Consolidate attribute UI into fully integrated unified ABAC management interface with autocomplete and step-by-step workflow guide (#34)

* Initial plan

* Add unified ABAC attribute management page with tabs

Co-authored-by: phrocker <[email protected]>

* Add security hardening for URL parameters and iframe sandboxing

Co-authored-by: phrocker <[email protected]>

* Replace iframe approach with page-based navigation and center content

Co-authored-by: phrocker <[email protected]>

* Create fully integrated unified ABAC page with all content embedded

Co-authored-by: phrocker <[email protected]>

* Add step-by-step workflow and practical examples to explain ABAC component relationships

Co-authored-by: phrocker <[email protected]>

* Add autocomplete functionality for username and attribute name lookups in User Assignments

Co-authored-by: phrocker <[email protected]>

* update

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: phrocker <[email protected]>
Co-authored-by: Marc Parisi <[email protected]>

Author: Copilot

api/src/main/java/io/sentrius/sso/controllers/api/abac/AttributeManagementController.java

@@ -15,6 +15,7 @@
 import org.springframework.web.bind.annotation.*;
 
 import java.time.LocalDateTime;
+import java.time.ZoneOffset;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -243,8 +244,13 @@ private AttributeAssignmentDTO toAssignmentDTO(AttributeAssignment assignment) {
         dto.setTargetId(assignment.getTargetId());
         dto.setAttributeName(assignment.getAttributeDefinition().getAttributeName());
         dto.setAttributeValue(assignment.getAttributeValue());
-        dto.setValidFrom(LocalDateTime.from(assignment.getValidFrom()));
-        dto.setValidUntil(LocalDateTime.from(assignment.getValidUntil()));
+        if (assignment.getValidFrom() != null) {
+            dto.setValidFrom(LocalDateTime.ofInstant(assignment.getValidFrom(), ZoneOffset.UTC));
+        }
+        if (assignment.getValidUntil() != null) {
+            dto.setValidUntil(LocalDateTime.ofInstant(assignment.getValidUntil(), ZoneOffset.UTC));
+        }
+
         dto.setSyncedFromKeycloak(assignment.getSyncedFromKeycloak());
         dto.setActive(assignment.getIsActive());
         return dto;

api/src/main/java/io/sentrius/sso/controllers/api/users/UserApiController.java

@@ -6,6 +6,7 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.node.BooleanNode;
@@ -20,6 +21,7 @@
 import io.sentrius.sso.core.exceptions.ZtatException;
 import io.sentrius.sso.core.model.hostgroup.HostGroup;
 import io.sentrius.sso.core.model.security.UserType;
+import io.sentrius.sso.core.model.security.enums.ApplicationAccessEnum;
 import io.sentrius.sso.core.model.security.enums.UserAccessEnum;
 import io.sentrius.sso.core.model.users.User;
 import io.sentrius.sso.core.dto.UserDTO;
@@ -137,6 +139,29 @@ public ResponseEntity<List<UserDTO>> listusers(
     }
 
 
+    @GetMapping("/search")
+    @LimitAccess(userAccess = {UserAccessEnum.CAN_VIEW_USERS})
+    public ResponseEntity<List<UserDTO>> findUsersByName(
+        @RequestParam(name = "query") String userId) {
+
+        log.debug("Finding users with attribute userId={}", userId);
+
+        try {
+            Optional<List<User>> userIds = userService.findByUsernameLike(userId);
+            if (userIds.isPresent()) {
+                log.info("Found users with attribute userId={}", userId);
+                List<UserDTO> userDTOs = userIds.get().stream().map(User::toDto).toList();
+                return ResponseEntity.ok(userDTOs);
+            } else {
+                log.info("No users with attribute userId={}", userId);
+                return ResponseEntity.status(HttpStatus.NOT_FOUND).build();
+            }
+
+        } catch (Exception e) {
+            log.error("Error finding users with attribute", e);
+            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).build();
+        }
+    }
 
     @PostMapping("add")
     @LimitAccess(userAccess = {UserAccessEnum.CAN_EDIT_USERS})

api/src/main/java/io/sentrius/sso/controllers/api/users/UserAttributeController.java

