SAP · henrikpalsson · Oct 20, 2021 · Dec 12, 2022 · Dec 12, 2022 · Mar 13, 2023
diff --git a/scimono-server/src/main/java/com/sap/scimono/api/Groups.java b/scimono-server/src/main/java/com/sap/scimono/api/Groups.java
@@ -30,10 +30,7 @@
 import javax.ws.rs.PathParam;
 import javax.ws.rs.Produces;
 import javax.ws.rs.QueryParam;
-import javax.ws.rs.core.Application;
-import javax.ws.rs.core.Context;
-import javax.ws.rs.core.Response;
-import javax.ws.rs.core.UriInfo;
+import javax.ws.rs.core.*;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -89,10 +86,12 @@ public Groups(@Context Application appContext, @Context UriInfo uriInfo) {
   // @formatter:off
   public Response getGroup(@PathParam("id") final String groupId,
                            @QueryParam(ATTRIBUTES_PARAM) final String attributes,
-                           @QueryParam(EXCLUDED_ATTRIBUTES_PARAM) final String excludedAttributes) {
+                           @QueryParam(EXCLUDED_ATTRIBUTES_PARAM) final String excludedAttributes,
+                           @Context final SecurityContext sec) {
     // @formatter:on
     logger.trace("Reading group {}", groupId);
-    Group groupFromDb = groupAPI.getGroup(groupId, RequestedResourceAttributesParser.parse(attributes, excludedAttributes));
+    Group groupFromDb = groupAPI.getGroup(groupId, RequestedResourceAttributesParser.parse(attributes, excludedAttributes),
+            sec.getUserPrincipal());
 
     if (groupFromDb == null) {
       throw new ResourceNotFoundException(RESOURCE_TYPE_GROUP, groupId);
@@ -110,7 +109,8 @@ public Response getGroups(@QueryParam(START_INDEX_PARAM) @DefaultValue(DEFAULT_S
                             @QueryParam(START_ID_PARAM) @ValidStartId String startId,
                             @QueryParam(FILTER_PARAM) final String filter,
                             @QueryParam(ATTRIBUTES_PARAM) final String attributes,
-                            @QueryParam(EXCLUDED_ATTRIBUTES_PARAM) final String excludedAttributes) {
+                            @QueryParam(EXCLUDED_ATTRIBUTES_PARAM) final String excludedAttributes,
+                            @Context final SecurityContext sec) {
     // @formatter:on
     logger.trace("Reading groups with paging parameters startIndex {} startId {} count {}", startIndexParam, startId, countParam);
 
@@ -124,7 +124,8 @@ public Response getGroups(@QueryParam(START_INDEX_PARAM) @DefaultValue(DEFAULT_S
     }
 
     PageInfo pageInfo = PageInfo.getInstance(count, startIndex - 1, startId);
-    PagedResult<Group> groups = groupAPI.getGroups(pageInfo, filter, RequestedResourceAttributesParser.parse(attributes, excludedAttributes));
+    PagedResult<Group> groups = groupAPI.getGroups(pageInfo, filter, RequestedResourceAttributesParser.parse(attributes, excludedAttributes),
+            sec.getUserPrincipal());
 
     List<Group> groupsToReturn = new ArrayList<>();
     for (Group group : groups.getResources()) {
@@ -141,13 +142,14 @@ public Response getGroups(@QueryParam(START_INDEX_PARAM) @DefaultValue(DEFAULT_S
   }
 
   @POST
-  public Response createGroup(@Valid Group newGroup) {
+  public Response createGroup(@Valid Group newGroup,
+                              @Context final SecurityContext sec) {
     if (newGroup == null) {
       throw new InvalidInputException(NOT_VALID_INPUTS);
     }
 
     Group preparedGroup = groupPreProcessor.prepareForCreate(newGroup);
-    Group createdGroup = groupAPI.createGroup(preparedGroup);
+    Group createdGroup = groupAPI.createGroup(preparedGroup, sec.getUserPrincipal());
 
     createdGroup = resourceLocationService.addMembersLocation(createdGroup);
     createdGroup = resourceLocationService.addLocation(createdGroup, createdGroup.getId());
@@ -159,13 +161,14 @@ public Response createGroup(@Valid Group newGroup) {
 
