Merge branch 'master' into new-build-agent

Jenkinsfile

@@ -6,7 +6,7 @@ pipeline {
     }
 
     environment {
-        BLUE_OCEAN_URL = "https://jenkins.ozg-sh.de/job/user-manager/job/${env.BRANCH_NAME}/${env.BUILD_NUMBER}/"
+        BLUE_OCEAN_URL = "https://jenkins.infra.ozg-cloud.systems/job/user-manager/job/${env.BRANCH_NAME}/${env.BUILD_NUMBER}/"
         RELEASE_REGEX = /\d+.\d+.\d+/
         SNAPSHOT_REGEX = /\d+.\d+.\d+-SNAPSHOT/
         FAILED_STAGE = ""
@@ -200,6 +200,44 @@ pipeline {
                 }
             }
         }
+
+
+        stage('march build image') {
+            when {
+                branch 'master'
+            }
+            steps {
+                script {
+                    FAILED_STAGE=env.STAGE_NAME
+
+                    withCredentials([usernamePassword(credentialsId: 'jenkins-nexus-login', usernameVariable: 'USER', passwordVariable: 'PASSWORD')]) {
+                        configFileProvider([configFile(fileId: 'maven-settings', variable: 'MAVEN_SETTINGS')]) {
+                            sh './mvnw -pl user-manager-server -s $MAVEN_SETTINGS clean verify \
+                                       -Pnative -Dquarkus.container-image.registry=docker.ozg-sh.de \
+                                       -Dquarkus.container-image.username=${USER} \
+                                       -Dquarkus.container-image.password=${PASSWORD} \
+                                       -Dquarkus.container-image.push=true \
+                                       -Dquarkus.container-image.build=true \
+                                       -Dquarkus.native.remote-container-build=true \
+                                       -Dquarkus.native.additional-build-args=-march=compatibility \
+                                       -Dmaven.wagon.http.retryHandler.count=3'
+                        }
+                    }
+                }
+            }
+        }
+
+        stage('march push image') {
+            when {
+                branch 'master'
+            }
+            steps {
+                script {
+                    FAILED_STAGE = env.STAGE_NAME
+                    tagAndPushDockerImage('march-snapshot-latest')
+                }
+            }
+        }
     }
 
     post {

README.md

-# user-manager Project
+# user-manager
 
 This project uses Quarkus, the Supersonic Subatomic Java Framework.
 
@@ -8,11 +8,11 @@ If you want to learn more about Quarkus, please visit its website: https://quark
 This properties must be configured to run the application
 
 | Key                                           | Value                                              | Default                | Mandatory | Description                                                    |
-| --- | ----- | ------- | --------- | ----------- |
+|-----------------------------------------------|----------------------------------------------------|------------------------| --------- |----------------------------------------------------------------|
 | quarkus.oidc.auth-server-url                  | https://sso.dev.by.ozg-cloud.de/realms/sh-kiel-dev | none                   | yes | Url of the keycloak server with the realm                      |
 | quarkus.mongodb.connection-string             | mongodb://ozg-mongodb:27017                        | none                   | yes | The connection string for the mongo db database                |
 | quarkus.mongodb.database                      | usermanager                                        | usermanager            | no | Name of the mongo db database                                  |
-| kop.keycloak.sync.cron | 0 15 2 * * ? | 0 15 2 * * ? | no | Cron statement when the sync is done |
+| kop.keycloak.sync.period                      | 5m                                                 | 6h                     | no | Period between synchronizations                                |
 | kop.keycloak.api.user                         | apiUser                                            | none                   | yes | The name of the keycloak admin api user                        |
 | kop.keycloak.api.password                     | ****                                               | none                   | yes | The password of the keycloak admin api user                    |
 | kop.keycloak.api.realm                        | realm-name                                         | none                   | yes | The name of the realm                                          |
@@ -30,6 +30,27 @@ You can run your application in dev mode that enables live coding using:
 
 > **_NOTE:_**  Quarkus now ships with a Dev UI, which is available in dev mode only at http://localhost:8080/q/dev/.
 
