WIP for #650

Author: oharsta

server/src/main/java/invite/api/InvitationController.java

@@ -374,6 +374,10 @@ public ResponseEntity<Map<String, Object>> accept(@Validated @RequestBody Accept
             }
         }
         user.setInternalPlaceholderIdentifier(invitation.getInternalPlaceholderIdentifier());
+        if (StringUtils.hasText(invitation.getCrmContactId())) {
+            user.setCrmContactId(invitation.getCrmContactId());
+            user.setCrmOrganisationId(invitation.getCrmOrganisationId());
+        }
         userRepository.save(user);
         AccessLogger.user(LOG, Event.Created, user);
         newUserRoles.forEach(userRole -> userRoleAuditService.logAction(userRole, UserRoleAudit.ActionType.ADD));
@@ -553,22 +557,17 @@ private void checkEmailEquality(User user, Invitation invitation) {
     }
 
     private void checkCrmUniqueOrganisation(User user, Invitation invitation) {
-        if (StringUtils.hasText(invitation.getCrmContactId()) && user.getUserRoles().stream()
-                .map(userRole -> userRole.getRole().getCrmOrganisationId())
-                .anyMatch(crmOrganisationId -> StringUtils.hasText(crmOrganisationId) &&
-                        invitation.getRoles().stream()
-                                .map(invitationRole -> invitationRole.getRole())
-                                .anyMatch(role -> StringUtils.hasText(role.getCrmOrganisationId()) && !role.getCrmOrganisationId().equals(crmOrganisationId)))) {
+        if (StringUtils.hasText(invitation.getCrmContactId()) &&
+                StringUtils.hasText(user.getCrmContactId()) &&
+                user.getCrmContactId().equals(invitation.getCrmContactId()) &&
+                !user.getCrmOrganisationId().equals(invitation.getCrmOrganisationId())) {
             throw new InvitationUniqueCrmOrganisationException(
                     String.format("User %s is not allowed to accept an invitation from Organisation %s, because it already has roles for Organisation %s",
                             user.getEmail(),
-                            user.getUserRoles().stream()
-                                    .map(userRole -> userRole.getRole().getCrmOrganisationId())
-                                    .toList(),
-                            invitation.getRoles().stream()
-                                    .map(invitationRole -> invitationRole.getRole().getCrmOrganisationId())
-                                    .toList()));
+                            invitation.getCrmOrganisationId(),
+                            user.getCrmOrganisationId()
+                            ));
+
         }
     }
-
 }

server/src/main/java/invite/crm/CRMController.java

@@ -24,6 +24,7 @@
 import invite.provision.ProvisioningService;
 import invite.provision.scim.OperationType;
 import invite.repository.ApplicationRepository;
+import invite.repository.InvitationRepository;
 import invite.repository.RoleRepository;
 import invite.repository.UserRepository;
 import org.apache.commons.logging.Log;
@@ -68,6 +69,7 @@ public class CRMController {
     private final Map<String, CrmConfigEntry> crmConfig;
     private final UserRoleAuditService userRoleAuditService;
     private final Provisionable provisionable = () -> "SURF CRM";
+    private final InvitationRepository invitationRepository;
 
 
     @SuppressWarnings("unchecked")
@@ -79,7 +81,8 @@ public CRMController(@Value("${crm.collab-person-prefix}") String collabPersonPr
                          ProvisioningService provisioningService,
                          ObjectMapper objectMapper,
                          MailBox mailBox, Manage manage,
-                         UserRoleAuditService userRoleAuditService) throws IOException {
+                         UserRoleAuditService userRoleAuditService,
+                         InvitationRepository invitationRepository) throws IOException {
         this.userRepository = userRepository;
         this.collabPersonPrefix = collabPersonPrefix;
         this.roleRepository = roleRepository;
@@ -100,7 +103,8 @@ public CRMController(@Value("${crm.collab-person-prefix}") String collabPersonPr
                         crmConfigEntry -> crmConfigEntry.code(),
                         crmConfigEntry -> crmConfigEntry
                 ));
-
+        LOG.info(String.format("Parsed %s entries from %s", this.crmConfig.size(), crmConfigResource.getDescription()));
+        this.invitationRepository = invitationRepository;
     }
 
