Merge pull request #3977 from dseurotech/ref/passwordReset

:ref: rationalized user(s) credentials rest api endpoints

console/module/authentication/src/main/java/org/eclipse/kapua/app/console/module/authentication/server/GwtCredentialServiceImpl.java

@@ -271,7 +271,7 @@ public User call() throws Exception {
             PasswordChangeRequest passwordChangeRequest = USER_CREDENTIALS_FACTORY.newPasswordChangeRequest();
             passwordChangeRequest.setCurrentPassword(oldPassword);
             passwordChangeRequest.setNewPassword(newPassword);
-            USER_CREDENTIALS_SERVICE.changePassword(passwordChangeRequest);
+            USER_CREDENTIALS_SERVICE.changePassword(scopeId, userId, passwordChangeRequest);
 
         } catch (Exception e) {
             throw KapuaExceptionHandler.buildExceptionFromError(e);

rest-api/resources/src/main/java/org/eclipse/kapua/app/api/resources/v1/resources/UserCredential.java → rest-api/resources/src/main/java/org/eclipse/kapua/app/api/resources/v1/resources/UserCredentials.java

@@ -14,8 +14,8 @@
 
 import org.eclipse.kapua.KapuaException;
 import org.eclipse.kapua.app.api.core.model.EntityId;
-import org.eclipse.kapua.app.api.core.model.ScopeId;
 import org.eclipse.kapua.app.api.core.resources.AbstractKapuaResource;
+import org.eclipse.kapua.commons.security.KapuaSecurityUtils;
 import org.eclipse.kapua.service.KapuaService;
 import org.eclipse.kapua.service.authentication.credential.Credential;
 import org.eclipse.kapua.service.authentication.user.PasswordChangeRequest;
@@ -30,16 +30,22 @@
 import javax.ws.rs.Produces;
 import javax.ws.rs.core.MediaType;
 
-@Path("{scopeId}/user/credentials")
-public class UserCredential extends AbstractKapuaResource {
+/*
+ @deprecated
+ accidentally exposed under:
+ /{scopeId}/user/....
+ Where the scopeId has no meaning of the current user (the one from the session will always be used)
+ Remove the match with /{scopeId}/... in the next release
+ */
+@Path("{scopeId: (\\w+)?}{path:|/}user/credentials")
+public class UserCredentials extends AbstractKapuaResource {
 
     @Inject
     public UserCredentialsService userCredentialsService;
 
     /**
      * Change the user password
      *
-     * @param scopeId               The {@link ScopeId} to use in the request.
      * @param passwordChangeRequest The {@link PasswordChangeRequest} represents the changing
      * @return The updated {@link Credential}
      * @throws KapuaException Whenever something bad happens. See specific {@link KapuaService} exceptions.
@@ -48,27 +54,29 @@ public class UserCredential extends AbstractKapuaResource {
     @POST
     @Produces({MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML})
     @Consumes({MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML})
-    public Credential newPassword(@PathParam("scopeId") ScopeId scopeId, PasswordChangeRequest passwordChangeRequest) throws KapuaException {
-        return userCredentialsService.changePassword(passwordChangeRequest);
+    public Credential newPassword(
+            PasswordChangeRequest passwordChangeRequest) throws KapuaException {
+        return userCredentialsService.changePassword(KapuaSecurityUtils.getSession().getScopeId(), KapuaSecurityUtils.getSession().getUserId(), passwordChangeRequest);
     }
 
-
     /**
      * Reset the password of a {@link Credential}.
      *
-     * @param scopeId              The {@link ScopeId} of the {@link Credential} to reset.
      * @param credentialId         The id of the Credential to reset the password.
      * @param passwordResetRequest Request for resetting credential password
      * @return The updated credential.
      * @throws KapuaException Whenever something bad happens. See specific {@link KapuaService} exceptions.
      * @since 2.0.0
+     * @deprecated since 2.0.0 - use POST /{scopeId}/users/{userId}/password/_reset instead (see {@link UsersCredentials})
+     * It has been considered that a user might want to reset a password credential using another type of credential (e.g.: apiKey), but for security reasons (e.g.: avoid a leaked apiKey to be used
+     * to steal the whole account) only the admin's controlled password reset is left
      */
     @POST
-    @Path("credentials/{credentialId}/_reset")
+    @Path("{credentialId}/_reset")
+    @Deprecated
     public Credential unlockCredential(
-            @PathParam("scopeId") ScopeId scopeId,
             @PathParam("credentialId") EntityId credentialId,
             PasswordResetRequest passwordResetRequest) throws KapuaException {
-        return userCredentialsService.resetPassword(scopeId, credentialId, passwordResetRequest);
+        return userCredentialsService.resetPassword(KapuaSecurityUtils.getSession().getScopeId(), credentialId, passwordResetRequest);
     }
 }

rest-api/resources/src/main/java/org/eclipse/kapua/app/api/resources/v1/resources/Users.java

