Merge pull request #543 from Heigvd/mikk-signUp

Terms of service and data policy

Author: SandraMonnier

client-generator-model/src/main/java/ch/colabproject/colab/generator/model/annotations/ConsentNotRequired.java

@@ -0,0 +1,26 @@
+/*
+ * The coLAB project
+ * Copyright (C) 2021-2023 AlbaSim, MEI, HEIG-VD, HES-SO
+ *
+ * Licensed under the MIT License
+ */
+package ch.colabproject.colab.generator.model.annotations;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+/**
+ * Depict REST classes or methods which are available when user consent is not required.
+ * <p>
+ * If a class is annotated, all methods are impacted
+ *
+ *
+ * @author mikkelvestergaard
+ */
+@Target({ElementType.METHOD})
+@Retention(RetentionPolicy.RUNTIME)
+public @interface ConsentNotRequired {
+
+}

colab-api/src/main/java/ch/colabproject/colab/api/controller/user/UserManager.java

@@ -317,6 +317,7 @@ public User signup(SignUpInfo signup) {
                 user.setFirstname(signup.getFirstname());
                 user.setLastname(signup.getLastname());
                 user.setAffiliation(signup.getAffiliation());
+                user.setAgreedTime(OffsetDateTime.now());
 
                 validationManager.assertValid(user);
                 validationManager.assertValid(account);
@@ -671,6 +672,17 @@ public void setLocalAccountAsVerified(LocalAccount account) {
         account.setVerified(Boolean.TRUE);
     }
 
+    /**
+     * Update the user agreedTime to now
+     *
+     * @param userId id of the user to update
+     */
+    public void updateUserAgreedTime(Long userId) {
+        User user = assertAndGetUser(userId);
+        OffsetDateTime now = OffsetDateTime.now();
+        user.setAgreedTime(now);
+    }
+
     /**
      * Get all session linked to the current user
      *

colab-api/src/main/java/ch/colabproject/colab/api/model/user/User.java

@@ -104,6 +104,13 @@ public class User implements ColabEntity, WithWebsocketChannels {
     @JsonbTypeSerializer(DateSerDe.class)
     private OffsetDateTime activityDate = null;
 
+    /**
+     * persisted terms and data policy agreement time
+     */
+    @JsonbTypeDeserializer(DateSerDe.class)
+    @JsonbTypeSerializer(DateSerDe.class)
+    private OffsetDateTime agreedTime = null;
+
     /**
      * Firstname
      */
@@ -250,6 +257,20 @@ public void setActivityDate(OffsetDateTime activityDate) {
         this.activityDate = activityDate;
     }
 
+    /**
+     *
+     *
+     * @return user agreedTime
+     */
+    public OffsetDateTime getAgreedTime() { return agreedTime; }
+
+    /**
+     * Set user agreedTime
+     *
+     * @param agreedTime new agreedTime
+     */
+    public void setAgreedTime(OffsetDateTime agreedTime) { this.agreedTime = agreedTime; }
+
     /**
      * @return user first name, may be null or empty
      */
@@ -409,6 +430,7 @@ public void mergeToUpdate(ColabEntity other) throws ColabMergeException {
             this.setLastname(o.getLastname());
             this.setCommonname(o.getCommonname());
             this.setAffiliation(o.getAffiliation());
+            // agreedTime cannot be changed by a simple update
         } else {
             throw new ColabMergeException(this, other);
         }

colab-api/src/main/java/ch/colabproject/colab/api/rest/security/SecurityRestEndPoint.java

@@ -0,0 +1,42 @@
+/*
+ * The coLAB project
+ * Copyright (C) 2021-2023 AlbaSim, MEI, HEIG-VD, HES-SO
+ *
+ * Licensed under the MIT License
+ */
+package ch.colabproject.colab.api.rest.security;
+
+import ch.colabproject.colab.api.security.TosAndDataPolicyManager;
+
+import javax.inject.Inject;
+import javax.ws.rs.Consumes;
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.MediaType;
+
+/**
+ * REST SecurityRestEndpoint for ToS and Data Policy
+ *
+ * @author mikkelvestergaard
+ */
+@Path("security")
+@Consumes(MediaType.APPLICATION_JSON)
+@Produces(MediaType.APPLICATION_JSON)
+public class SecurityRestEndPoint {
+
+    /**
+     * To get TosAndDataPolicy timestamp
+     */
+    @Inject
+    private TosAndDataPolicyManager tosAndDataPolicyManager;
+
+    /**
+     * Get the current TosAndDataPolicy as unix timestamp
+     *
+     * @return current TosAndDataPolicy timestamp
+     */
+    @GET
+    @Path("getTosAndDataPolicyTimeEpoch")
+    public Long getTosAndDataPolicyTimeEpoch() { return tosAndDataPolicyManager.getEpochTime(); }
+}

colab-api/src/main/java/ch/colabproject/colab/api/rest/user/UserRestEndpoint.java

