concord-server: allow tokens without users, remove user from default agent token

server/db/src/main/resources/com/walmartlabs/concord/server/db/liquibase.xml

@@ -115,5 +115,6 @@
     <include file="v2.10.0.xml" relativeToChangelogFile="true"/>
     <include file="v2.12.0.xml" relativeToChangelogFile="true"/>
     <include file="v2.14.0.xml" relativeToChangelogFile="true"/>
+    <include file="v2.21.0.xml" relativeToChangelogFile="true"/>
 
 </databaseChangeLog>

server/db/src/main/resources/com/walmartlabs/concord/server/db/v0.69.0.xml

@@ -4,24 +4,32 @@
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.3.xsd">
 
+    <!-- starting from 2.21.x, the default agent token is no longer associated with any user -->
+    <!--
     <property name="concordAgentUserId" value="d4f123c1-f8d4-40b2-8a12-b8947b9ce2d8"/>
+    -->
 
     <!-- moved to v1.86.0.xml (no more hard-coded default token) -->
-<!--    <changeSet id="69000" author="[email protected]">
-            <insert tableName="USERS">
-                <column name="USER_ID">${concordAgentUserId}</column>
-                <column name="USERNAME">concordAgent</column>
-                <column name="USER_TYPE">LOCAL</column>
-            </insert>
+    <!-- starting from 2.21.x, the default agent token is no longer associated with any user -->
+    <!--
+    <changeSet id="69000" author="[email protected]">
+        <insert tableName="USERS">
+            <column name="USER_ID">${concordAgentUserId}</column>
+            <column name="USERNAME">concordAgent</column>
+            <column name="USER_TYPE">LOCAL</column>
+        </insert>
 
-            <insert tableName="API_KEYS">
-                &lt;!&ndash; "O+JMYwBsU797EKtlRQYu+Q" &ndash;&gt;
-                <column name="API_KEY">1sw9eLZ41EOK4w/iV3jFnn6cqeAMeFtxfazqVY04koY</column>
-                <column name="USER_ID">${concordAgentUserId}</column>
-            </insert>
-        </changeSet> -->
+        <insert tableName="API_KEYS">
+            &lt;!&ndash; "O+JMYwBsU797EKtlRQYu+Q" &ndash;&gt;
+            <column name="API_KEY">1sw9eLZ41EOK4w/iV3jFnn6cqeAMeFtxfazqVY04koY</column>
+            <column name="USER_ID">${concordAgentUserId}</column>
+        </insert>
+    </changeSet>
+    -->
 
+    <!-- starting from 2.21.x, the default agent token is no longer associated with any user -->
     <!-- Create agent user when not exist -->
+    <!--
     <changeSet id="69001" author="[email protected]">
         <preConditions onFail="MARK_RAN">
             <sqlCheck expectedResult="0">
@@ -37,5 +45,5 @@
             <column name="USER_TYPE">LOCAL</column>
         </insert>
     </changeSet>
-
+    -->
 </databaseChangeLog>

server/db/src/main/resources/com/walmartlabs/concord/server/db/v0.70.0.xml

@@ -4,21 +4,23 @@
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.3.xsd">
 
-<!--    <property name="concordRunnerUserId" value="2599c604-1384-4660-a767-8bc03baa7a31"/>
+    <!--
+    <property name="concordRunnerUserId" value="2599c604-1384-4660-a767-8bc03baa7a31"/>
 
-        <changeSet id="70000" author="[email protected]">
-            <insert tableName="USERS">
-                <column name="USER_ID">${concordRunnerUserId}</column>
-                <column name="USERNAME">concordRunner</column>
-                <column name="USER_TYPE">LOCAL</column>
-            </insert>
+    <changeSet id="70000" author="[email protected]">
+        <insert tableName="USERS">
+            <column name="USER_ID">${concordRunnerUserId}</column>
+            <column name="USERNAME">concordRunner</column>
+            <column name="USER_TYPE">LOCAL</column>
+        </insert>
 
