SSDM-6061: UserManagerTest and helper classes for testing introduced. Testing...

SSDM-6061: UserManagerTest and helper classes for testing introduced. Testing and implementation not finished

authentication/source/java/ch/systemsx/cisd/authentication/ldap/LDAPDirectoryConfiguration.java

@@ -432,7 +432,10 @@ public final class LDAPDirectoryConfiguration
      */
     public void setServerUrl(String ldapUrl)
     {
-        this.serverUrl = ldapUrl;
+        if (isResolved(ldapUrl))
+        {
+            this.serverUrl = ldapUrl;
+        }
     }
 
     private static boolean isResolved(String name)

openbis/source/java/ch/systemsx/cisd/openbis/generic/server/task/Group.java → openbis/source/java/ch/systemsx/cisd/openbis/generic/server/task/UserGroup.java

@@ -18,34 +18,43 @@ package ch.systemsx.cisd.openbis.generic.server.task;
 
 import java.util.List;
 
-class Group
+public class UserGroup
 {
     private String name;
+    
+    private String key;
 
     private List<String> ldapGroupKeys;
 
     private List<String> admins;
 
-    private List<String> usersBlackList;
-
     public String getName()
     {
         return name;
     }
 
-    public List<String> getAdmins()
+    public String getKey()
     {
-        return admins;
+        return key;
     }
 
-    public List<String> getLdapGroupKeys()
+    public void setKey(String key)
     {
-        return ldapGroupKeys;
+        this.key = key;
     }
 
-    public List<String> getUsersBlackList()
+    public List<String> getAdmins()
     {
-        return usersBlackList;
+        return admins;
     }
 
+    public void setAdmins(List<String> admins)
+    {
+        this.admins = admins;
+    }
+    
+    public List<String> getLdapGroupKeys()
+    {
+        return ldapGroupKeys;
+    }
 }
\ No newline at end of file

openbis/source/java/ch/systemsx/cisd/openbis/generic/server/task/UserManagementMaintenanceTask.java

@@ -19,14 +19,12 @@ package ch.systemsx.cisd.openbis.generic.server.task;
 import java.io.File;
 import java.util.List;
 import java.util.Map;
-import java.util.Map.Entry;
 import java.util.Properties;
 import java.util.TreeMap;
 
 import org.apache.commons.lang.StringUtils;
 import org.apache.log4j.Logger;
 
-import com.fasterxml.jackson.core.type.TypeReference;
 import com.fasterxml.jackson.databind.ObjectMapper;
 
 import ch.systemsx.cisd.authentication.Principal;
@@ -51,8 +49,11 @@ public class UserManagementMaintenanceTask implements IMaintenanceTask
     private static final Logger operationLog = LogFactory.getLogger(LogCategory.OPERATION,
             UserManagementMaintenanceTask.class);
 
+    private static final Logger notificationLog = LogFactory.getLogger(LogCategory.NOTIFY,
+            UserManagementMaintenanceTask.class);
+    
     private File configurationFile;
-
+    
     private LDAPAuthenticationService ldapService;
 
     @Override
@@ -65,7 +66,14 @@ public class UserManagementMaintenanceTask implements IMaintenanceTask
             throw new ConfigurationFailureException("Configuration file '" + configurationFile.getAbsolutePath()
                     + "' doesn't exist or is a directory.");
         }
+        
         ldapService = (LDAPAuthenticationService) CommonServiceProvider.getApplicationContext().getBean("ldap-authentication-service");
+        if (ldapService.isConfigured() == false)
+        {
+            throw new ConfigurationFailureException("There is no LDAP authentication service configured. "
+                    + "At least 'ldap.server.url', 'ldap.security.principal.distinguished.name', "
+                    + "'ldap.security.principal.password' have to be specified in 'service.properties'.");
+        }
         operationLog.info("Plugin '" + pluginName + "' initialized. Configuration file: " + configurationFile.getAbsolutePath());
         
     }
@@ -73,17 +81,16 @@ public class UserManagementMaintenanceTask implements IMaintenanceTask
     @Override
     public void execute()
     {
-        Map<String, Group> groups = readGroupDefinitions();
-        if (groups == null)
+        UserManagerConfig config = readGroupDefinitions();
+        if (config == null || config.getGroups() == null)
         {
             return;
         }
         Log4jSimpleLogger logger = new Log4jSimpleLogger(operationLog);
-        UserManager userManager = new UserManager(CommonServiceProvider.getApplicationServerApi(), logger);
-        for (Entry<String, Group> entry : groups.entrySet())
+        UserManager userManager = new UserManager(CommonServiceProvider.getApplicationServerApi(), config.getCommonSpaces(), logger);
+        for (UserGroup group : config.getGroups())
         {
-            String key = entry.getKey();
-            Group group = entry.getValue();
+            String key = group.getKey();
             List<String> ldapGroupKeys = group.getLdapGroupKeys();
             if (ldapGroupKeys == null || ldapGroupKeys.isEmpty())
             {
@@ -112,11 +119,15 @@ public class UserManagementMaintenanceTask implements IMaintenanceTask
             }
             userManager.addGroup(key, group, principalsByUserId);
         }
-        userManager.manageUsers();
+        String errorReport = userManager.manageUsers();
+        if (StringUtils.isNotBlank(errorReport))
+        {
+            notificationLog.error("User management failed for the following reasons:\n\n" + errorReport);
+        }
         operationLog.info("finished");
     }
     
-    private Map<String, Group> readGroupDefinitions()
+    private UserManagerConfig readGroupDefinitions()
     {
         if (configurationFile.isFile() == false)
         {
@@ -134,10 +145,9 @@ public class UserManagementMaintenanceTask implements IMaintenanceTask
         }
     }
 
-    private Map<String, Group> deserialize(String serializedConfig) throws Exception
+    private UserManagerConfig deserialize(String serializedConfig) throws Exception
     {
         ObjectMapper mapper = new ObjectMapper();
-        return mapper.readValue(serializedConfig, new TypeReference<Map<String, Group>>(){});
+        return mapper.readValue(serializedConfig, UserManagerConfig.class);
     }
-    
 }

openbis/source/java/ch/systemsx/cisd/openbis/generic/server/task/UserManager.java

