fix: compute usernames in auth views correctly after domain policy change (#4860)

* fix: compute usernames in auth views correctly after domain policy change

* userloginmustbedomain hint

Co-authored-by: Max Peintner <max@caos.ch>

console/src/app/modules/policies/domain-policy/domain-policy.component.html

@@ -28,7 +28,7 @@
 </button>
 <!-- </ng-template> -->
 
-<div class="content" *ngIf="domainData">
+<div class="domain-policy-content" *ngIf="domainData">
   <div class="row">
     <mat-checkbox
       color="primary"
@@ -51,6 +51,34 @@
     </mat-checkbox>
   </div>
 
+  <cnsl-info-section>
+    <div>
+      <span>{{ 'POLICY.DATA.USERLOGINMUSTBEDOMAIN_DESCRIPTION' | translate }}</span>
+
+      <div class="loginname-preview">
+        <div class="left-right">
+          <div *ngIf="domainData.userLoginMustBeDomain"><small>domain</small><span>acme.com</span></div>
+          <div *ngIf="domainData.userLoginMustBeDomain"><small>username</small><span>john</span></div>
+          <div *ngIf="domainData.userLoginMustBeDomain"><small>loginname</small><span>john@acme.com</span></div>
+
+          <div *ngIf="!domainData.userLoginMustBeDomain"><small>domain</small><span>acme.com</span></div>
+          <div *ngIf="!domainData.userLoginMustBeDomain"><small>username</small><span>john@acme.com</span></div>
+          <div *ngIf="!domainData.userLoginMustBeDomain"><small>loginname</small><span>john@acme.com</span></div>
+        </div>
+        <i class="las la-arrow-right"></i>
+        <div class="left-right">
+          <div *ngIf="domainData.userLoginMustBeDomain"><small>domain</small><span>acme.com</span></div>
+          <div *ngIf="domainData.userLoginMustBeDomain"><small>username</small><span>john@acme.com</span></div>
+          <div *ngIf="domainData.userLoginMustBeDomain"><small>loginname</small><span>john@acme.com</span></div>
+
+          <div *ngIf="!domainData.userLoginMustBeDomain"><small>domain</small><span>acme.com</span></div>
+          <div *ngIf="!domainData.userLoginMustBeDomain"><small>username</small><span>john</span></div>
+          <div *ngIf="!domainData.userLoginMustBeDomain"><small>loginname</small><span>john@acme.com</span></div>
+        </div>
+      </div>
+    </div>
+  </cnsl-info-section>
+
   <div class="row">
     <mat-checkbox
       color="primary"

console/src/app/modules/policies/domain-policy/domain-policy.component.scss

@@ -8,16 +8,18 @@
   font-size: 14px;
 }
 
-.content {
+.domain-policy-content {
   padding-top: 1rem;
   display: flex;
   flex-direction: column;
   width: 100%;
+  max-width: 700px;
 
   .row {
     display: flex;
     align-items: center;
     padding: 0.3rem 0;
+    margin-top: 1rem;
 
     .left-desc {
       font-size: 0.9rem;
@@ -32,6 +34,37 @@
       align-items: center;
     }
   }
+
+  .loginname-preview {
+    margin: 1rem 0;
+    display: flex;
+    flex-direction: row;
+    align-items: center;
+    justify-content: space-between;
+
+    .left-right {
+      display: flex;
+      flex-direction: row;
+
+      @media only screen and (max-width: 600px) {
+        flex-direction: column;
+      }
+
+      div {
+        display: flex;
+        flex-direction: column;
+        margin: 0.5rem;
+
+        small {
+          opacity: 0.9;
+        }
+      }
+    }
+
+    i {
+      margin: 0 1rem;
+    }
+  }
 }
 
 .btn-container {

console/src/assets/i18n/de.json

@@ -1166,7 +1166,8 @@
       "MAXATTEMPTS": "Maximale Anzahl an Versuchen",
       "EXPIREWARNDAYS": "Ablauf Warnung nach Tagen",
       "MAXAGEDAYS": "Maximale Gültigkeit in Tagen",
-      "USERLOGINMUSTBEDOMAIN": "Benutzer Loginname muss die Domain der Organisation beinhalten",
+      "USERLOGINMUSTBEDOMAIN": "Organisationsdomain dem Loginname hinzufügen",
+      "USERLOGINMUSTBEDOMAIN_DESCRIPTION": "If you enable this setting, all loginnames will be suffixed with the organization domain. If this settings is disabled, you have to ensure that usernames are unique over all organizations.",
       "VALIDATEORGDOMAINS": "Org Domains validieren",
       "SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "SMTP Sender Adresse entspricht Instanzdomain",
       "ALLOWUSERNAMEPASSWORD": "Benutzername Passwort erlaubt",

console/src/assets/i18n/en.json

@@ -1166,7 +1166,8 @@
       "MAXATTEMPTS": "Password maximum Attempts",
       "EXPIREWARNDAYS": "Expiration Warning after day",
       "MAXAGEDAYS": "Max Age in days",
-      "USERLOGINMUSTBEDOMAIN": "User Loginname must contain orgdomain",
+      "USERLOGINMUSTBEDOMAIN": "Add organization domain as suffix to loginnames",
+      "USERLOGINMUSTBEDOMAIN_DESCRIPTION": "If you enable this setting, all loginnames will be suffixed with the organization domain. If this settings is disabled, you have to ensure that usernames are unique over all organizations.",
       "VALIDATEORGDOMAINS": "Validate Org domains",
       "SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "SMTP Sender Address matches Instance Domain",
       "ALLOWUSERNAMEPASSWORD": "Username Password allowed",

