From 74950cfe9573f05afc5e62f6df744c6e52592400 Mon Sep 17 00:00:00 2001 From: kbeyro <121854496+kbeyro@users.noreply.github.com> Date: Fri, 11 Apr 2025 14:35:36 +0200 Subject: [PATCH 1/6] when deleting the ROLE.GROUP_MANAGER delete also domain roles and group domain membership --- .../portal/service/impl/DomainServiceImpl.java | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/src/main/java/net/geant/nmaas/portal/service/impl/DomainServiceImpl.java b/src/main/java/net/geant/nmaas/portal/service/impl/DomainServiceImpl.java index 9062b6ed8..83d7f5652 100644 --- a/src/main/java/net/geant/nmaas/portal/service/impl/DomainServiceImpl.java +++ b/src/main/java/net/geant/nmaas/portal/service/impl/DomainServiceImpl.java @@ -52,6 +52,8 @@ import java.util.Set; import java.util.stream.Collectors; import static com.google.common.base.Preconditions.checkArgument; +import static net.geant.nmaas.portal.persistent.entity.Role.ROLE_GROUP_DOMAIN_ADMIN; +import static net.geant.nmaas.portal.persistent.entity.Role.ROLE_GROUP_MANAGER; import static net.geant.nmaas.portal.persistent.entity.Role.ROLE_GUEST; @Service 
@@ -369,6 +371,19 @@ public class DomainServiceImpl implements DomainService { public void removeMemberRole(Long domainId, Long userId, Role role) { checkParams(domainId, userId); checkParams(role); + //if deleting group_manager role delete also group_domain_admin + if(role.equals(ROLE_GROUP_MANAGER)) { + Optional<User> user = userService.findById(userId); + if(user.isPresent()) { + List<UserRole> roles = user.get().getRoles().stream().filter(r -> r.getRole().equals(ROLE_GROUP_DOMAIN_ADMIN)).toList(); + roles.forEach(r -> { + userRoleRepository.deleteBy(userId, r.getDomain().getId(), r.getRole()); + log.info("Deleting role {} from domain {} for user {} as part of ROLE_GROUP_MANAGER removal", r.getRole(), r.getDomain().getCodename(), userId); + }); + domainGroupService.deleteUserFromAllDomainsGroups(user.get()); + log.info("Delete user {} from all domain groups", user.get().getId()); + } + } userRoleRepository.deleteBy(userId, domainId, role); } -- GitLab From 78a83c6834e8fc558b9b53d5ee937e1553709f4a Mon Sep 17 00:00:00 2001 From: pkazimierowski <pkazimierowski@man.poznan.pl> Date: Fri, 11 Apr 2025 15:00:06 +0200 Subject: [PATCH 2/6] some fixes --- .../portal/service/impl/OidcUserServiceImpl.java | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/src/main/java/net/geant/nmaas/portal/service/impl/OidcUserServiceImpl.java b/src/main/java/net/geant/nmaas/portal/service/impl/OidcUserServiceImpl.java index 85b513fec..4e3ad3a2d 100644 --- a/src/main/java/net/geant/nmaas/portal/service/impl/OidcUserServiceImpl.java +++ b/src/main/java/net/geant/nmaas/portal/service/impl/OidcUserServiceImpl.java 
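Review bot: The new ROLE_GROUP_MANAGER branch is not scoped to `domainId`: it collects every ROLE_GROUP_DOMAIN_ADMIN assignment the user holds in any domain, deletes them, and then calls `domainGroupService.deleteUserFromAllDomainsGroups(user.get())`, so removing the manager role in one domain revokes the user's admin rights and group memberships everywhere else. If a user may legitimately manage more than one group this is an over-broad revocation; if the global model is intended, say so above the branch, e.g. `// ROLE_GROUP_MANAGER is global: dropping it revokes every ROLE_GROUP_DOMAIN_ADMIN assignment and all domain-group memberships`, otherwise the filter needs a domain predicate the visible code does not expose. When `findById` returns empty the branch is skipped silently and only the final `deleteBy` runs; whether that case is reachable after `checkParams` is not visible here, so a `log.warn` in that path would make the outcome observable. Minor: if `Role` is an enum, `role == ROLE_GROUP_MANAGER` reads better than `role.equals(ROLE_GROUP_MANAGER)`, and the `//if deleting ...` comment wants a space after `//` like the rest of the file.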
@@ -2,6 +2,7 @@ package net.geant.nmaas.portal.service.impl; import lombok.RequiredArgsConstructor; import lombok.extern.slf4j.Slf4j; +import net.geant.nmaas.portal.api.exception.ExternalUserMatchException; import net.geant.nmaas.portal.api.exception.MissingElementException; import net.geant.nmaas.portal.api.exception.SignupException; import net.geant.nmaas.portal.exceptions.ObjectAlreadyExistsException; @@ -43,18 +44,25 @@ public class OidcUserServiceImpl implements OidcUserService { boolean existUserBySamlToken = userService .existsBySamlToken(oidcUserSub); - if (existUserBySamlToken) { + if (existUserBySamlToken) { //exist by saml_token and everything is correct return userService .findBySamlToken(oidcUserSub) .orElseThrow(); } - if (userService.existsByEmail(oidcUserEmail)) { + + if (userService.existsByEmail(oidcUserEmail)) {//exist by email needs work with this account User user = userService.findByEmail(oidcUserEmail); + //check if user with given email have older SamlToken as Email or Username if (user.getSamlToken().equals(oidcUserEmail) || user.getSamlToken().equals(oidcUserPreferredUsername)) { user.setSamlToken(oidcUserSub); userService.update(user); return user; + }else{ + throw new ExternalUserMatchException("External user " + + oidcUserSub + + " does not match internal user with SamlToken " + + user.getSamlToken()); } } return registerNewUser(oidcUser); -- GitLab From 861ef981fe6937fe01919dc6499bc6120d8c060a Mon Sep 17 00:00:00 2001 From: Lukasz Lopatowski <llopat@man.poznan.pl> Date: Mon, 14 Apr 2025 11:01:33 +0200 Subject: [PATCH 3/6] Adjusted log levels --- .../portal/api/security/JWTTokenService.java | 19 +++++++++---------- .../impl/ApplicationBaseServiceImpl.java | 8 ++++---- 2 files changed, 13 insertions(+), 14 deletions(-) diff --git a/src/main/java/net/geant/nmaas/portal/api/security/JWTTokenService.java b/src/main/java/net/geant/nmaas/portal/api/security/JWTTokenService.java index c63d712c4..813a0fb20 100644 
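Review bot: The new `ExternalUserMatchException` message embeds `user.getSamlToken()`, the identifier already bound to the internal account found by e-mail, so an external identity that merely presents a matching e-mail learns that a local account exists and which subject it is linked to; if this exception propagates into the HTTP response that is an account-enumeration and linkage disclosure. Keep that detail in a server-side log line and throw with a message naming only the external subject, e.g. `throw new ExternalUserMatchException("External user " + oidcUserSub + " does not match an existing internal user");`. The same branch (like the pre-existing condition above it) calls `user.getSamlToken().equals(...)` without a null guard, so an e-mail-matched account whose `samlToken` was never set fails with a NullPointerException instead of the new exception; `Objects.equals(user.getSamlToken(), oidcUserEmail)` would route it to the else-branch, assuming the field is nullable, which the hunk does not show. The enclosing method starts and ends outside the hunk; style-wise `}else{` should be `} else {` and the trailing `//exist by ...` comments belong on their own lines.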
--- a/src/main/java/net/geant/nmaas/portal/api/security/JWTTokenService.java +++ b/src/main/java/net/geant/nmaas/portal/api/security/JWTTokenService.java @@ -26,12 +26,11 @@ import java.util.stream.Collectors; @Slf4j public class JWTTokenService { - private JWTSettings jwtSettings; - private static final String SCOPES = "scopes"; - private static final String LANGUAGE = "language"; + private JWTSettings jwtSettings; + @Value("${domain.global:GLOBAL}") String globalDomain; @@ -47,16 +46,16 @@ public class JWTTokenService { if (user == null || StringUtils.isEmpty(user.getUsername())) { throw new IllegalArgumentException("User or username is not set"); } - if(user.getFirstname() != null && !user.getFirstname().isEmpty()) { + if (user.getFirstname() != null && !user.getFirstname().isEmpty()) { preferredUsername = user.getFirstname(); - }else{ + } else { preferredUsername = user.getUsername(); } - log.error("Get request for a token"); - log.error("user = {} {} {}", user.getId(), user.getUsername(), user.getSelectedLanguage()); - log.error("jwtSigningKey= {}", jwtSettings.getSigningKey()); + log.trace("Get request for a token"); + log.trace("user = {} {} {}", user.getId(), user.getUsername(), user.getSelectedLanguage()); + log.trace("jwtSigningKey= {}", jwtSettings.getSigningKey()); user.getRoles().forEach(role -> { - log.error("Role = {} {} {} {}", role.getRole().toString(), role.getAuthority(), role.getDomain().getCodename(), role.getUser().getId()); + log.trace("Role = {} {} {} {}", role.getRole().toString(), role.getAuthority(), role.getDomain().getCodename(), role.getUser().getId()); }); String result = Jwts.builder() .setSubject(user.getUsername()) @@ -88,7 +87,7 @@ public class JWTTokenService { .claim(LANGUAGE, user.getSelectedLanguage()) .signWith(getSignInKey(jwtSettings.getSigningKey()), SignatureAlgorithm.HS512) .compact(); - log.error(result); + log.trace(result); return result; } 
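Review bot: Lowering the level does not fix the defect in the second hunk: `log.trace("jwtSigningKey= {}", jwtSettings.getSigningKey());` still writes the HS512 signing secret to the log whenever TRACE is enabled, and the third hunk's `log.trace(result);` writes the complete signed bearer token, so anyone with read access to log output or a log aggregator can mint or replay tokens. Both lines should be deleted rather than demoted; the per-role trace can also drop `role.getUser().getId()`, which repeats the `user.getId()` logged just above. If a trace of key configuration is genuinely needed, log a non-reversible property such as the key length, never the key material. The enclosing method starts outside the second hunk, and the first hunk is only a field reorder.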
diff --git a/src/main/java/net/geant/nmaas/portal/service/impl/ApplicationBaseServiceImpl.java b/src/main/java/net/geant/nmaas/portal/service/impl/ApplicationBaseServiceImpl.java index 409f04ab8..0231ea424 100644 --- a/src/main/java/net/geant/nmaas/portal/service/impl/ApplicationBaseServiceImpl.java +++ b/src/main/java/net/geant/nmaas/portal/service/impl/ApplicationBaseServiceImpl.java @@ -74,7 +74,7 @@ public class ApplicationBaseServiceImpl implements ApplicationBaseService { private void handleTags(ApplicationBase base) { List<Tag> tags = base.getTags().stream() .map(tag -> tagRepository.findByName(tag.getName()).orElse(new Tag(tag.getName()))) - .collect(Collectors.toList()); + .toList(); base.setTags(new HashSet<>(tags)); } @@ -139,16 +139,16 @@ public class ApplicationBaseServiceImpl implements ApplicationBaseService { @Override public List<ApplicationBaseViewS> findAllActiveAppsSmall() { - log.debug("Loading information about all applications"); + log.trace("Loading information about all applications"); LocalDateTime beginning = LocalDateTime.now(); List<ApplicationBaseS> allSmall = appBaseRepository.findAllSmall(); LocalDateTime end = LocalDateTime.now(); - log.debug("Loaded base data from db in {}ms", end.toInstant(ZoneOffset.UTC).toEpochMilli() - beginning.toInstant(ZoneOffset.UTC).toEpochMilli()); + log.trace("Loaded base data from db in {}ms", end.toInstant(ZoneOffset.UTC).toEpochMilli() - beginning.toInstant(ZoneOffset.UTC).toEpochMilli()); List<ApplicationBaseViewS> result = allSmall.stream() .map(app -> modelMapper.map(app, ApplicationBaseViewS.class)) .collect(Collectors.toList()); LocalDateTime finish = LocalDateTime.now(); - log.debug("Complete data is ready after next {}ms", finish.toInstant(ZoneOffset.UTC).toEpochMilli() - end.toInstant(ZoneOffset.UTC).toEpochMilli()); + log.trace("Complete data is ready after next {}ms", finish.toInstant(ZoneOffset.UTC).toEpochMilli() - end.toInstant(ZoneOffset.UTC).toEpochMilli()); return result; } -- GitLab 
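Review bot: The two hunks are inconsistent within one commit: `handleTags` switches to `.toList()` while `findAllActiveAppsSmall` keeps `.collect(Collectors.toList())` two hunks later; in `handleTags` the change is safe because the list is immediately copied into a `HashSet`, but `findAllActiveAppsSmall` returns its list to callers, so it should only follow suit if no caller mutates the result, which is not visible here. The elapsed-time measurement in `findAllActiveAppsSmall` converts `LocalDateTime.now()` through `ZoneOffset.UTC`, which yields a correct difference only while the local offset does not change between the samples; `long start = System.nanoTime();` and `log.trace("Loaded base data from db in {}ms", (System.nanoTime() - start) / 1_000_000);` is the idiomatic monotonic form. The enclosing methods start outside their hunks.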
From 72b6cec12c3488f8d1dcb9798c50e05837a10ab2 Mon Sep 17 00:00:00 2001 From: pkazimierowski <pkazimierowski@man.poznan.pl> Date: Mon, 14 Apr 2025 11:38:10 +0200 Subject: [PATCH 4/6] temporary disable account approvals --- .../net/geant/nmaas/portal/api/auth/OIDCAuthController.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/net/geant/nmaas/portal/api/auth/OIDCAuthController.java b/src/main/java/net/geant/nmaas/portal/api/auth/OIDCAuthController.java index df0071568..526d2faad 100644 --- a/src/main/java/net/geant/nmaas/portal/api/auth/OIDCAuthController.java +++ b/src/main/java/net/geant/nmaas/portal/api/auth/OIDCAuthController.java @@ -71,7 +71,7 @@ public class OIDCAuthController { ); throw new AuthenticationException(ae.getMessage()); } - checkUserApprovals(user); +// checkUserApprovals(user); if (configurationManager.getConfiguration().isMaintenance() && user.getRoles().stream().noneMatch(value -> value.getRole().equals(Role.ROLE_SYSTEM_ADMIN))) { -- GitLab From 98e963b800a201f2821e9223dcb0776f64ec2836 Mon Sep 17 00:00:00 2001 From: Lukasz Lopatowski <llopat@man.poznan.pl> Date: Mon, 14 Apr 2025 16:16:48 +0200 Subject: [PATCH 5/6] Updated changelog.json --- src/main/resources/changelog.json | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/src/main/resources/changelog.json b/src/main/resources/changelog.json index ed50a597c..fb18ce9d9 100644 --- a/src/main/resources/changelog.json +++ b/src/main/resources/changelog.json 
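Review bot: Commenting out `checkUserApprovals(user);` removes the only approval gate visible in this OIDC login path, so an account that has not been approved now receives the same authentication outcome as an approved one (assuming the helper rejects unapproved users, which the hunk does not show), and the only trace of the decision is a column-0 `//` with no owner or ticket. A "temporary" security bypass should be a configuration switch rather than dead code, e.g. `if (approvalsEnabled) { checkUserApprovals(user); }` driven by a `@Value`-injected boolean defaulting to `true` (property name to be chosen), and the commit should say where the bypass is tracked, e.g. `// TODO(<ticket-id>): account approvals disabled temporarily, see <reason>`. The enclosing method starts and ends outside the hunk, and the maintenance-mode check that follows still runs.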
@@ -2,12 +2,17 @@ "versions" : [ { "verNo" : "1.7.1", - "date" : "(2025/04/10)", + "date" : "(2025/04/14)", "topic" : [ { - "title" : "Authentication and user access improvements", + "title" : "Authentication and user access enhancements", "tags" : "[Enhancement]", - "description" : "JWT size reduction and account linking mechanism" + "description" : "JWT size reduction and improved account linking mechanism" + }, + { + "title" : "User role management improvements", + "tags" : "[Enhancement]", + "description" : "Properly handing role removal action and removed obsolete calls to the backend API" } ] }, -- GitLab From 0abc6e8d232eae8d17d41fdb4f14e97620f2b5b6 Mon Sep 17 00:00:00 2001 From: Lukasz Lopatowski <llopat@man.poznan.pl> Date: Tue, 15 Apr 2025 08:07:55 +0200 Subject: [PATCH 6/6] Updated changelog.json --- src/main/resources/changelog.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/resources/changelog.json b/src/main/resources/changelog.json index fb18ce9d9..0c9424123 100644 --- a/src/main/resources/changelog.json +++ b/src/main/resources/changelog.json @@ -2,7 +2,7 @@ "versions" : [ { "verNo" : "1.7.1", - "date" : "(2025/04/14)", + "date" : "(2025/04/15)", "topic" : [ { "title" : "Authentication and user access enhancements", -- GitLab