WIP for policies

oharsta · oharsta · commit d46ff55a0449 · 2026-03-02T15:57:44.000+01:00
diff --git a/server/src/main/java/access/api/InviteController.java b/server/src/main/java/access/api/InviteController.java
@@ -4,9 +4,7 @@
 import access.exception.UserRestrictionException;
 import access.invite.InviteClient;
 import access.manage.Manage;
-import access.manage.ManageData;
 import access.model.User;
-import access.repository.OrganizationRepository;
 import access.repository.UserRepository;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -73,7 +71,7 @@ public ResponseEntity<List<Map<String, Object>>> rolesPerOrganizationInviteAppli
             if (StringUtils.hasText(idpInstitutionGUID)) {
                 organizationGUID = idpInstitutionGUID;
             } else {
-                LOG.warn("Not fetching invite roles as there is no institution GUID for IdP: "+user.getAuthenticatingAuthority());
+                LOG.warn("Not fetching invite roles as there is no institution GUID for IdP: " + user.getAuthenticatingAuthority());
                 return ResponseEntity.ok(List.of());
             }
         }
@@ -85,4 +83,16 @@ public ResponseEntity<List<Map<String, Object>>> rolesPerOrganizationInviteAppli
         List<Map<String, Object>> inviteRoles = this.inviteClient.rolesPerOrganizationApplicationId(organizationGUID, applicationManageId);
         return ResponseEntity.ok(inviteRoles);
     }
+
+
+    @GetMapping("/roles-summary")
+    public ResponseEntity<List<Map<String, Object>>> rolesSummary(User user) {
+        LOG.debug("/rolesSummary called by: " + user.getEmail());
+
+        confirmInstitutionAdmin(user);
+
+        List<Map<String, Object>> inviteRoles = this.inviteClient.rolesSummary();
+        return ResponseEntity.ok(inviteRoles);
+    }
+
 }
diff --git a/server/src/main/java/access/api/UserAccessRights.java b/server/src/main/java/access/api/UserAccessRights.java
@@ -54,11 +54,8 @@ default void confirmApplicationWriteAccess(User user, Application application, A
                     String.format("User %s is not allowed to access application %s",
                             user.getEmail(), application.getName()));
         }
-
-
     }
 
-
     default void confirmApplicationDeleteAccess(User user, Application application) {
         if (user.isSuperUser()) {
             return;
diff --git a/server/src/main/java/access/invite/InviteClient.java b/server/src/main/java/access/invite/InviteClient.java
@@ -36,4 +36,12 @@ public List<Map<String, Object>> rolesPerOrganizationApplicationId(String organi
                 organizationGUID,
                 applicationManageId);
     }
+
+    public List<Map<String, Object>> rolesSummary() {
+        if (!enabled) {
+            return List.of();
+        }
+        return restTemplate.getForObject(
+                url + "/api/external/v1/internal/invite/roles-summary", List.class);
+    }
 }
diff --git a/server/src/test/java/access/api/InviteControllerTest.java b/server/src/test/java/access/api/InviteControllerTest.java
@@ -207,4 +207,30 @@ void rolesPerOrganizationInviteApplicationServerSideRequestForgery() {
                 .statusCode(HttpStatus.BAD_REQUEST.value());
     }
 
+    @SneakyThrows
+    @Test
+    void rolesSummary() {
+        List<Map<String, Object>> rolesMock = objectMapper.readValue(new ClassPathResource("/invite/roles_summary.json").getInputStream(),
+                new TypeReference<>() {
+                });
+        stubFor(get(urlPathMatching("/api/external/v1/internal/invite/roles-summary"))
+                .willReturn(aResponse()
+                        .withHeader("Content-Type", "application/json")
+                        .withBody(objectMapper.writeValueAsString(rolesMock))));
+
+        AccessCookieFilter accessCookieFilter = openIDConnectFlow("/api/v1/users/me", SUPER_SUB);
+
+        List<Map<String, String>> roles = given()
+                .when()
+                .filter(accessCookieFilter.cookieFilter())
+                .accept(ContentType.JSON)
+                .contentType(ContentType.JSON)
+                .get("/api/v1/invite/roles-summary")
+                .as(new TypeRef<>() {
+                });
+
+        assertEquals(2, roles.size());
+    }
+
+
 }
diff --git a/server/src/test/resources/invite/roles_summary.json b/server/src/test/resources/invite/roles_summary.json
@@ -0,0 +1,12 @@
+[
+  {
+    "name": "Test Role Profile",
+    "description": "Test Role Profile",
+    "urn": "urn:mace:surf.nl:invite.test2.surfconext.nl:f5b477df-6af9-46f8-b0fa-8e7a8695afb0:test_role_profile"
+  },
+  {
+    "name": "Test Role Profile II ",
+    "description": "Test Role Profile Description",
+    "urn": "urn:mace:surf.nl:invite.test2.surfconext.nl:f5b477df-6af9-46f8-b0fa-8e7a8695afb0:test_role2_profile"
+  }
+]

Original file line number	Diff line number	Diff line change
`@@ -54,11 +54,8 @@ default void confirmApplicationWriteAccess(User user, Application application, A`
`54`	`54`	`String.format("User %s is not allowed to access application %s",`
`55`	`55`	`user.getEmail(), application.getName()));`
`56`	`56`	`}`
`57`		`-`
`58`		`-`
`59`	`57`	`}`
`60`	`58`
`61`		`-`
`62`	`59`	`default void confirmApplicationDeleteAccess(User user, Application application) {`
`63`	`60`	`if (user.isSuperUser()) {`
`64`	`61`	`return;`
Original file line number	Diff line number	Diff line change
`@@ -36,4 +36,12 @@ public List<Map<String, Object>> rolesPerOrganizationApplicationId(String organi`
`36`	`36`	`organizationGUID,`
`37`	`37`	`applicationManageId);`
`38`	`38`	`}`
	`39`	`+`
	`40`	`+ public List<Map<String, Object>> rolesSummary() {`
	`41`	`+ if (!enabled) {`
	`42`	`+ return List.of();`
	`43`	`+ }`
	`44`	`+ return restTemplate.getForObject(`
	`45`	`+ url + "/api/external/v1/internal/invite/roles-summary", List.class);`
	`46`	`+ }`
`39`	`47`	`}`