Fixes #398

oharsta · oharsta · commit e9db6a1389df · 2025-09-18T15:49:02.000+02:00
diff --git a/client/src/api/index.js b/client/src/api/index.js
@@ -168,6 +168,10 @@ export function organizationGUIDValidation(organizationGUID) {
     return fetchJson(`/api/v1/manage/organization-guid-validation/${organizationGUID}`, {}, {}, false);
 }
 
+export function hasProvisionings(manageId) {
+    return fetchJson(`/api/v1/manage/provisionings/${manageId}`);
+}
+
 //Roles
 export function rolesByApplication(force = true, pagination = {}) {
     const queryPart = paginationQueryParams(pagination, {force: !!force})
diff --git a/client/src/components/WarningIndicator.jsx b/client/src/components/WarningIndicator.jsx
@@ -0,0 +1,15 @@
+import React from "react";
+import "./WarningIndicator.scss";
+import {ReactComponent as WarningIco} from "../icons/warning.svg";
+import DOMPurify from "dompurify";
+
+export default function WarningIndicator({msg, standalone = false, decode = true, adjustMargin = false}) {
+    const className = `warning-indication ${standalone ? "standalone" : ""} ${adjustMargin ? "adjust-margin" : ""}`;
+    msg = msg.replaceAll("?", "");
+    return decode ? <span className={className}><WarningIco/>{msg}</span> :
+        <span className={className}>
+            <WarningIco/>
+            <span className={"warning-message"}
+                  dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(msg, {ADD_ATTR: ['target']})}}/>
+        </span>
+}
diff --git a/client/src/components/WarningIndicator.scss b/client/src/components/WarningIndicator.scss
@@ -0,0 +1,25 @@
+span.warning-indication {
+    color: #C15500;
+
+    display: flex;
+    align-items: center;
+    margin-top: 5px;
+
+    &.standalone {
+        margin-bottom: 15px;
+    }
+
+    &.adjust-margin {
+        margin-top: -15px;
+    }
+
+    span.warning-message {
+        word-break: keep-all;
+    }
+
+    svg {
+        margin-right: 10px;
+        width: 18px;
+        height: auto;
+    }
+}
diff --git a/client/src/icons/warning.svg b/client/src/icons/warning.svg
@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg width="25px" height="25px" viewBox="0 0 25 25" version="1.1" xmlns="http://www.w3.org/2000/svg"
+     xmlns:xlink="http://www.w3.org/1999/xlink">
+    <defs>
+        <path d="M16.2519,3.9999 C17.3139,3.9999 18.3029,4.6159 18.7709,5.5689 L18.7709,5.5689 L28.2429,24.8669 C28.6309,25.6519 28.5849,26.5679 28.1199,27.3129 C27.6579,28.0559 26.8579,28.4999 25.9799,28.4999 L25.9799,28.4999 L6.5239,28.4999 C5.6479,28.4999 4.8469,28.0559 4.3829,27.3129 C3.9199,26.5679 3.8739,25.6529 4.2609,24.8659 L4.2609,24.8659 L13.7339,5.5689 C14.2019,4.6159 15.1899,3.9999 16.2519,3.9999 Z M16.2519,5.9999 C15.9469,5.9999 15.6629,6.1769 15.5279,6.4509 L15.5279,6.4509 L6.0559,25.7479 C5.9759,25.9119 5.9849,26.1009 6.0809,26.2549 C6.1759,26.4079 6.3419,26.4999 6.5239,26.4999 L6.5239,26.4999 L25.9799,26.4999 C26.1609,26.4999 26.3269,26.4079 26.4219,26.2559 C26.5189,26.1009 26.5279,25.9119 26.4479,25.7499 L26.4479,25.7499 L16.9759,6.4499 C16.8409,6.1769 16.5569,5.9999 16.2519,5.9999 Z M16.252,22 C17.01,22 17.627,22.617 17.627,23.375 C17.627,24.133 17.01,24.75 16.252,24.75 C15.494,24.75 14.877,24.133 14.877,23.375 C14.877,22.617 15.494,22 16.252,22 Z M16.252,11.5 C16.7645714,11.5 17.1874694,11.8862857 17.2452682,12.3834315 L17.252,12.5 L17.252,20 C17.252,20.553 16.804,21 16.252,21 C15.7394286,21 15.3165306,20.6145765 15.2587318,20.1167533 L15.252,20 L15.252,12.5 C15.252,11.948 15.7,11.5 16.252,11.5 Z"
