||||
ApplicationConfig,
|
||||
provideBrowserGlobalErrorListeners,
|
||||
} from '@angular/core';
|
||||
import { provideRouter } from '@angular/router';
|
||||
import { appRoutes } from './app.routes';
|
||||
|
||||
export const appConfig: ApplicationConfig = {
|
||||
providers: [provideBrowserGlobalErrorListeners(), provideRouter(appRoutes)],
|
||||
};
|
||||
0
apps/self-service/src/app/app.css
Normal file
0
apps/self-service/src/app/app.css
Normal file
5
apps/self-service/src/app/app.html
Normal file
5
apps/self-service/src/app/app.html
Normal file
@@ -0,0 +1,5 @@
|
||||
<main>
|
||||
<h1>Zelfservice — BIG-registratie</h1>
|
||||
<p>Portaal voor zorgprofessionals. Inloggen en indienen volgt in S-08c.</p>
|
||||
<router-outlet></router-outlet>
|
||||
</main>
|
||||
3
apps/self-service/src/app/app.routes.ts
Normal file
3
apps/self-service/src/app/app.routes.ts
Normal file
@@ -0,0 +1,3 @@
|
||||
import { Route } from '@angular/router';
|
||||
|
||||
export const appRoutes: Route[] = [];
|
||||
17
apps/self-service/src/app/app.spec.ts
Normal file
17
apps/self-service/src/app/app.spec.ts
Normal file
@@ -0,0 +1,17 @@
|
||||
import { TestBed } from '@angular/core/testing';
|
||||
import { App } from './app';
|
||||
|
||||
describe('App', () => {
|
||||
beforeEach(async () => {
|
||||
await TestBed.configureTestingModule({
|
||||
imports: [App],
|
||||
}).compileComponents();
|
||||
});
|
||||
|
||||
it('renders the self-service portal heading', async () => {
|
||||
const fixture = TestBed.createComponent(App);
|
||||
await fixture.whenStable();
|
||||
const compiled = fixture.nativeElement as HTMLElement;
|
||||
expect(compiled.querySelector('h1')?.textContent).toContain('Zelfservice');
|
||||
});
|
||||
});
|
||||
12
apps/self-service/src/app/app.ts
Normal file
12
apps/self-service/src/app/app.ts
Normal file
@@ -0,0 +1,12 @@
|
||||
import { Component } from '@angular/core';
|
||||
import { RouterModule } from '@angular/router';
|
||||
|
||||
@Component({
|
||||
imports: [RouterModule],
|
||||
selector: 'app-root',
|
||||
templateUrl: './app.html',
|
||||
styleUrl: './app.css',
|
||||
})
|
||||
export class App {
|
||||
protected title = 'self-service';
|
||||
}
|
||||
13
apps/self-service/src/index.html
Normal file
13
apps/self-service/src/index.html
Normal file
@@ -0,0 +1,13 @@
|
||||
<!doctype html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
<meta charset="utf-8" />
|
||||
<title>self-service</title>
|
||||
<base href="/" />
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1" />
|
||||
<link rel="icon" type="image/x-icon" href="favicon.ico" />
|
||||
</head>
|
||||
<body>
|
||||
<app-root></app-root>
|
||||
</body>
|
||||
</html>
|
||||
5
apps/self-service/src/main.ts
Normal file
5
apps/self-service/src/main.ts
Normal file
@@ -0,0 +1,5 @@
|
||||
import { bootstrapApplication } from '@angular/platform-browser';
|
||||
import { appConfig } from './app/app.config';
|
||||
import { App } from './app/app';
|
||||
|
||||
bootstrapApplication(App, appConfig).catch((err) => console.error(err));
|
||||
1
apps/self-service/src/styles.css
Normal file
1
apps/self-service/src/styles.css
Normal file
@@ -0,0 +1 @@
|
||||
/* You can add global styles to this file, and also import other style files */
|
||||
9
apps/self-service/tsconfig.app.json
Normal file
9
apps/self-service/tsconfig.app.json
Normal file
@@ -0,0 +1,9 @@
|
||||
{
|
||||
"extends": "./tsconfig.json",
|
||||
"compilerOptions": {
|
||||
"outDir": "../../dist/out-tsc",
|
||||
"types": []
|
||||
},
|
||||
"include": ["src/**/*.ts"],
|
||||
"exclude": ["src/**/*.spec.ts", "src/**/*.test.ts"]
|
||||
}
|
||||
31
apps/self-service/tsconfig.json
Normal file
31
apps/self-service/tsconfig.json
Normal file
@@ -0,0 +1,31 @@
|
||||
{
|
||||
"extends": "../../tsconfig.base.json",
|
||||
"compilerOptions": {
|
||||
"strict": true,
|
||||
"noImplicitOverride": true,
|
||||
"noPropertyAccessFromIndexSignature": true,
|
||||
"noImplicitReturns": true,
|
||||
"noFallthroughCasesInSwitch": true,
|
||||
"isolatedModules": true,
|
||||
"target": "es2022",
|
||||
"moduleResolution": "bundler",
|
||||
"emitDecoratorMetadata": false,
|
||||
"module": "preserve"
|
||||
},
|
||||
"angularCompilerOptions": {
|
||||
"enableI18nLegacyMessageIdFormat": false,
|
||||
"strictInjectionParameters": true,
|
||||
"strictInputAccessModifiers": true,
|
||||
"strictTemplates": true
|
||||
},
|
||||
"files": [],
|
||||
"include": [],
|
||||
"references": [
|
||||
{
|
||||
"path": "./tsconfig.app.json"
|
||||
},
|
||||
{
|
||||
"path": "./tsconfig.spec.json"
|
||||
}
|
||||
]
|
||||
}
|
||||
8
apps/self-service/tsconfig.spec.json
Normal file
8
apps/self-service/tsconfig.spec.json
Normal file
@@ -0,0 +1,8 @@
|
||||
{
|
||||
"extends": "./tsconfig.json",
|
||||
"compilerOptions": {
|
||||
"outDir": "../../dist/out-tsc",
|
||||
"types": ["vitest/globals"]
|
||||
},
|
||||
"include": ["src/**/*.ts", "src/**/*.d.ts"]
|
||||
}
|
||||
74
docs/architecture/adr-0010-bff-oidc.md
Normal file
74
docs/architecture/adr-0010-bff-oidc.md
Normal file
@@ -0,0 +1,74 @@
|
||||
# ADR-0010: The BFF validates Keycloak tokens and is the portals' only backend
|
||||
|
||||
- **Status:** Accepted
|
||||
- **Date:** 2026-07-01
|
||||
- **Deciders:** Respellion engineering
|
||||
- **Relates to:** S-07 (#8); proposal #63; builds on ADR-0001 (loose coupling, §8.3), S-02 (#3, Keycloak realms), S-05 (#6, Domain Service), S-06 (#7, read projection)
|
||||
|
||||
## Context
|
||||
|
||||
S-07 (#8) adds the **BFF (Backend-for-Frontend)** — the single backend the Angular portals talk
|
||||
to (CLAUDE.md §8.3). For the walking skeleton it exposes two endpoints and fans out to services
|
||||
already built:
|
||||
|
||||
- `POST /self-service/registrations` → Domain Service `POST /registrations` (S-05).
|
||||
- `GET /openbaar/register?q=…` → projection-api `GET /register` (S-06).
|
||||
|
||||
It must validate tokens issued by Keycloak (S-02). This is an ADR-worthy moment (§14): a new
|
||||
dependency (JWT bearer authentication) and two new service boundaries (BFF→domain, BFF→projection).
|
||||
|
||||
## Decision
|
||||
|
||||
**The BFF is the portals' only backend; it validates Keycloak `digid`-realm JWTs on the
|
||||
self-service endpoint, leaves the openbaar lookup anonymous, and fans out to the domain and
|
||||
projection over typed HTTP clients.**
|
||||
|
||||
- **Auth model.** `POST /self-service/registrations` requires a valid `digid`-realm bearer token;
|
||||
the BFF reads the `bsn` claim and forwards it to the domain. Missing / invalid / expired token →
|
||||
**401**. `GET /openbaar/register` is **anonymous** — the openbaar register is a public lookup
|
||||
(S-09), so no token is required.
|
||||
- **Portals talk only to the BFF (§8.3).** They never call the Domain Service, ACL, projection, or
|
||||
OpenZaak directly. The BFF orchestrates via typed `HttpClient`s whose base URLs come from config.
|
||||
Downstream calls are unauthenticated on the internal network for the walking skeleton; a
|
||||
service-to-service auth story (e.g. client-credentials) is a later slice, not this one.
|
||||
- **Validation is `Microsoft.AspNetCore.Authentication.JwtBearer`** pointed at the Keycloak `digid`
|
||||
realm authority. **New dependency justification:** it gives us standards-based OIDC/JWT validation
|
||||
(signature, issuer, expiry, audience) maintained by the framework; rolling our own JWT validation
|
||||
would be error-prone security code; the risk is a first-party ASP.NET Core package — minimal.
|
||||
- **Tests mint their own tokens.** `WebApplicationFactory` tests override the bearer options with a
|
||||
**test signing key**, so valid / invalid / expired tokens are minted in-process without a live
|
||||
Keycloak. Real Keycloak validation is exercised by a live-stack `verify-bff` check.
|
||||
- **OpenAPI is generated and committed** (`services/bff/openapi.json`) from .NET's built-in OpenAPI,
|
||||
so S-08's Angular client is generated from the spec, never hand-written (§10).
|
||||
|
||||
## Known wrinkle — container OIDC issuer mismatch
|
||||
|
||||
Keycloak stamps tokens with an `iss` equal to its **browser-facing** URL (what the portal used to
|
||||
log in), which differs from the BFF's **in-container** authority (`http://keycloak:8080/realms/digid`).
|
||||
Strict issuer validation then rejects otherwise-valid tokens. Unit tests avoid this (test key).
|
||||
`verify-bff` handles it by aligning the configured authority/issuer with the token's `iss` (and, if
|
||||
needed, disabling metadata address rewriting). Recorded so it is not rediscovered each time.
|
||||
|
||||
## Consequences
|
||||
|
||||
- **Positive:** the walking skeleton gains its front door; §8.3 holds with all portal traffic going
|
||||
through one backend; token validation is standard and testable without infra; the committed
|
||||
OpenAPI unblocks S-08.
|
||||
- **Negative / deferred:**
|
||||
- Downstream service-to-service auth is deferred (internal-network trust for now).
|
||||
- The openbaar endpoint is anonymous; when public-safe field filtering tightens (S-09) it stays
|
||||
anonymous but the projection query narrows.
|
||||
- The issuer-mismatch handling is dev-oriented; a production reverse-proxy setup would align the
|
||||
browser and internal issuer URLs instead.
|
||||
|
||||
## Alternatives considered
|
||||
|
||||
- **Token-gate the openbaar endpoint too** — rejected: the openbaar register is public by design
|
||||
(S-09); requiring a login would contradict the slice's intent.
|
||||
- **Validate tokens by calling Keycloak's introspection endpoint per request** — rejected: adds a
|
||||
network hop per call and a Keycloak dependency on the hot path; local JWT signature validation via
|
||||
the realm's JWKS is the standard, faster choice.
|
||||
- **Hand-written JWT parsing** — rejected: security-sensitive code we shouldn't own when a
|
||||
first-party validator exists.
|
||||
- **Generate the OpenAPI client by hand / keep the spec uncommitted** — rejected: §10 requires a
|
||||
generated client from a committed spec.
|
||||
@@ -5,6 +5,96 @@ copy-pasteable walkthrough against a local `make up` stack.
|
||||
|
||||
---
|
||||
|
||||
## S-08a — Nx workspace + self-service portal skeleton
|
||||
|
||||
**Outcome:** the frontend foundation — an Nx (pnpm) monorepo with the `self-service` Angular app
|
||||
(standalone + signals), lint/test/build green in a CI Node lane. The login + submit form follow in
|
||||
S-08c.
|
||||
|
||||
```bash
|
||||
# From a fresh clone (Node 24 + pnpm 11):
|
||||
pnpm install # native builds are pre-approved in pnpm-workspace.yaml
|
||||
pnpm nx test self-service # Vitest component test
|
||||
pnpm nx build self-service # production build
|
||||
pnpm nx serve self-service # → http://localhost:4200 (placeholder page)
|
||||
# Or the CI-equivalent one-shot:
|
||||
make frontend # install + nx lint/test/build
|
||||
```
|
||||
|
||||
> Nx manages only `apps/`+`libs/`; the .NET services stay on `dotnet`/the Makefile. NL Design System
|
||||
> and the real form arrive in S-08c (#67); see `docs/frontend-decisions.md`.
|
||||
|
||||
---
|
||||
|
||||
## S-07 — BFF: the portals' single backend
|
||||
|
||||
**Outcome:** the BFF validates Keycloak `digid` tokens on the self-service submit (forwarding the
|
||||
bsn to the domain) and serves the openbaar register anonymously with only public-safe fields — the
|
||||
front door the portals (S-08/S-09) will talk to.
|
||||
|
||||
**The path:** portal → BFF `POST /self-service/registrations` (token-gated) → domain; and
|
||||
BFF `GET /openbaar/register` (anonymous) → projection-api. See ADR-0010.
|
||||
|
||||
```bash
|
||||
# 1. Bring the full stack up.
|
||||
make up
|
||||
|
||||
# 2. Drive the BFF end-to-end (401 without a token, 202 with a real digid token, anonymous openbaar).
|
||||
make verify-bff # → "OK — BFF: 401 without token, 202 with a digid token, anonymous ..."
|
||||
|
||||
# 3. Try it by hand (BFF on host port 8080).
|
||||
# a) A digid access token for the mock user jan-burger (bsn 123456782):
|
||||
tok=$(curl -s -X POST http://localhost:8180/realms/digid/protocol/openid-connect/token \
|
||||
-d grant_type=password -d client_id=big-portal -d username=jan-burger -d password=test123 \
|
||||
| python3 -c "import sys,json;print(json.load(sys.stdin)['access_token'])")
|
||||
|
||||
# b) Submit — without the token it is 401; with it, 202:
|
||||
curl -s -o /dev/null -w "no token -> %{http_code}\n" -X POST http://localhost:8080/self-service/registrations
|
||||
curl -s -o /dev/null -w "with token-> %{http_code}\n" -X POST http://localhost:8080/self-service/registrations \
|
||||
-H "Authorization: Bearer $tok"
|
||||
|
||||
# c) The openbaar register is anonymous and exposes only id + status (never the bsn):
|
||||
curl -fsS http://localhost:8080/openbaar/register | jq
|
||||
```
|
||||
|
||||
> The self-service token is validated against Keycloak's `digid` realm; the openbaar lookup needs no
|
||||
> token (S-09). The generated contract lives at `services/bff/openapi.json` — S-08's client is built
|
||||
> from it.
|
||||
|
||||
---
|
||||
|
||||
## S-05 — BIG Domain Service: submit a registration
|
||||
|
||||
**Outcome:** submitting a registration starts a Flowable process; the external-task worker
|
||||
opens a zaak via the ACL and records it on the aggregate — the upstream half of the skeleton
|
||||
that produces the zaak S-06 then projects.
|
||||
|
||||
**The path:** domain `POST /registrations` → Flowable `registratie` process → `OpenZaakAanmaken`
|
||||
worker → ACL → OpenZaak; `GET /registrations/{id}` shows the opened zaak (ADR-0009).
|
||||
|
||||
```bash
|
||||
# 1. Bring the full stack up (seeds config, builds our services, waits for health).
|
||||
make up
|
||||
|
||||
# 2. Drive the full path end-to-end. This also seeds a published BIG zaaktype and points the
|
||||
# ACL at it (the zaak's zaaktype URL is server-assigned, so it isn't known at bring-up).
|
||||
make verify-domain # → "OK — the domain opened a zaak and recorded it on the registration"
|
||||
|
||||
# 3. Submit one yourself (domain on host port 8130). Returns 202 + a Location to read back.
|
||||
loc=$(curl -fsS -D - -o /dev/null -X POST http://localhost:8130/registrations \
|
||||
-H 'Content-Type: application/json' -d '{"bsn":"123456782"}' | sed -n 's/\r$//; s/^[Ll]ocation: //p')
|
||||
|
||||
# 4. The worker opens the zaak off the request path (eventual consistency, ADR-0009); poll
|
||||
# until zaakUrl is filled. (Step 2 must have run first, so the ACL knows the zaaktype.)
|
||||
curl -fsS "http://localhost:8130$loc" | jq
|
||||
# → { "registrationId": "...", "status": "Ingediend", "zaakUrl": "http://.../zaken/api/v1/zaken/<uuid>" }
|
||||
```
|
||||
|
||||
> Registration state is in-memory for this slice (ADR-0009); the rebuildable read model is the
|
||||
> projection (S-06), fed by the very zaak this flow opens.
|
||||
|
||||
---
|
||||
|
||||
## S-06 — Event Subscriber + read projection
|
||||
|
||||
**Outcome:** a zaak created in OpenZaak flows through NRC to the Event Subscriber, which
|
||||
|
||||
50
docs/frontend-decisions.md
Normal file
50
docs/frontend-decisions.md
Normal file
@@ -0,0 +1,50 @@
|
||||
# Frontend decisions
|
||||
|
||||
A running log of frontend tooling and component decisions (CLAUDE.md §10). One entry per
|
||||
decision; record *why*, and note any deviation from NL Design System.
|
||||
|
||||
---
|
||||
|
||||
## Workspace & tooling (S-08a, #65)
|
||||
|
||||
The portals live in an **Nx monorepo at the repository root**, alongside the .NET `services/`.
|
||||
|
||||
- **Package manager: pnpm.** Native build scripts are approved explicitly in `pnpm-workspace.yaml`
|
||||
under `allowBuilds` (pnpm 11 fails the install otherwise). Node 24, pnpm 11.
|
||||
- **Angular, standalone components + signals, no NgModules** (§10). Apps are generated with
|
||||
`@nx/angular:application`.
|
||||
- **Unit tests: Vitest** via Angular's built-in `@angular/build:unit-test` (the `vitest-angular`
|
||||
runner). **Angular Testing Library** is added for component tests when the first real components
|
||||
land (S-08c); the S-08a placeholder uses a plain `TestBed` render assertion.
|
||||
- **Lint: ESLint** (flat config, `@nx/eslint`).
|
||||
- **Nx is scoped to `apps/` + `libs/` only.** The `@nx/docker` and `@nx/dotnet` plugins are **not**
|
||||
installed — the .NET services are built by `dotnet`/the Makefile, and `@nx/docker` would otherwise
|
||||
infer every `services/*/Dockerfile` as an unnamed Nx project and break the project graph.
|
||||
- **No Nx Cloud.** `nxCloudId` is stripped from `nx.json`; remote caching would depend on an
|
||||
external service, and the repo is Gitea-only (§8.7). Nx's "configure-ai-agents" additions
|
||||
(`.claude/settings.json`, a CLAUDE.md section referencing a GitHub marketplace) are **not**
|
||||
committed for the same reason.
|
||||
- **CI:** a `frontend` job (`make frontend` → `pnpm install --frozen-lockfile` + `nx run-many -t
|
||||
lint test build`) runs on pnpm + Node, with pinned action URLs (§15).
|
||||
|
||||
**NL Design System:** not yet introduced — the S-08a app is a placeholder. NL DS components arrive
|
||||
with the submit form (S-08c, #67); any deviation from NL DS will be recorded here.
|
||||
|
||||
---
|
||||
|
||||
## API client generator (S-08b, #66)
|
||||
|
||||
`libs/api-client` is **generated from `services/bff/openapi.json`** — never hand-written (§10).
|
||||
|
||||
- **Generator: orval** (`client: 'angular'`), a **node-based** generator (no Java, unlike
|
||||
`openapi-generator`), so it runs in the pnpm/Node CI lane. It emits an injectable
|
||||
`BffApiV1Service` using Angular's `HttpClient` — which means the DigiD bearer token can be attached
|
||||
by an **`HttpInterceptor`** (S-08c), the idiomatic Angular approach; a fetch-based SDK would bypass
|
||||
the interceptor pipeline.
|
||||
- **Config:** `libs/api-client/orval.config.ts` (single-file output into `src/lib/generated/`,
|
||||
`clean: true`, prettier). **Regenerate with `nx run api-client:generate`** after the BFF spec
|
||||
changes; the output is deterministic (idempotent), and `src/lib/generated/` is never hand-edited.
|
||||
- **Tested** against a mocked BFF via `HttpClientTesting` (`libs/api-client/src/lib/bff-api.spec.ts`).
|
||||
- The BFF endpoints carry no `operationId`, so orval synthesises method names
|
||||
(`postSelfServiceRegistrations`, `getOpenbaarRegister`); adding explicit operation ids to the BFF
|
||||
is a possible later polish.
|
||||
@@ -14,6 +14,7 @@ those containers share a filesystem — or a `localhost` — breaks.
|
||||
| `docker compose up --wait` is unsupported / flaky | poll health with `docker inspect` | `infra/wait-healthy.sh` |
|
||||
| `pg_isready` passes before PostGIS is ready | add a `PostGIS_Version()` probe | the db healthchecks |
|
||||
| `upload-artifact@v4` fails ("not supported on GHES") | pin `@v3` | `.gitea/workflows/ci.yaml` (`mutation` job) |
|
||||
| `upload-artifact@v3` fails with "Artifact service responded with 500" | mark the upload `continue-on-error: true` (server-side; issue #62) | `.gitea/workflows/ci.yaml` (`mutation` job) |
|
||||
|
||||
---
|
||||
|
||||
@@ -125,6 +126,22 @@ guard. Inputs are the same (`name`, `path`, `if-no-files-found`), so it is a dro
|
||||
swap. Do **not** bump to `@v4` until act_runner advertises github.com-compatible
|
||||
artifact support.
|
||||
|
||||
**Second failure mode — the server's artifact backend returns 500.** Even on the
|
||||
correctly-pinned `@v3`, uploads can fail with:
|
||||
|
||||
```
|
||||
Create Artifact Container - Attempt 5 of 5 failed with error: Artifact service responded with 500
|
||||
::error::Create Artifact Container failed: Artifact service responded with 500
|
||||
```
|
||||
|
||||
This is the **Gitea server's** artifact storage failing (not the action's GHES guard),
|
||||
so it is outside the repo's control. Because the `mutation` job's upload steps run with
|
||||
`if: always()`, that 500 would fail the job even though the ratchet passed. **Fix:** mark
|
||||
the uploads `continue-on-error: true` (issue #62). The mutation *gate* is the Stryker
|
||||
ratchet — `make mutation`'s exit code fails the job on a real regression — so the report
|
||||
upload is best-effort: when the server's artifact storage is restored, reports publish
|
||||
again with no workflow change.
