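/**
 * Validates a membership change before it is applied.
 *
 * <p>Rejects the request when the group id, member id or origin is blank, when the group would
 * be nested inside itself, when the group or the member cannot be retrieved, and when the
 * member's zone differs from the group's zone or from the caller's current zone. The two zone
 * comparisons are the boundary that keeps a caller in one identity zone from altering
 * memberships that belong to another zone.
 *
 * @param groupId id of the group whose membership is being changed
 * @param member the membership entry being added or updated
 * @throws InvalidScimResourceException if {@code member} is null, an identifier is blank, or the
 *     group would be made a member of itself
 * @throws ScimResourceConstraintFailedException if the member's zone differs from the group's
 *     zone or from the current zone
 */
private void validateRequest(String groupId, ScimGroupMember member) {
  // A null member is a malformed request, not a server fault: report it like blank identifiers
  // instead of failing with a NullPointerException on member.getMemberId().
  if (member == null
      || !StringUtils.hasText(groupId)
      || !StringUtils.hasText(member.getMemberId())
      || !StringUtils.hasText(member.getOrigin())) {
    throw new InvalidScimResourceException(
        "group-id, member-id, origin and member-type must be non-empty");
  }
  if (groupId.equals(member.getMemberId())) {
    // oops! cycle detected
    throw new InvalidScimResourceException("trying to nest group within itself, aborting");
  }
  // Both retrieve() calls are expected to throw a ScimException when the resource does not
  // exist; the group lookup also pins down the zone the member must belong to.
  ScimGroup group = groupProvisioning.retrieve(groupId);
  String memberZoneId;
  if (member.getType() == ScimGroupMember.Type.GROUP) {
    memberZoneId = groupProvisioning.retrieve(member.getMemberId()).getZoneId();
  } else {
    // NOTE(review): any type other than GROUP (including a null type) is looked up as a user,
    // although the message above says member-type must be non-empty — confirm this is intended.
    memberZoneId = userProvisioning.retrieve(member.getMemberId()).getZoneId();
  }
  if (!memberZoneId.equals(group.getZoneId())) {
    throw new ScimResourceConstraintFailedException(
        "The zone of the group and the member must be the same.");
  }
  if (!memberZoneId.equals(IdentityZoneHolder.get().getId())) {
    throw new ScimResourceConstraintFailedException(
        "Unable to make membership changes in a different zone");
  }
}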
/**
 * Reports whether {@code groupId} names one of the default user groups of the current zone.
 *
 * @param groupId the group id to look for
 * @return {@code true} if a default user group of the current zone has exactly this id
 */
public boolean isDefaultGroup(String groupId) {
  return getDefaultUserGroups(IdentityZoneHolder.get()).stream()
      .anyMatch(candidate -> candidate.getId().equals(groupId));
}
/**
 * Collects the display names of the given groups, in the set's iteration order.
 *
 * @param groups the groups to read; may be null
 * @return the display names, or an empty array if {@code groups} is null or empty
 */
private String[] getGroupNames(Set<ScimGroup> groups) {
  if (groups == null || groups.isEmpty()) {
    return new String[0];
  }
  return groups.stream().map(ScimGroup::getDisplayName).toArray(String[]::new);
}
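/**
 * Asserts that a user's direct and indirect group memberships match the expected names.
 *
 * <p>Every user is expected to hold {@code uaa.user}; direct groups must match one of the given
 * names, and indirect groups must match a given name with the {@code .i} suffix.
 *
 * @param id the user id whose memberships are checked
 * @param gNm the expected group names besides {@code uaa.user}; may be null or empty
 */
private void validateUserGroups(String id, String... gNm) {
  Set<ScimGroup> directGroups = dao.getGroupsWithMember(id, false);
  assertNotNull(directGroups);
  Set<ScimGroup> indirectGroups = dao.getGroupsWithMember(id, true);
  // Check for null before removeAll so a missing set fails the assertion, not with an NPE.
  assertNotNull(indirectGroups);
  indirectGroups.removeAll(directGroups);
  // Always start from a mutable set: Collections.emptySet() is immutable, so adding
  // "uaa.user" to it threw UnsupportedOperationException whenever no names were passed.
  Set<String> expectedAuthorities = new HashSet<>();
  if (gNm != null) {
    expectedAuthorities.addAll(Arrays.asList(gNm));
  }
  expectedAuthorities.add("uaa.user");
  assertEquals(expectedAuthorities.size(), directGroups.size() + indirectGroups.size());
  for (ScimGroup group : directGroups) {
    assertTrue(expectedAuthorities.contains(group.getDisplayName()));
  }
  for (ScimGroup group : indirectGroups) {
    assertTrue(expectedAuthorities.contains(group.getDisplayName() + ".i"));
  }
}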
/**
 * Records a mapping between a SCIM group and an external group name.
 *
 * <p>If the mapping already exists it is kept as-is and only logged; the existing mapping is
 * returned either way.
 *
 * @param groupId id of the SCIM group
 * @param externalGroup name of the external group to map onto it
 * @return the stored mapping for this group and external group
 * @throws ScimResourceNotFoundException if no group with {@code groupId} exists
 * @throws MemberAlreadyExistsException declared for interface compatibility; not thrown here
 */
@Override
public ScimGroupExternalMember mapExternalGroup(final String groupId, final String externalGroup)
    throws ScimResourceNotFoundException, MemberAlreadyExistsException {
  ScimGroup group = scimGroupProvisioning.retrieve(groupId);
  if (group == null) {
    throw new ScimResourceNotFoundException("Group does not exist");
  }
  try {
    // Both identifiers are bound as statement parameters, never concatenated into the SQL.
    jdbcTemplate.update(
        ADD_EXTERNAL_GROUP_MAPPING_SQL,
        ps -> {
          ps.setString(1, groupId);
          ps.setString(2, externalGroup);
          ps.setTimestamp(3, new Timestamp(System.currentTimeMillis()));
        });
  } catch (DuplicateKeyException e) {
    // A duplicate mapping is deliberately not an error: leave the existing row in place.
    logger.info(
        "The mapping between group "
            + group.getDisplayName()
            + " and external group "
            + externalGroup
            + " already exists");
  }
  return getExternalGroupMap(groupId, externalGroup);
}
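/**
 * End-to-end check of the approvals flow: a user signs in, approves a subset of the app's
 * scopes, edits the approvals on the profile page and finally revokes the app.
 *
 * <p>The {@code cloud_controller.read} group description is updated first; the approval page
 * appears to show the group description as the label of that scope's checkbox.
 *
 * @throws Exception propagated from the REST and WebDriver calls
 */
@Test
public void testApprovingAnApp() throws Exception {
  ResponseEntity<SearchResults<ScimGroup>> getGroups =
      restTemplate.exchange(
          baseUrl + "/Groups?filter=displayName eq '{displayName}'",
          HttpMethod.GET,
          null,
          new ParameterizedTypeReference<SearchResults<ScimGroup>>() {},
          "cloud_controller.read");
  // Fail with a readable assertion instead of NoSuchElementException if the group is missing.
  ScimGroup group =
      getGroups.getBody().getResources().stream()
          .findFirst()
          .orElseThrow(() -> new AssertionError("group cloud_controller.read not found"));
  group.setDescription("Read about your clouds.");
  HttpHeaders headers = new HttpHeaders();
  // If-Match carries the current version; presumably the PUT is rejected on a stale version.
  headers.add("If-Match", Integer.toString(group.getVersion()));
  HttpEntity<ScimGroup> request = new HttpEntity<>(group, headers);
  restTemplate.exchange(
      baseUrl + "/Groups/{group-id}", HttpMethod.PUT, request, Object.class, group.getId());

  ScimUser user = createUnapprovedUser();

  // Visit app
  webDriver.get(appUrl);

  // Sign in to login server
  webDriver.findElement(By.name("username")).sendKeys(user.getUserName());
  webDriver.findElement(By.name("password")).sendKeys(user.getPassword());
  webDriver.findElement(By.xpath("//input[@value='Sign in']")).click();

  // Authorize the app for some scopes
  Assert.assertEquals(
      "Application Authorization", webDriver.findElement(By.cssSelector("h1")).getText());
  webDriver
      .findElement(By.xpath("//label[text()='Change your password']/preceding-sibling::input"))
      .click();
  webDriver
      .findElement(
          By.xpath(
              "//label[text()='Read user IDs and retrieve users by ID']/preceding-sibling::input"))
      .click();
  // Not clicked: this lookup only verifies the checkbox for the renamed description is present
  // (findElement throws if it is absent). NOTE(review): confirm that is the intent.
  webDriver.findElement(
      By.xpath("//label[text()='Read about your clouds.']/preceding-sibling::input"));
  webDriver.findElement(By.xpath("//button[text()='Authorize']")).click();
  Assert.assertEquals("Sample Home Page", webDriver.findElement(By.cssSelector("h1")).getText());

  // View profile on the login server
  webDriver.get(baseUrl + "/profile");
  Assert.assertFalse(
      webDriver.findElement(By.xpath("//input[@value='app-password.write']")).isSelected());
  Assert.assertFalse(
      webDriver.findElement(By.xpath("//input[@value='app-scim.userids']")).isSelected());
  Assert.assertTrue(
      webDriver
          .findElement(By.xpath("//input[@value='app-cloud_controller.read']"))
          .isSelected());
  Assert.assertTrue(
      webDriver
          .findElement(By.xpath("//input[@value='app-cloud_controller.write']"))
          .isSelected());

  // Add approvals
  webDriver.findElement(By.xpath("//input[@value='app-password.write']")).click();
  webDriver.findElement(By.xpath("//input[@value='app-scim.userids']")).click();
  webDriver.findElement(By.xpath("//button[text()='Update']")).click();

  Assert.assertTrue(
      webDriver.findElement(By.xpath("//input[@value='app-password.write']")).isSelected());
  Assert.assertTrue(
      webDriver.findElement(By.xpath("//input[@value='app-scim.userids']")).isSelected());
  Assert.assertTrue(
      webDriver
          .findElement(By.xpath("//input[@value='app-cloud_controller.read']"))
          .isSelected());
  Assert.assertTrue(
      webDriver
          .findElement(By.xpath("//input[@value='app-cloud_controller.write']"))
          .isSelected());

  // Revoke app
  webDriver.findElement(By.linkText("Revoke Access")).click();
  Assert.assertEquals(
      "Are you sure you want to revoke access to The Ultimate Oauth App?",
      webDriver.findElement(By.cssSelector(".revocation-modal p")).getText());

  // click cancel
  webDriver.findElement(By.cssSelector("#app-form .revocation-cancel")).click();
  webDriver.findElement(By.linkText("Revoke Access")).click();

  // click confirm
  webDriver.findElement(By.cssSelector("#app-form .revocation-confirm")).click();

  // After revocation the app's approval checkboxes must be gone from the profile page.
  Assert.assertThat(
      webDriver.findElements(By.xpath("//input[@value='app-password.write']")),
      Matchers.empty());
}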