Merge branch 'feature/shedlock-locking' of github.com:OpenConext/OpenConext-Invite into feature/shedlock-locking

Author: phavekes

.github/badges/branches.svg

@@ -5,6 +5,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## 1.1.1
+
+- Fix: eduID only invitations for managers and inviters
+- Feature: Display audit train for Institution Admins
+- Feature: Clean up expired invitations
+- Fix: Locking for cron jobs on multi-master databases
+
 ## 1.1.0
 
 - Feature: Add CRM interface to directly create application-roles and invite users, triggers from an external CRM system
@@ -34,6 +41,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 - Improvement: cronjob database locks to work in clusterd enviroment
 - Fix: SCIM delete messageses were not always sent
 - Fix: Accepting invite in the same browser session that sent the invite
+- Change: SCIM Patch opeartions now follow rfc7644 and use `add`, `remove`, or `replace` (instead of `Add` and `Remove`)
 
 ## 1.0.2
 

.github/badges/jacoco.svg

@@ -209,3 +209,8 @@ cd client
 nvm use
 yarn outdated
 ```
+
+## CRM
+
+CRM api calls have been added to enable migration from a legacy application called SAB (SURF Autorisatie Beheer).
+These api calls are actively used to integrate with the enterprise role administration system.

CHANGELOG.md

@@ -45,7 +45,7 @@
     "nth-check": "^2.1.1",
     "react-json-view-lite": "^2.4.2",
     "sass": "^1.90.0",
-    "vite": "^7.2.2",
+    "vite": "^7.3.2",
     "vite-plugin-svgr": "^4.5.0",
     "vitest": "^4.0.8"
   },

README.md

@@ -2660,9 +2660,9 @@ lodash.debounce@^4.0.8:
   integrity sha512-FT1yDzDYEoYWhnSGnpE/4Kj1fLZkDFyqRb7fNt6FdYOSxlUWAtp42Eh6Wb0rGIv/m9Bgo7x4GhQbm5Ys4SG5ow==
 
 lodash@*:
-  version "4.17.23"
-  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.23.tgz#f113b0378386103be4f6893388c73d0bde7f2c5a"
-  integrity sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==
+  version "4.18.1"
+  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.18.1.tgz#ff2b66c1f6326d59513de2407bf881439812771c"
+  integrity sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==
 
 loose-envify@^1.4.0:
   version "1.4.0"
@@ -3642,10 +3642,10 @@ vite-plugin-svgr@^4.5.0:
     "@svgr/core" "^8.1.0"
     "@svgr/plugin-jsx" "^8.1.0"
 
-"vite@^6.0.0 || ^7.0.0", vite@^7.2.2:
-  version "7.3.1"
-  resolved "https://registry.yarnpkg.com/vite/-/vite-7.3.1.tgz#7f6cfe8fb9074138605e822a75d9d30b814d6507"
-  integrity sha512-w+N7Hifpc3gRjZ63vYBXA56dvvRlNWRczTdmCBBa+CotUzAPf5b7YMdMR/8CQoeYE5LX3W4wj6RYTgonm1b9DA==
+"vite@^6.0.0 || ^7.0.0", vite@^7.3.2:
+  version "7.3.2"
+  resolved "https://registry.yarnpkg.com/vite/-/vite-7.3.2.tgz#cb041794d4c1395e28baea98198fd6e8f4b96b5c"
+  integrity sha512-Bby3NOsna2jsjfLVOHKes8sGwgl4TT0E6vvpYgnAYDIF/tie7MRaFthmKuHx1NSXjiTueXH3do80FMQgvEktRg==
   dependencies:
     esbuild "^0.27.0"
     fdir "^6.5.0"
@@ -3797,9 +3797,9 @@ yallist@^3.0.2:
   integrity sha512-a4UGQaWPH59mOXUYnAG2ewncQS4i4F43Tv3JoAM+s2VDAmS9NsK8GpDMLrCHPksFT7h3K6TOoUNn2pb7RoXx4g==
 
 yaml@^1.10.0:
-  version "1.10.2"
-  resolved "https://registry.yarnpkg.com/yaml/-/yaml-1.10.2.tgz#2301c5ffbf12b467de8da2333a459e29e7920e4b"
-  integrity sha512-r3vXyErRCYJ7wg28yvBY5VSoAF8ZvlcW9/BwUzEtUsjvX/DKs24dIkuwjtuprwJJHsbyUbLApepYTR1BN4uHrg==
+  version "1.10.3"
+  resolved "https://registry.yarnpkg.com/yaml/-/yaml-1.10.3.tgz#76e407ed95c42684fb8e14641e5de62fe65bbcb3"
+  integrity sha512-vIYeF1u3CjlhAFekPPAk2h/Kv4T3mAkMox5OymRiJQB0spDP10LHvt+K7G9Ny6NuuMAb25/6n1qyUjAcGNf/AA==
 
 yocto-queue@^0.1.0:
   version "0.1.0"

client/package.json

@@ -326,7 +326,7 @@ Content-Type: application/json
   "schemas" : [ "urn:ietf:params:scim:api:messages:2.0:PatchOp" ],
   "id" : "{GroupID at SP}",
   "Operations" : [ {
-    "op" : "Add",
+    "op" : "add",
     "path" : "members",
     "value" : [ {
       "value" : "{UserID at SP}"
@@ -346,7 +346,7 @@ Content-Type: application/json
   "schemas" : [ "urn:ietf:params:scim:api:messages:2.0:PatchOp" ],
   "id" : "{GroupID at SP}",
   "Operations" : [ {
-    "op" : "Remove",
+    "op" : "remove",
     "path" : "members",
     "value" : [ {
       "value" : "{UserID at SP}"

client/yarn.lock

@@ -18,7 +18,13 @@
 import org.springframework.transaction.annotation.Transactional;
 import org.springframework.util.StringUtils;
 import org.springframework.validation.annotation.Validated;
-import org.springframework.web.bind.annotation.*;
+import org.springframework.web.bind.annotation.DeleteMapping;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
 
 import java.util.List;
 import java.util.Map;
@@ -73,10 +79,10 @@ public ResponseEntity<APIToken> create(@Validated @RequestBody APIToken apiToken