@@ -17,9 +17,12 @@
 package ch.systemsx.cisd.openbis.generic.server.task;
 
 import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
+import java.util.Map.Entry;
 import java.util.Set;
 import java.util.TreeMap;
 import java.util.TreeSet;
@@ -27,13 +30,32 @@ import java.util.function.Function;
 import java.util.stream.Collectors;
 
 import ch.ethz.sis.openbis.generic.asapi.v3.dto.authorizationgroup.AuthorizationGroup;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.authorizationgroup.create.AuthorizationGroupCreation;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.authorizationgroup.create.CreateAuthorizationGroupsOperation;
 import ch.ethz.sis.openbis.generic.asapi.v3.dto.authorizationgroup.fetchoptions.AuthorizationGroupFetchOptions;
 import ch.ethz.sis.openbis.generic.asapi.v3.dto.authorizationgroup.id.AuthorizationGroupPermId;
 import ch.ethz.sis.openbis.generic.asapi.v3.dto.authorizationgroup.id.IAuthorizationGroupId;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.authorizationgroup.update.AuthorizationGroupUpdate;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.authorizationgroup.update.UpdateAuthorizationGroupsOperation;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.common.operation.IOperation;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.operation.SynchronousOperationExecutionOptions;
 import ch.ethz.sis.openbis.generic.asapi.v3.dto.person.Person;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.person.create.CreatePersonsOperation;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.person.create.PersonCreation;
 import ch.ethz.sis.openbis.generic.asapi.v3.dto.person.fetchoptions.PersonFetchOptions;
 import ch.ethz.sis.openbis.generic.asapi.v3.dto.person.id.IPersonId;
 import ch.ethz.sis.openbis.generic.asapi.v3.dto.person.id.PersonPermId;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.person.update.PersonUpdate;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.person.update.UpdatePersonsOperation;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.roleassignment.Role;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.roleassignment.create.CreateRoleAssignmentsOperation;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.roleassignment.create.RoleAssignmentCreation;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.space.Space;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.space.create.CreateSpacesOperation;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.space.create.SpaceCreation;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.space.fetchoptions.SpaceFetchOptions;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.space.id.ISpaceId;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.space.id.SpacePermId;
 import ch.ethz.sis.openbis.generic.server.asapi.v3.IApplicationServerInternalApi;
 import ch.systemsx.cisd.authentication.Principal;
 import ch.systemsx.cisd.common.logging.ISimpleLogger;
@@ -42,27 +64,29 @@ import ch.systemsx.cisd.common.logging.LogLevel;
 /**
  * @author Franz-Josef Elmer
  */
-class UserManager
+public class UserManager
 {
     private final IApplicationServerInternalApi service;
 
     private final ISimpleLogger logger;
-    
+
+    private final Map<Role, List<String>> commonSpacesByRole;
+
     private final Map<String, UserInfo> userInfosByUserId = new TreeMap<>();
-    
+
     private final List<String> groupCodes = new ArrayList<>();
 
-    UserManager(IApplicationServerInternalApi service, ISimpleLogger logger)
+    public UserManager(IApplicationServerInternalApi service, Map<Role, List<String>> commonSpacesByRole, ISimpleLogger logger)
     {
         this.service = service;
+        this.commonSpacesByRole = commonSpacesByRole;
         this.logger = logger;
     }
 
-    public void addGroup(String key, Group group, Map<String, Principal> principalsByUserId)
+    public void addGroup(String key, UserGroup group, Map<String, Principal> principalsByUserId)
     {
-        groupCodes.add(key);
+        groupCodes.add(key.toUpperCase());
         Set<String> admins = asSet(group.getAdmins());
-        Set<String> blackListedUsers = asSet(group.getUsersBlackList());
         for (Principal principal : principalsByUserId.values())
         {
             String userId = principal.getUserId();
@@ -72,27 +96,231 @@ class UserManager
                 userInfo = new UserInfo(principal);
                 userInfosByUserId.put(userId, userInfo);
             }
-            userInfo.addGroupInfo(new GroupInfo(key, admins.contains(userId), blackListedUsers.contains(userId)));
+            userInfo.addGroupInfo(new GroupInfo(key, admins.contains(userId)));
         }
         logger.log(LogLevel.INFO, principalsByUserId.size() + " users for group " + key);
     }
 
