User Management: Update User's registration

dang03 commented 7 years ago

User registration request must be updated in order to:

Return username and/or userId for a successful registration
In case of a userType: developer user, save its public key and certificate in attributes field
Enable user deletion from the User Management son-gtkusr API

dang03 commented 7 years ago

This feature is implemented, however more tests are required

jbonnet commented 7 years ago

@mzacharioudakis Please take these two fields into account when developing the user registration form:

public key
certificate

for developer users.

jbonnet commented 7 years ago

Hi @mzacharioudakis, @srodriguezOPT I've just merged PR #533 which implements

POST /api/v2/users/ for user creation;
POST /api/v2/sessions/ for user login (with username and password -- not secret)

Can you please try and let me know the results?

jbonnet commented 7 years ago

closed by #533

santiagordguez commented 7 years ago

Hi @jbonnet ,

User Registration POST http://sp.int.sonata-nfv.eu:32001/api/v2/users/ with { "username": "test1" , "password": "test2" , "first_name": "firstName", "last_name": "lastName", "email": "mail@mail.com", "phone_number": 654654654, "user_type": "customer"} returns 201, { "username": "test1", "uuid": null }
User login (once user registration done): POST http://sp.int.sonata-nfv.eu:32001/api/v2/sessions/ with { "username": "test1" , "password": "test2" } returns { "error": { "code": 401, "message": "Unauthorized: user test1 not authenticated" } }

jbonnet commented 7 years ago

Thanks a million, @srodriguezOPT Probably we need to wait for @dang03's opinion, but PR #534 improved logging a bit, could you try again both creation and login, please?

santiagordguez commented 7 years ago

@jbonnet: done, but same result

jbonnet commented 7 years ago

Thanks, @srodriguezOPT @dang03, help is needed here: when I do this on the command line: $ curl -X POST sp.int3.sonata-nfv.eu:5600/api/v1/register/user -d '{ "username": "test1" , "password": "test2" , "first_name": "firstName", "last_name": "lastName", "email": "mail@mail.com", "phone_number": 654654654, "user_type": "customer"}'

I'm getting this: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "{ "username": "test1" , "password": "test2" , "first_name": "firstName", "last_name": "lastName", "email": "mail@mail.com", "phone_number": 654654654, "user_type": "customer"}" (class org.keycloak.representations.idm.UserRepresentation), not marked as ignorable (24 known properties: "disableableCredentialTypes", "federatedIdentities", "enabled", "lastName", "emailVerified", "clientConsents", "self", "socialLinks", "applicationRoles", "createdTimestamp", "groups", "username", "attributes", "id", "firstName", "email", "federationLink", "serviceAccountClientId", "requiredActions", "origin", "realmRoles", "clientRoles", "totp", "credentials"]) at [Source: io.undertow.servlet.spec.ServletInputStreamImpl@5a132bc4; line: 1, column: 207] (through reference chain: org.keycloak.representations.idm.UserRepresentation["{ "username": "test1" , "password": "test2" , "first_name": "firstName", "last_name": "lastName", "email": "mail@mail.com", "phone_number": 654654654, "user_type": "customer"}"])

Can you help?

jbonnet commented 7 years ago

Also, @dang03, doing a login: $ curl http://sp.int3.sonata-nfv.eu:5600/api/v1/login/user -H 'Authentication:Basic VW5rbm93bjpOb25l' -X POST

nothing is returned... I was expecting the token to be returned, is that correct?

The same happens in the INT environment.

dang03 commented 7 years ago

@jbonnet, I'm testing your command, but somehow the API has broken so I will have to rebuild again :S What is happening here is, that the registration form you try to send to the UM is not valid for the Keycloak, for example, "first_name" should be named "firstName", "phone_number" does not exists as a valid field... What I see is that UM should parse and translate the form.

The login should work... testing

tsoenen commented 7 years ago

@dang03

Which fields are required in $ curl -X POST sp.int3.sonata-nfv.eu:5600/api/v1/register/user -d '{ "username": "test1" , "password": "test2" , "first_name": "firstName", "last_name": "lastName", "email": "mail@mail.com", "phone_number": 654654654, "user_type": "customer"}' ?

jbonnet commented 7 years ago

@tsoenen The API is validating only username, password, email and user_type. But then a translation is being made to the UM expected API (I had forgotten that, @dang03 , sorry)

jbonnet commented 7 years ago

@dang03 now with the correct JSON (I think...): $ curl -X POST sp.int.sonata-nfv.eu:5600/api/v1/register/user -d '{ "username": "test1" , "credentials":{"type":"password","value":"test2"}, "firstName": "firstName", "lastName": "lastName", "email": "mail@mail.com","attributes":{"phone_number":"654654654","userType":["customer"]}'

gives me {"error":""}

dang03 commented 7 years ago

Please let me check the logs and test it.

