deactivate users

conf/docker-aio/run-test-suite.sh

@@ -8,4 +8,4 @@ fi
 
 # Please note the "dataverse.test.baseurl" is set to run for "all-in-one" Docker environment.
 # TODO: Rather than hard-coding the list of "IT" classes here, add a profile to pom.xml.
-source maven/maven.sh && mvn test -Dtest=DataversesIT,DatasetsIT,SwordIT,AdminIT,BuiltinUsersIT,UsersIT,UtilIT,ConfirmEmailIT,FileMetadataIT,FilesIT,SearchIT,InReviewWorkflowIT,HarvestingServerIT,MoveIT,MakeDataCountApiIT,FileTypeDetectionIT,EditDDIIT,ExternalToolsIT,AccessIT,DuplicateFilesIT,DownloadFilesIT,LinkIT -Ddataverse.test.baseurl=$dvurl
+source maven/maven.sh && mvn test -Dtest=DataversesIT,DatasetsIT,SwordIT,AdminIT,BuiltinUsersIT,UsersIT,UtilIT,ConfirmEmailIT,FileMetadataIT,FilesIT,SearchIT,InReviewWorkflowIT,HarvestingServerIT,MoveIT,MakeDataCountApiIT,FileTypeDetectionIT,EditDDIIT,ExternalToolsIT,AccessIT,DuplicateFilesIT,DownloadFilesIT,LinkIT,DeleteUsersIT,DeactivateUsersIT -Ddataverse.test.baseurl=$dvurl

doc/release-notes/2419-4475-7575-disable-users.md

@@ -0,0 +1,5 @@
+## Release Highlights
+
+### Deactivate Users API, Get User Traces API, Revoke Roles API
+
+A new API has been added to deactivate users to prevent them from logging in or otherwise being active in the system. Deactivating a user is an alternative to deleting a user, especially when the latter is not possible due to the amount of interaction the user has had with the system. In order to learn more about a user before deleting, deactivating, or merging, a new "get user traces" API is available that will show objects created, roles, group memberships, and more. Finally, the "remove all roles" button available in the superuser dashboard is now also available via API.

doc/sphinx-guides/source/admin/user-administration.rst

@@ -44,6 +44,16 @@ Change User Identifier
 
 See :ref:`change-identifier-label`
 
+Delete a User
+-------------
+
+See :ref:`delete-a-user`
+
+Deactivate a User
+-----------------
+
+See :ref:`deactivate-a-user`
+
 Confirm Email
 -------------
 

doc/sphinx-guides/source/api/native-api.rst

@@ -3147,6 +3147,8 @@ Example: ``curl -H "X-Dataverse-key: $API_TOKEN" -X POST http://demo.dataverse.o
 
 This action moves account data from jsmith2 into the account jsmith and deletes the account of jsmith2.
 
+Note: User accounts can only be merged if they are either both active or both deactivated. See :ref:`deactivate a user<deactivate-a-user>`.
+
 .. _change-identifier-label:
 
 Change User Identifier
@@ -3166,7 +3168,9 @@ Make User a SuperUser
 Toggles superuser mode on the ``AuthenticatedUser`` whose ``identifier`` (without the ``@`` sign) is passed. ::
 
