Hotfix password change and LDAP

dcfd87cd · Martin Weise · fc06634d · dcfd87cd · dcfd87cd · dcfd87cd
Verified Commit dcfd87cd authored 10 months ago by Martin Weise
--- a/.docker/dist.tar.gz
+++ b/.docker/dist.tar.gz
--- a/.docker/docker-compose.yml
+++ b/.docker/docker-compose.yml
@@ -346,7 +346,6 @@ services:
      OPENSEARCH_PORT: ${OPENSEARCH_PORT:-9200}
      OPENSEARCH_USERNAME: ${SEARCH_DB_USERNAME:-admin}
      OPENSEARCH_PASSWORD: ${SEARCH_DB_PASSWORD:-admin}
-      LOG_LEVEL: ${LOG_LEVEL:-info}
    depends_on:
      dbrepo-search-db:
        condition: service_healthy

--- a/.docs/api/auth-service.md
+++ b/.docs/api/auth-service.md
@@ -19,10 +19,37 @@ of immutable properties (id, username) is mirrored in the [Metadata Database](..

 ## Identities

-:octicons-tag-16:{ title="Minimum version" } 1.4.4
-
-Identities can also be added in Keycloak directly. When requesting a JWT token from the `/api/user` endpoint, the
-immutable properties mentioned in c.f. [Overview](#overview) are copied transparent to the user on first login.
+:octicons-tag-16:{ title="Minimum version" } 1.4.5
+
+Identities are managed via LDAP through the [Identity Service](../identity-service). The normal workflow is that the
+[Metadata Service](../metadata-service) adds identities when user register. In some cases, where this is not possible
+(e.g. in workshop-scenarios where accounts are created before the workshop starts), identities need to be created
+manually in Keycloak. The recommended workflow is:
+
+1. Login to the Auth Service as **Admin** and in the dbrepo realm navigate to **Users**
+2. Click the **Add user** button and fill out the Username field and assign the group `researchers` by clicking 
+   the **Join Groups** and selecting it. Click **Join** and **Create**.
+3. Click the **Credentials** tab above and **Set password**. In the popup window assign a secure password to the user
+   and set **Temporary** to `Off`.
+
+    !!! example "Create user with specific id"
+
+        The user id is created automatically. In case you need to create a user with specific id such as in migration
+        scenarios, you need to change the `entryUUID` in the [Identity Service](../identity-service) by modifying this
+        protected attribute in `relax` mode:
+
+        ```bash
+        echo "dn: uid=<username>,ou=users,dc=dbrepo,dc=at
+        changetype: modify
+        replace: entryUUID
+        entryUUID: 506ae590-11a2-4d2d-82b8-45121c6b4dab" | \
+        ldapmodify -h localhost -p 1389 -D cn=admin,dc=dbrepo,dc=at -c -x -e relax \
+        -w<adminpassword> 
+        ```
+
+4. Finally you need to query the user info once by navigating again to **Users**
+   and search for the **Username** and click :arrow_right: to search. Click the username and ensure that the 
+   **User metadata** contains the entry **LDAP_ID**.

 ## Groups


--- a/dbrepo-metadata-service/rest-service/src/main/java/at/tuwien/endpoints/UserEndpoint.java
+++ b/dbrepo-metadata-service/rest-service/src/main/java/at/tuwien/endpoints/UserEndpoint.java
@@ -372,11 +372,11 @@ public class UserEndpoint {
            log.error("Failed to modify user password: not current user");
            throw new NotAllowedException("Failed to modify user password: not current user");
        }
-        userService.updatePassword(user, data);
        authenticationService.updatePassword(user, data);
        for (Database database : databaseService.findAllAccess(userId)) {
            databaseService.updatePassword(database, user);
        }
+        userService.updatePassword(user, data);
        return ResponseEntity.accepted()
                .build();
    }

--- a/dbrepo-metadata-service/rest-service/src/test/java/at/tuwien/gateway/KeycloakGatewayUnitTest.java
+++ b/dbrepo-metadata-service/rest-service/src/test/java/at/tuwien/gateway/KeycloakGatewayUnitTest.java
@@ -191,7 +191,8 @@ public class KeycloakGatewayUnitTest extends AbstractUnitTest {
    }

