Do not provision roles without applications

oharsta · oharsta · commit 1c8ec3068fce · 2026-03-02T13:50:26.000+01:00
Some of the applications in the `crm_config.json` do not have
applications and we don't want to add an user to those roles and
we also don't want to send invitations
diff --git a/server/src/main/java/invite/crm/CRMController.java b/server/src/main/java/invite/crm/CRMController.java
@@ -102,7 +102,8 @@ public CRMController(@Value("${crm.collab-person-prefix}") String collabPersonPr
         });
         this.crmConfig = crmConfigRaw.entrySet().stream()
                 .map(entry -> new CrmConfigEntry(entry.getKey(), (String) entry.getValue().get("name"),
-                        ((List<Map<String, String>>) entry.getValue().get("applications")).stream()
+                        ((List<Map<String, String>>) entry.getValue().getOrDefault("applications", List.of()))
+                                .stream()
                                 .map(application -> new CrmManageIdentifier(
                                         EntityType.valueOf(application.get("manageType").toUpperCase()),
                                         application.get("manageEntityID"))).toList()))
@@ -123,7 +124,7 @@ public ResponseEntity<String> contact(@RequestBody CRMContact crmContact) {
 
         if (crmContact.isSuppressInvitation() &&
                 StringUtils.hasText(crmContact.getSchacHomeOrganisation()) && StringUtils.hasText(crmContact.getUid())) {
-                created = provisionUser(crmContact);
+            created = provisionUser(crmContact);
         } else {
             created = sendInvitation(crmContact);
         }
@@ -237,10 +238,11 @@ private boolean sendInvitation(CRMContact crmContact) {
         List<CRMRole> newCrmRoles = syncCrmRoles(crmContact, optionalUser.orElse(new User()));
         //Only save the user when the user already existed
         optionalUser.ifPresent(user -> userRepository.save(user));
+        // Maps CRM roles to existing or new roles
+        List<Role> roles = convertCrmRolesToInviteRoles(crmContact, newCrmRoles);
         //If there are no new roles, then we can't do anything
-        if (!CollectionUtils.isEmpty(newCrmRoles)) {
-            // Maps CRM roles to existing or new roles
-            List<Role> roles = convertCrmRolesToInviteRoles(crmContact, newCrmRoles);
+        if (!CollectionUtils.isEmpty(roles)) {
+            //There are roles in CRM without applications, we need to ignore those
             List<GroupedProviders> groupedProviders = manage.getGroupedProviders(roles);
             Set<InvitationRole> invitationRoles = roles.stream()
                     .map(role -> new InvitationRole(role))
@@ -263,16 +265,20 @@ private boolean sendInvitation(CRMContact crmContact) {
     private List<Role> convertCrmRolesToInviteRoles(CRMContact crmContact, List<CRMRole> newCrmRoles) {
         return newCrmRoles.stream()
                 .map(crmRole -> roleRepository.findByCrmRoleIdAndCrmOrganisationId(
-                        crmRole.getRoleId(), crmContact.getOrganisation().getOrganisationId())
-                        .orElseGet(() -> this.createRole(crmContact.getOrganisation(), crmRole)))
+                                crmRole.getRoleId(), crmContact.getOrganisation().getOrganisationId())
+                        .or(() -> this.createRole(crmContact.getOrganisation(), crmRole)))
+                .flatMap(Optional::stream)
                 .toList();
     }
 
-    private Role createRole(CRMOrganisation crmOrganisation, CRMRole crmRole) {
+    private Optional<Role> createRole(CRMOrganisation crmOrganisation, CRMRole crmRole) {
         CrmConfigEntry crmConfigEntry = this.crmConfig.get(crmRole.getSabCode());
         if (crmConfigEntry == null) {
             throw new InvalidInputException("CRM sabCode is not configured: " + crmRole.getSabCode());
         }
+        if (crmConfigEntry.crmManageIdentifiers().isEmpty()) {
+            return Optional.empty();
+        }
         Set<ApplicationUsage> applicationUsages = crmConfigEntry.crmManageIdentifiers().stream()
                 .map(crmManageIdentifier -> manage
                         .providerByEntityID(crmManageIdentifier.manageType(), crmManageIdentifier.manageEntityID())
@@ -302,7 +308,7 @@ private Role createRole(CRMOrganisation crmOrganisation, CRMRole crmRole) {
 
         Role role = roleRepository.save(unsavedRole);
         this.provisioningService.newGroupRequest(role);
-        return role;
+        return Optional.of(role);
     }
 
     private Invitation createInvitation(CRMContact crmContact, Set<InvitationRole> invitationRoles) {
diff --git a/server/src/main/resources/crm/crm_config.json b/server/src/main/resources/crm/crm_config.json
@@ -46,5 +46,10 @@
         "manageType": "oidc10_rp"
       }
     ]
+  },
+  "EMPTY": {
+    "name": "Deprecated",
+    "roleId": "ea61793b-c4a9-47a0-9558-40e684ded3be",
+    "applications": []
   }
 }
diff --git a/server/src/test/java/invite/crm/CRMControllerTest.java b/server/src/test/java/invite/crm/CRMControllerTest.java
@@ -15,7 +15,6 @@
 import io.restassured.http.ContentType;
 import jakarta.mail.Address;
 import org.junit.jupiter.api.Test;
-import org.springframework.http.HttpStatus;
 
