
Create root user on IAM application startup#28

Merged

phongphongg merged 3 commits into v0 from feature/seed-root-user on May 21, 2026

Conversation

phongphongg (Contributor) commented May 21, 2026
This pull request introduces significant refactoring and improvements to the core security and infrastructure modules, with a focus on modularization, enhanced auditing, and improved user management. The changes include moving infrastructure classes to more appropriate module-specific packages, implementing auditing support, and enriching the User model with auditing fields and sensible defaults. Additionally, several new support utilities have been added for security context handling, and the build workflow has been simplified and updated.

Core modularization and refactoring:

  • Moved infrastructure classes such as JdbcLockConfiguration and PasswordEncoderConfiguration to core.module.lock and core.module.security.configuration respectively, and updated related package-info files and auto-configuration imports for better modular separation. (core/src/main/java/com/workastra/core/module/lock/JdbcLockConfiguration.java, core/src/main/java/com/workastra/core/module/lock/package-info.java, core/src/main/java/com/workastra/core/module/security/configuration/PasswordEncoderConfiguration.java, core/src/main/java/com/workastra/core/module/security/configuration/package-info.java, core/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports)

  • Moved security-related entities and repositories (User, UserRepository) from the iam module to core.module.security, and adjusted their package structure and related package-info files accordingly. (core/src/main/java/com/workastra/core/module/security/model/User.java, core/src/main/java/com/workastra/core/module/security/model/package-info.java, core/src/main/java/com/workastra/core/module/security/repository/UserRepository.java, core/src/main/java/com/workastra/core/module/security/repository/package-info.java)

Auditing enhancements:

  • Introduced AuditorAwareImpl to provide auditing support for entities, enabling automatic population of created/updated by fields using the current authenticated user. (core/src/main/java/com/workastra/core/module/auditing/AuditorAwareImpl.java, core/src/main/java/com/workastra/core/module/auditing/package-info.java)

  • Updated the User entity to include auditing fields (createdBy, updatedBy, deletedBy, deletedAt) with proper JPA and Spring Data annotations, and enabled entity listeners for auditing. (core/src/main/java/com/workastra/core/module/security/model/User.java)

User model improvements:

  • Added sensible defaults for several User fields (e.g., gender, locale, accountNonExpired, etc.) and improved the getFullName() method to handle null values more gracefully. (core/src/main/java/com/workastra/core/module/security/model/User.java)

  • Extended UserRepository with a new method findByUsernameAndDeletedAtIsNull to support soft-deleted users. (core/src/main/java/com/workastra/core/module/security/repository/UserRepository.java)

Security support utilities:

  • Added Identifiers and SecurityContextTemplate utility classes to simplify working with authentication and security contexts in a programmatic way. (core/src/main/java/com/workastra/core/module/security/support/Identifiers.java, core/src/main/java/com/workastra/core/module/security/support/SecurityContextTemplate.java, core/src/main/java/com/workastra/core/module/security/support/package-info.java)

Build and workflow updates:

  • Updated the GitHub Actions workflow to use Corretto JDK 26 instead of GraalVM, removed native build/test jobs, and consolidated JVM build and test steps for simplification. (.github/workflows/workastra_platform.yaml)

  • Removed the GraalVM build tools plugin from both console/build.gradle.kts and iam/build.gradle.kts.

Summary by CodeRabbit

  • New Features

    • Added soft-delete support for users and auditable entities—deleted records are retained in the database but excluded from queries.
    • Enhanced audit tracking with user-level attribution for entity creation and modification events.
  • Infrastructure

    • Upgraded Java runtime from 25.0.1 to 26 with Corretto distribution.
    • Updated database schema to support soft-delete and improved audit field mappings.


@phongphongg phongphongg added this to the v0.1.0 milestone May 21, 2026
@phongphongg phongphongg self-assigned this May 21, 2026
@phongphongg phongphongg added labels "type: feature" (New capability that doesn't exist yet), "priority: medium" (P2 — notable issue, planned soon), "status: confirmed" (Acknowledged and accepted by maintainers), "pr: size M" (Medium diff, 50–250 lines changed), "project: core" (Affects the core shared layer) and "project: iam" (Identity & access management service) on May 21, 2026
coderabbitai (Bot) commented May 21, 2026

Caution: Review failed. The pull request is closed.

📥 Commits

Reviewing files that changed from the base of the PR and between 876839d and 4b9476d.

📒 Files selected for processing (30)
  • .github/workflows/workastra_platform.yaml
  • build.gradle.kts
  • console/build.gradle.kts
  • core/src/main/java/com/workastra/core/module/auditing/AuditorAwareImpl.java
  • core/src/main/java/com/workastra/core/module/auditing/package-info.java
  • core/src/main/java/com/workastra/core/module/lock/JdbcLockConfiguration.java
  • core/src/main/java/com/workastra/core/module/lock/package-info.java
  • core/src/main/java/com/workastra/core/module/security/configuration/PasswordEncoderConfiguration.java
  • core/src/main/java/com/workastra/core/module/security/configuration/package-info.java
  • core/src/main/java/com/workastra/core/module/security/model/User.java
  • core/src/main/java/com/workastra/core/module/security/model/package-info.java
  • core/src/main/java/com/workastra/core/module/security/repository/UserRepository.java
  • core/src/main/java/com/workastra/core/module/security/repository/package-info.java
  • core/src/main/java/com/workastra/core/module/security/support/Identifiers.java
  • core/src/main/java/com/workastra/core/module/security/support/SecurityContextTemplate.java
  • core/src/main/java/com/workastra/core/module/security/support/package-info.java
  • core/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports
  • iam/build.gradle.kts
  • iam/src/main/java/com/workastra/iam/Bootstrap.java
  • iam/src/main/java/com/workastra/iam/IAMApplication.java
  • iam/src/main/java/com/workastra/iam/bootstrap/OAuthClientBootstrap.java
  • iam/src/main/java/com/workastra/iam/bootstrap/UserBootstrap.java
  • iam/src/main/java/com/workastra/iam/bootstrap/package-info.java
  • iam/src/main/java/com/workastra/iam/configuration/TokenCustomizer.java
  • iam/src/main/java/com/workastra/iam/configuration/UserInfoMapper.java
  • iam/src/main/java/com/workastra/iam/service/CustomUserDetailsService.java
  • iam/src/main/resources/application.yaml
  • migration/build.gradle.kts
  • migration/src/main/resources/db/migration/postgresql/V0_1_0__2026-04-23 - Hello World.sql
  • qodana.yaml

Walkthrough

This PR upgrades Java from 25 to 26, removes GraalVM native tooling across build configs, reorganizes User and security classes into a new core module, enhances User persistence with auditing relationships and soft-delete support, introduces security utilities for bootstrap, and updates the database schema to match.

Changes

Java Runtime & Security Module Refactor

Java runtime upgrade and build tooling
  File(s): .github/workflows/workastra_platform.yaml, build.gradle.kts, console/build.gradle.kts, iam/build.gradle.kts, migration/build.gradle.kts, qodana.yaml
  Summary: Java version updated from 25.0.1 to 26 in workflow env vars, Gradle configs, and Qodana analysis settings. GraalVM native build plugin removed from all module Gradle files. JVM build job restructured to use explicit setup-java action and separate test/build steps.

Core security module structure and package setup
  File(s): core/src/main/java/com/workastra/core/module/lock/*, core/src/main/java/com/workastra/core/module/security/configuration/*, core/src/main/java/com/workastra/core/module/auditing/*, core/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports
  Summary: New core module package hierarchy established: JdbcLockConfiguration and PasswordEncoderConfiguration relocated from infrastructure to module-specific packages; auditing and security configuration subpackages created with @NullMarked annotations; AutoConfiguration imports updated to reference new class locations.

User model migration and auditing enhancements
  File(s): core/src/main/java/com/workastra/core/module/security/model/User.java, core/src/main/java/com/workastra/core/module/security/model/package-info.java
  Summary: User entity moved from iam.entity to core.module.security.model; @EntityListeners(AuditingEntityListener.class) applied; UUID generation switched to @UuidGenerator(VERSION_7); audit fields (createdBy/updatedBy) changed from String to lazy @ManyToOne User references with @CreatedBy/@LastModifiedBy; soft-delete fields (deletedAt/deletedBy) added; @Builder.Default values applied for gender/locale/timezone/account-status; getFullName() refactored to handle null name parts.

User repository soft-delete query integration
  File(s): core/src/main/java/com/workastra/core/module/security/repository/UserRepository.java, core/src/main/java/com/workastra/core/module/security/repository/package-info.java
  Summary: UserRepository relocated to core.module.security.repository; query method changed from findByUsername to findByUsernameAndDeletedAtIsNull to enforce soft-delete filtering; package-level @NullMarked annotation added.

Security context utilities and bootstrap infrastructure
  File(s): core/src/main/java/com/workastra/core/module/security/support/Identifiers.java, core/src/main/java/com/workastra/core/module/security/support/SecurityContextTemplate.java, core/src/main/java/com/workastra/core/module/security/support/package-info.java
  Summary: Identifiers component added to construct authenticated tokens from usernames via UserRepository; SecurityContextTemplate utility added to swap SecurityContext during task execution; both support bootstrap flow for creating initial users under specific security contexts.

Bootstrap components for initial data setup
  File(s): iam/src/main/java/com/workastra/iam/bootstrap/OAuthClientBootstrap.java, iam/src/main/java/com/workastra/iam/bootstrap/UserBootstrap.java, iam/src/main/java/com/workastra/iam/bootstrap/package-info.java
  Summary: OAuthClientBootstrap added to acquire distributed lock and migrate configured OAuth2 clients with secret encoding and authentication method mapping. UserBootstrap added to validate system user, acquire lock, and create root user within SecurityContextTemplate authenticated as system using Identifiers utility. Bootstrap package-info updated.

IAM module integration and configuration updates
  File(s): iam/src/main/java/com/workastra/iam/IAMApplication.java, iam/src/main/java/com/workastra/iam/configuration/TokenCustomizer.java, iam/src/main/java/com/workastra/iam/configuration/UserInfoMapper.java, iam/src/main/java/com/workastra/iam/service/CustomUserDetailsService.java, iam/src/main/resources/application.yaml
  Summary: IAMApplication updated with @EntityScan/@EnableJpaRepositories/@EnableJpaAuditing for explicit JPA scanning. TokenCustomizer, UserInfoMapper, and CustomUserDetailsService updated to import User from core.module.security package. UserInfoMapper refactored to conditionally add GIVEN_NAME claim only when non-null. Hibernate ddl-auto changed from none to validate.

Database schema migration for audit relationships and soft delete
  File(s): migration/src/main/resources/db/migration/postgresql/V0_1_0__2026-04-23 - Hello World.sql
  Summary: PostgreSQL migration enables pgcrypto; updates users table with UUID primary key naming and givenName nullability; converts audit columns from TEXT to UUID foreign keys with ON DELETE RESTRICT; adds deletedAt/deletedBy soft-delete fields; updates authorities table with audit/soft-delete columns; rewrites user_authorities foreign keys to inline UUID constraints with ON DELETE RESTRICT (replacing ON DELETE CASCADE); updates seed insert to use UUID literals.

Sequence Diagram

sequenceDiagram
    participant IAMApp as IAMApplication
    participant UBootstrap as UserBootstrap
    participant LockReg as LockRegistry
    participant SecTemplate as SecurityContextTemplate
    participant Identifiers as Identifiers
    participant UserRepo as UserRepository
    participant Database as Database
    
    IAMApp->>UBootstrap: run(ApplicationArguments)
    UBootstrap->>LockReg: acquire lock "iam.users"
    UBootstrap->>UserRepo: findByUsernameAndDeletedAtIsNull("system")
    UserRepo->>Database: query users WHERE username='system' AND deleted_at IS NULL
    Database-->>UserRepo: system user
    alt system user missing
        UBootstrap->>UBootstrap: log and exit
    else root user exists
        UBootstrap->>UBootstrap: log and skip creation
    else proceed to create root
        UBootstrap->>Identifiers: ofUsername("system")
        Identifiers->>UserRepo: findByUsernameAndDeletedAtIsNull("system")
        UserRepo-->>Identifiers: system user
        Identifiers-->>UBootstrap: Callable<Authentication>
        UBootstrap->>SecTemplate: use(callable).run(rootCreation)
        SecTemplate->>SecTemplate: swap SecurityContext with system auth
        SecTemplate->>UserRepo: save(root user)
        UserRepo->>Database: INSERT root user with created_by=system.id
        SecTemplate->>SecTemplate: restore previous SecurityContext
    end
    LockReg->>UBootstrap: release lock

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

  • workastra/platform#1: Initial IAM/auth server refactor that established the OAuth2/OIDC infrastructure foundation that this PR extends with soft-delete filtering, audit relationships, and bootstrap management.

Suggested labels

project: migration, type: refactor

🐰 A bunny's ode to the refactor:

From version twenty-five we hop to twenty-six,
Security modules now properly mix,
Audit trails and soft deletes in place,
Bootstrap magic sets the pace! 🌱

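The startup flow that the PR description (the "Auditing enhancements" and "Security support utilities" bullets) and the walkthrough's UserBootstrap sequence describe, written out as one added Java example. This is not code from the workastra repository: the class bodies, the `IAM_ROOT_INITIAL_PASSWORD` setting, the 30-second lock timeout and the decision to fail rather than log-and-exit when the system user is missing are this example's choices. It assumes Spring Boot 3 / Spring Security 6, Spring Data JPA auditing, Spring Integration's `LockRegistry`, and the PR's own `User` (Lombok builder with `username`/`password` fields) and `UserRepository#findByUsernameAndDeletedAtIsNull(String)` returning `Optional<User>`.

```java
// Added example, not code from the PR. Assumes Spring Boot 3 / Spring Security 6, Spring Data JPA
// auditing, Spring Integration's LockRegistry, and the PR's own User (Lombok builder) and
// UserRepository#findByUsernameAndDeletedAtIsNull(String) -> Optional<User>. The env var name,
// lock timeout and every method body here are this example's choices.
import java.util.List;
import java.util.Optional;
import java.util.concurrent.Callable;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.locks.Lock;
import org.springframework.boot.ApplicationArguments;
import org.springframework.boot.ApplicationRunner;
import org.springframework.data.domain.AuditorAware;
import org.springframework.integration.support.locks.LockRegistry;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.crypto.password.PasswordEncoder;

/** Runs one task with a substituted SecurityContext and always puts the previous one back. */
final class SecurityContextTemplate {
    private final Callable<Authentication> authentication;
    private SecurityContextTemplate(Callable<Authentication> a) { this.authentication = a; }
    static SecurityContextTemplate use(Callable<Authentication> a) { return new SecurityContextTemplate(a); }

    <T> T call(Callable<T> task) throws Exception {
        SecurityContext previous = SecurityContextHolder.getContext();
        SecurityContext scoped = SecurityContextHolder.createEmptyContext(); // fresh, not a mutation of the shared one
        scoped.setAuthentication(authentication.call());
        SecurityContextHolder.setContext(scoped);
        try {
            return task.call();
        } finally {
            // Unconditional restore: a leaked "system" principal would attribute whatever runs next on this thread.
            SecurityContextHolder.setContext(previous);
        }
    }
}

/** Builds an Authentication for an existing, non-deleted user; no credential is checked. */
final class Identifiers {
    private final UserRepository users;
    Identifiers(UserRepository users) { this.users = users; }

    Callable<Authentication> ofUsername(String username) {
        return () -> {
            User user = users.findByUsernameAndDeletedAtIsNull(username)
                    .orElseThrow(() -> new IllegalStateException("no active user: " + username));
            // Impersonation by construction: keep this reachable only from trusted startup code, never a request path.
            return UsernamePasswordAuthenticationToken.authenticated(user, null, List.of());
        };
    }
}

/** Supplies @CreatedBy/@LastModifiedBy from the current SecurityContext. */
final class AuditorAwareImpl implements AuditorAware<User> {
    @Override
    public Optional<User> getCurrentAuditor() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated() || !(auth.getPrincipal() instanceof User user)) {
            return Optional.empty(); // leave created_by/updated_by unset rather than guess a principal
        }
        return Optional.of(user);
    }
}

/** Seeds root once, under a cluster-wide lock, attributed to the system user. */
final class UserBootstrap implements ApplicationRunner {
    private static final String LOCK_KEY = "iam.users";
    private final LockRegistry locks;
    private final UserRepository users;
    private final PasswordEncoder encoder;
    private final Identifiers identifiers;
    UserBootstrap(LockRegistry locks, UserRepository users, PasswordEncoder encoder, Identifiers identifiers) {
        this.locks = locks; this.users = users; this.encoder = encoder; this.identifiers = identifiers;
    }

    @Override
    public void run(ApplicationArguments args) throws Exception {
        Lock lock = locks.obtain(LOCK_KEY);
        if (!lock.tryLock(30, TimeUnit.SECONDS)) { // bounded wait: a stale lock row must not hang startup forever
            throw new IllegalStateException("could not acquire lock " + LOCK_KEY);
        }
        try {
            if (users.findByUsernameAndDeletedAtIsNull("system").isEmpty()) {
                throw new IllegalStateException("system user missing; apply migrations before seeding root");
            }
            if (users.findByUsernameAndDeletedAtIsNull("root").isPresent()) {
                return; // idempotent: restarts and other instances must not create a second root
            }
            String initial = System.getenv("IAM_ROOT_INITIAL_PASSWORD"); // hypothetical setting, never a literal
            if (initial == null || initial.isBlank()) {
                throw new IllegalStateException("IAM_ROOT_INITIAL_PASSWORD is not set; refusing to seed root");
            }
            User root = User.builder().username("root").password(encoder.encode(initial)).build();
            SecurityContextTemplate.use(identifiers.ofUsername("system")).call(() -> users.save(root));
        } finally {
            lock.unlock();
        }
    }
}
```

Two points a reviewer would want confirmed against the real implementation. First, `Identifiers.ofUsername` is a credential-free impersonation primitive: it mints an authenticated token for any active username, so it belongs in startup code only and must never be reachable from a request path or exposed as a public bean that a controller could inject. Second, the `finally` restore in `SecurityContextTemplate` is what keeps the "system" principal from leaking; `ApplicationRunner`s run on the main thread, so without it anything audited later in startup would be attributed to system. The existence check on the system user matters because the migration turns `created_by`/`updated_by` into UUID foreign keys with ON DELETE RESTRICT: root's `created_by` has to point at a real row, and that same RESTRICT is what stops the system user from being hard-deleted out from under the audit trail.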

@phongphongg phongphongg force-pushed the feature/seed-root-user branch 5 times, most recently from aa7fadd to 9a4abfe on May 21, 2026 14:46
…, repository, and auditing capabilities; update application configuration and database schema.
…User entity to simplify JoinColumn annotations; add package-info.java for bootstrap package with NullMarked annotation.
@phongphongg phongphongg force-pushed the feature/seed-root-user branch from 443afb3 to 4b9476d on May 21, 2026 15:03
@phongphongg phongphongg marked this pull request as ready for review May 21, 2026 15:10
@phongphongg phongphongg changed the title Implement user management, security features, and update configuration Create root user on IAM application startup May 21, 2026
@phongphongg phongphongg merged commit 1418c19 into v0 May 21, 2026
11 of 12 checks passed
@phongphongg phongphongg deleted the feature/seed-root-user branch May 21, 2026 15:12
