Compare commits
11 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
665eea7393 | ||
|
|
4d8cbfb2a7 | ||
|
|
a248228b68 | ||
|
|
fc3e44b66e | ||
|
|
a1db318adc | ||
|
|
d8c1121766 | ||
|
|
abc1702097 | ||
|
|
6b2ba15f7f | ||
|
|
0c59fdf676 | ||
|
|
5ad75932d8 | ||
|
|
13ff6ced57 |
@ -10,7 +10,6 @@ import org.springframework.web.bind.annotation.GetMapping;
|
||||
import org.springframework.web.bind.annotation.PathVariable;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
import org.springframework.web.bind.annotation.RequestBody;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.bind.annotation.ResponseBody;
|
||||
import org.springframework.web.bind.annotation.ResponseStatus;
|
||||
@ -61,7 +60,7 @@ public interface UserResource {
|
||||
@ResponseBody
|
||||
@ResponseStatus(value = HttpStatus.OK)
|
||||
@Operation(summary = "Update a user profile", description = "None")
|
||||
@ApiResponses(value = {@ApiResponse(responseCode = "204", description = "OK"), @ApiResponse(responseCode = "400", description = "Failed to update profile, e-mail invalid")})
|
||||
@ApiResponses(value = {@ApiResponse(responseCode = "204", description = "OK"), @ApiResponse(responseCode = "400", description = "Failed to update profile, e-mail invalid"), @ApiResponse(responseCode = "404", description = "The userId cannot be found.")})
|
||||
@PostMapping(value = UPDATE_USER_PROFILE_PATH + USER_ID_PATH_VARIABLE, consumes = MediaType.APPLICATION_JSON_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
|
||||
User updateProfile(@PathVariable(USER_ID) String userId, @RequestBody UpdateProfileRequest updateProfileRequest);
|
||||
|
||||
@ -99,7 +98,7 @@ public interface UserResource {
|
||||
|
||||
@ResponseBody
|
||||
@Operation(summary = "Gets the user in realm including role info", description = "None")
|
||||
@ApiResponses(value = {@ApiResponse(responseCode = "200", description = "OK"), @ApiResponse(responseCode = "404", description = "The " + "userId cannot be found."), @ApiResponse(responseCode = "400", description = "The provided user id is empty or " + "null.")})
|
||||
@ApiResponses(value = {@ApiResponse(responseCode = "200", description = "OK"), @ApiResponse(responseCode = "404", description = "The userId cannot be found."), @ApiResponse(responseCode = "400", description = "The provided user id is empty or null.")})
|
||||
@GetMapping(value = USER_REST_PATH + USER_ID_PATH_VARIABLE, produces = MediaType.APPLICATION_JSON_VALUE)
|
||||
User getUserById(@PathVariable(USER_ID) String userId);
|
||||
|
||||
@ -120,8 +119,7 @@ public interface UserResource {
|
||||
|
||||
@ResponseBody
|
||||
@Operation(summary = "Activate/deactivate a user profile", description = "None")
|
||||
@ApiResponses(value = {@ApiResponse(responseCode = "200", description = "OK"), @ApiResponse(responseCode = "400", description = "Failed to activate/deactivate profile"),
|
||||
@ApiResponse(responseCode = "403", description = "Cannot activate/deactivate users with higher rank roles")})
|
||||
@ApiResponses(value = {@ApiResponse(responseCode = "200", description = "OK"), @ApiResponse(responseCode = "400", description = "Failed to activate/deactivate profile"), @ApiResponse(responseCode = "403", description = "Cannot activate/deactivate users with higher rank roles"), @ApiResponse(responseCode = "404", description = "The userId cannot be found.")})
|
||||
@PostMapping(value = ACTIVATE_USER_PROFILE_PATH + USER_ID_PATH_VARIABLE, produces = MediaType.APPLICATION_JSON_VALUE)
|
||||
User activateProfile(@PathVariable(USER_ID) String userId, @RequestParam(IS_ACTIVE_PARAM) boolean isActive);
|
||||
|
||||
|
||||
@ -57,7 +57,7 @@ public class SMTPConfigurationController implements SMTPConfigurationResource, P
|
||||
var propertiesMap = convertSMTPConfigurationModelToMap(smtpConfigurationModel);
|
||||
realmRepresentation.setSmtpServer(propertiesMap);
|
||||
|
||||
if (!smtpConfigurationModel.getPassword().matches("\\**")) {
|
||||
if (smtpConfigurationModel.getPassword() != null && !smtpConfigurationModel.getPassword().matches("\\**")) {
|
||||
realmRepresentation.getAttributesOrEmpty().put(SMTP_PASSWORD_KEY, encryptionDecryptionService.encrypt(smtpConfigurationModel.getPassword()));
|
||||
}
|
||||
|
||||
|
||||
@ -1,5 +1,6 @@
|
||||
package com.knecon.fforesight.tenantusermanagement.controller.external;
|
||||
|
||||
import static com.knecon.fforesight.tenantusermanagement.permissions.ApplicationRoles.KNECON_ROLE_FILTER;
|
||||
import static com.knecon.fforesight.tenantusermanagement.permissions.UserManagementPermissions.READ_ALL_USERS;
|
||||
import static com.knecon.fforesight.tenantusermanagement.permissions.UserManagementPermissions.READ_USERS;
|
||||
import static com.knecon.fforesight.tenantusermanagement.permissions.UserManagementPermissions.UPDATE_MY_PROFILE;
|
||||
@ -39,19 +40,6 @@ import lombok.extern.slf4j.Slf4j;
|
||||
@RequiredArgsConstructor
|
||||
public class UserController implements UserResource, PublicResource {
|
||||
|
||||
public static final Predicate<User> KNECON_ROLE_FILTER = user -> {
|
||||
Set<String> filteredRoles = user.getRoles()
|
||||
.stream()
|
||||
.filter(ApplicationRoles::isNoKneconRole)
|
||||
.collect(Collectors.toSet());
|
||||
|
||||
if (!user.getRoles().isEmpty() && filteredRoles.isEmpty()) {
|
||||
return false;
|
||||
}
|
||||
|
||||
user.setRoles(filteredRoles);
|
||||
return true;
|
||||
};
|
||||
|
||||
private final UserService userService;
|
||||
private final TenantUserManagementProperties tenantUserManagementProperties;
|
||||
|
||||
@ -1,6 +1,10 @@
|
||||
package com.knecon.fforesight.tenantusermanagement.permissions;
|
||||
|
||||
import java.util.Set;
|
||||
import java.util.function.Predicate;
|
||||
import java.util.stream.Collectors;
|
||||
|
||||
import com.knecon.fforesight.tenantusermanagement.model.User;
|
||||
|
||||
public final class ApplicationRoles {
|
||||
|
||||
@ -15,6 +19,21 @@ public final class ApplicationRoles {
|
||||
public static final Set<String> RED_ROLES = Set.of(RED_USER_ROLE, RED_MANAGER_ROLE, RED_ADMIN_ROLE, RED_USER_ADMIN_ROLE);
|
||||
|
||||
|
||||
public static final Predicate<User> KNECON_ROLE_FILTER = user -> {
|
||||
Set<String> filteredRoles = user.getRoles()
|
||||
.stream()
|
||||
.filter(ApplicationRoles::isNoKneconRole)
|
||||
.collect(Collectors.toSet());
|
||||
|
||||
if (!user.getRoles().isEmpty() && filteredRoles.isEmpty()) {
|
||||
return false;
|
||||
}
|
||||
|
||||
user.setRoles(filteredRoles);
|
||||
return true;
|
||||
};
|
||||
|
||||
|
||||
public static boolean isNoKneconRole(String role) {
|
||||
|
||||
return !KNECON_ROLES.contains(role);
|
||||
|
||||
@ -0,0 +1,120 @@
|
||||
package com.knecon.fforesight.tenantusermanagement.service;
|
||||
|
||||
import org.bson.BsonArray;
|
||||
import org.bson.BsonDocument;
|
||||
import org.bson.BsonString;
|
||||
import org.springframework.beans.factory.annotation.Value;
|
||||
import org.springframework.stereotype.Service;
|
||||
import org.springframework.transaction.annotation.Transactional;
|
||||
|
||||
import com.knecon.fforesight.tenantcommons.EncryptionDecryptionService;
|
||||
import com.knecon.fforesight.tenantcommons.model.MongoDBConnection;
|
||||
import com.knecon.fforesight.tenantcommons.utils.MongoConnectionStringHelper;
|
||||
import com.knecon.fforesight.tenantusermanagement.entity.MongoDBConnectionEntity;
|
||||
import com.knecon.fforesight.tenantusermanagement.entity.TenantEntity;
|
||||
import com.knecon.fforesight.tenantusermanagement.properties.TenantUserManagementProperties;
|
||||
import com.knecon.fforesight.tenantusermanagement.repository.TenantRepository;
|
||||
import com.mongodb.MongoCommandException;
|
||||
import com.mongodb.client.MongoClient;
|
||||
import com.mongodb.client.MongoClients;
|
||||
import com.mongodb.client.MongoDatabase;
|
||||
|
||||
import lombok.RequiredArgsConstructor;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
|
||||
// This is just for migration from 4.0 to 4.1 and can be removed afterward.
