Merge pull request #253 from Engineering-Research-and-Development/develop

Develop

Author: marest94

CHANGELOG.md

@@ -1,6 +1,12 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## [1.14.7] - 2024-01-19
+
+### Added
+
+ - Simple user management
+
 ## [1.14.6] - 2023-11-16
 
 ### Changed

ci/docker/be-dataapp_resources/users.properties

@@ -0,0 +1,8 @@
+# List of users
+users.list=idsUser,bob
+
+# Credentials for each user
+# encoded - password
+idsUser.password=$2a$10$MQ5grDaIqDpBjMlG78PFduv.AMRe9cs0CNm/V4cgUubrqdGTFCH3m
+# encoded - passwordBob
+bob.password=$2a$12$8ngZQYUF9pATTwNRmLiYeu6XGlLd79eb4FIgr5ezzuAA6tGLxuAyy

ci/docker/ecc_resources_consumer/application-docker.properties

@@ -155,10 +155,6 @@ application.usageControlVersion=platoon
 application.technicalHeaders=header,Is-Enabled-DataApp-WebSocket,payload,Forward-To,Payload-Content-Type,Host
 
 #SelfDescription
-#API management credentials
-application.user.api.username=apiUser
-# 'password' encoded value
-application.user.api.password=$2a$10$MQ5grDaIqDpBjMlG78PFduv.AMRe9cs0CNm/V4cgUubrqdGTFCH3m
 #number of consecutive failed attempts
 application.user.lock.maxattempts=5
 # duration for how long user will be locked

ci/docker/ecc_resources_consumer/users.properties

@@ -0,0 +1,8 @@
+# List of users
+users.list=apiUser,alice
+
+# Credentials for each user
+# encoded - password
+apiUser.password=$2a$10$MQ5grDaIqDpBjMlG78PFduv.AMRe9cs0CNm/V4cgUubrqdGTFCH3m
+# encoded - passwordAlice
+alice.password=$2a$12$xeiemEk5ycerfxq7440ieeTUmZ3EK65hwXwM.NQu.1Y29xbpOMVyq

ci/docker/ecc_resources_provider/application-docker.properties

@@ -158,10 +158,6 @@ application.usageControlVersion=platoon
 application.technicalHeaders=header,Is-Enabled-DataApp-WebSocket,payload,Forward-To,Payload-Content-Type,Host
 
 #SelfDescription
-#API management credentials
-application.user.api.username=apiUser
-# 'password' encoded value
-application.user.api.password=$2a$10$MQ5grDaIqDpBjMlG78PFduv.AMRe9cs0CNm/V4cgUubrqdGTFCH3m
 #number of consecutive failed attempts
 application.user.lock.maxattempts=5
 # duration for how long user will be locked

ci/docker/ecc_resources_provider/users.properties

@@ -0,0 +1,8 @@
+# List of users
+users.list=apiUser,alice
+
+# Credentials for each user
+# encoded - password
+apiUser.password=$2a$10$MQ5grDaIqDpBjMlG78PFduv.AMRe9cs0CNm/V4cgUubrqdGTFCH3m
+# encoded - passwordAlice
+alice.password=$2a$12$xeiemEk5ycerfxq7440ieeTUmZ3EK65hwXwM.NQu.1Y29xbpOMVyq

doc/AUDIT.md

@@ -10,6 +10,8 @@ TRUE Connector has list of audit events which can be found in following table:
 |HTTP_REQUEST_RECEIVED | Http request received |
 |USER_AUTHORIZATION_FAILURE | Authorization failure |
 |USER_AUTHORIZATION_SUCCESS | Authorization success |
+|USER_AUTHENTICATION_FAILURE | Authentication failure |
+|USER_AUTHENTICATION_SUCCESS | Authentication success |
 |USER_BLOCKED | User blocked |
 |SELF_DESCRIPTION | Self description requested |
 |CONTRACT_OFFER | Contract offer requested |

doc/SELF_DESCRIPTION.md

@@ -46,13 +46,33 @@ All endpoints after /api/** are protected and you will have to provide credentia
 
