WIP for #378

oharsta · oharsta · commit a8a3596534e6 · 2025-03-10T16:10:20.000+01:00
diff --git a/client/src/locale/en.js b/client/src/locale/en.js
@@ -247,6 +247,7 @@ const en = {
         inviteesPlaceholder: "Invitee email addresses",
         requiredEmail: "At least one email address is required",
         requiredRole: "At least one role is required for an invitation",
+        requiredOrganizationGUID: "A valid Organization GUID is required for an institution admin invitation",
         intendedAuthority: "Authority",
         roles: "Roles",
         inviterRoles: "Select the roles for the new invitation",
diff --git a/client/src/locale/nl.js b/client/src/locale/nl.js
@@ -247,6 +247,7 @@ const nl = {
         inviteesPlaceholder: "E-mailadressen genodigden",
         requiredEmail: "Geef minimaal 1 e-mailadres op",
         requiredRole: "Minimaal 1 rol is benodigd voor een uitnodiging",
+        requiredOrganizationGUID: "Een valide Organisatie GUID is verplicht voor een instellingsadmin uitnodiging",
         intendedAuthority: "Autoriteit",
         roles: "Rollen",
         inviterRoles: "Selecteer de rollen voor de nieuwe uitnodiging",
@@ -390,7 +391,7 @@ const nl = {
         secretTooltip: "De waarde die je gebruikt in de X-API-TOKEN header",
         description: "Omschrijving",
         superUserToken: "Super User token",
-        organizationGUID: "Organization GUID",
+        organizationGUID: "Organisatie GUID",
         descriptionPlaceHolder: "Omschrijving voor dit API-token",
         descriptionTooltip: "Een omschrijving die de reden voor dit API-token omschrijft",
         deleteFlash: "API-token is verwijderd",
diff --git a/client/src/pages/Home.js b/client/src/pages/Home.js
@@ -65,6 +65,13 @@ export const Home = () => {
             );
         }
         if (user && user.institutionAdmin && user.organizationGUID && !isEmpty(user.applications)) {
+            newTabs.push(
+                <Page key="applicationUsers"
+                      name="applicationUsers"
+                      label={I18n.t("tabs.applicationUsers")}
+                >
+                    <ApplicationUsers/>
+                </Page>);
             newTabs.push(
                 <Page key="applications"
                       name="applications"
@@ -73,13 +80,6 @@ export const Home = () => {
                     <Applications/>
                 </Page>
             );
-            newTabs.push(
-                <Page key="applicationUsers"
-                      name="applicationUsers"
-                      label={I18n.t("tabs.applicationUsers")}
-                >
-                    <ApplicationUsers/>
-                </Page>);
         }
         if (user && (user.superUser || (user.institutionAdmin && user.organizationGUID))) {
             newTabs.push(
diff --git a/client/src/pages/InvitationForm.js b/client/src/pages/InvitationForm.js
@@ -13,7 +13,7 @@ import {
 import {ReactComponent as UserIcon} from "@surfnet/sds/icons/functional-icons/id-2.svg";
 import {ReactComponent as UpIcon} from "@surfnet/sds/icons/functional-icons/arrow-up-2.svg";
 import {ReactComponent as DownIcon} from "@surfnet/sds/icons/functional-icons/arrow-down-2.svg";
-import {newInvitation, rolesByApplication} from "../api";
+import {newInvitation, organizationGUIDValidation, rolesByApplication} from "../api";
 import {Button, ButtonType, Loader, Tooltip} from "@surfnet/sds";
 import "./InvitationForm.scss";
 import {UnitHeader} from "../components/UnitHeader";
@@ -50,6 +50,10 @@ export const InvitationForm = () => {
         invites: [],
         intendedAuthority: AUTHORITIES.GUEST
     });
+
+    const [validOrganizationGUID, setValidOrganizationGUID] = useState(true);
+    const [organizationGUIDIdentityProvider, setOrganizationGUIDIdentityProvider] = useState(null);
+
     const [displayAdvancedSettings, setDisplayAdvancedSettings] = useState(false);
     const [loading, setLoading] = useState(true);
     const [customExpiryDate, setCustomExpiryDate] = useState(false);
@@ -152,7 +156,8 @@ export const InvitationForm = () => {
 