|
||||
|
||||
@Service
|
||||
@RequiredArgsConstructor
|
||||
public class MongoDbOntheFlyMigrationService {
|
||||
|
||||
private final EncryptionDecryptionService encryptionService;
|
||||
private final TenantUserManagementProperties tenantUserManagementProperties;
|
||||
private final TenantRepository tenantRepository;
|
||||
|
||||
@Value("${default.mongodb.username:}")
|
||||
private String defaultMongoDBUsername;
|
||||
|
||||
@Value("${default.mongodb.password:}")
|
||||
private String defaultMongoDBPassword;
|
||||
|
||||
@Value("${default.mongodb.address:}")
|
||||
private String defaultMongoDBAddress;
|
||||
|
||||
@Value("${default.mongodb.prefix:}")
|
||||
private String defaultMongoDBPrefix;
|
||||
|
||||
@Value("${default.mongodb.options:}")
|
||||
private String defaultMongoDBOptions;
|
||||
|
||||
|
||||
@Transactional
|
||||
public TenantEntity updateMongoDatabaseConnection(TenantEntity tenantEntity) {
|
||||
|
||||
if ((tenantEntity.getMongoDBConnection() == null || tenantEntity.getMongoDBConnection().getUsername() == null) && defaultMongoDBUsername != null && !defaultMongoDBUsername.isEmpty()) {
|
||||
tenantEntity.setMongoDBConnection(MongoDBConnectionEntity.builder()
|
||||
.prefix(defaultMongoDBPrefix)
|
||||
.username(defaultMongoDBUsername)
|
||||
.password(encryptionService.encrypt(defaultMongoDBPassword))
|
||||
.address(defaultMongoDBAddress)
|
||||
.database(buildIndexPrefix(tenantEntity.getTenantId()))
|
||||
.options(defaultMongoDBOptions)
|
||||
.build());
|
||||
tenantRepository.save(tenantEntity);
|
||||
createMongoDBDatabase(convert(tenantEntity.getMongoDBConnection()));
|
||||
}
|
||||
|
||||
return tenantEntity;
|
||||
}
|
||||
|
||||
|
||||
private String buildIndexPrefix(String tenantId) {
|
||||
|
||||
return tenantUserManagementProperties.getAppPrefix() + "_" + tenantId;
|
||||
}
|
||||
|
||||
|
||||
private MongoDBConnection convert(MongoDBConnectionEntity mongoDBConnectionEntity) {
|
||||
|
||||
return MongoDBConnection.builder()
|
||||
.prefix(mongoDBConnectionEntity.getPrefix())
|
||||
.username(mongoDBConnectionEntity.getUsername())
|
||||
.password(mongoDBConnectionEntity.getPassword())
|
||||
.address(mongoDBConnectionEntity.getAddress())
|
||||
.database(mongoDBConnectionEntity.getDatabase())
|
||||
.options(mongoDBConnectionEntity.getOptions())
|
||||
.build();
|
||||
}
|
||||
|
||||
|
||||
private void createMongoDBDatabase(MongoDBConnection mongoDBConnection) {
|
||||
|
||||
mongoDBConnection.setPassword(encryptionService.decrypt(mongoDBConnection.getPassword()));
|
||||
|
||||
try (MongoClient mongoClient = MongoClients.create(MongoConnectionStringHelper.buildGenericMongoConnectionString(mongoDBConnection))) {
|
||||
String databaseName = mongoDBConnection.getDatabase();
|
||||
String username = mongoDBConnection.getUsername();
|
||||
|
||||
MongoDatabase database = mongoClient.getDatabase(databaseName);
|
||||
BsonDocument createUserCommand = new BsonDocument();
|
||||
createUserCommand.append("createUser", new BsonString(username));
|
||||
createUserCommand.append("pwd", new BsonString(mongoDBConnection.getPassword()));
|
||||
BsonArray roles = new BsonArray();
|
||||
roles.add(new BsonDocument("role", new BsonString("dbOwner")).append("db", new BsonString(databaseName)));
|
||||
createUserCommand.append("roles", roles);
|
||||
|
||||
try {
|
||||
database.runCommand(createUserCommand);
|
||||
} catch (MongoCommandException mongoCommandException) {
|
||||
// ignore user already exists (51003) because of possibly already created users being present
|
||||
// and command not supported (115) because of azure deployment having a different user management
|
||||
if (mongoCommandException.getErrorCode() != 51003 && mongoCommandException.getErrorCode() != 115) {
|
||||
throw mongoCommandException;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
@ -104,6 +104,7 @@ public class TenantManagementService implements TenantProvider {
|
||||
private final RealmService realmService;
|
||||
private final RabbitTemplate rabbitTemplate;
|
||||
private final StorageConfiguration storageConfiguration;
|
||||
private final MongoDbOntheFlyMigrationService mongoDbOntheFlyMigrationService;
|
||||
|
||||
@Value("${fforesight.tenant-exchange.name}")
|
||||
private String tenantExchangeName;
|
||||
@ -116,11 +117,7 @@ public class TenantManagementService implements TenantProvider {
|
||||
updateMasterTheme(tenantUserManagementProperties.getLoginTheme());
|
||||
updateMasterDisplayName(tenantUserManagementProperties.getApplicationName());
|
||||
|
||||
log.info("Tenants are: {}",
|
||||
tenantRepository.findAll()
|
||||
.stream()
|
||||
.map(TenantEntity::getTenantId)
|
||||
.toList());
|
||||
log.info("Tenants are: {}", tenantRepository.findAll().stream().map(TenantEntity::getTenantId).toList());
|
||||
log.info("Requested to create tenant for: {}", tenantRequest.getTenantId());
|
||||
|
||||
try {
|
||||
@ -137,34 +134,34 @@ public class TenantManagementService implements TenantProvider {
|
||||
.displayName(tenantRequest.getDisplayName())
|
||||
.guid(UUID.randomUUID().toString())
|
||||
.databaseConnection(DatabaseConnectionEntity.builder()
|
||||
.driver(databaseConnection.getDriver())
|
||||
.host(databaseConnection.getHost())
|
||||
.port(databaseConnection.getPort())
|
||||
.database(databaseConnection.getDatabase())
|
||||
.schema(databaseConnection.getSchema())
|
||||
.username(databaseConnection.getUsername())
|
||||
.password(encryptionService.encrypt(databaseConnection.getPassword()))
|
||||
.build())
|
||||
.driver(databaseConnection.getDriver())
|
||||
.host(databaseConnection.getHost())
|
||||
.port(databaseConnection.getPort())
|
||||
.database(databaseConnection.getDatabase())
|
||||
.schema(databaseConnection.getSchema())
|
||||
.username(databaseConnection.getUsername())
|
||||
.password(encryptionService.encrypt(databaseConnection.getPassword()))
|
||||
.build())
|
||||
.searchConnection(SearchConnectionEntity.builder()
|
||||
.hosts(searchConnection.getHosts())
|
||||
.port(searchConnection.getPort())
|
||||
.scheme(searchConnection.getScheme())
|
||||
.username(searchConnection.getUsername())
|
||||
.password(encryptionService.encrypt(searchConnection.getPassword()))
|
||||
.numberOfShards(searchConnection.getNumberOfShards())
|
||||
.numberOfReplicas(searchConnection.getNumberOfReplicas())
|
||||
.indexPrefix(buildIndexPrefix(tenantRequest.getTenantId()))
|
||||
.build());
|
||||
.hosts(searchConnection.getHosts())
|
||||
.port(searchConnection.getPort())
|
||||
.scheme(searchConnection.getScheme())
|
||||
.username(searchConnection.getUsername())
|
||||
.password(encryptionService.encrypt(searchConnection.getPassword()))
|
||||
.numberOfShards(searchConnection.getNumberOfShards())
|
||||
.numberOfReplicas(searchConnection.getNumberOfReplicas())
|
||||
.indexPrefix(buildIndexPrefix(tenantRequest.getTenantId()))
|
||||
.build());
|
||||
MongoDBConnection mongoDBConnection = tenantRequest.getMongoDBConnection();
|
||||
if (mongoDBConnection != null) {
|
||||
tenantEntityBuilder.mongoDBConnection(MongoDBConnectionEntity.builder()
|
||||
.prefix(mongoDBConnection.getPrefix())
|
||||
.username(mongoDBConnection.getUsername())
|
||||
.password(encryptionService.encrypt(mongoDBConnection.getPassword()))
