[backend] wip: fix local migration

Author: marieflorescontact

opencti-platform/opencti-graphql/src/database/data-initialization.js

@@ -1,5 +1,5 @@
 import validator from 'validator';
-import { addSettings } from '../domain/settings';
+import { addSettings, updateLocalAuth } from '../domain/settings';
 import { BYPASS, AUTOMATION, ROLE_ADMINISTRATOR, ROLE_DEFAULT, SYSTEM_USER } from '../utils/access';
 import { findByType as findEntitySettingsByType, initCreateEntitySettings } from '../modules/entitySetting/entitySetting-domain';
 import { initDecayRules } from '../modules/decayRule/decayRule-domain';
@@ -26,6 +26,8 @@ import { initDefaultTheme } from '../modules/theme/theme-domain';
 import { addEmailTemplate } from '../modules/emailTemplate/emailTemplate-domain';
 import { DEFAULT_EMAIL_TEMPLATE_INPUT } from './default-email-template-input';
 import { createRetentionRule } from '../domain/retentionRule';
+import nconf from 'nconf';
+import { isLocalAuthEnabled } from '../modules/authenticationProvider/authenticationProvider-migration';
 
 // region Platform capabilities definition
 const KNOWLEDGE_CAPABILITY = 'KNOWLEDGE';
@@ -443,14 +445,15 @@ export const initializeData = async (context, withMarkings = true) => {
     logApp.warn(`[INIT] Platform identifier forced to [${platformId}]`);
   }
   const darkTheme = await initDefaultTheme(context);
+  const envConfigurations = nconf.get('providers') ?? {};
   await addSettings(context, SYSTEM_USER, {
     internal_id: platformId,
     platform_title: 'OpenCTI - Cyber Threat Intelligence Platform',
     platform_email: 'admin@opencti.io',
     platform_theme: darkTheme.id,
     platform_language: 'auto',
     view_all_users: false,
-    local_auth: { enabled: true }, // TODO issue here for platform starting on v7 with local in env
+    local_auth: { enabled: isLocalAuthEnabled(envConfigurations) },
     cert_auth: {
       enabled: false,
       description: null,

opencti-platform/opencti-graphql/src/modules/authenticationProvider/authenticationProvider-migration.ts

@@ -17,6 +17,11 @@ import nconf from 'nconf';
 import { getSettings, updateCertAuth, updateHeaderAuth, updateLocalAuth } from '../../domain/settings';
 import type { BasicStoreSettings } from '../../types/settings';
 
+export const isLocalAuthEnabled = (envProviders: Record<string, any>): boolean => {
+  const local = envProviders['local'];
+  return local?.config?.disabled !== true;
+};
+
 // ---------------------------------------------------------------------------
 // Provider type mapping
 // ---------------------------------------------------------------------------
@@ -65,10 +70,9 @@ const parseMappingStrings = (mapping: any) => {
 const migrateLocalAuthIfNeeded = async (context: AuthContext, user: AuthUser) => {
   const settings = await getSettings(context) as unknown as BasicStoreSettings;
   const envConfigurations = nconf.get('providers') ?? {};
-  const local = envConfigurations['local'];
   if (!settings.local_auth) {
     logApp.info('[SINGLETON-MIGRATION] local_auth is absent, creating with defaults');
-    await updateLocalAuth(context, user, settings.id, { enabled: local?.config.disabled !== true });
+    await updateLocalAuth(context, user, settings.id, { enabled: isLocalAuthEnabled(envConfigurations) });
     logApp.info('[SINGLETON-MIGRATION] local_auth successfully ensured');
   }
 };

opencti-platform/opencti-graphql/tests/01-unit/modules/authenticationProvider/authenticationProvider-migration-test.ts

@@ -0,0 +1,48 @@
+import { describe, expect, it } from 'vitest';
+import { isLocalAuthEnabled } from '../../../../src/modules/authenticationProvider/authenticationProvider-migration';
+
+// ==========================================================================
+// resolveLocalAuthEnabled
+// ==========================================================================
+
+describe('resolveLocalAuthEnabled', () => {
+  it('should return true when no local provider is configured', () => {
+    expect(isLocalAuthEnabled({})).toBe(true);
+  });
+
+  it('should return true when local provider exists but disabled is not set', () => {
+    const providers = { local: { strategy: 'LocalStrategy', config: {} } };
+    expect(isLocalAuthEnabled(providers)).toBe(true);
+  });
+
+  it('should return true when local provider disabled is explicitly false', () => {
+    const providers = { local: { strategy: 'LocalStrategy', config: { disabled: false } } };
+    expect(isLocalAuthEnabled(providers)).toBe(true);
+  });
+
+  it('should return false when local provider disabled is explicitly true', () => {
+    const providers = { local: { strategy: 'LocalStrategy', config: { disabled: true } } };
+    expect(isLocalAuthEnabled(providers)).toBe(false);
+  });
+
+  it('should return true when local provider has no config property', () => {
+    const providers = { local: { strategy: 'LocalStrategy' } };
+    expect(isLocalAuthEnabled(providers)).toBe(true);
+  });
+
+  it('should not be affected by other providers being present', () => {
+    const providers = {
+      oidc: { strategy: 'OpenIDConnectStrategy', config: { disabled: true } },
+      local: { strategy: 'LocalStrategy', config: { disabled: false } },
+    };
+    expect(isLocalAuthEnabled(providers)).toBe(true);
+  });
+
+  it('should return false when local is disabled even if other providers are enabled', () => {
+    const providers = {
+      oidc: { strategy: 'OpenIDConnectStrategy', config: { disabled: false } },
+      local: { strategy: 'LocalStrategy', config: { disabled: true } },
+    };
+    expect(isLocalAuthEnabled(providers)).toBe(false);
+  });
+});