     const isValid = () => {
         return required.every(attr => !isEmpty(invitation[attr])) &&
-            (!isEmpty(selectedRoles) || [AUTHORITIES.SUPER_USER, AUTHORITIES.INSTITUTION_ADMIN].includes(invitation.intendedAuthority));
+            (!isEmpty(selectedRoles) || [AUTHORITIES.SUPER_USER, AUTHORITIES.INSTITUTION_ADMIN].includes(invitation.intendedAuthority))
+            && (invitation.intendedAuthority !== AUTHORITIES.INSTITUTION_ADMIN || !user.superUser || validOrganizationGUID);
     }
 
     const addEmails = emails => {
@@ -175,6 +180,21 @@ export const InvitationForm = () => {
         return invitation.roleExpiryDate;
     }
 
+    const validateOrganizationGUID = e => {
+        const organizationGUID = e.target.value;
+        if (!isEmpty(organizationGUID)) {
+            organizationGUIDValidation(organizationGUID)
+                .then(idp => {
+                    setOrganizationGUIDIdentityProvider(idp);
+                    setValidOrganizationGUID(true);
+                })
+                .catch(() => {
+                    setOrganizationGUIDIdentityProvider(null);
+                    setValidOrganizationGUID(false);
+                })
+        }
+    }
+
     const rolesChanged = selectedOptions => {
         if (selectedOptions === null) {
             setSelectedRoles([])
@@ -199,7 +219,6 @@ export const InvitationForm = () => {
             intendedAuthority: option.value,
             roleExpiryDate: defaultRoleExpiryDate(selectedRoles)
         });
-
     }
 
     const renderUserRole = (role, index, invitationSelected, invitationSelectCallback) => {
@@ -216,6 +235,7 @@ export const InvitationForm = () => {
     }
 
     const renderFormElements = authorityOptions => {
+        const skipRoles = [AUTHORITIES.SUPER_USER, AUTHORITIES.INSTITUTION_ADMIN].includes(invitation.intendedAuthority);
         return (
             <>
                 <EmailField
@@ -242,7 +262,34 @@ export const InvitationForm = () => {
                     toolTip={I18n.t("tooltips.intendedAuthorityTooltip")}
                     clearable={false}
                 />}
-                {!isInviter && <>
+
+                {(user.superUser && AUTHORITIES.INSTITUTION_ADMIN === invitation.intendedAuthority) &&
+                    <InputField
+                        name={I18n.t("roles.organizationGUID")}
+                        value={invitation.organizationGUID}
+                        onChange={e => {
+                            setInvitation({
+                                ...invitation,
+                                organizationGUID: e.target.value
+                            });
+                            setValidOrganizationGUID(true);
+                            setOrganizationGUIDIdentityProvider(null);
+                        }}
+                        onBlur={validateOrganizationGUID}
+                        toolTip={I18n.t("tooltips.organizationGUID")}
+                    />}
+                {!validOrganizationGUID &&
+                    <ErrorIndicator msg={I18n.t("forms.invalid", {
+                        value: invitation.organizationGUID,
+                        attribute: I18n.t("roles.organizationGUID").toLowerCase()
+                    })}/>}
+                {!isEmpty(organizationGUIDIdentityProvider) &&
+                    <p className="info">{I18n.t("roles.identityProvider", {name: organizationGUIDIdentityProvider["name:en"]})}</p>}
+                {(!initial && isEmpty(invitation.organizationGUID) &&
+                        invitation.intendedAuthority === AUTHORITIES.INSTITUTION_ADMIN && user.superUser) &&
+                    <ErrorIndicator msg={I18n.t("invitations.requiredOrganizationGUID")}/>}
+
+                {(!isInviter && !skipRoles) && <>
                     <SelectField value={selectedRoles}
                                  options={roles.filter(role => !selectedRoles.find(r => r.value === role.value))}
                                  name={I18n.t("invitations.roles")}
@@ -254,7 +301,7 @@ export const InvitationForm = () => {
                                  placeholder={I18n.t("invitations.rolesPlaceHolder")}
                                  onChange={rolesChanged}/>
                     {(!initial && isEmpty(selectedRoles) &&
-                            ![AUTHORITIES.SUPER_USER, AUTHORITIES.INSTITUTION_ADMIN].includes(invitation.intendedAuthority)) &&
+                            !skipRoles) &&
                         <ErrorIndicator msg={I18n.t("invitations.requiredRole")}/>}
                 </>}
 