+> If you want to use remote Keycloak for local development, then use the profile remotekc. Be aware,
+> that it deactivates synchronization - if you need it, then you have to create your own realm and 
+> set it in properties, like this:
+> ```yaml
+> keycloak:
+>   realm: your-realm
+> ozgcloud:
+>   usersync:
+>     period: "6h"
+> ```
+
+## Running the server with custom realm
+In order to start user-manager-server connecting againts dev keycloak locally with custom realm 
+use below configuration in your IDE or CLI. 
+```
+-Dquarkus.profile=local,remotekc
+-Dquarkus.oidc.auth-server-url=https://sso.dev.by.ozg-cloud.de/realms/sebo-test
+-Dkop.keycloak.api.realm=sebo-test
+-Dozgcloud.usersync.period="5s"
+```
+
 ## Packaging and running the application
 
 The application can be packaged using:
@@ -121,7 +142,7 @@ Usermanager als native Anwendung erstellen und lokal starten:
     -Dkop.keycloak.api.password=hlc_j1I1Ji0trC0 \
     -Dkop.keycloak.api.realm=by-kiel-dev \
     -Dkop.keycloak.api.client=alfa \
-    -Dkop.keycloak.sync.cron="* */3 * * * ?" \
+    -Dozgcloud.usersync.period="5m" \
     -Xmx32m
 ```
 

build-native-local-docker-image.sh

+#!/usr/bin/env bash
+
+export QUARKUS_CONTAINER_IMAGE_NAME=user-manager
+export QUARKUS_CONTAINER_IMAGE_TAG=build-latest
+export QUARKUS_NATIVE_CONTAINER_RUNTIME=docker
+cd user-manager-server
+./mvnw clean install -D skipTests \
+      -Pnative \
+      -Dquarkus.container-image.registry=docker.ozg-sh.de \
+      -Dquarkus.container-image.push=false \
+      -Dquarkus.container-image.build=true \
+      -Dquarkus.native.remote-container-build=false
\ No newline at end of file

pom.xml

@@ -29,7 +29,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>de.itvsh.kop</groupId>
 	<artifactId>user-manager</artifactId>
-	<version>1.13.0-SNAPSHOT</version>
+	<version>1.14.0-SNAPSHOT</version>
 
 	<name>User Manager Parent</name>
 	<packaging>pom</packaging>

src/main/helm/templates/deployment.yaml

@@ -98,8 +98,10 @@ spec:
           value: {{ include "app.ssoServerUrl" . }}
         - name: KOP_USER_MANAGER_URL
           value: {{ include "app.baseUrl" . }}
-        - name: KOP_KEYCLOAK_SYNC_CRON
-          value: {{ .Values.kop.keycloak.sync.cron }}
+        {{- if ((.Values.ozgcloud).usersync).period }}
+        - name: OZGCLOUD_USERSYNC_PERIOD
+          value: {{ .Values.ozgcloud.usersync.period }}
+        {{- end }}
         - name: QUARKUS_HTTP_CORS_ORIGINS
           value: {{ (include "app.goofyAddress" .) }}
         {{- with (.Values.env).customList }}

src/main/helm/templates/ingress.yaml

@@ -37,8 +37,8 @@ metadata:
   name: {{ include "app.name" . }}
   namespace: {{ include "app.namespace" . }}
 spec:
-  {{- if ne (.Values).cluster_env "dataport" }}
-  ingressClassName: nginx
+  {{- if and (.Values.ingress).className (ne (.Values).cluster_env "dataport") }}
+  ingressClassName: {{ .Values.ingress.className }}
   {{- end }}
   rules:
     - http:

src/main/helm/values.yaml

@@ -38,8 +38,6 @@ kop:
   keycloak:
     api:
       user: userManagerApiUser
-    sync:
-      cron: 0 15 1 * * ?
 
 imageCredentials:
   registry: docker.ozg-sh.de

src/test/helm/deployment-keycloak-values-test.yaml

@@ -52,11 +52,6 @@ tests:
           content: 