 ![Basic Auth](basic_auth.jpg?raw=true "Basic Authorization for api endpoints")
 
-Credentials are located in property file, and for now, there is only one user:
 
+For storing user credentials, simple in memory user storage solution is implemented, and all user credentials can be found in `users.properties` file.
+
+
+```
+# List of users
+users.list=apiUser,alice
+
+# Credentials for each user
+# encoded - password
+apiUser.password=$2a$10$MQ5grDaIqDpBjMlG78PFduv.AMRe9cs0CNm/V4cgUubrqdGTFCH3m
+# encoded - passwordAlice
+alice.password=$2a$12$xeiemEk5ycerfxq7440ieeTUmZ3EK65hwXwM.NQu.1Y29xbpOMVyq
 ```
-application.user.api.username=apiUser
-application.user.api.password=encoded_password
+
+
+In the example, the property `user.list` is a list with each item separated by a comma (,) without space. You need to enter all the users you want and then give each one a specific password, which must be BCrypt encoded. Getting password can be done via following endpoint:
 
 ```
+/notification/password/{new_password}
+```
+
+Using this endpoint, it is guaranteed that the password strength rules configured in the `application.properties` file will be enforced.
+
+Bare in mind that this endpoint is password protected, and you will have to provide existing credentials in order for TRUE Connector to generate new hash that matches with the value passed in URL, so the general advice is to keep `apiUser` as a kind of administrator account. Once new hash is returned, you can modify properties file and set new password for specific user.
+
+
 
 There is also mechanism to lock user after configured number of consecutive failed attempts from same IP address. Following functionality can be configured by changing:
 

src/main/java/it/eng/idsa/businesslogic/audit/TrueConnectorEvent.java

@@ -14,92 +14,111 @@
 import it.eng.idsa.multipart.domain.MultipartMessage;
 
 public class TrueConnectorEvent extends AuditApplicationEvent {
-	
+
 	private static final long serialVersionUID = -87655024649097585L;
-	
+
 	private static final String IDS_USER = "idsUser";
 
 	public TrueConnectorEvent(String principal, TrueConnectorEventType type, MultipartMessage multipartMessage) {
 		super(principal, type.name(), detailsMultipartMessage(multipartMessage, null));
 	}
-	
+
 	/**
 	 * Uses default principal - connector
-	 * @param type TrueConnectorEventType
+	 * 
+	 * @param type             TrueConnectorEventType
 	 * @param multipartMessage - logs information from multipartMessage to event
 	 */
 	public TrueConnectorEvent(TrueConnectorEventType type, MultipartMessage multipartMessage) {
 		super(IDS_USER, type.name(), detailsMultipartMessage(multipartMessage, null));
 	}
-	
+
 	/**
 	 * TrueConnector event with correlationId
-	 * @param type TrueConnectorEventType
+	 * 
+	 * @param type             TrueConnectorEventType
 	 * @param multipartMessage - logs information from multipartMessage to event
-	 * @param correlationId correlation Id
+	 * @param correlationId    correlation Id
 	 */
 	public TrueConnectorEvent(TrueConnectorEventType type, MultipartMessage multipartMessage, String correlationId) {
 		super(IDS_USER, type.name(), detailsMultipartMessage(multipartMessage, correlationId));
 	}
-	
+
 	/**
 	 * Default TrueConnector event
+	 * 
 	 * @param principal Principal of the user
-	 * @param type TrueConnectorEventType
-	 * @param data Data for logging
+	 * @param type      TrueConnectorEventType
+	 * @param data      Data for logging
 	 */
 	public TrueConnectorEvent(String principal, TrueConnectorEventType type, Map<String, Object> data) {
 		super(principal, type.name(), data);
 	}
-	
+
+	/**
+	 * TrueConnectorEvent with request and type\n
+	 * 
+	 * @param request   Http Request
+	 * @param principal Principal of the user
+	 * @param type      TrueConnectorEventType
+	 */
+	public TrueConnectorEvent(HttpServletRequest request, String principal, TrueConnectorEventType type) {
+		super(principal, type.name(), details(request, null, null));
+	}
+
 	/**
 	 * TrueConnectorEvent with request and type\n
+	 * 
 	 * @param request Http Request
-	 * @param type TrueConnectorEventType
+	 * @param type    TrueConnectorEventType
 	 */
 	public TrueConnectorEvent(HttpServletRequest request, TrueConnectorEventType type) {
 		super(principal(request), type.name(), details(request, null, null));
 	}
-	
+
 	/**
 	 * TrueConnectorEvent with request, type and correlationId
-	 * @param request Http Request
-	 * @param type TrueConnectorEventType
+	 * 
+	 * @param request       Http Request
+	 * @param type          TrueConnectorEventType
 	 * @param correlationId correlation id
 	 */
 	public TrueConnectorEvent(HttpServletRequest request, TrueConnectorEventType type, String correlationId) {
 		super(principal(request), type.name(), details(request, correlationId, null));
 	}
-	
+
 	/**
 	 * TrueConnectorEvent with request, type, correlationId and payload
-	 * @param request HTTP request
-	 * @param type TrueConnectorEventType
+	 * 
+	 * @param request       HTTP request
+	 * @param type          TrueConnectorEventType
 	 * @param correlationId correlationId for tracking request
-	 * @param payload payload of the request
+	 * @param payload       payload of the request
 	 */
-	public TrueConnectorEvent(HttpServletRequest request, TrueConnectorEventType type, String correlationId, String payload) {
+	public TrueConnectorEvent(HttpServletRequest request, TrueConnectorEventType type, String correlationId,
+			String payload) {
 		super(principal(request), type.name(), details(request, correlationId, payload));
 	}
 
