Auth Data can use LDAP as external data source.

Currently LDAP certificate files are expected to be found from the project root: https://github.com/haltu/eca-auth-data/blob/db14f4b2acbe09068c5262311e35cd99dddf487c/authdata/external_sources.py#L254

These files are set in place with salt and never committed to this repository. It would be better to save these files outside the project directory. This will require changes to this repository and to the salt configuration.

DoD: Organize certificate files better. They should be outside of project root.

ObjectGUID is an immutable value, which should be as the external id and for OID hash calculations instead of a mutable attribute such UserPrincipalName.

The database can grow quite large and it would be beneficial to be able to query only the data which has changed after certain timestamp.

It might be impossible to implement this with external data sources.

Users in external sources might not have an OID. Generate a fake OID by hashing an immutable attribute of the user.

Proviously this service was named "roledb". The role of the service was changed and now it contains more than just role information. Also the new naming is in line with the documentation.

Write documentation how external data sources are configured.

Currently query /api/1/user?dreamschool=123&foo=bar filters UserAttributes by only picking either of the parameters (randomly).

DoD: User queryset is filtered using all GET parameters

Ref:

This is the reason why following test failed: https://travis-ci.org/educloudalliance/eca-auth-data/jobs/102996338

All models should have "created" and "modified" timestamp.

When a user adds an authentication method an Attribute with the given name ('google', 'dreamschool', etc) must already exist in Auth Data db. This could also be solved in Auth Connector by calling the Attribute REST endpoint and creating the Attribute if it does not exist.

Project structure should match with the https://github.com/educloudalliance/eca-auth-connector

The query timeouts if too many results are returned in an LDAP query.

Current version is 1.7 which doesn't receive security updates. Update to 1.8 series

Dreamschool is based on Dream Platform. Dream UserDB should be added as external data source.

Line test coverage should be increased

DoD: Coverage >90%

The /query endpoint is returning UserAttributes that are disabled. This must not happen.

Wehn Service queries the database it should get only attributes it should know about. As comprehensive permission handling is huge task this can be implemented by allowing only attributes written by the Service to be queried by the Service.

Auth Proxy service is only exception. It can always receive all attributes.

The concept of Auth Data service should be changed slightly.

Before it behaved like a cache for data. The cache could be updated with an API and changes were always made from outside. This is still the case but now Auth Data can also act as a proxy for external data sources. In this case Auth Data can redirect API query to external service if the query is made with parameters which are attached to external sources. This attachment is known as External Data Mapping. There is runtime config which defines the mapping between municipalities and external data sources.

Some queries, such as when a query is mapped to an OU in LDAP, HTTP 500 is returned for non-matches.