|
||||
.address(mongoDBConnection.getAddress())
|
||||
.database(mongoDBConnection.getDatabase())
|
||||
.options(mongoDBConnection.getOptions())
|
||||
.build());
|
||||
.prefix(mongoDBConnection.getPrefix())
|
||||
.username(mongoDBConnection.getUsername())
|
||||
.password(encryptionService.encrypt(mongoDBConnection.getPassword()))
|
||||
.address(mongoDBConnection.getAddress())
|
||||
.database(mongoDBConnection.getDatabase())
|
||||
.options(mongoDBConnection.getOptions())
|
||||
.build());
|
||||
}
|
||||
TenantEntity tenantEntity = tenantEntityBuilder.build();
|
||||
|
||||
@ -173,9 +170,9 @@ public class TenantManagementService implements TenantProvider {
|
||||
testAzureConnection(azureStorageConnection.getConnectionString(), azureStorageConnection.getContainerName());
|
||||
|
||||
tenantEntity.setAzureStorageConnection(AzureStorageConnectionEntity.builder()
|
||||
.connectionString(encryptionService.encrypt(azureStorageConnection.getConnectionString()))
|
||||
.containerName(azureStorageConnection.getContainerName())
|
||||
.build());
|
||||
.connectionString(encryptionService.encrypt(azureStorageConnection.getConnectionString()))
|
||||
.containerName(azureStorageConnection.getContainerName())
|
||||
.build());
|
||||
}
|
||||
|
||||
S3StorageConnection s3StorageConnection = tenantRequest.getS3StorageConnection();
|
||||
@ -183,13 +180,13 @@ public class TenantManagementService implements TenantProvider {
|
||||
testS3Connection(s3StorageConnection);
|
||||
|
||||
tenantEntity.setS3StorageConnection(S3StorageConnectionEntity.builder()
|
||||
.key(s3StorageConnection.getKey())
|
||||
.secret(encryptionService.encrypt(s3StorageConnection.getSecret()))
|
||||
.signerType(s3StorageConnection.getSignerType())
|
||||
.bucketName(s3StorageConnection.getBucketName())
|
||||
.region(s3StorageConnection.getRegion())
|
||||
.endpoint(s3StorageConnection.getEndpoint())
|
||||
.build());
|
||||
.key(s3StorageConnection.getKey())
|
||||
.secret(encryptionService.encrypt(s3StorageConnection.getSecret()))
|
||||
.signerType(s3StorageConnection.getSignerType())
|
||||
.bucketName(s3StorageConnection.getBucketName())
|
||||
.region(s3StorageConnection.getRegion())
|
||||
.endpoint(s3StorageConnection.getEndpoint())
|
||||
.build());
|
||||
}
|
||||
|
||||
createSchema(tenantRequest);
|
||||
@ -265,17 +262,17 @@ public class TenantManagementService implements TenantProvider {
|
||||
var s3StorageConnectionTemplate = tenant.getS3StorageConnection();
|
||||
com.iqser.red.storage.commons.model.S3StorageConnection s3StorageConnection;
|
||||
s3StorageConnection = new com.iqser.red.storage.commons.model.S3StorageConnection(s3StorageConnectionTemplate.getKey(),
|
||||
encryptionService.decrypt(s3StorageConnectionTemplate.getSecret()),
|
||||
s3StorageConnectionTemplate.getSignerType(),
|
||||
s3StorageConnectionTemplate.getBucketName(),
|
||||
s3StorageConnectionTemplate.getRegion(),
|
||||
s3StorageConnectionTemplate.getEndpoint());
|
||||
encryptionService.decrypt(s3StorageConnectionTemplate.getSecret()),
|
||||
s3StorageConnectionTemplate.getSignerType(),
|
||||
s3StorageConnectionTemplate.getBucketName(),
|
||||
s3StorageConnectionTemplate.getRegion(),
|
||||
s3StorageConnectionTemplate.getEndpoint());
|
||||
log.info("Deleting s3 bucket for tenant: {}", tenantId);
|
||||
try (var client = storageConfiguration.getS3StorageService().initAmazonS3(s3StorageConnection)) {
|
||||
String bucketName = s3StorageConnection.getBucketName();
|
||||
ListObjectsRequest listObjects = ListObjectsRequest.builder().bucket(bucketName).build();
|
||||
try {
|
||||
ListObjectsResponse objectList = client.listObjects(listObjects);
|
||||
ListObjectsResponse objectList = client.listObjects(listObjects);
|
||||
for (S3Object object : objectList.contents()) {
|
||||
// Delete each object
|
||||
client.deleteObject(DeleteObjectRequest.builder().bucket(bucketName).key(object.key()).build());
|
||||
@ -353,8 +350,8 @@ public class TenantManagementService implements TenantProvider {
|
||||
|
||||
var jdbcUrl = JDBCUtils.buildJdbcUrl(tenantRequest.getDatabaseConnection());
|
||||
try (Connection connection = DriverManager.getConnection(jdbcUrl,
|
||||
tenantRequest.getDatabaseConnection().getUsername(),
|
||||
tenantRequest.getDatabaseConnection().getPassword())) {
|
||||
tenantRequest.getDatabaseConnection().getUsername(),
|
||||
tenantRequest.getDatabaseConnection().getPassword())) {
|
||||
DataSource tenantDataSource = new SingleConnectionDataSource(connection, false);
|
||||
JdbcTemplate jdbcTemplate = new JdbcTemplate(tenantDataSource);
|
||||
String createStatement = "CREATE SCHEMA IF NOT EXISTS \"" + tenantRequest.getDatabaseConnection().getSchema() + "\"";
|
||||
@ -374,8 +371,8 @@ public class TenantManagementService implements TenantProvider {
|
||||
log.info("Deleting schema for tenant: {}", tenant.getTenantId());
|
||||
var jdbcUrl = JDBCUtils.buildJdbcUrl(tenant.getDatabaseConnection());
|
||||
try (Connection connection = DriverManager.getConnection(jdbcUrl,
|
||||
tenant.getDatabaseConnection().getUsername(),
|
||||
this.encryptionService.decrypt(tenant.getDatabaseConnection().getPassword()))) {
|
||||
tenant.getDatabaseConnection().getUsername(),
|
||||
this.encryptionService.decrypt(tenant.getDatabaseConnection().getPassword()))) {
|
||||
DataSource tenantDataSource = new SingleConnectionDataSource(connection, false);
|
||||
JdbcTemplate jdbcTemplate = new JdbcTemplate(tenantDataSource);
|
||||
String deleteStatement = "DROP SCHEMA IF EXISTS \"" + tenant.getDatabaseConnection().getSchema() + "\" CASCADE;";
|
||||
@ -446,9 +443,7 @@ public class TenantManagementService implements TenantProvider {
|
||||
realm.setRoles(getRealmRoles());
|
||||
|
||||
if (users != null) {
|
||||
realm.setUsers(users.stream()
|
||||
.map(this::toUserRepresentation)
|
||||
.toList());
|
||||
realm.setUsers(users.stream().map(this::toUserRepresentation).toList());
|
||||
}
|
||||
|
||||
keycloak.getAdminClient().realms().create(realm);
|
||||
@ -480,15 +475,12 @@ public class TenantManagementService implements TenantProvider {
|
||||
existingRealm.setAccessTokenLifespan(tenantUserManagementProperties.getAccessTokenLifeSpan());
|
||||
existingRealm.setSsoSessionIdleTimeout(tenantUserManagementProperties.getSsoSessionIdleTimeout());
|
||||
var clients = getRealmClients();
|
||||
var relevantClientNames = clients.stream()
|
||||
.map(c -> c.getClientId().toLowerCase(Locale.getDefault()))
|
||||
.collect(Collectors.toSet());
|
||||
var relevantClientNames = clients.stream().map(c -> c.getClientId().toLowerCase(Locale.getDefault())).collect(Collectors.toSet());
|
||||
var existingClients = keycloak.getAdminClient().realm(tenantId).clients().findAll();
|
||||
existingClients.forEach(ec -> {
|
||||
if (relevantClientNames.contains(ec.getClientId().toLowerCase(Locale.getDefault()))) {
|
||||
log.info("Removing client: {}", ec.getName());
|
||||
keycloak.getAdminClient().realm(tenantId).clients()
|
||||
.get(ec.getId()).remove();
|
||||
keycloak.getAdminClient().realm(tenantId).clients().get(ec.getId()).remove();
|
||||
}
|
||||
});
|
||||
|
||||
@ -598,9 +590,7 @@ public class TenantManagementService implements TenantProvider {
|
||||
private boolean tryToAccessRealm(String tenantId) {
|
||||