         UserPermissions.assertAuthority(user, Authority.INVITER);
         String token = (String) request.getSession().getAttribute(TOKEN_KEY);
         if (!StringUtils.hasText(token)) {
-            throw new UserRestrictionException();
+            throw new UserRestrictionException("Token is NULL");
         }
         if (user.isSuperUser() && !StringUtils.hasText(apiTokenRequest.getOrganizationGUID())) {
-            throw new UserRestrictionException();
+            throw new UserRestrictionException("Super user must specify API token OrganizationGUID");
         }
         APIToken apiToken;
         if (user.isSuperUser() || user.isInstitutionAdmin()) {
@@ -96,16 +102,17 @@ public ResponseEntity<APIToken> create(@Validated @RequestBody APIToken apiToken
     @DeleteMapping("/{id}")
     public ResponseEntity<Void> deleteToken(@PathVariable("id") Long id, @Parameter(hidden = true) User user) {
         LOG.debug(String.format("DELETE /tokens/deleteToken with id %s for user %s", id.toString(), user.getEduPersonPrincipalName()));
+
         UserPermissions.assertAuthority(user, Authority.INVITER);
         APIToken apiToken = apiTokenRepository.findById(id).orElseThrow(() -> new NotFoundException("API token not found"));
         if (apiToken.isSuperUserToken() && !user.isSuperUser()) {
-            throw new UserRestrictionException();
+            throw new UserRestrictionException("Non super-user not allowed to delete super-user token: " + user.getEmail());
         }
         if (user.isInstitutionAdmin() && !apiToken.getOrganizationGUID().equals(user.getOrganizationGUID())) {
-            throw new UserRestrictionException();
+            throw new UserRestrictionException("User not allowed to delete token for different organization: " + user.getEmail());
         }
         if (!user.isSuperUser() && !user.isInstitutionAdmin() && !Objects.equals(user.getId(), apiToken.getOwner().getId())) {
-            throw new UserRestrictionException();
+            throw new UserRestrictionException("User not allowed to delete token for different owner: " + user.getEmail());
         }
         apiTokenRepository.delete(apiToken);
         return Results.deleteResult();

docs/SCIM/index.md

@@ -160,6 +160,7 @@ public InvitationController(MailBox mailBox,
                                       "message": "Personal message included in the email",
                                       "language": "en",
                                       "guestRoleIncluded": true,
+                                      "suppressSendingEmails": false,
                                       "invites": [
                                         "admin@service.org"
                                       ],

server/src/main/java/invite/api/APITokenController.java

@@ -179,7 +179,7 @@ public ResponseEntity<List<Role>> rolesPerApplicationId(@PathVariable("manageId"
                     .collect(Collectors.toSet());
             applicationManageIdentifiers.addAll(roleManageIdentifiers);
             if (!applicationManageIdentifiers.contains(manageId)) {
-                throw new UserRestrictionException();
+                throw new UserRestrictionException(String.format("User %s has no access to manageID %s", user.getEmail(), manageId));
             }
             roles = roleRepository.findByOrganizationGUIDAndApplicationUsagesApplicationManageId(user.getOrganizationGUID(), manageId);
         }
@@ -194,7 +194,7 @@ public ResponseEntity<Role> newRole(@Validated @RequestBody RoleRequest roleRequ
         UserPermissions.assertAuthority(user, Authority.INSTITUTION_ADMIN);
         //For super_users we require an organization GUID from the input form
         if (user.isSuperUser() && !StringUtils.hasText(roleRequest.getOrganizationGUID())) {
-            throw new UserRestrictionException();
+            throw new UserRestrictionException("Super users must specify an organizationGUID");
         }
         Role role = new Role(roleRequest);
         role.setOrganizationGUID(user.isSuperUser() ? roleRequest.getOrganizationGUID() : user.getOrganizationGUID());
@@ -244,7 +244,8 @@ public ResponseEntity<Void> deleteRole(@PathVariable("id") Long id,
 
         if (!user.isSuperUser() &&
                 !Objects.equals(user.getOrganizationGUID(), role.getOrganizationGUID())) {
-            throw new UserRestrictionException();
+            throw new UserRestrictionException(String.format("Non super user %s not allowd to delete role %s",
+                    user.getEmail(), role.getName()));
         }
 
         provisioningService.deleteGroupRequest(role);