WIP for #381 and #506

Author: oharsta

server/src/main/java/access/api/InvitationOperations.java

@@ -21,10 +21,7 @@
 import java.time.Instant;
 import java.time.Period;
 import java.time.temporal.ChronoUnit;
-import java.util.Comparator;
-import java.util.List;
-import java.util.Map;
-import java.util.Optional;
+import java.util.*;
 
 import static java.util.stream.Collectors.toSet;
 
@@ -115,11 +112,7 @@ public ResponseEntity<InvitationResponse> sendInvitation(InvitationRequest invit
         if (!invitationRequest.isSuppressSendingEmails()) {
 
             invitations.forEach(invitation -> {
-                Optional<String> idpName = Optional.ofNullable(invitation.getOrganizationGUID())
-                        .map(organisationGUID -> this.invitationResource.getManage().identityProviderByInstitutionalGUID(organisationGUID))
-                        .flatMap(optional -> optional)
-                        .map(idp -> (String) idp.get("name:en"));
-
+                Optional<String> idpName = this.identityProviderName(invitation);
                 mailBox.sendInviteMail(user == null ? remoteUser : user,
                         invitation, groupedProviders, invitationRequest.getLanguage(), idpName);
             });
@@ -150,10 +143,7 @@ public ResponseEntity<Map<String, Integer>> resendInvitation(Long id,
 
         List<GroupedProviders> groupedProviders = this.invitationResource.getManage().getGroupedProviders(requestedRoles);
         Provisionable provisionable = user != null ? user : remoteUser;
-        Optional<String> idpName = Optional.ofNullable(invitation.getOrganizationGUID())
-                .map(organisationGUID -> this.invitationResource.getManage().identityProviderByInstitutionalGUID(organisationGUID))
-                .flatMap(optional -> optional)
-                .map(idp -> (String) idp.get("name:en"));
+        Optional<String> idpName = identityProviderName(invitation);
 
         this.invitationResource.getMailBox()
                 .sendInviteMail(provisionable,
@@ -171,4 +161,14 @@ public ResponseEntity<Map<String, Integer>> resendInvitation(Long id,
         return Results.createResult();
     }
 
+    private Optional<String> identityProviderName(Invitation invitation) {
+        return Optional.ofNullable(invitation.getOrganizationGUID())
+                .map(organisationGUID -> this.invitationResource.getManage().identityProvidersByInstitutionalGUID(organisationGUID))
+                .stream()
+                .flatMap(Collection::stream)
+                .findFirst()
+                .map(idp -> (String) idp.get("name:en"));
+
+    }
+
 }

server/src/main/java/access/api/ManageController.java

@@ -19,6 +19,7 @@
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
 import org.springframework.transaction.annotation.Transactional;
+import org.springframework.util.CollectionUtils;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -81,9 +82,11 @@ public ResponseEntity<Map<String, Object>> organizationGUIDValidation(@Parameter
         LOG.debug(String.format("GET /manage/organization-guid-validation guid: %s for user %s", organizationGUID, user.getEduPersonPrincipalName()));
 
         UserPermissions.assertSuperUser(user);
-        Map<String, Object> identityProvider = manage.identityProviderByInstitutionalGUID(organizationGUID)
-                .orElseThrow(() -> new NotFoundException("No identity provider with organizationGUID: " + organizationGUID));
-        return ResponseEntity.ok(identityProvider);
+        List<Map<String, Object>> identityProviders = manage.identityProvidersByInstitutionalGUID(organizationGUID);
+        if (CollectionUtils.isEmpty(identityProviders)) {
+            new NotFoundException("No identity provider with organizationGUID: " + organizationGUID);
+        }
+        return ResponseEntity.ok(identityProviders.getFirst());
     }
 
     @GetMapping("applications")

server/src/main/java/access/api/RoleController.java

@@ -168,7 +168,7 @@ public ResponseEntity<Role> newRole(@Validated @RequestBody Role role,
 
     @PutMapping("")
     @Retryable(
-            value = { SQLTransactionRollbackException.class },
+            retryFor = { SQLTransactionRollbackException.class },
             maxAttempts = 3,
             backoff = @Backoff(delay = 1000)
     )

server/src/main/java/access/manage/LocalManage.java

@@ -99,27 +99,40 @@ public List<Map<String, Object>> provisioning(Collection<String> applicationIden
     }
 
