Merge branch 'release/v1.7.0-1'

Author: sklein94

CHANGELOG.md

@@ -6,6 +6,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [v1.7.0-1] - 2022-08-23
+### Changed
+- The password rules are now set via global etcd keys. For more information see [docs](docs/operations/password-policy_en.md#Configuration-of-password-rules-in-etcd) (#63)
+  - Note: the existing password rules will NOT be migrated automatically.
+
 ## [v1.6.1-2] - 2022-07-05
 ### Changed
 - Increase max username length to 64 characters (was 32 before) (#61)

Dockerfile

@@ -8,7 +8,7 @@ RUN set -x \
 FROM registry.cloudogu.com/official/java:8u302-3
 
 LABEL NAME="official/usermgt" \
-   VERSION="1.6.1-2" \
+   VERSION="1.7.0-1" \
    maintainer="[email protected]"
 
 # mark as webapp for nginx

Jenkinsfile

@@ -45,6 +45,10 @@ node('docker') {
       shellCheck("./resources/startup.sh")
     }
 
+    stage('Shell tests') {
+      executeShellTests()
+    }
+
     // Run inside of docker container, because karma always starts on port 9876 which might lead to errors when two
     // builds run concurrently (e.g. feature branch, PR and develop)
     new Docker(this).image('openjdk:8-jdk')
@@ -114,7 +118,17 @@ node('docker') {
 
       stage('Setup') {
         ecoSystem.loginBackend('cesmarvin-setup')
-        ecoSystem.setup()
+        ecoSystem.setup([registryConfig:"""
+                                        "_global": {
+                                            "password-policy": {
+                                                "must_contain_capital_letter": "true",
+                                                "must_contain_lower_case_letter": "true",
+                                                "must_contain_digit": "true",
+                                                "must_contain_special_character": "true",
+                                                "min_length": "14"
+                                            }
+                                        }
+                                    """])
       }
 
       stage('Wait for dependencies') {
@@ -206,3 +220,20 @@ void gitWithCredentials(String command){
     )
   }
 }
+
+def executeShellTests() {
+    def bats_base_image = "bats/bats"
+    def bats_custom_image = "cloudogu/bats"
+    def bats_tag = "1.2.1"
+
+    def batsImage = docker.build("${bats_custom_image}:${bats_tag}", "--build-arg=BATS_BASE_IMAGE=${bats_base_image} --build-arg=BATS_TAG=${bats_tag} ./unitTests")
+    try {
+        sh "mkdir -p target"
+
+        batsContainer = batsImage.inside("--entrypoint='' -v ${WORKSPACE}:/workspace") {
+            sh "make unit-test-shell-ci"
+        }
+    } finally {
+        junit allowEmptyResults: true, testResults: 'target/shell_test_reports/*.xml'
+    }
+}

Makefile

@@ -1,6 +1,6 @@
 # Set these to the desired values
 ARTIFACT_ID=usermgt
-VERSION=1.6.1-2
+VERSION=1.7.0-1
 # overwrite ADDITIONAL_LDFLAGS to disable static compilation
 # this should fix https://github.com/golang/go/issues/13470
 ADDITIONAL_LDFLAGS=""
@@ -10,5 +10,6 @@ MAKEFILES_VERSION=4.2.0
 include build/make/variables.mk
 include build/make/self-update.mk
 include build/make/release.mk
+include bats.mk
 
