Merge branch 'main' into devJsonExtraction

Author: loichenninger

.github/workflows/create-release.yaml

@@ -21,7 +21,7 @@ jobs:
       should_run_next_job:  ${{ steps.check-tag.outputs.should_continue }}
     steps:
       - name: Set up JDK 21
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@v5
         with:
           distribution: 'temurin'
           java-version: '21'
@@ -64,7 +64,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Set up JDK 21
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@v5
         with:
           distribution: 'temurin'
           java-version: '21'

.github/workflows/docker.yaml

@@ -21,7 +21,7 @@ jobs:
           ref: ${{ steps.extract_branch.outputs.branch }}
 
       - name: Set up JDK 21
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@v5
         with:
           distribution: "temurin"
           java-version: "21"

.github/workflows/maven.yml

@@ -23,7 +23,7 @@ jobs:
     - uses: actions/checkout@v5
 
     - name: Set up JDK 21
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@v5
       with:
         java-version: '21'
         distribution: 'temurin'

.github/workflows/scheduled-version-update.yaml

@@ -6,7 +6,12 @@ permissions:
 
 on:
   schedule:
-    - cron: 45 7 * * 4
+    # 08:30 Europe/Paris pendant l'heure d'été (CEST = UTC+2)
+    # mois 3-10 (mars à octobre inclus)
+    - cron: '30 6 * 3-10 4'
+    # 08:30 Europe/Paris pendant l'heure d'hiver (CET = UTC+1)
+    # mois 11,12,1,2 (novembre, décembre, janvier, février)
+    - cron: '30 7 * 11,12,1,2 4'
   workflow_dispatch:
 
 jobs:
@@ -24,7 +29,13 @@ jobs:
         id: current_sha
         run: |
           cd genesis
-          CURRENT_SHA=$(git log -n 1 --pretty=format:"%H")
+          CURRENT_SHA=$(
+            git log --pretty=format:"%H" \
+            --invert-grep --grep="^ci:" \
+            --invert-grep --grep="^Merge branch 'main'" \
+            --invert-grep --grep="^Revert " \
+            -n 1
+          )
           echo "last commit SHA : $CURRENT_SHA"
           echo "current_sha=$CURRENT_SHA" >> $GITHUB_OUTPUT
 
@@ -44,7 +55,7 @@ jobs:
         run: |
           if [ "${{ steps.current_sha.outputs.current_sha }}" = "${{ steps.last_tag.outputs.tag_sha }}" ]; then
             echo "No new commit since version. Exiting."
-            exit 0
+            exit 1
           fi
 
       - name: Get version from changelog
@@ -122,19 +133,21 @@ jobs:
                 ' "$FILE"; then
                 echo "Adding BPM ${BPM_VERSION} to existing updated section"
                 awk -v ver="^## ${NEW_VERSION_NO_V}" -v newline="$NEW_LINE" '
-                $0 ~ ver {print; in_ver=1; next}
-                in_ver && /^## / {in_ver=0}
-                in_ver && /^### Updated/ {print; print newline; next}
-                {print}
+                  $0 ~ ver {print; in_ver=1; next}
+                  in_ver && /^## / {in_ver=0}
+                  in_ver && !done && /^### Updated/ {print; print newline; done=1; next}
+                  {print}
                 ' "$FILE" > tmp && mv tmp "$FILE"
               else
                 ### New changed section
                 echo "Adding BPM ${BPM_VERSION} to a new updated section"
                 awk -v ver="^## ${NEW_VERSION_NO_V}" -v newline="$NEW_LINE" '
-                $0 ~ ver {print; in_ver=1; next}
-                in_ver && /^## / {print "### Updated"; print newline; in_ver=0}
-                {print}
-                END { if(in_ver) {print "### Updated"; print newline} }
+                  $0 ~ ver {print; in_ver=1; next}
+                  in_ver && /^## / && !done {
+                    print "### Updated"; print newline; in_ver=0; done=1
+                  }
+                  {print}
+                  END { if(in_ver && !done) {print "### Updated"; print newline} }
                 ' "$FILE" > tmp && mv tmp "$FILE"
               fi
             fi

CHANGELOG.md

@@ -1,4 +1,19 @@
 # Changelog
+## 1.8.4 [2025-09-11]
+### Updated
+- Sonar 5.2.0.4988
+- Springdoc openapi webmvc 2.8.13
+- Cucumber 7.28.2
+
+
+## 1.8.3 [2025-08-28]
+### Updated
+- Springboot 3.5.5
+- Springdoc openapi webmvc 2.8.11
+
+### Added
+- CI pipeline
+
 ## 1.8.2 [2025-08-19]
 ### Updated
 - BPM 1.0.13

pom.xml

@@ -4,21 +4,21 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>fr.insee.genesis</groupId>
     <artifactId>genesis-api</artifactId>
-    <version>1.8.2</version>
+    <version>1.8.4</version>
     <packaging>jar</packaging>
     <name>genesis-api</name>
 
     <parent>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-parent</artifactId>
-        <version>3.5.4</version>
+        <version>3.5.5</version>
     </parent>
 
