Allow for remoteUser in localDevMode

server/src/main/java/access/security/RemoteUser.java

@@ -28,13 +28,15 @@ public class RemoteUser implements UserDetails, CredentialsContainer, Provisiona
     private String displayName;
     private List<Scope> scopes = new ArrayList<>();
     private List<Application> applications = new ArrayList<>();
+    private boolean localDevMode;
 
     public RemoteUser(RemoteUser remoteUser) {
         this.username = remoteUser.username;
         this.password = remoteUser.password;
         this.displayName = remoteUser.displayName;
         this.scopes = remoteUser.scopes;
         this.applications = remoteUser.applications;
+        this.localDevMode = remoteUser.localDevMode;
     }
 
     @Override

server/src/main/java/access/security/RemoteUserPermissions.java

@@ -33,6 +33,9 @@ public static void assertApplicationAccess(RemoteUser remoteUser, List<Role> rol
         if (remoteUser == null) {
             throw new UserRestrictionException();
         }
+        if (remoteUser.isLocalDevMode()) {
+            return;
+        }
         List<Application> remoteUserApplications = remoteUser.getApplications();
         boolean hasApplicationAccess = roles.stream().map(role -> role.applicationsUsed())
                 .flatMap(Collection::stream)

server/src/main/resources/application.yml

@@ -161,6 +161,16 @@ external-api-configuration:
       applications:
         - manageId: "4"
           manageType: SAML20_SP
+    -
+      username: sp_dashboard_local_dev_mode
+      displayName: "SP Dashboard"
+      password: "secret"
+      scopes:
+        - sp_dashboard
+      applications:
+        - manageId: "4"
+          manageType: SAML20_SP
+      localDevMode: true
 
 voot:
   group_urn_domain: urn:mace:surf.nl:test.surfaccess.nl

server/src/test/java/access/internal/InternalInviteControllerTest.java

@@ -42,7 +42,24 @@ void createWithAPIUser() throws Exception {
                 .as(new TypeRef<>() {
                 });
         assertNotNull(newRole.getId());
-        System.out.println(objectMapper.writeValueAsString(newRole));
+    }
+
+    @Test
+    void createWithAPIUserNotAllowed() {
+        Role role = new Role("Required role name", "Required role description", application("3", EntityType.SAML20_SP),
+                365, false, false);
+
+        super.stubForManagerProvidersByIdIn(EntityType.SAML20_SP, List.of("3"));
+
+        given()
+                .when()
+                .auth().preemptive().basic("sp_dashboard", "secret")
+                .accept(ContentType.JSON)
+                .contentType(ContentType.JSON)
+                .body(role)
+                .post("/api/internal/invite/roles")
+                .then()
+                        .statusCode(403);
     }
 
     @Test
@@ -191,14 +208,4 @@ void userRolesByRole() {
         assertEquals(1, userRoles.size());
     }
 
-    @Test
-    void delme() throws JsonProcessingException {
-        InvitationResponse invitationResponse = new InvitationResponse(
-                201,
-                List.of(new RecipientInvitationURL("[email protected]", "https://invite.test.surfconext.nl/invitation/accept?{hash}"))
-        );
-        String json = objectMapper.writeValueAsString(invitationResponse);
-        System.out.println(json);
-    }
-
 }

server/src/test/java/access/security/ExtendedInMemoryUserDetailsManagerTest.java

@@ -16,7 +16,8 @@ class ExtendedInMemoryUserDetailsManagerTest {
             "password",
             "SP Dashboard",
             List.of(Scope.profile),
-            List.of(new Application("4", EntityType.SAML20_SP)));
+            List.of(new Application("4", EntityType.SAML20_SP)),
+            false);
 
     private final ExtendedInMemoryUserDetailsManager userDetailsManager =
             new ExtendedInMemoryUserDetailsManager(List.of(remoteUser));

server/src/test/java/access/security/RemoteUserPermissionsTest.java

@@ -21,7 +21,7 @@ void assertScopeAccess() {
 
         RemoteUserPermissions.assertScopeAccess(new RemoteUser());
         RemoteUserPermissions.assertScopeAccess(
-                new RemoteUser("user", "secret", null, List.of(Scope.profile), List.of()), Scope.profile);
+                new RemoteUser("user", "secret", null, List.of(Scope.profile), List.of(), false), Scope.profile);
     }
 
     @Test
@@ -34,9 +34,25 @@ void assertApplicationAccess() {
         role.setApplicationUsages(applicationUsages);
         assertThrows(UserRestrictionException.class, () -> RemoteUserPermissions.assertApplicationAccess(null, role));
         assertThrows(UserRestrictionException.class, () -> RemoteUserPermissions.assertApplicationAccess(new RemoteUser(), role));
-        RemoteUser remoteUser = new RemoteUser("user", "secret", null, List.of(), List.of(application));
+        RemoteUser remoteUser = new RemoteUser("user", "secret", null, List.of(), List.of(application), false);
         RemoteUserPermissions.assertApplicationAccess(remoteUser, role);
         RemoteUserPermissions.assertApplicationAccess(remoteUser, List.of(role));
     }
 
+    @Test
+    void assertApplicationAccessDevMode() {
+        Role role = new Role();
+        Application application = new Application("1", EntityType.SAML20_SP);
+        Set<ApplicationUsage> applicationUsages = Set.of(
+                new ApplicationUsage(application, "landingPage")
+        );
+        role.setApplicationUsages(applicationUsages);
+        RemoteUser remoteUser = new RemoteUser("user", "secret", null, List.of(), List.of(new Application("5", EntityType.SAML20_SP)), false);
+        assertThrows(UserRestrictionException.class, () -> RemoteUserPermissions.assertApplicationAccess(remoteUser, role));
+
+        RemoteUser remoteUserDevMode = new RemoteUser(remoteUser);
+        remoteUserDevMode.setLocalDevMode(true);
+        RemoteUserPermissions.assertApplicationAccess(remoteUserDevMode, role);
+    }
+
 }