-    public void manageUsers()
+    public String manageUsers()
     {
         String sessionToken = service.loginAsSystem();
         Map<IPersonId, Person> users = getUsersWithRoleAssigments(sessionToken);
         Map<IAuthorizationGroupId, AuthorizationGroup> authorizationGroups = getAuthorizationGroups(sessionToken);
+        StringBuilder builder = new StringBuilder();
+        for (String groupCode : groupCodes)
+        {
+            try
+            {
+                manageGroup(sessionToken, groupCode, authorizationGroups);
+            } catch (Exception e)
+            {
+                String message = String.format("Couldn't manage group '%s' because of the following error: %s",
+                        groupCode, e);
+                builder.append(message).append("\n");
+                logger.log(LogLevel.ERROR, message, e);
+            }
+        }
+        authorizationGroups = getAuthorizationGroups(sessionToken);
         for (UserInfo userInfo : userInfosByUserId.values())
         {
-            manageUser(userInfo, users, authorizationGroups);
+            try
+            {
+                manageUser(sessionToken, userInfo, users, authorizationGroups);
+            } catch (Exception e)
+            {
+                String message = String.format("Couldn't manage user '%s' because of the following error: %s",
+                        userInfo.getPrincipal().getUserId(), e);
+                builder.append(message).append("\n");
+                logger.log(LogLevel.ERROR, message, e);
+            }
         }
         service.logout(sessionToken);
+        return builder.toString();
     }
-    
-    private void manageUser(UserInfo userInfo, Map<IPersonId, Person> knownUsers, 
+
+    private void manageGroup(String sessionToken, String groupCode, Map<IAuthorizationGroupId, AuthorizationGroup> knownAuthorizationGroups)
+    {
+        Context context = new Context(sessionToken);
+        AuthorizationGroup knownGroup = knownAuthorizationGroups.get(new AuthorizationGroupPermId(groupCode));
+        if (knownGroup != null)
+        {
+            manageKnownGroup(context, knownGroup);
+        } else
+        {
+            manageNewGroup(context, groupCode);
+        }
+        context.executeOperations();
+    }
+
+    private void manageNewGroup(Context context, String groupCode)
+    {
+        String adminGroupCode = createAdminGroupCode(groupCode);
+        assertAuthorizationGroupDoesNotExist(context, adminGroupCode);
+        assertNoCommonSpaceExists(context, groupCode);
+
+        createAuthorizationGroup(context, groupCode);
+        createAuthorizationGroup(context, adminGroupCode);
+
+        for (Entry<Role, List<String>> entry : commonSpacesByRole.entrySet())
+        {
+            Role role = entry.getKey();
+            for (String space : entry.getValue())
+            {
+                ISpaceId spaceId = createSpace(context, createCommonSpaceCode(groupCode, space));
+                createRoleAssignment(context, new AuthorizationGroupPermId(groupCode), role, spaceId);
+                createRoleAssignment(context, new AuthorizationGroupPermId(adminGroupCode), Role.ADMIN, spaceId);
+            }
+        }
+    }
+
+    private void assertAuthorizationGroupDoesNotExist(Context context, String adminGroup)
+    {
+        if (service.getAuthorizationGroups(context.getSessionToken(), Arrays.asList(new AuthorizationGroupPermId(adminGroup)),
+                new AuthorizationGroupFetchOptions()).isEmpty() == false)
+        {
+            throw new IllegalStateException("Authorization group " + adminGroup + " already exists.");
+        }
+    }
+
+    private void assertNoCommonSpaceExists(Context context, String groupCode)
+    {
+        Set<String> commonSpaces = new TreeSet<>();
+        for (List<String> set : commonSpacesByRole.values())
+        {
+            commonSpaces.addAll(set.stream().map(s -> createCommonSpaceCode(groupCode, s)).collect(Collectors.toList()));
+        }
+        Map<ISpaceId, Space> spaces = getSpaces(context.getSessionToken(), commonSpaces);
+        if (spaces.isEmpty())
+        {
+            return;
+        }
+        List<String> existingSpaces = new ArrayList<>(spaces.values()).stream().map(Space::getCode).collect(Collectors.toList());
+        Collections.sort(existingSpaces);
+        throw new IllegalStateException("The group '" + groupCode + "' has already the following spaces: " + existingSpaces);
+    }
+
+    private void manageKnownGroup(Context context, AuthorizationGroup knownGroup)
+    {
+        // TODO Auto-generated method stub
+
+    }
+
+    private void manageUser(String sessionToken, UserInfo userInfo, Map<IPersonId, Person> knownUsers,
+            Map<IAuthorizationGroupId, AuthorizationGroup> knownAuthorizationGroups)
+    {
+        Context context = new Context(sessionToken);
+        Person knownUser = knownUsers.get(new PersonPermId(userInfo.getPrincipal().getUserId()));
+        if (knownUser != null)
+        {
+            manageKnownUser(context, userInfo, knownUser, knownAuthorizationGroups);
+        } else
+        {
+            manageNewUser(context, userInfo, knownAuthorizationGroups);
+        }
+        context.executeOperations();
+    }
+
+    private void manageKnownUser(Context context, UserInfo userInfo, Person knownUser,
             Map<IAuthorizationGroupId, AuthorizationGroup> knownAuthorizationGroups)
     {
-        
+        System.out.println("UserManager.manageKnownUser() " + userInfo);
+    }
+
+    private void manageNewUser(Context context, UserInfo userInfo,
+            Map<IAuthorizationGroupId, AuthorizationGroup> knownAuthorizationGroups)
+    {
+        Principal principal = userInfo.getPrincipal();
+        String userId = principal.getUserId();
+        String spaceCode = userId.toUpperCase();
+        if (getSpaces(context.getSessionToken(), Arrays.asList(spaceCode)).isEmpty() == false)
+        {
+            throw new IllegalStateException("There is already a space with code " + spaceCode + ".");
+        }
+
+        ISpaceId homeSpaceId = createSpace(context, spaceCode);
+        IPersonId personId = createPerson(context, userId);
+        assignHomeSpace(context, homeSpaceId, personId);
+
+        for (GroupInfo groupInfo : userInfo.getGroupInfosByGroupKey().values())
+        {
+            String groupCode = groupInfo.getKey();
+            addPersonToAuthorizationGroup(context, new AuthorizationGroupPermId(groupCode), personId);
+            AuthorizationGroupPermId adminGroupId = new AuthorizationGroupPermId(createAdminGroupCode(groupCode));
+            createRoleAssignment(context, adminGroupId, Role.ADMIN, homeSpaceId);
+            if (groupInfo.isAdmin())
+            {
+                addPersonToAuthorizationGroup(context, adminGroupId, personId);
+            }
+        }
+    }
+
+    private void assignHomeSpace(Context context, ISpaceId homeSpaceId, IPersonId personId)
+    {
+        PersonUpdate personUpdate = new PersonUpdate();
+        personUpdate.setUserId(personId);
+        personUpdate.setSpaceId(homeSpaceId);
+        context.add(personUpdate);
+        RoleAssignmentCreation roleCreation = new RoleAssignmentCreation();
+        roleCreation.setUserId(personId);
+        roleCreation.setRole(Role.ADMIN);
+        roleCreation.setSpaceId(homeSpaceId);
+        context.add(roleCreation);
+    }
+
+    private void addPersonToAuthorizationGroup(Context context, AuthorizationGroupPermId groupId, IPersonId personId)
+    {
+        AuthorizationGroupUpdate groupUpdate = new AuthorizationGroupUpdate();
+        groupUpdate.setAuthorizationGroupId(groupId);
+        groupUpdate.getUserIds().add(personId);
+        context.add(groupUpdate);
+    }
+
+    private ISpaceId createSpace(Context context, String spaceCode)
+    {
+        SpaceCreation spaceCreation = new SpaceCreation();
+        spaceCreation.setCode(spaceCode);
+        context.add(spaceCreation);
+        return new SpacePermId(spaceCode);
+    }
+
+    private IPersonId createPerson(Context context, String userId)
+    {
+        PersonCreation personCreation = new PersonCreation();
+        personCreation.setUserId(userId);
+        context.add(personCreation);
+        return new PersonPermId(userId);
+    }
+
+    private void createAuthorizationGroup(Context context, String groupCode)
+    {
+        AuthorizationGroupCreation creation = new AuthorizationGroupCreation();
+        creation.setCode(groupCode);
+        context.add(creation);
+    }
+
+    private void createRoleAssignment(Context context, AuthorizationGroupPermId groupId, Role role, ISpaceId spaceId)
+    {
+        RoleAssignmentCreation roleCreation = new RoleAssignmentCreation();
+        roleCreation.setAuthorizationGroupId(groupId);
+        roleCreation.setRole(role);
+        roleCreation.setSpaceId(spaceId);
+        context.add(roleCreation);
+    }
+
+    private String createCommonSpaceCode(String groupCode, String spaceCode)
+    {
+        return groupCode + "_" + spaceCode;
+    }
+
+    private String createAdminGroupCode(String groupCode)
+    {
+        return groupCode + "_ADMIN";
+    }
+
+    private Map<ISpaceId, Space> getSpaces(String sessionToken, Collection<String> spaceCodes)
+    {
+        SpaceFetchOptions fetchOptions = new SpaceFetchOptions();
+        return service.getSpaces(sessionToken, spaceCodes.stream().map(SpacePermId::new).collect(Collectors.toList()), fetchOptions);
     }
 