     @PostMapping("")
@@ -112,7 +116,7 @@ public ResponseEntity<String> contact(@RequestBody CRMContact crmContact) {
         if (crmContact.isSuppressInvitation()) {
             if (!StringUtils.hasText(crmContact.getSchacHomeOrganisation()) || !StringUtils.hasText(crmContact.getUid())) {
                 throw new InvalidInputException(
-                        "Missing schacHomeOrganisation or uid in crmContact with sendInvitation false: " + crmContact);
+                        "Missing schacHomeOrganisation or uid in crmContact with isSuppressInvitation true: " + crmContact);
             }
             created = provisionUser(crmContact);
         } else {
@@ -126,8 +130,16 @@ public ResponseEntity<String> contact(@RequestBody CRMContact crmContact) {
     public ResponseEntity<String> delete(@RequestBody CRMContact crmContact) {
         LOG.debug("DELETE /api/external/v1/crm: " + crmContact);
 
-        List<User> users = userRepository.findByCrmContactId(crmContact.getContactId());
-        users.forEach(user -> {
+        List<Invitation> invitations = invitationRepository.findByCrmContactIdAndCrmOrganisationId(
+                crmContact.getContactId(), crmContact.getOrganisation().getOrganisationId());
+        invitations.forEach(invitation -> {
+            LOG.info("Deleting CRM invitation: " + invitation.getEmail());
+            this.invitationRepository.delete(invitation);
+        });
+
+        Optional<User> userOptional = userRepository.findByCrmContactIdAndCrmOrganisationId(
+                crmContact.getContactId(), crmContact.getOrganisation().getOrganisationId());
+        userOptional.ifPresent(user -> {
             LOG.info("Deleting CRM user: " + user.getEmail());
             this.provisioningService.deleteUserRequest(user);
             this.userRepository.delete(user);
@@ -140,6 +152,9 @@ private boolean provisionUser(CRMContact crmContact) {
         String sub = constructSub(crmContact);
         Optional<User> optionalUser = userRepository.findBySubIgnoreCase(sub);
         User user = optionalUser.orElseGet(() -> createUser(crmContact, sub));
+        user.setCrmContactId(crmContact.getContactId());
+        user.setCrmOrganisationId(crmContact.getOrganisation().getOrganisationId());
+
         List<CRMRole> newCrmRoles = syncCrmRoles(crmContact, user);
 
         List<Role> roles = convertCrmRolesToInviteRoles(crmContact, newCrmRoles);
@@ -166,7 +181,6 @@ private User createUser(CRMContact crmContact, String sub) {
                 crmContact.getFirstname(),
                 StringUtils.hasText(middleName) ? String.format("%s %s", middleName, surName) : surName,
                 crmContact.getEmail());
-        unsavedUser.setCrmContactId(crmContact.getContactId());
         User user = userRepository.save(unsavedUser);
         this.provisioningService.newUserRequest(user);
         return user;
@@ -177,6 +191,7 @@ private String constructSub(CRMContact crmContact) {
     }
 
     private List<CRMRole> syncCrmRoles(CRMContact crmContact, User user) {
+        LOG.debug(String.format("Start syncing crmRoles %s for user %s", crmContact.getRoles(), user.getEmail()));
         // Removes roles no longer present in CRM
         user.getUserRoles().removeIf(userRole -> {
             Role role = userRole.getRole();
@@ -192,15 +207,18 @@ private List<CRMRole> syncCrmRoles(CRMContact crmContact, User user) {
                 .map(userRole -> userRole.getRole())
                 .toList();
         // Return all the new CRM roles
-        return crmContact.getRoles().stream()
+        List<CRMRole> crmRoles = crmContact.getRoles().stream()
                 .filter(crmRole -> currentRoles.stream()
                         .noneMatch(role -> crmRole.getRoleId().equalsIgnoreCase(role.getCrmRoleId())))
                 .toList();
+        LOG.debug(String.format("Finished syncing crmRoles %s for user %s", crmContact.getRoles(), user.getEmail()));
+        return crmRoles;
     }
 