 	private static String principal(HttpServletRequest request) {
 		return Optional.ofNullable(request.getUserPrincipal()).map(Principal::getName).orElse("anonymousUser");
 	}
-	
-	private static Map<String, Object> detailsMultipartMessage(MultipartMessage multipartMessage, String correlationId) {
+
+	private static Map<String, Object> detailsMultipartMessage(MultipartMessage multipartMessage,
+			String correlationId) {
 		Map<String, Object> details = new HashMap<>();
 		details.put("http.method", HttpMethod.POST);
 		if (correlationId != null) {
 			details.put("correlationId", correlationId);
 		}
-		if(multipartMessage != null) {
+		if (multipartMessage != null) {
 			details.put("http.message", multipartMessage.getHeaderContent().getClass().getCanonicalName());
 		} else {
 			details.put("http.message", "NO MESSAGE");
 		}
 		return details;
 	}
-	
+
 	private static Map<String, Object> details(HttpServletRequest request, String correlationId, String payload) {
 		Map<String, Object> details = new HashMap<>();
 		details.put("http.method", request.getMethod());
@@ -108,7 +127,7 @@ private static Map<String, Object> details(HttpServletRequest request, String co
 		if (correlationId != null) {
 			details.put("correlationId", correlationId);
 		}
-		
+
 		if (payload != null) {
 			details.put("payload", payload);
 		}
@@ -121,7 +140,7 @@ private static Map<String, String> getHeadersInfo(HttpServletRequest request) {
 		while (headerNames.hasMoreElements()) {
 			String key = (String) headerNames.nextElement();
 			String value = request.getHeader(key);
-			if(key.equalsIgnoreCase("Authorization")) {
+			if (key.equalsIgnoreCase("Authorization")) {
 				value = "******";
 			}
 			map.put(key, value);

src/main/java/it/eng/idsa/businesslogic/audit/TrueConnectorEventType.java

@@ -6,6 +6,8 @@ public enum TrueConnectorEventType {
 	HTTP_REQUEST_RECEIVED("Http request received"),
 	USER_AUTHORIZATION_FAILURE("Authorization failure"),
 	USER_AUTHORIZATION_SUCCESS("Authorization success"),
+	USER_AUTHENTICATION_FAILURE("Authentication failure"),
+	USER_AUTHENTICATION_SUCCESS("Authentication success"),
 	USER_BLOCKED("User blocked"),
 	SELF_DESCRIPTION("Self description requested"),
 	CONTRACT_OFFER("Contract offer requested"),