NOISSUE - Fix domains bugs and feature to disable user self register (#…

…74)

* fix: nginx entrypoint.sh file shebang

Signed-off-by: Arvindh <[email protected]>

* fix: default domain users listing include membership

Signed-off-by: Arvindh <[email protected]>

* fix: create same thing name, thing key and group name in different domain

Signed-off-by: Arvindh <[email protected]>

* add: feature to disable user self register, user can add by only super admin

Signed-off-by: Arvindh <[email protected]>

* add: feature to disable user self register, user can add by only super admin

Signed-off-by: Arvindh <[email protected]>

* fix: Duplicate items in list domains response

Signed-off-by: Arvindh <[email protected]>

* fix: users refresh & issue token api logging middleware

Signed-off-by: Arvindh <[email protected]>

* add: comments

Signed-off-by: Arvindh <[email protected]>

---------

Signed-off-by: Arvindh <[email protected]>

auth/postgres/domains.go

@@ -159,6 +159,15 @@ func (repo domainRepo) ListDomains(ctx context.Context, pm auth.Page) (auth.Doma
 	JOIN policies pc
 	ON pc.object_id = d.id`
 
+	// The service sends the user ID in the pagemeta subject field, which filters domains by joining with the policies table.
+	// For SuperAdmins, access to domains is granted without the policies filter.
+	// If the user making the request is a super admin, the service will assign an empty value to the pagemeta subject field.
+	// In the repository, when the pagemeta subject is empty, the query should be constructed without applying the policies filter.
+	if pm.SubjectID == "" {
+		q = `SELECT d.id as id, d.name as name, d.tags as tags, d.alias as alias, d.metadata as metadata, d.created_at as created_at, d.updated_at as updated_at, d.updated_by as updated_by, d.created_by as created_by, d.status as status
+		FROM domains as d`
+	}
+
 	q = fmt.Sprintf("%s %s LIMIT %d OFFSET %d", q, query, pm.Limit, pm.Offset)
 
 	dbPage, err := toDBClientsPage(pm)

auth/service.go

@@ -10,6 +10,7 @@ import (
 	"time"
 
 	"github.com/absmach/magistrala"
+	"github.com/absmach/magistrala/internal/postgres"
 	"github.com/absmach/magistrala/pkg/clients"
 	"github.com/absmach/magistrala/pkg/errors"
 	svcerr "github.com/absmach/magistrala/pkg/errors/service"
@@ -548,7 +549,16 @@ func (svc service) ListDomains(ctx context.Context, token string, p Page) (Domai
 	}); err == nil {
 		p.SubjectID = ""
 	}
-	return svc.domains.ListDomains(ctx, p)
+	dp, err := svc.domains.ListDomains(ctx, p)
+	if err != nil {
+		return DomainsPage{}, postgres.HandleError(svcerr.ErrViewEntity, err)
+	}
+	if p.SubjectID == "" {
+		for i := range dp.Domains {
+			dp.Domains[i].Permission = AdministratorRelation
+		}
+	}
+	return dp, nil
 }
 
 func (svc service) AssignUsers(ctx context.Context, token string, id string, userIds []string, relation string) error {

cmd/users/main.go

@@ -68,6 +68,7 @@ type config struct {
 	InstanceID    string  `env:"MG_USERS_INSTANCE_ID"            envDefault:""`
 	ESURL         string  `env:"MG_USERS_ES_URL"                 envDefault:"nats://localhost:4222"`
 	TraceRatio    float64 `env:"MG_JAEGER_TRACE_RATIO"           envDefault:"1.0"`
+	SelfRegister  bool    `env:"MF_USERS_ALLOW_SELF_REGISTER"    envDefault:"false"`
 	PassRegex     *regexp.Regexp
 }
 
@@ -202,7 +203,7 @@ func newService(ctx context.Context, auth magistrala.AuthServiceClient, db *sqlx
 		logger.Error(fmt.Sprintf("failed to configure e-mailing util: %s", err.Error()))
 	}
 