     private boolean sendInvitation(CRMContact crmContact) {
-        String sub = constructSub(crmContact);
-        Optional<User> optionalUser = userRepository.findBySubIgnoreCase(sub);
+        Optional<User> optionalUser =
+                userRepository.findByCrmContactIdAndCrmOrganisationId(
+                        crmContact.getContactId(), crmContact.getOrganisation().getOrganisationId());
         List<CRMRole> newCrmRoles = syncCrmRoles(crmContact, optionalUser.orElse(new User()));
         //Only save the user when the user already existed
         optionalUser.ifPresent(user -> userRepository.save(user));
@@ -213,7 +231,7 @@ private boolean sendInvitation(CRMContact crmContact) {
                     .map(role -> new InvitationRole(role))
                     .collect(Collectors.toSet());
             Invitation invitation = createInvitation(crmContact, invitationRoles);
-            invitation.setOrganizationGUID(crmContact.getOrganisation().getOrganisationId());
+
             Optional<String> idpName = identityProviderName(manage, invitation);
             mailBox.sendInviteMail(this.provisionable, invitation, groupedProviders, Language.en, idpName);
         }
@@ -257,13 +275,15 @@ private Role createRole(CRMOrganisation crmOrganisation, CRMRole crmRole) {
         unsavedRole.setCrmRoleName(crmConfigEntry.name());
         unsavedRole.setCrmOrganisationId(crmOrganisation.getOrganisationId());
         unsavedRole.setCrmOrganisationCode(crmOrganisation.getAbbrev());
+        unsavedRole.setOrganizationGUID(crmOrganisation.getOrganisationId());
+
         Role role = roleRepository.save(unsavedRole);
         this.provisioningService.newGroupRequest(role);
         return role;
     }
 
     private Invitation createInvitation(CRMContact crmContact, Set<InvitationRole> invitationRoles) {
-        return new Invitation(
+        Invitation invitation = new Invitation(
                 Authority.GUEST,
                 HashGenerator.generateRandomHash(),
                 crmContact.getEmail(),
@@ -279,6 +299,12 @@ private Invitation createInvitation(CRMContact crmContact, Set<InvitationRole> i
                 invitationRoles,
                 null
         );
+        String crmOrganisationId = crmContact.getOrganisation().getOrganisationId();
+        invitation.setOrganizationGUID(crmOrganisationId);
+        invitation.setCrmOrganisationId(crmOrganisationId);
+        invitation.setCrmContactId(crmContact.getContactId());
+        invitationRepository.save(invitation);
+        return invitation;
 
     }
 }

server/src/main/java/invite/model/Invitation.java

@@ -92,6 +92,9 @@ public class Invitation implements Serializable {
     @Column(name = "crm_contact_id")
     private String crmContactId;
 
+    @Column(name = "crm_organisation_id")
+    private String crmOrganisationId;
+
     @OneToMany(mappedBy = "invitation", orphanRemoval = true, fetch = FetchType.EAGER, cascade = CascadeType.ALL)
     private Set<InvitationRole> roles = new HashSet<>();
 

server/src/main/java/invite/model/User.java

@@ -87,6 +87,9 @@ public class User implements Serializable, Provisionable {
     @Column(name = "crm_contact_id")
     private String crmContactId;
 
+    @Column(name = "crm_organisation_id")
+    private String crmOrganisationId;
+
     @OneToMany(mappedBy = "user", orphanRemoval = true, fetch = FetchType.EAGER, cascade = CascadeType.ALL)
     private Set<UserRole> userRoles = new HashSet<>();
 

server/src/main/java/invite/repository/InvitationRepository.java

@@ -24,6 +24,8 @@ public interface InvitationRepository extends JpaRepository<Invitation, Long>, Q
             attributePaths = {"inviter", "roles", "roles.role"})
     Optional<Invitation> findByHash(String hash);
 
