Implement database-based multi user system for Web UI (#1539)

* add UserDetailsService impl using Jooq

* improve impl such that it is in a working condition

* refactor: make github action checks happy

* force data type JSON in Jooq for web_user.authorities

reason: our build matrix fails for mysql, but succeeds for mariadb.
Jooq infers data type org.jooq.JSON for web_user.authorities for mysql.
on the other hand, it is String for mariadb.

example: https://github.com/steve-community/steve/actions/runs/10339451112

* tighten json logic

* add check for validating that "authorities" is an array
* store a sorted set of authorities without duplicates

* add method to delete web user by database id

reason: to be used by web pages. a better way than doing with username,
and is consistent with other delete operations we do.

* PR feedback: skip default admin user creation, if "any" admin already exists

* refactor: PR feedback

* prepare database for #1540

* PR feedback

* add license header where missing

Author: goekay

pom.xml

@@ -434,6 +434,10 @@
                                     <name>BOOLEAN</name>
                                     <includeExpression>.*\.OCPP_TAG_ACTIVITY\.(IN_TRANSACTION|BLOCKED)</includeExpression>
                                 </forcedType>
+                                <forcedType>
+                                    <name>JSON</name>
+                                    <includeExpression>.*\.WEB_USER\.(AUTHORITIES)</includeExpression>
+                                </forcedType>
                                 <forcedType>
                                     <userType>org.joda.time.DateTime</userType>
                                     <converter>de.rwth.idsg.steve.utils.DateTimeConverter</converter>

src/main/java/de/rwth/idsg/steve/config/SecurityConfiguration.java

@@ -21,6 +21,7 @@
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.common.base.Strings;
 import de.rwth.idsg.steve.web.api.ApiControllerAdvice;
+import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -34,13 +35,9 @@
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.core.userdetails.User;
-import org.springframework.security.core.userdetails.UserDetails;
-import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.factory.PasswordEncoderFactories;
 import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
-import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
@@ -58,6 +55,7 @@
  * @since 07.01.2015
  */
 @Slf4j
+@RequiredArgsConstructor
 @Configuration
 @EnableWebSecurity
 public class SecurityConfiguration {
@@ -74,17 +72,6 @@ public PasswordEncoder passwordEncoder() {
         return CONFIG.getAuth().getPasswordEncoder();
     }
 
-    @Bean
-    public UserDetailsService userDetailsService() {
-        UserDetails webPageUser = User.builder()
-                .username(CONFIG.getAuth().getUserName())
-                .password(CONFIG.getAuth().getEncodedPassword())
-                .roles("ADMIN")
-                .build();
-
-        return new InMemoryUserDetailsManager(webPageUser);
-    }
-
     @Bean
     public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
         final String prefix = CONFIG.getSpringManagerMapping();
@@ -98,7 +85,7 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
                         WebSocketConfiguration.PATH_INFIX + "**",
                         "/WEB-INF/views/**" // https://github.com/spring-projects/spring-security/issues/13285#issuecomment-1579097065
                     ).permitAll()
-                    .requestMatchers(prefix + "/**").hasRole("ADMIN")
+                    .requestMatchers(prefix + "/**").hasAuthority("ADMIN")
             )
             // SOAP stations are making POST calls for communication. even though the following path is permitted for
             // all access, there is a global default behaviour from spring security: enable CSRF for all POSTs.

src/main/java/de/rwth/idsg/steve/repository/WebUserRepository.java

@@ -0,0 +1,42 @@
+/*
+ * SteVe - SteckdosenVerwaltung - https://github.com/steve-community/steve
+ * Copyright (C) 2013-2024 SteVe Community Team
+ * All Rights Reserved.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+package de.rwth.idsg.steve.repository;
+
+import jooq.steve.db.tables.records.WebUserRecord;
+
+public interface WebUserRepository  {
+
+    void createUser(WebUserRecord user);
+
+    void updateUser(WebUserRecord user);
+
+    void deleteUser(String username);
+
+    void deleteUser(int webUserPk);
+
+    void changeStatusOfUser(String username, boolean enabled);
+
+    Integer getUserCountWithAuthority(String authority);
+
+    void changePassword(String username, String newPassword);
+
+    boolean userExists(String username);
+
+    WebUserRecord loadUserByUsername(String username);
+}