             name: KOP_KEYCLOAK_API_REALM
             value: sh-helm-test
-      - contains:
-          path: spec.template.spec.containers[0].env
-          content: 
-            name: KOP_KEYCLOAK_SYNC_CRON
-            value: 0 15 1 * * ?
       - contains:
           path: spec.template.spec.containers[0].env
           content: 

src/test/helm/deployment_env_test.yaml

@@ -69,3 +69,19 @@ tests:
           content: 
             name: QUARKUS_MONGODB_DATABASE
             value: test-database
+  - it: check user sync period set
+    set:
+      ozgcloud.usersync.period: "6h"
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: OZGCLOUD_USERSYNC_PERIOD
+            value: "6h"
+  - it: check user sync period NOT set
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: OZGCLOUD_USERSYNC_PERIOD
+            value: "6h"
\ No newline at end of file

src/test/helm/ingress-nginx-tests.yaml

@@ -29,16 +29,23 @@ release:
 templates:
   - templates/ingress.yaml
 tests:
-  - it: should create ingress tls/ingressClass
+  - it: should create ingress tls
     asserts:
-      - equal:
-          path: spec.ingressClassName
-          value: nginx
       - equal:
           path: spec.tls[0].secretName
           value: helm-user-manager-tls
-
-  - it: should not create ingress tls/ingressClass
+  - it: should not set ingressClassName
+    asserts:
+      - isNull:
+          path: spec.ingressClassName
+  - it: should set ingressClassName
+    set:
+      ingress.className: nginx
+    asserts:
+      - equal:
+          path: spec.ingressClassName
+          value: nginx
+  - it: should not create ingress tls/ingressClassName
     set:
       cluster_env: dataport
     asserts:

user-manager-interface/pom.xml

@@ -36,7 +36,7 @@
 
 	<groupId>de.itvsh.kop.user</groupId>
 	<artifactId>user-manager-interface</artifactId>
-	<version>1.13.0-SNAPSHOT</version>
+	<version>1.14.0-SNAPSHOT</version>
 
 	<name>UserManager Interface</name>
 	<description>gRPC Interface for User Manager</description>
@@ -45,6 +45,7 @@
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 		<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
 		<jandex-maven-plugin-version>1.2.3</jandex-maven-plugin-version>
+		<quarkus.platform.version>3.5.0</quarkus.platform.version>
 	</properties>
 
 	<dependencies>

user-manager-server/pom.xml

@@ -30,13 +30,13 @@
 	<parent>
 		<groupId>de.itvsh.kop.common</groupId>
 		<artifactId>kop-common-dependencies</artifactId>
-		<version>1.7.1</version>
+		<version>2.3.1</version>
 		<relativePath/>
 	</parent>
 
 	<groupId>de.itvsh.kop.user</groupId>
 	<artifactId>user-manager-server</artifactId>
-	<version>1.13.0-SNAPSHOT</version>
+	<version>1.14.0-SNAPSHOT</version>
 	<name>User Manager</name>
 
 	<properties>
@@ -54,8 +54,12 @@
 
 		<lombok.version>1.18.24</lombok.version>
 
-		<jakarta.interceptor.version>1.2.5</jakarta.interceptor.version>
-		<jakarta.annotatioin.version>1.3.5</jakarta.annotatioin.version>
+		<jakarta.interceptor.version>2.1.0</jakarta.interceptor.version>
+		<jakarta.annotatioin.version>2.1.1</jakarta.annotatioin.version>
+
+		<keycloak-adapter.version>22.0.5</keycloak-adapter.version>
+
+		<quarkus.platform.version>3.5.0</quarkus.platform.version>
 	</properties>
 
 	<dependencyManagement>
@@ -92,6 +96,10 @@