+    List<Invitation> findByCrmContactIdAndCrmOrganisationId(String crmContactId, String crmOrganisationId);
+
     Optional<Invitation> findTopBySubInviteeOrderByCreatedAtDesc(String email);
 
     List<Invitation> findByStatus(Status status);

server/src/main/java/invite/repository/UserRepository.java

@@ -19,16 +19,14 @@ public interface UserRepository extends JpaRepository<User, Long>, QueryRewriter
 
     Optional<User> findBySubIgnoreCase(String sub);
 
-    List<User> findByCrmContactId(String crmContactId);
+    Optional<User> findByCrmContactIdAndCrmOrganisationId(String crmContactId, String crmOrganisationId);
 
     List<User> findByOrganizationGUIDAndInstitutionAdmin(String organizationGUID, boolean institutionAdmin);
 
     List<User> findBySuperUserTrue();
 
     long countBySuperUserTrue();
 
-    long countByInstitutionAdminTrue();
-
     Optional<User> findByEduPersonPrincipalNameIgnoreCase(String eppn);
 
     Optional<User> findByEmailIgnoreCase(String email);

server/src/main/resources/db/mysql/migration/V56_0__crm_users_organization.sql

@@ -0,0 +1,13 @@
+ALTER TABLE `users`
+    ADD `crm_organisation_id` varchar(255) DEFAULT NULL;
+
+CREATE INDEX `users_crm_organisation_id_index` ON `users` (`crm_organisation_id`);
+
+ALTER TABLE `invitations`
+    ADD `crm_organisation_id` varchar(255) DEFAULT NULL;
+
+CREATE INDEX `invitations_crm_organisation_id_index` ON `users` (`crm_organisation_id`);
+
+ALTER TABLE `users`
+    ADD CONSTRAINT `users_unique_crm_contact_profile`
+    UNIQUE (`crm_contact_id`, `crm_organisation_id`);

server/src/test/java/invite/AbstractTest.java

@@ -111,6 +111,7 @@ public abstract class AbstractTest {
     public static final String API_TOKEN_INVITER_USER_HASH = HashGenerator.generateToken();
     public static final String API_TOKEN_LEGACY_HASH = HashGenerator.generateToken();
     public static final String CRM_CONTACT_ID = "5B5A4230-7A67-46E9-9EE1-95C6F5CACA4A";
+    public static final String CRM_ORGANIZATION_ID = "60507EEF-732D-4B38-B30B-8C7186A61813";
 
 
     @Value("${manage.staticManageDirectory}")
@@ -579,18 +580,23 @@ protected UnaryOperator<Map<String, Object>> institutionalAdminEntitlementOperat
         };
     }
 
-    protected CRMContact getCrmContact(CRMRole crmRole, String uid, String schacHomeOrganisation, boolean suppressInvitation) {
+    protected CRMContact createCrmContact(String crmContactId,
+                                          String crmOrganizationId,
+                                          CRMRole crmRole,
+                                          String uid,
+                                          String schacHomeOrganisation,
+                                          boolean suppressInvitation) {
         return new CRMContact(
                 uid,
                 schacHomeOrganisation,
                 suppressInvitation,
-                "contactId",
+                crmContactId,
                 "John",
                 "from",
                 "Doe",
                 "jdoe@example.com",
                 new CRMOrganisation(
-                        "organisationId",
+                        crmOrganizationId,
                         "abbrec",
                         "Inc. Corporated"
                 ),
@@ -636,6 +642,8 @@ private void doSeed() {
         User kbUser =
                 new User(false, KB_USER_SUB, KB_USER_SUB, "kb.nl", "George", "Best", "gb@kb.nl");
         kbUser.setCrmContactId(CRM_CONTACT_ID);
+        kbUser.setCrmOrganisationId(CRM_ORGANIZATION_ID);
+
         doSave(this.userRepository, superUser, institutionAdmin, manager, inviter, wikiInviter, guest, kbUser);
 
