Fixes #642

oharsta · oharsta · commit 962a01adf58e · 2026-02-05T11:52:25.000+01:00
diff --git a/.gitignore b/.gitignore
@@ -48,3 +48,4 @@ teams-api-calls.md
 .run/
 client/locale_parser.js
 PlayGroundTest.java
+spieldata
diff --git a/server/src/main/java/invite/api/InvitationController.java b/server/src/main/java/invite/api/InvitationController.java
@@ -356,7 +356,7 @@ public ResponseEntity<Map<String, Object>> accept(@Validated @RequestBody Accept
         //Already provisioned users in the remote systems are ignored / excluded
         Optional<GraphResponse> optionalGraphResponse = isGuest ? provisioningService.newUserRequest(user) : Optional.empty();
         if (isGuest) {
-            newUserRoles.forEach(userRole -> provisioningService.updateGroupRequest(userRole, OperationType.Add));
+            newUserRoles.forEach(userRole -> provisioningService.updateGroupRequest(userRole, OperationType.add));
         }
         LOG.info(String.format("User %s accepted invitation with role(s) %s",
                 user.getEduPersonPrincipalName(),
diff --git a/server/src/main/java/invite/api/RoleController.java b/server/src/main/java/invite/api/RoleController.java
@@ -192,7 +192,9 @@ public ResponseEntity<Role> newRole(@Validated @RequestBody RoleRequest roleRequ
     public ResponseEntity<Role> updateRole(@Validated @RequestBody Role role,
                                            @Parameter(hidden = true) User user) {
         LOG.debug(String.format("PUT /roles/ for user %s", user.getEduPersonPrincipalName()));
-        UserPermissions.assertAuthority(user, Authority.MANAGER);
+
+        UserPermissions.assertRoleAccess(user, role, Authority.MANAGER);
+
         LOG.debug(String.format("Update role '%s' by user %s", role.getName(), user.getEduPersonPrincipalName()));
         return saveOrUpdate(role, user);
     }
diff --git a/server/src/main/java/invite/api/UserRoleController.java b/server/src/main/java/invite/api/UserRoleController.java
@@ -199,7 +199,7 @@ public ResponseEntity<User> userRoleProvisioning(@Validated @RequestBody UserRol
         AccessLogger.user(LOG, Event.Created, user);
 
         provisioningService.newUserRequest(user);
-        newUserRoles.forEach(userRole -> provisioningService.updateGroupRequest(userRole, OperationType.Add));
+        newUserRoles.forEach(userRole -> provisioningService.updateGroupRequest(userRole, OperationType.add));
 
         return ResponseEntity.status(201).body(user);
     }
@@ -242,7 +242,7 @@ public ResponseEntity<Void> deleteUserRole(@PathVariable("id") Long id,
             AccessLogger.userRole(LOG, Event.Updated, user, userRole);
 
         } else {
-            provisioningService.updateGroupRequest(userRole, OperationType.Remove);
+            provisioningService.updateGroupRequest(userRole, OperationType.remove);
             provisioningService.deleteUserRoleRequest(userRole);
             userRoleAuditService.logAction(userRole, UserRoleAudit.ActionType.DELETE);
             // Deprovision the user for all provisionings which are exclusively used in this userRole
diff --git a/server/src/main/java/invite/config/HashGenerator.java b/server/src/main/java/invite/config/HashGenerator.java
@@ -27,7 +27,7 @@ public static String generateRandomHash(int byteLength) {
     }
 
     public static String generateToken() {
-        return RandomStringUtils.secure().random(36, true, true);
+        return RandomStringUtils.secure().next(36, true, true);
     }
 
     public static String hashToken(String token) {
diff --git a/server/src/main/java/invite/cron/ResourceCleaner.java b/server/src/main/java/invite/cron/ResourceCleaner.java
@@ -96,7 +96,7 @@ private List<UserRole> cleanUserRoles() {
             User user = userRole.getUser();
             Role role = userRole.getRole();
             try {
-                provisioningService.updateGroupRequest(userRole, OperationType.Remove);
+                provisioningService.updateGroupRequest(userRole, OperationType.remove);
                 user.removeUserRole(userRole);
                 userRepository.save(user);
                 LOG.info(String.format("Deleted userRole for user %s and role %s with an endDate in the past",
diff --git a/server/src/main/java/invite/model/RoleRequest.java b/server/src/main/java/invite/model/RoleRequest.java
@@ -25,7 +25,7 @@ public class RoleRequest implements Serializable{
 
     @NotNull
     @NotBlank
-    @Schema(description = "Unique name of the role", example = "Guest for my application", required = true)
+    @Schema(description = "Unique name of the role", example = "Guest for my application", requiredMode = Schema.RequiredMode.REQUIRED)
     private String name;
 