src/main/java/de/rwth/idsg/steve/repository/impl/WebUserRepositoryImpl.java

@@ -0,0 +1,118 @@
+/*
+ * SteVe - SteckdosenVerwaltung - https://github.com/steve-community/steve
+ * Copyright (C) 2013-2024 SteVe Community Team
+ * All Rights Reserved.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+package de.rwth.idsg.steve.repository.impl;
+
+import de.rwth.idsg.steve.repository.WebUserRepository;
+import jooq.steve.db.tables.records.WebUserRecord;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.jooq.DSLContext;
+import org.jooq.JSON;
+import org.springframework.stereotype.Repository;
+
+import static jooq.steve.db.Tables.WEB_USER;
+import static org.jooq.impl.DSL.condition;
+import static org.jooq.impl.DSL.count;
+
+/**
+ * @author Sevket Goekay <[email protected]>
+ * @since 10.08.2024
+ */
+@Slf4j
+@Repository
+@RequiredArgsConstructor
+public class WebUserRepositoryImpl implements WebUserRepository {
+
+    private final DSLContext ctx;
+
+    @Override
+    public void createUser(WebUserRecord user) {
+        ctx.insertInto(WEB_USER)
+            .set(WEB_USER.USERNAME, user.getUsername())
+            .set(WEB_USER.PASSWORD, user.getPassword())
+            .set(WEB_USER.ENABLED, user.getEnabled())
+            .set(WEB_USER.AUTHORITIES, user.getAuthorities())
+            .execute();
+    }
+
+    @Override
+    public void updateUser(WebUserRecord user) {
+        ctx.update(WEB_USER)
+            .set(WEB_USER.PASSWORD, user.getPassword())
+            .set(WEB_USER.ENABLED, user.getEnabled())
+            .set(WEB_USER.AUTHORITIES, user.getAuthorities())
+            .where(WEB_USER.USERNAME.eq(user.getUsername()))
+            .execute();
+    }
+
+    @Override
+    public void deleteUser(String username) {
+        ctx.delete(WEB_USER)
+            .where(WEB_USER.USERNAME.eq(username))
+            .execute();
+    }
+
+    @Override
+    public void deleteUser(int webUserPk) {
+        ctx.delete(WEB_USER)
+            .where(WEB_USER.WEB_USER_PK.eq(webUserPk))
+            .execute();
+    }
+
+    @Override
+    public void changeStatusOfUser(String username, boolean enabled) {
+        ctx.update(WEB_USER)
+            .set(WEB_USER.ENABLED, enabled)
+            .where(WEB_USER.USERNAME.eq(username))
+            .execute();
+    }
+
+    @Override
+    public Integer getUserCountWithAuthority(String authority) {
+        JSON authValue = JSON.json("\"" + authority + "\"");
+        return ctx.selectCount()
+            .from(WEB_USER)
+            .where(condition("json_contains({0}, {1})", WEB_USER.AUTHORITIES, authValue))
+            .fetchOne(count());
+    }
+
+    @Override
+    public void changePassword(String username, String newPassword) {
+        ctx.update(WEB_USER)
+            .set(WEB_USER.PASSWORD, newPassword)
+            .where(WEB_USER.USERNAME.eq(username))
+            .execute();
+    }
+
+    @Override
+    public boolean userExists(String username) {
+        return ctx.selectOne()
+            .from(WEB_USER)
+            .where(WEB_USER.USERNAME.eq(username))
+            .fetchOptional()
+            .isPresent();
+    }
+
+    @Override
+    public WebUserRecord loadUserByUsername(String username) {
+        return ctx.selectFrom(WEB_USER)
+            .where(WEB_USER.USERNAME.eq(username))
+            .fetchOne();
+    }
+}