|
||||
|
||||
---
|
||||
|
||||
## 5. A runner process can't reach a service container's published port
|
||||
|
||||
58
eslint.config.mjs
Normal file
58
eslint.config.mjs
Normal file
@@ -0,0 +1,58 @@
|
||||
import nx from '@nx/eslint-plugin';
|
||||
|
||||
export default [
|
||||
...nx.configs['flat/base'],
|
||||
...nx.configs['flat/typescript'],
|
||||
...nx.configs['flat/javascript'],
|
||||
{
|
||||
ignores: [
|
||||
'**/dist',
|
||||
'**/vite.config.*.timestamp*',
|
||||
'**/vitest.config.*.timestamp*',
|
||||
],
|
||||
},
|
||||
{
|
||||
files: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx'],
|
||||
rules: {
|
||||
'@nx/enforce-module-boundaries': [
|
||||
'error',
|
||||
{
|
||||
enforceBuildableLibDependency: true,
|
||||
allow: ['^.*/eslint(\\.base)?\\.config\\.[cm]?[jt]s$'],
|
||||
depConstraints: [
|
||||
{
|
||||
sourceTag: 'scope:shared',
|
||||
onlyDependOnLibsWithTags: ['scope:shared'],
|
||||
},
|
||||
{
|
||||
sourceTag: 'scope:shop',
|
||||
onlyDependOnLibsWithTags: ['scope:shop', 'scope:shared'],
|
||||
},
|
||||
{
|
||||
sourceTag: 'scope:api',
|
||||
onlyDependOnLibsWithTags: ['scope:api', 'scope:shared'],
|
||||
},
|
||||
{
|
||||
sourceTag: 'type:data',
|
||||
onlyDependOnLibsWithTags: ['type:data'],
|
||||
},
|
||||
],
|
||||
},
|
||||
],
|
||||
},
|
||||
},
|
||||
{
|
||||
files: [
|
||||
'**/*.ts',
|
||||
'**/*.tsx',
|
||||
'**/*.cts',
|
||||
'**/*.mts',
|
||||
'**/*.js',
|
||||
'**/*.jsx',
|
||||
'**/*.cjs',
|
||||
'**/*.mjs',
|
||||
],
|
||||
// Override or add rules here
|
||||
rules: {},
|
||||
},
|
||||
];
|
||||
@@ -285,7 +285,9 @@ services:
|
||||
dockerfile: Dockerfile
|
||||
image: register-referentie/acl:dev
|
||||
environment:
|
||||
Acl__OpenZaak__BaseUrl: http://openzaak:8000/
|
||||
# Overridable so verify-domain can point the ACL at the same OpenZaak host that
|
||||
# owns the seeded zaaktype URL (host-consistent zaak creation, ADR-0009).
|
||||
Acl__OpenZaak__BaseUrl: ${ACL_OPENZAAK_BASEURL:-http://openzaak:8000/}
|
||||
Acl__OpenZaak__ClientId: big-reference-seed
|
||||
Acl__OpenZaak__Secret: insecure-dev-secret-change-me
|
||||
Acl__Defaults__Bronorganisatie: "517439943"
|
||||
@@ -306,12 +308,49 @@ services:
|
||||
condition: service_healthy
|
||||
networks: [cg]
|
||||
|
||||
# ── BIG Domain Service (S-05) ──────────────────────────────────────────────
|
||||
# Orchestrates a registration: POST /registrations creates the aggregate and
|
||||
# starts the registratie Flowable process; a hosted worker acquires the
|
||||
# OpenZaakAanmaken job, opens a zaak via the ACL and completes it (ADR-0009).
|
||||
# Talks only to Flowable (Workflow Client, §8.2) and the ACL (§8.1).
|
||||
domain:
|
||||
build:
|
||||
context: ../services/domain
|
||||
dockerfile: Dockerfile
|
||||
image: register-referentie/domain:dev
|
||||
environment:
|
||||
Flowable__BaseUrl: http://flowable-rest:8080/flowable-rest/
|
||||
Flowable__Username: rest-admin
|
||||
Flowable__Password: test
|
||||
Acl__BaseUrl: http://acl:8080/
|
||||
ports:
|
||||
- "8130:8080"
|
||||
healthcheck:
|
||||
test: ["CMD", "curl", "-fsS", "http://localhost:8080/health"]
|
||||
interval: 5s
|
||||
timeout: 3s
|
||||
retries: 5
|
||||
start_period: 10s
|
||||
depends_on:
|
||||
acl:
|
||||
condition: service_healthy
|
||||
flowable-init:
|
||||
condition: service_completed_successfully
|
||||
networks: [cg]
|
||||
|
||||
# ── BFF ──────────────────────────────────────────────────────────────────
|
||||
bff:
|
||||
build:
|
||||
context: ../services/bff
|
||||
dockerfile: Dockerfile
|
||||
image: register-referentie/bff:dev
|
||||
environment:
|
||||
# The BFF is the portals' only backend; it validates digid tokens and fans out (ADR-0010).
|
||||
# Keycloak (start-dev) derives the issuer from the request host, so the BFF authority and the
|
||||
# verify token request both use keycloak:8080 to keep the issuer consistent.
|
||||
Keycloak__Authority: http://keycloak:8080/realms/digid
|
||||
Downstream__Domain__BaseUrl: http://domain:8080/
|
||||
Downstream__Projection__BaseUrl: http://projection-api:8080/
|
||||
ports:
|
||||
- "8080:8080"
|
||||
healthcheck:
|
||||
@@ -320,6 +359,13 @@ services:
|
||||
timeout: 3s
|
||||
retries: 5
|
||||
start_period: 10s
|
||||
depends_on:
|
||||
domain:
|
||||
condition: service_healthy
|
||||
projection-api:
|
||||
condition: service_healthy
|
||||
keycloak:
|
||||
condition: service_started
|
||||
networks: [cg]
|
||||
|
||||
# ── Read projection (S-06) ────────────────────────────────────────────────
|
||||
|
||||
@@ -210,6 +210,10 @@ def main():
|
||||
print(f"zaaktypen in BIG: {names}")
|
||||
assert "BIG-REGISTRATIE" in names, "BIG-REGISTRATIE not listed"
|
||||
state = "published" if PUBLISH else "concept"
|
||||
# Machine-readable line so callers (e.g. infra/run-domain-check.sh) can capture the
|
||||
# zaaktype URL to configure the ACL's default-fill (ADR-0003/0009).
|
||||
zt_url = next(z["url"] for z in zaaktypen if z.get("identificatie") == "BIG-REGISTRATIE")
|
||||
print(f"ZAAKTYPE_URL {zt_url}")
|
||||
print(f"OK — BIG catalogus seeded (BIG-REGISTRATIE {state} + bsn eigenschap)")
|
||||
|
||||
|
||||
|
||||
58
infra/run-bff-check.sh
Executable file
58
infra/run-bff-check.sh
Executable file
@@ -0,0 +1,58 @@
|
||||
#!/usr/bin/env bash
|
||||
#
|
||||
# Verify the BFF end-to-end (S-07) against an ALREADY-RUNNING full stack. The BFF is the portals'
|
||||
# only backend (§8.3): it validates Keycloak digid tokens on the self-service submit and serves the
|
||||
# openbaar register anonymously with only public-safe fields (ADR-0010).
|
||||
#
|
||||
# Checks, in-network (services reached by container IP; Keycloak by its service name so the token's
|
||||
# host-derived issuer matches the BFF's authority — see the compose bff env and ADR-0010):
|
||||
# 1. POST /self-service/registrations without a token -> 401
|
||||
# 2. mint a real digid access token (direct grant) and POST it -> 202 (forwarded to the domain)
|
||||
# 3. GET /openbaar/register (anonymous) -> 200 JSON array, never a bsn
|
||||
#
|
||||
# Does NOT manage the stack lifecycle (the caller owns bring-up + teardown). Plain docker primitives.
|
||||
set -euo pipefail
|
||||
|
||||
ip() { docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "$1"; }
|
||||
|
||||
bff="$(docker ps -q --filter 'name=[-_]bff[-_]' | head -1)"
|
||||
kc="$(docker ps -q --filter 'name=keycloak' | head -1)"
|
||||
[ -n "$bff" ] || { echo "ERROR: no running bff container — bring the stack up first" >&2; exit 1; }
|
||||
[ -n "$kc" ] || { echo "ERROR: no running keycloak container — bring the stack up first" >&2; exit 1; }
|
||||
net="$(docker inspect -f '{{range $k,$_ := .NetworkSettings.Networks}}{{$k}}{{"\n"}}{{end}}' "$bff" | head -1)"
|
||||
bff_ip="$(ip "$bff")"
|
||||
echo ">> bff=$bff_ip network=$net"
|
||||
|
||||
# Helper: run curl inside a throwaway container on the stack network (reaches services by name/IP).
|
||||
net_curl() { docker run --rm --network "$net" curlimages/curl:latest "$@"; }
|
||||
|
||||
echo ">> 1. self-service submit without a token must be 401"
|
||||
code="$(net_curl -s -o /dev/null -w '%{http_code}' -X POST "http://$bff_ip:8080/self-service/registrations" \
|
||||
-H 'Content-Type: application/json' -d '{}')"
|
||||
echo " -> $code"; [ "$code" = "401" ] || { echo "FAIL: expected 401, got $code" >&2; exit 1; }
|
||||
|
||||
echo ">> 2. minting a digid token (direct grant) via keycloak:8080 (host-consistent issuer)"
|
||||
token=""
|
||||
for _ in $(seq 1 20); do
|
||||
token="$(net_curl -s -X POST "http://keycloak:8080/realms/digid/protocol/openid-connect/token" \
|
||||
-H 'Content-Type: application/x-www-form-urlencoded' \
|
||||
--data-urlencode 'grant_type=password' --data-urlencode 'client_id=big-portal' \
|
||||
--data-urlencode 'username=jan-burger' --data-urlencode 'password=test123' \
|
||||
| sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p')"
|
||||
[ -n "$token" ] && break
|
||||
sleep 3
|
||||
done
|
||||
[ -n "$token" ] || { echo "FAIL: could not obtain a digid access token" >&2; exit 1; }
|
||||
echo " -> got a token"
|
||||
|
||||
echo ">> 2b. self-service submit with the token must be 202"
|
||||
code="$(net_curl -s -o /dev/null -w '%{http_code}' -X POST "http://$bff_ip:8080/self-service/registrations" \
|
||||
-H "Authorization: Bearer $token" -H 'Content-Type: application/json' -d '{}')"
|
||||
echo " -> $code"; [ "$code" = "202" ] || { echo "FAIL: expected 202, got $code" >&2; docker logs "$bff" 2>&1 | tail -15 >&2; exit 1; }
|
||||
|
||||
echo ">> 3. openbaar register (anonymous) must be 200 JSON, never a bsn"
|
||||
body="$(net_curl -s "http://$bff_ip:8080/openbaar/register")"
|
||||
echo "$body" | grep -q '^\[' || { echo "FAIL: openbaar did not return a JSON array: $body" >&2; exit 1; }
|
||||
if echo "$body" | grep -q '"bsn"'; then echo "FAIL: openbaar leaked a bsn field" >&2; exit 1; fi
|
||||
|
||||
echo "OK — BFF: 401 without token, 202 with a digid token, anonymous public-safe openbaar register"
|
||||
68
infra/run-domain-check.sh
Executable file
68
infra/run-domain-check.sh
Executable file
@@ -0,0 +1,68 @@
|
||||
#!/usr/bin/env bash
|
||||
#
|
||||
# Verify the BIG Domain Service end-to-end (S-05) against an ALREADY-RUNNING full stack:
|
||||
# domain → Flowable (start the registratie process + external-task worker) → ACL → OpenZaak.
|
||||
# Submits a registration to the domain and asserts the worker opens a zaak in OpenZaak and
|
||||
# records its URL on the aggregate (ADR-0009).
|
||||
#
|
||||
# The seeded zaaktype URL is server-assigned, so it isn't knowable at initial bring-up. This
|
||||
# script therefore seeds a published BIG zaaktype and recreates the `acl` service configured to
|
||||
# default-fill it — pointing the ACL at the SAME OpenZaak host that owns the URL, so zaak creation
|
||||
# is host-consistent (exactly the configuration the ACL integration test proves, ADR-0006). That
|
||||
# one recreate aside, the caller owns stack bring-up + teardown.
|
||||
#
|
||||
# All in-network, reaching services by container IP (a single-label host isn't URL-valid; the
|
||||
# runner can't reach published ports — gitea-actions-gotchas.md §5/§6). Plain docker primitives.
|
||||
set -euo pipefail
|
||||
|
||||
here="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
||||
root="$(cd "$here/.." && pwd)"
|
||||
compose="$root/infra/docker-compose.yml"
|
||||
|
||||
ip() { docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "$1"; }
|
||||
|
||||
oz="$(docker ps -q --filter 'name=[-_]openzaak[-_]' | head -1)"
|
||||
dom="$(docker ps -q --filter 'name=domain' | head -1)"
|
||||
[ -n "$oz" ] || { echo "ERROR: no running OpenZaak container — bring the stack up first" >&2; exit 1; }
|
||||
[ -n "$dom" ] || { echo "ERROR: no running domain container — bring the stack up first" >&2; exit 1; }
|
||||
net="$(docker inspect -f '{{range $k,$_ := .NetworkSettings.Networks}}{{$k}}{{"\n"}}{{end}}' "$oz" | head -1)"
|
||||
oz_ip="$(ip "$oz")"; dom_ip="$(ip "$dom")"
|
||||
oz_base="http://$oz_ip:8000"
|
||||
echo ">> openzaak=$oz_ip domain=$dom_ip network=$net"
|
||||
|
||||
echo ">> seeding a published BIG zaaktype (idempotent) and capturing its URL"
|
||||
sid="$(docker create --network "$net" -e "OZ_BASE=$oz_base" -e OZ_PUBLISH=1 python:3-slim python /seed.py)"
|
||||
docker cp "$here/openzaak/seed_catalogus.py" "$sid:/seed.py" >/dev/null
|
||||
zt_url="$(docker start -a "$sid" | sed -n 's/^ZAAKTYPE_URL //p' | head -1)"
|
||||
docker rm -f "$sid" >/dev/null
|
||||
[ -n "$zt_url" ] || { echo "ERROR: seed did not report a ZAAKTYPE_URL" >&2; exit 1; }
|
||||
echo ">> zaaktype: $zt_url"
|
||||
|
||||
echo ">> recreating the acl service pointed at the seeded zaaktype (host-consistent)"
|
||||
ACL_ZAAKTYPE_URL="$zt_url" ACL_OPENZAAK_BASEURL="$oz_base/" docker compose -f "$compose" up -d acl
|
||||
WAIT_TIMEOUT="${WAIT_TIMEOUT:-120}" bash "$here/wait-healthy.sh" acl
|
||||
|
||||
echo ">> submitting a registration to the domain"
|
||||
loc="$(docker run --rm --network "$net" curlimages/curl:latest \
|
||||
-fsS -D - -o /dev/null -X POST "http://$dom_ip:8080/registrations" \
|
||||
-H 'Content-Type: application/json' -d '{"bsn":"123456782"}' \
|
||||
| sed -n 's/\r$//; s/^[Ll]ocation: //p' | head -1)"
|
||||
[ -n "$loc" ] || { echo "ERROR: POST /registrations returned no Location" >&2; exit 1; }
|
||||
echo ">> registration accepted at $loc"
|
||||
|
||||
echo ">> polling the domain until the worker records the opened zaak"
|
||||
for _ in $(seq 1 30); do
|
||||
body="$(docker run --rm --network "$net" curlimages/curl:latest \
|
||||
-fsS "http://$dom_ip:8080$loc" 2>/dev/null || true)"
|
||||
if echo "$body" | grep -q '/zaken/api/v1/zaken/'; then
|
||||
echo "OK — the domain opened a zaak and recorded it on the registration:"
|
||||
echo "$body" | cut -c1-300
|
||||
exit 0
|
||||
fi
|
||||
sleep 2
|
||||
done
|
||||
echo "FAIL — the registration never received a zaak URL" >&2
|
||||
echo "--- domain log ---" >&2; docker logs "$dom" 2>&1 | tail -15 >&2
|
||||
acl="$(docker ps -q --filter 'name=[-_]acl[-_]' | head -1)"
|
||||
[ -n "$acl" ] && { echo "--- acl log ---" >&2; docker logs "$acl" 2>&1 | tail -15 >&2; }
|
||||
exit 1
|
||||
7
libs/api-client/README.md
Normal file
7
libs/api-client/README.md
Normal file
@@ -0,0 +1,7 @@
|
||||
# api-client
|
||||
|
||||
This library was generated with [Nx](https://nx.dev).
|
||||
|
||||
## Running unit tests
|
||||
|
||||
Run `nx test api-client` to execute the unit tests.
|
||||
34
libs/api-client/eslint.config.mjs
Normal file
34
libs/api-client/eslint.config.mjs
Normal file
@@ -0,0 +1,34 @@
|
||||
import nx from '@nx/eslint-plugin';
|
||||
import baseConfig from '../../eslint.config.mjs';
|
||||
|
||||
export default [
|
||||
...nx.configs['flat/angular'],
|
||||
...nx.configs['flat/angular-template'],
|
||||
...baseConfig,
|
||||
{
|
||||
files: ['**/*.ts'],
|
||||
rules: {
|
||||
'@angular-eslint/directive-selector': [
|
||||
'error',
|
||||
{
|
||||
type: 'attribute',
|
||||
prefix: 'lib',
|
||||
style: 'camelCase',
|
||||
},
|
||||
],
|
||||
'@angular-eslint/component-selector': [
|
||||
'error',
|
||||
{
|
||||
type: 'element',
|
||||
prefix: 'lib',
|
||||
style: 'kebab-case',
|
||||
},
|
||||
],
|
||||
},
|
||||
},
|
||||
{
|
||||
files: ['**/*.html'],
|
||||
// Override or add rules here
|
||||
rules: {},
|
||||
},
|
||||
];
|
||||
17
libs/api-client/orval.config.ts
Normal file
17
libs/api-client/orval.config.ts
Normal file
@@ -0,0 +1,17 @@
|
||||
import { defineConfig } from 'orval';
|
||||
|
||||
// Generates the BFF client (Angular HttpClient service + models) from the committed
|
||||
// OpenAPI contract. Never hand-edit the generated output — re-run `nx run api-client:generate`
|
||||
// after the BFF spec changes (CLAUDE.md §10; docs/frontend-decisions.md).
|
||||
export default defineConfig({
|
||||
bff: {
|
||||
input: '../../services/bff/openapi.json',
|
||||
output: {
|
||||
target: './src/lib/generated/bff-api.ts',
|
||||
client: 'angular',
|
||||
mode: 'single',
|
||||
clean: true,
|
||||
prettier: true,
|
||||
},
|
||||
},
|
||||
});
|
||||
20
libs/api-client/project.json
Normal file
20
libs/api-client/project.json
Normal file
@@ -0,0 +1,20 @@
|
||||
{
|
||||
"name": "api-client",
|
||||
"$schema": "../../node_modules/nx/schemas/project-schema.json",
|
||||
"sourceRoot": "libs/api-client/src",
|
||||
"prefix": "lib",
|
||||
"projectType": "library",
|
||||
"tags": [],
|
||||
"targets": {
|
||||
"lint": {
|
||||
"executor": "@nx/eslint:lint"
|
||||
},
|
||||
"generate": {
|
||||
"executor": "nx:run-commands",
|
||||
"options": {
|
||||
"command": "orval --config orval.config.ts",
|
||||
"cwd": "libs/api-client"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
3
libs/api-client/src/index.ts
Normal file
3
libs/api-client/src/index.ts
Normal file
@@ -0,0 +1,3 @@
|
||||
// The BFF API client is generated from services/bff/openapi.json (orval); never hand-edit
|
||||
// src/lib/generated. Re-run `nx run api-client:generate` after the BFF spec changes.
|
||||
export * from './lib/generated/bff-api';
|
||||
50
libs/api-client/src/lib/bff-api.spec.ts
Normal file
50
libs/api-client/src/lib/bff-api.spec.ts
Normal file
@@ -0,0 +1,50 @@
|
||||
import { provideHttpClient } from '@angular/common/http';
|
||||
import {
|
||||
HttpTestingController,
|
||||
provideHttpClientTesting,
|
||||
} from '@angular/common/http/testing';
|
||||
import { TestBed } from '@angular/core/testing';
|
||||
import {
|
||||
BffApiV1Service,
|
||||
type OpenbaarEntry,
|
||||
type SubmitAccepted,
|
||||
} from '../index';
|
||||
|
||||
describe('BffApiV1Service (generated from services/bff/openapi.json)', () => {
|
||||
let service: BffApiV1Service;
|
||||
let http: HttpTestingController;
|
||||
|
||||
beforeEach(() => {
|
||||
TestBed.configureTestingModule({
|
||||
providers: [provideHttpClient(), provideHttpClientTesting()],
|
||||
});
|
||||
service = TestBed.inject(BffApiV1Service);
|
||||
http = TestBed.inject(HttpTestingController);
|
||||
});
|
||||
|
||||
afterEach(() => http.verify());
|
||||
|
||||
it('submits a registration via POST /self-service/registrations', () => {
|
||||
let result: SubmitAccepted | undefined;
|
||||
service.postSelfServiceRegistrations().subscribe((r) => (result = r));
|
||||
|
||||
const req = http.expectOne('/self-service/registrations');
|
||||
expect(req.request.method).toBe('POST');
|
||||
req.flush({ registrationId: 'reg-1', status: 'Ingediend' });
|
||||
|
||||
expect(result?.registrationId).toBe('reg-1');
|
||||
expect(result?.status).toBe('Ingediend');
|
||||
});
|
||||
|
||||
it('reads the openbaar register via GET /openbaar/register with the query', () => {
|
||||
let rows: OpenbaarEntry[] | undefined;
|
||||
service.getOpenbaarRegister({ q: 'abc' }).subscribe((r) => (rows = r));
|
||||
|
||||
const req = http.expectOne((r) => r.url === '/openbaar/register');
|
||||
expect(req.request.method).toBe('GET');
|
||||
expect(req.request.params.get('q')).toBe('abc');
|
||||
req.flush([{ id: 'abc-111', status: 'INGEDIEND' }]);
|
||||
|
||||
expect(rows?.[0].id).toBe('abc-111');
|
||||
});
|
||||
});
|
||||
216
libs/api-client/src/lib/generated/bff-api.ts
Normal file
216
libs/api-client/src/lib/generated/bff-api.ts
Normal file
@@ -0,0 +1,216 @@
|
||||
/**
|
||||
* Generated by orval v8.19.0 🍺
|
||||
* Do not edit manually.