     @Schema(description = "Brief explanation of this role's purpose", example = "Full access to all modules")
diff --git a/server/src/main/java/invite/provision/ProvisioningServiceDefault.java b/server/src/main/java/invite/provision/ProvisioningServiceDefault.java
@@ -19,11 +19,12 @@
 import invite.provision.eva.EvaClient;
 import invite.provision.graph.GraphClient;
 import invite.provision.graph.GraphResponse;
+import invite.provision.scim.DisplayNameOperation;
 import invite.provision.scim.GroupPatchRequest;
 import invite.provision.scim.GroupRequest;
 import invite.provision.scim.GroupURN;
 import invite.provision.scim.Member;
-import invite.provision.scim.Operation;
+import invite.provision.scim.MembersOperation;
 import invite.provision.scim.OperationType;
 import invite.provision.scim.UserRequest;
 import invite.repository.RemoteProvisionedGroupRepository;
@@ -44,9 +45,7 @@
 import org.springframework.http.MediaType;
 import org.springframework.http.RequestEntity;
 import org.springframework.http.ResponseEntity;
-import org.springframework.http.client.ClientHttpRequestInterceptor;
 import org.springframework.http.client.JdkClientHttpRequestFactory;
-import org.springframework.retry.support.RetryTemplate;
 import org.springframework.stereotype.Service;
 import org.springframework.util.StringUtils;
 import org.springframework.web.client.RestClientException;
@@ -64,7 +63,6 @@
 import java.util.Set;
 import java.util.concurrent.atomic.AtomicReference;
 import java.util.stream.Collectors;
-import java.util.stream.Stream;
 
 @Service
 @SuppressWarnings("unchecked")
@@ -228,7 +226,7 @@ public void deleteUserRoleRequest(UserRole userRole) {
     public void deleteUserRequest(User user) {
         //First send update role requests
         user.getUserRoles()
-                .forEach(userRole -> this.updateGroupRequest(userRole, OperationType.Remove));
+                .forEach(userRole -> this.updateGroupRequest(userRole, OperationType.remove));
 
         List<Provisioning> provisionings = getProvisionings(user);
         //Delete the user to all provisionings in Manage where the user is known
@@ -238,7 +236,7 @@ public void deleteUserRequest(User user) {
     @Override
     public void deleteUserRequest(User user, UserRole userRole) {
         //First send update role request
-        this.updateGroupRequest(userRole, OperationType.Remove);
+        this.updateGroupRequest(userRole, OperationType.remove);
         /*
          * We first need a List all provisionings for the user#userRole, and then we need to remove the provisiongs
          * from that List that are in use by other user#userRoles, and those are the provisionings which we need to delete
@@ -343,9 +341,9 @@ public void updateGroupRequest(UserRole userRole, OperationType operationType) {
                                         .filter(userRoleDB -> userRoleDB.getAuthority().equals(Authority.GUEST) || userRoleDB.isGuestRoleIncluded())
                                         .collect(Collectors.toCollection(ArrayList::new));
                                 boolean userRolePresent = userRoles.stream().anyMatch(dbUserRole -> dbUserRole.getId().equals(userRole.getId()));
-                                if (operationType.equals(OperationType.Add) && !userRolePresent) {
+                                if (operationType.equals(OperationType.add) && !userRolePresent) {
                                     userRoles.add(userRole);
-                                } else if (operationType.equals(OperationType.Remove) && userRolePresent) {
+                                } else if (operationType.equals(OperationType.remove) && userRolePresent) {
                                     userRoles = userRoles.stream()
                                             .filter(dbUserRole -> !dbUserRole.getId().equals(userRole.getId()))
                                             .collect(Collectors.toCollection(ArrayList::new));
@@ -381,31 +379,30 @@ private void sendGroupPutRequest(Provisioning provisioning,
                 .map(Optional::get)
                 .map(RemoteProvisionedUser::getRemoteIdentifier)
                 .toList();
-        if (!userScimIdentifiers.isEmpty()) {
+        if (!userScimIdentifiers.isEmpty() || operationType.equals(OperationType.replace)) {
             if (provisioning.isScimUpdateRolePutMethod()) {
                 String groupRequest = constructGroupRequest(
                         role,
                         provisionedGroup.getRemoteIdentifier(),
                         userScimIdentifiers);
                 this.updateRequest(provisioning, groupRequest, APIType.GROUP_API, provisionedGroup.getRemoteIdentifier(), HttpMethod.PUT);
             } else {
-                String groupRequest = patchGroupRequest(
-                        role,
-                        userScimIdentifiers,
-                        provisionedGroup.getRemoteIdentifier(),
-                        operationType);
+                GroupPatchRequest request = operationType.equals(OperationType.replace) ?
+                        new GroupPatchRequest(new DisplayNameOperation(role.getName())):
+                        new GroupPatchRequest(new MembersOperation(operationType, userScimIdentifiers));
+                String groupRequest = prettyJson(request);
                 this.updateRequest(provisioning, groupRequest, APIType.GROUP_API, provisionedGroup.getRemoteIdentifier(), HttpMethod.PATCH);
             }
         }
-
     }
 
