362 - Account managment

authentication/elaastic-iam/themes/elaastic/login/login.ftl

@@ -126,5 +126,14 @@
                 </div>
             </#if>
         </div>
+    <#elseif section = "info" >
+        <#if realm.password && realm.registrationAllowed && !registrationDisabled??>
+            <div id="kc-registration-container">
+                <div id="kc-registration">
+                    <span>${msg("noAccount")} <a tabindex="8"
+                                                 href="${url.registrationUrl}">${msg("doRegister")}</a></span>
+                </div>
+            </div>
+        </#if>
     </#if>
 </@layout.registrationLayout>

authentication/elaastic-iam/themes/elaastic/login/resources/css/login.css

@@ -21,17 +21,28 @@ body > div:has(.login-container) {
 
     width: 100%;
     max-width: 480px;
-    padding: 1%;
 
     background: #fff;
     border-radius: 8px;
-}
 
-.login-container .logo {
-    width: 150px;
-    height: auto;
-    font-size: .92857143rem;
-    margin-bottom: 1em;
+    > :not(script) {
+        margin: 0 8%;
+    }
+
+    > :not(script):first-child {
+        margin-top: 5%;
+    }
+
+    > :not(script):last-child {
+        margin-bottom: 4%;
+    }
+
+    .logo {
+        width: 150px;
+        height: auto;
+        font-size: .92857143rem;
+        margin-bottom: 1em;
+    }
 }
 
 .login-pf-settings {
@@ -59,4 +70,14 @@ body > div:has(.login-container) {
 
 .required {
     color: #a30000;
+}
+
+#kc-registration-container {
+    font-size: 13px;
+    padding: 15px 35px;
+    background-color: #F0F0F0;
+
+    margin: 4% 0 0 0;
+    border-bottom-left-radius: 8px;
+    border-bottom-right-radius: 8px;
 }

authentication/elaastic-iam/themes/elaastic/login/resources/css/password-update.css

@@ -0,0 +1,3 @@
+#kc-passwd-update-form{
+    margin-bottom: 3%;
+}

authentication/elaastic-iam/themes/elaastic/login/resources/css/register.css

@@ -0,0 +1,3 @@
+#kc-register-form {
+    margin-bottom: 4%;
+}

authentication/elaastic-iam/themes/elaastic/login/template.ftl

@@ -30,7 +30,9 @@
         <body>
         <div>
             <div class="login-container">
-                <img class="logo" src="${url.resourcesPath}/img/elaastic_logo_rvb.png" alt="Logo of elaastic">
+                <div>
+                    <img class="logo" src="${url.resourcesPath}/img/elaastic_logo_rvb.png" alt="Logo of elaastic">
+                </div>
                 <#nested "form">
                 <#nested "info">
             </div>

authentication/elaastic-iam/themes/elaastic/login/theme.properties

@@ -1,5 +1,5 @@
 parent=keycloak
 import=common/keycloak
 locales=de,en,fr
-styles=css/login.css css/social.css
+styles=css/login.css css/social.css css/register.css css/password-update.css
 scripts=js/passwordVisibility.js

server/src/main/kotlin/org/elaastic/auth/UserLinkService.kt

@@ -42,6 +42,7 @@ class UserLinkService(
     @Autowired val userLinkRepository: UserLinkRepository,
     @Autowired val userService: UserService,
     @Autowired val roleService: RoleService,
+    @Autowired val userRepository: UserRepository,
 ) {
 