@@ -5,6 +5,7 @@
 import java.util.Map;
 import java.util.Optional;
 import java.util.stream.Collectors;
+import io.sentrius.sso.core.annotations.LimitAccess;
 import io.sentrius.sso.core.config.SystemOptions;
 import io.sentrius.sso.core.controllers.BaseController;
 import io.sentrius.sso.core.dto.users.UserAttributeDTO;
@@ -90,6 +91,7 @@ public ResponseEntity<List<UserAttributeDTO>> getUserAttributes(@PathVariable St
      * Get user attributes as a map
      */
     @GetMapping("/{userId}/map")
+    @LimitAccess(applicationAccess = {ApplicationAccessEnum.CAN_MANAGE_APPLICATION})
     public ResponseEntity<Map<String, String>> getUserAttributesAsMap(@PathVariable String userId) {
         log.debug("Getting attributes map for user: {}", userId);
 
@@ -107,6 +109,7 @@ public ResponseEntity<Map<String, String>> getUserAttributesAsMap(@PathVariable
      * Get a specific user attribute
      */
     @GetMapping("/{userId}/{attributeName}")
+    @LimitAccess(applicationAccess = {ApplicationAccessEnum.CAN_MANAGE_APPLICATION})
     public ResponseEntity<UserAttributeDTO> getUserAttribute(
             @PathVariable String userId,
             @PathVariable String attributeName) {
@@ -133,6 +136,7 @@ public ResponseEntity<UserAttributeDTO> getUserAttribute(
      * Set a user attribute
      */
     @PostMapping("/update")
+    @LimitAccess(applicationAccess = {ApplicationAccessEnum.CAN_MANAGE_APPLICATION})
     public ResponseEntity<UserAttributeDTO> setUserAttribute(
             @RequestParam("userId") String userId,
             @RequestBody @Valid UserAttributeDTO attributeDTO,
@@ -174,6 +178,7 @@ public ResponseEntity<UserAttributeDTO> setUserAttribute(
      * Set multiple user attributes at once
      */
     @PostMapping("/{userId}/bulk")
+    @LimitAccess(applicationAccess = {ApplicationAccessEnum.CAN_MANAGE_APPLICATION})
     public ResponseEntity<List<UserAttributeDTO>> setUserAttributes(
             @PathVariable String userId,
             @RequestBody Map<String, String> attributes,
@@ -210,6 +215,7 @@ public ResponseEntity<List<UserAttributeDTO>> setUserAttributes(
      * Remove a user attribute
      */
     @DeleteMapping("/{userId}/{attributeName}")
+    @LimitAccess(applicationAccess = {ApplicationAccessEnum.CAN_MANAGE_APPLICATION})
     public ResponseEntity<Map<String, Object>> removeUserAttribute(
             @PathVariable String userId,
             @PathVariable String attributeName,
@@ -245,6 +251,7 @@ public ResponseEntity<Map<String, Object>> removeUserAttribute(
      * Sync user attributes from Keycloak
      */
     @PostMapping("/{userId}/sync/keycloak")
+    @LimitAccess(applicationAccess = {ApplicationAccessEnum.CAN_MANAGE_APPLICATION})
     public ResponseEntity<List<UserAttributeDTO>> syncFromKeycloak(
             @PathVariable String userId,
             HttpServletRequest request, HttpServletResponse response) {
@@ -278,6 +285,7 @@ public ResponseEntity<List<UserAttributeDTO>> syncFromKeycloak(
      * Check if user has specific attribute value
      */
     @GetMapping("/{userId}/check")
+    @LimitAccess(applicationAccess = {ApplicationAccessEnum.CAN_MANAGE_APPLICATION})
     public ResponseEntity<Map<String, Boolean>> checkUserAttribute(
             @PathVariable String userId,
             @RequestParam String attributeName,
@@ -303,6 +311,7 @@ public ResponseEntity<Map<String, Boolean>> checkUserAttribute(
      * Find users with specific attribute (admin endpoint)
      */
     @GetMapping("/search")
+    @LimitAccess(applicationAccess = {ApplicationAccessEnum.CAN_MANAGE_APPLICATION})
     public ResponseEntity<List<String>> findUsersWithAttribute(
             @RequestParam String attributeName,
             @RequestParam String attributeValue) {
@@ -323,6 +332,7 @@ public ResponseEntity<List<String>> findUsersWithAttribute(
      * Get all unique attribute names (admin endpoint)
      */
     @GetMapping("/names")
+    @LimitAccess(applicationAccess = {ApplicationAccessEnum.CAN_MANAGE_APPLICATION})
     public ResponseEntity<List<String>> getAllAttributeNames() {
         log.debug("Getting all unique attribute names");
 

