Merge pull request #9597 from IQSS/9369-shib-subgroup

9369 Shib groups (and other custom groups), as subgroups of an explicit group

Author: kcondon

src/main/java/edu/harvard/iq/dataverse/authorization/groups/GroupServiceBean.java

@@ -7,10 +7,13 @@
 import edu.harvard.iq.dataverse.authorization.groups.impl.explicit.ExplicitGroup;
 import edu.harvard.iq.dataverse.authorization.groups.impl.explicit.ExplicitGroupProvider;
 import edu.harvard.iq.dataverse.authorization.groups.impl.explicit.ExplicitGroupServiceBean;
+import edu.harvard.iq.dataverse.authorization.groups.impl.ipaddress.IpGroup;
 import edu.harvard.iq.dataverse.authorization.groups.impl.ipaddress.IpGroupProvider;
 import edu.harvard.iq.dataverse.authorization.groups.impl.ipaddress.IpGroupsServiceBean;
+import edu.harvard.iq.dataverse.authorization.groups.impl.maildomain.MailDomainGroup;
 import edu.harvard.iq.dataverse.authorization.groups.impl.maildomain.MailDomainGroupProvider;
 import edu.harvard.iq.dataverse.authorization.groups.impl.maildomain.MailDomainGroupServiceBean;
+import edu.harvard.iq.dataverse.authorization.groups.impl.shib.ShibGroup;
 import edu.harvard.iq.dataverse.authorization.groups.impl.shib.ShibGroupProvider;
 import edu.harvard.iq.dataverse.authorization.groups.impl.shib.ShibGroupServiceBean;
 import edu.harvard.iq.dataverse.engine.command.DataverseRequest;
@@ -97,9 +100,49 @@ public MailDomainGroupProvider getMailDomainGroupProvider() {
      * @return The groups {@code req} is part of under {@code dvo}.
      */
     public Set<Group> groupsFor( DataverseRequest req, DvObject dvo ) {
-        return groupProviders.values().stream()
+        Set<Group> ret = groupProviders.values().stream()
                               .flatMap(gp->(Stream<Group>)gp.groupsFor(req, dvo).stream())
                               .collect(toSet());
+        
+        // ShibGroupProvider.groupsFor(), above, only returns the Shib Groups 
+        // (as you would expect), but not the Explicit Groups that may include them 
+        // (unlike the ExplicitGroupProvider, that returns all the ancestors too). 
+        // We appear to rely on this method returning all of the ancestor groups 
+        // for everything, so we need to perform some extra hacky steps in 
+        // order to obtain the ancestors for the shib groups as well:
+        
+        Set<ExplicitGroup> directAncestorsOfShibGroups = new HashSet<>();
+        for (Group group : ret) {
+
+            if (group instanceof ShibGroup 
+                    || group instanceof IpGroup 
+                    || group instanceof MailDomainGroup) {
+                // if this is one of the non-explicit group types above, we 
+                // need to find if it is included in some explicit group; i.e., 
+                // if it has direct ancestors that happen to be explicit groups:
+                
+                directAncestorsOfShibGroups.addAll(explicitGroupService.findDirectlyContainingGroups(group));
+            }
+        }
+        
+        if (!directAncestorsOfShibGroups.isEmpty()) {
+            // ... and now we can run the Monster Query in the ExplicitServiceBean
+            // that will find ALL the hierarchical explicit group ancestors of 
+            // these groups that include the shib groups fond
+            
+            Set<ExplicitGroup> allAncestorsOfShibGroups = explicitGroupService.findClosure(directAncestorsOfShibGroups);
+            
+            if (allAncestorsOfShibGroups != null) {
+                ret.addAll(allAncestorsOfShibGroups);
+            }
+        }
+        
+        // Perhaps the code above should be moved into the ShibGroupProvider (??)
+        // Also, this most likely applies not just to ShibGroups, but to the 
+        // all the groups that are not ExplicitGroups, i.e., IP- and domain-based 
+        // groups too. (??)
+        
+        return ret;
     }
 
     /**

src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/explicit/ExplicitGroup.java

@@ -61,7 +61,7 @@
     @NamedQuery( name="ExplicitGroup.findByAuthenticatedUserIdentifier",
                  query="SELECT eg FROM ExplicitGroup eg JOIN eg.containedAuthenticatedUsers au "
                      + "WHERE au.userIdentifier=:authenticatedUserIdentifier"),
-    @NamedQuery( name="ExplicitGroup.findByRoleAssgineeIdentifier",
+    @NamedQuery( name="ExplicitGroup.findByRoleAssigneeIdentifier",
                  query="SELECT eg FROM ExplicitGroup eg JOIN eg.containedRoleAssignees cra "
                      + "WHERE cra=:roleAssigneeIdentifier"),
     @NamedQuery( name="ExplicitGroup.findByContainedExplicitGroupId",

src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/explicit/ExplicitGroupServiceBean.java

@@ -169,7 +169,7 @@ public Set<ExplicitGroup> findDirectlyContainingGroups( RoleAssignee ra ) {
         } else {
             return provider.updateProvider(
                     new HashSet<>(
-                            em.createNamedQuery("ExplicitGroup.findByRoleAssgineeIdentifier", ExplicitGroup.class)
+                            em.createNamedQuery("ExplicitGroup.findByRoleAssigneeIdentifier", ExplicitGroup.class)
                               .setParameter("roleAssigneeIdentifier", ra.getIdentifier())
                               .getResultList()
                   ));
@@ -198,7 +198,7 @@ public Set<ExplicitGroup> findGroups( RoleAssignee ra, DvObject o ) {
                 .filter( g -> g.owner.isAncestorOf(o) )
                 .collect( Collectors.toSet() );
     }
-    
+        
     /**
      * Finds all the groups {@code ra} directly belongs to in the context of {@code o}. In effect,
      * collects all the groups {@code ra} belongs to and that are defined at {@code o}
@@ -252,7 +252,7 @@ public Set<ExplicitGroup> findDirectGroups( RoleAssignee ra, DvObject o ) {
      * @param seed the initial set of groups.
      * @return Transitive closure (based on group  containment) of the groups in {@code seed}.
      */
-    protected Set<ExplicitGroup> findClosure( Set<ExplicitGroup> seed ) {
+    public Set<ExplicitGroup> findClosure( Set<ExplicitGroup> seed ) {
 
         if ( seed.isEmpty() ) return Collections.emptySet();
 

src/main/java/edu/harvard/iq/dataverse/authorization/groups/impl/shib/ShibGroup.java

@@ -135,5 +135,4 @@ public RoleAssigneeDisplayInfo getDisplayInfo() {
     public boolean contains(DataverseRequest aRequest) {
         throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
     }
-
 }