@@ -244,7 +244,7 @@ public Response deleteUser(
      * @return The newly created {@link MfaOption} object.
      * @throws KapuaException Whenever something bad happens. See specific {@link KapuaService} exceptions.
      * @since 1.4.0
-     * @deprecated since 2.0.0 - use POST {scopeId}/user/mfa instead (see {@link UserCredential})
+     * @deprecated since 2.0.0 - use POST {scopeId}/user/mfa instead (see {@link UserCredentials})
      */
     @POST
     @Path("{userId}/mfa")
@@ -288,7 +288,7 @@ public MfaOption findMfa(
      * @return HTTP 200 if operation has completed successfully.
      * @throws KapuaException Whenever something bad happens. See specific {@link KapuaService} exceptions.
      * @since 1.4.0
-     * @deprecated since 2.0.0 - use DELETE {scopeId}/user/mfa instead (see {@link UserCredential})
+     * @deprecated since 2.0.0 - use DELETE {scopeId}/user/mfa instead (see {@link UserCredentials})
      */
     @DELETE
     @Deprecated
@@ -309,7 +309,7 @@ public Response deleteMfa(
      * @return HTTP 200 if operation has completed successfully.
      * @throws KapuaException Whenever something bad happens. See specific {@link KapuaService} exceptions.
      * @since 1.4.0
-     * @deprecated since 2.0.0 - use DELETE {scopeId}/user/mfa/disableTrust instead (see {@link UserCredential})
+     * @deprecated since 2.0.0 - use DELETE {scopeId}/user/mfa/disableTrust instead (see {@link UserCredentials})
      */
     @DELETE
     @Deprecated

rest-api/resources/src/main/java/org/eclipse/kapua/app/api/resources/v1/resources/UserCredentialFiltered.java → rest-api/resources/src/main/java/org/eclipse/kapua/app/api/resources/v1/resources/UsersCredentials.java

@@ -26,6 +26,7 @@
 import org.eclipse.kapua.service.authentication.credential.CredentialListResult;
 import org.eclipse.kapua.service.authentication.credential.CredentialQuery;
 import org.eclipse.kapua.service.authentication.credential.CredentialService;
+import org.eclipse.kapua.service.authentication.user.PasswordResetRequest;
 
 import javax.inject.Inject;
 import javax.ws.rs.Consumes;
@@ -39,8 +40,16 @@
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
 
-@Path("/{scopeId}/user/{userId}/credentials")
-public class UserCredentialFiltered extends AbstractKapuaResource {
+/*
+ @deprecated
+ accidentally exposed under:
+ /{scopeId}/user/{userId}/credentials
+ instead of the desired*
+ /{scopeId}/users/{userId}/credentials (notice the plural userS)
+ Remove the match with /user/ in the next release
+ */
+@Path("/{scopeId}/user{plural:|s}/{userId}/credentials")
+public class UsersCredentials extends AbstractKapuaResource {
 
     @Inject
     public CredentialService credentialService;
@@ -127,4 +136,25 @@ public Response create(
 
         return returnCreated(credentialService.create(credentialCreator));
     }
+
+    /**
+     * Reset the password for the specific user
+     *
+     * @param scopeId              The {@link ScopeId} of the {@link Credential} to reset.
+     * @param userId               The {@link EntityId} for which to reset the password credential.
+     * @param passwordResetRequest Request for resetting credential password
+     * @return The updated credential.
+     * @throws KapuaException Whenever something bad happens. See specific {@link KapuaService} exceptions.
+     * @since 2.0.0
+     * @deprecated since 2.0.0 - use POST POST /{scopeId}/users/{userId}/password/_reset instead (see {@link UsersCredentials})
+     */
+    @POST
+    @Path("password/_reset")
+    @Deprecated
+    public Credential unlockCredential(
+            @PathParam("scopeId") ScopeId scopeId,
+            @PathParam("userId") EntityId userId,
+            PasswordResetRequest passwordResetRequest) throws KapuaException {
+        return credentialService.adminResetUserPassword(scopeId, userId, passwordResetRequest);
+    }
 }