-            <insert tableName="API_KEYS">
-                &lt;!&ndash; "Gz0q/DeGlH8Zs7QJMj1v8g" &ndash;&gt;
-                <column name="API_KEY">DrRt3j6G7b6GHY/Prddu4voyKyZa17iFkEj99ac0q/A</column>
-                <column name="USER_ID">${concordRunnerUserId}</column>
-            </insert>
-        </changeSet> -->
+        <insert tableName="API_KEYS">
+            &lt;!&ndash; "Gz0q/DeGlH8Zs7QJMj1v8g" &ndash;&gt;
+            <column name="API_KEY">DrRt3j6G7b6GHY/Prddu4voyKyZa17iFkEj99ac0q/A</column>
+            <column name="USER_ID">${concordRunnerUserId}</column>
+        </insert>
+    </changeSet>
+    -->
 
     <changeSet id="70100" author="[email protected]">
         <addColumn tableName="PROCESS_QUEUE">

server/db/src/main/resources/com/walmartlabs/concord/server/db/v0.79.0.xml

@@ -4,12 +4,15 @@
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.3.xsd">
 
+    <!-- starting from 2.21.x, the default agent token is no longer associated with any user -->
+    <!--
     <changeSet id="79000" author="[email protected]">
         <insert tableName="USER_ROLES">
             <column name="ROLE_ID">${concordSystemReaderRoleId}</column>
             <column name="USER_ID">${concordAgentUserId}</column>
         </insert>
     </changeSet>
+    -->
 
     <changeSet id="79100" author="[email protected]">
         <addColumn tableName="API_KEYS">

server/db/src/main/resources/com/walmartlabs/concord/server/db/v0.80.0.xml

@@ -7,16 +7,20 @@
     <property name="concordSystemWriterRoleId" value="c162d868-89ea-11e8-80be-97fd8a9f7419"/>
 
     <changeSet id="80000" author="[email protected]">
+        <validCheckSum>ANY</validCheckSum>
         <insert tableName="ROLES">
             <column name="ROLE_ID">${concordSystemWriterRoleId}</column>
             <column name="ROLE_NAME">concordSystemWriter</column>
             <column name="GLOBAL_WRITER">true</column>
         </insert>
 
+        <!-- starting from 2.21.x, the default agent token is no longer associated with any user -->
+        <!--
         <insert tableName="USER_ROLES">
             <column name="ROLE_ID">${concordSystemWriterRoleId}</column>
             <column name="USER_ID">${concordAgentUserId}</column>
         </insert>
+        -->
     </changeSet>
 
     <!-- removed in 1.9.0+

server/db/src/main/resources/com/walmartlabs/concord/server/db/v1.45.0.xml

@@ -4,8 +4,9 @@
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.3.xsd">
 
-<!-- moved to v1.86.0.xml -->
-<!--    <changeSet id="1450000" author="[email protected]" runInTransaction="false" context="!codegen">
+        <!-- moved to v1.86.0.xml -->
+        <!--
+        <changeSet id="1450000" author="[email protected]" runInTransaction="false" context="!codegen">
             <sql>
                 delete from API_KEYS where KEY_ID = 'd5165ca8-e8de-11e6-9bf5-136b5db23c32'
             </sql>
@@ -17,5 +18,6 @@
                 &lt;!&ndash; value from concord-server.conf &ndash;&gt;
                 <param name="token" value="${defaultAdminToken}"/>
             </customChange>
-        </changeSet> -->
+        </changeSet>
+       -->
 </databaseChangeLog>

server/db/src/main/resources/com/walmartlabs/concord/server/db/v1.86.0.xml

@@ -5,7 +5,10 @@
         xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.3.xsd">
 
     <property name="concordAdminUserId" value="230c5c9c-d9a7-11e6-bcfd-bb681c07b26c"/>
+    <!-- starting from 2.21.x, the default agent token is no longer associated with any user -->
+    <!--
     <property name="concordAgentUserId" value="d4f123c1-f8d4-40b2-8a12-b8947b9ce2d8"/>
+    -->
     <property name="concordRunnerUserId" value="2599c604-1384-4660-a767-8bc03baa7a31"/>
 
     <!-- delete old hard-coded default admin API token -->
@@ -38,15 +41,20 @@
     </changeSet>
 
     <!-- delete old hard-coded default agent API token -->
+    <!-- starting from 2.21.x, the default agent token is no longer associated with any user -->
+    <!--
     <changeSet id="1860200" author="[email protected]" runInTransaction="false" context="!codegen">
         <sql>
             delete from API_KEYS
             where USER_ID = '${concordAgentUserId}'
             and API_KEY = '1sw9eLZ41EOK4w/iV3jFnn6cqeAMeFtxfazqVY04koY'
         </sql>
     </changeSet>
+    -->
 
