diff --git a/obp-api/src/main/resources/props/sample.props.template b/obp-api/src/main/resources/props/sample.props.template
index 3fd91dbad..f55a57c4e 100644
--- a/obp-api/src/main/resources/props/sample.props.template
+++ b/obp-api/src/main/resources/props/sample.props.template
@@ -961,7 +961,9 @@ default_auth_context_update_request_key=CUSTOMER_NUMBER
 # Support removing the app type checkbox during consumer registration
 #consumer_registration.display_app_type=true
-# if set this props, it will grant all the dynamic roles automatically to the users whose emails contain the following domain.
+# if set this props, we can automatically grant the Entitlements required to use all the Dynamic Endpoint roles belonging
+# to the bank_ids (Spaces) the User has access to via their validated email domain. Entitlements are generated /refreshed
+# both following manual locin and Direct Login token generation (POST).
 # the default value is empty
 #email_to_space_mapping=
 # And here we provide an example to show how to prepare the mappings
diff --git a/obp-api/src/main/scala/code/api/directlogin.scala b/obp-api/src/main/scala/code/api/directlogin.scala
index 57d085136..3fc9ccaf4 100644
--- a/obp-api/src/main/scala/code/api/directlogin.scala
+++ b/obp-api/src/main/scala/code/api/directlogin.scala
@@ -97,7 +97,7 @@ object DirectLogin extends RestHelper with MdcLoggable {
 case Req("my" :: "logins" :: "direct" :: Nil,_ , PostRequest) => {
 for{
 (httpCode: Int, message: String, userId:Long) <- createTokenFuture(getAllParameters)
- _ <- Future{grantEntitlementsToUseDynamicEndpointsAtOneBankInDirectLogin(userId)}
+ _ <- Future{grantEntitlementsToUseDynamicEndpointsInSpacesInDirectLogin(userId)}
 } yield {
 if (httpCode == 200) {
 (JSONFactory.createTokenJSON(message), HttpCode.`201`(CallContext()))
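Review bot: The new `+# both following manual locin and Direct Login token generation (POST).` line misspells login; it should read `# both following manual login and Direct Login token generation (POST).`. The same misspelling is repeated in the release_notes.md hunk at the end of this diff, whose `+sam generated /refreshed ...` line also carries a stray `sam` at the start, presumably an editing slip. Since this comment is what an operator reads before switching on automatic entitlement grants keyed to an email domain, the wording deserves a careful pass.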
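Review bot: The renamed `_ <- Future{grantEntitlementsToUseDynamicEndpointsInSpacesInDirectLogin(userId)}` step runs regardless of whether `createTokenFuture` succeeded; the `httpCode == 200` check only appears in the `yield` block after it. If the non-200 outcomes of `createTokenFuture` (not visible here) carry a placeholder `userId`, every failed Direct Login attempt triggers a resource-user lookup that ends in the `openOrThrowException` path and an error log line. Gating the step on the status, `_ <- if (httpCode == 200) Future{grantEntitlementsToUseDynamicEndpointsInSpacesInDirectLogin(userId)} else Future.unit`, keeps the entitlement refresh on the success path only. The `serve` block containing this `case` starts before the hunk.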
@@ -109,16 +109,16 @@ object DirectLogin extends RestHelper with MdcLoggable {
 }
- def grantEntitlementsToUseDynamicEndpointsAtOneBankInDirectLogin(userId:Long) = {
+ def grantEntitlementsToUseDynamicEndpointsInSpacesInDirectLogin(userId:Long) = {
 try {
 if(!emailToSpaceMapping.isEmpty){
 val resourceUser = UserX.findByResourceUserId(userId).openOrThrowException(s"$InvalidDirectLoginParameters can not find the resourceUser!")
 val authUser = AuthUser.findUserByUsernameLocally(resourceUser.name).openOrThrowException(s"$InvalidDirectLoginParameters can not find the auth user!")
- AuthUser.grantEntitlementsToUseDynamicEndpointsAtOneBank(authUser)
+ AuthUser.grantEntitlementsToUseDynamicEndpointsInSpaces(authUser)
 }
 } catch {
 case e: Throwable => // error handling, found wrong props value as early as possible.
- this.logger.error(s"directLogin.grantEntitlementsToUseDynamicEndpointsAtOneBank throw exception, details: $e" );
+ this.logger.error(s"directLogin.grantEntitlementsToUseDynamicEndpointsInSpaces throw exception, details: $e" );
 }
 }
 /**
diff --git a/obp-api/src/main/scala/code/api/util/APIUtil.scala b/obp-api/src/main/scala/code/api/util/APIUtil.scala
index c65c46951..e396495cb 100644
--- a/obp-api/src/main/scala/code/api/util/APIUtil.scala
+++ b/obp-api/src/main/scala/code/api/util/APIUtil.scala
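Review bot: The renamed `grantEntitlementsToUseDynamicEndpointsInSpacesInDirectLogin` still handles errors with `case e: Throwable =>`, which also swallows fatal errors such as `OutOfMemoryError` and `InterruptedException` and reduces them to a log line; `case NonFatal(e) =>` (with `import scala.util.control.NonFatal`) keeps the intended log-and-continue behaviour for ordinary failures while letting fatal ones propagate. The method also has no Scaladoc; a header stating that it is best-effort, never throws to the caller, and is a no-op when `emailToSpaceMapping` is empty would make the `Future{...}` call site in the previous hunk easier to review.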
@@ -2843,7 +2843,7 @@ object APIUtil extends MdcLoggable with CustomJsonFormats{
 x => //TODO due to performance issue, first comment this out,
 // val authUser = AuthUser.findUserByUsernameLocally(x._1.head.name).openOrThrowException("")
- // tryo{AuthUser.grantEntitlementsToUseDynamicEndpointsAtOneBank(authUser, x._2)}.openOr(logger.error(s"${x._1} authenticatedAccess.grantEntitlementsToUseDynamicEndpointsAtOneBank throw exception! "))
+ // tryo{AuthUser.grantEntitlementsToUseDynamicEndpointsInSpaces(authUser, x._2)}.openOr(logger.error(s"${x._1} authenticatedAccess.grantEntitlementsToUseDynamicEndpointsInSpaces throw exception! "))
 // make sure, if `refreshUserIfRequired` throw exception, do not break the `authenticatedAccess`,
 // TODO better move `refreshUserIfRequired` to other place.
diff --git a/obp-api/src/main/scala/code/model/dataAccess/AuthUser.scala b/obp-api/src/main/scala/code/model/dataAccess/AuthUser.scala
index be174773c..e1a7d990e 100644
--- a/obp-api/src/main/scala/code/model/dataAccess/AuthUser.scala
+++ b/obp-api/src/main/scala/code/model/dataAccess/AuthUser.scala
@@ -930,8 +930,8 @@ def restoreSomeSessions(): Unit = {
 S.notice(S.?("logged.in"))
 preLoginState()
 if(emailToSpaceMapping.nonEmpty){
- tryo{AuthUser.grantEntitlementsToUseDynamicEndpointsAtOneBank(user)}
- .openOr(logger.error(s"${user} authenticatedAccess.grantEntitlementsToUseDynamicEndpointsAtOneBank throw exception! "))
+ tryo{AuthUser.grantEntitlementsToUseDynamicEndpointsInSpaces(user)}
+ .openOr(logger.error(s"${user} authenticatedAccess.grantEntitlementsToUseDynamicEndpointsInSpaces throw exception! "))
 }
 S.redirectTo(redirect)
 })
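Review bot: The commented-out call in the `+ // tryo{AuthUser.grantEntitlementsToUseDynamicEndpointsInSpaces(authUser, x._2)}...` line passes two arguments, but the method as defined in the AuthUser.scala hunk below takes a single `user: AuthUser`, so this dead code would not compile if it were ever restored. Either drop the commented block or keep it accurate by reducing it to the one-argument form, `// tryo{AuthUser.grantEntitlementsToUseDynamicEndpointsInSpaces(authUser)}.openOr(...)`. The `x =>` lambda this sits in continues outside the hunk.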
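Review bot: The rewritten `.openOr(logger.error(s"${user} authenticatedAccess.grantEntitlementsToUseDynamicEndpointsInSpaces throw exception! "))` line interpolates the whole `AuthUser` record into the error log; if that object's `toString` renders fields such as the email address or password hash (not visible here), every failure writes them to the log. Logging only the identifier already used elsewhere in this file, e.g. `${user.user.obj.map(_.userId).getOrElse("")}`, avoids that. The message also says `authenticatedAccess` although `preLoginState()` and `S.redirectTo(redirect)` around it indicate this is the interactive login path, so the prefix should name that path instead. The enclosing function starts and ends outside the hunk.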
@@ -1113,7 +1113,9 @@ def restoreSomeSessions(): Unit = {
 }
 /**
- * Spaces is the obp BankIds, each bank can create many dynamice endpoints, all of them are belong to one Bank.(Space)
+ * A Space is an alias for the OBP Bank. Each Bank / Space can contain many Dynamic Endpoints. If a User belongs to a Space,
+ * the User can use those endpoints but not modify them. If a User creates a Bank (aka Space) the user can create
+ * and modify Dynamic Endpoints and other objects in that Bank / Space.
 *
 * @return
 */
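Review bot: The expanded Scaladoc still leaves the `* @return` tag empty, so it explains what a Space is but not what the documented definition (which starts after the hunk) yields. Judging by the `BankId(bankId) <- mySpaces(user: AuthUser)` generator in the next hunk this is probably `mySpaces`, in which case something like `@return the BankIds (Spaces) the user is mapped to` fits, but confirm against the signature below; an empty `@return` is otherwise better removed than left as a stub.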
@@ -1134,24 +1136,24 @@ def restoreSomeSessions(): Unit = {
 }
 }
- def grantEntitlementsToUseDynamicEndpointsAtOneBank(user: AuthUser) = {
- val createdByProcess = "grantEntitlementsToUseDynamicEndpointsAtOneBank"
+ def grantEntitlementsToUseDynamicEndpointsInSpaces(user: AuthUser) = {
+ val createdByProcess = "grantEntitlementsToUseDynamicEndpointsInSpaces"
 val userId = user.user.obj.map(_.userId).getOrElse("")
 // user's already auto granted entitlements.
- val allGrantedEntitlements = Entitlement.entitlement.vend.getEntitlementsByUserId(userId)
+ val entitlementsGrantedByThisProcess = Entitlement.entitlement.vend.getEntitlementsByUserId(userId)
 .map(_.filter(role => role.createdByProcess == createdByProcess))
 .getOrElse(Nil)
- def isEntitlementAlreadyBeGranted(role:ApiRole, bankId: String): Boolean =
- allGrantedEntitlements.exists(entitlement => entitlement.roleName == role.toString() && entitlement.bankId == bankId)
+ def alreadyHasEntitlement(role:ApiRole, bankId: String): Boolean =
+ entitlementsGrantedByThisProcess.exists(entitlement => entitlement.roleName == role.toString() && entitlement.bankId == bankId)
 //call mySpaces --> get BankIds --> listOfRolesToUseAllDynamicEndpointsAOneBank (at each bank)--> Grant roles (for each role)
 val allCurrentDynamicRoleToBankIdPairs: List[(ApiRole, String)] = for {
 BankId(bankId) <- mySpaces(user: AuthUser)
 role <- DynamicEndpointHelper.listOfRolesToUseAllDynamicEndpointsAOneBank(Some(bankId))
 } yield {
- if (!isEntitlementAlreadyBeGranted(role, bankId)) {
+ if (!alreadyHasEntitlement(role, bankId)) {
 Entitlement.entitlement.vend.addEntitlement(bankId, userId, role.toString, createdByProcess)
 }
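Review bot: `val userId = user.user.obj.map(_.userId).getOrElse("")` lets the renamed `grantEntitlementsToUseDynamicEndpointsInSpaces` carry on with an empty user id when the `AuthUser` has no linked resource user, so `getEntitlementsByUserId("")` and, for every role in every Space, `addEntitlement(bankId, "", role.toString, createdByProcess)` are reached with a blank principal; what the provider does with `""` is not visible here, but creating entitlement rows keyed to an empty user id can never be the intent. Both callers in this diff already wrap the method in `tryo`/`try`, so failing fast is safe: add `require(userId.nonEmpty, s"$createdByProcess: AuthUser has no linked ResourceUser, nothing granted")` directly after that line. Two smaller points: `alreadyHasEntitlement` only consults rows whose `createdByProcess` matches, so a role granted manually for the same bank is added a second time unless `addEntitlement` itself de-duplicates (not visible), and the `yield` block performs the `addEntitlement` side effect while building `allCurrentDynamicRoleToBankIdPairs`, which reads more clearly as a pure pair list followed by a `foreach`. The method continues past the hunk.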
@@ -1161,7 +1163,7 @@ def restoreSomeSessions(): Unit = {
 // if user's auto granted entitlement invalid, delete it.
 // invalid happens when some dynamic endpoints are removed, so the entitlements linked to the deleted dynamic endpoints are invalid.
 for {
- grantedEntitlement <- allGrantedEntitlements
+ grantedEntitlement <- entitlementsGrantedByThisProcess
 grantedEntitlementRoleName = grantedEntitlement.roleName
 grantedEntitlementBankId = grantedEntitlement.bankId
 } {
diff --git a/release_notes.md b/release_notes.md
index 18d5358e6..97417aaab 100644
--- a/release_notes.md
+++ b/release_notes.md
@@ -5,7 +5,9 @@ Date Commit Action
 29/06/2021 98c5503c Existing Props authUser.skipEmailValidation now defaults to false (i.e. we now force email validation by default)
 29/06/2021 0b08199b Added props: email_to_space_mapping, default is empty
- We can grant all the dynamic roles automatic when the user login and create the directLogin Token.
+ We can automatically grant the Entitlements required to use all the Dynamic Endpoint roles belonging to
+ the bank_ids (Spaces) the User has access to via their validated email domain. Entitlements are
+sam generated /refreshed both following manual locin and Direct Login token generation (POST).
 14/03/2021 e29001e2 Added props: webui_login_page_instruction_title, default is 'Log on to the Open Bank Project API'. The clients can customise the login page instraction title.
 13/03/2021 3c9880a9 Added props: featured_api_collection_ids, default is Empty.