@@ -285,6 +332,7 @@ export const InvitationForm = () => {
         const authorityOptions = allowedAuthoritiesForInvitation(user, selectedRoles)
             .map(authority => ({value: authority, label: I18n.t(`access.${authority}`)}));
         const overrideSettingsAllowed = selectedRoles.every(role => role.overrideSettingsAllowed);
+        const skipRoles = [AUTHORITIES.SUPER_USER, AUTHORITIES.INSTITUTION_ADMIN].includes(invitation.intendedAuthority)
         return (
             <>
                 {isInviter &&
@@ -342,15 +390,16 @@ export const InvitationForm = () => {
                                              info={I18n.t("tooltips.eduIDOnlyTooltip")}
                                 />}
 
-                            {(invitation.intendedAuthority !== AUTHORITIES.GUEST && !isInviter) &&
+                            {(invitation.intendedAuthority !== AUTHORITIES.GUEST && !isInviter &&
+                                    !skipRoles) &&
                                 <SwitchField name={"guestRoleIncluded"}
                                              value={invitation.guestRoleIncluded || false}
                                              onChange={val => setInvitation({...invitation, guestRoleIncluded: val})}
                                              label={I18n.t("invitations.guestRoleIncluded")}
                                              info={I18n.t("tooltips.guestRoleIncludedTooltip")}
                                 />
                             }
-                            {overrideSettingsAllowed &&
+                            {(overrideSettingsAllowed && !skipRoles) &&
                                 <SwitchField name={"roleExpiryDate"}
                                              value={customRoleExpiryDate}
                                              onChange={() => {
diff --git a/client/src/pages/InvitationForm.scss b/client/src/pages/InvitationForm.scss
@@ -37,6 +37,11 @@
             grid-column-start: first;
         }
 
+        p.info {
+            grid-column-start: first;
+            margin-top: 4px;
+        }
+
         .inviter-wrapper {
             margin-top: 25px;
             padding: 25px 155px 25px 25px;
diff --git a/client/src/tabs/ApplicationUsers.js b/client/src/tabs/ApplicationUsers.js
@@ -11,10 +11,14 @@ import debounce from "lodash.debounce";
 import {dateFromEpoch, shortDateFromEpoch} from "../utils/Date";
 import {useNavigate} from "react-router-dom";
 import {defaultPagination, pageCount} from "../utils/Pagination";
+import {AUTHORITIES, isUserAllowed} from "../utils/UserRole";
+import {useAppStore} from "../stores/AppStore";
 
 
 export const ApplicationUsers = () => {
 
+    const {user: currentUser} = useAppStore(state => state);
+
     const [paginationQueryParams, setPaginationQueryParams] = useState(defaultPagination());
     const [searching, setSearching] = useState(true);
     const [users, setUsers] = useState([]);
@@ -121,6 +125,9 @@ export const ApplicationUsers = () => {
                       inputFocus={true}
                       totalElements={totalElements}
                       customSearch={search}
+                      newLabel={I18n.t("invitations.newInvite")}
+                      showNew={isUserAllowed(AUTHORITIES.INSTITUTION_ADMIN, currentUser)}
+                      newEntityFunc={() => navigate(`/invitation/new?institution=true`)}
                       hideTitle={searching}
                       busy={searching}/>
         </div>
diff --git a/client/src/utils/UserRole.js b/client/src/utils/UserRole.js
@@ -167,9 +167,9 @@ export const markAndFilterRoles = (user, allRoles, locale, multiple, separator,
 