         Role wiki =

server/src/test/java/invite/aggregation/AttributeAggregatorControllerTest.java

@@ -122,7 +122,8 @@ void manageDown() {
     void attributeAggregationCRMRole() throws JsonProcessingException {
         CRMRole crmRoleResearch = new CRMRole("5e17b508-08e4-e811-8100-005056956c1a", "CONBEH", "SURFconextbeheerder");
         CRMRole crmRoleCloud = new CRMRole("cf652619-08e4-e811-8100-005056956c1a", "CONVER", "SURFconextverantwoordelijke");
-        CRMContact crmContact = getCrmContact(crmRoleResearch, "guest", "example.com", true);
+        CRMContact crmContact = createCrmContact(CRM_CONTACT_ID, CRM_ORGANIZATION_ID, crmRoleResearch,
+                "guest", "kb.nl", true);
         crmContact.setRoles(List.of(crmRoleCloud, crmRoleResearch));
         //This application is linked to the 'CONBEH' CRM role
         String researchEntityId = "https://research";
@@ -149,7 +150,7 @@ void attributeAggregationCRMRole() throws JsonProcessingException {
                 .auth().preemptive().basic("aa", "secret")
                 .accept(ContentType.JSON)
                 .contentType(ContentType.JSON)
-                .pathParam("sub", GUEST_SUB)
+                .pathParam("sub", KB_USER_SUB)
                 .queryParam("SPentityID", researchEntityId)
                 .get("/api/external/v1/aa/{sub}")
                 .as(new TypeRef<>() {
@@ -161,7 +162,7 @@ void attributeAggregationCRMRole() throws JsonProcessingException {
         List<String> autorizations = autorisatie.stream().map(m -> m.get("autorisatie")).sorted().toList();
         List<String> expected = Stream.of(
                 "urn:mace:surfnet.nl:surfnet.nl:sab:organizationCode:abbrec",
-                "urn:mace:surfnet.nl:surfnet.nl:sab:organizationGUID:organisationId",
+                "urn:mace:surfnet.nl:surfnet.nl:sab:organizationGUID:" + CRM_ORGANIZATION_ID,
                 "urn:mace:surfnet.nl:surfnet.nl:sab:role:SURFconextbeheerder").sorted().toList();
         assertEquals(expected, autorizations);
     }

server/src/test/java/invite/api/InvitationControllerTest.java

@@ -14,6 +14,7 @@
 import org.junit.jupiter.api.Test;
 import org.springframework.data.domain.Example;
 import org.springframework.data.domain.Sort;
+import org.springframework.http.HttpStatus;
 import org.springframework.util.MultiValueMap;
 import org.springframework.web.util.UriComponentsBuilder;
 
@@ -299,6 +300,27 @@ void accept() throws Exception {
         assertEquals(1, remoteProvisionedUserRepository.count());
     }
 
+    @Test
+    void acceptWithCRMConstraint() throws Exception {
+        AccessCookieFilter accessCookieFilter = openIDConnectFlow("/api/v1/users/login", KB_USER_SUB);
+        String hash = Authority.GUEST.name();
+        Invitation invitation = invitationRepository.findByHash(hash).get();
+        invitation.setCrmOrganisationId(UUID.randomUUID().toString());
+        invitation.setCrmContactId(CRM_CONTACT_ID);
+        invitationRepository.save(invitation);
+
+        AcceptInvitation acceptInvitation = new AcceptInvitation(hash, invitation.getId());
+        given()
+                .when()
+                .filter(accessCookieFilter.cookieFilter())
+                .accept(ContentType.JSON)
+                .header(accessCookieFilter.csrfToken().getHeaderName(), accessCookieFilter.csrfToken().getToken())
+                .contentType(ContentType.JSON)
+                .body(acceptInvitation)
+                .post("/api/v1/invitations/accept")
+                .then()
+                .statusCode(HttpStatus.NOT_ACCEPTABLE.value());
+    }
     @Test
     void acceptGraph() throws Exception {
         AccessCookieFilter accessCookieFilter = openIDConnectFlow("/api/v1/users/login", "graph@new.com");