 default: dogu-release

app/src/main/webapp/views/user/edit.html

@@ -84,10 +84,10 @@ <h1>{{create ? 'New user' : 'Account'}}</h1>
       <div class="form-group password-field has-feedback" data-uadm-validate>
         <label class="control-label" for="password">Password</label>
         <input id="password" name="password" type="password" class="form-control" placeholder="Password" ng-required="true" ng-model="user.password" ng-change="applyPasswordPolicy()">
-        <span  class="glyphicon glyphicon-remove form-control-feedback "></span>
-        <span  class="glyphicon glyphicon-ok form-control-feedback"></span>
+        <span  class="glyphicon glyphicon-remove form-control-feedback " data-testid="password-invalid-marker"></span>
+        <span  class="glyphicon glyphicon-ok form-control-feedback" data-testid="password-valid-marker"></span>
       </div>
-      <p>
+      <p data-testid="password-policy-rules">
         <span ng-repeat="violation in passwordPolicy.violations" class="text-danger display-block"><strong>{{violation.Description}}.&nbsp;</strong></span>
         <span ng-repeat="satisfaction in passwordPolicy.satisfactions" class="text-success display-block"><strong>{{satisfaction.Description}}.&nbsp;</strong></span>
       </p>

bats.mk

@@ -0,0 +1,60 @@
+
+WORKSPACE=/workspace
+BATS_LIBRARY_DIR=$(TARGET_DIR)/bats_libs
+TESTS_DIR=./unitTests
+BASH_TEST_REPORT_DIR=$(TARGET_DIR)/shell_test_reports
+BASH_TEST_REPORTS=$(BASH_TEST_REPORT_DIR)/TestReport-*.xml
+BATS_ASSERT=$(BATS_LIBRARY_DIR)/bats-assert
+BATS_MOCK=$(BATS_LIBRARY_DIR)/bats-mock
+BATS_SUPPORT=$(BATS_LIBRARY_DIR)/bats-support
+BATS_FILE=$(BATS_LIBRARY_DIR)/bats-file
+BATS_BASE_IMAGE?=bats/bats
+BATS_CUSTOM_IMAGE?=cloudogu/bats
+BATS_TAG?=1.2.1
+
+.PHONY unit-test-shell:
+unit-test-shell: unit-test-shell-$(ENVIRONMENT)
+
+$(BATS_ASSERT):
+	@git clone --depth 1 https://github.com/bats-core/bats-assert $@
+
+$(BATS_MOCK):
+	@git clone --depth 1 https://github.com/grayhemp/bats-mock $@
+
+$(BATS_SUPPORT):
+	@git clone --depth 1 https://github.com/bats-core/bats-support $@
+
+$(BATS_FILE):
+	@git clone --depth 1 https://github.com/bats-core/bats-file $@
+
+$(BASH_SRC):
+	BASH_SRC:=$(shell find "${WORKDIR}" -type f -name "*.sh")
+
+${BASH_TEST_REPORT_DIR}: $(TARGET_DIR)
+	@mkdir -p $(BASH_TEST_REPORT_DIR)
+
+unit-test-shell-ci: $(BASH_SRC) $(BASH_TEST_REPORT_DIR) $(BATS_ASSERT) $(BATS_MOCK) $(BATS_SUPPORT) $(BATS_FILE)
+	@echo "Test shell units on CI server"
+	@make unit-test-shell-generic
+
+unit-test-shell-local: $(BASH_SRC) $(PASSWD) $(ETCGROUP) $(HOME_DIR) buildTestImage $(BASH_TEST_REPORT_DIR) $(BATS_ASSERT) $(BATS_MOCK) $(BATS_SUPPORT) $(BATS_FILE)
+	@echo "Test shell units locally (in Docker)"
+	@docker run --rm \
+		-v $(HOME_DIR):/home/$(USER) \
+		-v $(WORKDIR):$(WORKSPACE) \
+		-w $(WORKSPACE) \
+		--entrypoint="" \
+		$(BATS_CUSTOM_IMAGE):$(BATS_TAG) \
+		${TESTS_DIR}/customBatsEntrypoint.sh make unit-test-shell-generic
+
+unit-test-shell-generic:
+	@bats --formatter junit --output ${BASH_TEST_REPORT_DIR} ${TESTS_DIR}
+
+.PHONY buildTestImage:
+buildTestImage:
+	@echo "Build shell test container"
+	@cd ${TESTS_DIR} && docker build \
+		--build-arg=BATS_BASE_IMAGE=${BATS_BASE_IMAGE} \
+		--build-arg=BATS_TAG=${BATS_TAG} \
+		-t ${BATS_CUSTOM_IMAGE}:${BATS_TAG} \
+		.