-	csvc := users.NewService(cRepo, auth, emailer, hsr, idp, c.PassRegex, true)
+	csvc := users.NewService(cRepo, auth, emailer, hsr, idp, c.PassRegex, c.SelfRegister)
 	gsvc := mggroups.NewService(gRepo, idp, auth)
 
 	csvc, err = uevents.NewEventStoreMiddleware(ctx, csvc, c.ESURL)

docker/.env

@@ -149,6 +149,7 @@ MG_USERS_ES_PASS=
 MG_USERS_ES_DB=
 MG_USERS_RESET_PWD_TEMPLATE=users.tmpl
 MG_USERS_INSTANCE_ID=
+MF_USERS_ALLOW_SELF_REGISTER=true
 
 #### Users Client Config
 MG_USERS_GRPC_URL=users:7001

docker/docker-compose.yml

@@ -100,7 +100,7 @@ services:
       MG_SPICEDB_HOST: ${MG_SPICEDB_HOST}
       MG_SPICEDB_PORT: ${MG_SPICEDB_PORT}
       MG_AUTH_ACCESS_TOKEN_DURATION: ${MG_AUTH_ACCESS_TOKEN_DURATION}
-      MG_AUTH_REFRESH_TOKEN_DURATION: ${MG_AUTH_REFRESH_TOKEN_DURATION}      
+      MG_AUTH_REFRESH_TOKEN_DURATION: ${MG_AUTH_REFRESH_TOKEN_DURATION}
       MG_AUTH_SECRET_KEY: ${MG_AUTH_SECRET_KEY}
       MG_AUTH_HTTP_HOST: ${MG_AUTH_HTTP_HOST}
       MG_AUTH_HTTP_PORT: ${MG_AUTH_HTTP_PORT}
@@ -327,6 +327,7 @@ services:
       MG_USERS_DB_SSL_CERT: ${MG_USERS_DB_SSL_CERT}
       MG_USERS_DB_SSL_KEY: ${MG_USERS_DB_SSL_KEY}
       MG_USERS_DB_SSL_ROOT_CERT: ${MG_USERS_DB_SSL_ROOT_CERT}
+      MF_USERS_ALLOW_SELF_REGISTER: ${MF_USERS_ALLOW_SELF_REGISTER}
       MG_EMAIL_HOST: ${MG_EMAIL_HOST}
       MG_EMAIL_PORT: ${MG_EMAIL_PORT}
       MG_EMAIL_USERNAME: ${MG_EMAIL_USERNAME}

docker/nginx/entrypoint.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/ash
 # Copyright (c) Abstract Machines
 # SPDX-License-Identifier: Apache-2.0
 

internal/groups/service.go

@@ -55,7 +55,7 @@ func (svc service) CreateGroup(ctx context.Context, token, kind string, g groups
 
 	g.ID = groupID
 	g.CreatedAt = time.Now()
-
+	g.Owner = res.GetDomainId()
 	if g.Parent != "" {
 		_, err := svc.authorize(ctx, auth.UserType, token, auth.EditPermission, auth.GroupType, g.Parent)
 		if err != nil {

things/postgres/init.go

@@ -21,13 +21,15 @@ func Migration() *migrate.MemoryMigrationSource {
 						name		VARCHAR(1024),
 						owner_id	VARCHAR(36),
 						identity	VARCHAR(254),
-						secret		VARCHAR(4096) NOT NULL UNIQUE,
+						secret		VARCHAR(4096) NOT NULL,
 						tags		TEXT[],
 						metadata	JSONB,
 						created_at	TIMESTAMP,
 						updated_at	TIMESTAMP,
 						updated_by  VARCHAR(254),
-						status		SMALLINT NOT NULL DEFAULT 0 CHECK (status >= 0)
+						status		SMALLINT NOT NULL DEFAULT 0 CHECK (status >= 0),
+						UNIQUE		(owner_id, secret),
+						UNIQUE		(owner_id, name)
 					)`,
 				},
 				Down: []string{

things/service.go

@@ -88,6 +88,7 @@ func (svc service) CreateThings(ctx context.Context, token string, cls ...mgclie
 		if c.Status != mgclients.DisabledStatus && c.Status != mgclients.EnabledStatus {
 			return []mgclients.Client{}, svcerr.ErrInvalidStatus
 		}
+		c.Owner = user.GetDomainId()
 		c.CreatedAt = time.Now()
 		clients = append(clients, c)
 	}

users/api/clients.go

@@ -418,7 +418,7 @@ func decodeChangeClientStatus(_ context.Context, r *http.Request) (interface{},
 }
 