     @Value("\${spring.security.oauth2.client.registration.keycloak.provider}")
@@ -219,4 +220,21 @@ class UserLinkService(
     fun isNotLinked(user: User): Boolean {
         return !isLinked(user)
     }
+
+    /**
+     * Update the user with the given OIDC user
+     *
+     * The user information are updated with the OIDC user information.
+     */
+    fun updateUserWithOidcUser(user: User, oidcUser: OidcUser): User {
+        return if (user.firstName != oidcUser.givenName || user.lastName != oidcUser.familyName || user.email != oidcUser.email) {
+            user.apply {
+                firstName = oidcUser.givenName
+                lastName = oidcUser.familyName
+                email = oidcUser.email
+            }.let(userRepository::save)
+        } else {
+            user
+        }
+    }
 }

server/src/main/kotlin/org/elaastic/auth/oauth/ElaasticOidcUserService.kt

@@ -18,6 +18,7 @@
 
 package org.elaastic.auth.oauth
 
+import org.elaastic.auth.UserLink
 import org.elaastic.auth.UserLinkService
 import org.elaastic.common.util.alsoThrowIf
 import org.elaastic.user.Role.RoleId
@@ -41,9 +42,8 @@ private const val ROLES_KEY = "roles"
 /**
  * Service dedicated to retrieve the Elaastic User bound to an OidcUser
  *
- * Implementation note: This service overrides OidcUserService, and, as
- * such, must return an OidcUser. The ElaasticOidcUser is an OidcUser bound
- * to its corresponding Elaastic User
+ * Implementation note: This service overrides OidcUserService, and, as such, must return an OidcUser. The
+ * ElaasticOidcUser is an OidcUser bound to its corresponding Elaastic User
  *
  * @author John Tranier
  */
@@ -66,9 +66,10 @@ class ElaasticOidcUserService(
                 userLinkService.oidcProvider,
                 oidcUser.name
             )?.alsoThrowIf({ !(it.user hasRole role) }, RoleException::class.java) {
-                "ElaasticUser ${it.user.username} does not have the role $role but the OIDC user ${oidcUser.name} has it. " +
-                        "ElaasticUser ${it.user.username} has the roles ${it.user.roles.joinToString(", ") { role -> role.name }}"
-            }?.user ?: userLinkService.registerNewOidcUser(oidcUser, role)
+                createMessageRoleMismap(it, role, oidcUser)
+            }?.user?.let {
+                userLinkService.updateUserWithOidcUser(it, oidcUser)
+            } ?: userLinkService.registerNewOidcUser(oidcUser, role)
 
             return ElaasticOidcUser(oidcUser, user)
         } catch (e: RoleException) {
@@ -80,11 +81,18 @@ class ElaasticOidcUserService(
         }
     }
 
+    private fun createMessageRoleMismap(
+        it: UserLink,
+        role: RoleId,
+        oidcUser: OidcUser
+    ) = "ElaasticUser ${it.user.username} does not have the role $role but the OIDC user ${oidcUser.name} has it. " +
+            "ElaasticUser ${it.user.username} has the roles ${it.user.roles.joinToString(", ") { role -> role.name }}"
+
     /**
      * Get the role from the OIDC user
      *
-     * We search the role in the realm access of the OIDC user. The realm
-     * access is a map containing the roles of the user.
+     * We search the role in the realm access of the OIDC user. The realm access is a map containing the roles of the
+     * user.
      *
      * We expected a claims like this :
      * ```json
@@ -106,8 +114,7 @@ class ElaasticOidcUserService(
      *
      * @param oidcUser the OIDC user
      * @return the role of the OIDC user
-     * @throws IllegalStateException if there is not exactly one role in the
-     *    realm access and the role is unknown
+     * @throws IllegalStateException if there is not exactly one role in the realm access and the role is unknown
      * @see REALM_ACCESS_KEY
      * @see ROLES_KEY
      */

server/src/main/kotlin/org/elaastic/user/controller/UserAccountController.kt

@@ -20,12 +20,12 @@ package org.elaastic.user.controller
 
 
 import org.elaastic.common.onboarding.OnboardingChapter
-import org.elaastic.user.PrincipalUserResolver
-import org.elaastic.user.RoleService
-import org.elaastic.user.UserService
+import org.elaastic.user.*
 import org.elaastic.user.controller.command.PasswordData
 import org.elaastic.user.controller.command.UserData
 import org.elaastic.user.legal.TermsService
+import org.slf4j.Logger
+import org.slf4j.LoggerFactory
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.beans.factory.annotation.Value
 import org.springframework.context.MessageSource
@@ -34,41 +34,49 @@ import org.springframework.http.HttpStatus
 import org.springframework.security.core.Authentication
 import org.springframework.stereotype.Controller
 import org.springframework.ui.Model
+import org.springframework.ui.set
 import org.springframework.validation.BindingResult
 import org.springframework.web.bind.annotation.*
 import org.springframework.web.servlet.mvc.support.RedirectAttributes
 import java.util.*
-import java.util.logging.Logger
 import javax.servlet.http.HttpServletResponse
 import javax.validation.Valid
 
