feat: Newsfeed in Portal based on XWiki blog feature

2025-12-06 07:21:36 +01:00 · 2024-11-26 11:31:47 +01:00
parent e4d9106c45
commit 3ad285a869
7 changed files with 92 additions and 9 deletions
--- a/docs/architecture.md
+++ b/docs/architecture.md
@@ -23,6 +23,7 @@ SPDX-License-Identifier: Apache-2.0
  * [Central Contacts](#central-contacts)
  * [Central Navigation](#central-navigation)
  * [Filepicker](#filepicker)
+  * [Newsfeed](#newsfeed)
  * [(OpenProject) File Store](#openproject-file-store)
 * [Applications vs. Services](#applications-vs-services)
  * [Collabora (Office)](#collabora-office)
@@ -256,6 +257,7 @@ flowchart TD
 Intercom_Service-->|Silent Login, Token Exchange|IdP
 Intercom_Service-->|Filepicker|Nextcloud
 Intercom_Service-->|Central Navigations|Portal
+ Intercom_Service-->|Newsfeed|XWiki
 OX-AppSuite_Backend-->|Filepicker|Nextcloud
 OX-AppSuite_Backend-->|Videoconferences|Element
 Nextcloud-->|Central Navigation|Portal
@@ -264,6 +266,7 @@ flowchart TD
 XWiki-->|Central Navigation|Portal
 Nextcloud-->|Central Contacts|OX-AppSuite_Backend
 OX-AppSuite_Frontend-->|Filepicker|OX-AppSuite_Backend
+ Portal-->|Newsfeed|Intercom_Service
 ```

 Details can be found in the upstream documentation that is linked in the respective sections.
@@ -325,6 +328,14 @@ when adding a file to an email or storing a file into Nextcloud to avoid passing
 **Links**
 - [OX AppSuite Nextcloud Integration upstream documentation](https://gitlab.open-xchange.com/extensions/nextcloud-integration/-/tree/main/documentation).

+## Newsfeed
+
+The portal renders a newsfeed based on entries of a predefined openDesk blog in XWiki. It accesses the required XWiki
+service through the Intercom Service's `/wiki` endpoint, in combination with the previously described silent login.
+
+**Links:**
+- [XWiki Blog feature](https://extensions.xwiki.org/xwiki/bin/view/Extension/Blog%20Application)
+
 ## (OpenProject) File Store

 While OpenProject allows you to attach files to work packages directly, it is often preferred that the files are
--- a/helmfile/apps/nubus/values-intercom-service.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-intercom-service.yaml.gotmpl
@@ -53,7 +53,8 @@ ics:
  secret: {{ .Values.secrets.intercom.secret | quote }}
  issuerBaseUrl: "https://{{ .Values.global.hosts.keycloak }}.{{ .Values.global.domain }}/realms/{{ .Values.platform.realm }}"
  originRegex: "{{ .Values.global.domain }}"
-  userUniqueMapper: {{ if .Values.functional.chat.matrix.profile.useImmutableIdentifierForLocalpart }}"entryuuid"{{ else }}"phoenixusername"{{ end }}
+  userUniqueMapper: {{ if .Values.functional.chat.matrix.profile.useImmutableIdentifierForLocalpart }}"entryuuid"{{ else }}"opendesk_username"{{ end }}
+  usernameClaim: "opendesk_username"
  keycloak:
    realm: {{ .Values.platform.realm | quote }}
  default:
@@ -77,6 +78,9 @@ ics:
    oci: true
    url: "https://{{ .Values.global.hosts.openxchange }}.{{ .Values.global.domain }}"
    audience: "opendesk-oxappsuite"
+  xwiki:
+    subdomain: {{ .Values.global.hosts.xwiki | quote }}
+    audience: "opendesk-xwiki"
  nextcloud:
    origin: {{ .Values.global.hosts.nextcloud | quote }}
    subdomain: {{ .Values.global.hosts.nextcloud | quote }}
@@ -103,7 +107,9 @@ podSecurityContext:
  fsGroupChangePolicy: "Always"

 provisioning:
-  enabled: true
+  # intercom OIDC client is created by opendesk-keycloak-bootstrap, as we have control over the
+  # client's claims this way.