 export const allowedAuthoritiesForInvitation = (user, selectedRoles) => {
     if (user.superUser) {
-        return Object.keys(AUTHORITIES)
-            //The superuser has no organization guid
-            .filter(authority => authority !== AUTHORITIES.INSTITUTION_ADMIN);
+        //The superuser has no organization guid, but is allowed to add one
+        return Object.keys(AUTHORITIES);
+
     }
     if (user.institutionAdmin && !isEmpty(user.applications)) {
         return Object.keys(AUTHORITIES)
diff --git a/server/src/main/java/access/api/InvitationController.java b/server/src/main/java/access/api/InvitationController.java
@@ -225,7 +225,12 @@ public ResponseEntity<Map<String, Object>> accept(@Validated @RequestBody Accept
         if (intendedAuthority.equals(Authority.INSTITUTION_ADMIN)) {
             user.setInstitutionAdmin(true);
             user.setInstitutionAdminByInvite(true);
-            user.setOrganizationGUID(inviter.getOrganizationGUID());
+            //Might be that a super-user has invited the institution admin or a different institution admin
+            if (inviter.isSuperUser()) {
+                user.setOrganizationGUID(invitation.getOrganizationGUID());
+            } else {
+                user.setOrganizationGUID(inviter.getOrganizationGUID());
+            }
             //Rare case - a new institution admin has logged in, but was not yet enriched by the CustomOidcUserService
             if (optionalUser.isEmpty()) {
                 saveOAuth2AuthenticationToken(authentication, user, servletRequest, servletResponse);
diff --git a/server/src/main/java/access/api/InvitationOperations.java b/server/src/main/java/access/api/InvitationOperations.java
@@ -24,6 +24,7 @@
 import java.util.Comparator;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;
 
 import static java.util.stream.Collectors.toSet;
 
@@ -95,6 +96,12 @@ public ResponseEntity<InvitationResponse> sendInvitation(InvitationRequest invit
         if (user == null) {
             invitations.forEach(invitation -> invitation.setRemoteApiUser(remoteUser.getName()));
         }
+        if (intendedAuthority.equals(Authority.INSTITUTION_ADMIN)) {
+            invitations.forEach(invitation -> invitation.setOrganizationGUID(
+                    user.isSuperUser() ? invitationRequest.getOrganizationGUID() : user.getOrganizationGUID())
+            );
+        }
+
         this.invitationResource.getInvitationRepository().saveAll(invitations);
 
         List<GroupedProviders> groupedProviders = this.invitationResource.getManage().getGroupedProviders(requestedRoles);
@@ -103,10 +110,19 @@ public ResponseEntity<InvitationResponse> sendInvitation(InvitationRequest invit
                 .map(invitation -> new RecipientInvitationURL(invitation.getEmail(),
                         mailBox.inviteMailURL(invitation)))
                 .toList();
+
+
         if (!invitationRequest.isSuppressSendingEmails()) {
-            invitations.forEach(invitation ->
-                    mailBox.sendInviteMail(user == null ? remoteUser : user,
-                            invitation, groupedProviders, invitationRequest.getLanguage()));
+
+            invitations.forEach(invitation -> {
+                Optional<String> idpName = Optional.ofNullable(invitation.getOrganizationGUID())
+                        .map(organisationGUID -> this.invitationResource.getManage().identityProviderByInstitutionalGUID(organisationGUID))
+                        .flatMap(optional -> optional)
+                        .map(idp -> (String) idp.get("name:en"));
+
+                mailBox.sendInviteMail(user == null ? remoteUser : user,
+                        invitation, groupedProviders, invitationRequest.getLanguage(), idpName);
+            });
         }
         invitations.forEach(invitation -> AccessLogger.invitation(LOG, Event.Created, invitation));
         return ResponseEntity.status(HttpStatus.CREATED).body(new InvitationResponse(HttpStatus.CREATED.value(), recipientInvitationURLs));
@@ -134,8 +150,17 @@ public ResponseEntity<Map<String, Integer>> resendInvitation(Long id,
 
         List<GroupedProviders> groupedProviders = this.invitationResource.getManage().getGroupedProviders(requestedRoles);
         Provisionable provisionable = user != null ? user : remoteUser;
-
-        this.invitationResource.getMailBox().sendInviteMail(provisionable, invitation, groupedProviders, invitation.getLanguage());
+        Optional<String> idpName = Optional.ofNullable(invitation.getOrganizationGUID())
+                .map(organisationGUID -> this.invitationResource.getManage().identityProviderByInstitutionalGUID(organisationGUID))
+                .flatMap(optional -> optional)
+                .map(idp -> (String) idp.get("name:en"));
+
+        this.invitationResource.getMailBox()
+                .sendInviteMail(provisionable,
+                        invitation,
+                        groupedProviders,
+                        invitation.getLanguage(),
+                        idpName);
         if (invitation.getExpiryDate().isBefore(Instant.now())) {
             invitation.setExpiryDate(Instant.now().plus(Period.ofDays(14)));
             invitationRepository.save(invitation);
diff --git a/server/src/main/java/access/mail/MailBox.java b/server/src/main/java/access/mail/MailBox.java
@@ -21,6 +21,7 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;
 import java.util.stream.Collectors;
 
