Add auth service config setting for user's default time zone (#24381)

* Add auth service config setting for user's default time zone

The authentication backends for Active Directory, LDAP, OIDC, Okta, and SAML
previously set the time zone for +newly synchronized users to the value of
the `root_timezone` config file setting. ("UTC" by default)

This change introduces a configurable "default user time zone" setting for
all authentication backends. The default value is unset, meaning that the
browser's time zone will be used by default.

Other changes:

- Adjust the notification text for AD/LDAP configurations to reflect
  reality. Default roles are only set for new users, not on login.
- Add note to UPGRADING.md

* Add changelog entry

* Remove unneeded default-user-timezone-select class

* Show "Browser's time zone" when no zone is selected

Author: bernd

UPGRADING.md

@@ -1,12 +1,20 @@
 Upgrading to Graylog 7.1.x
 ==========================
 
+## User Session Termination
+
 All user sessions will be terminated when upgrading because the internal storage format for sessions has been changed.
 Users will have to log in again.
 
 ## Breaking Changes
 
-tbd
+### External Authentication Services: Changed Default User Time Zone
+
+The authentication backends for Active Directory, LDAP, OIDC, Okta, and SAML previously set the time zone for
+newly synchronized users to the value of the `root_timezone` config file setting. ("UTC" by default)
+
+Graylog 7.1 introduces a configurable "default user time zone" setting for all authentication backends.
+The default value is unset, meaning that the browser's time zone will be used by default.
 
 ## Configuration File Changes
 

changelog/unreleased/pr-24381.toml

@@ -0,0 +1,4 @@
+type = "c"
+message = "Add auth service config setting for user's default time zone. (see upgrade notes)"
+
+pulls = ["24381", "graylog-plugin-enterprise#12641"]

graylog2-server/src/main/java/org/graylog/security/authservice/AuthServiceBackendDTO.java

@@ -29,7 +29,9 @@
 import org.mongojack.ObjectId;
 
 import javax.annotation.Nullable;
+import java.time.ZoneId;
 import java.util.Collections;
+import java.util.Optional;
 import java.util.Set;
 
 import static org.apache.commons.lang3.StringUtils.isBlank;
@@ -42,6 +44,7 @@ public abstract class AuthServiceBackendDTO implements BuildableMongoEntity<Auth
     public static final String FIELD_TITLE = "title";
     public static final String FIELD_DESCRIPTION = "description";
     private static final String FIELD_DEFAULT_ROLES = "default_roles";
+    private static final String FIELD_DEFAULT_USER_TIMEZONE = "default_user_timezone";
     private static final String FIELD_CONFIG = "config";
 
     @Id
@@ -59,6 +62,9 @@ public abstract class AuthServiceBackendDTO implements BuildableMongoEntity<Auth
     @JsonProperty(FIELD_DEFAULT_ROLES)
     public abstract Set<String> defaultRoles();
 
+    @JsonProperty(FIELD_DEFAULT_USER_TIMEZONE)
+    public abstract Optional<ZoneId> defaultUserTimezone();
+
     @NotNull
     @JsonProperty(FIELD_CONFIG)
     public abstract AuthServiceBackendConfig config();
@@ -96,7 +102,8 @@ public abstract static class Builder implements BuildableMongoEntity.Builder<Aut
         public static Builder create() {
             return new AutoValue_AuthServiceBackendDTO.Builder()
                     .description("")
-                    .defaultRoles(Collections.emptySet());
+                    .defaultRoles(Collections.emptySet())
+                    .defaultUserTimezone(null);
         }
 
         @Id
@@ -113,6 +120,9 @@ public static Builder create() {
         @JsonProperty(FIELD_DEFAULT_ROLES)
         public abstract Builder defaultRoles(Set<String> defaultRoles);
 
+        @JsonProperty(FIELD_DEFAULT_USER_TIMEZONE)
+        public abstract Builder defaultUserTimezone(@Nullable ZoneId defaultUserTimezone);
+
         @JsonProperty(FIELD_CONFIG)
         public abstract Builder config(AuthServiceBackendConfig config);
 

graylog2-server/src/main/java/org/graylog/security/authservice/ProvisionerService.java

@@ -16,6 +16,7 @@
  */
 package org.graylog.security.authservice;
 