   @PUT
   @Path("{id}")
-  public Response updateGroup(@PathParam("id") final String groupId, @Valid Group groupToUpdate) {
+  public Response updateGroup(@PathParam("id") final String groupId, @Valid Group groupToUpdate,
+                              @Context final SecurityContext sec) {
     if (groupToUpdate == null) {
       throw new InvalidInputException(NOT_VALID_INPUTS);
     }
     Group preparedGroup = groupPreProcessor.prepareForUpdate(groupToUpdate, groupId);
 
-    Group updatedGroup = groupAPI.updateGroup(preparedGroup);
+    Group updatedGroup = groupAPI.updateGroup(preparedGroup, sec.getUserPrincipal());
 
     updatedGroup = resourceLocationService.addMembersLocation(updatedGroup);
     updatedGroup = resourceLocationService.addLocation(updatedGroup, updatedGroup.getId());
@@ -177,24 +180,26 @@ public Response updateGroup(@PathParam("id") final String groupId, @Valid Group
 
   @DELETE
   @Path("{id}")
-  public void deleteGroup(@PathParam("id") final String groupId) {
-    groupAPI.deleteGroup(groupId);
+  public void deleteGroup(@PathParam("id") final String groupId,
+                          @Context final SecurityContext sec) {
+    groupAPI.deleteGroup(groupId, sec.getUserPrincipal());
 
     logger.trace("Deleted group {}", groupId);
     Response.noContent().build();
   }
 
   @PATCH
   @Path("{id}")
-  public Response patchGroup(@PathParam("id") final String groupId, final PatchBody patchBody) {
+  public Response patchGroup(@PathParam("id") final String groupId, final PatchBody patchBody,
+                             @Context final SecurityContext sec) {
     if (patchBody == null) {
       throw new InvalidInputException(NOT_VALID_INPUTS);
     }
     PatchValidationFramework validationFramework = PatchValidationFramework.groupsFramework(schemaAPI, resourceTypesAPI, groupAPI);
     validationFramework.validate(patchBody);
 
     Meta meta = new Meta.Builder(null, Instant.now()).setVersion(UUID.randomUUID().toString()).build();
-    groupAPI.patchGroup(groupId, patchBody, meta);
+    groupAPI.patchGroup(groupId, patchBody, meta, sec.getUserPrincipal());
 
     logger.trace("Updated group {}", groupId);
     return Response.status(Response.Status.NO_CONTENT).build();

diff --git a/scimono-server/src/main/java/com/sap/scimono/api/Users.java b/scimono-server/src/main/java/com/sap/scimono/api/Users.java
@@ -119,10 +119,11 @@ public Response getMe(@Context final SecurityContext sec) {
   // @formatter:off
   public Response getUser(@PathParam("id")  final String userId,
                           @QueryParam(ATTRIBUTES_PARAM) final String attributes,
-                          @QueryParam(EXCLUDED_ATTRIBUTES_PARAM) final String excludedAttributes) {
+                          @QueryParam(EXCLUDED_ATTRIBUTES_PARAM) final String excludedAttributes,
+                          @Context final SecurityContext sec) {
     // @formatter:on
     logger.trace("Reading user {}", userId);
-    User userFromDb = usersAPI.getUser(userId, RequestedResourceAttributesParser.parse(attributes, excludedAttributes));
+    User userFromDb = usersAPI.getUser(userId, RequestedResourceAttributesParser.parse(attributes, excludedAttributes), sec.getUserPrincipal());
 
     if (userFromDb == null) {
       throw new ResourceNotFoundException(RESOURCE_TYPE_USER, userId);
@@ -140,7 +141,8 @@ public Response getUsers(@QueryParam(START_INDEX_PARAM) @DefaultValue(DEFAULT_ST
                            @QueryParam(START_ID_PARAM) @ValidStartId final String startId,
                            @QueryParam(FILTER_PARAM) final String filter,
                            @QueryParam(ATTRIBUTES_PARAM) final String attributes,
-                           @QueryParam(EXCLUDED_ATTRIBUTES_PARAM) final String excludedAttributes) {
+                           @QueryParam(EXCLUDED_ATTRIBUTES_PARAM) final String excludedAttributes,
+                           @Context final SecurityContext sec) {
     // @formatter:on
     logger.trace("Reading users with paging parameters startIndex {} startId {} count {}", startIndexParam, startId, countParam);
 
