Merge branch 'release/v1.3'

Author: beshkenadze

config/packages/dev/framework.yaml

@@ -0,0 +1,5 @@
+framework:
+    session:
+        handler_id: ~
+        cookie_secure: false
+

config/packages/framework.yaml

@@ -6,6 +6,8 @@ framework:
     secret: '%env(APP_SECRET)%'
     session:
         handler_id: ~
+        cookie_secure: true
+        cookie_httponly: true
     templating:
         engines: ['twig']
     csrf_protection: false

config/packages/lexik_jwt_authentication.yaml

@@ -4,4 +4,15 @@ lexik_jwt_authentication:
     secret_key: '%kernel.root_dir%/../var/jwt/private.pem'
     public_key:  '%kernel.root_dir%/../var/jwt/public.pem'
     pass_phrase:      '%env(JWT_PASSPHRASE)%'
-    token_ttl:        '%env(JWT_TOKEN_TTL)%'
+    token_ttl:        '%env(JWT_TOKEN_TTL)%'
+    token_extractors:
+        # look for a token as Authorization Header
+        authorization_header:
+            enabled: false
+            prefix:  Bearer
+            name:    Authorization
+
+        # check token in a cookie
+        cookie:
+            enabled: true
+            name:    token

config/packages/security.yaml

@@ -32,15 +32,6 @@ security:
             anonymous: false
             context: admin
             provider: fos.user.provider
-        share:
-            pattern: "^/api/share/[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$"
-            provider:  fos.user.provider
-            stateless: true
-            anonymous: ~
-            logout: ~
-            guard:
-                authenticators:
-                    - App\Security\ShareAuthenticator
         srp:
             pattern: ^/api/auth/srpp
             stateless: true

k8s/deployment.yaml

@@ -54,12 +54,14 @@ spec:
           containerPort: 9000
         volumeMounts:
         - mountPath: /var/www/html/public
-          name: caesar-shared-static
+          name: caesar-static-files
         - mountPath: /var/www/html/var/jwt
           name: caesar-certificate  
       - name: nginx
         image: "nginx:alpine"
         imagePullPolicy: IfNotPresent
+        securityContext:
+          runAsUser: 0  
         ports:
         - name: http
           containerPort: 80
@@ -68,23 +70,26 @@ spec:
           name: nginx-config-volume
           subPath: nginx.conf
         - mountPath: /var/www/html/public
-          name: caesar-shared-static
+          name: caesar-static-files
       initContainers:
       - name: copy-public
         image: "caesarteam/caesar-server:${CICD_GIT_BRANCH}"
         imagePullPolicy: IfNotPresent
         command: [ "/bin/cp", "-r", "public/.", "public_site/" ]
         volumeMounts:
         - mountPath: /var/www/html/public_site
-          name: caesar-shared-static
+          name: caesar-static-files
+      securityContext:
+        runAsUser: 82
+        runAsGroup: 82
+        fsGroup: 82
       volumes:
       - name: caesar-certificate
         persistentVolumeClaim:
           claimName: caesar-certificate
-      - name: caesar-shared-static
-        emptyDir:
-          medium: Memory
-          sizeLimit: "1Gi"
+      - name: caesar-static-files
+        persistentVolumeClaim:
+          claimName: caesar-static-files
       - configMap:
           defaultMode: 256
           name: nginx-config