diff --git a/src/main/java/com/knecon/fforesight/tenantusermanagement/controller/external/UserController.java b/src/main/java/com/knecon/fforesight/tenantusermanagement/controller/external/UserController.java
index f44846b..c4238a5 100644
--- a/src/main/java/com/knecon/fforesight/tenantusermanagement/controller/external/UserController.java
+++ b/src/main/java/com/knecon/fforesight/tenantusermanagement/controller/external/UserController.java
@@ -41,6 +41,9 @@ public class UserController implements UserResource, PublicResource {
 private final UserService userService;
 private final TenantUserManagementProperties tenantUserManagementProperties;
+ private static final String KNECON_ADMIN_ROLE = "KNECON_ADMIN";
+ private static final String KNECON_SUPPORT_ROLE = "KNECON_SUPPORT";
+
 @Override
 @PreAuthorize("hasAuthority('" + READ_USERS + "')")
@@ -51,7 +54,12 @@ public class UserController implements UserResource, PublicResource {
 }
 var allRoles = tenantUserManagementProperties.getKcRoleMapping().getAllRoles();
- return userService.getAllUsers().stream().filter(user -> user.getRoles().stream().anyMatch(allRoles::contains)).collect(Collectors.toList());
+ return userService.getAllUsers()
+ .stream()
+ .filter(user -> user.getRoles()
+ .stream()
+ .anyMatch(allRoles::contains))
+ .collect(Collectors.toList());
 }
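Review bot: The two new constants hard-code role names that the YAML profiles in this same commit define independently (`name: KNECON_SUPPORT`), so a rename on either side silently stops the filter from hiding that role; consider naming the set once, `private static final Set<String> INTERNAL_ROLES = Set.of("KNECON_ADMIN", "KNECON_SUPPORT");`, so the later filters become `!INTERNAL_ROLES.contains(role)` and adding a third internal role is a one-line change. A short why-comment above the constants would also help, since the reason for stripping them is not visible here — something like `// Platform-level roles that the tenant-facing user endpoints hide; must match the role names in the application-*.yaml profiles`. The enclosing class continues outside the hunk.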
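Review bot: The rewritten chain ends with `.collect(Collectors.toList())` while the sibling method in the next hunk ends with `.toList()`; the two terminals differ in mutability (`Stream.toList()` returns an unmodifiable list, the collector an `ArrayList`), so the choice should be deliberate — `.collect(Collectors.toList());` → `.toList();` would match the other method unless a caller mutates the returned list. The reformat itself is behaviour-neutral. The method signature and the `if` closed by the first context line are outside the hunk.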
@@ -63,21 +71,22 @@ public class UserController implements UserResource, PublicResource {
 userService.evictUserCache();
 }
- var kneconAdminRole = "KNECON_ADMIN";
+ return userService.getAllUsers()
+ .stream()
+ .filter(user -> {
+ Set filteredRoles = user.getRoles()
+ .stream()
+ .filter(role -> !role.equals(KNECON_ADMIN_ROLE) && !role.equals(KNECON_SUPPORT_ROLE))
+ .collect(Collectors.toSet());
- return userService.getAllUsers().stream().filter(user -> {
- if(user.getRoles().contains(kneconAdminRole))
- {
- //user should be filtered out because he has only role knecon_admin
- if(user.getRoles().size() == 1) {
- return false;
- }
- //remove knecon_admin role
- user.getRoles().remove(kneconAdminRole);
- return true;
- }
- return true;
- }).toList();
+ if (filteredRoles.isEmpty()) {
+ return false;
+ }
+
+ user.setRoles(filteredRoles);
+ return true;
+ })
+ .toList();
 }
@@ -128,14 +137,19 @@ public class UserController implements UserResource, PublicResource {
 if (StringUtils.isEmpty(userId)) {
 throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "The userId should not be empty.");
 }
- var kneconAdminRole = "KNECON_ADMIN";
- var user = userService.getUserById(userId).orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND, "User not found"));
- if (user.getRoles().contains(kneconAdminRole)) {
- if(user.getRoles().size() == 1) {
- throw new ResponseStatusException(HttpStatus.NOT_FOUND, "User not found");
- }
- user.getRoles().remove(kneconAdminRole);
+ var user = userService.getUserById(userId)
+ .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND, "User not found"));
+
+ Set filteredRoles = user.getRoles()
+ .stream()
+ .filter(role -> !role.equals(KNECON_ADMIN_ROLE) && !role.equals(KNECON_SUPPORT_ROLE))
+ .collect(Collectors.toSet());
+
+ if (filteredRoles.isEmpty()) {
+ throw new ResponseStatusException(HttpStatus.NOT_FOUND, "User not found");
 }
+
+ user.setRoles(filteredRoles);
 return user;
 }
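Review bot: `user.setRoles(filteredRoles)` inside the filter lambda mutates the objects returned by `userService.getAllUsers()`; the `evictUserCache()` call a few lines above suggests that list comes from a cache, and if the cache hands out the same instances the reduced role sets persist in it, so later readers — including the unfiltered admin endpoint in the `@@ -51` hunk and any authorization decision that consults these objects — would see KNECON_ADMIN/KNECON_SUPPORT users without those roles (the old in-place `remove` had the same problem, so this is pre-existing, but the rewrite is the moment to fix it). Map each user to a copy carrying the reduced role set, or have the service return detached copies, rather than mutating the shared instance; the same applies to `user.setRoles(filteredRoles)` in the `@@ -128` hunk. Both hunks also declare the raw type `Set filteredRoles` — it should be `Set<String> filteredRoles` — and repeat the same role predicate, which could live in one private helper that takes the role collection and returns the filtered `Set<String>`, so that the two endpoints cannot drift. The method signatures of both hunks are outside the view.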
diff --git a/src/main/resources/application-clarifynd.yaml b/src/main/resources/application-clarifynd.yaml
index 978e220..941a137 100644
--- a/src/main/resources/application-clarifynd.yaml
+++ b/src/main/resources/application-clarifynd.yaml
@@ -56,6 +56,24 @@ fforesight:
 - "fforesight-read-identity-provider-config"
 - "fforesight-write-identity-provider-config"
 - "red-unarchive-dossier"
+ - name: KNECON_SUPPORT
+ set-by-default: false
+ rank: 1000
+ permissions:
+ - "red-read-license"
+ - "red-update-license"
+ - "fforesight-get-tenants"
+ - "fforesight-create-tenant"
+ - "fforesight-update-tenant"
+ - "fforesight-delete-tenant"
+ - "fforesight-read-users"
+ - "fforesight-read-all-users"
+ - "fforesight-write-users"
+ - "fforesight-read-smtp-configuration"
+ - "fforesight-write-smtp-configuration"
+ - "fforesight-read-identity-provider-config"
+ - "fforesight-write-identity-provider-config"
+ - "red-unarchive-dossier"
 - name: FF_ADMIN
 set-by-default: true
 rank: 100
diff --git a/src/main/resources/application-documine.yaml b/src/main/resources/application-documine.yaml
index f9da110..9efd940 100644
--- a/src/main/resources/application-documine.yaml
+++ b/src/main/resources/application-documine.yaml
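Review bot: The new KNECON_SUPPORT role is a verbatim copy of KNECON_ADMIN's permission list — including `fforesight-delete-tenant` and `fforesight-write-identity-provider-config` — at the same `rank: 1000`, so to the authorization layer support staff are indistinguishable from platform admins; if support is meant to be a narrower role the list should be trimmed to what support actually needs, and if the equality is deliberate a comment above the entry, e.g. `# intentionally mirrors KNECON_ADMIN; support needs full tenant administration`, would record that decision. This profile also differs from `application-documine.yaml` and `application-redaction.yaml` in the same commit, where both KNECON_ADMIN and KNECON_SUPPORT additionally receive `red-use-support-controller`; if clarifynd has no support controller that is fine, otherwise the omission leaves the support role unable to reach the endpoint it was presumably created for. Whether `rank` gates which roles a user may assign to others is not visible here; if it does, equal rank would let a support user manage KNECON_ADMIN assignments, which is worth confirming.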
@@ -22,7 +22,11 @@ fforesight:
 - name: KNECON_ADMIN
 set-by-default: false
 rank: 1000
- permissions: [ "red-read-license", "red-update-license","fforesight-get-tenants", "fforesight-create-tenant", "fforesight-update-tenant", "fforesight-delete-tenant","fforesight-read-users", "fforesight-read-all-users", "fforesight-write-users","fforesight-read-smtp-configuration", "fforesight-write-smtp-configuration", "fforesight-read-identity-provider-config","fforesight-write-identity-provider-config", "red-unarchive-dossier" ]
+ permissions: [ "red-read-license", "red-update-license","fforesight-get-tenants", "fforesight-create-tenant", "fforesight-update-tenant", "fforesight-delete-tenant","fforesight-read-users", "fforesight-read-all-users", "fforesight-write-users","fforesight-read-smtp-configuration", "fforesight-write-smtp-configuration", "fforesight-read-identity-provider-config","fforesight-write-identity-provider-config", "red-unarchive-dossier", "red-use-support-controller" ]
+ - name: KNECON_SUPPORT
+ set-by-default: false
+ rank: 1000
+ permissions: [ "red-read-license", "red-update-license","fforesight-get-tenants", "fforesight-create-tenant", "fforesight-update-tenant", "fforesight-delete-tenant","fforesight-read-users", "fforesight-read-all-users", "fforesight-write-users","fforesight-read-smtp-configuration", "fforesight-write-smtp-configuration", "fforesight-read-identity-provider-config","fforesight-write-identity-provider-config", "red-unarchive-dossier", "red-use-support-controller" ]
 - name: RED_USER
 set-by-default: true
 rank: 100
diff --git a/src/main/resources/application-redaction.yaml b/src/main/resources/application-redaction.yaml
index 5bcca12..ac354b6 100644
--- a/src/main/resources/application-redaction.yaml
+++ b/src/main/resources/application-redaction.yaml
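Review bot: The KNECON_SUPPORT entry repeats KNECON_ADMIN's flow-style permission list character for character (the `@@ -48` hunk in `application-redaction.yaml` does the same), so the two lists will drift the next time one of them is edited; a YAML anchor on the admin list, `permissions: &knecon-admin-permissions [ ... ]`, with `permissions: *knecon-admin-permissions` on the support entry keeps them identical by construction — Spring Boot loads YAML through SnakeYAML, which resolves anchors and aliases, but confirm that in the test profile before relying on it. The single-line flow lists here also differ from the block style used for the same roles in `application-clarifynd.yaml`; either is valid, but one style across profiles makes permission changes reviewable line by line. If the two roles are meant to diverge later, a comment on the support entry saying what support should eventually lose would make the duplication intentional rather than accidental.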
@@ -48,7 +48,11 @@ fforesight:
 - name: KNECON_ADMIN
 set-by-default: false
 rank: 1000
- permissions: [ "red-read-license", "red-update-license","fforesight-get-tenants", "fforesight-create-tenant", "fforesight-update-tenant", "fforesight-delete-tenant","fforesight-read-users", "fforesight-read-all-users", "fforesight-write-users","fforesight-read-smtp-configuration", "fforesight-write-smtp-configuration","red-unarchive-dossier" ]
+ permissions: [ "red-read-license", "red-update-license","fforesight-get-tenants", "fforesight-create-tenant", "fforesight-update-tenant", "fforesight-delete-tenant","fforesight-read-users", "fforesight-read-all-users", "fforesight-write-users","fforesight-read-smtp-configuration", "fforesight-write-smtp-configuration","red-unarchive-dossier", "red-use-support-controller" ]
+ - name: KNECON_SUPPORT
+ set-by-default: false
+ rank: 1000
+ permissions: [ "red-read-license", "red-update-license","fforesight-get-tenants", "fforesight-create-tenant", "fforesight-update-tenant", "fforesight-delete-tenant","fforesight-read-users", "fforesight-read-all-users", "fforesight-write-users","fforesight-read-smtp-configuration", "fforesight-write-smtp-configuration","red-unarchive-dossier", "red-use-support-controller" ]
 - name: RED_USER_ADMIN
 set-by-default: false
 rank: 400