About the valid fields, @jbonnet is right, those are the minimum required fields, however if you add other fields they must be valid. @tsoenen check the documentation here to see some examples: https://github.com/sonata-nfv/son-gkeeper/wiki/GK-API---User-Management-Message-exchange I also suggest using JSON forms such the one in the integration tests: https://github.com/sonata-nfv/son-tests/blob/master/int-gtkusr-keycloak/resources/user_d_registration.json

dang03 commented 7 years ago

Hey @jbonnet @tsoenen, I have found some kind of bug in the Keycloak tool... If a send a malformed JSON object, then it breaks somehow, and starts to return 403 errors to any request, that's why you see {"error":""} I'm investigating how to solve this, but seems out of my scope, so my be suggestion is, let's send properly formed JSONs.

jbonnet commented 7 years ago

Ok, @dang03. Is the following JSON right? { "username": "test1" , "credentials":{"type":"password","value":"test2"}, "firstName": "firstName", "lastName": "lastName", "email": "mail@mail.com","attributes":{"phone_number":"654654654","userType":["customer"]}

dang03 commented 7 years ago

It should be like this (note 'credentials' and 'phone_numer' are a list): {"username": "test1" , "credentials":[{"type":"password","value":"test2"}], "firstName": "firstName", "lastName": "lastName", "email": "mail@mail.com", "attributes":{"phone_number":["654654654"],"userType":["customer"]} }

jbonnet commented 7 years ago

Ok, I'll force this in the API. @srodriguezOPT can you send the phone number as a string? It's JSON, it has to be a string, right?

dang03 commented 7 years ago

The phone number is not required to be a string, I have tested it and is OK

jbonnet commented 7 years ago

@dang03 I've tried: $ curl -X POST sp.int.sonata-nfv.eu:5600/api/v1/register/user -d '{ "username": "test1" ,"credentials":[{"type":"password","value":"test2"}], "firstName": "firstName", "lastName": "lastName", "email": "mail@mail.com","attributes":{"phone_number":["654654654"],"userType":["customer"]}'

still no success: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "{ "username": "test1" ,"credentials":[{"type":"password","value":"test2"}], "firstName": "firstName", "lastName": "lastName", "email": "mail@mail.com","attributes":{"phone_number":["654654654"],"userType":["customer"]}" (class org.keycloak.representations.idm.UserRepresentation), not marked as ignorable (24 known properties: "disableableCredentialTypes", "federatedIdentities", "enabled", "lastName", "emailVerified", "clientConsents", "self", "socialLinks", "applicationRoles", "createdTimestamp", "groups", "username", "attributes", "id", "firstName", "email", "federationLink", "serviceAccountClientId", "requiredActions", "origin", "realmRoles", "clientRoles", "totp", "credentials"]) at [Source: io.undertow.servlet.spec.ServletInputStreamImpl@a3a4a42; line: 1, column: 260] (through reference chain: org.keycloak.representations.idm.UserRepresentation["{ "username": "test1" ,"credentials":[{"type":"password","value":"test2"}], "firstName": "firstName", "lastName": "lastName", "email": "mail@mail.com","attributes":{"phone_number":["654654654"],"userType":["customer"]}"])

dang03 commented 7 years ago

To be even more sure about doing a proper registration request, send it with header as JSON content: curl -X POST -H "Content-Type: application/json" -d '{"username": "test4" , "credentials":[{"type":"password","value":"test2"}], "firstName": "firstName", "lastName": "lastName", "email": "mail4@mail.com", "attributes":{"phone_number":[654654654],"userType":["customer"]} }' "http://sp.int3.sonata-nfv.eu:5600/api/v1/register/user"

This works well

jbonnet commented 7 years ago

@dang03 You have to tell me about your magic trick: $ curl -X POST sp.int.sonata-nfv.eu:5600/api/v1/register/user -d '{ "username": "test1" ,"credentials":[{"type":"password","value":"test2"}], "firstName": "firstName", "lastName": "lastName", "email": "mail@mail.com","attributes":{"phone_number":["654654654"],"userType":["customer"]}' -H "Content-Type: application/json"

gave me "743: unexpected token at '{ \"username\": \"test1\" ,\"credentials\":[{\"type\":\"password\",\"value\":\"test2\"}], \"firstName\": \"firstName\", \"lastName\": \"lastName\", \"email\": \"mail@mail.com\",\"attributes\":{\"phone_number\":[\"654654654\"],\"userType\":[\"customer\"]}'\n"