     private Map<IPersonId, Person> getUsersWithRoleAssigments(String sessionToken)
@@ -113,7 +341,7 @@ class UserManager
         fetchOptions.withUsers();
         return service.getAuthorizationGroups(sessionToken, groupPermIds, fetchOptions);
     }
-    
+
     private Set<String> asSet(List<String> users)
     {
         return users == null ? Collections.emptySet() : new TreeSet<>(users);
@@ -140,6 +368,11 @@ class UserManager
             groupInfosByGroupKey.put(groupInfo.getKey(), groupInfo);
         }
 
+        public Map<String, GroupInfo> getGroupInfosByGroupKey()
+        {
+            return groupInfosByGroupKey;
+        }
+
         @Override
         public String toString()
         {
@@ -153,13 +386,10 @@ class UserManager
 
         private boolean admin;
 
-        private boolean onBlackList;
-
-        GroupInfo(String key, boolean admin, boolean onBlackList)
+        GroupInfo(String key, boolean admin)
         {
             this.key = key;
             this.admin = admin;
-            this.onBlackList = onBlackList;
         }
 
         public String getKey()
@@ -172,17 +402,103 @@ class UserManager
             return admin;
         }
 
-        public boolean isOnBlackList()
-        {
-            return onBlackList;
-        }
-
         @Override
         public String toString()
         {
-            return (onBlackList ? "." : "") + key + (admin ? "*" : "");
+            return key + (admin ? "*" : "");
         }
 
     }
 
+    private final class Context
+    {
+        private String sessionToken;
+
+        private List<PersonCreation> personCreations = new ArrayList<>();
+
+        private List<PersonUpdate> personUpdates = new ArrayList<>();
+
+        private List<SpaceCreation> spaceCreations = new ArrayList<>();
+
+        private List<AuthorizationGroupCreation> groupCreations = new ArrayList<>();
+
+        private List<AuthorizationGroupUpdate> groupUpdates = new ArrayList<>();
+
+        private List<RoleAssignmentCreation> roleCreations = new ArrayList<>();
+
+        Context(String sessionToken)
+        {
+            this.sessionToken = sessionToken;
+        }
+
+        public String getSessionToken()
+        {
+            return sessionToken;
+        }
+
+        public void add(PersonCreation personCreation)
+        {
+            personCreations.add(personCreation);
+        }
+
+        public void add(PersonUpdate personUpdate)
+        {
+            personUpdates.add(personUpdate);
+        }
+
+        public void add(SpaceCreation spaceCreation)
+        {
+            spaceCreations.add(spaceCreation);
+        }
+
+        public void add(AuthorizationGroupCreation creation)
+        {
+            groupCreations.add(creation);
+        }
+
+        public void add(RoleAssignmentCreation roleCreation)
+        {
+            roleCreations.add(roleCreation);
+        }
+
+        public void add(AuthorizationGroupUpdate groupUpdate)
+        {
+            groupUpdates.add(groupUpdate);
+        }
+
+        public void executeOperations()
+        {
+            List<IOperation> operations = new ArrayList<>();
+            if (personCreations.isEmpty() == false)
+            {
+                operations.add(new CreatePersonsOperation(personCreations));
+            }
+            if (personUpdates.isEmpty() == false)
+            {
+                operations.add(new UpdatePersonsOperation(personUpdates));
+            }
+            if (spaceCreations.isEmpty() == false)
+            {
+                operations.add(new CreateSpacesOperation(spaceCreations));
+            }
+            if (groupCreations.isEmpty() == false)
+            {
+                operations.add(new CreateAuthorizationGroupsOperation(groupCreations));
+            }
+            if (groupUpdates.isEmpty() == false)
+            {
+                operations.add(new UpdateAuthorizationGroupsOperation(groupUpdates));
+            }
+            if (roleCreations.isEmpty() == false)
+            {
+                operations.add(new CreateRoleAssignmentsOperation(roleCreations));
+            }
+            if (operations.isEmpty())
+            {
+                return;
+            }
+            SynchronousOperationExecutionOptions options = new SynchronousOperationExecutionOptions();
+            service.executeOperations(sessionToken, operations, options);
+        }
+    }
 }

openbis/source/java/ch/systemsx/cisd/openbis/generic/server/task/UserManagerConfig.java

+/*
+ * Copyright 2018 ETH Zuerich, SIS
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package ch.systemsx.cisd.openbis.generic.server.task;
+
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.roleassignment.Role;
+
+class UserManagerConfig
+{
+    private Map<Role, List<String>> commonSpaces = new HashMap<>();
+
+    private List<UserGroup> groups;
+
+    public Map<Role, List<String>> getCommonSpaces()
+    {
+        return commonSpaces;
+    }
+
+    public void setCommonSpaces(Map<Role, List<String>> commonSpaces)
+    {
+        this.commonSpaces = commonSpaces;
+    }
+
+    public List<UserGroup> getGroups()
+    {
+        return groups;
+    }
+
+    public void setGroups(List<UserGroup> groups)
+    {
+        this.groups = groups;
+    }
+
+}
\ No newline at end of file

openbis/sourceTest/java/ch/ethz/sis/openbis/systemtest/asapi/v3/AbstractTest.java