|
||||
try {
|
||||
return keycloak.getAdminClient().realms().findAll()
|
||||
.stream()
|
||||
.anyMatch(r -> r.getRealm().equals(tenantId));
|
||||
return keycloak.getAdminClient().realms().findAll().stream().anyMatch(r -> r.getRealm().equals(tenantId));
|
||||
} catch (Exception e) {
|
||||
return false;
|
||||
}
|
||||
@ -656,9 +646,9 @@ public class TenantManagementService implements TenantProvider {
|
||||
|
||||
public TenantResponse getTenant(String tenantId) {
|
||||
|
||||
return tenantRepository.findById(tenantId)
|
||||
.map(this::convert)
|
||||
.orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND, "Tenant does not exist"));
|
||||
var tenantEntity = tenantRepository.findById(tenantId).orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND, "Tenant does not exist"));
|
||||
|
||||
return convert(mongoDbOntheFlyMigrationService.updateMongoDatabaseConnection(tenantEntity));
|
||||
}
|
||||
|
||||
|
||||
@ -677,29 +667,29 @@ public class TenantManagementService implements TenantProvider {
|
||||
var databaseConnection = tenantRequest.getDatabaseConnection();
|
||||
if (databaseConnection != null) {
|
||||
tenantEntity.setDatabaseConnection(DatabaseConnectionEntity.builder()
|
||||
.driver(databaseConnection.getDriver())
|
||||
.host(databaseConnection.getHost())
|
||||
.port(databaseConnection.getPort())
|
||||
.database(databaseConnection.getDatabase())
|
||||
.schema(databaseConnection.getSchema())
|
||||
.username(databaseConnection.getUsername())
|
||||
.password(encryptionService.encrypt(databaseConnection.getPassword()))
|
||||
.params(databaseConnection.getParams())
|
||||
.build());
|
||||
.driver(databaseConnection.getDriver())
|
||||
.host(databaseConnection.getHost())
|
||||
.port(databaseConnection.getPort())
|
||||
.database(databaseConnection.getDatabase())
|
||||
.schema(databaseConnection.getSchema())
|
||||
.username(databaseConnection.getUsername())
|
||||
.password(encryptionService.encrypt(databaseConnection.getPassword()))
|
||||
.params(databaseConnection.getParams())
|
||||
.build());
|
||||
}
|
||||
|
||||
var searchConnection = tenantRequest.getSearchConnection();
|
||||
if (searchConnection != null) {
|
||||
tenantEntity.setSearchConnection(SearchConnectionEntity.builder()
|
||||
.hosts(searchConnection.getHosts())
|
||||
.port(searchConnection.getPort())
|
||||
.scheme(searchConnection.getScheme())
|
||||
.username(searchConnection.getUsername())
|
||||
.password(encryptionService.encrypt(searchConnection.getPassword()))
|
||||
.numberOfShards(searchConnection.getNumberOfShards())
|
||||
.numberOfReplicas(searchConnection.getNumberOfReplicas())
|
||||
.indexPrefix(tenantEntity.getSearchConnection().getIndexPrefix())
|
||||
.build());
|
||||
.hosts(searchConnection.getHosts())
|
||||
.port(searchConnection.getPort())
|
||||
.scheme(searchConnection.getScheme())
|
||||
.username(searchConnection.getUsername())
|
||||
.password(encryptionService.encrypt(searchConnection.getPassword()))
|
||||
.numberOfShards(searchConnection.getNumberOfShards())
|
||||
.numberOfReplicas(searchConnection.getNumberOfReplicas())
|
||||
.indexPrefix(tenantEntity.getSearchConnection().getIndexPrefix())
|
||||
.build());
|
||||
}
|
||||
|
||||
var azureStorageConnection = tenantRequest.getAzureStorageConnection();
|
||||
@ -709,9 +699,9 @@ public class TenantManagementService implements TenantProvider {
|
||||
}
|
||||
testAzureConnection(azureStorageConnection.getConnectionString(), azureStorageConnection.getContainerName());
|
||||
tenantEntity.setAzureStorageConnection(AzureStorageConnectionEntity.builder()
|
||||
.connectionString(encryptionService.encrypt(azureStorageConnection.getConnectionString()))
|
||||
.containerName(azureStorageConnection.getContainerName())
|
||||
.build());
|
||||
.connectionString(encryptionService.encrypt(azureStorageConnection.getConnectionString()))
|
||||
.containerName(azureStorageConnection.getContainerName())
|
||||
.build());
|
||||
} else {
|
||||
tenantEntity.setAzureStorageConnection(null);
|
||||
}
|
||||
@ -723,13 +713,13 @@ public class TenantManagementService implements TenantProvider {
|
||||
}
|
||||
testS3Connection(s3StorageConnection);
|
||||
tenantEntity.setS3StorageConnection(S3StorageConnectionEntity.builder()
|
||||
.key(s3StorageConnection.getKey())
|
||||
.secret(encryptionService.encrypt(s3StorageConnection.getSecret()))
|
||||
.signerType(s3StorageConnection.getSignerType())
|
||||
.bucketName(s3StorageConnection.getBucketName())
|
||||
.region(s3StorageConnection.getRegion())
|
||||
.endpoint(s3StorageConnection.getEndpoint())
|
||||
.build());
|
||||
.key(s3StorageConnection.getKey())
|
||||
.secret(encryptionService.encrypt(s3StorageConnection.getSecret()))
|
||||
.signerType(s3StorageConnection.getSignerType())
|
||||
.bucketName(s3StorageConnection.getBucketName())
|
||||
.region(s3StorageConnection.getRegion())
|
||||
.endpoint(s3StorageConnection.getEndpoint())
|
||||
.build());
|
||||
} else {
|
||||
tenantEntity.setS3StorageConnection(null);
|
||||
}
|
||||
@ -737,13 +727,13 @@ public class TenantManagementService implements TenantProvider {
|
||||
var mongoDBConnection = tenantRequest.getMongoDBConnection();
|
||||
if (mongoDBConnection != null) {
|
||||
tenantEntity.setMongoDBConnection(MongoDBConnectionEntity.builder()
|
||||
.prefix(mongoDBConnection.getPrefix())
|
||||
.username(mongoDBConnection.getUsername())
|
||||
.password(encryptionService.encrypt(mongoDBConnection.getPassword()))
|
||||
.address(mongoDBConnection.getAddress())
|
||||
.database(mongoDBConnection.getDatabase())
|
||||
.options(mongoDBConnection.getOptions())
|
||||
.build());
|
||||
.prefix(mongoDBConnection.getPrefix())
|
||||
.username(mongoDBConnection.getUsername())
|
||||
.password(encryptionService.encrypt(mongoDBConnection.getPassword()))
|
||||
.address(mongoDBConnection.getAddress())
|
||||
.database(mongoDBConnection.getDatabase())
|
||||
.options(mongoDBConnection.getOptions())
|
||||
.build());
|
||||
}
|
||||
|
||||
return convert(tenantRepository.save(tenantEntity));
|
||||
@ -755,10 +745,7 @@ public class TenantManagementService implements TenantProvider {
|
||||
|
||||
public List<TenantResponse> getTenants() {
|
||||
|
||||
return tenantRepository.findAll()
|
||||
.stream()
|
||||
.map(this::convert)
|
||||
.toList();
|
||||
return tenantRepository.findAll().stream().map(mongoDbOntheFlyMigrationService::updateMongoDatabaseConnection).map(this::convert).toList();
|
||||
}
|
||||
|
||||
|
||||
@ -802,53 +789,53 @@ public class TenantManagementService implements TenantProvider {
|
||||
.authDetails(authDetails)
|
||||
.details(entity.getDetails())
|
||||
.databaseConnection(DatabaseConnection.builder()
|
||||
.driver(entity.getDatabaseConnection().getDriver())
|
||||
.host(entity.getDatabaseConnection().getHost())
|
||||
.port(entity.getDatabaseConnection().getPort())
|
||||
.database(entity.getDatabaseConnection().getDatabase())
|
||||
.schema(entity.getDatabaseConnection().getSchema())
|
||||
.username(entity.getDatabaseConnection().getUsername())
|
||||
.params(entity.getDatabaseConnection().getParams())
|
||||
.password(entity.getDatabaseConnection().getPassword())
|
||||
.build())
|
||||
.driver(entity.getDatabaseConnection().getDriver())
|
||||