     @Override
-    public List<Map<String, Object>> providersAllowedByIdP(Map<String, Object> identityProvider) {
-        LOG.debug("providersAllowedByIdP for : " + identityProvider.get("type"));
-
-        Boolean allowedAll = (Boolean) identityProvider.getOrDefault("allowedall", Boolean.FALSE);
+    public List<Map<String, Object>> providersAllowedByIdPs(List<Map<String, Object>> identityProviders) {
+        if (identityProviders.isEmpty()) {
+            return emptyList();
+        }
         List<Map<String, Object>> allProviders = this.providers(EntityType.SAML20_SP, EntityType.OIDC10_RP);
-        if (allowedAll) {
+        if (identityProviders.stream()
+                .anyMatch(idp -> (Boolean) idp.getOrDefault("allowedall", Boolean.FALSE))) {
             return allProviders;
         }
-        List<Map<String, String>> allowedEntities = (List<Map<String, String>>) identityProvider.getOrDefault("allowedEntities", emptyList());
-        List<String> entityIdentifiers = allowedEntities.stream().map(m -> m.get("name")).toList();
+        List<String> entityIdentifiers = identityProviders.stream()
+                .map(idp -> (List<Map<String, String>>) idp.getOrDefault("allowedEntities", emptyList()))
+                .flatMap(Collection::stream)
+                .map(m -> m.get("name"))
+                .distinct()
+                .toList();
         return allProviders.stream().filter(provider -> entityIdentifiers.contains((String) provider.get("entityid"))).toList();
+
+    }
+
+    @Override
+    public List<Map<String, Object>> providersAllowedByIdP(Map<String, Object> identityProvider) {
+        LOG.debug("providersAllowedByIdP for : " + identityProvider.get("type"));
+
+        return this.providersAllowedByIdPs(List.of(identityProvider));
     }
 
     @Override
-    public Optional<Map<String, Object>> identityProviderByInstitutionalGUID(String organisationGUID) {
+    public List<Map<String, Object>> identityProvidersByInstitutionalGUID(String organisationGUID) {
         LOG.debug("identityProviderByInstitutionalGUID for : " + organisationGUID);
 
         List<Map<String, Object>> providers = providers(EntityType.SAML20_IDP);
         return providers
                 .stream()
                 .filter(provider -> Objects.equals(provider.get("institutionGuid"), organisationGUID))
-                .findAny();
+                .toList();
     }
 }

server/src/main/java/access/manage/Manage.java

@@ -23,7 +23,9 @@ public interface Manage {
 
     List<Map<String, Object>> providersAllowedByIdP(Map<String, Object> identityProvider);
 
-    Optional<Map<String, Object>> identityProviderByInstitutionalGUID(String organisationGUID);
+    List<Map<String, Object>> providersAllowedByIdPs(List<Map<String, Object>> identityProviders);
+
+    List<Map<String, Object>> identityProvidersByInstitutionalGUID(String organisationGUID);
 
     default List<Map<String, Object>> transformProvider(List<Map<String, Object>> providers) {
         //Defensive because of Manage misbehaviour
@@ -151,9 +153,9 @@ default Map<String, Object> enrichInstitutionAdmin(String organizationGUID) {
         Map<String, Object> claims = new HashMap<>();
         claims.put(INSTITUTION_ADMIN, true);
         claims.put(ORGANIZATION_GUID, organizationGUID);
-        Optional<Map<String, Object>> optionalIdentityProvider = identityProviderByInstitutionalGUID(organizationGUID);
-        claims.put(INSTITUTION, optionalIdentityProvider.orElse(null));
-        List<Map<String, Object>> applications = optionalIdentityProvider.map(this::providersAllowedByIdP).orElse(Collections.emptyList());
+        List<Map<String, Object>> identityProviders = identityProvidersByInstitutionalGUID(organizationGUID);
+        claims.put(INSTITUTION, identityProviders.size() == 0 ? null : identityProviders.getFirst());
+        List<Map<String, Object>> applications = this.providersAllowedByIdPs(identityProviders);
         claims.put(APPLICATIONS, applications);
         return claims;
     }

server/src/main/java/access/manage/RemoteManage.java

@@ -86,16 +86,22 @@ public List<Map<String, Object>> provisioning(Collection<String> applicationIden
     }
 