console/src/assets/i18n/fr.json

@@ -1167,6 +1167,7 @@
       "EXPIREWARNDAYS": "Expiration Avertissement après le jour",
       "MAXAGEDAYS": "Âge maximum en jours",
       "USERLOGINMUSTBEDOMAIN": "Le nom de connexion de l'utilisateur doit contenir le nom de domaine de l'organisation",
+      "USERLOGINMUSTBEDOMAIN_DESCRIPTION": "Si vous activez ce paramètre, tous les noms de connexion seront suffixés avec le domaine de l'organisation. Si ce paramètre est désactivé, vous devez vous assurer que les noms d'utilisateur sont uniques pour toutes les organisations.",
       "VALIDATEORGDOMAINS": "Valider les domaines d'Org",
       "SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "L'adresse de l'expéditeur SMTP correspond au domaine de l'instance",
       "ALLOWUSERNAMEPASSWORD": "Nom d'utilisateur Mot de passe autorisé",

console/src/assets/i18n/it.json

@@ -1167,6 +1167,7 @@
       "EXPIREWARNDAYS": "Avviso scadenza dopo il giorno",
       "MAXAGEDAYS": "Lunghezza massima in giorni",
       "USERLOGINMUSTBEDOMAIN": "Nome utente deve contenere il dominio dell' organizzazione",
+      "USERLOGINMUSTBEDOMAIN_DESCRIPTION": "Se abiliti questa impostazione, a tutti i nomi di accesso verrà aggiunto il suffisso del dominio dell'organizzazione. Se questa impostazione è disabilitata, devi assicurarti che i nomi utente siano univoci per tutte le organizzazioni.",
       "VALIDATEORGDOMAINS": "Verifica domini dell' organizzazione",
       "SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "L'indirizzo mittente SMTP corrisponde al dominio dell'istanza",
       "ALLOWUSERNAMEPASSWORD": "Autenticazione classica con password consentita",

console/src/assets/i18n/zh.json

@@ -1166,6 +1166,7 @@
       "EXPIREWARNDAYS": "密码过期警告",
       "MAXAGEDAYS": "Max Age in days",
       "USERLOGINMUSTBEDOMAIN": "用户名必须包含组织域名",
+      "USERLOGINMUSTBEDOMAIN_DESCRIPTION": "如果启用此设置，所有登录名都将以组织域为后缀。如果禁用此设置，您必须确保用户名在所有组织中都是唯一的。",
       "VALIDATEORGDOMAINS": "验证组织域名",
       "SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "SMTP 发件人地址与实例域名匹配",
       "ALLOWUSERNAMEPASSWORD": "允许用户名密码",

internal/auth/repository/eventsourcing/handler/user.go

@@ -317,12 +317,12 @@ func (u *User) loginNameInformation(ctx context.Context, orgID string, instanceI
 	if err != nil {
 		return false, "", nil, err
 	}
-	if org.DomainPolicy == nil {
-		policy, err := u.queries.DefaultDomainPolicy(withInstanceID(ctx, org.InstanceID))
-		if err != nil {
-			return false, "", nil, err
-		}
-		userLoginMustBeDomain = policy.UserLoginMustBeDomain
+	if org.DomainPolicy != nil {
+		return org.DomainPolicy.UserLoginMustBeDomain, org.GetPrimaryDomain().Domain, org.Domains, nil
 	}
-	return userLoginMustBeDomain, org.GetPrimaryDomain().Domain, org.Domains, nil
+	policy, err := u.queries.DefaultDomainPolicy(withInstanceID(ctx, org.InstanceID))
+	if err != nil {
+		return false, "", nil, err
+	}
+	return policy.UserLoginMustBeDomain, org.GetPrimaryDomain().Domain, org.Domains, nil
 }

internal/auth/repository/eventsourcing/handler/user_session.go

@@ -220,14 +220,14 @@ func (u *UserSession) loginNameInformation(ctx context.Context, orgID string, in
 	if err != nil {
 		return false, "", err
 	}
-	if org.DomainPolicy == nil {
-		policy, err := u.queries.DefaultDomainPolicy(withInstanceID(ctx, org.InstanceID))
-		if err != nil {
-			return false, "", err
-		}
-		userLoginMustBeDomain = policy.UserLoginMustBeDomain
+	if org.DomainPolicy != nil {
+		return org.DomainPolicy.UserLoginMustBeDomain, org.GetPrimaryDomain().Domain, nil
 	}
-	return userLoginMustBeDomain, org.GetPrimaryDomain().Domain, nil
+	policy, err := u.queries.DefaultDomainPolicy(withInstanceID(ctx, org.InstanceID))
+	if err != nil {
+		return false, "", err
+	}
+	return policy.UserLoginMustBeDomain, org.GetPrimaryDomain().Domain, nil
 }
 
 func (u *UserSession) getOrgByID(ctx context.Context, orgID, instanceID string) (*org_model.Org, error) {