|
||||
* Bff.Api | v1
|
||||
* OpenAPI spec version: 1.0.0
|
||||
*/
|
||||
import {
|
||||
HttpClient,
|
||||
HttpHeaders,
|
||||
HttpResponse as AngularHttpResponse
|
||||
} from '@angular/common/http';
|
||||
import type {
|
||||
HttpContext,
|
||||
HttpEvent,
|
||||
HttpParams
|
||||
} from '@angular/common/http';
|
||||
|
||||
import {
|
||||
Injectable,
|
||||
inject
|
||||
} from '@angular/core';
|
||||
|
||||
import {
|
||||
Observable
|
||||
} from 'rxjs';
|
||||
|
||||
export interface OpenbaarEntry {
|
||||
id: string;
|
||||
status: string;
|
||||
}
|
||||
|
||||
export interface SubmitAccepted {
|
||||
registrationId: string;
|
||||
status: string;
|
||||
}
|
||||
|
||||
export type GetOpenbaarRegisterParams = {
|
||||
q?: string;
|
||||
};
|
||||
|
||||
interface HttpClientOptions {
|
||||
readonly headers?: HttpHeaders | Record<string, string | string[]>;
|
||||
readonly context?: HttpContext;
|
||||
readonly params?:
|
||||
| HttpParams
|
||||
| Record<string, string | number | boolean | Array<string | number | boolean>>;
|
||||
readonly reportProgress?: boolean;
|
||||
readonly withCredentials?: boolean;
|
||||
readonly credentials?: RequestCredentials;
|
||||
readonly keepalive?: boolean;
|
||||
readonly priority?: RequestPriority;
|
||||
readonly cache?: RequestCache;
|
||||
readonly mode?: RequestMode;
|
||||
readonly redirect?: RequestRedirect;
|
||||
readonly referrer?: string;
|
||||
readonly integrity?: string;
|
||||
readonly referrerPolicy?: ReferrerPolicy;
|
||||
readonly transferCache?: {includeHeaders?: string[]} | boolean;
|
||||
readonly timeout?: number;
|
||||
}
|
||||
|
||||
type HttpClientBodyOptions = HttpClientOptions & {
|
||||
readonly observe?: 'body';
|
||||
};
|
||||
|
||||
type HttpClientEventOptions = HttpClientOptions & {
|
||||
readonly observe: 'events';
|
||||
};
|
||||
|
||||
type HttpClientResponseOptions = HttpClientOptions & {
|
||||
readonly observe: 'response';
|
||||
};
|
||||
|
||||
type HttpClientObserveOptions = HttpClientOptions & {
|
||||
readonly observe?: 'body' | 'events' | 'response';
|
||||
};
|
||||
|
||||
type AngularHttpParamValue = string | number | boolean | Array<string | number | boolean>;
|
||||
type AngularHttpParamValueWithNullable = AngularHttpParamValue | null;
|
||||
|
||||
function filterParams(
|
||||
params: Record<string, unknown>,
|
||||
requiredNullableKeys?: ReadonlySet<string>,
|
||||
preserveRequiredNullables?: false,
|
||||
passthroughKeys?: undefined,
|
||||
): Record<string, AngularHttpParamValue>;
|
||||
function filterParams(
|
||||
params: Record<string, unknown>,
|
||||
requiredNullableKeys: ReadonlySet<string> | undefined,
|
||||
preserveRequiredNullables: true,
|
||||
passthroughKeys?: undefined,
|
||||
): Record<string, AngularHttpParamValueWithNullable>;
|
||||
function filterParams(
|
||||
params: Record<string, unknown>,
|
||||
requiredNullableKeys: ReadonlySet<string> | undefined,
|
||||
preserveRequiredNullables: boolean | undefined,
|
||||
passthroughKeys: ReadonlySet<string>,
|
||||
): Record<string, unknown>;
|
||||
function filterParams(
|
||||
params: Record<string, unknown>,
|
||||
requiredNullableKeys: ReadonlySet<string> = new Set(),
|
||||
preserveRequiredNullables = false,
|
||||
passthroughKeys: ReadonlySet<string> = new Set(),
|
||||
): Record<string, unknown> {
|
||||
const filteredParams: Record<string, unknown> = {};
|
||||
for (const [key, value] of Object.entries(params)) {
|
||||
if (passthroughKeys.has(key)) {
|
||||
if (value !== undefined) {
|
||||
filteredParams[key] = value;
|
||||
}
|
||||
continue;
|
||||
}
|
||||
if (Array.isArray(value)) {
|
||||
const filtered = value.filter(
|
||||
(item) =>
|
||||
item != null &&
|
||||
(typeof item === 'string' ||
|
||||
typeof item === 'number' ||
|
||||
typeof item === 'boolean'),
|
||||
) as Array<string | number | boolean>;
|
||||
if (filtered.length) {
|
||||
filteredParams[key] = filtered;
|
||||
}
|
||||
} else if (
|
||||
preserveRequiredNullables &&
|
||||
value === null &&
|
||||
requiredNullableKeys.has(key)
|
||||
) {
|
||||
filteredParams[key] = null;
|
||||
} else if (
|
||||
value != null &&
|
||||
(typeof value === 'string' ||
|
||||
typeof value === 'number' ||
|
||||
typeof value === 'boolean')
|
||||
) {
|
||||
filteredParams[key] = value;
|
||||
}
|
||||
}
|
||||
return filteredParams;
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@Injectable({ providedIn: 'root' })
|
||||
export class BffApiV1Service {
|
||||
private readonly http = inject(HttpClient);
|
||||
postSelfServiceRegistrations<TData = SubmitAccepted>( options?: HttpClientBodyOptions): Observable<TData>;
|
||||
postSelfServiceRegistrations<TData = SubmitAccepted>( options?: HttpClientEventOptions): Observable<HttpEvent<TData>>;
|
||||
postSelfServiceRegistrations<TData = SubmitAccepted>( options?: HttpClientResponseOptions): Observable<AngularHttpResponse<TData>>;
|
||||
postSelfServiceRegistrations<TData = SubmitAccepted>(
|
||||
options?: HttpClientObserveOptions): Observable<TData | HttpEvent<TData> | AngularHttpResponse<TData>> {
|
||||
if (options?.observe === 'events') {
|
||||
return this.http.post<TData>(
|
||||
`/self-service/registrations`,
|
||||
undefined,{
|
||||
...(options as Omit<NonNullable<typeof options>, 'observe'>),
|
||||
observe: 'events',
|
||||
}
|
||||
);
|
||||
}
|
||||
|
||||
if (options?.observe === 'response') {
|
||||
return this.http.post<TData>(
|
||||
`/self-service/registrations`,
|
||||
undefined,{
|
||||
...(options as Omit<NonNullable<typeof options>, 'observe'>),
|
||||
observe: 'response',
|
||||
}
|
||||
);
|
||||
}
|
||||
|
||||
return this.http.post<TData>(
|
||||
`/self-service/registrations`,
|
||||
undefined,{
|
||||
...(options as Omit<NonNullable<typeof options>, 'observe'>),
|
||||
observe: 'body',
|
||||
}
|
||||
);
|
||||
}
|
||||
|
||||
getOpenbaarRegister<TData = OpenbaarEntry[]>(params?: GetOpenbaarRegisterParams, options?: HttpClientBodyOptions): Observable<TData>;
|
||||
getOpenbaarRegister<TData = OpenbaarEntry[]>(params?: GetOpenbaarRegisterParams, options?: HttpClientEventOptions): Observable<HttpEvent<TData>>;
|
||||
getOpenbaarRegister<TData = OpenbaarEntry[]>(params?: GetOpenbaarRegisterParams, options?: HttpClientResponseOptions): Observable<AngularHttpResponse<TData>>;
|
||||
getOpenbaarRegister<TData = OpenbaarEntry[]>(
|
||||
params?: GetOpenbaarRegisterParams, options?: HttpClientObserveOptions): Observable<TData | HttpEvent<TData> | AngularHttpResponse<TData>> {
|
||||
const filteredParams = filterParams({...params, ...options?.params}, new Set<string>([]));
|
||||
|
||||
if (options?.observe === 'events') {
|
||||
return this.http.get<TData>(
|
||||
`/openbaar/register`,{
|
||||
...(options as Omit<NonNullable<typeof options>, 'observe'>),
|
||||
observe: 'events',
|
||||
params: filteredParams,}
|
||||
);
|
||||
}
|
||||
|
||||
if (options?.observe === 'response') {
|
||||
return this.http.get<TData>(
|
||||
`/openbaar/register`,{
|
||||
...(options as Omit<NonNullable<typeof options>, 'observe'>),
|
||||
observe: 'response',
|
||||
params: filteredParams,}
|
||||
);
|
||||
}
|
||||
|
||||
return this.http.get<TData>(
|
||||
`/openbaar/register`,{
|
||||
...(options as Omit<NonNullable<typeof options>, 'observe'>),
|
||||
observe: 'body',
|
||||
params: filteredParams,}
|
||||
);
|
||||
}
|
||||
|
||||
};
|
||||
5
libs/api-client/src/test-setup.ts
Normal file
5
libs/api-client/src/test-setup.ts
Normal file
@@ -0,0 +1,5 @@
|
||||
import '@angular/compiler';
|
||||
import '@analogjs/vitest-angular/setup-snapshots';
|
||||
import { setupTestBed } from '@analogjs/vitest-angular/setup-testbed';
|
||||
|
||||
setupTestBed({ zoneless: false });
|
||||
31
libs/api-client/tsconfig.json
Normal file
31
libs/api-client/tsconfig.json
Normal file
@@ -0,0 +1,31 @@
|
||||
{
|
||||
"extends": "../../tsconfig.base.json",
|
||||
"compilerOptions": {
|
||||
"isolatedModules": true,
|
||||
"target": "es2022",
|
||||
"moduleResolution": "bundler",
|
||||
"strict": true,
|
||||
"noImplicitOverride": true,
|
||||
"noPropertyAccessFromIndexSignature": true,
|
||||
"noImplicitReturns": true,
|
||||
"noFallthroughCasesInSwitch": true,
|
||||
"emitDecoratorMetadata": false,
|
||||
"module": "preserve"
|
||||
},
|
||||
"angularCompilerOptions": {
|
||||
"enableI18nLegacyMessageIdFormat": false,
|
||||
"strictInjectionParameters": true,
|
||||
"strictInputAccessModifiers": true,
|
||||
"strictTemplates": true
|
||||
},
|
||||
"files": [],
|
||||
"include": [],
|
||||
"references": [
|
||||
{
|
||||
"path": "./tsconfig.lib.json"
|
||||
},
|
||||
{
|
||||
"path": "./tsconfig.spec.json"
|
||||
}
|
||||
]
|
||||
}
|
||||
26
libs/api-client/tsconfig.lib.json
Normal file
26
libs/api-client/tsconfig.lib.json
Normal file
@@ -0,0 +1,26 @@
|
||||
{
|
||||
"extends": "./tsconfig.json",
|
||||
"compilerOptions": {
|
||||
"outDir": "../../dist/out-tsc",
|
||||
"declaration": true,
|
||||
"declarationMap": true,
|
||||
"inlineSources": true,
|
||||
"types": []
|
||||
},
|
||||
"include": ["src/**/*.ts"],
|
||||
"exclude": [
|
||||
"src/**/*.spec.ts",
|
||||
"src/**/*.test.ts",
|
||||
"vite.config.ts",
|
||||
"vite.config.mts",
|
||||
"vitest.config.ts",
|
||||
"vitest.config.mts",
|
||||
"src/**/*.test.tsx",
|
||||
"src/**/*.spec.tsx",
|
||||
"src/**/*.test.js",
|
||||
"src/**/*.spec.js",
|
||||
"src/**/*.test.jsx",
|
||||
"src/**/*.spec.jsx",
|
||||
"src/test-setup.ts"
|
||||
]
|
||||
}
|
||||
29
libs/api-client/tsconfig.spec.json
Normal file
29
libs/api-client/tsconfig.spec.json
Normal file
@@ -0,0 +1,29 @@
|
||||
{
|
||||
"extends": "./tsconfig.json",
|
||||
"compilerOptions": {
|
||||
"outDir": "../../dist/out-tsc",
|
||||
"types": [
|
||||
"vitest/globals",
|
||||
"vitest/importMeta",
|
||||
"vite/client",
|
||||
"node",
|
||||
"vitest"
|
||||
]
|
||||
},
|
||||
"include": [
|
||||
"vite.config.ts",
|
||||
"vite.config.mts",
|
||||
"vitest.config.ts",
|
||||
"vitest.config.mts",
|
||||
"src/**/*.test.ts",
|
||||
"src/**/*.spec.ts",
|
||||
"src/**/*.test.tsx",
|
||||
"src/**/*.spec.tsx",
|
||||
"src/**/*.test.js",
|
||||
"src/**/*.spec.js",
|
||||
"src/**/*.test.jsx",
|
||||
"src/**/*.spec.jsx",
|
||||
"src/**/*.d.ts"
|
||||
],
|
||||
"files": ["src/test-setup.ts"]
|
||||
}
|
||||
28
libs/api-client/vite.config.mts
Normal file
28
libs/api-client/vite.config.mts
Normal file
@@ -0,0 +1,28 @@
|
||||
/// <reference types='vitest' />
|
||||
import { defineConfig } from 'vite';
|
||||
import angular from '@analogjs/vite-plugin-angular';
|
||||
import { nxViteTsPaths } from '@nx/vite/plugins/nx-tsconfig-paths.plugin';
|
||||
import { nxCopyAssetsPlugin } from '@nx/vite/plugins/nx-copy-assets.plugin';
|
||||
|
||||
export default defineConfig(() => ({
|
||||
root: __dirname,
|
||||
cacheDir: '../../node_modules/.vite/libs/api-client',
|
||||
plugins: [angular(), nxViteTsPaths(), nxCopyAssetsPlugin(['*.md'])],
|
||||
// Uncomment this if you are using workers.
|
||||
// worker: {
|
||||
// plugins: () => [ nxViteTsPaths() ],
|
||||
// },
|
||||
test: {
|
||||
name: 'api-client',
|
||||
watch: false,
|
||||
globals: true,
|
||||
environment: 'jsdom',
|
||||
include: ['{src,tests}/**/*.{test,spec}.{js,mjs,cjs,ts,mts,cts,jsx,tsx}'],
|
||||
setupFiles: ['src/test-setup.ts'],
|
||||
reporters: ['default'],
|
||||
coverage: {
|
||||
reportsDirectory: '../../coverage/libs/api-client',
|
||||
provider: 'v8' as const,
|
||||
},
|
||||
},
|
||||
}));
|
||||
@@ -31,7 +31,9 @@ nav:
|
||||
- "ADR-0007: OpenZaak → NRC notification wiring": architecture/adr-0007-notification-wiring.md
|
||||
- "ADR-0008: Read projection store": architecture/adr-0008-read-projection-store.md
|
||||
- "ADR-0009: External-task job worker": architecture/adr-0009-external-task-job-worker.md
|
||||
- "ADR-0010: BFF OIDC validation": architecture/adr-0010-bff-oidc.md
|
||||
- Working in Gitea: gitea-workflow.md
|
||||
- Frontend decisions: frontend-decisions.md
|
||||
- Demo script: demo-script.md
|
||||
- Runbooks:
|
||||
- CI: runbooks/ci.md
|
||||
|
||||
120
nx.json
Normal file
120
nx.json
Normal file
@@ -0,0 +1,120 @@
|
||||
{
|
||||
"$schema": "./node_modules/nx/schemas/nx-schema.json",
|
||||
"namedInputs": {
|
||||
"default": [
|
||||
"{projectRoot}/**/*",
|
||||
"sharedGlobals"
|
||||
],
|
||||
"production": [
|
||||
"default",
|
||||
"!{projectRoot}/.eslintrc.json",
|
||||
"!{projectRoot}/eslint.config.mjs",
|
||||
"!{projectRoot}/**/?(*.)+(spec|test).[jt]s?(x)?(.snap)",
|
||||
"!{projectRoot}/tsconfig.spec.json",
|
||||
"!{projectRoot}/src/test-setup.[jt]s",
|
||||
"!{projectRoot}/jest.config.[jt]s",
|
||||
"!{projectRoot}/test-setup.[jt]s"
|
||||
],
|
||||
"sharedGlobals": []
|
||||
},
|
||||
"targetDefaults": {
|
||||
"@angular/build:application": {
|
||||
"cache": true,
|
||||
"dependsOn": [
|
||||
"^build"
|
||||
],
|
||||
"inputs": [
|
||||
"production",
|
||||
"^production"
|
||||
]
|
||||
},
|
||||
"@nx/eslint:lint": {
|
||||
"cache": true,
|
||||
"inputs": [
|
||||
"default",
|
||||
"^default",
|
||||
"{workspaceRoot}/.eslintrc.json",
|
||||
"{workspaceRoot}/.eslintignore",
|
||||
"{workspaceRoot}/eslint.config.mjs",
|
||||
"{workspaceRoot}/tools/eslint-rules/**/*"
|
||||
]
|
||||
},
|
||||
"@nx/esbuild:esbuild": {
|
||||
"cache": true,
|
||||
"dependsOn": [
|
||||
"^build"
|
||||
],
|
||||
"inputs": [
|
||||
"production",
|
||||
"^production"
|
||||
]
|
||||
},
|
||||
"@nx/js:tsc": {
|
||||
"cache": true,
|
||||
"dependsOn": [
|
||||
"^build"
|
||||
],
|
||||
"inputs": [
|
||||
"production",
|
||||
"^production"
|
||||
]
|
||||
},
|
||||
"@nx/vitest:test": {
|
||||
"cache": true,
|
||||
"inputs": [
|
||||
"default",
|
||||
"^production"
|
||||
]
|
||||
},
|
||||
"@angular/build:unit-test": {
|
||||
"cache": true,
|
||||
"inputs": [
|
||||
"default",
|
||||
"^production"
|
||||
]
|
||||
}
|
||||
},
|
||||
"plugins": [
|
||||
{
|
||||
"plugin": "@nx/eslint/plugin",
|
||||
"options": {
|
||||
"targetName": "lint"
|
||||
}
|
||||
},
|
||||
{
|
||||
"plugin": "@nx/vite/plugin",
|
||||
"options": {
|
||||
"buildTargetName": "build",
|
||||
"serveTargetName": "serve",
|
||||
"devTargetName": "dev",
|
||||
"previewTargetName": "preview",
|
||||
"serveStaticTargetName": "serve-static",
|
||||
"typecheckTargetName": "typecheck",
|
||||
"buildDepsTargetName": "build-deps",
|
||||
"watchDepsTargetName": "watch-deps"
|
||||
}
|
||||
},
|
||||
{
|
||||
"plugin": "@nx/vitest",
|
||||
"options": {
|
||||
"testTargetName": "test"
|
||||
}
|
||||
}
|
||||
],
|
||||
"generators": {
|
||||
"@nx/angular:application": {
|
||||
"e2eTestRunner": "playwright",
|
||||
"linter": "eslint",
|
||||
"style": "css",
|
||||
"unitTestRunner": "vitest-analog"
|
||||
},
|
||||
"@nx/angular:library": {
|
||||
"linter": "eslint",
|
||||
"unitTestRunner": "vitest-analog"
|
||||
},
|
||||
"@nx/angular:component": {
|
||||
"style": "css"
|
||||
}
|
||||
},
|
||||
"analytics": false
|
||||
}
|
||||
65
package.json
Normal file
65
package.json
Normal file
@@ -0,0 +1,65 @@
|
||||
{
|
||||
"name": "register-referentie",
|
||||
"version": "0.0.0",
|
||||
"license": "MIT",
|
||||
"scripts": {},
|
||||
"private": true,
|
||||
"dependencies": {
|
||||
"@angular-devkit/build-angular": "21.2.7",
|
||||
"@angular/common": "21.2.9",
|
||||
"@angular/compiler": "21.2.9",
|
||||
"@angular/core": "21.2.9",
|
||||
"@angular/forms": "21.2.9",
|
||||
"@angular/platform-browser": "21.2.9",
|
||||
"@angular/router": "21.2.9",
|
||||
"rxjs": "~7.8.0",
|
||||
"zone.js": "0.16.0"
|
||||
},
|
||||
"devDependencies": {
|
||||
"@analogjs/vite-plugin-angular": "2.2.0",
|
||||
"@analogjs/vitest-angular": "2.2.0",
|
||||
"@angular-devkit/core": "21.2.7",
|
||||
"@angular-devkit/schematics": "21.2.7",
|
||||
"@angular/build": "21.2.7",
|
||||
"@angular/cli": "21.2.7",
|
||||
"@angular/compiler-cli": "21.2.9",
|
||||
"@angular/language-service": "21.2.9",
|
||||
"@eslint/js": "^9.8.0",
|
||||
"@nx/angular": "23.0.1",
|
||||
"@nx/devkit": "23.0.1",
|
||||
"@nx/esbuild": "23.0.1",
|
||||
"@nx/eslint": "23.0.1",
|
||||
"@nx/eslint-plugin": "23.0.1",
|
||||
"@nx/js": "23.0.1",
|
||||
"@nx/vite": "23.0.1",
|
||||
"@nx/vitest": "23.0.1",
|
||||
"@nx/web": "23.0.1",
|
||||
"@nx/workspace": "23.0.1",
|
||||
"@oxc-project/runtime": "^0.115.0",
|
||||
"@schematics/angular": "21.2.7",
|
||||
"@swc-node/register": "1.11.1",
|
||||
"@swc/core": "1.15.8",
|
||||
"@swc/helpers": "0.5.18",
|
||||
"@types/node": "20.19.9",
|
||||
"@typescript-eslint/utils": "^8.40.0",
|
||||
"@vitest/coverage-v8": "~4.1.0",
|
||||
"@vitest/ui": "~4.1.0",
|
||||
"angular-eslint": "21.3.1",
|
||||
"esbuild": "^0.27.0",
|
||||
"eslint": "^9.8.0",
|
||||
"eslint-config-prettier": "^10.0.0",
|
||||
"jiti": "2.4.2",
|
||||
"jsdom": "~22.1.0",
|
||||
"jsonc-eslint-parser": "^2.1.0",
|
||||
"nx": "23.0.1",
|
||||
"orval": "^8.19.0",
|
||||
"prettier": "^3.8.1",
|
||||
"ts-node": "10.9.1",
|
||||
"tslib": "^2.3.0",
|
||||
"typescript": "~5.9.2",
|
||||
"typescript-eslint": "^8.40.0",
|
||||
"vite": "8.0.9",
|
||||
"vite-tsconfig-paths": "^5.1.4",
|
||||
"vitest": "~4.1.0"
|
||||
}
|
||||
}
|
||||
18668
pnpm-lock.yaml
generated
Normal file
18668
pnpm-lock.yaml
generated
Normal file
File diff suppressed because it is too large
Load Diff
10
pnpm-workspace.yaml
Normal file
10
pnpm-workspace.yaml
Normal file
@@ -0,0 +1,10 @@
|
||||
packages: []
|
||||
allowBuilds:
|
||||
'@parcel/watcher': true
|
||||
less: true
|
||||
esbuild: true
|
||||
'@swc/core': true
|
||||
nx: true
|
||||
unrs-resolver: true
|
||||
lmdb: true
|
||||
msgpackr-extract: true
|
||||
@@ -9,6 +9,9 @@
|
||||
</Folder>
|
||||
<Folder Name="/services/domain/">
|
||||
<Project Path="services/domain/Big.Domain/Big.Domain.csproj" />
|
||||
<Project Path="services/domain/Big.Application/Big.Application.csproj" />
|
||||
<Project Path="services/domain/Big.Infrastructure/Big.Infrastructure.csproj" />
|
||||
<Project Path="services/domain/Big.Api/Big.Api.csproj" />
|
||||
<Project Path="services/domain/Big.Tests/Big.Tests.csproj" />
|
||||
</Folder>
|
||||
<Folder Name="/services/bff/">
|
||||
|
||||
@@ -6,4 +6,10 @@
|
||||
<ImplicitUsings>enable</ImplicitUsings>
|
||||
</PropertyGroup>
|
||||
|
||||
<ItemGroup>
|
||||
<!-- OIDC/JWT validation of Keycloak-issued tokens (ADR-0010) and OpenAPI generation. -->
|
||||
<PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="10.0.8" />
|
||||
<PackageReference Include="Microsoft.AspNetCore.OpenApi" Version="10.0.8" />
|
||||
</ItemGroup>
|
||||
|
||||
</Project>
|
||||
|
||||
47
services/bff/Bff.Api/DownstreamClients.cs
Normal file
47
services/bff/Bff.Api/DownstreamClients.cs
Normal file
@@ -0,0 +1,47 @@
|
||||
using System.Net.Http.Json;
|
||||
|
||||
namespace Bff.Api;
|
||||
|
||||
/// <summary>What the self-service submit returns to the portal (the domain's registration id + status).</summary>
|
||||
public sealed record SubmitAccepted(string RegistrationId, string Status);
|
||||
|
||||
/// <summary>A projection row as the projection-api serves it. <c>Bsn</c>/<c>NaamPlaceholder</c> are
|
||||
/// read but never surfaced by the openbaar endpoint (public-safe filtering, ADR-0010/S-09).</summary>
|
||||
public sealed record ProjectionEntry(string Id, string Status, string? Bsn, string? NaamPlaceholder);
|
||||
|
||||
/// <summary>A public-safe openbaar register row — only non-sensitive fields leave the BFF.</summary>
|
||||
public sealed record OpenbaarEntry(string Id, string Status);
|
||||
|
||||
/// <summary>Port to the Domain Service (§8.3: the BFF is the portals' only backend; it fans out).</summary>
|
||||
public interface IDomainClient
|
||||
{
|
||||
Task<SubmitAccepted> SubmitRegistrationAsync(string bsn, CancellationToken ct = default);
|
||||
}
|
||||
|
||||
/// <summary>Port to the read projection.</summary>
|
||||
public interface IProjectionClient
|
||||
{
|
||||
Task<IReadOnlyList<ProjectionEntry>> GetRegisterAsync(CancellationToken ct = default);
|
||||
}
|
||||
|
||||
/// <summary>Calls the Domain Service's <c>POST /registrations</c>.</summary>
|
||||
public sealed class DomainClient(HttpClient http) : IDomainClient
|
||||
{
|
||||
public async Task<SubmitAccepted> SubmitRegistrationAsync(string bsn, CancellationToken ct = default)
|
||||
{
|
||||
using var response = await http.PostAsJsonAsync("registrations", new { bsn }, ct);
|
||||
response.EnsureSuccessStatusCode();
|
||||
var dto = await response.Content.ReadFromJsonAsync<DomainResponse>(ct)
|
||||
?? throw new InvalidOperationException("The Domain Service returned an empty registration response.");
|
||||
return new SubmitAccepted(dto.RegistrationId, dto.Status);
|
||||
}
|
||||
|
||||
private sealed record DomainResponse(string RegistrationId, string Status, string? ZaakUrl);
|
||||
}
|
||||
|
||||
/// <summary>Calls the projection-api's <c>GET /register</c>.</summary>
|
||||
public sealed class ProjectionClient(HttpClient http) : IProjectionClient
|
||||
{
|
||||
public async Task<IReadOnlyList<ProjectionEntry>> GetRegisterAsync(CancellationToken ct = default)
|
||||
=> await http.GetFromJsonAsync<List<ProjectionEntry>>("register", ct) ?? [];
|
||||
}
|
||||
18
services/bff/Bff.Api/OpenbaarProjection.cs
Normal file
18
services/bff/Bff.Api/OpenbaarProjection.cs
Normal file
@@ -0,0 +1,18 @@
|
||||
namespace Bff.Api;
|
||||
|
||||
/// <summary>
|
||||
/// The public view of the read projection: filters rows by the openbaar search term and maps each to
|
||||
/// a public-safe <see cref="OpenbaarEntry"/> (only <c>id</c> + <c>status</c> — bsn/naam never leave the
|
||||
/// BFF). Pure so it is unit- and mutation-tested directly (ADR-0010).