docs/development/configure_integration_tests_de.md

@@ -0,0 +1,16 @@
+# Konfiguration für Integrations-Tests
+
+Die Integrationstests erwarten eine bestimmte Konfiguration, damit diese erfolgreich durchlaufen. Konkret müssen
+bestimmte Werte im etcd gesetzt sein. Dies sind folgende:
+
+```
+etcdctl set /config/_global/password-policy/must_contain_capital_letter true
+etcdctl set /config/_global/password-policy/must_contain_lower_case_letter true
+etcdctl set /config/_global/password-policy/must_contain_digit true
+etcdctl set /config/_global/password-policy/must_contain_special_character true
+etcdctl set /config/_global/password-policy/min_length 14
+```
+
+Damit die gesetzten Werte berücksichtigt werden, muss das Dogu einmal neu gestartet werden.
+
+Die Werte konfigurieren die Passwort-Regeln, welche in den Integrationstests überprüft werden.

docs/development/configure_integration_tests_en.md

@@ -0,0 +1,16 @@
+# Configuration for integration tests
+
+The integration tests expect a certain configuration to run successfully. Specifically certain values be set in the
+etcd. These are as follows:
+
+```
+etcdctl set /config/_global/password-policy/must_contain_capital_letter true
+etcdctl set /config/_global/password-policy/must_contain_lower_case_letter true
+etcdctl set /config/_global/password-policy/must_contain_digit true
+etcdctl set /config/_global/password-policy/must_contain_special_character true
+etcdctl set /config/_global/password-policy/min_length 14
+```
+
+In order for the set values to be taken into account, the Dogu must be restarted once.
+
+The values configure the password rules that are checked in the integration tests.

docs/gui/figures/usermanagement/CESUsermanagement_Password_Policy_All_Rules_Satisfied.png

@@ -72,7 +72,7 @@ Wird versucht, eine Nutzerin oder einen Nutzer mit einer E-Mail-Addresse anzuleg
 ![Nutzerin oder Nutzer neu angelegt_Unique_Email: Fehlermeldung E-mail](figures/usermanagement/CESUsermanagement_EmailUnique.png)
 
 ### Passwort-Richtlinien
-Im User Management können Passwort-Richtlinien konfiguriert werden, die während der Eingabe der Passwörter validiert werden. Durch das Anlegen von sinnvollen Passwort-Richtlinien kann die Sicherheit der Passwörter global kontrolliert werden.
+Im etcd vom CES können Passwort-Richtlinien konfiguriert werden, die während der Eingabe der Passwörter validiert werden. Durch das Anlegen von sinnvollen Passwort-Richtlinien kann die Sicherheit der Passwörter global kontrolliert werden.
 
 ##### Ablauf
 1. Alle nicht erfüllten Passwort-Richtlinien werden angezeigt.
@@ -87,15 +87,6 @@ Im User Management können Passwort-Richtlinien konfiguriert werden, die währen
 
 ![Alle Regeln erfüllt](figures/usermanagement/CESUsermanagement_Password_Policy_All_Rules_Satisfied.png)
 
-
-##### Ausnahmen
-Sollten Passwort-Richtlinien falsch konfiguriert worden sein, so werden diese angezeigt. Die Eingabe von Passwörtern im System ist dann nicht möglich. Der Administrator muss in diesem Fall die Einstellungen korrigieren.
-
-Sollte ein ungültiger Regex zur Konfiguration verwendet worden sein, so wird eine Fehlermeldung nach dem folgenden Muster angezeigt:
-
-![Invalid Regel](figures/usermanagement/CESUsermanagement_Password_Policy_InvalidRegex.png)
-
-
 ### Nutzerin oder Nutzer löschen
 Klicken Sie hierzu auf der Seite "Users" auf das Symbol "Mülltonne", welches in der Spalte "Functions" und in der Zeile der zu löschenden Nutzerin oder des Nutzers abgebildet ist. Bestätigen Sie daraufhin die Sicherheitsabfrage.
 