     POST http://$SERVER/api/admin/superuser/$identifier
-
+
+.. _delete-a-user:
+
 Delete a User
 ~~~~~~~~~~~~~
 
@@ -3178,9 +3182,104 @@ Deletes an ``AuthenticatedUser`` whose ``id``  is passed. ::
 
     DELETE http://$SERVER/api/admin/authenticatedUsers/id/$id
 
-Note: If the user has performed certain actions such as creating or contributing to a Dataset or downloading a file they cannot be deleted.
-
-
+Note: If the user has performed certain actions such as creating or contributing to a Dataset or downloading a file they cannot be deleted. To see where in the database these actions are stored you can use the :ref:`show-user-traces-api` API. If a user cannot be deleted for this reason, you can choose to :ref:`deactivate a user<deactivate-a-user>`.
+
+.. _deactivate-a-user:
+
+Deactivate a User
+~~~~~~~~~~~~~~~~~
+
+Deactivates a user. A superuser API token is not required but the command will operate using the first superuser it finds.
+
+.. note:: See :ref:`curl-examples-and-environment-variables` if you are unfamiliar with the use of export below.
+
+.. code-block:: bash
+
+  export SERVER_URL=http://localhost:8080
+  export USERNAME=jdoe
+
+  curl -X POST $SERVER_URL/api/admin/authenticatedUsers/$USERNAME/deactivate
+
+The fully expanded example above (without environment variables) looks like this:
+
+.. code-block:: bash
+
+  curl -X POST http://localhost:8080/api/admin/authenticatedUsers/jdoe/deactivate
+
+The database ID of the user can be passed instead of the username.
+
+.. code-block:: bash
+
+  export SERVER_URL=http://localhost:8080
+  export USERID=42
+
+  curl -X POST $SERVER_URL/api/admin/authenticatedUsers/id/$USERID/deactivate
+
+Note: A primary purpose of most Dataverse installations is to serve an archive. In the archival space, there are best practices around the tracking of data access and the tracking of modifications to data and metadata. In support of these key workflows, a simple mechanism to delete users that have performed edit or access actions in the system is not provided. Providing a Deactivate User endpoint for users who have taken certain actions in the system alongside a Delete User endpoint to remove users that haven't taken certain actions in the system is by design.
+
+This is an irreversible action. There is no option to undeactivate a user.
+
+Deactivating a user with this endpoint will:
+
+- Deactivate the user's ability to log in to the Dataverse installation. A message will be shown, stating that the account has been deactivated. The user will not able to create a new account with the same email address, ORCID, Shibboleth, or other login type.
+- Deactivate the user's ability to use the API
+- Remove the user's access from all Dataverse collections, datasets and files
+- Prevent a user from being assigned any roles
+- Cancel any pending file access requests generated by the user
+- Remove the user from all groups
+- No longer have notifications generated or sent by the Dataverse installation
+- Prevent the account from being converted into an OAuth or Shibboleth account.
+- Prevent the user from becoming a superuser.
+
+Deactivating a user with this endpoint will keep:
+
+- The user's contributions to datasets, including dataset creation, file uploads, and publishing.
+- The user's access history to datafiles in the Dataverse installation, including guestbook records.
+- The user's account information (specifically name, email, affiliation, and position)
+
+.. _show-user-traces-api:
+
+Show User Traces
+~~~~~~~~~~~~~~~~
+
+Show the traces that the user has left in the system, such as datasets created, guestbooks filled out, etc. This can be useful for understanding why a user cannot be deleted. A superuser API token is required.
+
+.. note:: See :ref:`curl-examples-and-environment-variables` if you are unfamiliar with the use of export below.
+
+.. code-block:: bash
+
+  export API_TOKEN=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+  export SERVER_URL=https://demo.dataverse.org
+  export USERNAME=jdoe
+
+  curl -H "X-Dataverse-key:$API_TOKEN" -X GET $SERVER_URL/api/users/$USERNAME/traces
+
+The fully expanded example above (without environment variables) looks like this:
+
+.. code-block:: bash
+
+  curl -H X-Dataverse-key:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -X GET https://demo.dataverse.org/api/users/jdoe/traces
+
+Remove All Roles from a User