+import jakarta.inject.Inject;
 import org.graylog2.plugin.database.ValidationException;
 import org.graylog2.plugin.database.users.User;
 import org.graylog2.shared.users.UserService;
@@ -25,25 +26,19 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import jakarta.inject.Inject;
-import jakarta.inject.Named;
-
 import java.util.Collections;
 import java.util.Map;
 
 public class ProvisionerService {
     private static final Logger LOG = LoggerFactory.getLogger(ProvisionerService.class);
 
     private final UserService userService;
-    private final DateTimeZone rootTimeZone;
     private final Map<String, ProvisionerAction.Factory<? extends ProvisionerAction>> provisionerActionFactories;
 
     @Inject
     public ProvisionerService(UserService userService,
-                              @Named("root_timezone") DateTimeZone rootTimeZone,
                               Map<String, ProvisionerAction.Factory<? extends ProvisionerAction>> provisionerActionFactories) {
         this.userService = userService;
-        this.rootTimeZone = rootTimeZone;
         this.provisionerActionFactories = provisionerActionFactories;
     }
 
@@ -142,8 +137,10 @@ private User createUser(UserDetails userDetails) {
         // Set fields there that should not be overridden by the authentication service provisioning
         user.setRoleIds(userDetails.defaultRoles());
         user.setPermissions(Collections.emptyList());
-        // TODO: Does the timezone need to be configurable per auth service backend?
-        user.setTimeZone(rootTimeZone);
+        // Default to null for the user's time zone so the UI will use the browser's time zone by default.
+        user.setTimeZone(userDetails.timezone()
+                .map(zoneId -> DateTimeZone.forID(zoneId.getId()))
+                .orElse(null));
         // TODO: Does the session timeout need to be configurable per auth service backend?
         user.setSessionTimeoutMs(UserConfiguration.DEFAULT_VALUES.globalSessionTimeoutInterval().toMillis());
 

graylog2-server/src/main/java/org/graylog/security/authservice/UserDetails.java

@@ -20,6 +20,7 @@
 import com.google.common.collect.ImmutableSet;
 
 import javax.annotation.Nullable;
+import java.time.ZoneId;
 import java.util.Optional;
 import java.util.Set;
 
@@ -46,6 +47,8 @@ public abstract class UserDetails {
 
     public abstract Optional<String> lastName();
 
+    public abstract Optional<ZoneId> timezone();
+
     /**
      * Some authentication backends only currently support the fullName attribute (and not firstName and lastName),
      * so it is still optionally available here. Prefer use of only firstName and lastName when available.
@@ -98,6 +101,8 @@ public static Builder create() {
 
         public abstract Builder lastName(@Nullable String lastName);
 
+        public abstract Builder timezone(@Nullable ZoneId timezone);
+
         /**
          * Starting in Graylog 4.1, use of this method is deprecated.
          * Prefer use of the {@link #firstName()} and {@link #lastName()} methods instead when possible. This way,
@@ -119,7 +124,7 @@ public UserDetails build() {
 
             // Either a fullName, or a firstName/lastName are required.
             final boolean missingFirstOrLast = !userDetails.firstName().isPresent()
-                                               || !userDetails.lastName().isPresent();
+                    || !userDetails.lastName().isPresent();
 
             if (missingFirstOrLast && !userDetails.fullName().isPresent()) {
                 throw new IllegalArgumentException("Either a firstName/lastName or a fullName are required.");

graylog2-server/src/main/java/org/graylog/security/authservice/backend/ADAuthServiceBackend.java

@@ -22,6 +22,7 @@
 import com.unboundid.ldap.sdk.Filter;
 import com.unboundid.ldap.sdk.LDAPConnection;
 import com.unboundid.ldap.sdk.LDAPException;
+import jakarta.inject.Inject;
 import org.graylog.security.authservice.AuthServiceBackend;
 import org.graylog.security.authservice.AuthServiceBackendDTO;
 import org.graylog.security.authservice.AuthServiceCredentials;
@@ -39,9 +40,6 @@
 import org.slf4j.LoggerFactory;
 
 import javax.annotation.Nullable;
-
-import jakarta.inject.Inject;
-
 import java.security.GeneralSecurityException;
 import java.util.Arrays;
 import java.util.Collections;
@@ -122,6 +120,7 @@ public Optional<AuthenticationDetails> authenticateAndProvision(AuthServiceCrede
                     .fullName(userEntry.fullName())
                     .email(userEntry.email())
                     .defaultRoles(backend.defaultRoles())
+                    .timezone(backend.defaultUserTimezone().orElse(null))
                     .build());
 
             return Optional.of(AuthenticationDetails.builder().userDetails(userDetails).build());

graylog2-server/src/main/java/org/graylog/security/authservice/backend/LDAPAuthServiceBackend.java