@@ -154,7 +156,7 @@ public Response getUsers(@QueryParam(START_INDEX_PARAM) @DefaultValue(DEFAULT_ST
     }
 
     PageInfo pageInfo = PageInfo.getInstance(count, startIndex - 1, startId);
-    PagedResult<User> users = usersAPI.getUsers(pageInfo, filter, RequestedResourceAttributesParser.parse(attributes, excludedAttributes));
+    PagedResult<User> users = usersAPI.getUsers(pageInfo, filter, RequestedResourceAttributesParser.parse(attributes, excludedAttributes), sec.getUserPrincipal());
 
     List<User> usersToReturn = new ArrayList<>();
     for (User user : users.getResources()) {
@@ -171,13 +173,14 @@ public Response getUsers(@QueryParam(START_INDEX_PARAM) @DefaultValue(DEFAULT_ST
   }
 
   @POST
-  public Response createUser(@Valid final User newUser) {
+  public Response createUser(@Valid final User newUser,
+                             @Context final SecurityContext sec) {
     if (newUser == null) {
       throw new InvalidInputException(NOT_VALID_INPUTS);
     }
 
     User preparedUser = userPreProcessor.prepareForCreate(newUser);
-    User createdUser = usersAPI.createUser(preparedUser);
+    User createdUser = usersAPI.createUser(preparedUser, sec.getUserPrincipal());
 
     createdUser = resourceLocationService.addLocation(createdUser, createdUser.getId());
     createdUser = resourceLocationService.addRelationalEntitiesLocation(createdUser);
@@ -189,13 +192,14 @@ public Response createUser(@Valid final User newUser) {
 
   @PUT
   @Path("{id}")
-  public Response updateUser(@PathParam("id") final String userId, @Valid final User userToUpdate) {
+  public Response updateUser(@PathParam("id") final String userId, @Valid final User userToUpdate,
+                             @Context final SecurityContext sec) {
     if (userToUpdate == null) {
       throw new InvalidInputException(NOT_VALID_INPUTS);
     }
     User preparedUser = userPreProcessor.prepareForUpdate(userToUpdate, userId);
 
-    User updatedUser = usersAPI.updateUser(preparedUser);
+    User updatedUser = usersAPI.updateUser(preparedUser, sec.getUserPrincipal());
 
     updatedUser = resourceLocationService.addLocation(updatedUser, updatedUser.getId());
     updatedUser = resourceLocationService.addRelationalEntitiesLocation(updatedUser);
@@ -208,16 +212,18 @@ public Response updateUser(@PathParam("id") final String userId, @Valid final Us
 
   @DELETE
   @Path("{id}")
-  public void deleteUser(@PathParam("id") final String userId) {
-    usersAPI.deleteUser(userId);
+  public void deleteUser(@PathParam("id") final String userId,
+                         @Context final SecurityContext sec) {
+    usersAPI.deleteUser(userId, sec.getUserPrincipal());
 
     logger.trace("Deleted user {}", userId);
     Response.noContent().build();
   }
 
   @PATCH
   @Path("{id}")
-  public Response patchUser(@PathParam("id") final String userId, final PatchBody patchBody) {
+  public Response patchUser(@PathParam("id") final String userId, final PatchBody patchBody,
+                            @Context final SecurityContext sec) {
     if (patchBody == null) {
       throw new InvalidInputException(NOT_VALID_INPUTS);
     }
@@ -226,15 +232,15 @@ public Response patchUser(@PathParam("id") final String userId, final PatchBody
 
     String newVersion = UUID.randomUUID().toString();
     Meta meta = new Meta.Builder(null, Instant.now()).setVersion(newVersion).build();
-    usersAPI.patchUser(userId, patchBody, meta);
+    usersAPI.patchUser(userId, patchBody, meta, sec.getUserPrincipal());
 
     logger.trace("Updated user {}, new version is {}", userId, newVersion);
     return Response.status(Status.NO_CONTENT).build();
   }
 
   @POST
   @Path(".query")
-  public Response queryUsers() {
-    return getUsers("0", "0", null, null, null, null);
+  public Response queryUsers(@Context final SecurityContext sec) {
+    return getUsers("0", "0", null, null, null, null, sec);
   }
 }
diff --git a/scimono-server/src/main/java/com/sap/scimono/callback/groups/GroupsCallback.java b/scimono-server/src/main/java/com/sap/scimono/callback/groups/GroupsCallback.java
@@ -1,6 +1,7 @@
 
 package com.sap.scimono.callback.groups;
 