 
+private const val NOT_ALLOWED_TO_ANONYMOUS_USER = "Not allowed to anonymous user"
+
+private const val NOT_ALLOWED_TO_OIDC_USER =
+    "Oidc user cannot update his profile, use the OIDC provider console to do so."
+
 @Controller
 class UserAccountController(
-    @Value("\${elaastic.auth.check_user_email:true}")
-    val checkEmail: Boolean,
+    @Value("\${elaastic.auth.check_user_email:true}") val checkEmail: Boolean,
+    @Value("\${oauth2.client.provider.elaastic-keycloak.account-console-url}") private val accountConsoleURL: String,
     @Autowired val userService: UserService,
     @Autowired val roleService: RoleService,
     @Autowired val termsService: TermsService,
     @Autowired val messageSource: MessageSource
 ) {
 
-    val logger = Logger.getLogger(UserAccountController::javaClass.name)
+    private val logger: Logger = LoggerFactory.getLogger(this::class.java)
 
     @GetMapping("/register")
     fun showSubscribeForm(model: Model): String {
-        model.addAttribute("checkEmail", checkEmail)
+        model["checkEmail"] = checkEmail
         return "userAccount/showSubscribeForm"
     }
 
     @GetMapping("/userAccount/edit")
     fun edit(authentication: Authentication, model: Model): String {
         val user = (authentication.principal as PrincipalUserResolver).elaasticUser
-        if (user.isAnonymous()) throw IllegalStateException("Not allowed to anonymous user")
+        check(!user.isAnonymous()) { NOT_ALLOWED_TO_ANONYMOUS_USER }
 
         val userToUpdate = userService.get(user.id!!)!!
-        model.addAttribute("userData", UserData(userToUpdate, userHasGivenConsent = true))
-        model.addAttribute("user", userToUpdate)
+        model["userData"] = UserData(userToUpdate, userHasGivenConsent = true)
+        model["user"] = userToUpdate
+        model["source"] = userToUpdate.getSource()
+        model["accountConsoleURL"] = accountConsoleURL
+
         return "userAccount/edit"
     }
 
@@ -84,7 +92,9 @@ class UserAccountController(
         locale: Locale
     ): String {
         val authUser = (authentication.principal as PrincipalUserResolver).elaasticUser
-        if (authUser.isAnonymous()) throw IllegalStateException("Not allowed to anonymous user")
+        check(!authUser.isAnonymous()) { NOT_ALLOWED_TO_ANONYMOUS_USER }
+        check(authUser.getSource() != UserSource.OIDC) { NOT_ALLOWED_TO_OIDC_USER }
+
         if (!result.hasErrors()) {
             val updatedUser = userService.get(userData.id!!)!!
             userData.populateUser(updatedUser, roleService)
@@ -96,24 +106,31 @@ class UserAccountController(
         }
         return if (result.hasErrors()) {
             response.status = HttpStatus.BAD_REQUEST.value()
-            model.addAttribute("user", authUser)
-            model.addAttribute("userData", userData)
+            model["user"] = authUser
+            model["userData"] = userData
+            model["source"] = authUser.getSource()
+            model["accountConsoleURL"] = accountConsoleURL
+
             "/userAccount/edit"
         } else {
             redirectAttributes.addFlashAttribute("messageType", "success")
             messageSource.getMessage("useraccount.update.success", emptyArray(), locale).let {
                 redirectAttributes.addFlashAttribute("messageContent", it)
             }
+
             "redirect:/userAccount/edit"
         }
     }
 