|
||||
/// </summary>
|
||||
public static class OpenbaarProjection
|
||||
{
|
||||
public static IReadOnlyList<OpenbaarEntry> PublicView(IReadOnlyList<ProjectionEntry> entries, string? q)
|
||||
{
|
||||
var filtered = string.IsNullOrWhiteSpace(q)
|
||||
? entries
|
||||
: entries.Where(e => e.Id.Contains(q, StringComparison.OrdinalIgnoreCase));
|
||||
|
||||
return [.. filtered.Select(e => new OpenbaarEntry(e.Id, e.Status))];
|
||||
}
|
||||
}
|
||||
@@ -1,10 +1,72 @@
|
||||
using System.Security.Claims;
|
||||
using Bff.Api;
|
||||
using Microsoft.AspNetCore.Authentication.JwtBearer;
|
||||
|
||||
var builder = WebApplication.CreateBuilder(args);
|
||||
|
||||
var keycloakAuthority = builder.Configuration["Keycloak:Authority"]
|
||||
?? throw new InvalidOperationException("Missing configuration 'Keycloak:Authority'");
|
||||
var domainBaseUrl = builder.Configuration["Downstream:Domain:BaseUrl"]
|
||||
?? throw new InvalidOperationException("Missing configuration 'Downstream:Domain:BaseUrl'");
|
||||
var projectionBaseUrl = builder.Configuration["Downstream:Projection:BaseUrl"]
|
||||
?? throw new InvalidOperationException("Missing configuration 'Downstream:Projection:BaseUrl'");
|
||||
|
||||
// Validate Keycloak-issued tokens (ADR-0010). Audience validation is off for the walking skeleton —
|
||||
// Keycloak's audience mapping is a later hardening; signature/issuer/expiry are validated.
|
||||
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
|
||||
.AddJwtBearer(options =>
|
||||
{
|
||||
options.Authority = keycloakAuthority;
|
||||
options.RequireHttpsMetadata = false;
|
||||
options.TokenValidationParameters.ValidateAudience = false;
|
||||
});
|
||||
builder.Services.AddAuthorization();
|
||||
|
||||
// The BFF is the portals' only backend; it fans out to the domain and projection (§8.3).
|
||||
builder.Services.AddHttpClient<IDomainClient, DomainClient>(c => c.BaseAddress = new Uri(domainBaseUrl));
|
||||
builder.Services.AddHttpClient<IProjectionClient, ProjectionClient>(c => c.BaseAddress = new Uri(projectionBaseUrl));
|
||||
|
||||
builder.Services.AddHealthChecks();
|
||||
// Clear the auto-populated `servers` block so the committed spec is stable regardless of the host
|
||||
// the doc was generated from (the client sets its own base URL). Keeps the drift guard deterministic.
|
||||
builder.Services.AddOpenApi(options =>
|
||||
options.AddDocumentTransformer((document, _, _) =>
|
||||
{
|
||||
document.Servers?.Clear();
|
||||
return Task.CompletedTask;
|
||||
}));
|
||||
|
||||
var app = builder.Build();
|
||||
|
||||
app.MapGet("/", () => "BFF placeholder");
|
||||
app.UseAuthentication();
|
||||
app.UseAuthorization();
|
||||
|
||||
app.MapHealthChecks("/health");
|
||||
app.MapOpenApi();
|
||||
|
||||
// Self-service submit: requires a valid digid token; the bsn comes from the token, not the body,
|
||||
// and is forwarded to the domain (ADR-0010). Returns 202 — the zaak is opened asynchronously (S-05).
|
||||
app.MapPost("/self-service/registrations", async (ClaimsPrincipal user, IDomainClient domain, CancellationToken ct) =>
|
||||
{
|
||||
var bsn = user.FindFirstValue("bsn");
|
||||
if (string.IsNullOrWhiteSpace(bsn))
|
||||
return Results.BadRequest("The token carries no bsn claim.");
|
||||
|
||||
var accepted = await domain.SubmitRegistrationAsync(bsn, ct);
|
||||
return Results.Accepted($"/self-service/registrations/{accepted.RegistrationId}", accepted);
|
||||
})
|
||||
.RequireAuthorization()
|
||||
.Produces<SubmitAccepted>(StatusCodes.Status202Accepted)
|
||||
.Produces(StatusCodes.Status400BadRequest)
|
||||
.Produces(StatusCodes.Status401Unauthorized);
|
||||
|
||||
// Openbaar register: an anonymous public lookup that exposes only public-safe fields (S-09).
|
||||
app.MapGet("/openbaar/register", async (string? q, IProjectionClient projection, CancellationToken ct) =>
|
||||
{
|
||||
var entries = await projection.GetRegisterAsync(ct);
|
||||
return Results.Ok(OpenbaarProjection.PublicView(entries, q));
|
||||
})
|
||||
.Produces<IReadOnlyList<OpenbaarEntry>>(StatusCodes.Status200OK);
|
||||
|
||||
app.Run();
|
||||
|
||||
|
||||
@@ -5,5 +5,12 @@
|
||||
"Microsoft.AspNetCore": "Warning"
|
||||
}
|
||||
},
|
||||
"AllowedHosts": "*"
|
||||
"AllowedHosts": "*",
|
||||
"Keycloak": {
|
||||
"Authority": "http://localhost:8180/realms/digid"
|
||||
},
|
||||
"Downstream": {
|
||||
"Domain": { "BaseUrl": "http://localhost:8130/" },
|
||||
"Projection": { "BaseUrl": "http://localhost:8120/" }
|
||||
}
|
||||
}
|
||||
|
||||
78
services/bff/Bff.Tests/BffFactory.cs
Normal file
78
services/bff/Bff.Tests/BffFactory.cs
Normal file
@@ -0,0 +1,78 @@
|
||||
using System.Text;
|
||||
using Bff.Api;
|
||||
using Microsoft.AspNetCore.Authentication.JwtBearer;
|
||||
using Microsoft.AspNetCore.Hosting;
|
||||
using Microsoft.AspNetCore.Mvc.Testing;
|
||||
using Microsoft.AspNetCore.TestHost;
|
||||
using Microsoft.Extensions.DependencyInjection;
|
||||
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
|
||||
using Microsoft.IdentityModel.Tokens;
|
||||
|
||||
namespace Bff.Tests;
|
||||
|
||||
/// <summary>
|
||||
/// Test host for the BFF. It swaps the downstream clients for in-memory fakes and reconfigures the
|
||||
/// JWT bearer to validate against a local test key (no live Keycloak) — so token validation is
|
||||
/// exercised in-process with tokens the tests mint (ADR-0010).
|
||||
/// </summary>
|
||||
internal sealed class BffFactory : WebApplicationFactory<Program>
|
||||
{
|
||||
public static readonly SymmetricSecurityKey TestSigningKey =
|
||||
new(Encoding.UTF8.GetBytes("bff-test-signing-key-that-is-at-least-256-bits-long!"));
|
||||
|
||||
public FakeDomainClient Domain { get; } = new();
|
||||
public FakeProjectionClient Projection { get; } = new();
|
||||
|
||||
protected override void ConfigureWebHost(IWebHostBuilder builder)
|
||||
{
|
||||
builder.UseSetting("Keycloak:Authority", "https://keycloak.invalid/realms/digid");
|
||||
builder.UseSetting("Downstream:Domain:BaseUrl", "http://domain.invalid/");
|
||||
builder.UseSetting("Downstream:Projection:BaseUrl", "http://projection.invalid/");
|
||||
|
||||
builder.ConfigureTestServices(services =>
|
||||
{
|
||||
services.AddSingleton<IDomainClient>(Domain);
|
||||
services.AddSingleton<IProjectionClient>(Projection);
|
||||
|
||||
services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, options =>
|
||||
{
|
||||
// Validate locally against the test key; never reach out for OIDC metadata.
|
||||
options.Authority = null;
|
||||
options.MetadataAddress = null!;
|
||||
options.RequireHttpsMetadata = false;
|
||||
options.Configuration = new OpenIdConnectConfiguration();
|
||||
options.TokenValidationParameters = new TokenValidationParameters
|
||||
{
|
||||
ValidateIssuer = false,
|
||||
ValidateAudience = false,
|
||||
ValidateLifetime = true,
|
||||
ValidateIssuerSigningKey = true,
|
||||
IssuerSigningKey = TestSigningKey,
|
||||
ClockSkew = TimeSpan.Zero,
|
||||
};
|
||||
});
|
||||
});
|
||||
}
|
||||
}
|
||||
|
||||
/// <summary>Captures the bsn the BFF forwarded and returns a canned acceptance.</summary>
|
||||
internal sealed class FakeDomainClient : IDomainClient
|
||||
{
|
||||
public string? SubmittedBsn { get; private set; }
|
||||
public SubmitAccepted Result { get; set; } = new("reg-123", "Ingediend");
|
||||
|
||||
public Task<SubmitAccepted> SubmitRegistrationAsync(string bsn, CancellationToken ct = default)
|
||||
{
|
||||
SubmittedBsn = bsn;
|
||||
return Task.FromResult(Result);
|
||||
}
|
||||
}
|
||||
|
||||
/// <summary>Serves a configurable set of projection rows.</summary>
|
||||
internal sealed class FakeProjectionClient : IProjectionClient
|
||||
{
|
||||
public List<ProjectionEntry> Entries { get; } = [];
|
||||
|
||||
public Task<IReadOnlyList<ProjectionEntry>> GetRegisterAsync(CancellationToken ct = default)
|
||||
=> Task.FromResult<IReadOnlyList<ProjectionEntry>>(Entries);
|
||||
}
|
||||
34
services/bff/Bff.Tests/OpenApiSpecTests.cs
Normal file
34
services/bff/Bff.Tests/OpenApiSpecTests.cs
Normal file
@@ -0,0 +1,34 @@
|
||||
using System.Runtime.CompilerServices;
|
||||
using System.Text.Json;
|
||||
|
||||
namespace Bff.Tests;
|
||||
|
||||
/// <summary>
|
||||
/// Guards the committed OpenAPI contract (<c>services/bff/openapi.json</c>) against drift: it must
|
||||
/// equal the document the running BFF serves. S-08's Angular client is generated from this file, so a
|
||||
/// stale spec is a bug. To regenerate: run the BFF and save <c>/openapi/v1.json</c> over the file.
|
||||
/// </summary>
|
||||
public class OpenApiSpecTests
|
||||
{
|
||||
[Fact]
|
||||
public async Task Committed_openapi_spec_matches_the_served_document()
|
||||
{
|
||||
using var factory = new BffFactory();
|
||||
|
||||
var served = await factory.CreateClient().GetStringAsync("/openapi/v1.json");
|
||||
var committed = await File.ReadAllTextAsync(SpecPath());
|
||||
|
||||
Assert.Equal(Canonical(committed), Canonical(served));
|
||||
}
|
||||
|
||||
// Reformat both sides identically so the comparison is about content, not whitespace.
|
||||
private static string Canonical(string json)
|
||||
{
|
||||
using var doc = JsonDocument.Parse(json);
|
||||
return JsonSerializer.Serialize(doc.RootElement, new JsonSerializerOptions { WriteIndented = true });
|
||||
}
|
||||
|
||||
// The committed spec sits at services/bff/openapi.json — one level up from this test file.
|
||||
private static string SpecPath([CallerFilePath] string thisFile = "")
|
||||
=> Path.Combine(Path.GetDirectoryName(thisFile)!, "..", "openapi.json");
|
||||
}
|
||||
38
services/bff/Bff.Tests/OpenbaarEndpointTests.cs
Normal file
38
services/bff/Bff.Tests/OpenbaarEndpointTests.cs
Normal file
@@ -0,0 +1,38 @@
|
||||
using System.Net;
|
||||
using System.Net.Http.Json;
|
||||
using Bff.Api;
|
||||
|
||||
namespace Bff.Tests;
|
||||
|
||||
public class OpenbaarEndpointTests
|
||||
{
|
||||
[Fact]
|
||||
public async Task Serves_public_safe_rows_anonymously()
|
||||
{
|
||||
using var factory = new BffFactory();
|
||||
factory.Projection.Entries.Add(new ProjectionEntry("abc-111", "INGEDIEND", "123456782", "Jan"));
|
||||
|
||||
// No Authorization header — the openbaar register is a public lookup (ADR-0010/S-09).
|
||||
var response = await factory.CreateClient().GetAsync("/openbaar/register");
|
||||
|
||||
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
|
||||
var body = await response.Content.ReadAsStringAsync();
|
||||
Assert.Contains("abc-111", body);
|
||||
Assert.Contains("INGEDIEND", body);
|
||||
// The bsn must never appear in a public response.
|
||||
Assert.DoesNotContain("123456782", body);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Filters_by_the_query_parameter()
|
||||
{
|
||||
using var factory = new BffFactory();
|
||||
factory.Projection.Entries.Add(new ProjectionEntry("abc-111", "INGEDIEND", null, null));
|
||||
factory.Projection.Entries.Add(new ProjectionEntry("def-222", "INGEDIEND", null, null));
|
||||
|
||||
var rows = await factory.CreateClient()
|
||||
.GetFromJsonAsync<List<OpenbaarEntry>>("/openbaar/register?q=abc");
|
||||
|
||||
Assert.Equal("abc-111", Assert.Single(rows!).Id);
|
||||
}
|
||||
}
|
||||
48
services/bff/Bff.Tests/OpenbaarProjectionTests.cs
Normal file
48
services/bff/Bff.Tests/OpenbaarProjectionTests.cs
Normal file
@@ -0,0 +1,48 @@
|
||||
using Bff.Api;
|
||||
|
||||
namespace Bff.Tests;
|
||||
|
||||
public class OpenbaarProjectionTests
|
||||
{
|
||||
private static readonly ProjectionEntry[] Sample =
|
||||
[
|
||||
new("abc-111", "INGEDIEND", "123456782", "Jan"),
|
||||
new("def-222", "INGEDIEND", "987654321", "Piet"),
|
||||
];
|
||||
|
||||
[Fact]
|
||||
public void Maps_every_row_to_public_safe_fields_when_no_query()
|
||||
{
|
||||
var view = OpenbaarProjection.PublicView(Sample, null);
|
||||
|
||||
Assert.Equal(2, view.Count);
|
||||
Assert.Equal("abc-111", view[0].Id);
|
||||
Assert.Equal("INGEDIEND", view[0].Status);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void Public_view_exposes_only_id_and_status()
|
||||
{
|
||||
// OpenbaarEntry structurally carries only Id + Status — bsn/naam can never leak.