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Removes all roles from the user. This is equivalent of clicking the "Remove All Roles" button in the superuser dashboard. Note that you can preview the roles that will be removed with the :ref:`show-user-traces-api` API. A superuser API token is required.
+
+.. note:: See :ref:`curl-examples-and-environment-variables` if you are unfamiliar with the use of export below.
+
+.. code-block:: bash
+
+  export API_TOKEN=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+  export SERVER_URL=https://demo.dataverse.org
+  export USERNAME=jdoe
+
+  curl -H "X-Dataverse-key:$API_TOKEN" -X POST $SERVER_URL/api/users/$USERNAME/removeRoles
+
+The fully expanded example above (without environment variables) looks like this:
+
+.. code-block:: bash
+
+  curl -H X-Dataverse-key:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -X POST http://localhost:8080/api/users/jdoe/removeRoles
 
 List Role Assignments of a Role Assignee
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

doc/sphinx-guides/source/developers/remote-users.rst

@@ -10,7 +10,7 @@ Shibboleth and OAuth
 
 If you are working on anything related to users, please keep in mind that your changes will likely affect Shibboleth and OAuth users. For some background on user accounts in the Dataverse Software, see :ref:`auth-modes` section of Configuration in the Installation Guide.
 
-Rather than setting up Shibboleth on your laptop, developers are advised to simply add a value to their database to enable Shibboleth "dev mode" like this:
+Rather than setting up Shibboleth on your laptop, developers are advised to add the Shibboleth auth provider (see "Add the Shibboleth Authentication Provider to Your Dataverse Installation" at :doc:`/installation/shibboleth`) and add a value to their database to enable Shibboleth "dev mode" like this:
 
 ``curl http://localhost:8080/api/admin/settings/:DebugShibAccountType -X PUT -d RANDOM``
 

doc/sphinx-guides/source/user/account.rst

@@ -99,6 +99,8 @@ If you already have a Dataverse installation account associated with the Usernam
 #. Enter your current password for your Dataverse installation account and click "Convert Account".
 #. Now you have finished converting your Dataverse installation account to use your institutional log in.
 
+Note that you cannot go through this conversion process if your Dataverse installation account associated with the Username/Email log in option has been deactivated.
+
 Convert your Dataverse installation account away from your Institutional Log In
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
@@ -132,6 +134,8 @@ If you already have a Dataverse installation account associated with the Usernam
 #. Enter your username and password for your Dataverse installation account and click "Convert Account".
 #. Now you have finished converting your Dataverse installation account to use ORCID for log in.
 
+Note that you cannot go through this conversion process if your Dataverse installation account associated with the Username/Email log in option has been deactivated.
+
 Convert your Dataverse installation account away from ORCID for log in
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 

src/main/java/edu/harvard/iq/dataverse/DataFile.java

@@ -57,6 +57,10 @@
 @NamedQueries({
 	@NamedQuery( name="DataFile.removeFromDatasetVersion",
 		query="DELETE FROM FileMetadata f WHERE f.datasetVersion.id=:versionId and f.dataFile.id=:fileId"),
+        @NamedQuery(name = "DataFile.findByCreatorId",
+                query = "SELECT o FROM DataFile o WHERE o.creator.id=:creatorId"),
+        @NamedQuery(name = "DataFile.findByReleaseUserId",
+                query = "SELECT o FROM DataFile o WHERE o.releaseUser.id=:releaseUserId"),
         @NamedQuery(name="DataFile.findDataFileByIdProtocolAuth", 
                 query="SELECT s FROM DataFile s WHERE s.identifier=:identifier AND s.protocol=:protocol AND s.authority=:authority"),
         @NamedQuery(name="DataFile.findDataFileThatReplacedId", 

src/main/java/edu/harvard/iq/dataverse/DataFileServiceBean.java

@@ -155,7 +155,15 @@ public DataFile find(Object pk) {
     public DataFile findByGlobalId(String globalId) {
             return (DataFile) dvObjectService.findByGlobalId(globalId, DataFile.DATAFILE_DTYPE_STRING);
     }
-
+
+    public List<DataFile> findByCreatorId(Long creatorId) {
+        return em.createNamedQuery("DataFile.findByCreatorId").setParameter("creatorId", creatorId).getResultList();
+    }
+
+    public List<DataFile> findByReleaseUserId(Long releaseUserId) {
