open-metadata · mohityadav766 · Jun 24, 2024 · Jun 20, 2024 · Jun 21, 2024 · Jun 21, 2024
diff --git a/bootstrap/sql/migrations/native/1.4.4/mysql/postDataMigrationSQLScript.sql b/bootstrap/sql/migrations/native/1.4.4/mysql/postDataMigrationSQLScript.sql
diff --git a/bootstrap/sql/migrations/native/1.4.4/mysql/schemaChanges.sql b/bootstrap/sql/migrations/native/1.4.4/mysql/schemaChanges.sql
@@ -0,0 +1 @@
+ALTER TABLE user_entity ADD UNIQUE (name);
diff --git a/bootstrap/sql/migrations/native/1.4.4/postgres/postDataMigrationSQLScript.sql b/bootstrap/sql/migrations/native/1.4.4/postgres/postDataMigrationSQLScript.sql
diff --git a/bootstrap/sql/migrations/native/1.4.4/postgres/schemaChanges.sql b/bootstrap/sql/migrations/native/1.4.4/postgres/schemaChanges.sql
@@ -0,0 +1 @@
+ALTER TABLE user_entity ADD UNIQUE (name);
@@ -126,8 +126,13 @@ public User getByEmail(UriInfo uriInfo, String email, Fields fields) {
     if (userString == null) {
       throw EntityNotFoundException.byMessage(CatalogExceptionMessage.entityNotFound(USER, email));
     }
-    return withHref(
-        uriInfo, setFieldsInternal(JsonUtils.readValue(userString, User.class), fields));
+    User user = JsonUtils.readValue(userString, User.class);
+    setFieldsInternal(user, fields);
+    setInheritedFields(user, fields);
+    // Clone the entity
+    User entityClone = JsonUtils.deepCopy(user, User.class);
+    clearFieldsInternal(entityClone, fields);
+    return withHref(uriInfo, entityClone);
   }
 
   /** Ensures that the default roles are added for POST, PUT and PATCH operations. */
@@ -321,9 +326,9 @@ private List<EntityReference> getTeamChildren(UUID teamId) {
     return findTo(teamId, TEAM, Relationship.PARENT_OF, TEAM);
   }
 
-  public List<EntityReference> getGroupTeams(UriInfo uriInfo, String userName) {
+  public List<EntityReference> getGroupTeams(UriInfo uriInfo, String email) {
     // Cleanup
-    User user = getByName(uriInfo, userName, Fields.EMPTY_FIELDS, Include.ALL, true);
+    User user = getByEmail(uriInfo, email, Fields.EMPTY_FIELDS);
     List<EntityReference> teams = getTeams(user);
     return getGroupTeams(teams);
   }

@@ -130,8 +130,10 @@
 import org.openmetadata.service.secrets.masker.EntityMaskerFactory;
 import org.openmetadata.service.security.AuthorizationException;
 import org.openmetadata.service.security.Authorizer;
+import org.openmetadata.service.security.CatalogPrincipal;
 import org.openmetadata.service.security.auth.AuthenticatorHandler;
 import org.openmetadata.service.security.auth.BotTokenCache;
+import org.openmetadata.service.security.auth.CatalogSecurityContext;
 import org.openmetadata.service.security.auth.UserTokenCache;
 import org.openmetadata.service.security.jwt.JWTTokenGenerator;
 import org.openmetadata.service.security.mask.PIIMasker;
@@ -430,15 +432,17 @@ public User getCurrentLoggedInUser(
               schema = @Schema(type = "string", example = FIELDS))
           @QueryParam("fields")
           String fieldsParam) {
+    CatalogSecurityContext catalogSecurityContext =
+        (CatalogSecurityContext) containerRequestContext.getSecurityContext();
     Fields fields = getFields(fieldsParam);
-    String currentUserName = securityContext.getUserPrincipal().getName();
-    User user = repository.getByName(uriInfo, currentUserName, fields);
+    String currentEmail = ((CatalogPrincipal) catalogSecurityContext.getUserPrincipal()).getEmail();
+    User user = repository.getByEmail(uriInfo, currentEmail, fields);
 