     @Override
     public void updateGroupRequest(List<String> previousManageIdentifiers, Role newRole, boolean nameChanged) {
         //Immutable List cannot be sorted
         List<String> previousManageIdentifiersSorted = previousManageIdentifiers.stream().sorted().toList();
         List<String> newManageIdentifiers = this.getManageIdentifiers(newRole);
-        if (!nameChanged && previousManageIdentifiers.equals(newManageIdentifiers)) {
+        boolean noApplicationsChanged = previousManageIdentifiers.equals(newManageIdentifiers);
+        if (!nameChanged && noApplicationsChanged) {
             LOG.info(String.format("Group %s update request with no difference in manage identifiers (%s). No action required",
                     newRole.getName(),
                     newManageIdentifiers));
@@ -436,13 +433,14 @@ public void updateGroupRequest(List<String> previousManageIdentifiers, Role newR
                     }
                     provisionedGroupOptional.ifPresent(provisionedGroup -> {
                         List<UserRole> userRoles = userRoleRepository.findByRole(newRole);
-                        this.sendGroupPutRequest(provisioning, provisionedGroup, userRoles, newRole, OperationType.Add);
+                        this.sendGroupPutRequest(provisioning, provisionedGroup, userRoles, newRole, OperationType.replace);
                     });
                 });
 
         LOG.info(String.format("Deleting existing provisionings %s from group %s", deletedManageIdentifiers, newRole.getName()));
 
-        List<Provisioning> provisionings = manage.provisioning(deletedManageIdentifiers).stream().map(Provisioning::new).toList();
+        List<Provisioning> provisionings = manage.provisioning(deletedManageIdentifiers).stream()
+                .map(Provisioning::new).toList();
         deleteGroupRequest(newRole, provisionings);
     }
 
@@ -488,16 +486,6 @@ private String constructGroupRequest(Role role, String remoteGroupScimIdentifier
         return prettyJson(new GroupRequest(externalId, remoteGroupScimIdentifier, role.getName(), members));
     }
 
-    private String patchGroupRequest(Role role,
-                                     List<String> remoteScimProvisionedUsers,
-                                     String remoteScimProvisionedGroup,
-                                     OperationType operationType) {
-        String externalId = GroupURN.urnFromRole(groupUrnPrefix, role);
-        GroupPatchRequest request = new GroupPatchRequest(externalId, remoteScimProvisionedGroup,
-                new Operation(operationType, remoteScimProvisionedUsers));
-        return prettyJson(request);
-    }
-
     private Optional<ProvisioningResponse> newRequest(Provisioning provisioning, String request, Provisionable provisionable) {
         boolean isUser = provisionable instanceof User;
         APIType apiType = isUser ? APIType.USER_API : APIType.GROUP_API;
diff --git a/server/src/main/java/invite/provision/scim/DisplayNameOperation.java b/server/src/main/java/invite/provision/scim/DisplayNameOperation.java
@@ -0,0 +1,19 @@
+package invite.provision.scim;
+
+import lombok.Getter;
+
+import java.util.HashSet;
+import java.util.List;
+
+@Getter
+public class DisplayNameOperation implements Operation {
+
+    private final OperationType op = OperationType.replace;
+    private final String path = "displayName";
+    private final String value;
+
+    public DisplayNameOperation(String value) {
+        this.value = value;
+    }
+
+}
diff --git a/server/src/main/java/invite/provision/scim/GroupPatchRequest.java b/server/src/main/java/invite/provision/scim/GroupPatchRequest.java
@@ -14,7 +14,7 @@ public class GroupPatchRequest implements Serializable {
     @JsonProperty("Operations")
     private final List<Operation> operations;
 