 import java.util.List;
 import java.util.Optional;
@@ -198,7 +197,8 @@ void contactInviteNewUserSuppressEmail() throws Exception {
         List<MimeMessageParser> allMailMessages = allMailMessages(0);
         assertEquals(0, allMailMessages.size());
     }
-        @Test
+
+    @Test
     void contactProvisioningRemoveScimRole() throws JsonProcessingException {
         CRMRole crmRoleResearch = new CRMRole("5e17b508-08e4-e811-8100-005056956c1a", "CONBEH", "SURFconextbeheerder");
         CRMRole crmRoleCloud = new CRMRole("cf652619-08e4-e811-8100-005056956c1a", "CONVER", "SURFconextverantwoordelijke");
@@ -247,6 +247,67 @@ void contactProvisioningRemoveScimRole() throws JsonProcessingException {
         assertEquals(3, user.getUserRoles().size());
     }
 
+    @Test
+    void contactProvisioningRoleEmptyApplications() {
+        CRMRole crmRoleResearch = new CRMRole("ea61793b-c4a9-47a0-9558-40e684ded3be", "EMPTY", "Deprecated");
+        String crmContactID = UUID.randomUUID().toString();
+        String crmOrganisationID = UUID.randomUUID().toString();
+        CRMContact crmContact = createCrmContact(crmContactID, crmOrganisationID, crmRoleResearch, "steven", "nope.com", true);
+        String sub = "urn:collab:person:nope.com:steven";
+        Optional<User> userOptional = userRepository.findBySubIgnoreCase(sub);
+        assertTrue(userOptional.isEmpty());
+
+        String response = given()
+                .when()
+                .accept(ContentType.JSON)
+                .header(API_KEY_HEADER, "secret")
+                .contentType(ContentType.JSON)
+                .body(crmContact)
+                .post("/api/internal/v1/crm")
+                .then()
+                .extract()
+                .asString();
+        assertEquals("created", response);
+
+        userOptional = userRepository.findBySubIgnoreCase(sub);
+        assertTrue(userOptional.isPresent());
+        assertEquals(0, userOptional.get().getUserRoles().size());
+    }
+
+    @Test
+    void contactInviteNoInvitationWithNoRoles() throws Exception {
+        CRMRole crmRoleResearch = new CRMRole("ea61793b-c4a9-47a0-9558-40e684ded3be", "EMPTY", "Deprecated");
+        String crmContactID = UUID.randomUUID().toString();
+        String crmOrganisationID = UUID.randomUUID().toString();
+        CRMContact crmContact = createCrmContact(crmContactID, crmOrganisationID, crmRoleResearch, null, null, false);
+        String sub = "urn:collab:person:nope.com:steven";
+        Optional<User> userOptional = userRepository.findBySubIgnoreCase(sub);
+        assertTrue(userOptional.isEmpty());
+
+        String response = given()
+                .when()
+                .accept(ContentType.JSON)
+                .header(API_KEY_HEADER, "secret")
+                .contentType(ContentType.JSON)
+                .body(crmContact)
+                .post("/api/internal/v1/crm")
+                .then()
+                .extract()
+                .asString();
+        assertEquals("created", response);
+
+        Optional<User> optionalUser = userRepository.findByCrmContactIdAndCrmOrganisationId(crmContactID,
+                crmOrganisationID);
+        assertTrue(optionalUser.isEmpty());
+
+        List<Invitation> invitations = invitationRepository.findByCrmContactIdAndCrmOrganisationId(
+                crmContactID, crmOrganisationID);
+        assertEquals(0, invitations.size());
+
+        List<MimeMessageParser> allMailMessages = allMailMessages(0);
+        assertEquals(0, allMailMessages.size());
+    }
+
     @Test
     void deleteUser() throws JsonProcessingException {
         CRMContact crmContact = new CRMContact();
@@ -313,7 +374,7 @@ void scopeInviteRoleToUniqueCRMRoleIdAndOrganizationId() throws JsonProcessingEx
         assertEquals(1, user.getUserRoles().size());
         //Now post the same CRMContact for a different user, but the same role. Enusure the role is not re-used
         String newOrganisationID = UUID.randomUUID().toString();
-        crmContact.setOrganisation(new CRMOrganisation(newOrganisationID,"abbrev","name"));
+        crmContact.setOrganisation(new CRMOrganisation(newOrganisationID, "abbrev", "name"));
         crmContact.setUid("second_user");
         response = given()
                 .when()

Original file line number	Diff line number	Diff line change
`@@ -46,5 +46,10 @@`
`46`	`46`	`"manageType": "oidc10_rp"`
`47`	`47`	`}`
`48`	`48`	`]`
	`49`	`+ },`
	`50`	`+ "EMPTY": {`
	`51`	`+ "name": "Deprecated",`
	`52`	`+ "roleId": "ea61793b-c4a9-47a0-9558-40e684ded3be",`
	`53`	`+ "applications": []`
`49`	`54`	`}`
`50`	`55`	`}`