@@ -19,6 +19,7 @@
 import ch.colabproject.colab.api.persistence.jpa.user.UserDao;
 import ch.colabproject.colab.generator.model.annotations.AdminResource;
 import ch.colabproject.colab.generator.model.annotations.AuthenticationRequired;
+import ch.colabproject.colab.generator.model.annotations.ConsentNotRequired;
 import ch.colabproject.colab.generator.model.exceptions.HttpErrorMessage;
 import java.util.List;
 import javax.inject.Inject;
@@ -238,6 +239,19 @@ public void updateUser(User user) throws ColabMergeException {
         userDao.updateUser(user);
     }
 
+    /**
+     * Update user's agreedTime of given id.
+     *
+     * @param id id of the user who's agreedTime to update
+     */
+    @POST
+    @Path("{id : [1-9][0-9]*}/updateUserAgreedTime")
+    @ConsentNotRequired
+    public void updateUserAgreedTime(@PathParam("id") Long id) {
+        logger.debug("update agreedTime to user: #{}", id);
+        userManager.updateUserAgreedTime(id);
+    }
+
     /**
      * Grant admin right to user identified by given id.
      *

colab-api/src/main/java/ch/colabproject/colab/api/security/AuthenticationFilter.java

@@ -10,7 +10,9 @@
 import ch.colabproject.colab.api.model.user.User;
 import ch.colabproject.colab.generator.model.annotations.AdminResource;
 import ch.colabproject.colab.generator.model.annotations.AuthenticationRequired;
+import ch.colabproject.colab.generator.model.annotations.ConsentNotRequired;
 import ch.colabproject.colab.generator.model.exceptions.HttpErrorMessage;
+
 import java.io.IOException;
 import java.lang.annotation.Annotation;
 import java.lang.reflect.Method;
@@ -24,6 +26,7 @@
 import javax.ws.rs.core.Context;
 import javax.ws.rs.ext.ExceptionMapper;
 import javax.ws.rs.ext.Provider;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -68,18 +71,23 @@ public class AuthenticationFilter implements ContainerRequestFilter {
     @Inject
     private SessionManager sessionManager;
 
+    /**
+     * To get TosAndDataPolicy timestamp
+     */
+    @Inject
+    private TosAndDataPolicyManager tosAndDataPolicyManager;
+
     /**
      * Get all method or class annotations matching the given type.
      *
      * @param <T>        type of annotation to search
      * @param annotation type of annotation to search
      * @param klass      targeted class
      * @param method     targeted method
-     *
      * @return the list of all matching annotations found on class and method
      */
     private <T extends Annotation> List<T> getAnnotations(Class<T> annotation,
-        Class<?> klass, Method method) {
+                                                          Class<?> klass, Method method) {
 
         List<T> list = new ArrayList<>();
 
@@ -109,27 +117,36 @@ public void filter(ContainerRequestContext requestContext) throws IOException {
         User currentUser = requestManager.getCurrentUser();
         HttpErrorMessage abortWith = null;
 
-        if (currentUser == null) {
-            // current user not authenticated: make sure the targeted method is accessible to
-            // unauthenticated user
-            List<AuthenticationRequired> annotations = getAnnotations(
+        List<AuthenticationRequired> authAnnotations = getAnnotations(
                 AuthenticationRequired.class,
                 targetClass, targetMethod);
 
-            if (!annotations.isEmpty()) {
+        if (!authAnnotations.isEmpty()) {
+            if (currentUser == null) {
+                // current user not authenticated: make sure the targeted method is accessible to
+                // unauthenticated user
                 // No current user but annotation required to be authenticated
                 // abort with 401 code
                 logger.trace("Request aborted:user is not authenticated");
                 abortWith = HttpErrorMessage.authenticationRequired();
+            } else {
+                List<ConsentNotRequired> consentAnnotations = getAnnotations(
+                        ConsentNotRequired.class,
+                        targetClass, targetMethod);
+
+                if (consentAnnotations.isEmpty() && (currentUser.getAgreedTime() == null || currentUser.getAgreedTime().isBefore(tosAndDataPolicyManager.getTimestamp()))) {
+                    // current user is authenticated but need to accept new TosAndDataPolicy
+                    logger.trace("Request aborted:user has not agreed to new TosAndDataPolicy");
+                    abortWith = HttpErrorMessage.forbidden();
+                }
             }
-        } else {
-            sessionManager.touchUserActivityDate();
         }
 
