Provide a set of endpoints for user management #418

Closed
syntrydy opened this issue Aug 4, 2021 · 15 comments

@syntrydy
Contributor

syntrydy commented Aug 4, 2021

User Story Title.

Implement endpoints for user management

User Story Meta Information.

This should be based on the existing SCIM project

Priority.

MEDIUM

Description.

As an API consumer with the user management permission set, I should be able to:

  • List all users
  • Search for users based on a search pattern
  • Add new user
  • Update existing user
  • Remove a user
  • Activate/Deactivate a user
  • Manage user password:
    1. Password policy: define the password complexity(eg. min length,
    2. Password Reset: reset my password
    3. Username Recovery
@pujavs pujavs self-assigned this Aug 23, 2021
@pujavs
Contributor

pujavs commented Oct 1, 2021

Implemented endpoints for User Management.
Regarding Manage user password, there is nothing specific in scim regarding password policy management. This will need more decision on what should be the policy and the best place to implement it. It will be good to create a separate JIRA for the same with proper details to take forward.

@syntrydy
Contributor Author

syntrydy commented Oct 6, 2021

I think we can ignore Password management for now, because we don’t have it implemented in SCIM.

@pujavs
Contributor

pujavs commented Oct 8, 2021

@pujavs pujavs closed this as completed Jan 7, 2022
@ossdhaval ossdhaval transferred this issue from another repository Jan 14, 2022
@duttarnab duttarnab reopened this Mar 23, 2022
@duttarnab
Contributor

duttarnab commented Mar 23, 2022

Reopening this issue, as scim endpoints are not sufficient to include Custom schema in Flex Admin UI.

image

  • Manage Groups are not required in Admin UI.

We will need the following endpoints in config-api for User Management

  • GET /jans-config-api/api/v1/users (get all users)
  • POST /jans-config-api/api/v1/users (create a user)
  • GET /jans-config-api/api/v1/users/{inum} (get a user by inum)
  • PUT /jans-config-api/api/v1/users/{inum} (update a user)
  • DELETE /jans-config-api/api/v1/users/{inum} (delete a user)
  • PATCH /jans-config-api/api/v1/users/{inum} (patch user attributes)

The above APIs will perform CRUD on jansPerson table.

The payload from the API will be in the below format.

{
    "dn": "string",
    "inum": "string",
    "givenName": "string",
    "displayName": "string",
    "sn": "string",
    "mail": "string",
    "userPassword": "string",
    "jansStatus": "string",
    "customAttributes" : [{ "attr1_name": "attr1_value"}, {"attr2_name": "attr2_value"}, ...]
}

Here customAttributes will contain all user claims and their values from jansPerson person table.

cc: @yuriyz @yurem @nynymike

@yurem
Contributor

yurem commented Mar 26, 2022

I think we should not expose a user API in this application. Why can't we use SCIM and configure it to conform to our requirements?
We should keep a minimum count of services which can expose/modify user data.
@nynymike

@nynymike
Contributor

I agree with Yura. What is the advantage to exposing endpoints that just duplicate the functionality of SCIM?

@duttarnab
Contributor

duttarnab commented Mar 28, 2022

@yurem @nynymike, SCIM APIs do not provide all attributes from jansPerson table. As @jgomer2001 has mentioned

image
image

Moreover, if a user manually updates the schema to add a new attribute to jansPerson table then this attribute will also not be available using SCIM apis as it does not provide all attributes.

That's why we are thinking to create new User Management APIs in config-api.

@yurem
Contributor

yurem commented Mar 29, 2022

After the manual schema update, did you register this attribute in ou=attributes? In the Jans CE setup there is scim test data. You can use the -t option to prepare a test server. In scim-test-data.ldif, setup registers 3 custom attributes which are used in tests.

@duttarnab
Contributor

We need to remove password from the response of the below endpoints because if we have the user password in the get endpoint response then it can be easily traced from the browser console.

  • GET /jans-config-api/api/v1/users (get all users)
  • GET /jans-config-api/api/v1/users/{inum} (get a user by inum)

@pujavs
Contributor

pujavs commented Apr 8, 2022

Implemented:

  • PATCH endpoint -> /jans-config-api/api/v1/user/{inum}
  • Exclusion of userPassword in fetch request
    • GET /jans-config-api/api/v1/users (get all users)
    • GET /jans-config-api/api/v1/users/{inum} (get a user by inum)

Test results:
src.test.resources.feature.user.user.pdf

@pujavs
Contributor

pujavs commented Apr 13, 2022

Post discussion with @nynymike and @jgomer2001, since adding all jansPerson attributes to SCIM api is not advisable as there are many attributes and it is decided to remove the SCIM - User Management endpoint and convert the new config User Management endpoint into plugin.

image

Refer older comment from this issue as well:
#418 (comment)

@pujavs
Contributor

pujavs commented Apr 18, 2022

@duttarnab changes done for following

  1. Removing scim user management endpoint
  2. Moving user management endpoint in user-mgt-plugin.
    Note change in endpoint url, new url is /jans-config-api/mgt/configuser

Testing evidence:
src.test.resources.feature.mgt.user.user.pdf

@pujavs pujavs closed this as completed May 4, 2022
@pujavs
Contributor

pujavs commented Jun 8, 2022

Issue: For user management endpoints mail, displayName, jansStatus, userPassword, givenName have been made mandatory fields and the endpoint does not return userPassword.
This will work fine for POST - create user request.
However since userPassword is not returned the PUT method throws error if userPassword is not provided.

Example: jans-cli uses swagger spec in which the mandatory fields have to be specified at the object level.
So the PUT request throws error as it does not contain userPassword.

Resolution: To resolve this it is decided to make userPassword mandatory only for POST method
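
The two behaviours discussed in this thread (leaving userPassword out of GET responses, and requiring it only on POST), sketched as an added example that is not code from the Janssen project. The field names are taken from the comments above; the function names, the sample record and the choice to keep the stored password when a PUT omits it are assumptions.

```python
# Added illustration, not Janssen code. Field names come from the thread;
# everything else (function names, sample record) is hypothetical.
BASE_REQUIRED = ("mail", "displayName", "jansStatus", "givenName")
WRITE_ONLY = ("userPassword",)  # accepted on write, never sent back on read

# Constructed sample record standing in for a jansPerson entry.
STORED = {
    "inum": "constructed-inum-0001",
    "givenName": "Ada",
    "displayName": "Ada L",
    "sn": "L",
    "mail": "ada@example.org",
    "jansStatus": "active",
    "userPassword": "constructed-hash-value",
}

def required_fields(method):
    """userPassword is mandatory only when creating a user (POST)."""
    if method == "POST":
        return BASE_REQUIRED + WRITE_ONLY
    return BASE_REQUIRED

def validate(method, payload):
    """Return the sorted list of mandatory fields missing for this method."""
    return sorted(f for f in required_fields(method) if not payload.get(f))

def to_response(user):
    """Copy of the stored record with write-only fields removed (GET)."""
    return {k: v for k, v in user.items() if k not in WRITE_ONLY}

def apply_put(stored, payload):
    """Replace the record. Assumption: a PUT that carries no userPassword
    leaves the stored one untouched instead of failing or blanking it."""
    missing = validate("PUT", payload)
    if missing:
        raise ValueError("missing mandatory fields: " + ", ".join(missing))
    updated = dict(payload)
    updated["inum"] = stored["inum"]
    if not updated.get("userPassword"):
        updated["userPassword"] = stored["userPassword"]
    return updated

def round_trip():
    """GET a user, edit one field, PUT the body back without a password."""
    fetched = to_response(STORED)
    fetched["displayName"] = "Ada Lovelace"
    return apply_put(STORED, fetched)
```

With object-level mandatory fields, the same round trip fails because the body returned by GET can never satisfy the PUT schema; the per-method check is what removes that failure.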

@pujavs pujavs reopened this Jun 8, 2022
@moabu moabu added this to the 1.0.1 milestone Jun 15, 2022
@moabu moabu modified the milestones: 1.0.1, 1.0.2 Jul 8, 2022
@pujavs
Contributor

pujavs commented Jul 15, 2022

This requirement and related enhancements for root level attributes and mandatory attribute check was implemented on 08-Jun-2022 hence closing the same.

@pujavs pujavs closed this as completed Jul 15, 2022