     // Sync the Roles from token to User
     if (Boolean.TRUE.equals(authorizerConfiguration.getUseRolesFromProvider())
         && Boolean.FALSE.equals(user.getIsBot() != null && user.getIsBot())) {
       reSyncUserRolesFromToken(
-          uriInfo, user, getRolesFromAuthorizationToken(containerRequestContext));
+          uriInfo, user, getRolesFromAuthorizationToken(catalogSecurityContext));
     }
     return addHref(uriInfo, user);
   }
@@ -463,9 +467,13 @@ public User getCurrentLoggedInUser(
         @ApiResponse(responseCode = "404", description = "User not found")
       })
   public List<EntityReference> getCurrentLoggedInUser(
-      @Context UriInfo uriInfo, @Context SecurityContext securityContext) {
-    String currentUserName = securityContext.getUserPrincipal().getName();
-    return repository.getGroupTeams(uriInfo, currentUserName);
+      @Context UriInfo uriInfo,
+      @Context SecurityContext securityContext,
+      @Context ContainerRequestContext containerRequestContext) {
+    CatalogSecurityContext catalogSecurityContext =
+        (CatalogSecurityContext) containerRequestContext.getSecurityContext();
+    String currentEmail = ((CatalogPrincipal) catalogSecurityContext.getUserPrincipal()).getEmail();
+    return repository.getGroupTeams(uriInfo, currentEmail);
   }
 
   @POST
@@ -605,10 +613,11 @@ private void validateAndAddUserAuthForBasic(User user, CreateUser create) {
 
   private void updateUserRolesIfRequired(
       User user, ContainerRequestContext containerRequestContext) {
+    CatalogSecurityContext catalogSecurityContext =
+        (CatalogSecurityContext) containerRequestContext.getSecurityContext();
     if (Boolean.TRUE.equals(authorizerConfiguration.getUseRolesFromProvider())
         && Boolean.FALSE.equals(user.getIsBot() != null && user.getIsBot())) {
-      user.setRoles(
-          validateAndGetRolesRef(getRolesFromAuthorizationToken(containerRequestContext)));
+      user.setRoles(validateAndGetRolesRef(getRolesFromAuthorizationToken(catalogSecurityContext)));
     }
   }
 

@@ -46,9 +46,10 @@ public void filter(ContainerRequestContext containerRequestContext) {
       return;
     }
     MultivaluedMap<String, String> headers = containerRequestContext.getHeaders();
-    String principal = extractAuthorizedUserName(headers);
+    String email = extractAuthorizedEmail(headers);
+    String principal = extractAuthorizedUserName(email);
     LOG.debug("AuthorizedUserName:{}", principal);
-    CatalogPrincipal catalogPrincipal = new CatalogPrincipal(principal);
+    CatalogPrincipal catalogPrincipal = new CatalogPrincipal(principal, email);
     String scheme = containerRequestContext.getUriInfo().getRequestUri().getScheme();
     CatalogSecurityContext catalogSecurityContext =
         new CatalogSecurityContext(
@@ -62,14 +63,17 @@ protected boolean isHealthEndpoint(ContainerRequestContext containerRequestConte
     return uriInfo.getPath().equalsIgnoreCase(HEALTH_END_POINT);
   }
 
-  protected String extractAuthorizedUserName(MultivaluedMap<String, String> headers) {
-    LOG.debug("Request Headers:{}", headers);
+  protected String extractAuthorizedUserName(String openIdEmail) {
+    String[] openIdEmailParts = openIdEmail.split("@");
+    return openIdEmailParts[0];
+  }
 
+  protected String extractAuthorizedEmail(MultivaluedMap<String, String> headers) {
+    LOG.debug("Request Headers:{}", headers);
     String openIdEmail = headers.getFirst(X_AUTH_PARAMS_EMAIL_HEADER);
     if (nullOrEmpty(openIdEmail)) {
       throw new AuthenticationException("Not authorized; User's Email is not present");
     }
-    String[] openIdEmailParts = openIdEmail.split("@");
-    return openIdEmailParts[0];
+    return openIdEmail;
   }
 }
@@ -16,12 +16,16 @@
 import java.security.Principal;
 import lombok.Getter;
 
-public record CatalogPrincipal(@Getter String name) implements Principal {
+public record CatalogPrincipal(@Getter String name, @Getter String email) implements Principal {
   @Override
   public String getName() {
     return name;
   }
 
+  public String getEmail() {
+    return email;
+  }
+
   @Override
   public String toString() {
     return "CatalogPrincipal{name='" + name + '\'' + '}';

