Options to recreate admin. (#436)

6 years ago · c6e8bac2af
8 changed files with 84 additions and 16 deletions
--- a/backend/src/Squidex.Domain.Users/DefaultUserResolver.cs
+++ b/backend/src/Squidex.Domain.Users/DefaultUserResolver.cs
@ -69,7 +69,7 @@ namespace Squidex.Domain.Users
                }
                else
                {
-                    return await userManager.FindByEmailWithClaimsAsyncAsync(idOrEmail);
+                    return await userManager.FindByEmailWithClaimsAsync(idOrEmail);
                }
            }
        }
--- a/backend/src/Squidex.Domain.Users/UserManagerExtensions.cs
+++ b/backend/src/Squidex.Domain.Users/UserManagerExtensions.cs
@ -55,7 +55,7 @@ namespace Squidex.Domain.Users
            return await userManager.ResolveUserAsync(user);
        }

-        public static async Task<UserWithClaims?> FindByEmailWithClaimsAsyncAsync(this UserManager<IdentityUser> userManager, string email)
+        public static async Task<UserWithClaims?> FindByEmailWithClaimsAsync(this UserManager<IdentityUser> userManager, string email)
        {
            if (email == null)
            {
--- a/backend/src/Squidex.Infrastructure/Security/PermissionSet.cs
+++ b/backend/src/Squidex.Infrastructure/Security/PermissionSet.cs
@ -48,6 +48,20 @@ namespace Squidex.Infrastructure.Security
            display = new Lazy<string>(() => string.Join(";", this.permissions));
        }

+        public PermissionSet Add(string permission)
+        {
+            Guard.NotNullOrEmpty(permission);
+
+            return Add(new Permission(permission));
+        }
+
+        public PermissionSet Add(Permission permission)
+        {
+            Guard.NotNull(permission);
+
+            return new PermissionSet(permissions.Union(Enumerable.Repeat(permission, 1)).Distinct());
+        }
+
        public bool Allows(Permission? other)
        {
            if (other == null)
--- a/backend/src/Squidex/Areas/IdentityServer/Config/CreateAdminHost.cs
+++ b/backend/src/Squidex/Areas/IdentityServer/Config/CreateAdminHost.cs
@ -19,6 +19,7 @@ using Squidex.Domain.Users;
 using Squidex.Infrastructure.Log;
 using Squidex.Infrastructure.Security;
 using Squidex.Shared;
+using Squidex.Shared.Users;

 namespace Squidex.Areas.IdentityServer.Config
 {
@ -49,19 +50,41 @@ namespace Squidex.Areas.IdentityServer.Config
                    var adminEmail = identityOptions.AdminEmail;
                    var adminPass = identityOptions.AdminPassword;

-                    if (userManager.SupportsQueryableUsers && !userManager.Users.Any())
+                    var isEmpty = IsEmpty(userManager);
+
+                    if (isEmpty || identityOptions.AdminRecreate)
                    {
                        try
                        {
-                            var values = new UserValues
+                            var user = await userManager.FindByEmailWithClaimsAsync(adminEmail);
+
+                            if (user != null)
+                            {
+                                if (identityOptions.AdminRecreate)
+                                {
+                                    var permissions = user.Permissions().Add(Permissions.Admin);
+
+                                    var values = new UserValues
+                                    {
+                                        Password = adminPass,
+                                        Permissions = permissions
+                                    };
+
+                                    await userManager.UpdateAsync(user.Identity, values);
+                                }
+                            }
+                            else
                            {
-                                Email = adminEmail,
-                                Password = adminPass,
-                                Permissions = new PermissionSet(Permissions.Admin),
-                                DisplayName = adminEmail
-                            };
+                                var values = new UserValues
+                                {
+                                    Email = adminEmail,
+                                    Password = adminPass,
+                                    Permissions = new PermissionSet(Permissions.Admin),
+                                    DisplayName = adminEmail
+                                };

-                            await userManager.CreateAsync(userFactory, values);
+                                await userManager.CreateAsync(userFactory, values);
+                            }
                        }
                        catch (Exception ex)
                        {
@ -73,5 +96,10 @@ namespace Squidex.Areas.IdentityServer.Config
                }
            }
        }
+
+        private static bool IsEmpty(UserManager<IdentityUser> userManager)
+        {
+            return userManager.SupportsQueryableUsers && !userManager.Users.Any();
+        }
    }
 }
--- a/backend/src/Squidex/Areas/IdentityServer/Controllers/Account/AccountController.cs
+++ b/backend/src/Squidex/Areas/IdentityServer/Controllers/Account/AccountController.cs
@ -268,7 +268,7 @@ namespace Squidex.Areas.IdentityServer.Controllers.Account
            {
                var email = externalLogin.Principal.FindFirst(ClaimTypes.Email).Value;

-                user = await userManager.FindByEmailWithClaimsAsyncAsync(email);
+                user = await userManager.FindByEmailWithClaimsAsync(email);

                if (user != null)
                {
--- a/backend/src/Squidex/Config/MyIdentityOptions.cs
+++ b/backend/src/Squidex/Config/MyIdentityOptions.cs
@ -11,6 +11,10 @@ namespace Squidex.Config
 {
    public sealed class MyIdentityOptions
    {
+        public string PrivacyUrl { get; set; }
+
+        public string AuthorityUrl { get; set; }
+
        public string AdminEmail { get; set; }

        public string AdminPassword { get; set; }
@ -45,11 +49,7 @@ namespace Squidex.Config

        public Dictionary<string, string[]> OidcRoleMapping { get; set; }

-        public string AuthorityUrl { get; set; }
-
-        public string PrivacyUrl { get; set; }
-
-        public bool RequiresHttps { get; set; }
+        public bool AdminRecreate { get; set; }

        public bool AllowPasswordAuth { get; set; }

@ -57,6 +57,8 @@ namespace Squidex.Config

        public bool NoConsent { get; set; }

+        public bool RequiresHttps { get; set; }
+
        public bool ShowPII { get; set; }

        public bool IsAdminConfigured()
--- a/backend/src/Squidex/appsettings.json
+++ b/backend/src/Squidex/appsettings.json
@ -428,6 +428,10 @@
     */
    "adminEmail": "",
    "adminPassword": "",
+    /*
+     * Recreate the admin if it does not exist or the password does not match.
+     */
+    "adminRecreate": false,
    /*
     * Client with all admin permissions.
     */
--- a/backend/tests/Squidex.Infrastructure.Tests/Security/PermissionSetTests.cs
+++ b/backend/tests/Squidex.Infrastructure.Tests/Security/PermissionSetTests.cs
@ -113,5 +113,25 @@ namespace Squidex.Infrastructure.Security

            Assert.False(sut.Includes(null));
        }
+
+        [Fact]
+        public void Should_add_permission_by_string()
+        {
+            var sut =
+                new PermissionSet("app.contents")
+                    .Add("admin.*");
+
+            Assert.True(sut.Includes(new Permission("admin")));
+        }
+
+        [Fact]
+        public void Should_add_permission()
+        {
+            var sut =
+                new PermissionSet("app.contents")
+                    .Add(new Permission("admin.*"));
+
+            Assert.True(sut.Includes(new Permission("admin")));
+        }
    }
 }