@@ -21,6 +21,7 @@
 import com.google.inject.assistedinject.Assisted;
 import com.unboundid.ldap.sdk.LDAPConnection;
 import com.unboundid.ldap.sdk.LDAPException;
+import jakarta.inject.Inject;
 import org.graylog.security.authservice.AuthServiceBackend;
 import org.graylog.security.authservice.AuthServiceBackendDTO;
 import org.graylog.security.authservice.AuthServiceCredentials;
@@ -38,9 +39,6 @@
 import org.slf4j.LoggerFactory;
 
 import javax.annotation.Nullable;
-
-import jakarta.inject.Inject;
-
 import java.security.GeneralSecurityException;
 import java.util.Collections;
 import java.util.HashMap;
@@ -102,6 +100,7 @@ public Optional<AuthenticationDetails> authenticateAndProvision(AuthServiceCrede
                     .fullName(userEntry.fullName())
                     .email(userEntry.email())
                     .defaultRoles(backend.defaultRoles())
+                    .timezone(backend.defaultUserTimezone().orElse(null))
                     .build());
 
             return Optional.of(AuthenticationDetails.builder().userDetails(userDetails).build());

graylog2-server/src/test/java/org/graylog/security/authservice/ProvisionerServiceTest.java

@@ -35,6 +35,7 @@
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.ArgumentMatchers.isA;
+import static org.mockito.ArgumentMatchers.isNull;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
@@ -64,7 +65,7 @@ public class ProvisionerServiceTest {
 
     @BeforeEach
     public void setUp() throws Exception {
-        provisionerService = new ProvisionerService(userService, DateTimeZone.UTC, new HashMap<>());
+        provisionerService = new ProvisionerService(userService, new HashMap<>());
     }
 
     @Test
@@ -90,6 +91,7 @@ public void testFirstLastNameOnlySuccess() throws ValidationException {
         provisionerService.provision(userDetails);
         verify(userService, times(1)).save(isA(User.class));
         verify(user, times(1)).setFirstLastFullNames(eq(FIRST_NAME), eq(LAST_NAME));
+        verify(user, times(1)).setTimeZone((DateTimeZone) isNull());
     }
 
     @Test
@@ -114,5 +116,6 @@ public void testFullNameOnlySuccess() throws ValidationException {
         provisionerService.provision(userDetails);
         verify(userService, times(1)).save(isA(User.class));
         verify(user, times(1)).setFullName(FULL_NAME);
+        verify(user, times(1)).setTimeZone((DateTimeZone) isNull());
     }
 }

graylog2-web-interface/src/components/authentication/directoryServices/BackendConfigDetails/UserSyncSection.tsx

@@ -49,7 +49,7 @@ const UserSyncSection = ({ authenticationBackend, roles, excludedFields = {} }:
     userUniqueIdAttribute,
     emailAttributes,
   } = authenticationBackend.config;
-  const { defaultRoles = Immutable.List() } = authenticationBackend;
+  const { defaultRoles = Immutable.List(), defaultUserTimezone } = authenticationBackend;
 
   return (
     <SectionComponent
@@ -66,6 +66,7 @@ const UserSyncSection = ({ authenticationBackend, roles, excludedFields = {} }:
         <ReadOnlyFormGroup label="ID Attribute" value={userUniqueIdAttribute} />
       )}
       <ReadOnlyFormGroup label="Default Roles" value={rolesList(defaultRoles, roles)} />
+      <ReadOnlyFormGroup label="Default User Time Zone" value={defaultUserTimezone || "Browser's time zone"} />
     </SectionComponent>
   );
 };

graylog2-web-interface/src/components/authentication/directoryServices/BackendWizard/BackendWizard.tsx

@@ -115,6 +115,7 @@ const _prepareSubmitPayload =
     const formValues = overrideFormValues ?? getUpdatedFormsValues();
     const {
       defaultRoles = '',
+      defaultUserTimezone,
       description,
       serverHost,
       serverPort,
@@ -136,6 +137,7 @@ const _prepareSubmitPayload =
       title,
       description,
       default_roles: defaultRoles.split(','),
+      default_user_timezone: defaultUserTimezone,
       config: {
         servers: [{ host: serverHost, port: serverPort }],
         system_user_dn: systemUserDn,