     @Override
-    public List<Map<String, Object>> providersAllowedByIdP(Map<String, Object> identityProvider) {
-        LOG.debug("providersAllowedByIdP for : " + identityProvider.get("type"));
-
-        Boolean allowedAll = (Boolean) identityProvider.getOrDefault("allowedall", Boolean.FALSE);
-        if (allowedAll) {
+    public List<Map<String, Object>> providersAllowedByIdPs(List<Map<String, Object>> identityProviders) {
+        LOG.debug("providersAllowedByIdPs");
+        if (identityProviders.isEmpty()) {
+            return emptyList();
+        }
+        if (identityProviders.stream()
+                .anyMatch(idp -> (Boolean) idp.getOrDefault("allowedall", Boolean.FALSE))) {
             return this.providers(EntityType.SAML20_SP, EntityType.OIDC10_RP);
         }
-        List<Map<String, String>> allowedEntities = (List<Map<String, String>>) identityProvider.getOrDefault("allowedEntities", emptyList());
-        String split = allowedEntities.stream().map(m -> "\"" + m.get("name") + "\"")
+        String split = identityProviders.stream()
+                .map(idp -> (List<Map<String, String>>) idp.getOrDefault("allowedEntities", emptyList()))
+                .flatMap(Collection::stream)
+                .map(m -> "\"" + m.get("name") + "\"")
+                .distinct()
                 .collect(Collectors.joining(","));
+
         String body = String.format("{\"data.entityid\":{\"$in\":[%s]}}", split);
         List<Map<String, Object>> results = new ArrayList<>();
         List.of(EntityType.SAML20_SP, EntityType.OIDC10_RP).forEach(entityType -> {
@@ -109,7 +115,14 @@ public List<Map<String, Object>> providersAllowedByIdP(Map<String, Object> ident
     }
 
     @Override
-    public Optional<Map<String, Object>> identityProviderByInstitutionalGUID(String organisationGUID) {
+    public List<Map<String, Object>> providersAllowedByIdP(Map<String, Object> identityProvider) {
+        LOG.debug("providersAllowedByIdP for : " + identityProvider.get("type"));
+
+        return this.providersAllowedByIdPs(List.of(identityProvider));
+    }
+
+    @Override
+    public List<Map<String, Object>> identityProvidersByInstitutionalGUID(String organisationGUID) {
         LOG.debug("identityProviderByInstitutionalGUID for : " + organisationGUID);
 
         Map<String, Object> baseQuery = getBaseQuery();
@@ -122,7 +135,7 @@ public Optional<Map<String, Object>> identityProviderByInstitutionalGUID(String
         List<Map<String, Object>> identityProviders = restTemplate.postForObject(
                 String.format("%s/manage/api/internal/search/%s", this.url, EntityType.SAML20_IDP.collectionName()),
                 baseQuery, List.class);
-        return identityProviders.isEmpty() ? Optional.empty() : Optional.of(transformProvider(identityProviders.get(0)));
+        return transformProvider(identityProviders);
     }
 
     private List<Map<String, Object>> getRemoteMetaData(String type) {

server/src/test/java/access/AbstractTest.java

@@ -3,7 +3,6 @@
 import access.config.HashGenerator;
 import access.manage.EntityType;
 import access.manage.LocalManage;
-import access.manage.Manage;
 import access.model.*;
 import access.repository.*;
 import com.fasterxml.jackson.core.JsonProcessingException;
@@ -354,7 +353,7 @@ protected void stubForManageProvisioning(List<String> applicationIdentifiers) th
 
     protected void stubForManageProvidersAllowedByIdP(String organisationGUID) throws JsonProcessingException {
         String postPath = "/manage/api/internal/search/%s";
-        Map<String, Object> identityProvider = localManage.identityProviderByInstitutionalGUID(organisationGUID).get();
+        Map<String, Object> identityProvider = localManage.identityProvidersByInstitutionalGUID(organisationGUID).get(0);
         stubFor(post(urlPathMatching(String.format(postPath, EntityType.SAML20_IDP.collectionName()))).willReturn(aResponse()
                 .withHeader("Content-Type", "application/json")
                 .withBody(objectMapper.writeValueAsString(List.of(identityProvider)))));

server/src/test/java/access/api/ManageControllerTest.java

@@ -146,7 +146,7 @@ void organizationGUIDValidation() throws Exception {
         AccessCookieFilter accessCookieFilter = openIDConnectFlow("/api/v1/users/login", SUPER_SUB);
 
         String postPath = "/manage/api/internal/search/%s";
-        Map<String, Object> localIdentityProvider = localManage.identityProviderByInstitutionalGUID(ORGANISATION_GUID).get();
+        Map<String, Object> localIdentityProvider = localManage.identityProvidersByInstitutionalGUID(ORGANISATION_GUID).get(0);
         stubFor(post(urlPathMatching(String.format(postPath, EntityType.SAML20_IDP.collectionName()))).willReturn(aResponse()
                 .withHeader("Content-Type", "application/json")
                 .withBody(objectMapper.writeValueAsString(List.of(localIdentityProvider)))));