.host(entity.getDatabaseConnection().getHost())
|
||||
.port(entity.getDatabaseConnection().getPort())
|
||||
.database(entity.getDatabaseConnection().getDatabase())
|
||||
.schema(entity.getDatabaseConnection().getSchema())
|
||||
.username(entity.getDatabaseConnection().getUsername())
|
||||
.params(entity.getDatabaseConnection().getParams())
|
||||
.password(entity.getDatabaseConnection().getPassword())
|
||||
.build())
|
||||
.searchConnection(SearchConnection.builder()
|
||||
.hosts(entity.getSearchConnection().getHosts())
|
||||
.port(entity.getSearchConnection().getPort())
|
||||
.scheme(entity.getSearchConnection().getScheme())
|
||||
.username(entity.getSearchConnection().getUsername())
|
||||
.numberOfShards(entity.getSearchConnection().getNumberOfShards())
|
||||
.numberOfReplicas(entity.getSearchConnection().getNumberOfReplicas())
|
||||
.password(entity.getSearchConnection().getPassword())
|
||||
.indexPrefix(entity.getSearchConnection().getIndexPrefix())
|
||||
.build());
|
||||
.hosts(entity.getSearchConnection().getHosts())
|
||||
.port(entity.getSearchConnection().getPort())
|
||||
.scheme(entity.getSearchConnection().getScheme())
|
||||
.username(entity.getSearchConnection().getUsername())
|
||||
.numberOfShards(entity.getSearchConnection().getNumberOfShards())
|
||||
.numberOfReplicas(entity.getSearchConnection().getNumberOfReplicas())
|
||||
.password(entity.getSearchConnection().getPassword())
|
||||
.indexPrefix(entity.getSearchConnection().getIndexPrefix())
|
||||
.build());
|
||||
|
||||
if (entity.getMongoDBConnection() != null) {
|
||||
tenantResponseBuilder.mongoDBConnection(MongoDBConnection.builder()
|
||||
.prefix(entity.getMongoDBConnection().getPrefix())
|
||||
.username(entity.getMongoDBConnection().getUsername())
|
||||
.password(entity.getMongoDBConnection().getPassword())
|
||||
.address(entity.getMongoDBConnection().getAddress())
|
||||
.database(entity.getMongoDBConnection().getDatabase())
|
||||
.options(entity.getMongoDBConnection().getOptions())
|
||||
.build());
|
||||
.prefix(entity.getMongoDBConnection().getPrefix())
|
||||
.username(entity.getMongoDBConnection().getUsername())
|
||||
.password(entity.getMongoDBConnection().getPassword())
|
||||
.address(entity.getMongoDBConnection().getAddress())
|
||||
.database(entity.getMongoDBConnection().getDatabase())
|
||||
.options(entity.getMongoDBConnection().getOptions())
|
||||
.build());
|
||||
}
|
||||
|
||||
if (entity.getAzureStorageConnection() != null) {
|
||||
tenantResponseBuilder.azureStorageConnection(AzureStorageConnection.builder()
|
||||
.connectionString(entity.getAzureStorageConnection().getConnectionString())
|
||||
.containerName(entity.getAzureStorageConnection().getContainerName())
|
||||
.build());
|
||||
.connectionString(entity.getAzureStorageConnection().getConnectionString())
|
||||
.containerName(entity.getAzureStorageConnection().getContainerName())
|
||||
.build());
|
||||
}
|
||||
|
||||
if (entity.getS3StorageConnection() != null) {
|
||||
tenantResponseBuilder.s3StorageConnection(S3StorageConnection.builder()
|
||||
.key(entity.getS3StorageConnection().getKey())
|
||||
.secret(entity.getS3StorageConnection().getSecret())
|
||||
.signerType(entity.getS3StorageConnection().getSignerType())
|
||||
.bucketName(entity.getS3StorageConnection().getBucketName())
|
||||
.region(entity.getS3StorageConnection().getRegion())
|
||||
.endpoint(entity.getS3StorageConnection().getEndpoint())
|
||||
.build());
|
||||
.key(entity.getS3StorageConnection().getKey())
|
||||
.secret(entity.getS3StorageConnection().getSecret())
|
||||
.signerType(entity.getS3StorageConnection().getSignerType())
|
||||
.bucketName(entity.getS3StorageConnection().getBucketName())
|
||||
.region(entity.getS3StorageConnection().getRegion())
|
||||
.endpoint(entity.getS3StorageConnection().getEndpoint())
|
||||
.build());
|
||||
}
|
||||
|
||||
return tenantResponseBuilder.build();
|
||||
@ -869,11 +856,11 @@ public class TenantManagementService implements TenantProvider {
|
||||
|
||||
var connection = storageConfiguration.getS3StorageService()
|
||||
.testConnection(s3StorageConnection.getKey(),
|
||||
s3StorageConnection.getSecret(),
|
||||
s3StorageConnection.getSignerType(),
|
||||
s3StorageConnection.getBucketName(),
|
||||
s3StorageConnection.getRegion(),
|
||||
s3StorageConnection.getEndpoint());
|
||||
s3StorageConnection.getSecret(),
|
||||
s3StorageConnection.getSignerType(),
|
||||
s3StorageConnection.getBucketName(),
|
||||
s3StorageConnection.getRegion(),
|
||||
s3StorageConnection.getEndpoint());
|
||||
|
||||
if (!connection) {
|
||||
throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "Could not connect to S3 storage");
|
||||
|
||||
@ -166,9 +166,9 @@ public class UserService {
|
||||
|
||||
var currentUserRoles = this.getUserRoles(KeycloakSecurity.getUserId());
|
||||
|
||||
if (!userId.equalsIgnoreCase(KeycloakSecurity.getUserId()) && roles.stream()
|
||||
.anyMatch(ApplicationRoles::isKneconRole) && currentUserRoles.stream()
|
||||
.noneMatch(ApplicationRoles::isKneconRole)) {
|
||||
Set<String> oldRoles = getRoles(userId);
|
||||
if (!userId.equalsIgnoreCase(KeycloakSecurity.getUserId()) && !oldRoles.isEmpty() && oldRoles.stream()
|
||||
.allMatch(ApplicationRoles::isKneconRole)) {
|
||||
throw new NotFoundException("User with id: " + userId + " does not exist");
|
||||
}
|
||||
|
||||
@ -182,19 +182,18 @@ public class UserService {
|
||||
var allRoles = tenantUserManagementProperties.getKcRoleMapping().getAllRoles();
|
||||
newRoles.forEach(role -> {
|
||||
|
||||
if (!allRoles.contains(role) || ApplicationRoles.isKneconRole(role) && currentUserRoles.stream()
|
||||
.noneMatch(ApplicationRoles::isKneconRole)) {
|
||||
if (!allRoles.contains(role) || ApplicationRoles.isKneconRole(role)) {
|
||||
throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "Invalid role: " + role);
|
||||
}
|
||||
});
|
||||
|
||||
var userResource = getUserResource(userId);
|
||||
var userRoles = userResource.roles().realmLevel().listEffective()
|
||||
var oldRoles = userResource.roles().realmLevel().listEffective()
|
||||
.stream()
|
||||
.map(RoleRepresentation::getName)
|
||||
.collect(Collectors.toSet());
|
||||
|
||||
validateSufficientRoles(userId, userRoles, newRoles, currentUserRoles);
|
||||
validateSufficientRoles(userId, oldRoles, newRoles, currentUserRoles);
|
||||
|
||||
var currentRolesAsRoleRepresentation = allRoles.stream()
|
||||
.map(this::getRoleRepresentation)
|
||||
@ -207,12 +206,33 @@ public class UserService {
|
||||
userResource.roles().realmLevel().add(newMappedRoles);
|
||||
|
||||
var userWithNewRoles = getUserByUsername(userResource.toRepresentation().getUsername());
|
||||
this.rabbitTemplate.convertAndSend(userExchangeName, "user.rolesUpdated", (new UserRolesUpdatedEvent(userWithNewRoles, userRoles, newRoles, KeycloakSecurity.getUserId())));
|
||||
this.rabbitTemplate.convertAndSend(userExchangeName, "user.rolesUpdated", (new UserRolesUpdatedEvent(userWithNewRoles, oldRoles, newRoles, KeycloakSecurity.getUserId())));
|
||||
|
||||
return userWithNewRoles;
|
||||
}
|
||||
|
||||
|
||||
@CacheEvict(value = "${commons.keycloak.userCache}", allEntries = true, beforeInvocation = true)
|
||||
public void removeRolesForDeletion(String userId, Set<String> roles) {