+        return em.createNamedQuery("DataFile.findByReleaseUserId").setParameter("releaseUserId", releaseUserId).getResultList();
+    }
+
     public DataFile findReplacementFile(Long previousFileId){
         Query query = em.createQuery("select object(o) from DataFile as o where o.previousDataFileId = :previousFileId");
         query.setParameter("previousFileId", previousFileId);

src/main/java/edu/harvard/iq/dataverse/Dataset.java

@@ -53,6 +53,10 @@
                 query = "SELECT o.id FROM Dataset o WHERE o.owner.id=:ownerId"),
     @NamedQuery(name = "Dataset.findByOwnerId", 
                 query = "SELECT o FROM Dataset o WHERE o.owner.id=:ownerId"),
+    @NamedQuery(name = "Dataset.findByCreatorId",
+                query = "SELECT o FROM Dataset o WHERE o.creator.id=:creatorId"),
+    @NamedQuery(name = "Dataset.findByReleaseUserId",
+                query = "SELECT o FROM Dataset o WHERE o.releaseUser.id=:releaseUserId"),
 })
 
 /*

src/main/java/edu/harvard/iq/dataverse/DatasetServiceBean.java

@@ -150,6 +150,14 @@ private List<Long> findIdsByOwnerId(Long ownerId, boolean onlyPublished) {
         }
     }
 
+    public List<Dataset> findByCreatorId(Long creatorId) {
+        return em.createNamedQuery("Dataset.findByCreatorId").setParameter("creatorId", creatorId).getResultList();
+    }
+
+    public List<Dataset> findByReleaseUserId(Long releaseUserId) {
+        return em.createNamedQuery("Dataset.findByReleaseUserId").setParameter("releaseUserId", releaseUserId).getResultList();
+    }
+
     public List<Dataset> filterByPidQuery(String filterQuery) {
         // finds only exact matches
         Dataset ds = findByGlobalId(filterQuery);

src/main/java/edu/harvard/iq/dataverse/Dataverse.java

@@ -50,6 +50,8 @@
     @NamedQuery(name = "Dataverse.findRoot", query = "SELECT d FROM Dataverse d where d.owner.id=null"),
     @NamedQuery(name = "Dataverse.findByAlias", query="SELECT dv FROM Dataverse dv WHERE LOWER(dv.alias)=:alias"),
     @NamedQuery(name = "Dataverse.findByOwnerId", query="select object(o) from Dataverse as o where o.owner.id =:ownerId order by o.name"),
+    @NamedQuery(name = "Dataverse.findByCreatorId", query="select object(o) from Dataverse as o where o.creator.id =:creatorId order by o.name"),
+    @NamedQuery(name = "Dataverse.findByReleaseUserId", query="select object(o) from Dataverse as o where o.releaseUser.id =:releaseUserId order by o.name"),
     @NamedQuery(name = "Dataverse.filterByAlias", query="SELECT dv FROM Dataverse dv WHERE LOWER(dv.alias) LIKE :alias order by dv.alias"),
     @NamedQuery(name = "Dataverse.filterByAliasNameAffiliation", query="SELECT dv FROM Dataverse dv WHERE (LOWER(dv.alias) LIKE :alias) OR (LOWER(dv.name) LIKE :name) OR (LOWER(dv.affiliation) LIKE :affiliation) order by dv.alias"),
     @NamedQuery(name = "Dataverse.filterByName", query="SELECT dv FROM Dataverse dv WHERE LOWER(dv.name) LIKE :name  order by dv.alias")

src/main/java/edu/harvard/iq/dataverse/DataverseServiceBean.java

@@ -173,6 +173,14 @@ public List<Long> findDataverseIdsForIndexing(boolean skipIndexed) {
 
     }
 
+    public List<Dataverse> findByCreatorId(Long creatorId) {
+        return em.createNamedQuery("Dataverse.findByCreatorId").setParameter("creatorId", creatorId).getResultList();
+    }
+
+    public List<Dataverse> findByReleaseUserId(Long releaseUserId) {
+        return em.createNamedQuery("Dataverse.findByReleaseUserId").setParameter("releaseUserId", releaseUserId).getResultList();
+    }
+
     public List<Dataverse> findByOwnerId(Long ownerId) {
         return em.createNamedQuery("Dataverse.findByOwnerId").setParameter("ownerId", ownerId).getResultList();
     }

src/main/java/edu/harvard/iq/dataverse/DataverseSession.java

@@ -4,9 +4,12 @@
 import edu.harvard.iq.dataverse.PermissionServiceBean.StaticPermissionQuery;
 import edu.harvard.iq.dataverse.actionlogging.ActionLogRecord;
 import edu.harvard.iq.dataverse.actionlogging.ActionLogServiceBean;
+import edu.harvard.iq.dataverse.authorization.AuthenticationServiceBean;
 import edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser;
 import edu.harvard.iq.dataverse.authorization.users.GuestUser;
 import edu.harvard.iq.dataverse.authorization.users.User;
+import edu.harvard.iq.dataverse.util.BundleUtil;
+import edu.harvard.iq.dataverse.util.JsfHelper;
 import edu.harvard.iq.dataverse.util.SessionUtil;
 import edu.harvard.iq.dataverse.util.SystemConfig;
 import java.io.IOException;
@@ -54,7 +57,10 @@ public class DataverseSession implements Serializable{
 