-    public GroupPatchRequest(String externalId, String id, Operation operation) {
+    public GroupPatchRequest(Operation operation) {
         this.operations = Collections.singletonList(operation);
     }
 }
diff --git a/server/src/main/java/invite/provision/scim/MembersOperation.java b/server/src/main/java/invite/provision/scim/MembersOperation.java
@@ -0,0 +1,20 @@
+package invite.provision.scim;
+
+import lombok.Getter;
+
+import java.util.HashSet;
+import java.util.List;
+
+@Getter
+public class MembersOperation implements Operation{
+
+    private final OperationType op;
+    private final String path = "members";
+    private final List<Member> value;
+
+    public MembersOperation(OperationType op, List<String> remoteScimIdentifiers) {
+        this.op = op;
+        this.value = new HashSet<>(remoteScimIdentifiers).stream().map(Member::new).toList();
+    }
+
+}
diff --git a/server/src/main/java/invite/provision/scim/Operation.java b/server/src/main/java/invite/provision/scim/Operation.java
@@ -1,19 +1,8 @@
 package invite.provision.scim;
 
-import lombok.Getter;
+public interface Operation {
 
-import java.util.HashSet;
-import java.util.List;
+    OperationType getOp();
 
-@Getter
-public class Operation {
-
-    private final OperationType op;
-    private final String path = "members";
-    private final List<Member> value;
-
-    public Operation(OperationType op, List<String> remoteScimIdentifiers) {
-        this.op = op;
-        this.value = new HashSet<>(remoteScimIdentifiers).stream().map(Member::new).toList();
-    }
+    String getPath();
 }
diff --git a/server/src/main/java/invite/provision/scim/OperationType.java b/server/src/main/java/invite/provision/scim/OperationType.java
@@ -2,5 +2,5 @@
 
 public enum OperationType {
 
-    Add, Remove
+    add, remove, replace
 }
diff --git a/server/src/main/java/invite/teams/TeamsController.java b/server/src/main/java/invite/teams/TeamsController.java
@@ -161,7 +161,7 @@ private void provision(Role role, Membership membership) {
         userRole = userRoleRepository.save(userRole);
         userRoleAuditService.logAction(userRole, UserRoleAudit.ActionType.ADD);
 
-        provisioningService.updateGroupRequest(userRole, OperationType.Add);
+        provisioningService.updateGroupRequest(userRole, OperationType.add);
     }
 
     protected static Authority mapAuthority(invite.teams.Role role) {
diff --git a/server/src/main/resources/application.yml b/server/src/main/resources/application.yml
@@ -216,8 +216,10 @@ manage:
 springdoc:
   pathsToMatch: "/api/external/v1/**"
   api-docs:
+    enabled: true
     path: "/ui/api-docs"
   swagger-ui:
+    enabled: true
     path: "/ui/api-ui.html"
     operationsSorter: method
     oauth:
diff --git a/server/src/test/java/invite/api/RoleControllerTest.java b/server/src/test/java/invite/api/RoleControllerTest.java
diff --git a/server/src/test/java/invite/cron/ResourceCleanerUnitTest.java b/server/src/test/java/invite/cron/ResourceCleanerUnitTest.java
diff --git a/server/src/test/java/invite/provision/ProvisioningServiceDefaultTest.java b/server/src/test/java/invite/provision/ProvisioningServiceDefaultTest.java

Original file line number	Diff line number	Diff line change
`@@ -356,7 +356,7 @@ public ResponseEntity<Map<String, Object>> accept(@Validated @RequestBody Accept`
`356`	`356`	`//Already provisioned users in the remote systems are ignored / excluded`
`357`	`357`	`Optional<GraphResponse> optionalGraphResponse = isGuest ? provisioningService.newUserRequest(user) : Optional.empty();`
`358`	`358`	`if (isGuest) {`
`359`		`- newUserRoles.forEach(userRole -> provisioningService.updateGroupRequest(userRole, OperationType.Add));`
	`359`	`+ newUserRoles.forEach(userRole -> provisioningService.updateGroupRequest(userRole, OperationType.add));`
`360`	`360`	`}`
`361`	`361`	`LOG.info(String.format("User %s accepted invitation with role(s) %s",`
`362`	`362`	`user.getEduPersonPrincipalName(),`
Original file line number	Diff line number	Diff line change
`@@ -27,7 +27,7 @@ public static String generateRandomHash(int byteLength) {`
`27`	`27`	`}`
`28`	`28`
`29`	`29`	`public static String generateToken() {`
`30`		`- return RandomStringUtils.secure().random(36, true, true);`
	`30`	`+ return RandomStringUtils.secure().next(36, true, true);`
`31`	`31`	`}`
`32`	`32`
`33`	`33`	`public static String hashToken(String token) {`
Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@ public class GroupPatchRequest implements Serializable {`
`14`	`14`	`@JsonProperty("Operations")`
`15`	`15`	`private final List<Operation> operations;`
`16`	`16`
`17`		`- public GroupPatchRequest(String externalId, String id, Operation operation) {`
	`17`	`+ public GroupPatchRequest(Operation operation) {`
`18`	`18`	`this.operations = Collections.singletonList(operation);`
`19`	`19`	`}`
`20`	`20`	`}`