+              id="path-1"></path>
+    </defs>
+    <g id="Styleboard" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
+        <g id="EDUbadges_styleboard" transform="translate(-628.000000, -7253.000000)">
+            <g id="notifications" transform="translate(460.000000, 6372.000000)">
+                <g id="info-components-/-notification-/-05-critical" transform="translate(152.000000, 870.000000)">
+                    <g id="basis-/-check-3px-copy" transform="translate(12.000000, 7.000000)">
+                        <polygon id="Path-2" fill="#FFFFFF"
+                                 points="5 25.4447139 15.429494 5 17.0640283 5 27.0299137 25.4447139 26.3139521 27.0889186 5.81381281 27.0889186"></polygon>
+                        <mask id="mask-2" fill="white">
+                            <use xlink:href="#path-1"></use>
+                        </mask>
+                        <use id="Combined-Shape" fill="#000000" xlink:href="#path-1"></use>
+                        <g id="Group" mask="url(#mask-2)">
+                            <g id="🎨-Color">
+                                <rect id="Rectangle" fill="#FFFFFF" x="0" y="0" width="32" height="32"></rect>
+                                <g id="Colors/Gray-900-Copy" fill="#FFC100">
+                                    <path d="M0,0 L32,0 L32,32 L0,32 L0,0 Z" id="Colors/Red-900"></path>
+                                </g>
+                            </g>
+                        </g>
+                    </g>
+                </g>
+            </g>
+        </g>
+    </g>
+</svg>
diff --git a/client/src/locale/en.js b/client/src/locale/en.js
@@ -186,7 +186,8 @@
             info: "The following users will lose their access:",
             userInfo: "{{name}} ({{authority}}), last activity {{lastActivity}}",
             andMore: "And {{nbr}} more.. Check the list of current users for more details."
-        }
+        },
+        noProvisioning: "Users added to this role, won't have immediate access to this application. See the <a href='http://wiki.surfnet.nl/' target='_blank'>wiki</a> for more information"
     },
     applications: {
         title: "Access Roles for this application ({{nbr}})",
diff --git a/client/src/locale/nl.js b/client/src/locale/nl.js
@@ -186,7 +186,8 @@ const nl = {
             info: "De volgende gebruikers verliezen toegang tot deze rol:",
             userInfo: "{{name}} ({{authority}}), laatste activiteit {{lastActivity}}",
             andMore: "En nog {{nbr}} meer.. Bekijk de lijst van huidige gebruikers voor meer details."
-        }
+        },
+        noProvisioning: "Gebruikers die toegevoegd worden aan deze rol, hebben niet gelijk toegang tot deze applicatie. Zie de <a href='http://wiki.surfnet.nl/' target='_blank'>wiki</a> voor meer information"
     },
     applications: {
         title: "Toegangsrollen voor deze applicatie ({{nbr}})",
diff --git a/client/src/pages/RoleForm.js b/client/src/pages/RoleForm.js
@@ -7,7 +7,7 @@ import {
     allProviders,
     consequencesRoleDeletion,
     createRole,
-    deleteRole,
+    deleteRole, hasProvisionings,
     me,
     organizationGUIDValidation,
     roleByID,
@@ -28,6 +28,7 @@ import ConfirmationDialog from "../components/ConfirmationDialog";
 import SwitchField from "../components/SwitchField";
 import {dateFromEpoch, displayExpiryDate, futureDate} from "../utils/Date";
 import DOMPurify from "dompurify";
+import WarningIndicator from "../components/WarningIndicator";
 