    @Test
-    public void updateUserCredentials_succeeds() throws AuthServiceException, AuthServiceConnectionException {
+    public void updateUserCredentials_succeeds() throws AuthServiceException, AuthServiceConnectionException,
+            UserNotFoundException {

        /* mock */
        when(restTemplate.exchange(anyString(), eq(HttpMethod.POST), any(HttpEntity.class), eq(TokenDto.class)))

--- a/dbrepo-metadata-service/rest-service/src/test/java/at/tuwien/service/UserServiceUnitTest.java
+++ b/dbrepo-metadata-service/rest-service/src/test/java/at/tuwien/service/UserServiceUnitTest.java
@@ -109,7 +109,7 @@ public class UserServiceUnitTest extends AbstractUnitTest {

    @Test
    public void updatePassword_succeeds() throws AuthServiceException, AuthServiceConnectionException,
-            CredentialsInvalidException {
+            UserNotFoundException {

        /* mock */
        doNothing()

--- a/dbrepo-metadata-service/services/src/main/java/at/tuwien/gateway/KeycloakGateway.java
+++ b/dbrepo-metadata-service/services/src/main/java/at/tuwien/gateway/KeycloakGateway.java
@@ -40,7 +40,7 @@ public interface KeycloakGateway {
     * @param password The user credential.
     */
    void updateUserCredentials(UUID id, UserPasswordDto password) throws AuthServiceException,
-            AuthServiceConnectionException;
+            AuthServiceConnectionException, UserNotFoundException;

    /**
     * Finds a user in the metadata database by given username.

--- a/dbrepo-metadata-service/services/src/main/java/at/tuwien/gateway/impl/KeycloakGatewayImpl.java
+++ b/dbrepo-metadata-service/services/src/main/java/at/tuwien/gateway/impl/KeycloakGatewayImpl.java
@@ -161,7 +161,7 @@ public class KeycloakGatewayImpl implements KeycloakGateway {

    @Override
    public void updateUserCredentials(UUID id, UserPasswordDto data) throws AuthServiceException,
-            AuthServiceConnectionException {
+            AuthServiceConnectionException, UserNotFoundException {
        final UpdateCredentialsDto payload = metadataMapper.passwordToUpdateCredentialsDto(data.getPassword());
        final String path = "/admin/realms/dbrepo/users/" + id;
        log.trace("update user credentials at endpoint {} with path {}", keycloakConfig.getKeycloakEndpoint(), path);
@@ -171,6 +171,9 @@ public class KeycloakGatewayImpl implements KeycloakGateway {
        } catch (HttpServerErrorException e) {
            log.error("Failed to update user credentials: {}", e.getMessage());
            throw new AuthServiceConnectionException("Service unavailable", e);
+        } catch (HttpClientErrorException.NotFound e) {
+            log.error("Failed to update user credentials: user not found: {}", e.getMessage());
+            throw new UserNotFoundException("User not found", e);
        } catch (Exception e) {
            log.error("Failed to update user: unexpected response: {}", e.getMessage());
            throw new AuthServiceException("Unexpected result", e);

--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -403,7 +403,6 @@ services:
      OPENSEARCH_PORT: ${OPENSEARCH_PORT:-9200}
      OPENSEARCH_USERNAME: ${SEARCH_DB_USERNAME:-admin}
      OPENSEARCH_PASSWORD: ${SEARCH_DB_PASSWORD:-admin}
-      LOG_LEVEL: ${LOG_LEVEL:-info}
    depends_on:
      dbrepo-search-db:
        condition: service_healthy

--- a/helm/dbrepo/values.yaml
+++ b/helm/dbrepo/values.yaml
@@ -306,7 +306,7 @@ brokerservice:
    ## @param brokerservice.ldap.uidField The field containing the user id.
    uidField: uid
    ## @param brokerservice.ldap.basedn The base domain name containing the users.
-    basedn: ou=users,dc=dbrepo,dc=at
+    basedn: dc=dbrepo,dc=at
    ## @param brokerservice.ldap.userDnPattern The pattern to determine the user.
    userDnPattern: ${username}
  auth: