Bulk user login creadential

Seema_Rani · January 27, 2016, 11:24am

Hello Team,

This is regarding creating user, on web site admin gives access to user
with login name and password, can we create multiple users in one time,
like can we create a sheet of users with there name and password, and
upload it to server?

Mitch_S · January 27, 2016, 5:28pm

Yes. In the add user text entry box, you can enter space-separated list of
users (or paste in a list of users on multiple lines). I think
comma-separated lists also work.

The pain point is that you have to individually change each of their
passwords.

···

On Wed, Jan 27, 2016 at 3:24 AM, Seema Rani wrote:

Hello Team,

This is regarding creating user, on web site admin gives access to user
with login name and password, can we create multiple users in one time,
like can we create a sheet of users with there name and password, and
upload it to server?

--
You received this message because you are subscribed to the Google Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
Mitch Sundt
Software Engineer
University of Washington
mitchellsundt@gmail.com

Ramandeep_Singh_Baks · January 29, 2016, 7:55am

Yes. In the add user text entry box, you can enter space-separated list of users (or paste in a list of users on multiple lines). I think comma-separated lists also work.

The pain point is that you have to individually change each of their passwords.

Hello Team,

This is regarding creating user, on web site admin gives access to user with login name and password, can we create multiple users in one time, like can we create a sheet of users with there name and password, and upload it to server?

--

You received this message because you are subscribed to the Google Groups "ODK Developers" group.

To unsubscribe from this group and stop receiving emails from it, send an email to opendatakit-developers+unsubscribe@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--

Mitch Sundt
Software Engineer
University of Washington
mitche...@gmail.com

Mitch

There should be a provision to upload an excel with the details as well as the passwords else its very time consuming to do this manual work. Pls see if this could be done in the next builds

···

On Wednesday, January 27, 2016 at 10:58:23 PM UTC+5:30, Mitch wrote: > On Wed, Jan 27, 2016 at 3:24 AM, Seema Rani wrote:

yanokwa · January 29, 2016, 9:01am

Agreed that this would be a nice feature. If this is important to you,
the best way to ensure it happens is to contribute code. You can find
the code base at http://github.com/opendatakit/aggregate.

Yaw

···

-- Need ODK consultants? Nafundi provides form design, server setup, in-field training, and software development for ODK. Go to https://nafundi.com to get started.

On Fri, Jan 29, 2016 at 9:55 AM, raman@codecube.in wrote:

On Wednesday, January 27, 2016 at 10:58:23 PM UTC+5:30, Mitch wrote:

Yes. In the add user text entry box, you can enter space-separated list of users (or paste in a list of users on multiple lines). I think comma-separated lists also work.

The pain point is that you have to individually change each of their passwords.

On Wed, Jan 27, 2016 at 3:24 AM, Seema Rani se...@vartulz.com wrote:

Hello Team,

This is regarding creating user, on web site admin gives access to user with login name and password, can we create multiple users in one time, like can we create a sheet of users with there name and password, and upload it to server?

--

You received this message because you are subscribed to the Google Groups "ODK Developers" group.

To unsubscribe from this group and stop receiving emails from it, send an email to opendatakit-developers+unsubscribe@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--

Mitch Sundt
Software Engineer
University of Washington
mitche...@gmail.com

Mitch

There should be a provision to upload an excel with the details as well as the passwords else its very time consuming to do this manual work. Pls see if this could be done in the next builds

--
You received this message because you are subscribed to the Google Groups "ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Ramandeep_Singh_Baks · January 29, 2016, 9:03am

Great, we will try and see what we can do for the ODK platform. I will ask
my tech head to take this ahead.

Thanks for a great platform.

*-- *
Rgds
Ramandeep Singh
www.codecube.in
Mob - +91 - 98108 69975
Skype - raman_egov
Twitter - @Code_Cube

>>>>> DO check out our amazing work on Pinterest http://bit.ly/K0IAiy
http://bit.ly/K0IAiy <<<<<

···

On Fri, Jan 29, 2016 at 2:31 PM, Yaw Anokwa wrote:

Agreed that this would be a nice feature. If this is important to you,
the best way to ensure it happens is to contribute code. You can find
the code base at http://github.com/opendatakit/aggregate.

Yaw

Need ODK consultants? Nafundi provides form design, server setup,
in-field training, and software development for ODK. Go to
https://nafundi.com to get started.

On Fri, Jan 29, 2016 at 9:55 AM, raman@codecube.in wrote:

On Wednesday, January 27, 2016 at 10:58:23 PM UTC+5:30, Mitch wrote:

Yes. In the add user text entry box, you can enter space-separated
list of users (or paste in a list of users on multiple lines). I think
comma-separated lists also work.

The pain point is that you have to individually change each of their
passwords.

On Wed, Jan 27, 2016 at 3:24 AM, Seema Rani se...@vartulz.com wrote:

Hello Team,

This is regarding creating user, on web site admin gives access to user
with login name and password, can we create multiple users in one time,
like can we create a sheet of users with there name and password, and
upload it to server?

--

You received this message because you are subscribed to the Google
Groups "ODK Developers" group.

To unsubscribe from this group and stop receiving emails from it, send
an email to opendatakit-developers+unsubscribe@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--

Mitch Sundt
Software Engineer
University of Washington
mitche...@gmail.com

Mitch

There should be a provision to upload an excel with the details as well
as the passwords else its very time consuming to do this manual work. Pls
see if this could be done in the next builds

--
You received this message because you are subscribed to the Google
Groups "ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to a topic in the
Google Groups "ODK Developers" group.
To unsubscribe from this topic, visit
https://groups.google.com/d/topic/opendatakit-developers/hg8Fyfeux-o/unsubscribe
.
To unsubscribe from this group and all its topics, send an email to
opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Andrew · May 25, 2016, 10:42am

Hi Ramandeep / ODK team,

Similar to this, I am needing to create new users via an API call (we want
to be able to allow new users registering via our platform to be
auto-assigned an ODK login).

Ramandeep, were you able to modify the code to allow upload of an Excel
file?

ODK team - any suggestions/guidance on where to start providing API
functionality to create new users?

Thanks and regards,
Andrew

···

On Friday, 29 January 2016 11:04:34 UTC+2, Ramandeep Singh Bakshi wrote: > > Great, we will try and see what we can do for the ODK platform. I will ask > my tech head to take this ahead. > > Thanks for a great platform. > > > *-- * > Rgds > *Ramandeep Singh* > www.codecube.in > Mob - +91 - 98108 69975 > Skype - raman_egov > Twitter - @Code_Cube > > > *>>>>> DO check out our amazing work on Pinterest http://bit.ly/K0IAiy > <<< > On Fri, Jan 29, 2016 at 2:31 PM, Yaw Anokwa <yan...@nafundi.com > wrote: > >> Agreed that this would be a nice feature. If this is important to you, >> the best way to ensure it happens is to contribute code. You can find >> the code base at http://github.com/opendatakit/aggregate. >> >> Yaw >> -- >> Need ODK consultants? Nafundi provides form design, server setup, >> in-field training, and software development for ODK. Go to >> https://nafundi.com to get started. >> >> On Fri, Jan 29, 2016 at 9:55 AM, <ra...@codecube.in > wrote: >> > On Wednesday, January 27, 2016 at 10:58:23 PM UTC+5:30, Mitch wrote: >> >> Yes. In the add user text entry box, you can enter space-separated >> list of users (or paste in a list of users on multiple lines). I think >> comma-separated lists also work. >> >> >> >> >> >> The pain point is that you have to individually change each of their >> passwords. >> >> >> >> >> >> On Wed, Jan 27, 2016 at 3:24 AM, Seema Rani wrote: >> >> >> >> Hello Team, >> >> >> >> >> >> This is regarding creating user, on web site admin gives access to >> user with login name and password, can we create multiple users in one >> time, like can we create a sheet of users with there name and password, and >> upload it to server? >> >> >> >> >> >> >> >> >> >> -- >> >> >> >> You received this message because you are subscribed to the Google >> Groups "ODK Developers" group. >> >> >> >> To unsubscribe from this group and stop receiving emails from it, send >> an email to opendatakit-developers+unsubscribe@googlegroups.com >> . >> >> >> >> For more options, visit https://groups.google.com/d/optout. >> >> >> >> >> >> >> >> >> >> >> >> -- >> >> >> >> Mitch Sundt >> >> Software Engineer >> >> University of Washington >> >> mitche...@gmail.com >> > >> > Mitch >> > >> > There should be a provision to upload an excel with the details as well >> as the passwords else its very time consuming to do this manual work. Pls >> see if this could be done in the next builds >> > >> > -- >> > You received this message because you are subscribed to the Google >> Groups "ODK Developers" group. >> > To unsubscribe from this group and stop receiving emails from it, send >> an email to opendatakit-developers+unsubscribe@googlegroups.com >> . >> > For more options, visit https://groups.google.com/d/optout. >> >> -- >> You received this message because you are subscribed to a topic in the >> Google Groups "ODK Developers" group. >> To unsubscribe from this topic, visit >> https://groups.google.com/d/topic/opendatakit-developers/hg8Fyfeux-o/unsubscribe >> . >> To unsubscribe from this group and all its topics, send an email to >> opendatakit-developers+unsubscribe@googlegroups.com . >> For more options, visit https://groups.google.com/d/optout. >> > >

Mitch_S · May 25, 2016, 5:15pm

If you are hosting on MySQL or PostgreSQL, you could probably write a
database script to do this.

Otherwise, you could mimic the structure of the ODK Aggregate
upload-form-definition servlet:

github.com

getodk/aggregate/blob/master/src/main/java/org/opendatakit/aggregate/servlet/FormUploadServlet.java

/*
 * Copyright (C) 2009 Google Inc.
 * Copyright (C) 2010 University of Washington.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy of
 * the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 * License for the specific language governing permissions and limitations under
 * the License.
 */

package org.opendatakit.aggregate.servlet;

import java.io.IOException;

This file has been truncated. show original

And, instead of using the javarosa parser to parse it, do the construction
for the security settings.

The security permissions settings are intended to be all-at-once changes.
I.e., you can't just add one user. The Java code expects a set of all
users, and all of their permissions. It then replaces the existing
configuration with that new configuration. See
setUsersAndGrantedAuthorities:

https://github.com/opendatakit/aggregate/blob/master/src/main/java/org/opendatakit/common/security/server/SecurityAdminServiceImpl.java

The passwords for the users must be individually set through a different
API:

github.com

getodk/aggregate/blob/master/src/main/java/org/opendatakit/common/security/server/SecurityServiceUtil.java#L602


      
          /*
           * Copyright (C) 2011 University of Washington
           *
           * Licensed under the Apache License, Version 2.0 (the "License"); you may not
           * use this file except in compliance with the License. You may obtain a copy of
           * the License at
           *
           * http://www.apache.org/licenses/LICENSE-2.0
           *
           * Unless required by applicable law or agreed to in writing, software
           * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
           * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
           * License for the specific language governing permissions and limitations under
           * the License.
           */
          
          package org.opendatakit.common.security.server;
          
          import java.util.ArrayList;
          import java.util.Collection;
          import java.util.Collections;
          import java.util.HashMap;
          import java.util.HashSet;
          import java.util.List;
          import java.util.Map;
          import java.util.Set;
          import java.util.TreeSet;
          import org.opendatakit.common.persistence.CommonFieldsBase;
          import org.opendatakit.common.persistence.Datastore;
          import org.opendatakit.common.persistence.Query;
          import org.opendatakit.common.persistence.client.exception.DatastoreFailureException;
          import org.opendatakit.common.persistence.exception.ODKDatastoreException;
          import org.opendatakit.common.security.SecurityBeanDefs;
          import org.opendatakit.common.security.User;
          import org.opendatakit.common.security.client.CredentialsInfo;
          import org.opendatakit.common.security.client.UserSecurityInfo;
          import org.opendatakit.common.security.client.UserSecurityInfo.UserType;
          import org.opendatakit.common.security.client.exception.AccessDeniedException;
          import org.opendatakit.common.security.common.GrantedAuthorityName;
          import org.opendatakit.common.security.spring.GrantedAuthorityHierarchyTable;
          import org.opendatakit.common.security.spring.RegisteredUsersTable;
          import org.opendatakit.common.security.spring.SecurityRevisionsTable;
          import org.opendatakit.common.security.spring.UserGrantedAuthority;
          import org.opendatakit.common.web.CallingContext;
          import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
          import org.springframework.security.authentication.encoding.MessageDigestPasswordEncoder;
          import org.springframework.security.core.GrantedAuthority;
          import org.springframework.security.core.authority.SimpleGrantedAuthority;
          
          /**
           * Common utility methods extracted from the AccessConfigurationServlet so they
           * can be shared between the servlet and GWT server classes.
           *
           * @author mitchellsundt@gmail.com
           */
          public class SecurityServiceUtil {
          
            public static final GrantedAuthority siteAuth = new SimpleGrantedAuthority(GrantedAuthorityName.GROUP_SITE_ADMINS.name());
            public static final List<String> siteAdministratorGrants;
            public static final GrantedAuthority dataOwnerAuth = new SimpleGrantedAuthority(GrantedAuthorityName.GROUP_FORM_MANAGERS.name());
            public static final List<String> dataOwnerGrants;
            public static final GrantedAuthority dataViewerAuth = new SimpleGrantedAuthority(GrantedAuthorityName.GROUP_DATA_VIEWERS.name());
            public static final List<String> dataViewerGrants;
            public static final GrantedAuthority dataCollectorAuth = new SimpleGrantedAuthority(GrantedAuthorityName.GROUP_DATA_COLLECTORS.name());
            public static final List<String> dataCollectorGrants;
            public static final GrantedAuthority anonAuth = new SimpleGrantedAuthority(GrantedAuthorityName.USER_IS_ANONYMOUS.name());
            // special grants for Google Earth work-around
            public static final List<String> anonAttachmentViewerGrants;
          
            static {
              List<String> isiteAdministratorGrants = new ArrayList<String>();
              isiteAdministratorGrants.add(GrantedAuthorityName.ROLE_USER.name());
              isiteAdministratorGrants.add(GrantedAuthorityName.ROLE_SITE_ACCESS_ADMIN.name());
              isiteAdministratorGrants.add(GrantedAuthorityName.GROUP_FORM_MANAGERS.name());
              isiteAdministratorGrants.add(GrantedAuthorityName.GROUP_DATA_VIEWERS.name());
              siteAdministratorGrants = Collections.unmodifiableList(isiteAdministratorGrants);
          
          
              List<String> idataOwnerGrants = new ArrayList<String>();
              idataOwnerGrants.add(GrantedAuthorityName.ROLE_USER.name());
              idataOwnerGrants.add(GrantedAuthorityName.ROLE_DATA_OWNER.name());
              idataOwnerGrants.add(GrantedAuthorityName.GROUP_DATA_VIEWERS.name());
              dataOwnerGrants = Collections.unmodifiableList(idataOwnerGrants);
          
              List<String> idataViewerGrants = new ArrayList<String>();
              idataViewerGrants.add(GrantedAuthorityName.ROLE_USER.name());
              idataViewerGrants.add(GrantedAuthorityName.ROLE_DATA_VIEWER.name());
              dataViewerGrants = Collections.unmodifiableList(idataViewerGrants);
          
              List<String> idataCollectorGrants = new ArrayList<String>();
              idataCollectorGrants.add(GrantedAuthorityName.ROLE_DATA_COLLECTOR.name());
              dataCollectorGrants = Collections.unmodifiableList(idataCollectorGrants);
          
              // Work-around hack for Google Earth top-level balloon image
              List<String> ianonAttachmentViewerGrants = new ArrayList<String>();
              ianonAttachmentViewerGrants.add(GrantedAuthorityName.ROLE_ATTACHMENT_VIEWER.name());
              anonAttachmentViewerGrants = Collections.unmodifiableList(ianonAttachmentViewerGrants);
            }
          
            public static ArrayList<UserSecurityInfo> getAllUsers(boolean withAuthorities, CallingContext cc) throws DatastoreFailureException {
          
              ArrayList<UserSecurityInfo> users = new ArrayList<UserSecurityInfo>();
              try {
                Query q = RegisteredUsersTable.createQuery(cc.getDatastore(),
                    "SecurityServiceUtil.getAllUsers", cc.getCurrentUser());
                RegisteredUsersTable.applyNaturalOrdering(q, cc);
          
                List<? extends CommonFieldsBase> l = q.executeQuery();
          
                for (CommonFieldsBase cb : l) {
                  RegisteredUsersTable t = (RegisteredUsersTable) cb;
                  UserSecurityInfo i = new UserSecurityInfo(t.getUsername(), t.getFullName(), t.getEmail(),
                      UserSecurityInfo.UserType.REGISTERED);
                  if (withAuthorities) {
                    SecurityServiceUtil.setAuthenticationLists(i, t.getUri(), cc);
                  }
                  users.add(i);
                }
                // TODO: why doesn't this work?
                UserSecurityInfo anonymous = new UserSecurityInfo(User.ANONYMOUS_USER,
                    User.ANONYMOUS_USER_NICKNAME, null, UserSecurityInfo.UserType.ANONYMOUS);
                if (withAuthorities) {
                  SecurityServiceUtil.setAuthenticationListsForSpecialUser(anonymous,
                      GrantedAuthorityName.USER_IS_ANONYMOUS, cc);
                }
                users.add(anonymous);
              } catch (ODKDatastoreException e) {
                e.printStackTrace();
                throw new DatastoreFailureException(e);
              }
              // the natural ordering (above) produces a sorted list...
              return users;
            }
          
            static GrantedAuthorityName mapName(GrantedAuthority auth, Set<GrantedAuthority> badGrants) {
              GrantedAuthorityName name = null;
              try {
                name = GrantedAuthorityName.valueOf(auth.getAuthority());
              } catch (Exception e) {
                badGrants.add(auth);
              }
              return name;
            }
          
            static void removeBadGrantedAuthorities(Set<GrantedAuthority> badGrants, CallingContext cc) throws ODKDatastoreException {
              ArrayList<String> empty = new ArrayList<String>();
              for (GrantedAuthority auth : badGrants) {
                UserGrantedAuthority.assertGrantedAuthorityMembers(auth, empty, cc);
              }
            }
          
            static void setAuthenticationLists(UserSecurityInfo userInfo, String uriUser, CallingContext cc) throws ODKDatastoreException {
              Datastore ds = cc.getDatastore();
              User user = cc.getCurrentUser();
              RoleHierarchy hierarchy = (RoleHierarchy) cc.getBean("hierarchicalRoleRelationships");
              Set<GrantedAuthority> grants = UserGrantedAuthority.getGrantedAuthorities(uriUser, ds, user);
              Set<GrantedAuthority> badGrants = new HashSet<>();
              TreeSet<GrantedAuthorityName> groups = new TreeSet<GrantedAuthorityName>();
              TreeSet<GrantedAuthorityName> authorities = new TreeSet<GrantedAuthorityName>();
              for (GrantedAuthority grant : grants) {
                GrantedAuthorityName name = mapName(grant, badGrants);
                if (name != null) {
                  if (GrantedAuthorityName.permissionsCanBeAssigned(grant.getAuthority())) {
                    groups.add(name);
                  } else {
                    authorities.add(name);
                  }
                }
              }
              Collection<? extends GrantedAuthority> auths = hierarchy.getReachableGrantedAuthorities(grants);
              for (GrantedAuthority auth : auths) {
                GrantedAuthorityName name = mapName(auth, badGrants);
                if (name != null && !GrantedAuthorityName.permissionsCanBeAssigned(auth.getAuthority())) {
                  authorities.add(name);
                }
              }
              userInfo.setAssignedUserGroups(groups);
              userInfo.setGrantedAuthorities(authorities);
              removeBadGrantedAuthorities(badGrants, cc);
            }
          
            public static void setAuthenticationListsForSpecialUser(UserSecurityInfo userInfo, GrantedAuthorityName specialGroup, CallingContext cc) throws DatastoreFailureException {
              RoleHierarchy hierarchy = (RoleHierarchy) cc.getBean("hierarchicalRoleRelationships");
              Set<GrantedAuthority> badGrants = new HashSet<>();
              // The assigned groups are the specialGroup that this user defines
              // (i.e., anonymous or daemon) plus all directly-assigned assignable
              // permissions.
              TreeSet<GrantedAuthorityName> groups = new TreeSet<GrantedAuthorityName>();
              TreeSet<GrantedAuthorityName> authorities = new TreeSet<GrantedAuthorityName>();
              groups.add(specialGroup);
              GrantedAuthority specialAuth = new SimpleGrantedAuthority(specialGroup.name());
              try {
                Set<GrantedAuthority> auths = GrantedAuthorityHierarchyTable
                    .getSubordinateGrantedAuthorities(specialAuth, cc);
                for (GrantedAuthority auth : auths) {
                  GrantedAuthorityName name = mapName(auth, badGrants);
                  if (name != null) {
                    groups.add(name);
                  }
                }
              } catch (ODKDatastoreException e) {
                e.printStackTrace();
                throw new DatastoreFailureException("Unable to retrieve granted authorities of "
                    + specialGroup.name());
              }
          
              Collection<? extends GrantedAuthority> auths = hierarchy
                  .getReachableGrantedAuthorities(Collections.singletonList(specialAuth));
              for (GrantedAuthority auth : auths) {
                GrantedAuthorityName name = mapName(auth, badGrants);
                if (name != null && !GrantedAuthorityName.permissionsCanBeAssigned(auth.getAuthority())) {
                  authorities.add(name);
                }
              }
              userInfo.setAssignedUserGroups(groups);
              userInfo.setGrantedAuthorities(authorities);
              try {
                removeBadGrantedAuthorities(badGrants, cc);
              } catch (ODKDatastoreException e) {
                e.printStackTrace();
              }
            }
          
            private static Map<UserSecurityInfo, String> setUsers(ArrayList<UserSecurityInfo> users, CallingContext cc) throws DatastoreFailureException {
              List<UserSecurityInfo> allUsersList = getAllUsers(false, cc);
          
              Set<UserSecurityInfo> removedUsers = new TreeSet<UserSecurityInfo>();
              removedUsers.addAll(allUsersList);
              removedUsers.removeAll(users);
          
              Datastore ds = cc.getDatastore();
              User user = cc.getCurrentUser();
          
              Map<UserSecurityInfo, String> pkMap = new HashMap<UserSecurityInfo, String>();
              try {
                // mark absent users as removed...
                for (UserSecurityInfo u : removedUsers) {
                  if (u.getType() != UserType.REGISTERED)
                    continue;
                  RegisteredUsersTable t;
                  if (u.getUsername() == null) {
                    t = RegisteredUsersTable.getUniqueUserByEmail(u.getEmail(), ds, user);
                  } else {
                    t = RegisteredUsersTable.getUniqueUserByUsername(u.getUsername(), ds, user);
                  }
                  if (t != null) {
                    t.setIsRemoved(true);
                    ds.putEntity(t, user);
                  }
                }
                // go through all other users. Assert that they exist.
                // This will update the fields to match those specified.
                for (UserSecurityInfo u : users) {
                  if (u.getType() != UserType.REGISTERED)
                    continue;
                  RegisteredUsersTable t = RegisteredUsersTable.assertActiveUserByUserSecurityInfo(u, cc);
                  pkMap.put(u, t.getUri());
                }
              } catch (ODKDatastoreException e) {
                e.printStackTrace();
                throw new DatastoreFailureException("Incomplete security update", e);
              }
              return pkMap;
            }
          
            private static void setUsersOfGrantedAuthority(Map<UserSecurityInfo, String> pkMap, GrantedAuthority auth, CallingContext cc) throws DatastoreFailureException {
              Set<GrantedAuthority> badGrants = new HashSet<>();
              GrantedAuthorityName name = mapName(auth, badGrants);
              if (name != null) {
                // build the set of uriUsers for this granted authority...
                TreeSet<String> desiredMembers = new TreeSet<String>();
          
                for (Map.Entry<UserSecurityInfo, String> u : pkMap.entrySet()) {
                  UserSecurityInfo info = u.getKey();
                  String uriUser = u.getValue();
          
                  if (info.getAssignedUserGroups().contains(name)) {
                    desiredMembers.add(uriUser);
                  }
                }
          
                // assert that the authority has exactly this set of uriUsers (no more, no
                // less)
                try {
                  UserGrantedAuthority.assertGrantedAuthorityMembers(auth, desiredMembers, cc);
                } catch (ODKDatastoreException e) {
                  e.printStackTrace();
                  throw new DatastoreFailureException("Incomplete security update", e);
                }
              } else {
                try {
                  removeBadGrantedAuthorities(badGrants, cc);
                } catch (ODKDatastoreException e) {
                  e.printStackTrace();
                  throw new DatastoreFailureException("Incomplete security update", e);
                }
              }
            }
          
            public static final void setStandardSiteAccessConfiguration(ArrayList<UserSecurityInfo> users, ArrayList<GrantedAuthorityName> allGroups, CallingContext cc) throws DatastoreFailureException {
          
              // remove anonymousUser from the set of users and collect its
              // permissions (anonGrantStrings) which will be placed in
              // the granted authority hierarchy table.
              List<String> anonGrantStrings = new ArrayList<String>();
              {
                UserSecurityInfo anonUser = null;
                for (UserSecurityInfo i : users) {
                  if (i.getType() == UserType.ANONYMOUS) {
                    anonUser = i;
                    // clean up grants for anonymousUser --
                    // ignore anonAuth (the grant under which we will place things)
                    // and forbid Site Admin
                    for (GrantedAuthorityName a : i.getAssignedUserGroups()) {
                      if (anonAuth.getAuthority().equals(a.name()))
                        continue; // avoid circularity...
                      // only allow ROLE_ATTACHMENT_VIEWER and GROUP_ assignments.
                      if (!GrantedAuthorityName.ROLE_ATTACHMENT_VIEWER.equals(a) &&
                          !a.name().startsWith(GrantedAuthorityName.GROUP_PREFIX)) {
                        continue;
                      }
                      // do not allow Site Admin assignments for Anonymous --
                      // or Tables super-user or Tables Administrator.
                      // those all give access to the full set of users on the system
                      // and giving that information to Anonymous is a security
                      // risk.
                      if (GrantedAuthorityName.GROUP_SITE_ADMINS.equals(a)) {
                        continue;
                      }
                      anonGrantStrings.add(a.name());
                    }
                    break;
                  }
                }
                if (anonUser != null) {
                  users.remove(anonUser);
                }
              }
          
              // scan through the users and remove any entries under assigned user groups
              // that do not begin with GROUP_.
              //
              // Additionally, if the user is an e-mail, remove the GROUP_DATA_COLLECTORS
              // permission since ODK Collect does not support oauth2 authentication.
              {
                TreeSet<GrantedAuthorityName> toRemove = new TreeSet<GrantedAuthorityName>();
                for (UserSecurityInfo i : users) {
                  // only working with registered users
                  if (i.getType() != UserType.REGISTERED) {
                    continue;
                  }
                  // get the list of assigned groups
                  // -- this is not a copy -- we can directly manipulate this.
                  TreeSet<GrantedAuthorityName> assignedGroups = i.getAssignedUserGroups();
          
                  // scan the set of assigned groups and remove any that don't begin with GROUP_
                  toRemove.clear();
                  for (GrantedAuthorityName name : assignedGroups) {
                    if (!name.name().startsWith(GrantedAuthorityName.GROUP_PREFIX)) {
                      toRemove.add(name);
                    }
                  }
                  if (!toRemove.isEmpty()) {
                    assignedGroups.removeAll(toRemove);
                  }
                  // for e-mail accounts, remove the Data Collector permission since ODK Collect
                  // does not support an oauth2 authentication mechanism.
                  if (i.getEmail() != null) {
                    assignedGroups.remove(GrantedAuthorityName.GROUP_DATA_COLLECTORS);
                  }
                }
              }
          
              // find the entry(entries) for the designated super-user(s)
              String superUserEmail = cc.getUserService().getSuperUserEmail();
              String superUserUsername = cc.getUserService().getSuperUserUsername();
              int expectedSize = ((superUserEmail != null) ? 1 : 0) + ((superUserUsername != null) ? 1 : 0);
              ArrayList<UserSecurityInfo> superUsers = new ArrayList<UserSecurityInfo>();
              for (UserSecurityInfo i : users) {
                if (i.getType() == UserType.REGISTERED) {
                  if (i.getEmail() != null && superUserEmail != null && i.getEmail().equals(superUserEmail)) {
                    superUsers.add(i);
                  }
                  if (i.getUsername() != null && superUserUsername != null && i.getUsername().equals(superUserUsername)) {
                    superUsers.add(i);
                  }
                }
              }
          
              if (superUsers.size() != expectedSize) {
                // we are missing one or both super-users.
                // remove any we have and recreate them from scratch.
                users.removeAll(superUsers);
                superUsers.clear();
          
                // Synthesize a UserSecurityInfo object for the super-user(s)
                // and add it(them) to the list.
                MessageDigestPasswordEncoder mde = null;
                try {
                  Object obj = cc.getBean(SecurityBeanDefs.BASIC_AUTH_PASSWORD_ENCODER);
                  if (obj != null) {
                    mde = (MessageDigestPasswordEncoder) obj;
                  }
                } catch (Exception e) {
                  mde = null;
                }
                try {
                  List<RegisteredUsersTable> tList = RegisteredUsersTable.assertSuperUsers(mde, cc);
          
                  for (RegisteredUsersTable t : tList) {
                    UserSecurityInfo i = new UserSecurityInfo(t.getUsername(), t.getFullName(), t.getEmail(),
                        UserSecurityInfo.UserType.REGISTERED);
                    superUsers.add(i);
                    users.add(i);
                  }
          
                } catch (ODKDatastoreException e) {
                  e.printStackTrace();
                  throw new DatastoreFailureException("Incomplete update");
                }
              }
          
              // reset super-user privileges to have (just) site admin privileges
              // even if caller attempts to change, add, or remove them.
              for (UserSecurityInfo i : superUsers) {
                TreeSet<GrantedAuthorityName> grants = new TreeSet<GrantedAuthorityName>();
                grants.add(GrantedAuthorityName.GROUP_SITE_ADMINS);
                grants.add(GrantedAuthorityName.ROLE_SITE_ACCESS_ADMIN);
                // override whatever the user gave us.
                i.setAssignedUserGroups(grants);
              }
          
              try {
                // enforce our fixed set of groups and their inclusion hierarchy.
                // this is generally a no-op during normal operations.
                GrantedAuthorityHierarchyTable.assertGrantedAuthorityHierarchy(siteAuth,
                    SecurityServiceUtil.siteAdministratorGrants, cc);
                GrantedAuthorityHierarchyTable.assertGrantedAuthorityHierarchy(dataOwnerAuth,
                    SecurityServiceUtil.dataOwnerGrants, cc);
                GrantedAuthorityHierarchyTable.assertGrantedAuthorityHierarchy(dataViewerAuth,
                    SecurityServiceUtil.dataViewerGrants, cc);
                GrantedAuthorityHierarchyTable.assertGrantedAuthorityHierarchy(dataCollectorAuth,
                    SecurityServiceUtil.dataCollectorGrants, cc);
          
                // place the anonymous user's permissions in the granted authority table.
                GrantedAuthorityHierarchyTable
                    .assertGrantedAuthorityHierarchy(anonAuth, anonGrantStrings, cc);
          
                // get all granted authority names
                TreeSet<String> authorities = GrantedAuthorityHierarchyTable
                    .getAllPermissionsAssignableGrantedAuthorities(cc.getDatastore(), cc.getCurrentUser());
                // remove the groups that have structure (i.e., those defined above).
                authorities.remove(siteAuth.getAuthority());
                authorities.remove(dataOwnerAuth.getAuthority());
                authorities.remove(dataViewerAuth.getAuthority());
                authorities.remove(dataCollectorAuth.getAuthority());
                authorities.remove(anonAuth.getAuthority());
          
                // delete all hierarchy structures under anything else.
                // i.e., if somehow USER_IS_REGISTERED had been granted GROUP_FORM_MANAGER
                // then this loop would leave USER_IS_REGISTERED without any grants.
                // (it repairs the database to conform to our privilege hierarchy expectations).
                List<String> empty = Collections.emptyList();
                for (String s : authorities) {
                  GrantedAuthorityHierarchyTable.assertGrantedAuthorityHierarchy(
                      new SimpleGrantedAuthority(s), empty, cc);
                }
          
                // declare all the users (and remove users that are not in this set)
                Map<UserSecurityInfo, String> pkMap = setUsers(users, cc);
          
                // now, for each GROUP_..., update the user granted authority
                // table with the users that have that GROUP_... assignment.
                setUsersOfGrantedAuthority(pkMap, siteAuth, cc);
                setUsersOfGrantedAuthority(pkMap, dataOwnerAuth, cc);
                setUsersOfGrantedAuthority(pkMap, dataViewerAuth, cc);
                setUsersOfGrantedAuthority(pkMap, dataCollectorAuth, cc);
                // all super-users would already have their site admin role and
                // we leave that unchanged. The key is to ensure that the
                // super users are in the users list so they don't get
                // accidentally removed and that they have siteAuth group
                // membership.  I.e., we don't need to manage ROLE_SITE_ACCESS_ADMIN
                // here. it is done elsewhere.
          
              } catch (ODKDatastoreException e) {
                e.printStackTrace();
                throw new DatastoreFailureException("Incomplete update");
              } finally {
                Datastore ds = cc.getDatastore();
                User user = cc.getCurrentUser();
                try {
                  SecurityRevisionsTable.setLastRegisteredUsersRevisionDate(ds, user);
                } catch (ODKDatastoreException e) {
                  // if it fails, use RELOAD_INTERVAL to force reload.
                  e.printStackTrace();
                }
                try {
                  SecurityRevisionsTable.setLastRoleHierarchyRevisionDate(ds, user);
                } catch (ODKDatastoreException e) {
                  // if it fails, use RELOAD_INTERVAL to force reload.
                  e.printStackTrace();
                }
              }
            }
          
            public static final void setUserCredentials(CredentialsInfo credential, CallingContext cc) throws AccessDeniedException, DatastoreFailureException {
              Datastore ds = cc.getDatastore();
              User user = cc.getUserService().getCurrentUser();
              RegisteredUsersTable userDefinition = null;
              try {
                userDefinition = RegisteredUsersTable.getUserByUsername(credential.getUsername(),
                    cc.getUserService(), ds);
                if (userDefinition == null) {
                  throw new AccessDeniedException("User is not a registered user.");
                }
                userDefinition.setDigestAuthPassword(credential.getDigestAuthHash());
                userDefinition.setBasicAuthPassword(credential.getBasicAuthHash());
                userDefinition.setBasicAuthSalt(credential.getBasicAuthSalt());
                ds.putEntity(userDefinition, user);
              } catch (ODKDatastoreException e) {
                e.printStackTrace();
                throw new DatastoreFailureException(e.getMessage());
              }
            }
          
            public static final void setDefaultRoleNamesAndHierarchy(CallingContext cc) throws DatastoreFailureException {
          
              ArrayList<UserSecurityInfo> users = new ArrayList<UserSecurityInfo>();
              ArrayList<GrantedAuthorityName> allGroups = new ArrayList<GrantedAuthorityName>();
          
              // Grant the Anonymous user the ability to submit data to ODK Aggregate
              // Enables users to anonymously publish from ODK Collect into ODK Aggregate
              UserSecurityInfo anonymous = new UserSecurityInfo(User.ANONYMOUS_USER,
                  User.ANONYMOUS_USER_NICKNAME, null, UserSecurityInfo.UserType.ANONYMOUS);
              TreeSet<GrantedAuthorityName> userGroups = new TreeSet<GrantedAuthorityName>();
              userGroups.add(GrantedAuthorityName.GROUP_DATA_COLLECTORS);
              userGroups.add(GrantedAuthorityName.GROUP_FORM_MANAGERS); // issue 710
              anonymous.setAssignedUserGroups(userGroups);
              users.add(anonymous);
              // NOTE: No users are defined at this point (including the superUser) see
              // superUserBootstrap below...
              setStandardSiteAccessConfiguration(users, allGroups, cc);
            }
          
            public static final synchronized void superUserBootstrap(CallingContext cc) throws ODKDatastoreException {
              // assert that the superuser exists...
              MessageDigestPasswordEncoder mde = null;
              try {
                Object obj = cc.getBean(SecurityBeanDefs.BASIC_AUTH_PASSWORD_ENCODER);
                if (obj != null) {
                  mde = (MessageDigestPasswordEncoder) obj;
                }
              } catch (Exception e) {
                mde = null;
              }
              List<RegisteredUsersTable> suList = RegisteredUsersTable.assertSuperUsers(mde, cc);
          
              Set<String> uriUsers;
          
              // add the superuser to the list of site administrators
              uriUsers = UserGrantedAuthority.getUriUsers(siteAuth, cc.getDatastore(), cc.getCurrentUser());
              for (RegisteredUsersTable su : suList) {
                uriUsers.add(su.getUri());
              }
              UserGrantedAuthority.assertGrantedAuthorityMembers(siteAuth, uriUsers, cc);
          
              // assert that the superuser is the only one with permanent access
              // administration rights...
              uriUsers.clear();
              for (RegisteredUsersTable su : suList) {
                uriUsers.add(su.getUri());
              }
              UserGrantedAuthority.assertGrantedAuthorityMembers(new SimpleGrantedAuthority(
                  GrantedAuthorityName.ROLE_SITE_ACCESS_ADMIN.name()), uriUsers, cc);
            }
          }

This file has been truncated. show original

That is called from the web page via a servlet:

github.com

getodk/aggregate/blob/master/src/main/java/org/opendatakit/aggregate/servlet/UserManagePasswordsServlet.java

/*
 * Copyright (C) 2010 University of Washington
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy of
 * the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 * License for the specific language governing permissions and limitations under
 * the License.
 */
package org.opendatakit.aggregate.servlet;

import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServletRequest;

This file has been truncated. show original

When you add a new servlet, in addition to changing web.xml, you need to
update the site security rules here:
https://github.com/opendatakit/aggregate/blob/master/war-base/WEB-INF/applicationContext-security.xml

···

On Wed, May 25, 2016 at 3:42 AM, Andrew wrote:

Hi Ramandeep / ODK team,

Similar to this, I am needing to create new users via an API call (we want
to be able to allow new users registering via our platform to be
auto-assigned an ODK login).

Ramandeep, were you able to modify the code to allow upload of an Excel
file?

ODK team - any suggestions/guidance on where to start providing API
functionality to create new users?

Thanks and regards,
Andrew

On Friday, 29 January 2016 11:04:34 UTC+2, Ramandeep Singh Bakshi wrote:

Great, we will try and see what we can do for the ODK platform. I will
ask my tech head to take this ahead.

Thanks for a great platform.

*-- *
Rgds
Ramandeep Singh
www.codecube.in
Mob - +91 - 98108 69975
Skype - raman_egov
Twitter - @Code_Cube

>>>>> DO check out our amazing work on Pinterest http://bit.ly/K0IAiy
http://bit.ly/K0IAiy <<<<<

On Fri, Jan 29, 2016 at 2:31 PM, Yaw Anokwa yan...@nafundi.com wrote:

Agreed that this would be a nice feature. If this is important to you,
the best way to ensure it happens is to contribute code. You can find
the code base at http://github.com/opendatakit/aggregate.

Yaw

Need ODK consultants? Nafundi provides form design, server setup,
in-field training, and software development for ODK. Go to
https://nafundi.com to get started.

On Fri, Jan 29, 2016 at 9:55 AM, ra...@codecube.in wrote:

On Wednesday, January 27, 2016 at 10:58:23 PM UTC+5:30, Mitch wrote:

Yes. In the add user text entry box, you can enter space-separated
list of users (or paste in a list of users on multiple lines). I think
comma-separated lists also work.

The pain point is that you have to individually change each of their
passwords.

On Wed, Jan 27, 2016 at 3:24 AM, Seema Rani se...@vartulz.com wrote:

Hello Team,

This is regarding creating user, on web site admin gives access to
user with login name and password, can we create multiple users in one
time, like can we create a sheet of users with there name and password, and
upload it to server?

--

You received this message because you are subscribed to the Google
Groups "ODK Developers" group.

To unsubscribe from this group and stop receiving emails from it,
send an email to opendatakit-developers+unsubscribe@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--

Mitch Sundt
Software Engineer
University of Washington
mitche...@gmail.com

Mitch

There should be a provision to upload an excel with the details as
well as the passwords else its very time consuming to do this manual work.
Pls see if this could be done in the next builds

--
You received this message because you are subscribed to the Google
Groups "ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to a topic in the
Google Groups "ODK Developers" group.
To unsubscribe from this topic, visit
https://groups.google.com/d/topic/opendatakit-developers/hg8Fyfeux-o/unsubscribe
.
To unsubscribe from this group and all its topics, send an email to
opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups
"ODK Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to opendatakit-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
Mitch Sundt
Software Engineer
University of Washington
mitchellsundt@gmail.com

Andrew · May 27, 2016, 8:20am

Great, thanks for the detailed response, exactly the type of info I was
after.

Regards,
Andrew

···

On Wednesday, 25 May 2016 19:15:51 UTC+2, Mitch wrote: > > If you are hosting on MySQL or PostgreSQL, you could probably write a > database script to do this. > > Otherwise, you could mimic the structure of the ODK Aggregate > upload-form-definition servlet: > > > https://github.com/opendatakit/aggregate/blob/master/src/main/java/org/opendatakit/aggregate/servlet/FormUploadServlet.java > > And, instead of using the javarosa parser to parse it, do the construction > for the security settings. > > The security permissions settings are intended to be all-at-once changes. > I.e., you can't just add one user. The Java code expects a set of all > users, and all of their permissions. It then replaces the existing > configuration with that new configuration. See > setUsersAndGrantedAuthorities: > > > https://github.com/opendatakit/aggregate/blob/master/src/main/java/org/opendatakit/common/security/server/SecurityAdminServiceImpl.java > > The passwords for the users must be individually set through a different > API: > > > https://github.com/opendatakit/aggregate/blob/master/src/main/java/org/opendatakit/common/security/server/SecurityServiceUtil.java#L602 > > That is called from the web page via a servlet: > > > https://github.com/opendatakit/aggregate/blob/master/src/main/java/org/opendatakit/aggregate/servlet/UserManagePasswordsServlet.java > > When you add a new servlet, in addition to changing web.xml, you need to > update the site security rules here: > > https://github.com/opendatakit/aggregate/blob/master/war-base/WEB-INF/applicationContext-security.xml > > > On Wed, May 25, 2016 at 3:42 AM, Andrew <acawo...@gmail.com > wrote: > >> Hi Ramandeep / ODK team, >> >> Similar to this, I am needing to create new users via an API call (we >> want to be able to allow new users registering via our platform to be >> auto-assigned an ODK login). >> >> Ramandeep, were you able to modify the code to allow upload of an Excel >> file? >> >> ODK team - any suggestions/guidance on where to start providing API >> functionality to create new users? >> >> Thanks and regards, >> Andrew >> >> >> >> On Friday, 29 January 2016 11:04:34 UTC+2, Ramandeep Singh Bakshi wrote: >>> >>> Great, we will try and see what we can do for the ODK platform. I will >>> ask my tech head to take this ahead. >>> >>> Thanks for a great platform. >>> >>> >>> *-- * >>> Rgds >>> *Ramandeep Singh* >>> www.codecube.in >>> Mob - +91 - 98108 69975 >>> Skype - raman_egov >>> Twitter - @Code_Cube >>> >>> >>> *>>>>> DO check out our amazing work on Pinterest http://bit.ly/K0IAiy >>> <<<>> >>> On Fri, Jan 29, 2016 at 2:31 PM, Yaw Anokwa wrote: >>> >>>> Agreed that this would be a nice feature. If this is important to you, >>>> the best way to ensure it happens is to contribute code. You can find >>>> the code base at http://github.com/opendatakit/aggregate. >>>> >>>> Yaw >>>> -- >>>> Need ODK consultants? Nafundi provides form design, server setup, >>>> in-field training, and software development for ODK. Go to >>>> https://nafundi.com to get started. >>>> >>>> On Fri, Jan 29, 2016 at 9:55 AM, wrote: >>>> > On Wednesday, January 27, 2016 at 10:58:23 PM UTC+5:30, Mitch wrote: >>>> >> Yes. In the add user text entry box, you can enter space-separated >>>> list of users (or paste in a list of users on multiple lines). I think >>>> comma-separated lists also work. >>>> >> >>>> >> >>>> >> The pain point is that you have to individually change each of their >>>> passwords. >>>> >> >>>> >> >>>> >> On Wed, Jan 27, 2016 at 3:24 AM, Seema Rani wrote: >>>> >> >>>> >> Hello Team, >>>> >> >>>> >> >>>> >> This is regarding creating user, on web site admin gives access to >>>> user with login name and password, can we create multiple users in one >>>> time, like can we create a sheet of users with there name and password, and >>>> upload it to server? >>>> >> >>>> >> >>>> >> >>>> >> >>>> >> -- >>>> >> >>>> >> You received this message because you are subscribed to the Google >>>> Groups "ODK Developers" group. >>>> >> >>>> >> To unsubscribe from this group and stop receiving emails from it, >>>> send an email to opendatakit-developers+unsubscribe@googlegroups.com. >>>> >> >>>> >> For more options, visit https://groups.google.com/d/optout. >>>> >> >>>> >> >>>> >> >>>> >> >>>> >> >>>> >> -- >>>> >> >>>> >> Mitch Sundt >>>> >> Software Engineer >>>> >> University of Washington >>>> >> mitche...@gmail.com >>>> > >>>> > Mitch >>>> > >>>> > There should be a provision to upload an excel with the details as >>>> well as the passwords else its very time consuming to do this manual work. >>>> Pls see if this could be done in the next builds >>>> > >>>> > -- >>>> > You received this message because you are subscribed to the Google >>>> Groups "ODK Developers" group. >>>> > To unsubscribe from this group and stop receiving emails from it, >>>> send an email to opendatakit-developers+unsubscribe@googlegroups.com. >>>> > For more options, visit https://groups.google.com/d/optout. >>>> >>>> -- >>>> You received this message because you are subscribed to a topic in the >>>> Google Groups "ODK Developers" group. >>>> To unsubscribe from this topic, visit >>>> https://groups.google.com/d/topic/opendatakit-developers/hg8Fyfeux-o/unsubscribe >>>> . >>>> To unsubscribe from this group and all its topics, send an email to >>>> opendatakit-developers+unsubscribe@googlegroups.com. >>>> For more options, visit https://groups.google.com/d/optout. >>>> >>> >>> -- >> You received this message because you are subscribed to the Google Groups >> "ODK Developers" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to opendatakit-developers+unsubscribe@googlegroups.com >> . >> For more options, visit https://groups.google.com/d/optout. >> > > > > -- > Mitch Sundt > Software Engineer > University of Washington > mitche...@gmail.com >