api/src/main/java/io/sentrius/sso/controllers/view/AttributeManagementViewController.java

@@ -0,0 +1,43 @@
+package io.sentrius.sso.controllers.view;
+
+import io.sentrius.sso.core.annotations.LimitAccess;
+import io.sentrius.sso.core.config.SystemOptions;
+import io.sentrius.sso.core.controllers.BaseController;
+import io.sentrius.sso.core.model.security.enums.ApplicationAccessEnum;
+import io.sentrius.sso.core.services.ErrorOutputService;
+import io.sentrius.sso.core.services.UserService;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.stereotype.Controller;
+import org.springframework.ui.Model;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+
+/**
+ * Unified view controller for ABAC attribute management.
+ * Provides a single entry point with tabs for:
+ * - Attribute Definitions (schema)
+ * - User Assignments (attribute values for users)
+ * - Access Mappings (endpoint access control)
+ */
+@Slf4j
+@Controller
+@RequestMapping("/sso/v1/attributes")
+public class AttributeManagementViewController extends BaseController {
+
+    public AttributeManagementViewController(
+            UserService userService,
+            SystemOptions systemOptions,
+            ErrorOutputService errorOutputService) {
+        super(userService, systemOptions, errorOutputService);
+    }
+
+    /**
+     * Show unified ABAC attribute management page with tabs
+     */
+    @GetMapping("/manage")
+    @LimitAccess(applicationAccess = {ApplicationAccessEnum.CAN_MANAGE_APPLICATION})
+    public String showAttributeManagement(Model model) {
+        log.debug("Showing unified attribute management page");
+        return "sso/attributes_unified";
+    }
+}

api/src/main/resources/templates/fragments/sidebar.html

@@ -73,18 +73,8 @@
                 </a>
             </li>
             <li th:if="${#sets.contains(operatingUser.authorizationType.accessSet, 'CAN_MANAGE_APPLICATION')}">
-                <a href="/sso/v1/custom-attributes/mappings" class="nav-link px-0 align-middle">
-                    <i class="fas fa-user-tag"></i> <span class="ms-1 d-none d-sm-inline">Custom Attributes</span>
-                </a>
-            </li>
-            <li th:if="${#sets.contains(operatingUser.authorizationType.accessSet, 'CAN_MANAGE_APPLICATION')}">
-                <a href="/sso/v1/user-attributes" class="nav-link px-0 align-middle">
-                    <i class="fas fa-id-badge"></i> <span class="ms-1 d-none d-sm-inline">User Attributes</span>
-                </a>
-            </li>
-            <li th:if="${#sets.contains(operatingUser.authorizationType.accessSet, 'CAN_MANAGE_APPLICATION')}">
-                <a href="/sso/v1/attribute-definitions" class="nav-link px-0 align-middle">
-                    <i class="fas fa-list-alt"></i> <span class="ms-1 d-none d-sm-inline">Attribute Definitions</span>
+                <a href="/sso/v1/attributes/manage" class="nav-link px-0 align-middle">
+                    <i class="fas fa-tags"></i> <span class="ms-1 d-none d-sm-inline">Attributes (ABAC)</span>
                 </a>
             </li>
             <li th:if="${#sets.contains(operatingUser.authorizationType.accessSet, 'CAN_MANAGE_APPLICATION')}">