 func decodeListMembersByGroup(_ context.Context, r *http.Request) (interface{}, error) {
-	page, err := queryPageParams(r)
+	page, err := queryPageParams(r, api.DefPermission)
 	if err != nil {
 		return nil, err
 	}
@@ -432,7 +432,7 @@ func decodeListMembersByGroup(_ context.Context, r *http.Request) (interface{},
 }
 
 func decodeListMembersByChannel(_ context.Context, r *http.Request) (interface{}, error) {
-	page, err := queryPageParams(r)
+	page, err := queryPageParams(r, api.DefPermission)
 	if err != nil {
 		return nil, err
 	}
@@ -446,7 +446,7 @@ func decodeListMembersByChannel(_ context.Context, r *http.Request) (interface{}
 }
 
 func decodeListMembersByThing(_ context.Context, r *http.Request) (interface{}, error) {
-	page, err := queryPageParams(r)
+	page, err := queryPageParams(r, api.DefPermission)
 	if err != nil {
 		return nil, err
 	}
@@ -460,7 +460,7 @@ func decodeListMembersByThing(_ context.Context, r *http.Request) (interface{},
 }
 
 func decodeListMembersByDomain(_ context.Context, r *http.Request) (interface{}, error) {
-	page, err := queryPageParams(r)
+	page, err := queryPageParams(r, auth.MembershipPermission)
 	if err != nil {
 		return nil, err
 	}
@@ -480,7 +480,7 @@ func decodeListMembersByDomain(_ context.Context, r *http.Request) (interface{},
 	return req, nil
 }
 
-func queryPageParams(r *http.Request) (mgclients.Page, error) {
+func queryPageParams(r *http.Request, defPermission string) (mgclients.Page, error) {
 	s, err := apiutil.ReadStringQuery(r, api.StatusKey, api.DefClientStatus)
 	if err != nil {
 		return mgclients.Page{}, errors.Wrap(apiutil.ErrValidation, err)
@@ -517,7 +517,7 @@ func queryPageParams(r *http.Request) (mgclients.Page, error) {
 	if err != nil {
 		return mgclients.Page{}, errors.Wrap(apiutil.ErrValidation, err)
 	}
-	p, err := apiutil.ReadStringQuery(r, api.PermissionKey, api.DefPermission)
+	p, err := apiutil.ReadStringQuery(r, api.PermissionKey, defPermission)
 	if err != nil {
 		return mgclients.Page{}, errors.Wrap(apiutil.ErrValidation, err)
 	}

users/api/logging.go

@@ -44,7 +44,11 @@ func (lm *loggingMiddleware) RegisterClient(ctx context.Context, token string, c
 // If the request fails, it logs the error.
 func (lm *loggingMiddleware) IssueToken(ctx context.Context, identity, secret, domainID string) (t *magistrala.Token, err error) {
 	defer func(begin time.Time) {
-		message := fmt.Sprintf("Method issue_token of type %s for client %s took %s to complete", t.GetAccessType(), identity, time.Since(begin))
+		message := "Method issue_token"
+		if t != nil {
+			message = fmt.Sprintf("%s of type %s", message, t.AccessType)
+		}
+		message = fmt.Sprintf("%s for client %s took %s to complete", message, identity, time.Since(begin))
 		if err != nil {
 			lm.logger.Warn(fmt.Sprintf("%s with error: %s.", message, err))
 			return
@@ -58,7 +62,11 @@ func (lm *loggingMiddleware) IssueToken(ctx context.Context, identity, secret, d
 // If the request fails, it logs the error.
 func (lm *loggingMiddleware) RefreshToken(ctx context.Context, refreshToken, domainID string) (t *magistrala.Token, err error) {
 	defer func(begin time.Time) {
-		message := fmt.Sprintf("Method refresh_token of type %s for refresh token %s took %s to complete", t.AccessType, refreshToken, time.Since(begin))
+		message := "Method refresh_token"
+		if t != nil {
+			message = fmt.Sprintf("%s of type %s", message, t.AccessType)
+		}
+		message = fmt.Sprintf("%s for refresh token %s took %s to complete", message, refreshToken, time.Since(begin))
 		if err != nil {
 			lm.logger.Warn(fmt.Sprintf("%s with error: %s.", message, err))
 			return