     <properties>
         <java.version>21</java.version>
-        <springdoc.version>2.8.9</springdoc.version>
+        <springdoc.version>2.8.13</springdoc.version>
         <mapstruct.version>1.6.3</mapstruct.version>
-        <cucumber.version>7.27.2</cucumber.version>
+        <cucumber.version>7.28.2</cucumber.version>
         <junit-jupiter.version>5.13.4</junit-jupiter.version>
 
         <!-- Proprietes sonar -->
@@ -34,7 +34,7 @@
         <pitest.version>1.20.2</pitest.version>
         <pitest.junit.version>1.2.3</pitest.junit.version>
         <jackson.version>2.19.0</jackson.version>
-        <bpm.version>1.0.13</bpm.version>
+        <bpm.version>1.0.15</bpm.version>
     </properties>
     <dependencies>
         <dependency>
@@ -171,7 +171,7 @@
                 <plugin>
                     <groupId>org.sonarsource.scanner.maven</groupId>
                     <artifactId>sonar-maven-plugin</artifactId>
-                    <version>5.1.0.4751</version>
+                    <version>5.2.0.4988</version>
                 </plugin>
                 <plugin>
                     <groupId>org.jacoco</groupId>

src/main/java/fr/insee/genesis/configuration/auth/security/OIDCSecurityConfig.java

@@ -26,6 +26,7 @@
 import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;
 import org.springframework.security.web.SecurityFilterChain;
 
+import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
@@ -112,39 +113,47 @@ Converter<Jwt, Collection<GrantedAuthority>> jwtGrantedAuthoritiesConverter() {
             @Override
             @SuppressWarnings({"unchecked"})
             public Collection<GrantedAuthority> convert(Jwt source) {
-
-                String[] claimPath = inseeSecurityTokenProperties.getOidcClaimRole().split("\\.");
-                Map<String, Object> claims = source.getClaims();
                 try {
+                    List<String> allTokenClaims = new ArrayList<>();
+
+                    // 🔹 1. Retrieve roles from realm_access.roles
+                    String[] claimPath = inseeSecurityTokenProperties.getOidcClaimRole().split("\\.");
+                    Map<String, Object> claims = source.getClaims();
                     for (int i = 0; i < claimPath.length - 1; i++) {
                         claims = (Map<String, Object>) claims.get(claimPath[i]);
                     }
                     if (claims != null) {
                         List<String> tokenClaims = (List<String>) claims.getOrDefault(claimPath[claimPath.length - 1], List.of());
-                        // Collect distinct values from mapping associated with input keys
-                        List<String> claimedRoles = tokenClaims.stream()
-                                .filter(roleConfiguration.getRolesByClaim()::containsKey) // Ensure the key exists in the mapping
-                                .flatMap(key -> roleConfiguration.getRolesByClaim().get(key).stream()) // Get the list of values associated with the key
-                                .distinct() // Remove duplicates
-                                .toList();
-
-                        return Collections.unmodifiableCollection(claimedRoles.stream().map(s -> new GrantedAuthority() {
-                            @Override
-                            public String getAuthority() {
-                                return ROLE_PREFIX + s;
-                            }
-
-                            @Override
-                            public String toString() {
-                                return getAuthority();
-                            }
-                        }).toList());
+                        allTokenClaims.addAll(tokenClaims);
+                    }
+
+                    // 🔹 2. Retrieve roles from inseegroupedefaut
+                    Object inseeGroups = source.getClaims().get("inseegroupedefaut");
+                    if (inseeGroups instanceof List<?> groups) {
+                        groups.stream()
+                                .filter(String.class::isInstance)
+                                .map(String.class::cast)
+                                .forEach(allTokenClaims::add);
                     }
+
+                    // 🔹 3. Mapping with Spring roles
+                    List<String> claimedRoles = allTokenClaims.stream()
+                            .filter(roleConfiguration.getRolesByClaim()::containsKey)
+                            .flatMap(key -> roleConfiguration.getRolesByClaim().get(key).stream())
+                            .distinct()
+                            .toList();
+
+                    // 🔹 4. Transforms in GrantedAuthority
+                    return Collections.unmodifiableCollection(
+                            claimedRoles.stream()
+                                    .map(s -> (GrantedAuthority) () -> ROLE_PREFIX + s)
+                                    .toList()
+                    );
+
                 } catch (ClassCastException e) {
                     // role path not correctly found, assume that no role for this user
                     return List.of();
                 }
-                return List.of();
             }
         };
     }

src/main/java/fr/insee/genesis/controller/rest/DataProcessingContextController.java

@@ -46,7 +46,7 @@ public class DataProcessingContextController {
 
     @Operation(summary = "Create or update a data processing context")
     @PutMapping(path = "/review")
-    @PreAuthorize("hasRole('USER_BACK_OFFICE')")
+    @PreAuthorize("hasAnyRole('USER_BACK_OFFICE','SCHEDULER')")
     public ResponseEntity<Object> saveContext(
             @Parameter(description = "Identifier of the partition", required = true) @RequestParam("partitionId") String partitionId,
             @Parameter(description = "Allow reviewing") @RequestParam(value = "withReview", defaultValue = "false") Boolean withReview