Merge branch 'development' into feat-3977_keycloak_password_policy (SORMAS-Foundation#3988)

vidi42 · web-flow · commit 70fa407863a8 · 2021-01-13T16:22:19.000+02:00
* SORMAS-Foundation#3977: Add default password policy and documentation about the Keycloak configuration * SORMAS-Foundation#3977: Fixed typo * SORMAS-Foundation#3977: Added missing import
diff --git a/SERVER_SETUP.md b/SERVER_SETUP.md
@@ -140,6 +140,10 @@ In case Keycloak is set up alongside an already running instance of SORMAS, thes
 2. Login to SORMAS and trigger the **Sync Users** button from the **Users** page
 3. This will sync users to Keycloak keeping their original password - see [SORMAS Keycloak Service Provider](sormas-keycloak-service-provider/README.md) for more information about this
 
+### Keycloak configuration
+
+More about the default configuration and how to customize can be found here [Keycloak](sormas-base/doc/keycloak.md)
+
 ## Web Server Setup
 
 ### Apache Web Server
diff --git a/sormas-backend/src/main/java/de/symeda/sormas/backend/person/PersonService.java b/sormas-backend/src/main/java/de/symeda/sormas/backend/person/PersonService.java
@@ -18,6 +18,7 @@
 package de.symeda.sormas.backend.person;
 
 import static de.symeda.sormas.backend.ExtendedPostgreSQL94Dialect.SIMILARITY_OPERATOR;
+import static de.symeda.sormas.backend.common.CriteriaBuilderHelper.and;
 
 import java.sql.Timestamp;
 import java.util.Collections;
@@ -311,24 +312,24 @@ public List<PersonNameDto> getMatchingNameDtos(PersonSimilarityCriteria criteria
 		Predicate activeCasesFilter = caseService.createActiveCasesFilter(cb, personCaseJoin);
 		Predicate caseUserFilter = caseService.createUserFilter(cb, personQuery, personCaseJoin);
 		Predicate personCasePredicate =
-				CriteriaBuilderHelper.and(cb, personCaseJoin.get(Case.ID).isNotNull(), activeCasesFilter, caseUserFilter);
+				and(cb, personCaseJoin.get(Case.ID).isNotNull(), activeCasesFilter, caseUserFilter);
 
 		// Persons of active contacts
 		Predicate activeContactsFilter = contactService.createActiveContactsFilter(cb, personContactJoin);
 		Predicate contactUserFilter = contactService.createUserFilter(cb, personQuery, personContactJoin);
 		Predicate personContactPredicate =
-				CriteriaBuilderHelper.and(cb, personContactJoin.get(Contact.ID).isNotNull(), contactUserFilter, activeContactsFilter);
+				and(cb, personContactJoin.get(Contact.ID).isNotNull(), contactUserFilter, activeContactsFilter);
 
 		// Persons of event participants in active events
 		Predicate activeEventParticipantsFilter = eventParticipantService.createActiveEventParticipantsFilter(cb, personEventParticipantJoin);
 		Predicate eventParticipantUserFilter = eventParticipantService.createUserFilter(cb, personQuery, personEventParticipantJoin);
 		Predicate personEventParticipantPredicate =
-				CriteriaBuilderHelper.and(cb, personEventParticipantJoin.get(EventParticipant.ID).isNotNull(), activeEventParticipantsFilter, eventParticipantUserFilter);
+				and(cb, personEventParticipantJoin.get(EventParticipant.ID).isNotNull(), activeEventParticipantsFilter, eventParticipantUserFilter);
 
 		caseContactEventParticipantLinkPredicate =
 				CriteriaBuilderHelper.or(cb, personCasePredicate, personContactPredicate, personEventParticipantPredicate);
 
-		personQuery.where(CriteriaBuilderHelper.and(cb, personSimilarityFilter, caseContactEventParticipantLinkPredicate));
+		personQuery.where(and(cb, personSimilarityFilter, caseContactEventParticipantLinkPredicate));
 		personQuery.distinct(true);
 
 		TypedQuery<PersonNameDto> query = em.createQuery(personQuery);
@@ -410,34 +411,34 @@ public Predicate buildSimilarityCriteriaFilter(PersonSimilarityCriteria criteria
 
 			String name = criteria.getFirstName() + " " + criteria.getLastName();
 
-			filter = CriteriaBuilderHelper.and(cb, filter, cb.isTrue(cb.function(SIMILARITY_OPERATOR, boolean.class, nameExpr, cb.literal(name))));
+			filter = and(cb, filter, cb.isTrue(cb.function(SIMILARITY_OPERATOR, boolean.class, nameExpr, cb.literal(name))));
 		}
 