 const DEFAULT_EXPIRY_DAYS = 365;
 const CUT_OFF_DELETED_USER = 5;
@@ -58,6 +59,7 @@ export const RoleForm = () => {
     const [customRoleExpiryDate, setCustomRoleExpiryDate] = useState(false);
     const [customInviterDisplayName, setCustomInviterDisplayName] = useState(false);
     const [applications, setApplications] = useState([]);
+    const [provisionings, setProvisionings] = useState({});
     const [allowedToEditApplication, setAllowedToEditApplication] = useState(true);
     const [deletedUserRoles, setDeletedUserRoles] = useState(null);
 
@@ -247,6 +249,11 @@ export const RoleForm = () => {
     const changeApplication = (index, application) => {
         applications.splice(index, 1, application);
         setApplications([...applications]);
+        hasProvisionings(application.manageId)
+            .then(res => {
+                const newProvisionings = {...provisionings, [application.manageId]: !res && !application.receivesMemberships};
+                setProvisionings(newProvisionings);
+            })
     }
 
     const changeApplicationLandingPage = (index, e) => {
@@ -367,6 +374,9 @@ export const RoleForm = () => {
                                 <ErrorIndicator msg={I18n.t("forms.required", {
                                     attribute: I18n.t("roles.manage").toLowerCase()
                                 })}/>}
+                            {provisionings[application?.manageId] &&
+                                <WarningIndicator msg={I18n.t("roles.noProvisioning")} decode={false}/>
+                            }
                         </div>
                         <div className="input-field-container">
                             <InputField name={I18n.t("roles.landingPage")}
diff --git a/client/src/utils/Manage.js b/client/src/utils/Manage.js
@@ -10,6 +10,7 @@ export const singleProviderToOption = (provider, locale) => {
         type: manageType,
         manageType: manageType,
         manageId: manageId,
+        receivesMemberships: provider.receivesMemberships,
         url: provider.url || provider.landingPage,
         landingPage: provider.landingPage || provider.url
     };
diff --git a/server/src/main/java/invite/api/ManageController.java b/server/src/main/java/invite/api/ManageController.java
@@ -91,7 +91,6 @@ public ResponseEntity<Map<String, Object>> organizationGUIDValidation(@Parameter
 
     @GetMapping("applications")
     public ResponseEntity<Map<String, List<Map<String, Object>>>> applications(@Parameter(hidden = true) User user) {
-        LOG.debug("/applications");
         LOG.debug(String.format("GET /manage/applications for user %s", user.getEduPersonPrincipalName()));
 
         UserPermissions.assertInstitutionAdmin(user);
@@ -130,4 +129,12 @@ public ResponseEntity<Map<String, List<Map<String, Object>>>> applications(@Para
         ));
     }
 
+    @GetMapping("provisionings/{id}")
+    public ResponseEntity<Boolean> provisionings(@PathVariable("id") String id,
+                                                 @Parameter(hidden = true) User user) {
+        LOG.debug(String.format("GET /manage/provisionings for user %s", user.getEduPersonPrincipalName()));
+        UserPermissions.assertInstitutionAdmin(user);
+        List<Map<String, Object>> provisionings = manage.provisioning(List.of(id));
+        return ResponseEntity.ok(!provisionings.isEmpty());
+    }
 }
diff --git a/server/src/main/java/invite/manage/Manage.java b/server/src/main/java/invite/manage/Manage.java
@@ -91,6 +91,23 @@ default Map<String, Object> transformProvider(Map<String, Object> provider) {
         application.put("name:en", metaDataFields.get("name:en"));
         application.put("name:nl", metaDataFields.get("name:nl"));
         application.put("institutionGuid", metaDataFields.get("coin:institution_guid"));
+        Map<String, Object> arp = (Map<String, Object>) data.get("arp");
+        if (!CollectionUtils.isEmpty(arp)) {
+            boolean enabled = (boolean) arp.getOrDefault("enabled", false);
+            if (!enabled) {
+                //Will receive all attributes, but not from any other source than idp
+                application.put("receivesMemberships", false);
+            } else {
+                Map<String, Object> attributes = (Map<String, Object>) arp.getOrDefault("attributes", Map.of());
+                List<Map<String, Object>> isMemberOf = (List<Map<String, Object>>) attributes.get("urn:mace:dir:attribute-def:isMemberOf");
+                if (CollectionUtils.isEmpty(isMemberOf)) {
+                    application.put("receivesMemberships", false);
+                } else {
+                    boolean receivesVootMemberships = isMemberOf.stream().anyMatch(m -> m.get("source") == "voot");
+                    application.put("receivesMemberships", receivesVootMemberships);
+                }
+            }
+        }
         return application;
     }
 
diff --git a/server/src/main/java/invite/manage/ManageConf.java b/server/src/main/java/invite/manage/ManageConf.java
@@ -22,7 +22,7 @@ public Manage manage(@Value("${manage.url}") String url,
                          @Value("${manage.enabled}") boolean enabled,
                          @Value("${manage.staticManageDirectory}") String staticManageDirectory,
                          ObjectMapper objectMapper) throws IOException {
-        return enabled ? new RemoteManage(url, user, password, objectMapper) : new LocalManage(objectMapper, staticManageDirectory);
+        return enabled ? new RemoteManage(url, user, password) : new LocalManage(objectMapper, staticManageDirectory);
     }
 
     @Bean
diff --git a/server/src/main/java/invite/manage/RemoteManage.java b/server/src/main/java/invite/manage/RemoteManage.java
@@ -25,12 +25,9 @@ public class RemoteManage implements Manage {
 
     private final String url;
     private final RestTemplate restTemplate = new RestTemplate();
-    private final Map<String, Object> queries;
 