|
||||
var props = typeof(OpenbaarEntry).GetProperties().Select(p => p.Name).ToArray();
|
||||
Assert.Equal(["Id", "Status"], props);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[InlineData("abc", 1)]
|
||||
[InlineData("ABC", 1)]
|
||||
[InlineData("2", 1)]
|
||||
[InlineData("zzz", 0)]
|
||||
public void Filters_by_id_containing_the_query_case_insensitively(string q, int expected)
|
||||
{
|
||||
var view = OpenbaarProjection.PublicView(Sample, q);
|
||||
|
||||
Assert.Equal(expected, view.Count);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void Blank_query_is_treated_as_no_filter()
|
||||
{
|
||||
Assert.Equal(2, OpenbaarProjection.PublicView(Sample, " ").Count);
|
||||
}
|
||||
}
|
||||
75
services/bff/Bff.Tests/SelfServiceEndpointTests.cs
Normal file
75
services/bff/Bff.Tests/SelfServiceEndpointTests.cs
Normal file
@@ -0,0 +1,75 @@
|
||||
using System.Net;
|
||||
using System.Net.Http.Headers;
|
||||
using System.Net.Http.Json;
|
||||
|
||||
namespace Bff.Tests;
|
||||
|
||||
public class SelfServiceEndpointTests
|
||||
{
|
||||
private static HttpRequestMessage Submit(string? bearer)
|
||||
{
|
||||
var request = new HttpRequestMessage(HttpMethod.Post, "/self-service/registrations")
|
||||
{
|
||||
Content = JsonContent.Create(new { }),
|
||||
};
|
||||
if (bearer is not null)
|
||||
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", bearer);
|
||||
return request;
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Rejects_a_request_without_a_token()
|
||||
{
|
||||
using var factory = new BffFactory();
|
||||
var client = factory.CreateClient();
|
||||
|
||||
var response = await client.SendAsync(Submit(bearer: null));
|
||||
|
||||
Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
|
||||
Assert.Null(factory.Domain.SubmittedBsn);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[InlineData("not-a-jwt")]
|
||||
public async Task Rejects_a_malformed_token(string bearer)
|
||||
{
|
||||
using var factory = new BffFactory();
|
||||
var response = await factory.CreateClient().SendAsync(Submit(bearer));
|
||||
|
||||
Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Rejects_a_token_signed_with_the_wrong_key()
|
||||
{
|
||||
using var factory = new BffFactory();
|
||||
var response = await factory.CreateClient().SendAsync(Submit(TestTokens.WrongKey("123456782")));
|
||||
|
||||
Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Rejects_an_expired_token()
|
||||
{
|
||||
using var factory = new BffFactory();
|
||||
var response = await factory.CreateClient().SendAsync(Submit(TestTokens.Expired("123456782")));
|
||||
|
||||
Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Accepts_a_valid_token_and_forwards_the_bsn_to_the_domain()
|
||||
{
|
||||
using var factory = new BffFactory();
|
||||
var client = factory.CreateClient();
|
||||
|
||||
var response = await client.SendAsync(Submit(TestTokens.Valid("123456782")));
|
||||
|
||||
Assert.Equal(HttpStatusCode.Accepted, response.StatusCode);
|
||||
Assert.Equal("123456782", factory.Domain.SubmittedBsn);
|
||||
var body = await response.Content.ReadFromJsonAsync<SubmitAcceptedDto>();
|
||||
Assert.Equal("reg-123", body!.RegistrationId);
|
||||
}
|
||||
|
||||
private sealed record SubmitAcceptedDto(string RegistrationId, string Status);
|
||||
}
|
||||
30
services/bff/Bff.Tests/TestTokens.cs
Normal file
30
services/bff/Bff.Tests/TestTokens.cs
Normal file
@@ -0,0 +1,30 @@
|
||||
using System.Text;
|
||||
using Microsoft.IdentityModel.JsonWebTokens;
|
||||
using Microsoft.IdentityModel.Tokens;
|
||||
|
||||
namespace Bff.Tests;
|
||||
|
||||
/// <summary>Mints JWTs for the BFF tests — signed with the factory's test key (valid) or otherwise
|
||||
/// (a wrong key / expired) to exercise the bearer validation the BFF configures.</summary>
|
||||
internal static class TestTokens
|
||||
{
|
||||
public static string Valid(string bsn) => Create(bsn, BffFactory.TestSigningKey, expired: false);
|
||||
|
||||
public static string Expired(string bsn) => Create(bsn, BffFactory.TestSigningKey, expired: true);
|
||||
|
||||
public static string WrongKey(string bsn) => Create(
|
||||
bsn,
|
||||
new SymmetricSecurityKey(Encoding.UTF8.GetBytes("a-different-signing-key-256-bits-long-indeed-yes!")),
|
||||
expired: false);
|
||||
|
||||
private static string Create(string bsn, SymmetricSecurityKey key, bool expired)
|
||||
{
|
||||
var handler = new JsonWebTokenHandler();
|
||||
return handler.CreateToken(new SecurityTokenDescriptor
|
||||
{
|
||||
Claims = new Dictionary<string, object> { ["bsn"] = bsn },
|
||||
Expires = DateTime.UtcNow.AddMinutes(expired ? -5 : 30),
|
||||
SigningCredentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256),
|
||||
});
|
||||
}
|
||||
}
|
||||
104
services/bff/openapi.json
Normal file
104
services/bff/openapi.json
Normal file
@@ -0,0 +1,104 @@
|
||||
{
|
||||
"openapi": "3.1.1",
|
||||
"info": {
|
||||
"title": "Bff.Api | v1",
|
||||
"version": "1.0.0"
|
||||
},
|
||||
"paths": {
|
||||
"/self-service/registrations": {
|
||||
"post": {
|
||||
"tags": [
|
||||
"Bff.Api"
|
||||
],
|
||||
"responses": {
|
||||
"202": {
|
||||
"description": "Accepted",
|
||||
"content": {
|
||||
"application/json": {
|
||||
"schema": {
|
||||
"$ref": "#/components/schemas/SubmitAccepted"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"400": {
|
||||
"description": "Bad Request"
|
||||
},
|
||||
"401": {
|
||||
"description": "Unauthorized"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"/openbaar/register": {
|
||||
"get": {
|
||||
"tags": [
|
||||
"Bff.Api"
|
||||
],
|
||||
"parameters": [
|
||||
{
|
||||
"name": "q",
|
||||
"in": "query",
|
||||
"schema": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
],
|
||||
"responses": {
|
||||
"200": {
|
||||
"description": "OK",
|
||||
"content": {
|
||||
"application/json": {
|
||||
"schema": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"$ref": "#/components/schemas/OpenbaarEntry"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"components": {
|
||||
"schemas": {
|
||||
"OpenbaarEntry": {
|
||||
"required": [
|
||||
"id",
|
||||
"status"
|
||||
],
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"id": {
|
||||
"type": "string"
|
||||
},
|
||||
"status": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
},
|
||||
"SubmitAccepted": {
|
||||
"required": [
|
||||
"registrationId",
|
||||
"status"
|
||||
],
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"registrationId": {
|
||||
"type": "string"
|
||||
},
|
||||
"status": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"tags": [
|
||||
{
|
||||
"name": "Bff.Api"
|
||||
}
|
||||
]
|
||||
}
|
||||
16
services/bff/stryker-config.json
Normal file
16
services/bff/stryker-config.json
Normal file
@@ -0,0 +1,16 @@
|
||||
{
|
||||
"stryker-config": {
|
||||
"solution": "Bff.slnx",
|
||||
"test-projects": ["Bff.Tests/Bff.Tests.csproj"],
|
||||
"reporters": ["progress", "html"],
|
||||
"mutate": [
|
||||
"!**/Program.cs",
|
||||
"!**/DownstreamClients.cs"
|
||||
],
|
||||
"thresholds": {
|
||||
"high": 95,
|
||||
"low": 90,
|
||||
"break": 90
|
||||
}
|
||||
}
|
||||
}
|
||||
4
services/domain/.dockerignore
Normal file
4
services/domain/.dockerignore
Normal file
@@ -0,0 +1,4 @@
|
||||
**/bin
|
||||
**/obj
|
||||
**/*.user
|
||||
StrykerOutput
|
||||
14
services/domain/Big.Api/Big.Api.csproj
Normal file
14
services/domain/Big.Api/Big.Api.csproj
Normal file
@@ -0,0 +1,14 @@
|
||||
<Project Sdk="Microsoft.NET.Sdk.Web">
|
||||
|
||||
<ItemGroup>
|
||||
<ProjectReference Include="..\Big.Application\Big.Application.csproj" />
|
||||
<ProjectReference Include="..\Big.Infrastructure\Big.Infrastructure.csproj" />
|
||||
</ItemGroup>
|
||||
|
||||
<PropertyGroup>
|
||||
<TargetFramework>net10.0</TargetFramework>
|
||||
<Nullable>enable</Nullable>
|
||||
<ImplicitUsings>enable</ImplicitUsings>
|
||||
</PropertyGroup>
|
||||
|
||||
</Project>
|
||||
64
services/domain/Big.Api/Program.cs
Normal file
64
services/domain/Big.Api/Program.cs
Normal file
@@ -0,0 +1,64 @@
|
||||
using Big.Application;
|
||||
using Big.Domain;
|
||||
using Big.Infrastructure;
|
||||
|
||||
var builder = WebApplication.CreateBuilder(args);
|
||||
|
||||
// Options bound from configuration (compose sets Flowable__* and Acl__* env vars).
|
||||
builder.Services.AddSingleton(sp => sp.GetRequiredService<IConfiguration>()
|
||||
.GetSection("Flowable").Get<FlowableOptions>()
|
||||
?? throw new InvalidOperationException("Missing configuration section 'Flowable'"));
|
||||
builder.Services.AddSingleton(sp => sp.GetRequiredService<IConfiguration>()
|
||||
.GetSection("Acl").Get<AclOptions>()
|
||||
?? throw new InvalidOperationException("Missing configuration section 'Acl'"));
|
||||
|
||||
// The in-memory registration store is shared between the submit endpoint and the worker (ADR-0009).
|
||||
builder.Services.AddSingleton<IRegistrationStore, InMemoryRegistrationStore>();
|
||||
|
||||
// The Workflow Client is one type behind two ports (start side + worker side); both resolve to the
|
||||
// same HttpClient-backed implementation — the only code that talks to Flowable (§8.2).
|
||||
builder.Services.AddHttpClient<FlowableWorkflowClient>();
|
||||
builder.Services.AddTransient<IWorkflowClient>(sp => sp.GetRequiredService<FlowableWorkflowClient>());
|
||||
builder.Services.AddTransient<IExternalWorkerClient>(sp => sp.GetRequiredService<FlowableWorkflowClient>());
|
||||
builder.Services.AddHttpClient<IAclClient, AclHttpClient>();
|
||||
|
||||
builder.Services.AddScoped<SubmitRegistration>();
|
||||
builder.Services.AddScoped<OpenZaakWorker>();
|
||||
builder.Services.AddScoped<OpenZaakJobProcessor>();
|
||||
|
||||
// The hosted external-task job worker polls Flowable and drives OpenZaakAanmaken to completion.
|
||||
builder.Services.AddHostedService<OpenZaakJobPump>();
|
||||
|
||||
var app = builder.Build();
|
||||
|
||||
app.MapGet("/health", () => "Healthy");
|
||||
|
||||
// Submit a registration. The aggregate is created (INGEDIEND) and the registratie process started;
|
||||
// the zaak is opened later, off the request path, by the worker — so this returns 202 Accepted with
|
||||
// a location to read the registration's progress (ADR-0009, eventual consistency).
|
||||
app.MapPost("/registrations", async (SubmitRegistrationRequest body, SubmitRegistration submit, CancellationToken ct) =>
|
||||
{
|
||||
var id = await submit.HandleAsync(new SubmitRegistrationCommand(body.Bsn), ct);
|
||||
return Results.Accepted($"/registrations/{id}", new RegistrationResponse(id.ToString(), RegistrationStatus.Ingediend.ToString(), null));
|
||||
});
|
||||
|
||||
// Read a registration. Its zaak URL appears once the worker has opened the zaak (eventually).
|
||||
app.MapGet("/registrations/{id}", async (string id, IRegistrationStore store, CancellationToken ct) =>
|
||||
{
|
||||
if (!Guid.TryParse(id, out var guid))
|
||||
return Results.NotFound();
|
||||
|
||||
var registration = await store.GetAsync(new RegistrationId(guid), ct);
|
||||
return registration is null
|
||||
? Results.NotFound()
|
||||
: Results.Ok(new RegistrationResponse(
|
||||
registration.Id.ToString(), registration.Status.ToString(), registration.ZaakUrl?.ToString()));
|
||||
});
|
||||
|
||||
await app.RunAsync();
|
||||
|
||||
public sealed record SubmitRegistrationRequest(string Bsn);
|
||||
|
||||
public sealed record RegistrationResponse(string RegistrationId, string Status, string? ZaakUrl);
|
||||
|
||||
public partial class Program;
|
||||
9
services/domain/Big.Api/appsettings.json
Normal file
9
services/domain/Big.Api/appsettings.json
Normal file
@@ -0,0 +1,9 @@
|
||||
{
|
||||
"Logging": {
|
||||
"LogLevel": {
|
||||
"Default": "Information",
|
||||
"Microsoft.AspNetCore": "Warning"
|
||||
}
|
||||
},
|
||||
"AllowedHosts": "*"
|
||||
}
|
||||
15
services/domain/Big.Application/Big.Application.csproj
Normal file
15
services/domain/Big.Application/Big.Application.csproj
Normal file
@@ -0,0 +1,15 @@
|
||||
<Project Sdk="Microsoft.NET.Sdk">
|
||||
|
||||
<!-- The application layer (CLAUDE.md §9): use cases over ports. Depends on Domain only;
|
||||
Infrastructure implements the ports. -->
|
||||
<PropertyGroup>
|
||||
<TargetFramework>net10.0</TargetFramework>
|
||||
<ImplicitUsings>enable</ImplicitUsings>
|
||||
<Nullable>enable</Nullable>
|
||||
</PropertyGroup>
|
||||
|
||||
<ItemGroup>
|
||||
<ProjectReference Include="..\Big.Domain\Big.Domain.csproj" />
|
||||
</ItemGroup>
|
||||
|
||||
</Project>
|
||||
36
services/domain/Big.Application/OpenZaakWorker.cs
Normal file
36
services/domain/Big.Application/OpenZaakWorker.cs
Normal file
@@ -0,0 +1,36 @@
|
||||
using Big.Domain;
|
||||
|
||||
namespace Big.Application;
|
||||
|
||||
/// <summary>
|
||||
/// Handles one acquired <c>OpenZaakAanmaken</c> external-worker job (ADR-0009): load the registration
|
||||
/// the job correlates to, open a zaak for it via the ACL (§8.1), attach the zaak to the aggregate, and
|
||||
/// return the zaak URL so the caller can complete the Flowable job. Pure application logic over ports —
|
||||
/// it knows nothing of Flowable; the polling loop that feeds it jobs lives in Infrastructure.
|
||||
/// </summary>
|
||||
public sealed class OpenZaakWorker(IRegistrationStore store, IAclClient acl)
|
||||
{
|
||||
/// <summary>
|
||||
/// Process the job and return the URL of the (existing or newly opened) zaak. Idempotent: if the
|
||||
/// registration already has a zaak — a job redelivered after its completion was lost — it returns
|
||||
/// that zaak without opening a second one (§8.6, at-least-once delivery). An unknown registration
|
||||
/// is an error: it throws, leaving the job un-completed for Flowable to redeliver.
|
||||
/// </summary>
|
||||
public async Task<Uri> HandleAsync(OpenZaakJob job, CancellationToken ct = default)
|
||||
{
|
||||
ArgumentNullException.ThrowIfNull(job);
|
||||
|
||||
var registration = await store.GetAsync(job.RegistrationId, ct)
|
||||
?? throw new InvalidOperationException(
|
||||
$"No registration {job.RegistrationId} for OpenZaakAanmaken job {job.JobId}.");
|
||||
|
||||
// A redelivered job whose zaak was already opened completes without opening a second one.
|
||||
if (registration.ZaakUrl is not null)
|
||||
return registration.ZaakUrl;
|
||||
|
||||
var zaakUrl = await acl.OpenZaakAsync(registration.Bsn, ct);
|
||||
registration.AttachZaak(zaakUrl);
|
||||
await store.SaveAsync(registration, ct);
|
||||
return zaakUrl;
|
||||
}
|
||||
}
|
||||
47
services/domain/Big.Application/Ports.cs
Normal file
47
services/domain/Big.Application/Ports.cs
Normal file
@@ -0,0 +1,47 @@
|
||||
using Big.Domain;
|
||||
|
||||
namespace Big.Application;
|
||||
|
||||
/// <summary>
|
||||
/// The port to the workflow engine. Implemented by the Workflow Client in Infrastructure — the
|
||||
/// <em>only</em> code that talks to Flowable (CLAUDE.md §8.2). The application asks it to start the
|
||||
/// registratie process; it never knows Flowable exists.
|
||||
/// </summary>
|
||||
public interface IWorkflowClient
|
||||
{
|
||||
/// <summary>
|
||||
/// Start one <c>registratie</c> process instance for the given registration, carrying the
|
||||
/// registration id so the <c>OpenZaakAanmaken</c> external task can be correlated back to its
|
||||
/// aggregate. Returns the process instance id.
|
||||
/// </summary>
|
||||
Task<string> StartRegistrationProcessAsync(RegistrationId registrationId, CancellationToken ct = default);
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// The port to the Anti-Corruption Layer. Implemented in Infrastructure by an HTTP client to the
|
||||
/// ACL service — the <em>only</em> code that talks to ZGW (CLAUDE.md §8.1). The domain hands over a
|
||||
/// bsn; the ACL default-fills the ZGW-mandatory fields (ADR-0003) and returns the created zaak URL.
|
||||
/// </summary>
|
||||
public interface IAclClient
|
||||
{
|
||||
Task<Uri> OpenZaakAsync(string bsn, CancellationToken ct = default);
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Persistence port for the <see cref="Registration"/> aggregate. In-memory for the minimal slice
|
||||
/// (ADR-0009); an EF-backed store is a documented follow-up, and this port keeps that change additive.
|
||||
/// </summary>
|
||||
public interface IRegistrationStore
|
||||
{
|
||||
/// <summary>Insert or update the registration, keyed on its id.</summary>
|
||||
Task SaveAsync(Registration registration, CancellationToken ct = default);
|
||||
|
||||
/// <summary>Load a registration by id, or <c>null</c> if none exists.</summary>
|
||||
Task<Registration?> GetAsync(RegistrationId id, CancellationToken ct = default);
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// An acquired <c>OpenZaakAanmaken</c> external-worker job: the Flowable job id (needed to complete
|
||||
/// it) and the registration id it carries as a process variable.
|
||||
/// </summary>
|
||||
public sealed record OpenZaakJob(string JobId, RegistrationId RegistrationId);
|
||||
33
services/domain/Big.Application/SubmitRegistration.cs
Normal file
33
services/domain/Big.Application/SubmitRegistration.cs
Normal file
@@ -0,0 +1,33 @@
|
||||
using Big.Domain;
|
||||
|
||||
namespace Big.Application;
|
||||
|
||||
/// <summary>A zorgprofessional's request to register, in domain language. No ZGW concepts.</summary>
|
||||
public sealed record SubmitRegistrationCommand(string Bsn);
|
||||
|
||||
/// <summary>
|
||||
/// The submit use case: create the <see cref="Registration"/> aggregate (INGEDIEND), persist it,
|
||||
/// then start the registratie workflow process and record its instance id. It returns as soon as
|
||||
/// the process is started — opening the zaak happens later, off the request path, in the external-task
|
||||
/// worker (ADR-0009). Persisting <em>before</em> starting the process closes the race where the worker
|
||||
/// acquires the OpenZaakAanmaken job before the aggregate it correlates to exists.
|
||||
/// </summary>
|
||||
public sealed class SubmitRegistration(IRegistrationStore store, IWorkflowClient workflow)
|
||||
{
|
||||
public async Task<RegistrationId> HandleAsync(SubmitRegistrationCommand command, CancellationToken ct = default)
|
||||
{
|
||||
ArgumentNullException.ThrowIfNull(command);
|
||||
|
||||
var registration = Registration.Submit(command.Bsn);
|
||||
|
||||
// Persist before starting the process so the worker can correlate the OpenZaakAanmaken
|
||||
// job back to an aggregate that already exists (ADR-0009).
|
||||
await store.SaveAsync(registration, ct);
|
||||
|
||||
var processInstanceId = await workflow.StartRegistrationProcessAsync(registration.Id, ct);
|
||||
registration.RecordProcessStarted(processInstanceId);
|
||||
await store.SaveAsync(registration, ct);
|
||||
|
||||
return registration.Id;
|
||||
}
|
||||
}
|
||||
@@ -7,8 +7,6 @@ namespace Big.Domain;
|
||||
/// </summary>
|
||||
public sealed class Registration
|
||||
{
|
||||
// STUB (red): mutators are no-ops and Submit leaves the bsn empty so the behaviour tests
|
||||
// compile and fail on their assertions. The green commit implements the invariants.
|
||||
private Registration(RegistrationId id, string bsn)
|
||||
{
|
||||
Id = id;
|
||||
@@ -31,17 +29,39 @@ public sealed class Registration
|
||||
public Uri? ZaakUrl { get; private set; }
|
||||
|
||||
/// <summary>Submit a new registration. It begins in <see cref="RegistrationStatus.Ingediend"/>.</summary>
|
||||
public static Registration Submit(string bsn) => new(RegistrationId.New(), string.Empty);
|
||||
public static Registration Submit(string bsn)
|
||||
{
|
||||
ArgumentException.ThrowIfNullOrWhiteSpace(bsn);
|
||||
return new Registration(RegistrationId.New(), bsn);
|
||||
}
|
||||
|
||||
/// <summary>Record that the registratie workflow process has been started for this registration.</summary>
|
||||
public void RecordProcessStarted(string processInstanceId)
|
||||
{
|
||||
// STUB (red).
|
||||
ArgumentException.ThrowIfNullOrWhiteSpace(processInstanceId);
|
||||
ProcessInstanceId = processInstanceId;
|
||||
}
|
||||
|
||||
/// <summary>Attach the zaak the ACL opened. Idempotent on the same URL; a conflicting URL is rejected.</summary>
|
||||
/// <summary>
|
||||
/// Attach the zaak the ACL opened. The external-task worker may deliver the same job more than
|
||||
/// once (at-least-once), so re-attaching the identical URL is a no-op; a different URL signals a
|
||||
/// genuine conflict and is rejected. The status stays <see cref="RegistrationStatus.Ingediend"/>:
|
||||
/// opening the zaak does not advance the registration's lifecycle in this slice.
|
||||
/// </summary>
|
||||
public void AttachZaak(Uri zaakUrl)
|
||||
{
|
||||
// STUB (red).
|
||||
ArgumentNullException.ThrowIfNull(zaakUrl);
|
||||
|
||||
if (ZaakUrl is not null)
|
||||
{
|
||||
if (ZaakUrl != zaakUrl)
|
||||
throw new InvalidOperationException(
|
||||
$"Registration {Id} already has zaak {ZaakUrl}; cannot attach a different zaak {zaakUrl}.");
|
||||
// Stryker disable once Statement : equivalent — re-assigning the identical URL below is a
|
||||
// no-op, so removing this early return is behaviourally indistinguishable.
|
||||
return;
|
||||
}
|
||||
|
||||
ZaakUrl = zaakUrl;
|
||||
}
|
||||
}
|
||||
|
||||
28
services/domain/Big.Infrastructure/AclHttpClient.cs
Normal file
28
services/domain/Big.Infrastructure/AclHttpClient.cs
Normal file
@@ -0,0 +1,28 @@
|
||||
using System.Net.Http.Json;
|
||||
using System.Text.Json.Serialization;
|
||||
using Big.Application;
|
||||
|
||||
namespace Big.Infrastructure;
|
||||
|
||||
/// <summary>
|
||||
/// HTTP client to the ACL service — the boundary the domain crosses to open a zaak (§8.1). It POSTs
|
||||
/// the bsn to the ACL's <c>/zaken</c> endpoint and returns the created zaak URL; it never constructs
|
||||
/// ZGW URLs or talks to OpenZaak itself.
|
||||
/// </summary>
|
||||
public sealed class AclHttpClient(HttpClient http, AclOptions options) : IAclClient
|
||||
{
|
||||
public async Task<Uri> OpenZaakAsync(string bsn, CancellationToken ct = default)
|
||||
{
|
||||
using var response = await http.PostAsJsonAsync(
|
||||
new Uri(options.BaseUrl, "zaken"), new OpenZaakRequest(bsn), ct);
|
||||
response.EnsureSuccessStatusCode();
|
||||
|
||||
var opened = await response.Content.ReadFromJsonAsync<OpenZaakResponse>(ct)
|
||||
?? throw new InvalidOperationException("The ACL returned an empty zaak response.");
|
||||
return new Uri(opened.ZaakUrl);
|
||||
}
|
||||
|
||||
private sealed record OpenZaakRequest([property: JsonPropertyName("bsn")] string Bsn);
|
||||
|
||||
private sealed record OpenZaakResponse([property: JsonPropertyName("zaakUrl")] string ZaakUrl);
|
||||
}
|
||||
24
services/domain/Big.Infrastructure/Big.Infrastructure.csproj
Normal file
24
services/domain/Big.Infrastructure/Big.Infrastructure.csproj
Normal file
@@ -0,0 +1,24 @@
|
||||
<Project Sdk="Microsoft.NET.Sdk">
|
||||
|
||||
<!-- The infrastructure layer (CLAUDE.md §9): adapters implementing the Application ports.