docs/gui/figures/usermanagement/CESUsermanagement_Password_Policy_Endpoint_Unreachable.png

@@ -73,7 +73,7 @@ If you try to create a user with an email address that already exists the follow
 ![User newly created_Unique_Email: Error message E-mail](figures/usermanagement/CESUsermanagement_EmailUnique.png)
 
 ### Password policies
-In User Management, password policies can be configured to be validated as passwords are entered. By creating meaningful password policies, the security of passwords can be controlled globally.
+In etcd of the CES, password policies can be configured to be validated as passwords are entered. By creating meaningful password policies, the security of passwords can be controlled globally.
 
 ##### Procedure
 1. all password policies that are not fulfilled are displayed.
@@ -88,15 +88,6 @@ In User Management, password policies can be configured to be validated as passw
 
 ![All rules satisfied](figures/usermanagement/CESUsermanagement_Password_Policy_All_Rules_Satisfied.png)
 
-
-##### Exceptions
-If password policies have been configured incorrectly, they will be displayed. It is then not possible to enter passwords in the system. In this case, the administrator must correct the settings.
-
-If an invalid regex has been used for configuration, an error message will be displayed according to the following pattern:
-
-![Invalid Rule](figures/usermanagement/CESUsermanagement_Password_Policy_InvalidRegex.png)
-
-
 ### Delete user
 To do this, click on the "Trash can" icon on the "Users" page, which is shown in the "Functions" column and in the row of the user you want to delete. Confirm the security prompt at the end.
 

docs/gui/figures/usermanagement/CESUsermanagement_Password_Policy_No_Rule_Satisfied.png

@@ -0,0 +1,31 @@
+# Passwort Policy
+
+Im etcd vom CES können bestimmte Regeln für die Passwörter definiert werden. Diese Regeln müssen im User Management beim
+Setzen von Passwörtern eingehalten werden.
+
+## Konfiguration der Passwort-Regeln im etcd
+
+Konkret kann konfiguriert werden, ob ein Passwort bestimmte Zeichen enthalten muss und welche Länge ein Passwort
+mindestens haben muss.
+
+Mit dem Wert `true` kann bei den folgenden Einträgen die jeweilige Regel aktiviert werden.
+
+* `/config/_global/password-policy/must_contain_capital_letter` - gibt an, ob das Passwort mindestens einen
+  Großbuchstaben enthalten muss
+* `/config/_global/password-policy/must_contain_lower_case_letter` - gibt an, ob das Passwort mindestens einen
+  Kleinbuchstaben enthalten muss
+* `/config/_global/password-policy/must_contain_digit` - gibt an, ob das Passwort mindestens eine Ziffer enthalten muss
+* `/config/_global/password-policy/must_contain_special_character` - gibt an, ob das Passwort mindestens ein
+  Sonderzeichen enthalten muss
+
+Bei den Großbuchstaben zählen die Umlaute `Ä`, `Ö` und `Ü` dazu, bei den Kleinbuchstaben die Umlaute `ä`, `ö` und `u`
+sowie das `ß`. Als Sonderzeichen gelten alle Zeichen, die weder Großbuchstabe, Kleinbuchstabe noch Ziffer sind.
+
+Die Mindestlänge des Passworts kann über den Eintrag `/config/_global/password-policy/min_length` konfiguriert werden.
+Hier ist ein numerischer Integerwert einzutragen. Wird kein Wert angegeben oder ein Nicht-Integerwert gesetzt, ist die
+Mindestlänge 1.
+
+Die Werte werden nach einem Neustart vom CAS herangezogen.
+
+Es ist zu beachten, dass diese Werte nicht über `cesapp edit-config usermgt` konfiguriert werden können, da es sich
+hierbei um globale Werte handelt. Diese Werte sind für das gesamte CES gültig und somit nicht Dogu-spezifisch.