@@ -47,7 +47,6 @@ import org.testng.annotations.AfterMethod;
 import org.testng.annotations.BeforeClass;
 import org.testng.annotations.BeforeMethod;
 
-import ch.ethz.sis.openbis.generic.asapi.v3.IApplicationServerApi;
 import ch.ethz.sis.openbis.generic.asapi.v3.dto.attachment.Attachment;
 import ch.ethz.sis.openbis.generic.asapi.v3.dto.attachment.create.AttachmentCreation;
 import ch.ethz.sis.openbis.generic.asapi.v3.dto.common.id.IObjectId;
@@ -97,6 +96,7 @@ import ch.ethz.sis.openbis.generic.asapi.v3.dto.vocabulary.id.VocabularyTermPerm
 import ch.ethz.sis.openbis.generic.asapi.v3.exceptions.NotFetchedException;
 import ch.ethz.sis.openbis.generic.asapi.v3.exceptions.ObjectNotFoundException;
 import ch.ethz.sis.openbis.generic.asapi.v3.exceptions.UnauthorizedObjectAccessException;
+import ch.ethz.sis.openbis.generic.server.asapi.v3.IApplicationServerInternalApi;
 import ch.ethz.sis.openbis.systemtest.asapi.v3.index.IndexOperation;
 import ch.ethz.sis.openbis.systemtest.asapi.v3.index.IndexState;
 import ch.ethz.sis.openbis.systemtest.asapi.v3.index.ReindexingState;
@@ -119,7 +119,6 @@ import ch.systemsx.cisd.openbis.generic.shared.dto.PersonPE;
 import ch.systemsx.cisd.openbis.generic.shared.dto.SamplePE;
 import ch.systemsx.cisd.openbis.systemtest.SystemTestCase;
 import ch.systemsx.cisd.openbis.util.LogRecordingUtils;
-
 import junit.framework.Assert;
 
 /**
@@ -139,7 +138,7 @@ public class AbstractTest extends SystemTestCase
     private BufferedAppender logRecorder;
 
     @Autowired
-    protected IApplicationServerApi v3api;
+    protected IApplicationServerInternalApi v3api;
 
     @Autowired
     protected IGeneralInformationService generalInformationService;

openbis/sourceTest/java/ch/systemsx/cisd/openbis/systemtest/task/UserManagerExpectationsBuilder.java