+  enabled: false
  config:
    nubusBaseUrl: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}"
    keycloak:
--- a/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
+++ b/helmfile/apps/nubus/values-opendesk-keycloak-bootstrap.yaml.gotmpl
@@ -375,6 +375,71 @@ config:
              claim.name: "opendesk_username"
              jsonType.label: "String"
    clients:
+      - name: "opendesk-intercom"
+        clientId: "opendesk-intercom"
+        protocol: "openid-connect"
+        clientAuthenticatorType: "client-secret"
+        secret: {{ .Values.secrets.keycloak.clientSecret.intercom | quote }}
+        redirectUris:
+          - "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/callback"
+        consentRequired: false
+        frontchannelLogout: false
+        publicClient: false
+        authorizationServicesEnabled: false
+        attributes:
+          backchannel.logout.session.required: true
+          backchannel.logout.revoke.offline.tokens: true
+          backchannel.logout.url: "https://{{ .Values.global.hosts.intercomService }}.{{ .Values.global.domain }}/backchannel-logout"
+        protocolMappers:
+          - name: "intercom-audience"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-audience-mapper"
+            consentRequired: false
+            config:
+              included.client.audience: "opendesk-intercom"
+              id.token.claim: false
+              access.token.claim: true
+          # temporary additional claim while entryuuid is a hardcoded attribute in IntercomService and we cannot set
+          # it to `opendesk_useruuid` standard claim. For reference:
+          # https://github.com/univention/intercom-service/blob/cd819b6ced6433e532e74a8878943d05412c1416/intercom/app.js#L89
+          - name: "entryuuid_temp"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "entryUUID"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "entryuuid"
+              jsonType.label: "String"
+          # temporary additional claim while phoenixusername is a hardcoded attribute in IntercomService and we cannot
+          # set it to `opendesk_username` standard claim. For reference:
+          # https://github.com/univention/intercom-service/blob/cd819b6ced6433e532e74a8878943d05412c1416/intercom/routes/navigation.js#L27
+          - name: "phoenixusername_temp"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "phoenixusername"
+              jsonType.label: "String"
+          - name: "opendesk_username"
+            protocol: "openid-connect"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            consentRequired: false
+            config:
+              userinfo.token.claim: true
+              user.attribute: "uid"
+              id.token.claim: true
+              access.token.claim: true
+              claim.name: "opendesk_username"
+              jsonType.label: "String"
+        defaultClientScopes:
+          - "offline_access"
      - name: "opendesk-dovecot"
        clientId: "opendesk-dovecot"
        protocol: "openid-connect"
--- a/helmfile/apps/xwiki/helmfile-child.yaml.gotmpl
+++ b/helmfile/apps/xwiki/helmfile-child.yaml.gotmpl
@@ -11,7 +11,7 @@ repositories:
    password: {{ env "OD_PRIVATE_REGISTRY_PASSWORD" | quote }}
    oci: true
    url: "{{ .Values.global.helmRegistry | default .Values.charts.xwiki.registry }}/{{ .Values.charts.xwiki.repository }}"
-
+    
 releases:
  - name: "xwiki"
    chart: "xwiki-repo/{{ .Values.charts.xwiki.name }}"
--- a/helmfile/apps/xwiki/values.yaml.gotmpl
+++ b/helmfile/apps/xwiki/values.yaml.gotmpl
@@ -147,6 +147,7 @@ properties:
  "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.secure": 1
  "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.server": "{{ .Values.global.hosts.xwiki }}.{{ .Values.global.domain }}"
  "property:xwiki:XWiki.XWikiServerXwiki^XWiki.XWikiServerClass.port": 443
+
  ## This option overwrites the LDAP group mappings including all dynamically created mappings, therefore on XWiki restart an LDAP sync is triggered to load the dynamic mapping.