Copied yours, but there's that bug, right? $ curl -X POST -H "Content-Type: application/json" -d '{"username": "test4" , "credentials":[{"type":"password","value":"test2"}], "firstName": "firstName", "lastName": "lastName", "email": "mail4@mail.com", "attributes":{"phone_number":[654654654],"userType":["customer"]} }' "http://sp.int3.sonata-nfv.eu:5600/api/v1/register/user"

gave {"error":""}

What do you see in the logs?

dang03 commented 7 years ago

Good morning @jbonnet, This works correctly: resp=$(curl -X POST -H "Content-Type: application/json" -d '{"username": "test4", "credentials":[{"type":"password","value":"test2"}], "firstName": "firstName", "lastName": "lastName", "email": "mail4@mail.com", "attributes":{"phone_number":[654654654],"userType":["customer"]}}' "http://sp.int3.sonata-nfv.eu:5600/api/v1/register/user") echo $resp > {"username":"test4","userId":"300a3a16-d305-41a1-96fd-480fb289fd1a"} When you see {"error":""}, it probably means that Keycloak has broken and it needs to be rebuilt (int-18-gtkusr-keycloak) I'm going to implement some changes in order to avoid this bug, seems that x-www-form-urlencoded requests cause this.

jbonnet commented 7 years ago

Indeed, @dang03, I can confirm that! 👍 Let's hope that fix works and let's build on top of this little success! And let's learn: Keycloack seems to be way too complex for what we need...

dang03 commented 7 years ago

Git User Management wiki has been updated: https://github.com/sonata-nfv/son-gkeeper/wiki/GK-API---User-Management-Message-exchange
GET, PUT and DELETE methods are implemented for users. They have been correctly tested and are ready to work. Details about messages and request are found in the wiki.

This issue can now be closed, as the 3 main goals have been achieved:

Return username and/or userId for a successful registration
If userType: developer, then a user can save its public_key and certificate in attributes field
Enable user deletion from the User Management son-gtkusr API

jbonnet commented 7 years ago

Hey, @dang03, @mzacharioudakis This feature s needed to update the user data in the GUI, right? Can you give me an idea of which priority it has? I'm giving it a low priority for the moment... Thanks,

dang03 commented 7 years ago

Hi @jbonnet, @mzacharioudakis

From the GUI point of view, I can't say which is the priority for the update feature. It is already there in the User Management. But in the SDK side, we need a GK API to update user's public key in the User Management database. Let me explain, UM exposes two different APIs:

Update user data PUT /api/v1/users?username="username" /api/v1/users?id="id"
Update user's Public key and/or certificate PUT /api/v1/signatures/:username

The second is a dedicated API responsible for updating user's key and certificate in the UM database (the first API can also do that). For the package signing feature in the SDK, this API is needed from the GK API.

jbonnet commented 7 years ago

Ok, @dang03 What should be the body of PUT /api/v1/signatures/:username, something like {"public_key":"..."}?

dang03 commented 7 years ago

@jbonnet, yes, exactly, these are the details:

HTTP method: PUT
Authentication header includes the user's Access Token
Parameter: username
Body: JSON object that includes public_key field (required) and certificate field (optional). Sample:

{"public_key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArVFiBHBiLPFRGrMobAxcK98SJRKKXJOkA66NL0UEgR7g8hOjVySchYUvtGAU5wi2ZCjmPGDT0hrJd1WEBplv0kT7YrIgdRGXGH73OJFjH8c7iX+XBwk0sH1K+KMUbszSbWFCKAlyHhYa8vz95RyzmzoMJZW6TeadlhRLuVw52RECaK9eIJu311oFA8os3z8J65olLexT0vF+B9Oqtn1gVJUfC0w984PXwMoGzSOVCbb5jD0/blAXonMS8PU+JFSGF4trTwRcmjw349NDEifUQamdHE8pynuxSpAuMN2WAPAlJpjnw/fHUxQFgRNGki6vHmegnQ6qmcbuorVW3oXkMwIDAQAB", "certificate": "optional"}

User Management response: 200, OK

jbonnet commented 7 years ago

...and 400for errors? Or something more detailed (invalid public key? missing public key? unknown user name?)?

jbonnet commented 7 years ago

@dang03 Can the SDK (son-access?) use the following API (note the PATCH verb, not PUT)? PATCH .../api/v2/users/:username, with a body as given above ({"public_key": "MIIBIjANBgk..."})? This will reach the UM as you've specified, PUT /api/v1/signatures/:username

dang03 commented 7 years ago

@jbonnet Yes, it mostly returns error codes 400 with a specific message in JSON format.

I'm testing the son-access right now so I'll try it :)

jbonnet commented 7 years ago

Closed by PR #760

sonata-nfv / son-gkeeper

User Management: Update User's registration #491