-        List<AdminResource> annotations = getAnnotations(
-            AdminResource.class,
-            targetClass, targetMethod);
-        if (!annotations.isEmpty()) {
+
+        List<AdminResource> adminAnnotations = getAnnotations(
+                AdminResource.class,
+                targetClass, targetMethod);
+        if (!adminAnnotations.isEmpty()) {
             if (currentUser == null) {
                 // no current user : unauthorized asks for user to authenticate
                 logger.trace("Request aborted:user is not authenticated");
@@ -145,6 +162,8 @@ public void filter(ContainerRequestContext requestContext) throws IOException {
 
         if (abortWith != null) {
             requestContext.abortWith(exceptionMapper.toResponse(abortWith));
+        } else {
+            sessionManager.touchUserActivityDate();
         }
     }
 }

colab-api/src/main/java/ch/colabproject/colab/api/security/TosAndDataPolicyManager.java

@@ -0,0 +1,46 @@
+/*
+ * The coLAB project
+ * Copyright (C) 2021-2023 AlbaSim, MEI, HEIG-VD, HES-SO
+ *
+ * Licensed under the MIT License
+ */
+package ch.colabproject.colab.api.security;
+
+import java.time.Instant;
+import java.time.OffsetDateTime;
+import java.time.ZoneId;
+
+/**
+ * To store the Terms of Service and Data Policy dates
+ *
+ * @author mikkelvestergaard
+ */
+public class TosAndDataPolicyManager {
+
+
+    /**
+     * Epoch time of the most recent ToS and Data Policy update
+     */
+    private static final Long EPOCHTIME = 1700780400L;
+
+    /**
+     * Date of the most recent ToS and Data Policy update
+     */
+    private static final OffsetDateTime TIMESTAMP = OffsetDateTime.ofInstant(Instant.ofEpochMilli(EPOCHTIME), ZoneId.systemDefault());
+
+    /**
+     *  Get ToS and Data Policy timestamp as Epoch Time
+     *
+     * @return the timestamp
+     */
+    public Long getEpochTime() { return EPOCHTIME; }
+
+    /**
+     * Get ToS and Data Policy timestamp as OffsetDateTime
+     *
+     * @return the timestamp
+     */
+    public OffsetDateTime getTimestamp() {
+        return TIMESTAMP;
+    }
+}

colab-api/src/main/resources/META-INF/dbchangelogs/1700818809.xml

@@ -0,0 +1,11 @@
+<?xml version="1.1" encoding="UTF-8" standalone="no"?>
+<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+                   xmlns:ext="http://www.liquibase.org/xml/ns/dbchangelog-ext"
+                   xmlns:pro="http://www.liquibase.org/xml/ns/pro" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                   xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog-ext http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-ext.xsd http://www.liquibase.org/xml/ns/pro http://www.liquibase.org/xml/ns/pro/liquibase-pro-latest.xsd http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-latest.xsd">
+    <changeSet author="mikkelvestergaard" id="1700818809-1">
+        <addColumn tableName="users">
+            <column name="agreed_time" type="TIMESTAMP WITHOUT TIME ZONE"/>
+        </addColumn>
+    </changeSet>
+</databaseChangeLog>

colab-tests/src/test/java/ch/colabproject/colab/tests/rest/UserRestEndpointTest.java

@@ -26,6 +26,7 @@
 import ch.colabproject.colab.tests.ws.WebsocketClient;
 import java.io.IOException;
 import java.net.URISyntaxException;
+import java.time.OffsetDateTime;
 import java.util.Arrays;
 import java.util.List;
 import java.util.Optional;
@@ -130,6 +131,34 @@ public void testUpdateUserInternalFields() {
         Assertions.assertNull(client.userRestEndpoint.getCurrentUser());
     }
 
+    /**
+     * Assert new user have agreedTime and can update it
+     */
+    @Test
+    public void testUpdateUserAgreedTime() {
+        TestUser myUser = this.signup(
+                "GoulashSensei",
+                "goulashsensei@test.local",
+                "SoSecuredPassword"
+        );
+
+        this.signIn(myUser);
+
+        User user = client.userRestEndpoint.getCurrentUser();
+        Assertions.assertNotNull(user);
+
+        OffsetDateTime userAgreedTimestampInitial = user.getAgreedTime();
+        Assertions.assertNotNull(userAgreedTimestampInitial);
+
+        client.userRestEndpoint.updateUserAgreedTime(user.getId());
+        User updatedUser = client.userRestEndpoint.getCurrentUser();
+
+        Assertions.assertTrue(userAgreedTimestampInitial.isBefore(updatedUser.getAgreedTime()));
+
+        this.signOut();
+        Assertions.assertNull(client.userRestEndpoint.getCurrentUser());
+    }
+
     /**
      * Assert authenticate with wrong password fails
      */

colab-webapp/default_colab.properties

@@ -36,7 +36,7 @@ colab.smtp.port=1025
 #
 # Account Management Properties
 ###############################
-colab.localaccount.showcreatebutton=false
+colab.localaccount.showcreatebutton=true
 
 # Mongo DB (JCR)
 # docker run -d --restart always -p 27017:27017 --name colab_mongo mongo:4.4