jasper-121 add access request page with basic api to allow saving new…#457
jasper-121 add access request page with basic api to allow saving new…#457devinleighsmith merged 10 commits intomasterfrom
Conversation
|
Let me know if there is anything I missed - first pull request, tried to follow the checklist and what I've seen from PRs I've reviewed. |
|
will deal with conflict. |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
There was a problem hiding this comment.
We're in the process of deprecating vue-bootstrap-next in favor of Vuetify. All new FE components should use Vuetify
| </b-card> | ||
| </template> | ||
|
|
||
| <script lang="ts"> |
devinleighsmith
force-pushed
the
jasper-121
branch
from
1cc9a9d to
7a73312
Compare
|
I'm putting this in draft as I'm no longer seeing claims for first name, last name, or a guid coming back from keycloak. |
api/Controllers/UsersController.cs
Outdated
| [Route("request-access")] | ||
| public async Task<ActionResult> RequestAccess(string email) | ||
| { | ||
| var userIdentifier = User.Claims.FirstOrDefault(c => c.Type == "preferred_username")?.Value; |
There was a problem hiding this comment.
You will be able to utilize the extension methods in ClaimsPrincipalExtensions.cs. e.g. User.PreferredUsername()
api/Controllers/UsersController.cs
Outdated
| Guid.TryParse(userIdentifier?.Split("@").FirstOrDefault(), out userGuid); | ||
| var newUser = new UserDto() | ||
| { | ||
| FirstName = User.Claims.FirstOrDefault(c => c.Type == "given_name")?.Value, |
There was a problem hiding this comment.
Might better to use the code below to avoid hard coded strings.
| FirstName = User.Claims.FirstOrDefault(c => c.Type == "given_name")?.Value, | |
| FirstName = User.FindFirstValue(ClaimTypes.GivenName), | |
| LastName = User.FindFirstValue(ClaimTypes.Surname), |
api/Controllers/UsersController.cs
Outdated
| ADId = userGuid, | ||
| ADUsername = userIdentifier, | ||
| }; | ||
| var result = await base.Create(newUser); // Note: this handles validation and duplicate prevention. |
There was a problem hiding this comment.
Might be better to change the route to HttpPost because it creates a user?
devinleighsmith
force-pushed
the
jasper-121
branch
from
c8ed2cf to
3c214a8
Compare
| UserId = HttpContext.User.UserId(), | ||
| JudgeId = HttpContext.User.JudgeId(), | ||
| Email = HttpContext.User.Email(), | ||
| IsActive = HttpContext.User.IsActive(), |
There was a problem hiding this comment.
@ronaldo-macapobre I added the active flag here for now, but the issue I was having in testing with the current implementation is that changes to a user in the database are not reflected in these UserContext properties without a user being logged out or starting a new incognito session - we may want to rethink this flow if we want to, for example, disable a user and have their access revoked immediately.
There was a problem hiding this comment.
@devinleighsmith I see, we can force the user to logout or invalidate his session upon updating the access. That way the user is forced to relogin.
There was a problem hiding this comment.
@ronaldo-macapobre perhaps a check in the permissionhandler, if the active flag or the groupIds have changed? That logic needs to be in one of the handlers in my OP to catch when a change has been made in the db that isn't reflected in the current user's cached claims.
There was a problem hiding this comment.
Moving PR to draft to add this.
| return Task.CompletedTask; | ||
| } | ||
|
|
||
| if (!user.IsActive()) |
There was a problem hiding this comment.
@ronaldo-macapobre I added this here to correspond with my changes - however, in current state the session has to expire for updates to this property to change here - we may want to get the user from the db here instead.
… user access request. updates from SONAR recommendations. codeql, sonarqube updates. Includes Josh's requested changes. snapshot updates. remove debugging console logs. sanitize logged user email (codeQL). add snapshot serializer to avoid data-v component unique ids failing snapshot tests. correct pascal case warning. force snapshot render to wait for component to be finished rendering. wrap snapshot in wait in case difference caused by async logic. correct snapshot by running all tests not using test runner. updates based on Ronnie's changes. perform an update on an existing user, as we can assume the userId will already be in place. check for user based on userid instead of email. updates based on ronaldo's changes, updates existing user. snapshot correction. Correct potential null-pointer if user not found. jasper-121 final updates based on testing - ensure that active/inactive users are not redirected appropriately.