 @SuppressWarnings("unchecked")
@@ -58,7 +59,9 @@ public MailBox(ObjectMapper objectMapper,
     }
 
     @SneakyThrows
-    public void sendInviteMail(Provisionable provisionable, Invitation invitation, List<GroupedProviders> groupedProviders, Language language) {
+    public void sendInviteMail(Provisionable provisionable, Invitation invitation,
+                               List<GroupedProviders> groupedProviders, Language language,
+                               Optional<String> optionalIdpName) {
         Authority intendedAuthority = invitation.getIntendedAuthority();
         String title = String.format(subjects.get(language.name()).get("newInvitation"),
                 invitation.getRoles().stream().map(role -> role.getRole().getName()).collect(Collectors.joining(", ")));
@@ -73,6 +76,7 @@ public void sendInviteMail(Provisionable provisionable, Invitation invitation, L
         } else {
             variables.put("institutionName", "SURF");
         }
+        optionalIdpName.ifPresent(idpName -> variables.put("idpName", idpName));
         variables.put("roles", splitListSemantically(invitation.getRoles().stream()
                 .map(invitationRole -> invitationRole.getRole().getName()).toList()));
         if (invitation.getRoles().stream()
@@ -85,7 +89,6 @@ public void sendInviteMail(Provisionable provisionable, Invitation invitation, L
         if (StringUtils.hasText(invitation.getMessage())) {
             variables.put("message", invitation.getMessage().replaceAll("\n", "<br/>"));
         }
-
         variables.put("invitation", invitation);
         variables.put("intendedAuthority", invitation.getIntendedAuthority().translate(language.name()));
         variables.put("user", provisionable);
diff --git a/server/src/main/java/access/model/Invitation.java b/server/src/main/java/access/model/Invitation.java
@@ -70,6 +70,9 @@ public class Invitation implements Serializable {
     @Column(name = "accepted_at")
     private Instant acceptedAt;
 
+    @Column(name = "organization_guid")
+    private String organizationGUID;
+
     @ManyToOne(fetch = FetchType.EAGER)
     @JoinColumn(name = "inviter_id")
     @JsonIgnore
@@ -131,6 +134,12 @@ public List<String> anyRoles() {
         return CollectionUtils.isEmpty(this.roles) ? Collections.emptyList() : Arrays.asList("will-iterate-once");
     }
 
+    //used in the mustache templates
+    @JsonIgnore
+    public List<String> institutionAdminInvitation() {
+        return CollectionUtils.isEmpty(this.roles) && intendedAuthority.equals(Authority.INSTITUTION_ADMIN) ? Arrays.asList("will-iterate-once") : Collections.emptyList();
+    }
+
     @JsonProperty(value = "inviter", access = JsonProperty.Access.READ_ONLY)
     public Map<String, Object> getInviterEmail() {
         User inviter = this.getInviter();
diff --git a/server/src/main/java/access/model/InvitationRequest.java b/server/src/main/java/access/model/InvitationRequest.java
@@ -37,6 +37,8 @@ public class InvitationRequest implements Serializable {
 
     private List<Long> roleIdentifiers;
 
+    private String organizationGUID;
+
     private Instant roleExpiryDate;
 
     @NotNull
diff --git a/server/src/main/resources/db/mysql/migration/V43_0__invitation_institution_admin.sql b/server/src/main/resources/db/mysql/migration/V43_0__invitation_institution_admin.sql
@@ -0,0 +1,2 @@
+ALTER TABLE `invitations`
+    add `organization_guid` varchar(255) DEFAULT NULL;
diff --git a/server/src/main/resources/templates/invitation_en.html b/server/src/main/resources/templates/invitation_en.html
diff --git a/server/src/main/resources/templates/invitation_nl.html b/server/src/main/resources/templates/invitation_nl.html
diff --git a/server/src/test/java/access/mail/MailBoxTest.java b/server/src/test/java/access/mail/MailBoxTest.java