|
||||
|
||||
var allRoles = tenantUserManagementProperties.getKcRoleMapping().getAllRoles();
|
||||
roles.forEach(role -> {
|
||||
|
||||
if (!allRoles.contains(role)) {
|
||||
throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "Invalid role: " + role);
|
||||
}
|
||||
});
|
||||
|
||||
var userResource = getUserResource(userId);
|
||||
|
||||
var currentRolesAsRoleRepresentation = roles.stream()
|
||||
.map(this::getRoleRepresentation)
|
||||
.collect(Collectors.toList());
|
||||
|
||||
userResource.roles().realmLevel().remove(currentRolesAsRoleRepresentation);
|
||||
}
|
||||
|
||||
|
||||
@CacheEvict(value = "${commons.keycloak.userCache}", allEntries = true, beforeInvocation = true)
|
||||
public void validateSufficientRoles(String userId, Set<String> userRoles, Set<String> newRoles, Set<String> currentUserRoles) {
|
||||
|
||||
@ -231,7 +251,7 @@ public class UserService {
|
||||
var untouchableRoles = userRoles.stream()
|
||||
.filter(roleMapping::isValidRole)
|
||||
.map(roleMapping::getRole)
|
||||
.filter(r -> r.getRank() > maxRank)
|
||||
.filter(r -> r.getRank() > maxRank || ApplicationRoles.isKneconRole(r.getName()))
|
||||
.map(KCRole::getName)
|
||||
.collect(Collectors.toSet());
|
||||
|
||||
@ -288,6 +308,10 @@ public class UserService {
|
||||
}
|
||||
|
||||
var updatedProfile = getUserByUsername(userRepresentation.getUsername());
|
||||
updatedProfile.setRoles(updatedProfile.getRoles()
|
||||
.stream()
|
||||
.filter(ApplicationRoles::isNoKneconRole)
|
||||
.collect(Collectors.toSet()));
|
||||
|
||||
this.rabbitTemplate.convertAndSend(userExchangeName, "user.ownProfileUpdated", (new UserUpdatedOwnProfileEvent(updatedProfile)));
|
||||
|
||||
@ -419,18 +443,25 @@ public class UserService {
|
||||
return;
|
||||
}
|
||||
|
||||
var status = validateExecution(KeycloakSecurity.getUserId(), userId);
|
||||
var status = validateExecutionForDeletion(KeycloakSecurity.getUserId(), userId);
|
||||
|
||||
if (status.equals(ValidationStatus.FORBIDDEN)) {
|
||||
if (status.equals(ValidationResult.FORBIDDEN)) {
|
||||
throw new ResponseStatusException(HttpStatus.FORBIDDEN, "It is not allowed to delete a user with higher ranking roles");
|
||||
} else if (status.equals(ValidationStatus.INVALID)) {
|
||||
} else if (status.equals(ValidationResult.INVALID)) {
|
||||
return;
|
||||
}
|
||||
|
||||
var userResource = getUserResource(userId);
|
||||
|
||||
var userToBeRemoved = getUserByUsername(userResource.toRepresentation().getUsername());
|
||||
userResource.remove();
|
||||
|
||||
if (status.equals(ValidationResult.ROLE_REMOVAL)) {
|
||||
removeRolesForDeletion(userId,
|
||||
getRoles(userId).stream()
|
||||
.filter(ApplicationRoles::isNoKneconRole)
|
||||
.collect(Collectors.toSet()));
|
||||
} else {
|
||||
userResource.remove();
|
||||
}
|
||||
|
||||
this.rabbitTemplate.convertAndSend(userExchangeName, "user.deleted", (new UserRemovedEvent(userToBeRemoved, KeycloakSecurity.getUserId())));
|
||||
|
||||
@ -443,8 +474,9 @@ public class UserService {
|
||||
var user = this.getUserResource(userId);
|
||||
var userRepresentation = user.toRepresentation();
|
||||
|
||||
if (getRoles(userId).stream()
|
||||
.anyMatch(ApplicationRoles::isKneconRole)) {
|
||||
Set<String> currentRoles = getRoles(userId);
|
||||
if (!userExists(userId) || !currentRoles.isEmpty() && currentRoles.stream()
|
||||
.allMatch(ApplicationRoles::isKneconRole)) {
|
||||
throw new NotFoundException("User with id: " + userId + " does not exist");
|
||||
}
|
||||
|
||||
@ -467,6 +499,10 @@ public class UserService {
|
||||
setRoles(userId, updateProfileRequest.getRoles());
|
||||
|
||||
var updatedUser = getUserByUsername(userRepresentation.getUsername());
|
||||
updatedUser.setRoles(updatedUser.getRoles()
|
||||
.stream()
|
||||
.filter(ApplicationRoles::isNoKneconRole)
|
||||
.collect(Collectors.toSet()));
|
||||
|
||||
this.rabbitTemplate.convertAndSend(userExchangeName, "user.updated", (new UserUpdatedEvent(updatedUser, KeycloakSecurity.getUserId())));
|
||||
|
||||
@ -479,9 +515,9 @@ public class UserService {
|
||||
if (!userId.equalsIgnoreCase(KeycloakSecurity.getUserId())) {
|
||||
var status = validateExecution(KeycloakSecurity.getUserId(), userId);
|
||||
|
||||
if (status.equals(ValidationStatus.FORBIDDEN)) {
|
||||
if (status.equals(ValidationResult.FORBIDDEN)) {
|
||||
throw new ResponseStatusException(HttpStatus.FORBIDDEN, "It is not allowed to activate/deactivate a user with higher ranking roles");
|
||||
} else if (status.equals(ValidationStatus.INVALID)) {
|
||||
} else if (status.equals(ValidationResult.INVALID)) {
|
||||
throw new NotFoundException("User with id: " + userId + " does not exist");
|
||||
}
|
||||
}
|
||||
@ -499,11 +535,14 @@ public class UserService {
|
||||
}
|
||||
|
||||
var toggledUser = getUserByUsername(userRepresentation.getUsername());
|
||||
toggledUser.setRoles(toggledUser.getRoles()
|
||||
.stream()
|
||||
.filter(ApplicationRoles::isNoKneconRole)
|
||||
.collect(Collectors.toSet()));
|
||||
|
||||
this.rabbitTemplate.convertAndSend(userExchangeName, "user.statusChanged", (new UserStatusToggleEvent(toggledUser, KeycloakSecurity.getUserId())));
|
||||
|
||||
return convert(this.getTenantUsersResource()
|
||||
.get(userId).toRepresentation());
|
||||
return toggledUser;
|
||||
}
|
||||
|
||||
|
||||
@ -512,9 +551,9 @@ public class UserService {
|
||||
if (!userId.equalsIgnoreCase(KeycloakSecurity.getUserId())) {
|
||||
var status = validateExecution(KeycloakSecurity.getUserId(), userId);
|
||||
|
||||
if (status.equals(ValidationStatus.FORBIDDEN)) {
|
||||
if (status.equals(ValidationResult.FORBIDDEN)) {
|
||||
throw new ResponseStatusException(HttpStatus.FORBIDDEN, "It is not allowed to reset the password of a user with higher ranking roles");
|
||||
} else if (status.equals(ValidationStatus.INVALID)) {
|
||||
} else if (status.equals(ValidationResult.INVALID)) {
|
||||
throw new NotFoundException("User with id: " + userId + " does not exist");
|
||||
}
|
||||
}
|
||||
@ -564,22 +603,48 @@ public class UserService {
|
||||
}
|
||||
|
||||
|
||||
private enum ValidationStatus {
|
||||
private enum ValidationResult {
|
||||
ALLOWED,
|
||||
FORBIDDEN,
|
||||
INVALID
|
||||
INVALID,
|
||||
ROLE_REMOVAL
|
||||
|
||||
}
|
||||
|
||||
|
||||
private ValidationStatus validateExecution(String executingUserId, String targetUserId) {
|
||||
private ValidationResult validateExecution(String executingUserId, String targetUserId) {
|
||||
|
||||
var currentUserResource = getUserResource(executingUserId);
|
||||
var currentRoles = getRoles(currentUserResource.toRepresentation().getId());
|
||||
var userRoles = getRoles(targetUserId);
|
||||
|
||||
if (userRoles.stream()
|
||||
.anyMatch(ApplicationRoles::isKneconRole)) {
|
||||
return ValidationStatus.INVALID;
|
||||
return validateRoleRanks(currentRoles, userRoles);
|
||||
}
|
||||
|
||||
|
||||
private ValidationResult validateExecutionForDeletion(String executingUserId, String targetUserId) {
|
||||
|
||||
var currentUserResource = getUserResource(executingUserId);
|
||||
var currentRoles = getRoles(currentUserResource.toRepresentation().getId());
|
||||
var userRoles = getRoles(targetUserId);
|
||||
|
||||
ValidationResult validationResult = validateRoleRanks(currentRoles, userRoles);