 		if (criteria.getSex() != null) {
-			filter = CriteriaBuilderHelper.and(cb, filter, cb.or(cb.isNull(personFrom.get(Person.SEX)), cb.equal(personFrom.get(Person.SEX), criteria.getSex())));
+			filter = and(cb, filter, cb.or(cb.isNull(personFrom.get(Person.SEX)), cb.equal(personFrom.get(Person.SEX), criteria.getSex())));
 		}
 		if (criteria.getBirthdateYYYY() != null) {
-			filter = CriteriaBuilderHelper.and(
+			filter = and(
 				cb,
 				filter,
 				cb.or(
 					cb.isNull(personFrom.get(Person.BIRTHDATE_YYYY)),
 					cb.equal(personFrom.get(Person.BIRTHDATE_YYYY), criteria.getBirthdateYYYY())));
 		}
 		if (criteria.getBirthdateMM() != null) {
-			filter = CriteriaBuilderHelper.and(
+			filter = and(
 				cb,
 				filter,
 				cb.or(cb.isNull(personFrom.get(Person.BIRTHDATE_MM)), cb.equal(personFrom.get(Person.BIRTHDATE_MM), criteria.getBirthdateMM())));
 		}
 		if (criteria.getBirthdateDD() != null) {
-			filter = CriteriaBuilderHelper.and(
+			filter = and(
 				cb,
 				filter,
 				cb.or(cb.isNull(personFrom.get(Person.BIRTHDATE_DD)), cb.equal(personFrom.get(Person.BIRTHDATE_DD), criteria.getBirthdateDD())));
 		}
 		if (!StringUtils.isBlank(criteria.getNationalHealthId())) {
-			filter = CriteriaBuilderHelper.and(
+			filter = and(
 				cb,
 				filter,
 				cb.or(
diff --git a/sormas-base/doc/keycloak.md b/sormas-base/doc/keycloak.md
@@ -0,0 +1,75 @@
+# Keycloak
+
+Open Source Identity and Access Management.
+In SORMAS Keycloak is available as an alternative authentication provider to the default authentication method.
+
+Current version is: Keycloak 12
+
+## Setup
+
+To set up Keycloak check the guide here [Keycloak Setup](../../SERVER_SETUP.md#keycloak-server)
+
+## SORMAS Realm
+
+The SORMAS Realm in Keycloak contains all the configuration which are specific to the SORMAS Project.
+All the configuration is part of the [SORMAS.json](../setup/keycloak/SORMAS.json) file.
+
+### Configuration summary
+
+#### Login & Authentication
+
+* **Duplicate emails** are allowed in order to support the same requirement as SORMAS which in some installations require 
+admin support for some users, in which case the admin will use her own email address
+* **No login with emails** due to the previous point
+* **Password Policy** comes predefined since version 1.54 of the SORMAS-Project with the following default settings
+  * Length of minimum 12 characters
+  * At least 1 upper case letter
+  * At least 1 lower case letter
+  * At least 1 digit
+  * At least 1 special character
+* **OTP** is supported by default trough the *Google Authenticator* or *Free OTP* by has to be activated from the 
+  Keycloak Admin console
+* **Forgot Password** is enabled by default
+* **sormas-sha256** is an encryption algorithm which comes packaged with Keycloak to support transition of existing 
+  environments towards the Keycloak Authentication Provider
+  
+#### Clients
+
+The SORMAS Realm relies on 4 clients:
+
+* **sormas-ui** - handles access to the SORMAS wen UI
+* **sormas-app** - handles access to the SORMAS Android App
+* **sormas-rest** - handles access to the SORMAS API
+* **sormas-backend** - handles SORMAS server requests
+
+#### Roles
+
+The role management is handled by SORMAS however as a pre-validation Keycloak is also configured with a few roles which 
+are required for certain API access:
+* **USER** - required by default for any API access
+* **REST_USER** - required for most API endpoints (main purpose is for the SurvNet converter)
+* **REST_EXTERNAL_VISITS_USER** - required by Symptom Journals which are connected to SORMAS
+* **SORMAS_TO_SORMAS_CLIENT** - required by other SORMAS instance to access the current SORMAS instance
+
+#### Email
+
+Email configurations are optional and are not part of the default configuration.
+
+In case the system relies on users activating their own accounts it's required to configure these settings.
+
+#### Custom Configuration
+
+The configuration provided by default is the minimum required configuration for Keycloak to work together with SORMAS.
+
+The Keycloak configuration can be adjusted by any user with admin rights, however **beware** that any change to the default 
+configuration might render the system unusable.
+
+The following configurations are most likely to be environment specific:
+
+* **[Email Settings](https://www.keycloak.org/docs/12.0/server_admin/#_email)**  
+  * make sure to set an email for the admin user, so the **Test connection** feature works
+* **[Password Policies](https://www.keycloak.org/docs/latest/server_admin/#_password-policies)**
+  * The **Password Blacklist** policy can only be configured with access to the host machine
+* **[OTP Policies](https://www.keycloak.org/docs/latest/server_admin/#otp-policies)**
+  *  Can be activated by default for all user by marking **Basic Auth Password+OTP** as required in the 
+     **Authentication>Flows** section, then mark it as default in the **Authentication>Required** section
diff --git a/sormas-base/setup/keycloak/SORMAS.json b/sormas-base/setup/keycloak/SORMAS.json
@@ -410,6 +410,7 @@
   "requiredCredentials": [
     "password"
   ],
+  "passwordPolicy": "length(12) and upperCase(1) and lowerCase(1) and digits(1) and specialChars(1) and notUsername(undefined) and notEmail(undefined)",
   "otpPolicyType": "totp",
   "otpPolicyAlgorithm": "HmacSHA1",
   "otpPolicyInitialCounter": 0,