@@ -15,6 +15,7 @@
 
 import static org.openmetadata.common.utils.CommonUtil.listOrEmpty;
 import static org.openmetadata.common.utils.CommonUtil.nullOrEmpty;
+import static org.openmetadata.service.security.SecurityUtil.findEmailFromClaims;
 import static org.openmetadata.service.security.SecurityUtil.findUserNameFromClaims;
 import static org.openmetadata.service.security.SecurityUtil.isBot;
 import static org.openmetadata.service.security.SecurityUtil.validateDomainEnforcement;
@@ -151,12 +152,14 @@ public void filter(ContainerRequestContext requestContext) {
 
     Map<String, Claim> claims = validateJwtAndGetClaims(tokenFromHeader);
     String userName = findUserNameFromClaims(jwtPrincipalClaimsMapping, jwtPrincipalClaims, claims);
+    String email =
+        findEmailFromClaims(jwtPrincipalClaimsMapping, jwtPrincipalClaims, claims, principalDomain);
 
     // Check Validations
     checkValidationsForToken(claims, tokenFromHeader, userName);
 
     // Setting Security Context
-    CatalogPrincipal catalogPrincipal = new CatalogPrincipal(userName);
+    CatalogPrincipal catalogPrincipal = new CatalogPrincipal(userName, email);
     String scheme = requestContext.getUriInfo().getRequestUri().getScheme();
     CatalogSecurityContext catalogSecurityContext =
         new CatalogSecurityContext(

@@ -33,7 +33,8 @@ public NoopFilter(
       AuthorizerConfiguration authorizerConfiguration) {}
 
   public void filter(ContainerRequestContext containerRequestContext) {
-    CatalogPrincipal catalogPrincipal = new CatalogPrincipal("anonymous");
+    CatalogPrincipal catalogPrincipal =
+        new CatalogPrincipal("anonymous", "anonymous@openmetadata.org");
     String scheme = containerRequestContext.getUriInfo().getRequestUri().getScheme();
     CatalogSecurityContext catalogSecurityContext =
         new CatalogSecurityContext(

@@ -523,7 +523,7 @@ public void validatePassword(String providedIdentity, User storedUser, String re
 
   @Override
   public User lookUserInProvider(String userName) {
-    User storedUser;
+    User storedUser = null;
     try {
       if (userName.contains("@")) {
         // lookup by User Email
@@ -533,23 +533,21 @@ public User lookUserInProvider(String userName) {
                 userName,
                 new EntityUtil.Fields(
                     Set.of(USER_PROTECTED_FIELDS, "roles"), "authenticationMechanism,roles"));
-      } else {
-        storedUser =
-            userRepository.getByName(
-                null,
-                userName,
-                new EntityUtil.Fields(
-                    Set.of(USER_PROTECTED_FIELDS, "roles"), "authenticationMechanism,roles"));
       }
 
       if (storedUser != null && Boolean.TRUE.equals(storedUser.getIsBot())) {
         throw new CustomExceptionMessage(
             BAD_REQUEST, INVALID_USER_OR_PASSWORD, INVALID_USERNAME_PASSWORD);
       }
-    } catch (Exception ex) {
+    } catch (Exception ignored) {
+
+    }
+
+    if (storedUser == null) {
       throw new CustomExceptionMessage(
           BAD_REQUEST, INVALID_USER_OR_PASSWORD, INVALID_USERNAME_PASSWORD);
     }
+
     return storedUser;
   }
 }
@@ -30,7 +30,6 @@
 import java.util.UUID;
 import java.util.stream.Collectors;
 import javax.json.JsonPatch;
-import javax.ws.rs.container.ContainerRequestContext;
 import javax.ws.rs.core.UriInfo;
 import lombok.extern.slf4j.Slf4j;
 import org.openmetadata.schema.auth.BasicAuthMechanism;
@@ -271,9 +270,7 @@ public static List<EntityReference> validateAndGetRolesRef(Set<String> rolesList
   }
 
   public static Set<String> getRolesFromAuthorizationToken(
-      ContainerRequestContext containerRequestContext) {
-    CatalogSecurityContext catalogSecurityContext =
-        (CatalogSecurityContext) containerRequestContext.getSecurityContext();
+      CatalogSecurityContext catalogSecurityContext) {
     return catalogSecurityContext.getUserRoles();
   }