feat: roles mapping support for condition groups

Author: ymarcon

mica-core/src/main/java/org/obiba/mica/security/service/MicaGroupsToRolesMapper.java

@@ -1,47 +1,80 @@
 package org.obiba.mica.security.service;
 
+import com.google.common.annotations.VisibleForTesting;
+import com.google.common.base.Joiner;
 import com.google.common.collect.Maps;
 import org.obiba.mica.security.Roles;
 import org.obiba.shiro.realm.GroupsToRolesMapper;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.core.env.Environment;
 
 import java.util.Arrays;
+import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.stream.Collectors;
 
 public class MicaGroupsToRolesMapper implements GroupsToRolesMapper {
 
-  private Map<String, Set<String>> roleGroups = Maps.newHashMap();
+  private static final Logger log = LoggerFactory.getLogger(MicaGroupsToRolesMapper.class);
+
+  private Map<String, List<Set<String>>> roleGroups = Maps.newHashMap();
 
   public MicaGroupsToRolesMapper(Environment environment) {
     Roles.ALL_ROLES.forEach(role -> {
       addRoleGroups(environment, role);
     });
   }
 
+  @VisibleForTesting
+  MicaGroupsToRolesMapper(String groupsStr, String someRole) {
+    Roles.ALL_ROLES.forEach(role -> {
+      if (role.equals(someRole)) {
+        addRoleGroups(groupsStr, role);
+      } else {
+        addRoleGroups("", role);
+      }
+    });
+  }
+
+
   @Override
   public Set<String> toRoles(Set<String> groups) {
     Set<String> roles = Roles.ALL_ROLES.stream()
       .filter(role -> hasRole(role, groups))
       .collect(Collectors.toSet());
-
+    log.debug("roles: {}", Joiner.on(",").join(roles));
     roles.addAll(groups);
 
     return roles;
   }
 
   private void addRoleGroups(Environment environment, String role) {
     String groupsStr = environment.getProperty(String.format("roles.%s", role), role);
-    Set<String> groups = Arrays.stream(groupsStr.split(","))
+    addRoleGroups(groupsStr, role);
+  }
+
+  private void addRoleGroups(String groupsStr, String role) {
+    Set<String> groupsCond = toSet(groupsStr, "\\|");
+    List<Set<String>> groupsSets = groupsCond.stream()
+      .map((cond) -> toSet(cond, ","))
+      .toList();
+    roleGroups.put(role, groupsSets);
+  }
+
+  private Set<String> toSet(String groupsStr, String separator) {
+    return Arrays.stream(groupsStr.split(separator))
       .map(String::trim)
       .filter(s -> !s.isEmpty()) // Remove empty strings
       .collect(Collectors.toSet());
-    roleGroups.put(role, groups);
   }
 
   private boolean hasRole(String role, Set<String> groups) {
     if (!roleGroups.containsKey(role)) return false;
-    return groups.containsAll(roleGroups.get(role));
+    for (Set<String> groupSet : roleGroups.get(role)) {
+      if (groups.containsAll(groupSet)) return true;
+    }
+    return false;
   }
 }

mica-core/src/test/java/org/obiba/mica/security/service/MicaGroupsToRolesMapperTest.java

@@ -0,0 +1,53 @@
+package org.obiba.mica.security.service;
+
+import org.junit.Test;
+import org.obiba.mica.security.Roles;
+
+import java.util.Set;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+public class MicaGroupsToRolesMapperTest {
+
+
+  @Test
+  public void testSingleGroup() {
+    MicaGroupsToRolesMapper mapper = new MicaGroupsToRolesMapper("local-administrator", Roles.MICA_ADMIN);
+    assertTrue(mapper.toRoles(Set.of("local-administrator")).contains(Roles.MICA_ADMIN));
+    assertFalse(mapper.toRoles(Set.of("some-group")).contains(Roles.MICA_ADMIN));
+  }
+
+  @Test
+  public void testMultipleGroups() {
+    MicaGroupsToRolesMapper mapper = new MicaGroupsToRolesMapper("opal-administrator,mica-user", Roles.MICA_ADMIN);
+    assertTrue(mapper.toRoles(Set.of("opal-administrator", "mica-user")).contains(Roles.MICA_ADMIN));
+    assertTrue(mapper.toRoles(Set.of("opal-administrator", "mica-user", "some-group")).contains(Roles.MICA_ADMIN));
+    assertFalse(mapper.toRoles(Set.of("opal-administrator")).contains(Roles.MICA_ADMIN));
+    assertFalse(mapper.toRoles(Set.of("mica-user")).contains(Roles.MICA_ADMIN));
+    assertTrue(mapper.toRoles(Set.of("mica-user")).contains(Roles.MICA_USER));
+    assertFalse(mapper.toRoles(Set.of("some-group")).contains(Roles.MICA_ADMIN));
+  }
+
+  @Test
+  public void testMultipleOptionsGroups() {
+    MicaGroupsToRolesMapper mapper = new MicaGroupsToRolesMapper("opal-administrator,mica-user|local-administrator", Roles.MICA_ADMIN);
+    assertTrue(mapper.toRoles(Set.of("opal-administrator", "mica-user")).contains(Roles.MICA_ADMIN));
+    assertTrue(mapper.toRoles(Set.of("opal-administrator", "mica-user", "some-group")).contains(Roles.MICA_ADMIN));
+    assertTrue(mapper.toRoles(Set.of("local-administrator")).contains(Roles.MICA_ADMIN));
+    assertFalse(mapper.toRoles(Set.of("opal-administrator")).contains(Roles.MICA_ADMIN));
+    assertFalse(mapper.toRoles(Set.of("mica-user")).contains(Roles.MICA_ADMIN));
+    assertTrue(mapper.toRoles(Set.of("mica-user")).contains(Roles.MICA_USER));
+    assertFalse(mapper.toRoles(Set.of("some-group")).contains(Roles.MICA_ADMIN));
+  }
+
+  @Test
+  public void testDefaults() {
+    MicaGroupsToRolesMapper mapper = new MicaGroupsToRolesMapper("", Roles.MICA_ADMIN);
+    assertTrue(mapper.toRoles(Set.of(Roles.MICA_USER)).contains(Roles.MICA_USER));
+    assertTrue(mapper.toRoles(Set.of(Roles.MICA_DAO)).contains(Roles.MICA_DAO));
+    assertTrue(mapper.toRoles(Set.of(Roles.MICA_EDITOR)).contains(Roles.MICA_EDITOR));
+    assertTrue(mapper.toRoles(Set.of(Roles.MICA_REVIEWER)).contains(Roles.MICA_REVIEWER));
+    assertTrue(mapper.toRoles(Set.of(Roles.MICA_ADMIN)).contains(Roles.MICA_ADMIN));
+  }
+}