 					<groupId>org.apache.logging.log4j</groupId>
 					<artifactId>log4j-slf4j-impl</artifactId>
 				</exclusion>
+				<exclusion>
+					<groupId>org.springframework</groupId>
+					<artifactId>spring-context</artifactId>
+				</exclusion>
 			</exclusions>
 		</dependency>
 
@@ -207,11 +215,27 @@
 			<artifactId>jakarta.interceptor-api</artifactId>
 			<version>${jakarta.interceptor.version}</version>
 		</dependency>
+		<dependency>
+			<groupId>jakarta.json</groupId>
+			<artifactId>jakarta.json-api</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>jakarta.validation</groupId>
+			<artifactId>jakarta.validation-api</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>jakarta.ws.rs</groupId>
+			<artifactId>jakarta.ws.rs-api</artifactId>
+		</dependency>
 		<dependency>
 			<groupId>jakarta.annotation</groupId>
 			<artifactId>jakarta.annotation-api</artifactId>
 			<version>${jakarta.annotatioin.version}</version>
 		</dependency>
+		<dependency>
+			<groupId>jakarta.inject</groupId>
+			<artifactId>jakarta.inject-api</artifactId>
+		</dependency>
 
 		<!-- Test -->
 		<dependency>
@@ -290,7 +314,7 @@
 					<compilerArgs>
 						<arg>-parameters</arg>
 						<compilerArg>
-								-Amapstruct.defaultComponentModel=cdi
+							-Amapstruct.defaultComponentModel=jakarta
 						</compilerArg>
 						<compilerArg>
 							-Amapstruct.unmappedTargetPolicy=WARN

user-manager-server/src/main/java/de/itvsh/kop/user/RoleHierarchy.java

+package de.itvsh.kop.user;
+
+import java.util.ArrayDeque;
+import java.util.Deque;
+import java.util.List;
+import java.util.Objects;
+
+import lombok.Builder;
+import lombok.Getter;
+import lombok.Singular;
+
+@Builder
+@Getter
+class RoleHierarchy {
+
+	private final String roleName;
+
+	@Singular
+	private List<RoleHierarchy> subRoles;
+
+	public List<String> getFlattenedHierarchy(String roleName) {
+		var subRoles = new ArrayDeque<String>();
+		collectSubRoles(this, roleName, subRoles);
+		return subRoles.stream().toList();
+	}
+
+	boolean collectSubRoles(RoleHierarchy role, String roleName, Deque<String> subRoles) {
+		subRoles.addLast(role.getRoleName());
+		if (Objects.equals(role.getRoleName(), roleName)) {
+			return true;
+		}
+		for (var subRole : role.getSubRoles()) {
+			if (collectSubRoles(subRole, roleName, subRoles)) {
+				return true;
+			}
+		}
+		subRoles.removeLast();
+		return false;
+	}
+
+}

user-manager-server/src/main/java/de/itvsh/kop/user/UserProfileResource.java

@@ -26,13 +26,13 @@ package de.itvsh.kop.user;
 import java.util.Optional;
 import java.util.stream.Stream;
 
-import javax.inject.Inject;
-import javax.ws.rs.GET;
-import javax.ws.rs.Path;
-import javax.ws.rs.PathParam;
-import javax.ws.rs.Produces;
-import javax.ws.rs.QueryParam;
-import javax.ws.rs.core.MediaType;
+import jakarta.inject.Inject;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.PathParam;
+import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.QueryParam;
+import jakarta.ws.rs.core.MediaType;
 
 import org.eclipse.microprofile.config.inject.ConfigProperty;
 import org.jboss.resteasy.reactive.common.util.RestMediaType;
@@ -80,7 +80,7 @@ public class UserProfileResource {
 		Stream<User> users;
 		if (deleted.isEmpty()) {
 			users = userService.findUsers(query);