|
||||
The Workflow Client (Flowable REST) and the ACL HTTP client live here — the only code
|
||||
that talks to Flowable (§8.2) and to the ACL respectively. -->
|
||||
<PropertyGroup>
|
||||
<TargetFramework>net10.0</TargetFramework>
|
||||
<ImplicitUsings>enable</ImplicitUsings>
|
||||
<Nullable>enable</Nullable>
|
||||
</PropertyGroup>
|
||||
|
||||
<ItemGroup>
|
||||
<ProjectReference Include="..\Big.Application\Big.Application.csproj" />
|
||||
</ItemGroup>
|
||||
|
||||
<ItemGroup>
|
||||
<!-- The external-task job worker is a hosted BackgroundService (ADR-0009); it logs and
|
||||
resolves a per-tick scope. Abstractions only — the host (Api) brings the implementations. -->
|
||||
<PackageReference Include="Microsoft.Extensions.Hosting.Abstractions" Version="10.0.0" />
|
||||
<PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.0" />
|
||||
<PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="10.0.0" />
|
||||
</ItemGroup>
|
||||
|
||||
</Project>
|
||||
110
services/domain/Big.Infrastructure/FlowableWorkflowClient.cs
Normal file
110
services/domain/Big.Infrastructure/FlowableWorkflowClient.cs
Normal file
@@ -0,0 +1,110 @@
|
||||
using System.Net.Http.Headers;
|
||||
using System.Net.Http.Json;
|
||||
using System.Text;
|
||||
using System.Text.Json;
|
||||
using System.Text.Json.Serialization;
|
||||
using Big.Application;
|
||||
using Big.Domain;
|
||||
|
||||
namespace Big.Infrastructure;
|
||||
|
||||
/// <summary>
|
||||
/// The Workflow Client — the only code that talks to Flowable (§8.2). It starts registratie process
|
||||
/// instances and drives the <c>OpenZaakAanmaken</c> external-worker jobs over Flowable's REST API
|
||||
/// (start: <c>service/runtime/process-instances</c>; acquire/complete: <c>external-job-api/…</c>).
|
||||
/// The REST contract here is the one verified against a live flowable-rest engine (ADR-0009).
|
||||
/// </summary>
|
||||
public sealed class FlowableWorkflowClient(HttpClient http, FlowableOptions options)
|
||||
: IWorkflowClient, IExternalWorkerClient
|
||||
{
|
||||
private const string Topic = "OpenZaakAanmaken";
|
||||
private const string ProcessDefinitionKey = "registratie";
|
||||
private const string RegistrationIdVariable = "registrationId";
|
||||
private const string ZaakUrlVariable = "zaakUrl";
|
||||
|
||||
public async Task<string> StartRegistrationProcessAsync(RegistrationId registrationId, CancellationToken ct = default)
|
||||
{
|
||||
var request = new StartProcessRequest(
|
||||
ProcessDefinitionKey,
|
||||
[new Variable(RegistrationIdVariable, "string", registrationId.ToString())]);
|
||||
|
||||
var created = await PostAsync<StartProcessRequest, ProcessInstance>(
|
||||
"service/runtime/process-instances", request, ct)
|
||||
?? throw new InvalidOperationException("Flowable returned an empty process-instance response.");
|
||||
return created.Id;
|
||||
}
|
||||
|
||||
public async Task<IReadOnlyList<OpenZaakJob>> AcquireOpenZaakJobsAsync(int maxJobs, CancellationToken ct = default)
|
||||
{
|
||||
var request = new AcquireJobsRequest(Topic, options.LockDuration, maxJobs, options.WorkerId);
|
||||
|
||||
var jobs = await PostAsync<AcquireJobsRequest, List<AcquiredJob>>(
|
||||
"external-job-api/acquire/jobs", request, ct) ?? [];
|
||||
|
||||
return [.. jobs.Select(job => new OpenZaakJob(job.Id, RegistrationId.Parse(job.RegistrationId())))];
|
||||
}
|
||||
|
||||
public async Task CompleteOpenZaakJobAsync(string jobId, Uri zaakUrl, CancellationToken ct = default)
|
||||
{
|
||||
var request = new CompleteJobRequest(
|
||||
options.WorkerId,
|
||||
[new Variable(ZaakUrlVariable, "string", zaakUrl.ToString())]);
|
||||
|
||||
using var response = await SendAsync(
|
||||
$"external-job-api/acquire/jobs/{jobId}/complete", request, ct);
|
||||
response.EnsureSuccessStatusCode();
|
||||
}
|
||||
|
||||
private async Task<TResponse?> PostAsync<TRequest, TResponse>(string path, TRequest body, CancellationToken ct)
|
||||
{
|
||||
using var response = await SendAsync(path, body, ct);
|
||||
response.EnsureSuccessStatusCode();
|
||||
return await response.Content.ReadFromJsonAsync<TResponse>(ct);
|
||||
}
|
||||
|
||||
private Task<HttpResponseMessage> SendAsync<TRequest>(string path, TRequest body, CancellationToken ct)
|
||||
{
|
||||
var message = new HttpRequestMessage(HttpMethod.Post, new Uri(options.BaseUrl, path))
|
||||
{
|
||||
Content = JsonContent.Create(body),
|
||||
};
|
||||
message.Headers.Authorization = new AuthenticationHeaderValue("Basic", BasicCredentials());
|
||||
return http.SendAsync(message, ct);
|
||||
}
|
||||
|
||||
private string BasicCredentials()
|
||||
=> Convert.ToBase64String(Encoding.ASCII.GetBytes($"{options.Username}:{options.Password}"));
|
||||
|
||||
private sealed record StartProcessRequest(
|
||||
[property: JsonPropertyName("processDefinitionKey")] string ProcessDefinitionKey,
|
||||
[property: JsonPropertyName("variables")] IReadOnlyList<Variable> Variables);
|
||||
|
||||
private sealed record AcquireJobsRequest(
|
||||
[property: JsonPropertyName("topic")] string Topic,
|
||||
[property: JsonPropertyName("lockDuration")] string LockDuration,
|
||||
[property: JsonPropertyName("numberOfTasks")] int NumberOfTasks,
|
||||
[property: JsonPropertyName("workerId")] string WorkerId);
|
||||
|
||||
private sealed record CompleteJobRequest(
|
||||
[property: JsonPropertyName("workerId")] string WorkerId,
|
||||
[property: JsonPropertyName("variables")] IReadOnlyList<Variable> Variables);
|
||||
|
||||
private sealed record Variable(
|
||||
[property: JsonPropertyName("name")] string Name,
|
||||
[property: JsonPropertyName("type")] string Type,
|
||||
[property: JsonPropertyName("value")] string Value);
|
||||
|
||||
private sealed record ProcessInstance([property: JsonPropertyName("id")] string Id);
|
||||
|
||||
private sealed record AcquiredJob(
|
||||
[property: JsonPropertyName("id")] string Id,
|
||||
[property: JsonPropertyName("variables")] IReadOnlyList<Variable> Variables)
|
||||
{
|
||||
/// <summary>The registration id this job carries as a process variable.</summary>
|
||||
public string RegistrationId() =>
|
||||
// Stryker disable once Linq : equivalent — Single and SingleOrDefault both throw on a job
|
||||
// with no registrationId variable (the only untested branch), so the mutant is indistinguishable.
|
||||
Variables.SingleOrDefault(v => v.Name == "registrationId")?.Value
|
||||
?? throw new InvalidOperationException($"OpenZaakAanmaken job {Id} carries no registrationId variable.");
|
||||
}
|
||||
}
|
||||
18
services/domain/Big.Infrastructure/IExternalWorkerClient.cs
Normal file
18
services/domain/Big.Infrastructure/IExternalWorkerClient.cs
Normal file
@@ -0,0 +1,18 @@
|
||||
using Big.Application;
|
||||
|
||||
namespace Big.Infrastructure;
|
||||
|
||||
/// <summary>
|
||||
/// The worker-facing side of the Workflow Client: acquiring and completing Flowable external-worker
|
||||
/// jobs (ADR-0009). Kept separate from the Application's <see cref="IWorkflowClient"/> because job
|
||||
/// acquisition is a Flowable-specific polling mechanic the application never needs to know about.
|
||||
/// Implemented by <see cref="FlowableWorkflowClient"/> — the only code that talks to Flowable (§8.2).
|
||||
/// </summary>
|
||||
public interface IExternalWorkerClient
|
||||
{
|
||||
/// <summary>Acquire and lock up to <paramref name="maxJobs"/> <c>OpenZaakAanmaken</c> jobs.</summary>
|
||||
Task<IReadOnlyList<OpenZaakJob>> AcquireOpenZaakJobsAsync(int maxJobs, CancellationToken ct = default);
|
||||
|
||||
/// <summary>Complete an acquired job, passing the opened zaak URL back into the process.</summary>
|
||||
Task CompleteOpenZaakJobAsync(string jobId, Uri zaakUrl, CancellationToken ct = default);
|
||||
}
|
||||
@@ -0,0 +1,25 @@
|
||||
using System.Collections.Concurrent;
|
||||
using Big.Application;
|
||||
using Big.Domain;
|
||||
|
||||
namespace Big.Infrastructure;
|
||||
|
||||
/// <summary>
|
||||
/// In-memory <see cref="IRegistrationStore"/> for the minimal slice (ADR-0009). The walking
|
||||
/// skeleton's read path is the projection (S-06), not this store, so durable domain persistence is a
|
||||
/// documented follow-up. Registered as a singleton so the submit endpoint and the worker share it.
|
||||
/// </summary>
|
||||
public sealed class InMemoryRegistrationStore : IRegistrationStore
|
||||
{
|
||||
private readonly ConcurrentDictionary<RegistrationId, Registration> _byId = new();
|
||||
|
||||
public Task SaveAsync(Registration registration, CancellationToken ct = default)
|
||||
{
|
||||
ArgumentNullException.ThrowIfNull(registration);
|
||||
_byId[registration.Id] = registration;
|
||||
return Task.CompletedTask;
|
||||
}
|
||||
|
||||
public Task<Registration?> GetAsync(RegistrationId id, CancellationToken ct = default)
|
||||
=> Task.FromResult(_byId.GetValueOrDefault(id));
|
||||
}
|
||||
39
services/domain/Big.Infrastructure/OpenZaakJobProcessor.cs
Normal file
39
services/domain/Big.Infrastructure/OpenZaakJobProcessor.cs
Normal file
@@ -0,0 +1,39 @@
|
||||
using Big.Application;
|
||||
using Microsoft.Extensions.Logging;
|
||||
|
||||
namespace Big.Infrastructure;
|
||||
|
||||
/// <summary>
|
||||
/// One poll tick of the external-task worker (ADR-0009): acquire the parked <c>OpenZaakAanmaken</c>
|
||||
/// jobs, hand each to the <see cref="OpenZaakWorker"/> to open a zaak via the ACL, and complete the
|
||||
/// Flowable job with the resulting zaak URL. A job that fails is logged and left un-completed so
|
||||
/// Flowable redelivers it (§8.6). Split out from the hosted <see cref="OpenZaakJobPump"/> so the
|
||||
/// acquire→process→complete logic is unit-testable without a running host.
|
||||
/// </summary>
|
||||
public sealed class OpenZaakJobProcessor(
|
||||
IExternalWorkerClient client,
|
||||
OpenZaakWorker worker,
|
||||
ILogger<OpenZaakJobProcessor> logger)
|
||||
{
|
||||
/// <summary>Acquire and process up to <paramref name="maxJobs"/> jobs. Returns the number acquired.</summary>
|
||||
public async Task<int> PumpOnceAsync(int maxJobs, CancellationToken ct = default)
|
||||
{
|
||||
var jobs = await client.AcquireOpenZaakJobsAsync(maxJobs, ct);
|
||||
|
||||
foreach (var job in jobs)
|
||||
{
|
||||
try
|
||||
{
|
||||
var zaakUrl = await worker.HandleAsync(job, ct);
|
||||
await client.CompleteOpenZaakJobAsync(job.JobId, zaakUrl, ct);
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
// Leave the job un-completed: its lock expires and Flowable redelivers it (§8.6).
|
||||
logger.LogError(ex, "OpenZaakAanmaken job {JobId} failed; leaving it for redelivery.", job.JobId);
|
||||
}
|
||||
}
|
||||
|
||||
return jobs.Count;
|
||||
}
|
||||
}
|
||||
48
services/domain/Big.Infrastructure/OpenZaakJobPump.cs
Normal file
48
services/domain/Big.Infrastructure/OpenZaakJobPump.cs
Normal file
@@ -0,0 +1,48 @@
|
||||
using Microsoft.Extensions.DependencyInjection;
|
||||
using Microsoft.Extensions.Hosting;
|
||||
using Microsoft.Extensions.Logging;
|
||||
|
||||
namespace Big.Infrastructure;
|
||||
|
||||
/// <summary>
|
||||
/// The hosted polling loop of the external-task job worker (ADR-0009): on an interval it resolves a
|
||||
/// scoped <see cref="OpenZaakJobProcessor"/> and asks it to drain the parked <c>OpenZaakAanmaken</c>
|
||||
/// jobs. A deliberately thin shell — all acquire/process/complete logic lives in the processor, which
|
||||
/// is unit-tested; this class only owns the timer, the per-tick scope, and loop resilience.
|
||||
/// </summary>
|
||||
public sealed class OpenZaakJobPump(
|
||||
IServiceScopeFactory scopeFactory,
|
||||
FlowableOptions options,
|
||||
ILogger<OpenZaakJobPump> logger) : BackgroundService
|
||||
{
|
||||
protected override async Task ExecuteAsync(CancellationToken stoppingToken)
|
||||
{
|
||||
while (!stoppingToken.IsCancellationRequested)
|
||||
{
|
||||
try
|
||||
{
|
||||
using var scope = scopeFactory.CreateScope();
|
||||
var processor = scope.ServiceProvider.GetRequiredService<OpenZaakJobProcessor>();
|
||||
await processor.PumpOnceAsync(options.MaxJobsPerPoll, stoppingToken);
|
||||
}
|
||||
catch (OperationCanceledException) when (stoppingToken.IsCancellationRequested)
|
||||
{
|
||||
break;
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
// A transient fault (e.g. Flowable briefly unreachable) must not kill the loop.
|
||||
logger.LogError(ex, "OpenZaakAanmaken job poll failed; retrying after the poll interval.");
|
||||
}
|
||||
|
||||
try
|
||||
{
|
||||
await Task.Delay(options.PollInterval, stoppingToken);
|
||||
}
|
||||
catch (OperationCanceledException) when (stoppingToken.IsCancellationRequested)
|
||||
{
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
29
services/domain/Big.Infrastructure/Options.cs
Normal file
29
services/domain/Big.Infrastructure/Options.cs
Normal file
@@ -0,0 +1,29 @@
|
||||
namespace Big.Infrastructure;
|
||||
|
||||
/// <summary>Configuration for the Flowable Workflow Client. <see cref="BaseUrl"/> is the flowable-rest
|
||||
/// root and must end with a slash (e.g. <c>http://flowable-rest:8080/flowable-rest/</c>) so the
|
||||
/// <c>service/…</c> and <c>external-job-api/…</c> sub-paths resolve correctly.</summary>
|
||||
public sealed class FlowableOptions
|
||||
{
|
||||
public Uri BaseUrl { get; set; } = null!;
|
||||
public string Username { get; set; } = "";
|
||||
public string Password { get; set; } = "";
|
||||
|
||||
/// <summary>The id this worker locks jobs under, so two workers don't process the same job.</summary>
|
||||
public string WorkerId { get; set; } = "big-domain-worker";
|
||||
|
||||
/// <summary>How long an acquired job stays locked to this worker (ISO-8601 duration).</summary>
|
||||
public string LockDuration { get; set; } = "PT5M";
|
||||
|
||||
/// <summary>How many OpenZaakAanmaken jobs to acquire per poll.</summary>
|
||||
public int MaxJobsPerPoll { get; set; } = 5;
|
||||
|
||||
/// <summary>How often the worker polls Flowable for new jobs.</summary>
|
||||
public TimeSpan PollInterval { get; set; } = TimeSpan.FromSeconds(2);
|
||||
}
|
||||
|
||||
/// <summary>Configuration for the ACL HTTP client. <see cref="BaseUrl"/> is the ACL service root.</summary>
|
||||
public sealed class AclOptions
|
||||
{
|
||||
public Uri BaseUrl { get; set; } = null!;
|
||||
}
|
||||
44
services/domain/Big.Tests/AclHttpClientTests.cs
Normal file
44
services/domain/Big.Tests/AclHttpClientTests.cs
Normal file
@@ -0,0 +1,44 @@
|
||||
using System.Net;
|
||||
using Big.Infrastructure;
|
||||
|
||||
namespace Big.Tests;
|
||||
|
||||
public class AclHttpClientTests
|
||||
{
|
||||
private static AclHttpClient Client(StubHandler handler) => new(
|
||||
new HttpClient(handler), new AclOptions { BaseUrl = new("http://acl/") });
|
||||
|
||||
[Fact]
|
||||
public async Task Opens_a_zaak_by_posting_the_bsn_and_returns_the_zaak_url()
|
||||
{
|
||||
var capture = new RequestCapture();
|
||||
var client = Client(capture.Responds(HttpStatusCode.OK,
|
||||
"""{"zaakUrl":"http://openzaak/zaken/api/v1/zaken/abc"}"""));
|
||||
|
||||
var url = await client.OpenZaakAsync("123456782");
|
||||
|
||||
Assert.Equal("http://openzaak/zaken/api/v1/zaken/abc", url.ToString());
|
||||
Assert.Equal(HttpMethod.Post, capture.Seen!.Method);
|
||||
Assert.Equal("http://acl/zaken", capture.Seen.RequestUri!.ToString());
|
||||
Assert.Contains("\"bsn\":\"123456782\"", capture.Body);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Throws_when_the_acl_rejects_the_request()
|
||||
{
|
||||
var capture = new RequestCapture();
|
||||
var client = Client(capture.Responds(HttpStatusCode.BadGateway));
|
||||
|
||||
await Assert.ThrowsAsync<HttpRequestException>(() => client.OpenZaakAsync("123456782"));
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Throws_when_the_acl_returns_an_empty_body()
|
||||
{
|
||||
var capture = new RequestCapture();
|
||||
var client = Client(capture.Responds(HttpStatusCode.OK, "null"));
|
||||
|
||||
var ex = await Assert.ThrowsAsync<InvalidOperationException>(() => client.OpenZaakAsync("123456782"));
|
||||
Assert.Contains("empty", ex.Message, StringComparison.OrdinalIgnoreCase);
|
||||
}
|
||||
}
|
||||
@@ -20,6 +20,8 @@
|
||||
|
||||
<ItemGroup>
|
||||
<ProjectReference Include="..\Big.Domain\Big.Domain.csproj" />
|
||||
<ProjectReference Include="..\Big.Application\Big.Application.csproj" />
|
||||
<ProjectReference Include="..\Big.Infrastructure\Big.Infrastructure.csproj" />
|
||||
</ItemGroup>
|
||||
|
||||
</Project>
|
||||
|
||||
24
services/domain/Big.Tests/CapturingLogger.cs
Normal file
24
services/domain/Big.Tests/CapturingLogger.cs
Normal file
@@ -0,0 +1,24 @@
|
||||
using Microsoft.Extensions.Logging;
|
||||
|
||||
namespace Big.Tests;
|
||||
|
||||
/// <summary>A minimal <see cref="ILogger{T}"/> that records the level and rendered message of each
|
||||
/// entry, so tests can assert that (for example) a failing job was logged.</summary>
|
||||
internal sealed class CapturingLogger<T> : ILogger<T>
|
||||
{
|
||||
public List<(LogLevel Level, string Message)> Entries { get; } = [];
|
||||
|
||||
public IDisposable BeginScope<TState>(TState state) where TState : notnull => NullScope.Instance;
|
||||
|
||||
public bool IsEnabled(LogLevel logLevel) => true;
|
||||
|
||||
public void Log<TState>(LogLevel logLevel, EventId eventId, TState state, Exception? exception,
|
||||
Func<TState, Exception?, string> formatter)
|
||||
=> Entries.Add((logLevel, formatter(state, exception)));
|
||||
|
||||
private sealed class NullScope : IDisposable
|
||||
{
|
||||
public static readonly NullScope Instance = new();
|
||||
public void Dispose() { }
|
||||
}
|
||||
}
|
||||
61
services/domain/Big.Tests/Fakes.cs
Normal file
61
services/domain/Big.Tests/Fakes.cs
Normal file
@@ -0,0 +1,61 @@
|
||||
using Big.Application;
|
||||
using Big.Domain;
|
||||
|
||||
namespace Big.Tests;
|
||||
|
||||
/// <summary>An in-memory <see cref="IRegistrationStore"/> for the application-layer tests. Upserts
|
||||
/// keyed on the registration id, mirroring the production store (kept distinct from the production
|
||||
/// <c>InMemoryRegistrationStore</c> so tests can seed and inspect save counts).</summary>
|
||||
internal sealed class FakeRegistrationStore : IRegistrationStore
|
||||
{
|
||||
private readonly Dictionary<RegistrationId, Registration> _byId = [];
|
||||
|
||||
public int SaveCount { get; private set; }
|
||||
|
||||
public Task SaveAsync(Registration registration, CancellationToken ct = default)
|
||||
{
|
||||
SaveCount++;
|
||||
_byId[registration.Id] = registration;
|
||||
return Task.CompletedTask;
|
||||
}
|
||||
|
||||
public Task<Registration?> GetAsync(RegistrationId id, CancellationToken ct = default)
|
||||
=> Task.FromResult(_byId.GetValueOrDefault(id));
|
||||
|
||||
public void Seed(Registration registration) => _byId[registration.Id] = registration;
|
||||
}
|
||||
|
||||
/// <summary>A fake Workflow Client that records the registration it was asked to start a process for
|
||||
/// and returns a fixed process-instance id. An optional callback runs at start time, letting a test
|
||||
/// assert ordering (e.g. that the registration was persisted before the process started).</summary>
|
||||
internal sealed class FakeWorkflowClient(string processInstanceId = "proc-1", Action<RegistrationId>? onStart = null)
|
||||
: IWorkflowClient
|
||||
{
|
||||
public RegistrationId? StartedFor { get; private set; }
|
||||
|
||||
public Task<string> StartRegistrationProcessAsync(RegistrationId registrationId, CancellationToken ct = default)
|
||||
{
|
||||
onStart?.Invoke(registrationId);
|
||||
StartedFor = registrationId;
|
||||
return Task.FromResult(processInstanceId);
|
||||
}
|
||||
}
|
||||
|
||||
/// <summary>A fake ACL client that records the bsn it was asked to open a zaak for and returns a
|
||||
/// fixed zaak URL.</summary>
|
||||
internal sealed class FakeAclClient(Uri? zaakUrl = null) : IAclClient
|
||||
{
|
||||
public static readonly Uri DefaultZaakUrl = new("http://openzaak/zaken/api/v1/zaken/abc");
|
||||
|
||||
private readonly Uri _zaakUrl = zaakUrl ?? DefaultZaakUrl;
|
||||
|
||||
public string? OpenedForBsn { get; private set; }
|
||||
public int CallCount { get; private set; }
|
||||
|
||||
public Task<Uri> OpenZaakAsync(string bsn, CancellationToken ct = default)
|
||||
{
|
||||
CallCount++;
|
||||
OpenedForBsn = bsn;
|
||||
return Task.FromResult(_zaakUrl);
|
||||
}
|
||||
}
|
||||
139
services/domain/Big.Tests/FlowableWorkflowClientTests.cs
Normal file
139
services/domain/Big.Tests/FlowableWorkflowClientTests.cs
Normal file
@@ -0,0 +1,139 @@
|
||||
using System.Net;
|
||||
using System.Text;
|
||||
using Big.Domain;
|
||||
using Big.Infrastructure;
|
||||
|
||||
namespace Big.Tests;
|
||||
|
||||
public class FlowableWorkflowClientTests
|
||||
{
|
||||
private static readonly Uri Base = new("http://flowable/flowable-rest/");
|
||||
|
||||
private static FlowableWorkflowClient Client(StubHandler handler) => new(
|
||||
new HttpClient(handler),
|
||||
new FlowableOptions { BaseUrl = Base, Username = "rest-admin", Password = "test", WorkerId = "worker-x" });
|
||||
|
||||
private static string DecodeBasic(HttpRequestMessage request)
|
||||
=> Encoding.ASCII.GetString(Convert.FromBase64String(request.Headers.Authorization!.Parameter!));
|
||||
|
||||
[Fact]
|
||||
public async Task Start_posts_the_registration_id_variable_and_returns_the_instance_id()
|
||||
{
|
||||
var capture = new RequestCapture();
|
||||
var client = Client(capture.Responds(HttpStatusCode.Created, """{"id":"pi-1"}"""));
|
||||
var rid = RegistrationId.New();
|
||||
|
||||
var pid = await client.StartRegistrationProcessAsync(rid);
|
||||
|
||||
Assert.Equal("pi-1", pid);
|
||||
Assert.Equal(HttpMethod.Post, capture.Seen!.Method);
|
||||
Assert.Equal("http://flowable/flowable-rest/service/runtime/process-instances",
|
||||
capture.Seen.RequestUri!.ToString());
|
||||
Assert.Equal("Basic", capture.Seen.Headers.Authorization!.Scheme);
|
||||
Assert.Equal("rest-admin:test", DecodeBasic(capture.Seen));
|
||||
Assert.Contains("\"processDefinitionKey\":\"registratie\"", capture.Body);
|
||||
Assert.Contains("\"name\":\"registrationId\"", capture.Body);
|
||||
Assert.Contains("\"type\":\"string\"", capture.Body);
|
||||
Assert.Contains($"\"value\":\"{rid}\"", capture.Body);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Start_uses_the_configured_worker_credentials_and_defaults()
|
||||
{
|
||||
var capture = new RequestCapture();
|
||||
// Only BaseUrl set — the worker id and (empty) credentials must come from the defaults.
