[BACK-2785] Add keycloak extension endpoint to extract and create a new custodian user from a fake child account. #28

Open
wants to merge 20 commits into
base: master

lostlevels
Contributor

Used for migrating fake child accounts.

Creates a new "parent" user with email of target "child" account, copying over most fields, except a few custodiaL attributes. Parent will assume the email and username of the child, and the child will be given a new username and email as part of the request body.

@lostlevels changed the title from "[BACK-2785] Add keycloak extension endpoint to clone a user." to "[BACK-2785] Add keycloak extension endpoint to extract and create a new custodian user from a fake child account." on Apr 24, 2024
// CUSTODIAN_ROLE is the role to give custodians accounts extracted from
// profiles that contain a fake child.
// TODO: decide on actual role
private static final String CUSTODIAN_ROLE = "custodian";
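
Review bot: The `TODO: decide on actual role` above `CUSTODIAN_ROLE` leaves an authorization decision open, and as written the placeholder value "custodian" is what every extracted account would be granted. Settle the role name before merge. If that role is already defined elsewhere in the extension, reference that definition instead of a new string literal here, so a later rename cannot leave migrated users holding a role nothing recognises.
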
Collaborator

I suggest using care_partner. @ewollesen thoughts?

While I think a custodian is a care_partner, I'm not sure that a care_partner is a custodian.

Custodian implies more access and responsibility.

So migrating these roles to care_partner is OK, but we need to be sure we don't accidentally equate care_partner with custodian in other ways.

if (user == null) {
throw new NotFoundException("User not found.");
}
boolean alreadyMigrated = user.getUsername() != null && TidepoolAdminResource.UNCLAIMED_CUSTODIAL.matcher(user.getUsername()).find();
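
Review bot: `alreadyMigrated` is decided with `matcher(...).find()`, which succeeds on a match anywhere in the username, so unless `UNCLAIMED_CUSTODIAL` is anchored at both ends a username that merely contains the pattern is treated as already migrated. Use `matches()` if the whole username has to fit the pattern, and add a test with a username that embeds the pattern as a substring.
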
Collaborator

@toddkazakov Apr 25, 2024

I suggest keeping a ref to the userId of custodiaN in the custodiaL (child) profile in case something goes wrong.

// The Keycloak 24+ modules have removed cache eviction methods, so instead set child user's email and username "again" through the model. If we got this far,
// the previous transaction has succeeded so this is "safe" and will cause a user updated event which will clear the cache entry for the given user.
user.setEmail(newUsername);
user.setUsername(newUsername);
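
Review bot: `user.setEmail(newUsername)` and `user.setUsername(newUsername)` are called here only for the side effect the comment describes (a user updated event that clears the cache entry), so cache invalidation depends on behaviour this code never checks. Add a test that reads the child user back after this call and asserts the new username and email, so that a Keycloak upgrade which changes the event behaviour fails the build instead of serving the old identity from cache. The comment should also say why the email is set to `newUsername` rather than to a separate value.
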
Collaborator

You should add custodial_account role