…udicial styling. correct build issue. add jasper png
devinleighsmith
force-pushed
the
jasper-121
branch
from
60a3813 to
ff003f5
Compare
devinleighsmith
force-pushed
the
jasper-121
branch
from
ff003f5 to
63a0a95
Compare
|
|
||
| public bool IsActive { get; set; } | ||
|
|
||
| public bool? IsPendingRegistration { get; set; } = false; |
There was a problem hiding this comment.
Do we really need this to be nullable because the same field in UserDto is not nullable.
| roles: string[]; | ||
| subRole: string; | ||
| isSupremeUser: string; | ||
| isPendingRegistration?: boolean; |
There was a problem hiding this comment.
Kindly update if this is no longer nullable.
web/src/utils/utils.ts
Outdated
| return _.isNumber(value) && value > 0; | ||
| }; | ||
|
|
||
| export class CustomAPIError<T> extends Error { |
There was a problem hiding this comment.
I wonder if this should be placed in the ApiResponse.ts instead?
… on. Check user for changes during authorization handler.
| var forwardedPort = HttpContext.Request.Headers["X-Forwarded-Port"]; | ||
|
|
||
| //We are always sending X-Forwarded-Port, only time we aren't is when we are hitting the API directly. | ||
| var baseUri = HttpContext.Request.Headers.ContainsKey("X-Forwarded-Host") ? $"{HttpContext.Request.Headers["X-Base-Href"]}logout" : "/api"; |
There was a problem hiding this comment.
This appears to have been copy/pasted from sheriff-scheduling, but doesn't work for us at the moment since we don't have a /logout page on the frontend.
There was a problem hiding this comment.
Yup. This came along when we forked the Supreme Court Viewer repo.
api/Controllers/UsersController.cs
Outdated
| /// Allows a new user without authorization to JASPER to request access to the application. | ||
| /// </summary> | ||
| /// <returns>The user resulting from the access request.</returns> | ||
| [Authorize(AuthenticationSchemes = "SiteMinder, OpenIdConnect", Policy = nameof(ProviderAuthorizationHandler))] |
There was a problem hiding this comment.
this is already present at the controller level.
| { | ||
| public static IServiceCollection AddScvAuthorization(this IServiceCollection services) | ||
| { | ||
| services.AddScoped<IUserService, UserService>(); |
There was a problem hiding this comment.
these need to be scoped, or race conditions may cause multiple, simultaneous requests to the user repository methods.
| var databaseUser = await _userService.GetByIdWithPermissionsAsync(userId); | ||
| if (databaseUser == null || context.User.HasChanged(databaseUser)) | ||
| { | ||
| context.Fail(new AuthorizationFailureReason(this, "User claims changed since last authentication.")); |
There was a problem hiding this comment.
AuthorizationHandlers are not supposed to handle redirects directly - so flag the authorizationRedirectMiddleware with a unique failure reason.
| if (result == null || !result.Any()) | ||
| { | ||
| this.Logger.LogInformation("User with email: {email} is not found", email); | ||
| this.Logger.LogInformation("User with email: {Email} is not found", email.Replace(Environment.NewLine, "")); |
Check warning
Code scanning / CodeQL
Exposure of private information Medium
| @@ -1,4 +1,6 @@ | |||
| using System; | |||
| using DocumentFormat.OpenXml.InkML; | |||
There was a problem hiding this comment.
do we really need this namespace?
|
4 participants
… user access request.
Pull Request for JIRA Ticket: ----121----
Issue ticket number and link
Include the JIRA ticket # and link here
https://jira.justice.gov.bc.ca/browse/JASPER-121
Description
Partial implementation of 121, handles case where user is new, has no roles, and does not exist in PCSS.
Fixes # (issue)
Type of change
Please delete options that are not relevant.
How Has This Been Tested?
Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration
Test using idir login with no user in mongoDB. Validate that the user is redirected to access request screen and that user is able to submit request.
Checklist:
Documentation References
Put any doc references here