-		} else if (deleted.get()) {
+		} else if (deleted.orElse(false)) {
 			users = userService.findInactiveUsers(query);
 		} else {
 			users = userService.findActiveUsers(query);

user-manager-server/src/main/java/de/itvsh/kop/user/UserProfileResourceAssembler.java

@@ -25,8 +25,8 @@ package de.itvsh.kop.user;
 
 import java.util.List;
 
-import javax.enterprise.context.ApplicationScoped;
-import javax.ws.rs.core.Link;
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.ws.rs.core.Link;
 
 import de.itvsh.kop.user.settings.UserSettingsResource;
 import io.quarkus.hal.HalCollectionWrapper;

user-manager-server/src/main/java/de/itvsh/kop/user/UserRepository.java

@@ -28,7 +28,7 @@ import static de.itvsh.kop.user.User.*;
 import java.util.Optional;
 import java.util.stream.Stream;
 
-import javax.enterprise.context.ApplicationScoped;
+import jakarta.enterprise.context.ApplicationScoped;
 
 import org.bson.types.ObjectId;
 

user-manager-server/src/main/java/de/itvsh/kop/user/UserResourceMapper.java

@@ -32,7 +32,7 @@ import java.util.Objects;
 import java.util.Optional;
 import java.util.Set;
 
-import javax.inject.Inject;
+import jakarta.inject.Inject;
 
 import org.keycloak.admin.client.resource.RealmResource;
 import org.keycloak.admin.client.resource.UserResource;

user-manager-server/src/main/java/de/itvsh/kop/user/UserRole.java

@@ -23,6 +23,9 @@
  */
 package de.itvsh.kop.user;
 
+import java.util.Collection;
+import java.util.Collections;
+
 import lombok.AccessLevel;
 import lombok.NoArgsConstructor;
 
@@ -32,4 +35,17 @@ public class UserRole {
 	public static final String EINHEITLICHER_ANSPRECHPARTNER = "EINHEITLICHER_ANSPRECHPARTNER";
 	public static final String VERWALTUNG_POSTSTELLE = "VERWALTUNG_POSTSTELLE";
 	public static final String VERWALTUNG_USER = "VERWALTUNG_USER";
+	public static final String VERWALTUNG_LOESCHEN = "VERWALTUNG_LOESCHEN";
+
+	private static final RoleHierarchy HIERARCHY = RoleHierarchy.builder()
+			.roleName(VERWALTUNG_LOESCHEN)
+			.subRole(RoleHierarchy.builder()
+					.roleName(VERWALTUNG_USER)
+					.build())
+			.build();
+
+	public static boolean containsWithinRoleHierarchy(Collection<String> userRoles, String roleName) {
+		return !Collections.disjoint(userRoles, HIERARCHY.getFlattenedHierarchy(roleName));
+	}
+
 }
\ No newline at end of file

user-manager-server/src/main/java/de/itvsh/kop/user/UserService.java

@@ -26,8 +26,8 @@ package de.itvsh.kop.user;
 import java.util.Optional;
 import java.util.stream.Stream;
 
-import javax.enterprise.context.ApplicationScoped;
-import javax.inject.Inject;
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.inject.Inject;
 
 import org.apache.commons.lang3.StringUtils;
 

user-manager-server/src/main/java/de/itvsh/kop/user/common/JwtUtil.java

@@ -28,10 +28,10 @@ import java.util.List;
 import java.util.Map;
 import java.util.Optional;
 
-import javax.enterprise.context.ApplicationScoped;
-import javax.inject.Inject;
-import javax.json.JsonArray;
-import javax.json.JsonString;
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.inject.Inject;
+import jakarta.json.JsonArray;
+import jakarta.json.JsonString;
 
 import org.apache.commons.lang3.StringUtils;
 import org.eclipse.microprofile.jwt.JsonWebToken;