docs/gui/figures/usermanagement/CESUsermanagement_Password_Policy_One_Rule_Statisfied.png

@@ -0,0 +1,32 @@
+# Passwort Policy
+
+Certain rules for passwords can be defined in the etcd of the CES. These rules must be observed in User Management when
+set passwords in the User Management.
+
+## Configuration of password rules in etcd
+
+Specifically, it can be configured whether a password must contain certain characters and what the minimum length of a
+password must be.
+
+With the value `true` the respective rule can be activated for the following entries.
+
+* `/config/_global/password-policy/must_contain_capital_letter` - specifies whether the password must contain at least
+  one capital letter.
+* `/config/_global/password-policy/must_contain_lower_case_letter` - specifies whether the password must contain at
+  least one lowercase letter.
+* `/config/_global/password-policy/must_contain_digit` - specifies if the password must contain at least one digit
+* `/config/_global/password-policy/must_contain_special_character` - indicates whether the password must contain at
+  least one
+
+For uppercase letters this includes the umlauts `Ä`, `Ö` and `Ü`, for lowercase letters it includes the umlauts `ä`, `ö`
+and `ü` and the `ß`. Special characters are all characters that are neither uppercase letters, lowercase letters nor
+numbers.
+
+The minimum length of the password can be configured via the entry `/config/_global/password-policy/min_length`. A
+numeric integer value must be entered here. If no value is entered or a non-integer value is set, the minimum length is
+1 .
+
+The values are used by the CAS after a restart.
+
+It should be noted that these values cannot be configured via `cesapp edit-config usermgt`, as they are global values.
+These values are valid for the entire CES and are therefore not Dogu-specific.

docs/gui/usermanagement_de.md

@@ -1,6 +1,6 @@
 {
   "Name": "official/usermgt",
-  "Version": "1.6.1-2",
+  "Version": "1.7.0-1",
   "DisplayName": "User Management",
   "Description": "User and Group Management.",
   "Category": "Administration Apps",
@@ -38,11 +38,6 @@
     }
   ],
   "Configuration": [
-    {
-      "Name": "password_policy",
-      "Description": "Configure a password policy for users passwords, based on a set of rules",
-      "Optional": true
-    },
     {
       "Name": "pwd_reset_selected_by_default",
       "Description": "Specifies whether the checkbox for the password change at the next login attribute should be preselected by default ",
@@ -91,6 +86,12 @@
       }
     }
   ],
+  "ExposedCommands": [
+    {
+      "Name": "post-upgrade",
+      "Command": "/post-upgrade.sh"
+    }
+  ],
   "ServiceAccounts": [
     {
       "Type": "ldap",

docs/gui/usermanagement_en.md

@@ -1,6 +1,6 @@
 {
   "username": "newuser",
-  "password": "newuserpassword",
+  "password": "newuserpassword1234A$",
   "givenname": "newuser",
   "surname": "newuser",
   "displayName": "newuser",

docs/operations/password-policy_de.md

@@ -1,6 +1,6 @@
 {
   "username": "testuser",
-  "password": "testuserpassword",
+  "password": "testuserpassword1234A$",
   "givenname": "test",
   "surname": "test",
   "displayName": "test",

docs/operations/password-policy_en.md

@@ -0,0 +1,14 @@
+Feature: Tests for the verification of the password policy
+
+  @requires_testuser
+  Scenario: a user who wants to change his password is shown the password rules
+    Given the user is logged into the CES
+    When the user opens his own page in usermgt
+    And the user deletes his password input
+    Then the password entry is marked as invalid
+    And all password rules are displayed
+    And all password rules are marked as not fullfilled
+    When the user enters a valid password
+    Then the password entry is marked as valid
+    And all password rules are displayed
+    And all password rules are marked as fullfilled