  "property:xwiki:XWiki.XWikiPreferences^XWiki.XWikiPreferences.ldap_group_mapping": "xwiki:XWiki.XWikiAdminGroup=cn=managed-by-attribute-KnowledgemanagementAdmin,cn=groups,dc=swp-ldap,dc=internal"
  ## SMTP settings
@@ -175,7 +176,7 @@ properties:
  # yamllint disable-line rule:line-length
  "property:xwiki:FlamingoThemes.Iceberg^FlamingoThemesCode.ThemeClass.lessCode": "li#tmWorkplaceServices { padding-left: 16px; padding-top: 5px; } .navbar-right { padding-top: 8px; } .navbar { border-bottom: 1px solid #ddd !important; height: 64px;} div#companylogo { width: 90px; height: auto; padding-top: 7px; padding-left: 9px; }"

-  "property:xwiki:XWiki.AuthService.Configuration^XWiki.AuthService.ConfigurationClass.authService": "oidc"
+  "property:xwiki:XWiki.AuthService.Configuration^XWiki.AuthService.ConfigurationClass.authService": "keycloak-bridge-auth"
  ## Fields to search in when importing users from the administration UI (not completely in scope for now)
  "property:xwiki:LDAPUserImport.WebHome^LDAPUserImport.LDAPUserImportConfigClass.ldapUserAttributes":
    "sn,givenname,uid,mailPrimaryAddress"
--- a/helmfile/environments/default/charts.yaml.gotmpl
+++ b/helmfile/environments/default/charts.yaml.gotmpl
@@ -139,7 +139,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/charts-mirror"
    name: "intercom-service"
-    version: "2.7.1"
+    version: "2.7.3"
    verify: true
  jitsi:
    # providerCategory: "Platform"
@@ -321,7 +321,7 @@ charts:
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/charts/opendesk-keycloak-bootstrap"
    name: "opendesk-keycloak-bootstrap"
-    version: "2.1.3"
+    version: "2.1.4"
    verify: true
  openproject:
    # providerCategory: "Supplier"
--- a/helmfile/environments/default/images.yaml.gotmpl
+++ b/helmfile/environments/default/images.yaml.gotmpl
@@ -79,7 +79,7 @@ images:
    # upstreamMirrorStartFrom: ["2", "1", "0"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/univention/images-mirror/intercom-service"
-    tag: "2.4.0@sha256:df743b7ea30077dc941815ccc60198820d67bbba94853fa7a6f939c0f36af335"
+    tag: "2.7.3@sha256:bae60a9a14df53431f81846bf98520e3340dbfc1abae88622ccbd3c6e81cd930"
  jibri:
    # providerCategory: "Supplier"
    # providerResponsible: "Nordeck"
@@ -469,7 +469,7 @@ images:
    # upstreamRepository: "nubus/images/portal-frontend"
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/platform-development/images/opendesk-nubus-portal-update"
-    tag: "1.10.5@sha256:75461683a2233c2e5c99499791ceb576b717c68baa28eef2c307e7052aaaf754"
+    tag: "1.10.13@sha256:2f84f50af5d6ed31587e5ea9d043c9c30599d91350e13ea1ca31c9c9737a32cc"
  nubusPortalServer:
    # providerCategory: "Supplier"
    # providerResponsible: "Univention"
@@ -837,5 +837,5 @@ images:
    # upstreamMirrorStartFrom: ["0", "12"]
    registry: "registry.opencode.de"
    repository: "bmi/opendesk/components/supplier/xwiki/images-mirror/xwiki"
-    tag: "0.22-mariadb-jetty-alpine@sha256:ba29f44befc558c4a4d969f103b216c13a55194dbc532adc43567bee4943d65f"
+    tag: "0.23-mariadb-jetty-alpine@sha256:d358212cc5c3addc4be02cfd0f2b08aa8b88399ac5848e152111f231356558da"
 ...