+/*
+ * Copyright 2018 ETH Zuerich, SIS
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package ch.systemsx.cisd.openbis.systemtest.task;
+
+import static org.testng.Assert.assertEquals;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+import java.util.Map.Entry;
+import java.util.Set;
+import java.util.TreeMap;
+import java.util.TreeSet;
+import java.util.function.Function;
+import java.util.stream.Collectors;
+
+import org.testng.Assert;
+
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.common.id.ObjectPermId;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.common.interfaces.ICodeHolder;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.person.Person;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.person.fetchoptions.PersonFetchOptions;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.person.id.IPersonId;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.person.id.PersonPermId;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.roleassignment.Role;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.space.Space;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.space.fetchoptions.SpaceFetchOptions;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.space.id.ISpaceId;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.space.id.SpacePermId;
+import ch.ethz.sis.openbis.generic.server.asapi.v3.IApplicationServerInternalApi;
+import ch.ethz.sis.openbis.generic.server.asapi.v3.executor.IOperationContext;
+import ch.ethz.sis.openbis.generic.server.asapi.v3.executor.OperationContext;
+import ch.systemsx.cisd.authentication.Principal;
+import ch.systemsx.cisd.openbis.generic.shared.IOpenBisSessionManager;
+import ch.systemsx.cisd.openbis.generic.shared.dto.Session;
+import ch.systemsx.cisd.openbis.generic.shared.dto.SpacePE;
+
+class UserManagerExpectationsBuilder
+{
+    private static final String TEST_USER = "test";
+
+    private static final String PASSWORD = "password";
+
+    private final IApplicationServerInternalApi v3api;
+
+    private final UserManagerTestService testService;
+
+    private final IOpenBisSessionManager sessionManager;
+
+    private final Map<Role, List<String>> commonSpaces;
+
+    private Map<String, List<Principal>> usersByGroup = new TreeMap<>();
+
+    private Map<String, List<Principal>> noUsersByGroup = new TreeMap<>();
+
+    private Map<String, List<Principal>> normalUsersByGroup = new TreeMap<>();
+
+    private Map<String, List<Principal>> adminUsersByGroup = new TreeMap<>();
+
+    UserManagerExpectationsBuilder(IApplicationServerInternalApi v3api, UserManagerTestService testService,
+            IOpenBisSessionManager sessionManager, Map<Role, List<String>> commonSpaces)
+    {
+        this.v3api = v3api;
+        this.testService = testService;
+        this.sessionManager = sessionManager;
+        this.commonSpaces = commonSpaces;
+    }
+
+    UserManagerExpectationsBuilder noUser(Principal user, String... groups)
+    {
+        return addUser(user, noUsersByGroup, groups);
+    }
+
+    UserManagerExpectationsBuilder user(Principal user, String... groups)
+    {
+        return addUser(user, normalUsersByGroup, groups);
+    }
+
+    UserManagerExpectationsBuilder adminUser(Principal user, String... groups)
+    {
+        return addUser(user, adminUsersByGroup, groups);
+    }
+
+    private UserManagerExpectationsBuilder addUser(Principal user, Map<String, List<Principal>> users, String... groups)
+    {
+        for (String group : groups)
+        {
+            addUserToGroup(user, group, users);
+            addUserToGroup(user, group, usersByGroup);
+        }
+        return this;
+    }
+
+    private void addUserToGroup(Principal user, String group, Map<String, List<Principal>> users)
+    {
+        List<Principal> principals = users.get(group);
+        if (principals == null)
+        {
+            principals = new ArrayList<>();
+            users.put(group, principals);
+        }
+        principals.add(user);
+    }
+
+    void assertExpectations()
+    {
+        String sessionToken = v3api.login(TEST_USER, PASSWORD);
+        assertSpaces(sessionToken);
+        assertUsers(sessionToken);
+        assertAuthorization(sessionToken);
+        v3api.logout(sessionToken);
+    }
+
+    private void assertSpaces(String sessionToken)
+    {
+        List<SpacePermId> allCommonSpaces = getAllCommonSpaces();
+        assertSpacesExist(sessionToken, allCommonSpaces);
+        List<SpacePermId> allUserSpaces = applyMapperToAllUsers(user -> new SpacePermId(user.getUserId().toUpperCase()));
+        assertSpacesExist(sessionToken, allUserSpaces);
+    }
+
+    private List<SpacePermId> getAllCommonSpaces()
+    {
+        List<SpacePermId> allCommonSpaces = new ArrayList<>();
+        Set<String> groups = usersByGroup.keySet();
+        for (String group : groups)
+        {
+            for (List<String> list : commonSpaces.values())
+            {
+                for (String commonSpace : list)
+                {
+                    allCommonSpaces.add(new SpacePermId(group + "_" + commonSpace));
+                }
+            }
+        }
+        return allCommonSpaces;
+    }
+
+    private void assertSpacesExist(String sessionToken, List<SpacePermId> spaces)
+    {
+        List<String> expectedSpaces = extractedSortedPermIds(spaces);
+        SpaceFetchOptions fetchOptions = new SpaceFetchOptions();
+        List<String> actualSpaces = extractedSortedCodes(v3api.getSpaces(sessionToken, spaces, fetchOptions).values());
+        assertEquals(actualSpaces.toString(), expectedSpaces.toString());
+    }
+
+    private void assertUsers(String sessionToken)
+    {
+        List<PersonPermId> allUsers = applyMapperToAllUsers(user -> new PersonPermId(user.getUserId()));
+        PersonFetchOptions fetchOptions = new PersonFetchOptions();
+        fetchOptions.withSpace();
+        Map<IPersonId, Person> persons = v3api.getPersons(sessionToken, allUsers, fetchOptions);
+        Function<IPersonId, PersonPermId> mapper = id -> (PersonPermId) id;
+        List<String> expectedUsers = extractedSortedPermIds(allUsers);
+        List<String> actualUsers = extractedSortedPermIds(persons.keySet().stream().map(mapper).collect(Collectors.toSet()));
+        assertEquals(actualUsers.toString(), expectedUsers.toString());
+        for (PersonPermId id : allUsers)
+        {
+            Person person = persons.get(id);
+            assertEquals(person.getUserId(), id.getPermId());
+            assertEquals(person.getEmail(), "franz-josef.elmer@systemsx.ch", "Wrong email of " + person);
+            assertEquals(person.getSpace().getCode(), person.getUserId().toUpperCase(), "Wrong home space of " + person);
+        }
+    }
+
+    private void assertAuthorization(String sessionToken)
+    {
+        AuthorizationExpectations expectations = new AuthorizationExpectations(v3api, sessionManager, testService);
+        for (Entry<String, List<Principal>> entry : normalUsersByGroup.entrySet())
+        {
+            String groupKey = entry.getKey();
+            List<Principal> users = entry.getValue();
