WIP for new role: institutionAdmin

server/src/main/java/access/repository/UserRepository.java

@@ -23,7 +23,8 @@ public interface UserRepository extends JpaRepository<User, Long> {
             nativeQuery = true)
     List<User> search(String keyWord, int limit);
 
-    @Query(value = "SELECT * FROM users u WHERE super_user = 0 AND NOT EXISTS (SELECT ur.id FROM user_roles ur WHERE ur.user_id = u.id)",
+    @Query(value = "SELECT * FROM users u WHERE super_user = 0 AND institution_admin = 0 " +
+            "AND NOT EXISTS (SELECT ur.id FROM user_roles ur WHERE ur.user_id = u.id)",
             nativeQuery = true)
     List<User> findNonSuperUserWithoutUserRoles();
 

server/src/main/java/access/security/UserPermissions.java

@@ -22,6 +22,9 @@ public static void assertSuperUser(User user) {
     }
 
     public static void assertAuthority(User user, Authority authority) {
+        if (user.isInstitutionAdmin() && !Authority.INSTITUTION_ADMIN.hasEqualOrHigherRights(authority)) {
+            throw new UserRestrictionException();
+        }
         if (!user.isSuperUser() && user.getUserRoles().stream()
                 .noneMatch(userRole -> userRole.getAuthority().hasEqualOrHigherRights(authority)))
             throw new UserRestrictionException();
@@ -36,6 +39,10 @@ public static void assertValidInvitation(User user, Authority intendedAuthority,
         }
         //For all roles verify that the user has a higher authority then the one requested for all off the roles
         Set<UserRole> userRoles = user.getUserRoles();
+        if (user.isInstitutionAdmin() && roles.stream()
+                .allMatch(role -> mayInviteByInstitutionAdmin(user.getApplications(), role.getManageId()))) {
+            return;
+        }
         boolean allowed = roles.stream()
                 .allMatch(role -> mayInviteByApplication(userRoles, role) ||
                         mayInviteByAuthority(userRoles, intendedAuthority, role));
@@ -51,6 +58,12 @@ private static boolean mayInviteByApplication(Set<UserRole> userRoles, Role role
                         userRole.getAuthority().hasEqualOrHigherRights(Authority.MANAGER));
     }
 
+    //Does the one off the applications has the same application as the role
+    private static boolean mayInviteByInstitutionAdmin(List<Map<String, Object>> applications, String manageId) {
+        return applications.stream()
+                .anyMatch(application -> application.get("id").equals(manageId));
+    }
+
     //Does one the userRoles has at least the Authority higher than the intendedAuthority and NOT Guest
     private static boolean mayInviteByAuthority(Set<UserRole> userRoles, Authority intendedAuthority, Role role) {
         return userRoles.stream()
@@ -61,13 +74,17 @@ private static boolean mayInviteByAuthority(Set<UserRole> userRoles, Authority i
 
     public static void assertManagerRole(Map<String, Object> provider, User user) {
         String manageId = (String) provider.get("id");
-        if (!user.isSuperUser()) {
-            user.getUserRoles().stream()
-                    .filter(userRole -> userRole.getAuthority().hasEqualOrHigherRights(Authority.MANAGER)
-                            && userRole.getRole().getManageId().equals(manageId))
-                    .findFirst()
-                    .orElseThrow(UserRestrictionException::new);
+        if (user.isSuperUser()) {
+            return;
+        }
+        if (user.isInstitutionAdmin() && mayInviteByInstitutionAdmin(user.getApplications(), manageId)) {
+            return;
         }
+        user.getUserRoles().stream()
+                .filter(userRole -> userRole.getAuthority().hasEqualOrHigherRights(Authority.MANAGER)
+                        && userRole.getRole().getManageId().equals(manageId))
+                .findFirst()
+                .orElseThrow(UserRestrictionException::new);
     }
 
     public static void assertRoleAccess(User user, Role accessRole) {
@@ -78,6 +95,9 @@ public static void assertRoleAccess(User user, Role accessRole, Authority author
         if (user.isSuperUser()) {
             return;
         }
+        if (user.isInstitutionAdmin() && mayInviteByInstitutionAdmin(user.getApplications(), accessRole.getManageId())) {
+            return;
+        }
         user.getUserRoles().stream()
                 .filter(userRole -> userRole.getRole().getId().equals(accessRole.getId()) ||
                         (userRole.getRole().getManageId().equals(accessRole.getManageId()) &&

server/src/main/resources/manage/query_templates.json

@@ -1,20 +1,6 @@
 {
   "base_query": {
     "REQUESTED_ATTRIBUTES": [
-      "metaDataFields.name:en",
-      "metaDataFields.name:nl",
-      "metaDataFields.name:en",
       "metaDataFields.logo:0:url"
     ]
-  },
-  "provisioning_query": {
-    "REQUESTED_ATTRIBUTES": [
-      "metaDataFields.name:nl",
-      "metaDataFields.name:nl",
-      "metaDataFields.name:nl",
-      "metaDataFields.name:nl",
-      "metaDataFields.name:nl",
-      "applications"
-    ]
-  }
-}
+  }}

server/src/test/java/access/api/UserControllerTest.java

@@ -263,7 +263,7 @@ void searchOwl() throws Exception {
                 .get("/api/v1/users/search")
                 .as(new TypeRef<>() {
                 });
-        assertEquals(4, users.size());
+        assertEquals(5, users.size());
     }
 
     @Test

server/src/test/java/access/manage/RemoteManageTest.java

@@ -62,7 +62,7 @@ void allowedEntries() throws JsonProcessingException {
         LocalManage localManage = new LocalManage(objectMapper);
         List<Map<String, Object>> serviceProviders = localManage.allowedEntries(EntityType.SAML20_SP, "1");
         String body = objectMapper.writeValueAsString(serviceProviders);
-        stubFor(get(urlPathMatching("/manage/api/internal/allowedEntities/SAML20_SP/1")).willReturn(aResponse()
+        stubFor(get(urlPathMatching("/manage/api/internal/allowedEntities/saml20_sp/1")).willReturn(aResponse()
                 .withHeader("Content-Type", "application/json")
                 .withBody(body)));
         List<Map<String, Object>> allowedEntries = manage.allowedEntries(EntityType.SAML20_SP, "1");