     @EJB
     BannerMessageServiceBean bannerMessageService;
-
+
+    @EJB
+    AuthenticationServiceBean authenticationService;
+
     private static final Logger logger = Logger.getLogger(DataverseSession.class.getCanonicalName());
 
     private boolean statusDismissed = false;
@@ -84,26 +90,70 @@ public void setDismissedMessages(List<BannerMessage> dismissedMessages) {
     private Boolean debug;
 
     public User getUser() {
+        return getUser(false);
+    }
+
+    /**
+     * For performance reasons, we only lookup the authenticated user again (to
+     * check if it has been deleted or deactivated, for example) when we have
+     * to.
+     *
+     * @param lookupAuthenticatedUserAgain A boolean to indicate if we should go
+     * to the database again to lookup the user to get the latest values that
+     * may have been updated outside the session.
+     */
+    public User getUser(boolean lookupAuthenticatedUserAgain) {
         if ( user == null ) {
             user = GuestUser.get();
         }
-
+        if (lookupAuthenticatedUserAgain && user instanceof AuthenticatedUser) {
+            AuthenticatedUser auFromSession = (AuthenticatedUser) user;
+            AuthenticatedUser auFreshLookup = authenticationService.findByID(auFromSession.getId());
+            if (auFreshLookup == null) {
+                logger.fine("getUser found user no longer exists (was deleted). Returning GuestUser.");
+                user = GuestUser.get();
+            } else {
+                if (auFreshLookup.isDeactivated()) {
+                    logger.fine("getUser found user is deactivated. Returning GuestUser.");
+                    user = GuestUser.get();
+                }
+            }
+        }
         return user;
     }
 
+    /**
+     * Sets the user and configures the session timeout.
+     */
     public void setUser(User aUser) {
-
+        // We check for deactivated status here in "setUser" to ensure a common user
+        // experience across Builtin, Shib, OAuth, and OIDC users.
+        // If we want a different user experience for Builtin users, we can
+        // modify getUpdateAuthenticatedUser in AuthenticationServiceBean
+        // (and probably other places).
+        if (aUser instanceof AuthenticatedUser && aUser.isDeactivated()) {
+            logger.info("Login attempt by deactivated user " + aUser.getIdentifier() + ".");
+            JsfHelper.addErrorMessage(BundleUtil.getStringFromBundle("deactivated.error"));
+            return;
+        }
         FacesContext context = FacesContext.getCurrentInstance();
 		// Log the login/logout and Change the session id if we're using the UI and have
 		// a session, versus an API call with no session - (i.e. /admin/submitToArchive()
 		// which sets the user in the session to pass it through to the underlying command)
+        // TODO: reformat to remove tabs etc.
 		if(context != null) {
           logSvc.log( 
                       new ActionLogRecord(ActionLogRecord.ActionType.SessionManagement,(aUser==null) ? "logout" : "login")
                           .setUserIdentifier((aUser!=null) ? aUser.getIdentifier() : (user!=null ? user.getIdentifier() : "") ));
 
           //#3254 - change session id when user changes
           SessionUtil.changeSessionId((HttpServletRequest) context.getExternalContext().getRequest());
+            HttpSession httpSession = (HttpSession) context.getExternalContext().getSession(false);
+            if (httpSession != null) {
+                // Configure session timeout.
+                logger.fine("jsession: " + httpSession.getId() + " setting the lifespan of the session to " + systemConfig.getLoginSessionTimeout() + " minutes");
+                httpSession.setMaxInactiveInterval(systemConfig.getLoginSessionTimeout() * 60); // session timeout, in seconds
+            }
         }
         this.user = aUser;
     }
@@ -208,15 +258,5 @@ public void dismissMessage(BannerMessage message){
         }
 
     }
-
-    public void configureSessionTimeout() {
-        HttpSession httpSession = (HttpSession) FacesContext.getCurrentInstance().getExternalContext().getSession(false);
-
-        if (httpSession != null) {
-            logger.fine("jsession: "+httpSession.getId()+" setting the lifespan of the session to " + systemConfig.getLoginSessionTimeout() + " minutes");
-            httpSession.setMaxInactiveInterval(systemConfig.getLoginSessionTimeout() * 60); // session timeout, in seconds
-        }
-
-    }
 
 }