+import java.security.Principal;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.Optional;
@@ -25,6 +26,10 @@ default Group getGroup(String groupId, RequestedResourceAttributes additionalAtt
     return getGroup(groupId);
   }
 
+  default Group getGroup(String groupId, RequestedResourceAttributes additionalAttributes, Principal userPrincipal) {
+    return getGroup(groupId);
+  }
+
   /**
    * Returns a page of groups (limited by {@link SCIMConfigurationCallback#getMaxResourcesPerPage()}),
    * taking into account the specified filter and paging parameters.
@@ -45,6 +50,15 @@ default PagedResult<Group> getGroups(final PageInfo pageInfo, final String filte
     return getGroups(pageInfo, filter);
   }
 
+  /**
+   * Returns a page of groups (more info in {@link GroupsCallback#getGroups(PageInfo, String, RequestedResourceAttributes)} ()}
+   * adding security principal to be able to allow or deny the requested user.
+   * @param userPrincipal
+   * @return a page of groups or empty page if no groups match the filter/paging criteria
+   */
+  default PagedResult<Group> getGroups(final PageInfo pageInfo, final String filter, RequestedResourceAttributes additionalAttributes, Principal userPrincipal) {
+    return getGroups(pageInfo, filter, additionalAttributes);
+  }
 
   /**
    * Creates a group with the provided attributes. The group object must have all mandatory attributes available,
@@ -54,6 +68,16 @@ default PagedResult<Group> getGroups(final PageInfo pageInfo, final String filte
    */
   Group createGroup(final Group group);
 
+  /**
+   * Creates a group with the provided attributes.(more info in {@link GroupsCallback#createGroup(Group)} ()}
+   * adding security principal to be able to allow or deny the requested user.
+   * @param userPrincipal
+   * @return a page of groups or empty page if no groups match the filter/paging criteria
+   */
+  default Group createGroup(final Group group, Principal userPrincipal) {
+    return createGroup(group);
+  }
+
   /**
    * Updates a group with the provided attributes. The group object must have all mandatory attributes available,
    * including metadata (id, new version, etc.).
@@ -62,6 +86,16 @@ default PagedResult<Group> getGroups(final PageInfo pageInfo, final String filte
    */
   Group updateGroup(final Group group);
 
+  /**
+   * Updates a group with the provided attributes.(more info in {@link GroupsCallback#updateGroup(Group)} ()}
+   * adding security principal to be able to allow or deny the requested user.
+   * @param userPrincipal
+   * @return a page of groups or empty page if no groups match the filter/paging criteria
+   */
+  default Group updateGroup(final Group group, Principal userPrincipal) {
+    return updateGroup(group);
+  }
+
   /**
    * Updates a group with the provided attributes. The group object must have all mandatory attributes available,
    * including metadata (id, new version, etc.).
@@ -72,13 +106,33 @@ default PagedResult<Group> getGroups(final PageInfo pageInfo, final String filte
    */
   void patchGroup(String groupId, PatchBody patchBody, Meta groupMeta);
 
+  /**
+   * Updates a group with the provided attributes.(more info in {@link GroupsCallback#patchGroup(String, PatchBody, Meta)} ()}
+   * adding security principal to be able to allow or deny the requested user.
+   * @param userPrincipal
+   * @return a page of groups or empty page if no groups match the filter/paging criteria
+   */
+  default void patchGroup(String groupId, PatchBody patchBody, Meta groupMeta, Principal userPrincipal) {
+    patchGroup(groupId, patchBody, groupMeta);
+  }
+
   /**
    * Deletes the group with the specified groupId.
    *
    * @param groupId
    */
   void deleteGroup(final String groupId);
 
+  /**
+   * Deletes the group with the specified groupId.(more info in {@link GroupsCallback#deleteGroup(String)} ()}
+   * adding security principal to be able to allow or deny the requested user.
+   * @param userPrincipal
+   * @return a page of groups or empty page if no groups match the filter/paging criteria
+   */
+  default void deleteGroup(final String groupId, Principal userPrincipal) {
+    deleteGroup(groupId);
+  }
+
   /**
    * Generates a group id for a new group
    *