rest-api/resources/src/main/resources/openapi/openapi.yaml

@@ -441,15 +441,26 @@ paths:
   /{scopeId}/user/mfa/disableTrust:
     $ref: './userMfa/userMfa-scopeId-disableTrust.yaml#/paths/~1{scopeId}~1user~1mfa~1disableTrust'
   ### User Credentials ###
+  ### User Credentials self managing ###
   /{scopeId}/user/credentials/password:
-    $ref: './userCredentials/userCredentials-scopeId.yaml#/paths/~1{scopeId}~1user~1credentials~1password'
+    $ref: './userCredentials/user-credentials-password.yaml#/paths/~1{scopeId}~1user~1credentials~1password'
   /{scopeId}/user/credentials/{credentialId}/_reset:
-    $ref: './userCredentials/userCredentials-scopeId-credentialId-_reset.yaml#/paths/~1{scopeId}~1user~1credentials~1{credentialId}~1_reset'
-  ### User Credentials Filtered ###
+    $ref: './userCredentials/user-credentials-credentialId-_reset.yaml#/paths/~1{scopeId}~1user~1credentials~1{credentialId}~1_reset'
+  /user/credentials/password:
+    $ref: './userCredentials/user-credentials-password.yaml#/paths/~1user~1credentials~1password'
+  /user/credentials/{credentialId}/_reset:
+    $ref: './userCredentials/user-credentials-credentialId-_reset.yaml#/paths/~1user~1credentials~1{credentialId}~1_reset'
+  ### Admin view on User Credentials ###
   /{scopeId}/user/{userId}/credentials/:
-    $ref: './userCredentialsFiltered/credential-scopeId.yaml#/paths/~1{scopeId}~1user~1{userId}~1credentials'
+    $ref: './usersCredentials/users-credentials-scopeId-userId.yaml#/paths/~1{scopeId}~1user~1{userId}~1credentials'
+  /{scopeId}/users/{userId}/credentials/:
+    $ref: './usersCredentials/users-credentials-scopeId-userId.yaml#/paths/~1{scopeId}~1users~1{userId}~1credentials'
   /{scopeId}/user/{userId}/credentials/_count:
-    $ref: './userCredentialsFiltered/credential-scopeId-_count.yaml#/paths/~1{scopeId}~1user~1{userId}~1credentials~1_count'
+    $ref: './usersCredentials/users-credentials-scopeId-userId-_count.yaml#/paths/~1{scopeId}~1user~1{userId}~1credentials~1_count'
+  /{scopeId}/users/{userId}/credentials/_count:
+    $ref: './usersCredentials/users-credentials-scopeId-userId-_count.yaml#/paths/~1{scopeId}~1users~1{userId}~1credentials~1_count'
+  /{scopeId}/users/{userId}/credentials/password/_reset:
+    $ref: './usersCredentials/users-credentials-scopeId-userId-password-_reset.yaml#/paths/~1{scopeId}~1users~1{userId}~1credentials~1password~1_reset'
   ### User Profile ###
   /{scopeId}/user/profile/:
     $ref: './userProfile/userProfile-scopeId.yaml#/paths/~1{scopeId}~1user~1profile~1'
@@ -1019,9 +1030,9 @@ components:
       $ref: './userMfa/userMfa.yaml#/components/schemas/mfaOptionCreationResponse'
     ### User Credentials Entities ###
     passwordChangeRequest:
-      $ref: './userCredentials/userCredentials.yaml#/components/schemas/passwordChangeRequest'
+      $ref: './userCredentials/user-credentials.yaml#/components/schemas/passwordChangeRequest'
     passwordResetRequest:
-      $ref: './userCredentials/userCredentials.yaml#/components/schemas/passwordResetRequest'
+      $ref: './userCredentials/user-credentials.yaml#/components/schemas/passwordResetRequest'
     ### User Profile Entities ###
     userProfile:
       $ref: './userProfile/userProfile.yaml#/components/schemas/userProfile'

rest-api/resources/src/main/resources/openapi/userCredentials/user-credentials-credentialId-_reset.yaml