+            users.forEach(user -> expectations.expect(user, groupKey, Level.SPACE_USER));
+        }
+    }
+
+    private static final class AuthorizationExpectations
+    {
+        private Map<String, Map<Level, Set<String>>> groupsByLevelsByUsers = new TreeMap<>();
+
+        private IApplicationServerInternalApi v3api;
+
+        private IOpenBisSessionManager sessionManager;
+
+        private UserManagerTestService testService;
+
+        public AuthorizationExpectations(IApplicationServerInternalApi v3api, IOpenBisSessionManager sessionManager,
+                UserManagerTestService testService)
+        {
+            this.v3api = v3api;
+            this.sessionManager = sessionManager;
+            this.testService = testService;
+        }
+
+        void expect(Principal user, String group, Level level)
+        {
+            String userId = user.getUserId();
+            Map<Level, Set<String>> groupsByLevels = groupsByLevelsByUsers.get(userId);
+            if (groupsByLevels == null)
+            {
+                groupsByLevels = new TreeMap<>();
+                groupsByLevelsByUsers.put(userId, groupsByLevels);
+            }
+            Set<String> groups = groupsByLevels.get(level);
+            if (groups == null)
+            {
+                groups = new TreeSet<>();
+                groupsByLevels.put(level, groups);
+            }
+            groups.add(group);
+        }
+
+        void assertExpectations()
+        {
+
+            for (Entry<String, Map<Level, Set<String>>> entry : groupsByLevelsByUsers.entrySet())
+            {
+                String userId = entry.getKey();
+                String sessionToken = v3api.login(userId, PASSWORD);
+
+                try
+                {
+                    Session session = sessionManager.getSession(sessionToken);
+                    IOperationContext context = new OperationContext(session);
+                    Set<Entry<Level, Set<String>>> entrySet = entry.getValue().entrySet();
+                    for (Entry<Level, Set<String>> entry2 : entrySet)
+                    {
+                        Level level = entry2.getKey();
+                        Set<String> groups = entry2.getValue();
+                        for (String group : groups)
+                        {
+//                            getActualLevel(context, spaceCode);
+                        }
+//                        probeAuthorizationLevel(user, spaceCodes);
+                    }
+                } finally
+                {
+                    v3api.logout(sessionToken);
+                }
+
+            }
+        }
+        
+        private Level getActualLevel(IOperationContext context, String spaceCode)
+        {
+            SpacePE space = new SpacePE();
+            space.setCode(spaceCode);
+            Level previousLevel = null;
+            for (Level level : Level.values())
+            {
+                try
+                {
+                    level.probe(testService, context, space);
+                } catch (Exception e)
+                {
+                    break;
+                }
+                previousLevel = level;
+            }
+            return previousLevel;
+        }
+        
+        private static final class LevelAndSpace
+        {
+            private Level level;
+            private String spaceCode;
+
+            LevelAndSpace(Level level, String spaceCode)
+            {
+                this.level = level;
+                this.spaceCode = spaceCode;
+            }
+        }
+
+    }
+
+    private List<String> extractedSortedPermIds(Collection<? extends ObjectPermId> ids)
+    {
+        List<String> result = ids.stream().map(ObjectPermId::getPermId).collect(Collectors.toList());
+        Collections.sort(result);
+        return result;
+    }
+
+    private List<String> extractedSortedCodes(Collection<? extends ICodeHolder> codeHolders)
+    {
+        List<String> result = codeHolders.stream().map(ICodeHolder::getCode).collect(Collectors.toList());
+        Collections.sort(result);
+        return result;
+    }
+
+    private <T> List<T> applyMapperToAllUsers(Function<Principal, T> mapper)
+    {
+        List<T> result = new ArrayList<>();
+        for (List<Principal> users : usersByGroup.values())
+        {
+            result.addAll(users.stream().map(mapper).collect(Collectors.toList()));
+        }
+        return result;
+    }
+
+    private List<Level> probeAuthorizationLevel(String userId, List<String> spaceCodes)
+    {
+        String sessionToken = v3api.login(userId, PASSWORD);
+        try
+        {
+            List<Level> levels = new ArrayList<>();
+            Session session = sessionManager.getSession(sessionToken);
+            IOperationContext context = new OperationContext(session);
+            for (String spaceCode : spaceCodes)
+            {
+                Level previousLevel = getActualLevel(context, spaceCode);
+                levels.add(previousLevel);
+            }
+            return levels;
+        } finally
+        {
+            v3api.logout(sessionToken);
+        }
+    }
+
+    private Level getActualLevel(IOperationContext context, String spaceCode)
+    {
+        SpacePE space = new SpacePE();
+        space.setCode(spaceCode);
+        Level previousLevel = null;
+        for (Level level : Level.values())
+        {
+            try
+            {
+                level.probe(testService, context, space);
+            } catch (Exception e)
+            {
+                break;
+            }
+            previousLevel = level;
+        }
+        return previousLevel;
+    }
+
+    private enum Level
+    {
+        NON
+        {
+            @Override
+            public void probe(UserManagerTestService testService, IOperationContext context, SpacePE space)
+            {
+            }
+        },
+        SPACE_OBSERVER
+        {
+            @Override
+            public void probe(UserManagerTestService testService, IOperationContext context, SpacePE space)
+            {
+                testService.allowedForSpaceObservers(context, space);
+            }
+        },
+        SPACE_USER
+        {
+            @Override
+            public void probe(UserManagerTestService testService, IOperationContext context, SpacePE space)
+            {
+                testService.allowedForSpaceUsers(context, space);
+            }
+        },
+        SPACE_ADMIN
+        {
+            @Override
+            public void probe(UserManagerTestService testService, IOperationContext context, SpacePE space)
+            {
+                testService.allowedForSpaceAdmins(context, space);
+            }
+        },
+        INSTANCE_ADMIN
+        {
+            @Override
+            public void probe(UserManagerTestService testService, IOperationContext context, SpacePE space)
+            {
+                testService.allowedForInstanceAdmins(context, space);
+            }
+        };
+
+        public abstract void probe(UserManagerTestService testService, IOperationContext context, SpacePE space);
+    }
+
+}
\ No newline at end of file