|
||||
var client = new FlowableWorkflowClient(
|
||||
new HttpClient(capture.Responds(HttpStatusCode.OK, "[]")),
|
||||
new FlowableOptions { BaseUrl = Base });
|
||||
|
||||
await client.AcquireOpenZaakJobsAsync(1);
|
||||
|
||||
Assert.Equal(":", DecodeBasic(capture.Seen!));
|
||||
Assert.Contains("\"workerId\":\"big-domain-worker\"", capture.Body);
|
||||
Assert.Contains("\"lockDuration\":\"PT5M\"", capture.Body);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Acquire_posts_the_topic_and_parses_jobs_with_their_registration_id()
|
||||
{
|
||||
var rid = RegistrationId.New();
|
||||
var capture = new RequestCapture();
|
||||
var client = Client(capture.Responds(HttpStatusCode.OK,
|
||||
$$"""[{"id":"job-1","variables":[{"name":"registrationId","type":"string","value":"{{rid}}"}]}]"""));
|
||||
|
||||
var jobs = await client.AcquireOpenZaakJobsAsync(3);
|
||||
|
||||
var job = Assert.Single(jobs);
|
||||
Assert.Equal("job-1", job.JobId);
|
||||
Assert.Equal(rid, job.RegistrationId);
|
||||
Assert.Equal("http://flowable/flowable-rest/external-job-api/acquire/jobs",
|
||||
capture.Seen!.RequestUri!.ToString());
|
||||
Assert.Contains("\"topic\":\"OpenZaakAanmaken\"", capture.Body);
|
||||
Assert.Contains("\"numberOfTasks\":3", capture.Body);
|
||||
Assert.Contains("\"workerId\":\"worker-x\"", capture.Body);
|
||||
Assert.Contains("\"lockDuration\":\"PT5M\"", capture.Body);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[InlineData("[]")]
|
||||
[InlineData("null")]
|
||||
public async Task Acquire_returns_empty_when_flowable_has_no_parked_jobs(string body)
|
||||
{
|
||||
var capture = new RequestCapture();
|
||||
var client = Client(capture.Responds(HttpStatusCode.OK, body));
|
||||
|
||||
var jobs = await client.AcquireOpenZaakJobsAsync(1);
|
||||
|
||||
Assert.NotNull(capture.Seen);
|
||||
Assert.Empty(jobs);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Acquire_throws_when_a_job_carries_no_registration_id()
|
||||
{
|
||||
var capture = new RequestCapture();
|
||||
var client = Client(capture.Responds(HttpStatusCode.OK, """[{"id":"job-1","variables":[]}]"""));
|
||||
|
||||
var ex = await Assert.ThrowsAsync<InvalidOperationException>(() => client.AcquireOpenZaakJobsAsync(1));
|
||||
Assert.Contains("job-1", ex.Message);
|
||||
Assert.Contains("registrationId", ex.Message);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Complete_posts_the_zaak_url_variable_to_the_job_complete_endpoint()
|
||||
{
|
||||
var capture = new RequestCapture();
|
||||
var client = Client(capture.Responds(HttpStatusCode.NoContent));
|
||||
|
||||
await client.CompleteOpenZaakJobAsync("job-1", new Uri("http://openzaak/zaken/api/v1/zaken/abc"));
|
||||
|
||||
Assert.NotNull(capture.Seen);
|
||||
Assert.Equal(HttpMethod.Post, capture.Seen!.Method);
|
||||
Assert.Equal("http://flowable/flowable-rest/external-job-api/acquire/jobs/job-1/complete",
|
||||
capture.Seen.RequestUri!.ToString());
|
||||
Assert.Contains("\"workerId\":\"worker-x\"", capture.Body);
|
||||
Assert.Contains("\"name\":\"zaakUrl\"", capture.Body);
|
||||
Assert.Contains("\"type\":\"string\"", capture.Body);
|
||||
Assert.Contains("\"value\":\"http://openzaak/zaken/api/v1/zaken/abc\"", capture.Body);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Start_throws_when_flowable_rejects_the_request()
|
||||
{
|
||||
var capture = new RequestCapture();
|
||||
var client = Client(capture.Responds(HttpStatusCode.InternalServerError));
|
||||
|
||||
await Assert.ThrowsAsync<HttpRequestException>(
|
||||
() => client.StartRegistrationProcessAsync(RegistrationId.New()));
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Complete_throws_when_flowable_rejects_the_request()
|
||||
{
|
||||
var capture = new RequestCapture();
|
||||
var client = Client(capture.Responds(HttpStatusCode.InternalServerError));
|
||||
|
||||
await Assert.ThrowsAsync<HttpRequestException>(
|
||||
() => client.CompleteOpenZaakJobAsync("job-1", new Uri("http://openzaak/zaken/api/v1/zaken/abc")));
|
||||
}
|
||||
}
|
||||
30
services/domain/Big.Tests/HttpStubs.cs
Normal file
30
services/domain/Big.Tests/HttpStubs.cs
Normal file
@@ -0,0 +1,30 @@
|
||||
using System.Net;
|
||||
|
||||
namespace Big.Tests;
|
||||
|
||||
/// <summary>A test double for <see cref="HttpMessageHandler"/> that records the last request and
|
||||
/// returns a scripted response — the same approach the ACL gateway tests use.</summary>
|
||||
internal sealed class StubHandler(Func<HttpRequestMessage, Task<HttpResponseMessage>> onSend) : HttpMessageHandler
|
||||
{
|
||||
protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
|
||||
=> onSend(request);
|
||||
}
|
||||
|
||||
/// <summary>Captures the request a client sent, including the (buffered) body.</summary>
|
||||
internal sealed class RequestCapture
|
||||
{
|
||||
public HttpRequestMessage? Seen { get; private set; }
|
||||
public string? Body { get; private set; }
|
||||
|
||||
/// <summary>A handler that records the request, then replies with <paramref name="status"/> and
|
||||
/// <paramref name="json"/>.</summary>
|
||||
public StubHandler Responds(HttpStatusCode status, string? json = null) => new(async req =>
|
||||
{
|
||||
Seen = req;
|
||||
Body = req.Content is null ? null : await req.Content.ReadAsStringAsync();
|
||||
var response = new HttpResponseMessage(status);
|
||||
if (json is not null)
|
||||
response.Content = new StringContent(json, System.Text.Encoding.UTF8, "application/json");
|
||||
return response;
|
||||
});
|
||||
}
|
||||
44
services/domain/Big.Tests/InMemoryRegistrationStoreTests.cs
Normal file
44
services/domain/Big.Tests/InMemoryRegistrationStoreTests.cs
Normal file
@@ -0,0 +1,44 @@
|
||||
using Big.Domain;
|
||||
using Big.Infrastructure;
|
||||
|
||||
namespace Big.Tests;
|
||||
|
||||
public class InMemoryRegistrationStoreTests
|
||||
{
|
||||
[Fact]
|
||||
public async Task Saves_and_reads_back_a_registration_by_id()
|
||||
{
|
||||
var store = new InMemoryRegistrationStore();
|
||||
var registration = Registration.Submit("123456782");
|
||||
|
||||
await store.SaveAsync(registration);
|
||||
|
||||
var loaded = await store.GetAsync(registration.Id);
|
||||
Assert.NotNull(loaded);
|
||||
Assert.Equal(registration.Id, loaded.Id);
|
||||
Assert.Null(await store.GetAsync(RegistrationId.New()));
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Saving_the_same_id_upserts()
|
||||
{
|
||||
var store = new InMemoryRegistrationStore();
|
||||
var registration = Registration.Submit("123456782");
|
||||
await store.SaveAsync(registration);
|
||||
|
||||
registration.AttachZaak(new Uri("http://openzaak/zaken/api/v1/zaken/abc"));
|
||||
await store.SaveAsync(registration);
|
||||
|
||||
var loaded = await store.GetAsync(registration.Id);
|
||||
Assert.NotNull(loaded);
|
||||
Assert.Equal("http://openzaak/zaken/api/v1/zaken/abc", loaded.ZaakUrl!.ToString());
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Saving_a_null_registration_is_rejected()
|
||||
{
|
||||
var store = new InMemoryRegistrationStore();
|
||||
|
||||
await Assert.ThrowsAsync<ArgumentNullException>(() => store.SaveAsync(null!));
|
||||
}
|
||||
}
|
||||
83
services/domain/Big.Tests/OpenZaakJobProcessorTests.cs
Normal file
83
services/domain/Big.Tests/OpenZaakJobProcessorTests.cs
Normal file
@@ -0,0 +1,83 @@
|
||||
using Big.Application;
|
||||
using Big.Domain;
|
||||
using Big.Infrastructure;
|
||||
using Microsoft.Extensions.Logging;
|
||||
using Microsoft.Extensions.Logging.Abstractions;
|
||||
|
||||
namespace Big.Tests;
|
||||
|
||||
public class OpenZaakJobProcessorTests
|
||||
{
|
||||
/// <summary>A fake external-worker client: scripts the jobs to acquire and records completions.</summary>
|
||||
private sealed class FakeExternalWorkerClient(params OpenZaakJob[] jobs) : IExternalWorkerClient
|
||||
{
|
||||
public int AcquireCount { get; private set; }
|
||||
public List<(string JobId, Uri ZaakUrl)> Completed { get; } = [];
|
||||
|
||||
public Task<IReadOnlyList<OpenZaakJob>> AcquireOpenZaakJobsAsync(int maxJobs, CancellationToken ct = default)
|
||||
{
|
||||
AcquireCount++;
|
||||
return Task.FromResult<IReadOnlyList<OpenZaakJob>>(jobs.Take(maxJobs).ToList());
|
||||
}
|
||||
|
||||
public Task CompleteOpenZaakJobAsync(string jobId, Uri zaakUrl, CancellationToken ct = default)
|
||||
{
|
||||
Completed.Add((jobId, zaakUrl));
|
||||
return Task.CompletedTask;
|
||||
}
|
||||
}
|
||||
|
||||
private static OpenZaakJobProcessor Processor(IExternalWorkerClient client, IRegistrationStore store, FakeAclClient acl)
|
||||
=> new(client, new OpenZaakWorker(store, acl), NullLogger<OpenZaakJobProcessor>.Instance);
|
||||
|
||||
[Fact]
|
||||
public async Task Acquires_a_job_opens_the_zaak_and_completes_it()
|
||||
{
|
||||
var registration = Registration.Submit("123456782");
|
||||
var store = new FakeRegistrationStore();
|
||||
store.Seed(registration);
|
||||
var client = new FakeExternalWorkerClient(new OpenZaakJob("job-1", registration.Id));
|
||||
var acl = new FakeAclClient();
|
||||
|
||||
var acquired = await Processor(client, store, acl).PumpOnceAsync(5);
|
||||
|
||||
Assert.Equal(1, acquired);
|
||||
var completed = Assert.Single(client.Completed);
|
||||
Assert.Equal("job-1", completed.JobId);
|
||||
Assert.Equal(FakeAclClient.DefaultZaakUrl, completed.ZaakUrl);
|
||||
Assert.Equal(FakeAclClient.DefaultZaakUrl, (await store.GetAsync(registration.Id))!.ZaakUrl);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task A_failing_job_is_left_uncompleted_for_flowable_to_redeliver()
|
||||
{
|
||||
var store = new FakeRegistrationStore();
|
||||
var acl = new FakeAclClient();
|
||||
// The job correlates to a registration that is not in the store, so the worker throws.
|
||||
var client = new FakeExternalWorkerClient(new OpenZaakJob("job-1", RegistrationId.New()));
|
||||
var logger = new CapturingLogger<OpenZaakJobProcessor>();
|
||||
var processor = new OpenZaakJobProcessor(client, new OpenZaakWorker(store, acl), logger);
|
||||
|
||||
var acquired = await processor.PumpOnceAsync(5);
|
||||
|
||||
Assert.Equal(1, acquired);
|
||||
Assert.Empty(client.Completed);
|
||||
// The failure is logged (and the job left for redelivery), not swallowed silently.
|
||||
var error = Assert.Single(logger.Entries, e => e.Level == LogLevel.Error);
|
||||
Assert.Contains("job-1", error.Message);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Does_nothing_but_poll_when_there_are_no_jobs()
|
||||
{
|
||||
var store = new FakeRegistrationStore();
|
||||
var acl = new FakeAclClient();
|
||||
var client = new FakeExternalWorkerClient();
|
||||
|
||||
var acquired = await Processor(client, store, acl).PumpOnceAsync(5);
|
||||
|
||||
Assert.Equal(0, acquired);
|
||||
Assert.Equal(1, client.AcquireCount);
|
||||
Assert.Empty(client.Completed);
|
||||
}
|
||||
}
|
||||
70
services/domain/Big.Tests/OpenZaakWorkerTests.cs
Normal file
70
services/domain/Big.Tests/OpenZaakWorkerTests.cs
Normal file
@@ -0,0 +1,70 @@
|
||||
using Big.Application;
|
||||
using Big.Domain;
|
||||
|
||||
namespace Big.Tests;
|
||||
|
||||
public class OpenZaakWorkerTests
|
||||
{
|
||||
private static Registration Submitted(string bsn = "123456782")
|
||||
{
|
||||
var registration = Registration.Submit(bsn);
|
||||
registration.RecordProcessStarted("proc-1");
|
||||
return registration;
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Handling_a_job_opens_a_zaak_via_the_acl_and_attaches_it()
|
||||
{
|
||||
var registration = Submitted();
|
||||
var store = new FakeRegistrationStore();
|
||||
store.Seed(registration);
|
||||
var acl = new FakeAclClient();
|
||||
var worker = new OpenZaakWorker(store, acl);
|
||||
|
||||
var zaakUrl = await worker.HandleAsync(new OpenZaakJob("job-1", registration.Id));
|
||||
|
||||
Assert.Equal(FakeAclClient.DefaultZaakUrl, zaakUrl);
|
||||
Assert.Equal("123456782", acl.OpenedForBsn);
|
||||
var saved = await store.GetAsync(registration.Id);
|
||||
Assert.Equal(FakeAclClient.DefaultZaakUrl, saved!.ZaakUrl);
|
||||
Assert.Equal(1, store.SaveCount);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Handling_a_null_job_is_rejected()
|
||||
{
|
||||
var worker = new OpenZaakWorker(new FakeRegistrationStore(), new FakeAclClient());
|
||||
|
||||
await Assert.ThrowsAsync<ArgumentNullException>(() => worker.HandleAsync(null!));
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Handling_a_job_for_an_unknown_registration_throws_and_opens_no_zaak()
|
||||
{
|
||||
var store = new FakeRegistrationStore();
|
||||
var acl = new FakeAclClient();
|
||||
var worker = new OpenZaakWorker(store, acl);
|
||||
|
||||
var job = new OpenZaakJob("job-1", RegistrationId.New());
|
||||
var ex = await Assert.ThrowsAsync<InvalidOperationException>(() => worker.HandleAsync(job));
|
||||
Assert.Contains(job.RegistrationId.ToString(), ex.Message);
|
||||
Assert.Equal(0, acl.CallCount);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Handling_a_redelivered_job_is_idempotent_and_does_not_open_a_second_zaak()
|
||||
{
|
||||
var registration = Submitted();
|
||||
var store = new FakeRegistrationStore();
|
||||
store.Seed(registration);
|
||||
var acl = new FakeAclClient();
|
||||
var worker = new OpenZaakWorker(store, acl);
|
||||
var job = new OpenZaakJob("job-1", registration.Id);
|
||||
|
||||
var first = await worker.HandleAsync(job);
|
||||
var second = await worker.HandleAsync(job);
|
||||
|
||||
Assert.Equal(first, second);
|
||||
Assert.Equal(1, acl.CallCount);
|
||||
}
|
||||
}
|
||||
@@ -21,7 +21,7 @@ public class RegistrationTests
|
||||
[InlineData(" ")]
|
||||
[InlineData(null)]
|
||||
public void Submitting_without_a_bsn_is_rejected(string? bsn)
|
||||
=> Assert.Throws<ArgumentException>(() => Registration.Submit(bsn!));
|
||||
=> Assert.ThrowsAny<ArgumentException>(() => Registration.Submit(bsn!));
|
||||
|
||||
[Fact]
|
||||
public void Recording_the_started_process_keeps_its_instance_id()
|
||||
@@ -33,6 +33,17 @@ public class RegistrationTests
|
||||
Assert.Equal("proc-42", registration.ProcessInstanceId);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[InlineData("")]
|
||||
[InlineData(" ")]
|
||||
[InlineData(null)]
|
||||
public void Recording_an_empty_process_instance_id_is_rejected(string? processInstanceId)
|
||||
{
|
||||
var registration = Registration.Submit("123456782");
|
||||
|
||||
Assert.ThrowsAny<ArgumentException>(() => registration.RecordProcessStarted(processInstanceId!));
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void Attaching_a_zaak_records_its_url_and_keeps_the_status_ingediend()
|
||||
{
|
||||
@@ -71,7 +82,9 @@ public class RegistrationTests
|
||||
var registration = Registration.Submit("123456782");
|
||||
registration.AttachZaak(new Uri("http://openzaak/zaken/api/v1/zaken/abc"));
|
||||
|
||||
Assert.Throws<InvalidOperationException>(
|
||||
var ex = Assert.Throws<InvalidOperationException>(
|
||||
() => registration.AttachZaak(new Uri("http://openzaak/zaken/api/v1/zaken/other")));
|
||||
Assert.Contains("/zaken/abc", ex.Message);
|
||||
Assert.Contains("/zaken/other", ex.Message);
|
||||
}
|
||||
}
|
||||
|
||||
66
services/domain/Big.Tests/SubmitRegistrationTests.cs
Normal file
66
services/domain/Big.Tests/SubmitRegistrationTests.cs
Normal file
@@ -0,0 +1,66 @@
|
||||
using Big.Application;
|
||||
using Big.Domain;
|
||||
|
||||
namespace Big.Tests;
|
||||
|
||||
public class SubmitRegistrationTests
|
||||
{
|
||||
[Fact]
|
||||
public async Task Submitting_persists_an_ingediend_registration_and_starts_the_process()
|
||||
{
|
||||
var store = new FakeRegistrationStore();
|
||||
var workflow = new FakeWorkflowClient(processInstanceId: "proc-42");
|
||||
var handler = new SubmitRegistration(store, workflow);
|
||||
|
||||
var id = await handler.HandleAsync(new SubmitRegistrationCommand("123456782"));
|
||||
|
||||
var saved = await store.GetAsync(id);
|
||||
Assert.NotNull(saved);
|
||||
Assert.Equal("123456782", saved.Bsn);
|
||||
Assert.Equal(RegistrationStatus.Ingediend, saved.Status);
|
||||
Assert.Equal("proc-42", saved.ProcessInstanceId);
|
||||
Assert.Equal(id, workflow.StartedFor);
|
||||
Assert.Null(saved.ZaakUrl);
|
||||
// Persisted twice: once before starting the process, once after recording the instance id.