     @GetMapping("/userAccount/editPassword")
     fun editPassword(authentication: Authentication, model: Model): String {
         val user = (authentication.principal as PrincipalUserResolver).elaasticUser
-        if (user.isAnonymous()) throw IllegalStateException("Not allowed to anonymous user")
-        model.addAttribute("passwordData", PasswordData(user))
-        model.addAttribute("user", user)
+        check(!user.isAnonymous()) { NOT_ALLOWED_TO_ANONYMOUS_USER }
+        check(user.getSource() != UserSource.OIDC) { NOT_ALLOWED_TO_OIDC_USER }
+
+        model["passwordData"] = PasswordData(user)
+        model["user"] = user
+
         return "userAccount/editPassword"
     }
 
@@ -128,7 +145,9 @@ class UserAccountController(
         locale: Locale
     ): String {
         val authUser = (authentication.principal as PrincipalUserResolver).elaasticUser
-        if (authUser.isAnonymous()) throw IllegalStateException("Not allowed to anonymous user")
+        check(!authUser.isAnonymous()) { NOT_ALLOWED_TO_ANONYMOUS_USER }
+        check(authUser.getSource() != UserSource.OIDC) { NOT_ALLOWED_TO_OIDC_USER }
+
         if (!result.hasErrors()) {
             val updatedUser = userService.get(authUser, passwordData.id!!)
             try {
@@ -141,13 +160,15 @@ class UserAccountController(
         }
         return if (result.hasErrors()) {
             response.status = HttpStatus.BAD_REQUEST.value()
-            model.addAttribute("user", authUser)
+            model["user"] = authUser
+
             "/userAccount/editPassword"
         } else {
             redirectAttributes.addFlashAttribute("messageType", "success")
             messageSource.getMessage("useraccount.update.success", emptyArray(), locale).let {
                 redirectAttributes.addFlashAttribute("messageContent", it)
             }
+
             "redirect:/userAccount/edit"
         }
     }
@@ -194,12 +215,12 @@ class UserAccountController(
     @GetMapping("/userAccount/unsubscribe")
     fun unsubscribe(authentication: Authentication, model: Model, locale: Locale): String {
         val authUser = (authentication.principal as PrincipalUserResolver).elaasticUser
-        if (authUser.isAnonymous()) throw IllegalStateException("Not allowed to anonymous user")
+        check(!authUser.isAnonymous()) { NOT_ALLOWED_TO_ANONYMOUS_USER }
 
-        model.addAttribute("user", authUser)
+        model["user"] = authUser
         messageSource.getMessage("UnsubscribtionWarning.user", emptyArray(), locale).let {
-            model.addAttribute("messageContent", it)
-            model.addAttribute("messageType", "error")
+            model["messageContent"] = it
+            model["messageType"] = "error"
         }
         return "userAccount/unsubscribe"
     }
@@ -210,19 +231,22 @@ class UserAccountController(
         redirectAttributes: RedirectAttributes,
         locale: Locale
     ): String {
+        val authUser = (authentication.principal as PrincipalUserResolver).elaasticUser
+
+        check(!authUser.isAnonymous()) { NOT_ALLOWED_TO_ANONYMOUS_USER }
+
+        userService.disableUser(authUser)
         messageSource.getMessage("useraccount.unsubscribe.success", emptyArray(), locale).let {
             redirectAttributes.addFlashAttribute("message", it)
         }
-        val authUser = (authentication.principal as PrincipalUserResolver).elaasticUser
-        if (authUser.isAnonymous()) throw IllegalStateException("Not allowed to anonymous user")
 
-        userService.disableUser(authUser)
         return "redirect:/logout"
     }
 
     @GetMapping("/terms")
     fun terms(model: Model, locale: Locale): String {
-        model.addAttribute("termsContent", termsService.getTermsContentByLanguage(locale.language))
+        model["termsContent"] = termsService.getTermsContentByLanguage(locale.language)
+
         return "terms/terms"
     }