|
||||
if (validationResult == ValidationResult.ALLOWED) {
|
||||
if (userRoles.stream()
|
||||
.anyMatch(ApplicationRoles::isKneconRole) && userRoles.stream()
|
||||
.anyMatch(ApplicationRoles::isNoKneconRole)) {
|
||||
return ValidationResult.ROLE_REMOVAL;
|
||||
}
|
||||
}
|
||||
return validationResult;
|
||||
}
|
||||
|
||||
|
||||
private ValidationResult validateRoleRanks(Set<String> currentRoles, Set<String> userRoles) {
|
||||
|
||||
if (!userRoles.isEmpty() && userRoles.stream()
|
||||
.allMatch(ApplicationRoles::isKneconRole)) {
|
||||
return ValidationResult.INVALID;
|
||||
}
|
||||
|
||||
var roleMapping = tenantUserManagementProperties.getKcRoleMapping();
|
||||
@ -593,9 +658,9 @@ public class UserService {
|
||||
.orElse(-1);
|
||||
|
||||
if (targetRank <= maxRank) {
|
||||
return ValidationStatus.ALLOWED;
|
||||
return ValidationResult.ALLOWED;
|
||||
} else {
|
||||
return ValidationStatus.FORBIDDEN;
|
||||
return ValidationResult.FORBIDDEN;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@ -72,4 +72,22 @@ public class SMTPConfigurationTest extends AbstractTenantUserManagementIntegrati
|
||||
TenantContext.clear();
|
||||
}
|
||||
|
||||
|
||||
@Test
|
||||
public void testSMTPwithoutPassword() {
|
||||
TenantContext.setTenantId(AbstractTenantUserManagementIntegrationTest.TEST_TENANT_ID);
|
||||
|
||||
SMTPConfiguration smtpConfiguration = new SMTPConfiguration();
|
||||
smtpConfiguration.setFrom("from@knecon.com");
|
||||
smtpConfiguration.setHost("test.knecon.com");
|
||||
|
||||
smtpConfigurationClient.updateSMTPConfiguration(smtpConfiguration);
|
||||
|
||||
var current = smtpConfigurationClient.getCurrentSMTPConfiguration();
|
||||
|
||||
assertThat(current.getPassword()).matches("\\**");
|
||||
|
||||
TenantContext.clear();
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@ -9,11 +9,13 @@ import static org.junit.jupiter.api.Assertions.assertTrue;
|
||||
|
||||
import java.util.HashSet;
|
||||
import java.util.List;
|
||||
import java.util.Optional;
|
||||
import java.util.Set;
|
||||
import java.util.stream.Collectors;
|
||||
|
||||
import org.junit.jupiter.api.Test;
|
||||
import org.keycloak.admin.client.resource.UserResource;
|
||||
import org.keycloak.admin.client.resource.UsersResource;
|
||||
import org.keycloak.representations.idm.RoleRepresentation;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
|
||||
import com.knecon.fforesight.tenantcommons.TenantContext;
|
||||
@ -26,6 +28,7 @@ import com.knecon.fforesight.tenantusermanagement.model.UpdateProfileRequest;
|
||||
import com.knecon.fforesight.tenantusermanagement.model.User;
|
||||
import com.knecon.fforesight.tenantusermanagement.permissions.ApplicationRoles;
|
||||
import com.knecon.fforesight.tenantusermanagement.properties.TenantUserManagementProperties;
|
||||
import com.knecon.fforesight.tenantusermanagement.service.RealmService;
|
||||
|
||||
import feign.FeignException;
|
||||
import lombok.SneakyThrows;
|
||||
@ -35,6 +38,9 @@ public class UserTest extends AbstractTenantUserManagementIntegrationTest {
|
||||
@Autowired
|
||||
private UserClient userClient;
|
||||
|
||||
@Autowired
|
||||
private RealmService realmService;
|
||||
|
||||
@Autowired
|
||||
private TenantUserManagementProperties tenantUserManagementProperties;
|
||||
|
||||
@ -386,24 +392,24 @@ public class UserTest extends AbstractTenantUserManagementIntegrationTest {
|
||||
createUserRequest.setFirstName("All");
|
||||
createUserRequest.setLastName("Roles");
|
||||
createUserRequest.setUsername("AllRoles");
|
||||
createUserRequest.setRoles(allRoles);
|
||||
User user = userClient.createUser(createUserRequest);
|
||||
addRoles(user.getUserId(), allRoles);
|
||||
|
||||
var createUserRequest2 = new CreateUserRequest();
|
||||
createUserRequest2.setEmail("nokneconroles@notknecon.com");
|
||||
createUserRequest2.setFirstName("No Knecon");
|
||||
createUserRequest2.setLastName("Roles");
|
||||
createUserRequest2.setUsername("NoKneconRoles");
|
||||
createUserRequest2.setRoles(allButKneconRoles);
|
||||
User noKneconUser = userClient.createUser(createUserRequest2);
|
||||
addRoles(noKneconUser.getUserId(), allButKneconRoles);
|
||||
|
||||
var createUserRequest3 = new CreateUserRequest();
|
||||
createUserRequest3.setEmail("onlykneconroles@notknecon.com");
|
||||
createUserRequest3.setFirstName("Only Knecon");
|
||||
createUserRequest3.setLastName("Roles");
|
||||
createUserRequest3.setUsername("OnlyKneconRoles");
|
||||
createUserRequest3.setRoles(onlyKneconRoles);
|
||||
User onlyKneconUser = userClient.createUser(createUserRequest3);
|
||||
addRoles(onlyKneconUser.getUserId(), onlyKneconRoles);
|
||||
|
||||
var allUsers = userClient.getAllUsers(true);
|
||||
|
||||
@ -480,9 +486,13 @@ public class UserTest extends AbstractTenantUserManagementIntegrationTest {
|
||||
tokenService.setUser("red-user-admin@knecon.com", "Secret@secured!23");
|
||||
|
||||
// we should not be able to set roles of this user at all as it is not visible to us resulting in a 404
|
||||
e = assertThrows(FeignException.class, () -> userClient.setRoles(user.getUserId(), onlyKneconRoles));
|
||||
e = assertThrows(FeignException.class, () -> userClient.setRoles(onlyKneconUser.getUserId(), allButKneconRoles));
|
||||
assertEquals(404, e.status());
|
||||
|
||||
// we can not assign a knecon rule as it is not visible to us
|
||||
e = assertThrows(FeignException.class, () -> userClient.setRoles(user.getUserId(), onlyKneconRoles));
|
||||
assertEquals(400, e.status());
|
||||
|
||||
// we should not be able to assign ourselves a knecon role as it is not visible to us
|
||||
e = assertThrows(FeignException.class, () -> userClient.setRoles(redUserAdmin.getUserId(), allRoles));
|
||||
assertEquals(400, e.status());
|
||||
@ -490,59 +500,99 @@ public class UserTest extends AbstractTenantUserManagementIntegrationTest {
|
||||
// authenticate as knecon admin again
|
||||
tokenService.setUser("admin@knecon.com", "secret");
|
||||
|
||||
// this should be possible because we now have knecon roles
|
||||
userClient.setRoles(onlyKneconUser.getUserId(), allRoles);
|
||||
assertEquals(userClient.getUserById(onlyKneconUser.getUserId()).getRoles().size(), 2);
|
||||
// this should still not be possible
|
||||
e = assertThrows(FeignException.class, () -> userClient.setRoles(onlyKneconUser.getUserId(), allRoles));
|
||||
assertEquals(404, e.status());
|
||||
|
||||
// and this as well
|
||||
userClient.setRoles(user.getUserId(), allRoles);
|
||||
// and also not this
|
||||
e = assertThrows(FeignException.class, () -> userClient.setRoles(user.getUserId(), allRoles));
|
||||
assertEquals(400, e.status());
|
||||
|
||||
// we can also poll the user
|
||||
userClient.getUserById(user.getUserId());
|
||||
|
||||
e = assertThrows(FeignException.class, () -> userClient.getUserById(onlyKneconUser.getUserId()));
|
||||
assertEquals(404, e.status());
|
||||
|
||||
// back to having no rights
|
||||
tokenService.setUser("red-user-admin@knecon.com", "Secret@secured!23");
|
||||
|
||||
// we can not call update profile
|
||||
e = assertThrows(FeignException.class, () -> userClient.updateProfile(user.getUserId(), new UpdateProfileRequest()));
|
||||
e = assertThrows(FeignException.class, () -> userClient.updateProfile(onlyKneconUser.getUserId(), new UpdateProfileRequest()));