|
||||
Assert.Equal(2, store.SaveCount);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Rejects_a_null_command_without_touching_the_store_or_workflow()
|
||||
{
|
||||
var store = new FakeRegistrationStore();
|
||||
var workflow = new FakeWorkflowClient();
|
||||
var handler = new SubmitRegistration(store, workflow);
|
||||
|
||||
await Assert.ThrowsAsync<ArgumentNullException>(() => handler.HandleAsync(null!));
|
||||
Assert.Equal(0, store.SaveCount);
|
||||
Assert.Null(workflow.StartedFor);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Submitting_persists_the_registration_before_starting_the_process()
|
||||
{
|
||||
// The worker correlates the OpenZaakAanmaken job back to the aggregate by id, so the
|
||||
// aggregate must already be persisted when the process starts (ADR-0009).
|
||||
var store = new FakeRegistrationStore();
|
||||
Registration? visibleAtStart = null;
|
||||
var workflow = new FakeWorkflowClient(onStart: id => visibleAtStart = store.GetAsync(id).Result);
|
||||
var handler = new SubmitRegistration(store, workflow);
|
||||
|
||||
await handler.HandleAsync(new SubmitRegistrationCommand("123456782"));
|
||||
|
||||
Assert.NotNull(visibleAtStart);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task Submitting_without_a_bsn_is_rejected_and_starts_no_process()
|
||||
{
|
||||
var store = new FakeRegistrationStore();
|
||||
var workflow = new FakeWorkflowClient();
|
||||
var handler = new SubmitRegistration(store, workflow);
|
||||
|
||||
await Assert.ThrowsAnyAsync<ArgumentException>(
|
||||
() => handler.HandleAsync(new SubmitRegistrationCommand("")));
|
||||
Assert.Null(workflow.StartedFor);
|
||||
}
|
||||
}
|
||||
@@ -1,4 +1,7 @@
|
||||
<Solution>
|
||||
<Project Path="Big.Domain/Big.Domain.csproj" />
|
||||
<Project Path="Big.Application/Big.Application.csproj" />
|
||||
<Project Path="Big.Infrastructure/Big.Infrastructure.csproj" />
|
||||
<Project Path="Big.Api/Big.Api.csproj" />
|
||||
<Project Path="Big.Tests/Big.Tests.csproj" />
|
||||
</Solution>
|
||||
|
||||
34
services/domain/Dockerfile
Normal file
34
services/domain/Dockerfile
Normal file
@@ -0,0 +1,34 @@
|
||||
# Multi-stage build for the BIG Domain Service (.NET 10).
|
||||
# Build context is services/domain (see infra/docker-compose.yml).
|
||||
FROM mcr.microsoft.com/dotnet/sdk:10.0 AS build
|
||||
WORKDIR /src
|
||||
|
||||
# Restore first (cached unless .csproj files change).
|
||||
COPY Big.Api/Big.Api.csproj Big.Api/
|
||||
COPY Big.Application/Big.Application.csproj Big.Application/
|
||||
COPY Big.Infrastructure/Big.Infrastructure.csproj Big.Infrastructure/
|
||||
COPY Big.Domain/Big.Domain.csproj Big.Domain/
|
||||
RUN dotnet restore Big.Api/Big.Api.csproj
|
||||
|
||||
COPY Big.Api/ Big.Api/
|
||||
COPY Big.Application/ Big.Application/
|
||||
COPY Big.Infrastructure/ Big.Infrastructure/
|
||||
COPY Big.Domain/ Big.Domain/
|
||||
RUN dotnet publish Big.Api/Big.Api.csproj -c Release -o /app/publish /p:UseAppHost=false
|
||||
|
||||
FROM mcr.microsoft.com/dotnet/aspnet:10.0 AS runtime
|
||||
WORKDIR /app
|
||||
|
||||
RUN apt-get update \
|
||||
&& apt-get install -y --no-install-recommends curl \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
|
||||
COPY --from=build /app/publish .
|
||||
|
||||
ENV ASPNETCORE_URLS=http://+:8080
|
||||
EXPOSE 8080
|
||||
|
||||
HEALTHCHECK --interval=5s --timeout=3s --start-period=10s --retries=5 \
|
||||
CMD curl -fsS http://localhost:8080/health || exit 1
|
||||
|
||||
ENTRYPOINT ["dotnet", "Big.Api.dll"]
|
||||
15
services/domain/stryker-config.json
Normal file
15
services/domain/stryker-config.json
Normal file
@@ -0,0 +1,15 @@
|
||||
{
|
||||
"stryker-config": {
|
||||
"solution": "Big.slnx",
|
||||
"test-projects": ["Big.Tests/Big.Tests.csproj"],
|
||||
"reporters": ["progress", "html"],
|
||||
"mutate": [
|
||||
"!**/OpenZaakJobPump.cs"
|
||||
],
|
||||
"thresholds": {
|
||||
"high": 95,
|
||||
"low": 90,
|
||||
"break": 90
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -9,6 +9,8 @@
|
||||
|
||||
<ItemGroup>
|
||||
<PackageReference Include="coverlet.collector" Version="6.0.4" />
|
||||
<!-- The BFF acceptance scenario drives the real HTTP endpoints in-process (ADR-0010). -->
|
||||
<PackageReference Include="Microsoft.AspNetCore.Mvc.Testing" Version="10.0.8" />
|
||||
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
|
||||
<PackageReference Include="Reqnroll.xUnit" Version="3.3.4" />
|
||||
<PackageReference Include="xunit" Version="2.9.3" />
|
||||
@@ -19,6 +21,8 @@
|
||||
<ProjectReference Include="..\..\services\acl\Acl.Application\Acl.Application.csproj" />
|
||||
<ProjectReference Include="..\..\services\acl\Acl.Infrastructure\Acl.Infrastructure.csproj" />
|
||||
<ProjectReference Include="..\..\services\event-subscriber\EventSubscriber.Application\EventSubscriber.Application.csproj" />
|
||||
<ProjectReference Include="..\..\services\domain\Big.Application\Big.Application.csproj" />
|
||||
<ProjectReference Include="..\..\services\bff\Bff.Api\Bff.Api.csproj" />
|
||||
</ItemGroup>
|
||||
|
||||
</Project>
|
||||
|
||||
22
tests/acceptance/Features/BffToegang.feature
Normal file
22
tests/acceptance/Features/BffToegang.feature
Normal file
@@ -0,0 +1,22 @@
|
||||
# language: en
|
||||
# Drives S-07 (#8). The BFF is the portals' only backend (§8.3): it validates Keycloak digid tokens
|
||||
# on the self-service submit and serves the openbaar register anonymously with only public-safe
|
||||
# fields (ADR-0010). Tokens are minted with a local test key; real Keycloak validation is verify-bff.
|
||||
Feature: Toegang via de BFF
|
||||
Als portaal wil ik uitsluitend via de BFF met de backend praten
|
||||
zodat tokenvalidatie en veilige velden centraal geregeld zijn.
|
||||
|
||||
Scenario: Indienen met een geldig token wordt doorgezet naar het domein
|
||||
Given a zorgprofessional with a valid DigiD token for BSN "123456782"
|
||||
When they submit a registration via the BFF
|
||||
Then the BFF accepts it and forwards BSN "123456782" to the domain
|
||||
|
||||
Scenario: Indienen zonder token wordt geweigerd
|
||||
Given a caller without a token
|
||||
When they submit a registration via the BFF
|
||||
Then the BFF rejects it as unauthorized
|
||||
|
||||
Scenario: Het openbaar register is anoniem en toont geen BSN
|
||||
Given the projection contains a zaak "abc-111" for BSN "123456782"
|
||||
When the openbaar register is queried anonymously
|
||||
Then the response lists "abc-111" without exposing the BSN
|
||||
18
tests/acceptance/Features/RegistratieIndienen.feature
Normal file
18
tests/acceptance/Features/RegistratieIndienen.feature
Normal file
@@ -0,0 +1,18 @@
|
||||
# language: en
|
||||
# Drives S-05 (#6). A zorgprofessional submits a registration; the Domain Service starts the
|
||||
# registratie process and, via the external-task worker, opens a zaak through the ACL and records
|
||||
# it on the aggregate (ADR-0009). This scenario exercises the use cases against in-memory stand-ins
|
||||
# for the Workflow Client and the ACL; real Flowable + ACL + OpenZaak delivery is verified by the
|
||||
# live-stack check (verify-domain).
|
||||
Feature: Een registratie indienen
|
||||
Als zorgprofessional wil ik mijn registratie indienen
|
||||
zodat er een registratieproces start en een zaak wordt geopend.
|
||||
|
||||
Scenario: Indienen start het registratieproces en opent een zaak
|
||||
Given a zorgprofessional submits a registration for BSN "123456782"
|
||||
When the domain service handles the submission
|
||||
Then a registratie process is started for the registration
|
||||
And the registration has status "INGEDIEND"
|
||||
When the OpenZaakAanmaken external task is handled for the registration
|
||||
Then a zaak is opened via the ACL for BSN "123456782"
|
||||
And the zaak is recorded on the registration
|
||||
83
tests/acceptance/Steps/BffToegangSteps.cs
Normal file
83
tests/acceptance/Steps/BffToegangSteps.cs
Normal file
@@ -0,0 +1,83 @@
|
||||
using System.Net;
|
||||
using System.Net.Http.Headers;
|
||||
using System.Net.Http.Json;
|
||||
using Acceptance.Support;
|
||||
using Bff.Api;
|
||||
using Reqnroll;
|
||||
using Xunit;
|
||||
|
||||
namespace Acceptance.Steps;
|
||||
|
||||
/// <summary>Bindings for <c>BffToegang.feature</c> (S-07). Drives the real BFF over HTTP with a
|
||||
/// fake domain + projection and locally-minted tokens (ADR-0010). One host per scenario.</summary>
|
||||
[Binding]
|
||||
public sealed class BffToegangSteps : IDisposable
|
||||
{
|
||||
private readonly BffAcceptanceHost _host = new();
|
||||
private HttpClient _client = null!;
|
||||
private string? _token;
|
||||
private HttpResponseMessage? _response;
|
||||
|
||||
[Given("a zorgprofessional with a valid DigiD token for BSN \"(.*)\"")]
|
||||
public void GivenAValidToken(string bsn)
|
||||
{
|
||||
_token = BffAcceptanceHost.MintToken(bsn);
|
||||
_client = _host.CreateClient();
|
||||
}
|
||||
|
||||
[Given("a caller without a token")]
|
||||
public void GivenNoToken() => _client = _host.CreateClient();
|
||||
|
||||
[Given("the projection contains a zaak \"(.*)\" for BSN \"(.*)\"")]
|
||||
public void GivenTheProjectionContains(string zaakId, string bsn)
|
||||
{
|
||||
_host.Projection.Entries.Add(new ProjectionEntry(zaakId, "INGEDIEND", bsn, null));
|
||||
_client = _host.CreateClient();
|
||||
}
|
||||
|
||||
[When("they submit a registration via the BFF")]
|
||||
public async Task WhenTheySubmit()
|
||||
{
|
||||
var request = new HttpRequestMessage(HttpMethod.Post, "/self-service/registrations")
|
||||
{
|
||||
Content = JsonContent.Create(new { }),
|
||||
};
|
||||
if (_token is not null)
|
||||
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", _token);
|
||||
_response = await _client.SendAsync(request);
|
||||
}
|
||||
|
||||
[When("the openbaar register is queried anonymously")]
|
||||
public async Task WhenTheOpenbaarRegisterIsQueried()
|
||||
=> _response = await _client.GetAsync("/openbaar/register");
|
||||
|
||||
[Then("the BFF accepts it and forwards BSN \"(.*)\" to the domain")]
|
||||
public void ThenAcceptedAndForwarded(string bsn)
|
||||
{
|
||||
Assert.Equal(HttpStatusCode.Accepted, _response!.StatusCode);
|
||||
Assert.Equal(bsn, _host.Domain.SubmittedBsn);
|
||||
}
|
||||
|
||||
[Then("the BFF rejects it as unauthorized")]
|
||||
public void ThenUnauthorized()
|
||||
{
|
||||
Assert.Equal(HttpStatusCode.Unauthorized, _response!.StatusCode);
|
||||
Assert.Null(_host.Domain.SubmittedBsn);
|
||||
}
|
||||
|
||||
[Then("the response lists \"(.*)\" without exposing the BSN")]
|
||||
public async Task ThenListsWithoutBsn(string zaakId)
|
||||
{
|
||||
Assert.Equal(HttpStatusCode.OK, _response!.StatusCode);
|
||||
var body = await _response.Content.ReadAsStringAsync();
|
||||
Assert.Contains(zaakId, body);
|
||||
Assert.DoesNotContain("123456782", body);
|
||||
}
|
||||
|
||||
public void Dispose()
|
||||
{
|
||||
_response?.Dispose();
|
||||
_client?.Dispose();
|
||||
_host.Dispose();
|
||||
}
|
||||
}
|
||||
54
tests/acceptance/Steps/RegistratieIndienenSteps.cs
Normal file
54
tests/acceptance/Steps/RegistratieIndienenSteps.cs
Normal file
@@ -0,0 +1,54 @@
|
||||
using Acceptance.Support;
|
||||
using Big.Application;
|
||||
using Big.Domain;
|
||||
using Reqnroll;
|
||||
using Xunit;
|
||||
|
||||
namespace Acceptance.Steps;
|
||||
|
||||
/// <summary>Bindings for <c>RegistratieIndienen.feature</c> (S-05). Drives the SubmitRegistration
|
||||
/// and OpenZaakWorker use cases against in-memory ports; one instance per scenario.</summary>
|
||||
[Binding]
|
||||
public sealed class RegistratieIndienenSteps
|
||||
{
|
||||
private readonly InMemoryWorkflowClient _workflow = new();
|
||||
private readonly InMemoryAclClient _acl = new();
|
||||
private readonly InMemoryRegistrationStore _store = new();
|
||||
private string _bsn = "";
|
||||
private RegistrationId _id;
|
||||
|
||||
[Given("a zorgprofessional submits a registration for BSN \"(.*)\"")]
|
||||
public void GivenAZorgprofessionalSubmitsARegistration(string bsn) => _bsn = bsn;
|
||||
|
||||
[When("the domain service handles the submission")]
|
||||
public async Task WhenTheDomainServiceHandlesTheSubmission()
|
||||
=> _id = await new SubmitRegistration(_store, _workflow).HandleAsync(new SubmitRegistrationCommand(_bsn));
|
||||
|
||||
[Then("a registratie process is started for the registration")]
|
||||
public void ThenARegistratieProcessIsStarted()
|
||||
=> Assert.Equal(_id, _workflow.StartedFor);
|
||||
|
||||
[Then("the registration has status \"(.*)\"")]
|
||||
public async Task ThenTheRegistrationHasStatus(string expected)
|
||||
{
|
||||
var registration = await _store.GetAsync(_id);
|
||||
Assert.NotNull(registration);
|
||||
Assert.Equal(expected, registration.Status.ToString().ToUpperInvariant());
|
||||
Assert.Equal(InMemoryWorkflowClient.StartedProcessInstanceId, registration.ProcessInstanceId);
|
||||
}
|
||||
|
||||
[When("the OpenZaakAanmaken external task is handled for the registration")]
|
||||
public async Task WhenTheExternalTaskIsHandled()
|
||||
=> await new OpenZaakWorker(_store, _acl).HandleAsync(new OpenZaakJob("job-acc-1", _id));
|
||||
|
||||
[Then("a zaak is opened via the ACL for BSN \"(.*)\"")]
|
||||
public void ThenAZaakIsOpenedViaTheAcl(string bsn)
|
||||
=> Assert.Equal(bsn, _acl.OpenedForBsn);
|
||||
|
||||
[Then("the zaak is recorded on the registration")]
|
||||
public async Task ThenTheZaakIsRecordedOnTheRegistration()
|
||||
{
|
||||
var registration = await _store.GetAsync(_id);
|
||||
Assert.Equal(InMemoryAclClient.OpenedZaakUrl, registration!.ZaakUrl);
|
||||
}
|
||||
}
|
||||
80
tests/acceptance/Support/BffAcceptanceHost.cs
Normal file
80
tests/acceptance/Support/BffAcceptanceHost.cs
Normal file
@@ -0,0 +1,80 @@
|
||||
using System.Text;
|
||||
using Bff.Api;
|
||||
using Microsoft.AspNetCore.Authentication.JwtBearer;
|
||||
using Microsoft.AspNetCore.Hosting;
|
||||
using Microsoft.AspNetCore.Mvc.Testing;
|
||||
using Microsoft.AspNetCore.TestHost;
|
||||
using Microsoft.Extensions.DependencyInjection;
|
||||
using Microsoft.IdentityModel.JsonWebTokens;
|
||||
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
|
||||
using Microsoft.IdentityModel.Tokens;
|
||||
|
||||
namespace Acceptance.Support;
|
||||
|
||||
/// <summary>Hosts the real BFF in-process for the acceptance scenario, with fake downstreams and a
|
||||
/// local test signing key so tokens can be minted without a live Keycloak (ADR-0010).</summary>
|
||||
public sealed class BffAcceptanceHost : WebApplicationFactory<Program>
|
||||
{
|
||||
private static readonly SymmetricSecurityKey TestKey =
|
||||
new(Encoding.UTF8.GetBytes("acceptance-bff-signing-key-at-least-256-bits-long!!"));
|
||||
|
||||
public CapturingDomainClient Domain { get; } = new();
|
||||
public StubProjectionClient Projection { get; } = new();
|
||||
|
||||
public static string MintToken(string bsn) => new JsonWebTokenHandler().CreateToken(new SecurityTokenDescriptor
|
||||
{
|
||||
Claims = new Dictionary<string, object> { ["bsn"] = bsn },
|
||||
Expires = DateTime.UtcNow.AddMinutes(30),
|
||||
SigningCredentials = new SigningCredentials(TestKey, SecurityAlgorithms.HmacSha256),
|
||||
});
|
||||
|
||||
protected override void ConfigureWebHost(IWebHostBuilder builder)
|
||||
{
|
||||
builder.UseSetting("Keycloak:Authority", "https://keycloak.invalid/realms/digid");
|
||||
builder.UseSetting("Downstream:Domain:BaseUrl", "http://domain.invalid/");
|
||||
builder.UseSetting("Downstream:Projection:BaseUrl", "http://projection.invalid/");
|
||||
|
||||
builder.ConfigureTestServices(services =>
|
||||
{
|
||||
services.AddSingleton<IDomainClient>(Domain);
|
||||
services.AddSingleton<IProjectionClient>(Projection);
|
||||
services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, options =>
|
||||
{
|
||||
options.Authority = null;
|
||||
options.MetadataAddress = null!;
|
||||
options.RequireHttpsMetadata = false;
|
||||
options.Configuration = new OpenIdConnectConfiguration();
|
||||
options.TokenValidationParameters = new TokenValidationParameters
|
||||
{
|
||||
ValidateIssuer = false,
|
||||
ValidateAudience = false,
|
||||
ValidateLifetime = true,
|
||||
ValidateIssuerSigningKey = true,
|
||||
IssuerSigningKey = TestKey,
|
||||
ClockSkew = TimeSpan.Zero,
|
||||
};
|
||||
});
|
||||
});
|
||||
}
|
||||
}
|
||||
|
||||
/// <summary>Records the bsn the BFF forwarded.</summary>
|
||||
public sealed class CapturingDomainClient : IDomainClient
|
||||
{
|
||||
public string? SubmittedBsn { get; private set; }
|
||||
|
||||
public Task<SubmitAccepted> SubmitRegistrationAsync(string bsn, CancellationToken ct = default)
|
||||
{
|
||||
SubmittedBsn = bsn;
|
||||
return Task.FromResult(new SubmitAccepted("reg-acc-1", "Ingediend"));
|
||||
}
|
||||
}
|
||||
|
||||
/// <summary>Serves configurable projection rows.</summary>
|
||||
public sealed class StubProjectionClient : IProjectionClient
|
||||
{
|
||||
public List<ProjectionEntry> Entries { get; } = [];
|
||||
|
||||
public Task<IReadOnlyList<ProjectionEntry>> GetRegisterAsync(CancellationToken ct = default)
|
||||
=> Task.FromResult<IReadOnlyList<ProjectionEntry>>(Entries);
|
||||
}
|
||||
50
tests/acceptance/Support/InMemoryDomainPorts.cs
Normal file
50
tests/acceptance/Support/InMemoryDomainPorts.cs
Normal file
@@ -0,0 +1,50 @@
|
||||
using Big.Application;
|
||||
using Big.Domain;
|
||||
|
||||
namespace Acceptance.Support;
|
||||
|
||||
/// <summary>An in-memory Workflow Client for the domain acceptance scenario: it records which
|
||||
/// registration a process was started for and returns a fixed instance id. The acceptance test
|
||||
/// drives the use case without a running Flowable (live verification is the verify-domain check).</summary>
|
||||
public sealed class InMemoryWorkflowClient : IWorkflowClient
|
||||
{
|
||||
public const string StartedProcessInstanceId = "proc-acc-1";
|
||||
|
||||
public RegistrationId? StartedFor { get; private set; }
|
||||
|
||||
public Task<string> StartRegistrationProcessAsync(RegistrationId registrationId, CancellationToken ct = default)
|
||||
{
|
||||
StartedFor = registrationId;
|
||||
return Task.FromResult(StartedProcessInstanceId);
|
||||
}
|
||||
}
|
||||
|
||||
/// <summary>An in-memory ACL stand-in: records the bsn it opened a zaak for and returns a fixed URL,
|
||||
/// so the scenario verifies the domain crosses the ACL boundary (§8.1) without a running OpenZaak.</summary>
|
||||
public sealed class InMemoryAclClient : IAclClient
|
||||
{
|
||||
public static readonly Uri OpenedZaakUrl = new("http://openzaak/zaken/api/v1/zaken/acc-zaak");
|
||||
|
||||
public string? OpenedForBsn { get; private set; }
|
||||
|
||||
public Task<Uri> OpenZaakAsync(string bsn, CancellationToken ct = default)
|
||||
{
|
||||
OpenedForBsn = bsn;
|
||||
return Task.FromResult(OpenedZaakUrl);
|
||||
}
|
||||
}
|
||||
|
||||
/// <summary>An in-memory registration store for the domain acceptance scenario.</summary>
|
||||
public sealed class InMemoryRegistrationStore : IRegistrationStore
|
||||
{
|
||||
private readonly Dictionary<RegistrationId, Registration> _byId = [];
|
||||
|
||||
public Task SaveAsync(Registration registration, CancellationToken ct = default)
|
||||
{
|
||||
_byId[registration.Id] = registration;
|
||||
return Task.CompletedTask;
|
||||
}
|
||||
|
||||
public Task<Registration?> GetAsync(RegistrationId id, CancellationToken ct = default)
|
||||
=> Task.FromResult(_byId.GetValueOrDefault(id));
|
||||
}
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user