diff --git a/rest/taskana-rest-spring/src/main/java/pro/taskana/common/rest/AccessIdController.java b/rest/taskana-rest-spring/src/main/java/pro/taskana/common/rest/AccessIdController.java
index 8b0d6e8bd..15f30c5b7 100644
--- a/rest/taskana-rest-spring/src/main/java/pro/taskana/common/rest/AccessIdController.java
+++ b/rest/taskana-rest-spring/src/main/java/pro/taskana/common/rest/AccessIdController.java
@@ -80,7 +80,7 @@ public class AccessIdController {
     taskanaEngine.checkRoleMembership(TaskanaRole.ADMIN, TaskanaRole.BUSINESS_ADMIN);
-    if (!validateAccessId(accessId)) {
+    if (!ldapClient.validateAccessId(accessId)) {
       throw new InvalidArgumentException("The accessId is invalid");
     }
@@ -93,8 +93,4 @@ public class AccessIdController {
     }
     return response;
   }
-
-  private boolean validateAccessId(String accessId) throws InvalidArgumentException {
-    return ldapClient.searchUsersAndGroups(accessId).size() == 1;
-  }
 }
diff --git a/rest/taskana-rest-spring/src/main/java/pro/taskana/common/rest/ldap/LdapClient.java b/rest/taskana-rest-spring/src/main/java/pro/taskana/common/rest/ldap/LdapClient.java
index c33715896..92c26dd2e 100644
--- a/rest/taskana-rest-spring/src/main/java/pro/taskana/common/rest/ldap/LdapClient.java
+++ b/rest/taskana-rest-spring/src/main/java/pro/taskana/common/rest/ldap/LdapClient.java
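Review bot: `ldapClient.validateAccessId(accessId)` does not accept the same inputs as the helper deleted in the second hunk of this file, and nothing in the commit records that: the old check required exactly one hit from `searchUsersAndGroups(accessId)`, while the new one (see the LdapClient hunk) accepts a name that resolves as a DN and otherwise only an exact match on the user id attribute, so a group referenced by its short name, which `searchUsersAndGroups` would presumably have found, now fails with "The accessId is invalid". If that is the intended contract for this endpoint, say so where the check is made, e.g. `// accepts a resolvable DN or an exact user id; group short names are rejected`, so the 400 is recognisable as deliberate rather than a regression. The enclosing controller method starts before this hunk.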
@@ -214,6 +214,46 @@ public class LdapClient {
     return accessIds;
   }
+  /**
+   * Validates a given AccessId / name.
+   *
+   * @param name lookup string for names or groups
+   * @return whether the given name is valid or not
+   */
+  public boolean validateAccessId(final String name) {
+
+    LOGGER.debug("entry to validateAccessId(name = {})", name);
+
+    isInitOrFail();
+
+    if (nameIsDn(name)) {
+
+      AccessIdRepresentationModel groupByDn = searchAccessIdByDn(name);
+
+      return groupByDn != null;
+
+    } else {
+
+      final AndFilter andFilter = new AndFilter();
+      andFilter.and(new EqualsFilter(getUserSearchFilterName(), getUserSearchFilterValue()));
+
+      final OrFilter orFilter = new OrFilter();
+      orFilter.or(new EqualsFilter(getUserIdAttribute(), name));
+
+      andFilter.and(orFilter);
+
+      final List accessIds =
+          ldapTemplate.search(
+              getUserSearchBase(),
+              andFilter.encode(),
+              SearchControls.SUBTREE_SCOPE,
+              getLookUpUserAttributesToReturn(),
+              new UserContextMapper());
+
+      return !accessIds.isEmpty();
+    }
+  }
+
   public String getUserSearchBase() {
     return LdapSettings.TASKANA_LDAP_USER_SEARCH_BASE.getValueFromEnv(env);
   }
diff --git a/rest/taskana-rest-spring/src/test/java/pro/taskana/common/rest/AccessIdControllerIntTest.java b/rest/taskana-rest-spring/src/test/java/pro/taskana/common/rest/AccessIdControllerIntTest.java
index 2cde44883..a2ed20cd5 100644
--- a/rest/taskana-rest-spring/src/test/java/pro/taskana/common/rest/AccessIdControllerIntTest.java
+++ b/rest/taskana-rest-spring/src/test/java/pro/taskana/common/rest/AccessIdControllerIntTest.java
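Review bot: The `OrFilter` built at `orFilter.or(new EqualsFilter(getUserIdAttribute(), name))` holds a single clause, so it only adds a nesting level to the encoded filter; `andFilter.and(new EqualsFilter(getUserIdAttribute(), name));` yields the same query and reads as what it is. The Javadoc should also spell out the two lookup paths, because `@return whether the given name is valid or not` hides that a non-DN name is matched only against the user id attribute under the user search base; something like `@return {@code true} if {@code name} is a resolvable DN, or a user id found under the user search base` would do. Since `name` arrives from a request parameter, a one-line comment that `EqualsFilter` escapes its value before `andFilter.encode()`, so the caller cannot change the shape of the filter, documents why this branch is safe; the DN branch relies on `searchAccessIdByDn`, which is outside the hunk, and deserves the same check. `groupByDn` is a misleading name for a result that can presumably be a user entry as well; `entryByDn` fits both cases.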
@@ -157,6 +157,25 @@ class AccessIdControllerIntTest {
             + "cn=Organisationseinheit KSC,cn=organisation,OU=Test,O=TASKANA");
   }
+  @Test
+  void should_ValidateAccessIdWithEqualsFilterAndReturnAccessIdsOfGroupsTheAccessIdIsMemberOf() {
+    ResponseEntity> response =
+        TEMPLATE.exchange(
+            restHelper.toUrl(RestEndpoints.URL_ACCESS_ID_GROUPS) + "?access-id=user-2-1",
+            HttpMethod.GET,
+            restHelper.defaultRequest(),
+            ACCESS_ID_LIST_TYPE);
+
+    assertThat(response.getBody())
+        .isNotNull()
+        .extracting(AccessIdRepresentationModel::getAccessId)
+        .usingElementComparator(String.CASE_INSENSITIVE_ORDER)
+        .containsExactlyInAnyOrder(
+            "cn=ksc-users,cn=groups,ou=Test,O=TASKANA",
+            "cn=Organisationseinheit KSC 2,cn=Organisationseinheit KSC,"
+                + "cn=organisation,ou=Test,O=TASKANA");
+  }
+
   @Test
   void should_ReturnBadRequest_ifAccessIdOfUserContainsInvalidCharacter() {
     ThrowingCallable call =