|
||||
assertEquals(404, e.status());
|
||||
|
||||
// or reset password
|
||||
e = assertThrows(FeignException.class, () -> userClient.resetPassword(user.getUserId(), new ResetPasswordRequest()));
|
||||
e = assertThrows(FeignException.class, () -> userClient.resetPassword(onlyKneconUser.getUserId(), new ResetPasswordRequest()));
|
||||
assertEquals(404, e.status());
|
||||
|
||||
// now as a knecon admin again
|
||||
tokenService.setUser("admin@knecon.com", "secret");
|
||||
|
||||
// we can also not see another knecon account and change their password
|
||||
e = assertThrows(FeignException.class, () -> userClient.resetPassword(user.getUserId(), new ResetPasswordRequest()));
|
||||
e = assertThrows(FeignException.class, () -> userClient.resetPassword(onlyKneconUser.getUserId(), new ResetPasswordRequest()));
|
||||
assertEquals(404, e.status());
|
||||
|
||||
// or activate the profile
|
||||
e = assertThrows(FeignException.class, () -> userClient.activateProfile(user.getUserId(), true));
|
||||
e = assertThrows(FeignException.class, () -> userClient.activateProfile(onlyKneconUser.getUserId(), true));
|
||||
assertEquals(404, e.status());
|
||||
|
||||
// but the user with all roles can be processed
|
||||
userClient.resetPassword(user.getUserId(), new ResetPasswordRequest("Secret@secured!23", false));
|
||||
User activated = userClient.activateProfile(user.getUserId(), true);
|
||||
activated.getRoles()
|
||||
.stream()
|
||||
.noneMatch(ApplicationRoles::isKneconRole);
|
||||
|
||||
// we create a new user with all roles
|
||||
var createUserRequest4 = new CreateUserRequest();
|
||||
createUserRequest4.setEmail("allroles2@knecon.com");
|
||||
createUserRequest4.setFirstName("All");
|
||||
createUserRequest4.setLastName("Roles2");
|
||||
createUserRequest4.setUsername("AllRoles2");
|
||||
createUserRequest4.setRoles(allRoles);
|
||||
User user4 = userClient.createUser(createUserRequest4);
|
||||
addRoles(user4.getUserId(), allRoles);
|
||||
|
||||
// we attempt to delete it
|
||||
userClient.deleteUser(user4.getUserId());
|
||||
// we attempt to delete it, should not be possible but still return 204
|
||||
userClient.deleteUser(onlyKneconUser.getUserId());
|
||||
|
||||
// and again using the bulk call
|
||||
userClient.deleteUsers(List.of(user4.getUserId()));
|
||||
userClient.deleteUsers(List.of(onlyKneconUser.getUserId()));
|
||||
|
||||
// no rights again ...
|
||||
tokenService.setUser("red-user-admin@knecon.com", "Secret@secured!23");
|
||||
|
||||
// with this user we expect a 204 as well
|
||||
userClient.deleteUser(onlyKneconUser.getUserId());
|
||||
|
||||
userClient.deleteUsers(List.of(onlyKneconUser.getUserId()));
|
||||
|
||||
// check users as knecon admin again
|
||||
tokenService.setUser("admin@knecon.com", "secret");
|
||||
|
||||
// with this user we expect a 204 as well but the user should have removed red roles
|
||||
userClient.deleteUser(user4.getUserId());
|
||||
|
||||
addRoles(onlyKneconUser.getUserId(), allRoles);
|
||||
allUsers = userClient.getAllUsers(true);
|
||||
assertTrue(allUsers.stream()
|
||||
.anyMatch(u -> u.getUserId().equals(user4.getUserId())));
|
||||
// and should not have changed
|
||||
var user5 = userClient.getUserById(user4.getUserId());
|
||||
assertEquals(user4, user5);
|
||||
.anyMatch(u -> u.getUserId().equals(onlyKneconUser.getUserId())));
|
||||
|
||||
// hence, 404 when trying to get the user now
|
||||
e = assertThrows(FeignException.class, () -> userClient.getUserById(user4.getUserId()));
|
||||
assertEquals(404, e.status());
|
||||
// give the user the old roles back
|
||||
addRoles(user4.getUserId(), allButKneconRoles);
|
||||
|
||||
allUsers = userClient.getAllUsers(true);
|
||||
var user4AfterShenanigansOpt = allUsers.stream().filter(u -> u.getUserId().equals(user4.getUserId())).findFirst();
|
||||
assertTrue(user4AfterShenanigansOpt.isPresent());
|
||||
user4AfterShenanigansOpt.get().setRoles(new HashSet<>());
|
||||
assertEquals(user4AfterShenanigansOpt.get(), user4);
|
||||
|
||||
var stillOnlyKneconUserOpt = allUsers.stream().filter(u -> u.getUserId().equals(onlyKneconUser.getUserId())).findFirst();
|
||||
assertTrue(stillOnlyKneconUserOpt.isPresent());
|
||||
stillOnlyKneconUserOpt.get().setRoles(new HashSet<>());
|
||||
assertEquals(stillOnlyKneconUserOpt.get(), onlyKneconUser);
|
||||
|
||||
}
|
||||
|
||||
@ -563,8 +613,8 @@ public class UserTest extends AbstractTenantUserManagementIntegrationTest {
|
||||
createUserRequest.setFirstName("Some Other");
|
||||
createUserRequest.setLastName("User");
|
||||
createUserRequest.setUsername("SomeOtherUser");
|
||||
createUserRequest.setRoles(allRoles);
|
||||
User user = userClient.createUser(createUserRequest);
|
||||
addRoles(user.getUserId(), allRoles);
|
||||
|
||||
var createUserRequest2 = new CreateUserRequest();
|
||||
createUserRequest2.setEmail("noroles@notknecon.com");
|
||||
@ -587,6 +637,36 @@ public class UserTest extends AbstractTenantUserManagementIntegrationTest {
|
||||
}
|
||||
|
||||
|
||||
@Test
|
||||
public void testOperationsOnUserWithoutRoles() {
|
||||
|
||||
// set context and user
|
||||
TenantContext.setTenantId(AbstractTenantUserManagementIntegrationTest.TEST_TENANT_ID);
|
||||
tokenService.setUser("admin@knecon.com", "secret");
|
||||
|
||||
var createUserRequest = new CreateUserRequest();
|
||||
createUserRequest.setEmail("noroles@notknecon.com");
|
||||
createUserRequest.setFirstName("No");
|
||||
createUserRequest.setLastName("Roles");
|
||||
createUserRequest.setUsername("NoRolesAtAll");
|
||||
createUserRequest.setRoles(new HashSet<>());
|
||||
User noRolesUser = userClient.createUser(createUserRequest);
|
||||
|
||||
userClient.resetPassword(noRolesUser.getUserId(), ResetPasswordRequest.builder().password("SuperSecret42!!").build());
|
||||
|
||||
userClient.activateProfile(noRolesUser.getUserId(), false);
|
||||
noRolesUser = userClient.getUserById(noRolesUser.getUserId());
|
||||
assertFalse(noRolesUser.isActive());
|
||||
|
||||
var allUsers = userClient.getAllUsers(true);
|
||||
var sizeBefore = allUsers.size();
|
||||
userClient.deleteUser(noRolesUser.getUserId());
|
||||
allUsers = userClient.getAllUsers(true);
|
||||
assertThat(allUsers).hasSize(sizeBefore - 1);
|
||||
|
||||
}
|
||||
|
||||
|
||||
@Test
|
||||
public void testCreateUserWithInvalidEmailFormat() {
|
||||
|
||||
@ -623,4 +703,30 @@ public class UserTest extends AbstractTenantUserManagementIntegrationTest {
|
||||
|
||||
}
|
||||
|
||||
|
||||
private UsersResource getTenantUsersResource() {
|
||||
|
||||
return realmService.realm(TenantContext.getTenantId()).users();
|
||||
}
|
||||
|
||||
|
||||
private UserResource getUserResource(String userId) {
|
||||
|
||||
return this.getTenantUsersResource()
|
||||
.get(userId);
|
||||
}
|
||||
|
||||
|
||||
private RoleRepresentation getRoleRepresentation(String role) {
|
||||
|
||||
return realmService.realm(TenantContext.getTenantId()).roles()
|
||||
.get(role).toRepresentation();
|
||||
}
|
||||
|
||||
|
||||
private void addRoles(String userId, Set<String> roles) {
|
||||
|
||||
getUserResource(userId).roles().realmLevel().add(roles.stream().map(this::getRoleRepresentation).toList());
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user