-    public RemoteManage(String url, String user, String password, ObjectMapper objectMapper) throws IOException {
+    public RemoteManage(String url, String user, String password) {
         this.url = url;
-        this.queries = objectMapper.readValue(new ClassPathResource("/manage/query_templates.json").getInputStream(), new TypeReference<>() {
-        });
         restTemplate.getInterceptors().add(new BasicAuthenticationInterceptor(user, password));
         ResponseErrorHandler resilientErrorHandler = new ResilientErrorHandler();
         restTemplate.setErrorHandler(resilientErrorHandler);
@@ -83,7 +80,6 @@ public Map<String, Object> providerById(EntityType entityType, String id) {
         return transformProvider(restTemplate.getForEntity(queryUrl, Map.class).getBody());
     }
 
-
     @Override
     public List<Map<String, Object>> provisioning(Collection<String> applicationIdentifiers) {
         LOG.debug("provisionings for identifiers");
@@ -144,6 +140,7 @@ public List<Map<String, Object>> identityProvidersByInstitutionalGUID(String org
         List<String> requestedAttributes = (List<String>) baseQuery.get("REQUESTED_ATTRIBUTES");
         requestedAttributes.add("allowedEntities");
         requestedAttributes.add("allowedall");
+        requestedAttributes.remove("arp");
 
         List<Map<String, Object>> identityProviders = restTemplate.postForObject(
                 String.format("%s/manage/api/internal/search/%s", this.url, EntityType.SAML20_IDP.collectionName()),
@@ -161,8 +158,14 @@ private List<Map<String, Object>> getRemoteMetaData(String type) {
     }
 
     private Map<String, Object> getBaseQuery() {
-        HashMap<String, Object> baseQuery = new HashMap<>((Map<String, Object>) this.queries.get("base_query"));
-        baseQuery.put("REQUESTED_ATTRIBUTES", baseQuery.get("REQUESTED_ATTRIBUTES"));
+        //Must be mutable, both the baseQuery as the requested attributes
+        HashMap<String, Object> baseQuery = new HashMap<>();
+        List<String> requestedAttributes = new ArrayList<>();
+        requestedAttributes.add("arp");
+        requestedAttributes.add("metaDataFields.logo:0:url");
+        requestedAttributes.add("metaDataFields.coin:application_url");
+        requestedAttributes.add("metaDataFields.coin:institution_guid");
+        baseQuery.put("REQUESTED_ATTRIBUTES", requestedAttributes);
         return baseQuery;
     }
 
diff --git a/server/src/main/resources/manage/query_templates.json b/server/src/main/resources/manage/query_templates.json
diff --git a/server/src/test/java/invite/api/ManageControllerTest.java b/server/src/test/java/invite/api/ManageControllerTest.java
@@ -13,7 +13,7 @@
 
 import static com.github.tomakehurst.wiremock.client.WireMock.*;
 import static io.restassured.RestAssured.given;
-import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.*;
 
 @SuppressWarnings("unchecked")
 class ManageControllerTest extends AbstractTest {
@@ -181,4 +181,40 @@ void organizationGUIDValidationNotAllowed() throws Exception {
                 .then()
                 .statusCode(403);
     }
+
+    @Test
+    void provisioningsTrue() throws Exception {
+        AccessCookieFilter accessCookieFilter = openIDConnectFlow("/api/v1/users/login", SUPER_SUB);
+        stubForManageProvisioning(List.of("1"));
+
+        Boolean res = given()
+                .when()
+                .filter(accessCookieFilter.cookieFilter())
+                .accept(ContentType.JSON)
+                .header(accessCookieFilter.csrfToken().getHeaderName(), accessCookieFilter.csrfToken().getToken())
+                .contentType(ContentType.JSON)
+                .pathParam("id","1")
+                .get("/api/v1/manage/provisionings/{id}")
+                .as(new TypeRef<>() {
+                });
+        assertTrue(res);
+    }
+
+    @Test
+    void provisioningsFalse() throws Exception {
+        AccessCookieFilter accessCookieFilter = openIDConnectFlow("/api/v1/users/login", SUPER_SUB);
+        stubForManageProvisioning(List.of("x"));
+
+        Boolean res = given()
+                .when()
+                .filter(accessCookieFilter.cookieFilter())
+                .accept(ContentType.JSON)
+                .header(accessCookieFilter.csrfToken().getHeaderName(), accessCookieFilter.csrfToken().getToken())
+                .contentType(ContentType.JSON)
+                .pathParam("id","1")
+                .get("/api/v1/manage/provisionings/{id}")
+                .as(new TypeRef<>() {
+                });
+        assertFalse(res);
+    }
 }