     <!-- Set initial agent API token when not exist  -->
+    <!-- starting from 2.21.x, the default agent token is no longer associated with any user -->
+    <!--
     <changeSet id="1860300" author="[email protected]" runInTransaction="false" context="!codegen">
         <validCheckSum>ANY</validCheckSum>
 
@@ -60,14 +68,13 @@
         </preConditions>
 
         <customChange class="com.walmartlabs.concord.server.liquibase.ext.ApiTokenCreator">
-            <!-- default agent user id from v0.69.0.xml -->
             <param name="userId" value="${concordAgentUserId}"/>
             <param name="username" value="concordAgent"/>
-            <!-- values from concord-server.conf -->
             <param name="token" value="${defaultAgentToken}"/>
             <param name="skip" value="${skipAgentTokenGeneration}"/>
         </customChange>
     </changeSet>
+    -->
 
     <!-- Delete runner API tokens and user when exist  -->
     <changeSet id="1860400" author="[email protected]" runInTransaction="false" context="!codegen">

server/db/src/main/resources/com/walmartlabs/concord/server/db/v2.21.0.xml

@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<databaseChangeLog
+        xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.3.xsd">
+
+    <changeSet id="2210000" author="[email protected]">
+        <dropNotNullConstraint tableName="API_KEYS" columnName="USER_ID"/>
+    </changeSet>
+
+    <changeSet id="2210010" author="[email protected]">
+        <dropIndex tableName="API_KEYS " indexName="IDX_API_KEYS_NAME_USER"/>
+
+        <sql>
+            create unique index IDX_API_KEYS_NAME_USER_NULL on API_KEYS (KEY_NAME) where USER_ID is null
+        </sql>
+        <sql>
+            create unique index IDX_API_KEYS_NAME_USER_NOT_NULL on API_KEYS (KEY_NAME, USER_ID) where USER_ID is not null
+        </sql>
+    </changeSet>
+
+    <changeSet id="2210020" author="[email protected]" runInTransaction="false" context="!codegen">
+        <validCheckSum>ANY</validCheckSum>
+
+        <preConditions onFail="MARK_RAN">
+            <sqlCheck expectedResult="0">
+                select count(key_id)
+                from API_KEYS
+                where KEY_NAME = 'concordAgentKey_autogenerated';
+            </sqlCheck>
+            <!-- concordAgentUserId='d4f123c1-f8d4-40b2-8a12-b8947b9ce2d8' -->
+            <sqlCheck expectedResult="0">
+                select count(key_id)
+                from API_KEYS
+                where USER_ID = 'd4f123c1-f8d4-40b2-8a12-b8947b9ce2d8';
+            </sqlCheck>
+        </preConditions>
+
+        <customChange class="com.walmartlabs.concord.server.liquibase.ext.ApiTokenCreator">
+            <param name="keyName" value="concordAgentKey_autogenerated"/>
+            <!-- values from concord-server.conf -->
+            <param name="token" value="${defaultAgentToken}"/>
+            <param name="skip" value="${skipAgentTokenGeneration}"/>
+        </customChange>
+    </changeSet>
+
+</databaseChangeLog>

server/impl/src/main/java/com/walmartlabs/concord/server/security/apikey/ApiKeyRealm.java

@@ -62,17 +62,20 @@ public boolean supports(AuthenticationToken token) {
     protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
         ApiKey t = (ApiKey) token;
 
-        UserEntry u = userManager.get(t.getUserId()).orElse(null);
-        if (u == null) {
-            return null;
-        }
+        UserEntry u = null;
+        if (t.getUserId() != null) {
+            u = userManager.get(t.getUserId()).orElse(null);
+            if (u == null) {
+                return null;
+            }
 
-        if (u.isDisabled()) {
-            throw new AuthenticationException("User account '" + u.getName() + "' is disabled");
+            if (u.isDisabled()) {
+                throw new AuthenticationException("User account '" + u.getName() + "' is disabled");
+            }
         }
 
         auditLog.add(AuditObject.SYSTEM, AuditAction.ACCESS)
-                .userId(u.getId())
+                .userId(u != null ? u.getId() : null)
                 .field("realm", REALM_NAME)
                 .field("apiKeyId", t.getKeyId())
                 .log();