@@ -0,0 +1,87 @@
+openapi: 3.0.3
+
+info:
+  title: Eclipse Kapua REST API - Credential
+  version: '1.0'
+  contact:
+    name: Eclipse Kapua Dev Team
+    url: https://eclipse.org/kapua
+    email: [email protected]
+  license:
+    name: Eclipse Public License 2.0
+    url: https://www.eclipse.org/legal/epl-2.0
+paths:
+  /user/credentials/{credentialId}/_reset:
+    post:
+      deprecated: true
+      description: >
+        This resource is deprecated and will be removed in future releases. Please make use of:
+        POST /{scopeId}/users/{userId}/credentials/password/_reset (for admins resetting a user's password)
+        or
+        POST /user/credentials/password (for the user changing its own password) instead
+      tags:
+        - User Credentials
+      summary: Reset the password of a Credential
+      operationId: credentialPasswordReset
+      parameters:
+        - $ref: '../openapi.yaml#/components/parameters/scopeId'
+        - $ref: '../credential/credential.yaml#/components/parameters/credentialId'
+      requestBody:
+        description: The new password
+        content:
+          application/json:
+            schema:
+              $ref: './user-credentials.yaml#/components/schemas/passwordResetRequest'
+        required: true
+      responses:
+        204:
+          description: The updated Credential
+          content:
+            application/json:
+              schema:
+                $ref: '../credential/credential.yaml#/components/schemas/credential'
+        401:
+          $ref: '../openapi.yaml#/components/responses/unauthenticated'
+        403:
+          $ref: '../openapi.yaml#/components/responses/subjectUnauthorized'
+        404:
+          $ref: '../openapi.yaml#/components/responses/entityNotFound'
+        500:
+          $ref: '../openapi.yaml#/components/responses/kapuaError'
+  /{scopeId}/user/credentials/{credentialId}/_reset:
+    post:
+      deprecated: true
+      description: >
+        This resource is deprecated and will be removed in future releases. Please make use of:
+        POST /{scopeId}/users/{userId}/credentials/password/_reset (for admins resetting a user's password)
+        or
+        POST /user/credentials/password (for the user changing its own password) instead
+      tags:
+        - User Credentials
+      summary: Reset the password of a Credential
+      operationId: scopeIdCredentialPasswordReset
+      parameters:
+        - $ref: '../openapi.yaml#/components/parameters/scopeId'
+        - $ref: '../credential/credential.yaml#/components/parameters/credentialId'
+      requestBody:
+        description: The new password
+        content:
+          application/json:
+            schema:
+              $ref: './user-credentials.yaml#/components/schemas/passwordResetRequest'
+        required: true
+      responses:
+        204:
+          description: The updated Credential
+          content:
+            application/json:
+              schema:
+                $ref: '../credential/credential.yaml#/components/schemas/credential'
+        401:
+          $ref: '../openapi.yaml#/components/responses/unauthenticated'
+        403:
+          $ref: '../openapi.yaml#/components/responses/subjectUnauthorized'
+        404:
+          $ref: '../openapi.yaml#/components/responses/entityNotFound'
+        500:
+          $ref: '../openapi.yaml#/components/responses/kapuaError'

rest-api/resources/src/main/resources/openapi/userCredentials/user-credentials-password.yaml

@@ -0,0 +1,66 @@
+openapi: 3.0.3
+
+info:
+  title: Everyware Cloud REST API - User Credentials
+  version: '1.0'
+  contact:
+    name: Eurotech
+    url: https://www.eurotech.com
+
+paths:
+  /{scopeId}/user/credentials/password:
+    post:
+      deprecated: true
+      description: >
+        Change logged user password
+        This resource is deprecated and will be removed in future releases. Please make use of
+        POST /user/credentials/password
+      tags:
+        - User Credentials
+      summary: Change the current user password
+      operationId: scopeIdUserPasswordChange
+      parameters:
+        - $ref: '../openapi.yaml#/components/parameters/scopeId'
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '../openapi.yaml#/components/schemas/passwordChangeRequest'
+      responses:
+        200:
+          description: The details of the updated Credential
+          content:
+            application/json:
+              schema:
+                $ref: '../credential/credential.yaml#/components/schemas/credential'
+        401:
+          $ref: '../openapi.yaml#/components/responses/unauthenticated'
+        403:
+          $ref: '../openapi.yaml#/components/responses/subjectUnauthorized'
+        500:
+          $ref: '../openapi.yaml#/components/responses/kapuaError'
+  /user/credentials/password:
+    post:
+      tags:
+        - User Credentials
+      summary: Change the current user password
+      operationId: userPasswordChange
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '../openapi.yaml#/components/schemas/passwordChangeRequest'
+      responses:
+        200:
+          description: The details of the updated Credential
+          content:
+            application/json:
+              schema:
+                $ref: '../credential/credential.yaml#/components/schemas/credential'
+        401:
+          $ref: '../openapi.yaml#/components/responses/unauthenticated'
+        403:
+          $ref: '../openapi.yaml#/components/responses/subjectUnauthorized'
+        500:
+          $ref: '../openapi.yaml#/components/responses/kapuaError'
+      description: Change logged user password