openbis/sourceTest/java/ch/systemsx/cisd/openbis/systemtest/task/UserManagerTest.java

+/*
+ * Copyright 2018 ETH Zuerich, SIS
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package ch.systemsx.cisd.openbis.systemtest.task;
+
+import static org.testng.Assert.assertEquals;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Comparator;
+import java.util.EnumMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.TreeMap;
+import java.util.TreeSet;
+import java.util.function.Function;
+import java.util.stream.Collectors;
+
+import javax.annotation.Resource;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.testng.Assert;
+import org.testng.annotations.Test;
+
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.common.search.SearchResult;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.person.Person;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.person.fetchoptions.PersonFetchOptions;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.person.id.PersonPermId;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.roleassignment.Role;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.space.Space;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.space.fetchoptions.SpaceFetchOptions;
+import ch.ethz.sis.openbis.generic.asapi.v3.dto.space.search.SpaceSearchCriteria;
+import ch.ethz.sis.openbis.generic.server.asapi.v3.executor.IOperationContext;
+import ch.ethz.sis.openbis.generic.server.asapi.v3.executor.OperationContext;
+import ch.ethz.sis.openbis.systemtest.asapi.v3.AbstractTest;
+import ch.systemsx.cisd.authentication.Principal;
+import ch.systemsx.cisd.common.logging.MockLogger;
+import ch.systemsx.cisd.common.test.AssertionUtil;
+import ch.systemsx.cisd.openbis.generic.server.ComponentNames;
+import ch.systemsx.cisd.openbis.generic.server.task.UserGroup;
+import ch.systemsx.cisd.openbis.generic.server.task.UserManager;
+import ch.systemsx.cisd.openbis.generic.shared.IOpenBisSessionManager;
+import ch.systemsx.cisd.openbis.generic.shared.dto.Session;
+import ch.systemsx.cisd.openbis.generic.shared.dto.SpacePE;
+
+/**
+ * @author Franz-Josef Elmer
+ */
+public class UserManagerTest extends AbstractTest
+{
+    private static final Principal U1 = new Principal("u1", "Albert", "Einstein", "a.e@abc.de");
+
+    private static final Principal U2 = new Principal("u2", "Isaac", "Newton", "i.n@abc.de");
+
+    private static final Principal U3 = new Principal("u3", "Alan", "Turing", "a.t@abc.de");
+
+    @Autowired
+    private UserManagerTestService testService;
+
+    @Resource(name = ComponentNames.SESSION_MANAGER)
+    private IOpenBisSessionManager sessionManager;
+
+    private static Map<Role, List<String>> commonSpaces()
+    {
+        Map<Role, List<String>> commonSpacesByRole = new EnumMap<>(Role.class);
+        commonSpacesByRole.put(Role.USER, Arrays.asList("ALPHA", "BETA"));
+        commonSpacesByRole.put(Role.OBSERVER, Arrays.asList("GAMMA"));
+        return commonSpacesByRole;
+    }
+
+    @Test
+    public void testAddNewGroupWithNewUsers()
+    {
+        // Given
+        MockLogger logger = new MockLogger();
+        UserManager userManager = new UserManager(v3api, commonSpaces(), logger);
+        Map<String, Principal> principals = principals(U3, U1, U2);
+        UserGroup group = new UserGroup();
+        group.setAdmins(Arrays.asList(U1.getUserId(), "blabla"));
+        userManager.addGroup("G1", group, principals);
+
+        // When
+        String errorMessages = userManager.manageUsers();
+
+        // Then
+        assertEquals(errorMessages, "");
+        List<String> allSpaces = getAllSpaces();
+        System.err.println("all spaces: " + allSpaces);
+        for (Principal user : principals.values())
+        {
+            List<Person> persons = getPersons(user.getUserId());
+            Person person = persons.get(0);
+            assertEquals(person.getUserId(), user.getUserId());
+            assertEquals(person.getEmail(), "franz-josef.elmer@systemsx.ch");
+            String space = getOwnSpace(user);
+            assertEquals(person.getSpace().getCode(), space);
+            if (group.getAdmins() != null && group.getAdmins().contains(user.getUserId()))
+            {
+                assertAdminUserLevels("G1", user, principals.values());
+            } else
+            {
+                assertNormalUserLevels("G1", user);
+            }
+        }
+    }
+
+    @Test
+    public void testAddUsersToAnExistingGroup()
+    {
+        // Given
+        MockLogger logger = new MockLogger();
+        Map<Role, List<String>> commonSpaces = commonSpaces();
+        UserManager userManager = new UserManager(v3api, commonSpaces, logger);
+        UserGroup group = new UserGroup();
+        group.setAdmins(Arrays.asList(U1.getUserId(), "blabla"));
+        userManager.addGroup("G2", group, principals(U1));
+        assertEquals(userManager.manageUsers(), "");
+
+        userManager = new UserManager(v3api, commonSpaces, logger);
+        userManager.addGroup("G2", group, principals(U2, U3));
+
+        // When
+        String errorMessages = userManager.manageUsers();
+
+        // Then
+        assertEquals(errorMessages, "");
+        Collection<Principal> users = principals(U1, U2, U3).values();
+        for (Principal user : users)
+        {
+            List<Person> persons = getPersons(user.getUserId());
+            Person person = persons.get(0);
+            assertEquals(person.getUserId(), user.getUserId());
+            assertEquals(person.getEmail(), "franz-josef.elmer@systemsx.ch");
+            String space = getOwnSpace(user);
+            assertEquals(person.getSpace().getCode(), space);
+            if (group.getAdmins() != null && group.getAdmins().contains(user.getUserId()))
+            {
+                assertAdminUserLevels("G2", user, users);
+            } else
+            {
+                assertNormalUserLevels("G2", user);
+            }
+        }
+        UserManagerExpectationsBuilder builder = createBuilder(commonSpaces);
+        builder.adminUser(U1, "G2");
+        builder.user(U2, "G2");
+        builder.user(U3, "G2");
+        builder.assertExpectations();
+    }
+
+    private UserManagerExpectationsBuilder createBuilder(Map<Role, List<String>> commonSpaces)
+    {
+        return new UserManagerExpectationsBuilder(v3api, testService, sessionManager, commonSpaces);
+    }
+
+    private void assertNormalUserLevels(String groupCode, Principal user)
+    {
+        String userId = user.getUserId();
+        Map<Role, List<String>> commonSpaces = commonSpaces();
+        assertLevel(userId, Level.SPACE_OBSERVER, getCommonSpaces(groupCode, commonSpaces, Role.OBSERVER));
+        assertLevel(userId, Level.SPACE_USER, getCommonSpaces(groupCode, commonSpaces, Role.USER));
+        assertLevel(userId, Level.SPACE_ADMIN, Arrays.asList(userId.toUpperCase()));
+    }
+
+    private void assertAdminUserLevels(String groupCode, Principal adminUser, Collection<Principal> users)
+    {
+        List<String> spaces = users.stream().map(p -> getOwnSpace(p)).collect(Collectors.toList());
+        Map<Role, List<String>> commonSpaces = commonSpaces();
+        spaces.addAll(getCommonSpaces(groupCode, commonSpaces, Role.OBSERVER));
+        spaces.addAll(getCommonSpaces(groupCode, commonSpaces, Role.USER));
+        assertLevel(adminUser.getUserId(), Level.SPACE_ADMIN, spaces);
+    }
+
+    private List<String> getCommonSpaces(String groupCode, Map<Role, List<String>> commonSpaces, Role role)
+    {
+        return commonSpaces.get(role).stream().map(s -> groupCode + "_" + s).collect(Collectors.toList());
+    }
+
+    private void assertLevel(String userId, Level level, List<String> spaceCodes)
+    {
+        List<Level> levels = probeAuthorizationLevel(userId, spaceCodes);
+        for (int i = 0; i < spaceCodes.size(); i++)
+        {
+            assertLevel(levels.get(i), level, userId, spaceCodes.get(i));
+        }
+    }
+
+    private void assertLevel(Level actualLevel, Level expectedLevel, String userId, String spaceCode)
+    {
+        assertEquals(userId + ":" + spaceCode + ":" + actualLevel, userId + ":" + spaceCode + ":" + expectedLevel);
+    }
+
+    private List<String> getAllSpaces()
+    {
+        String sessionToken = v3api.login(TEST_USER, PASSWORD);
+        SearchResult<Space> spaces = v3api.searchSpaces(sessionToken, new SpaceSearchCriteria(), new SpaceFetchOptions());
+        v3api.logout(sessionToken);
+        List<String> spaceCodes = spaces.getObjects().stream().map(Space::getCode).collect(Collectors.toList());
+        Collections.sort(spaceCodes);
+        return spaceCodes;
+    }
+
+    private List<Person> getPersons(String... userIds)
+    {
+        String sessionToken = v3api.login(TEST_USER, PASSWORD);
+        Function<String, PersonPermId> mapper = u -> new PersonPermId(u);
+        List<PersonPermId> permIds = Arrays.asList(userIds).stream().map(mapper).collect(Collectors.toList());
+        PersonFetchOptions fetchOptions = new PersonFetchOptions();
+        fetchOptions.withSpace();
+        Collection<Person> persons = v3api.getPersons(sessionToken, permIds, fetchOptions).values();
+        v3api.logout(sessionToken);
+        List<Person> result = new ArrayList<>(persons);
+        Collections.sort(result, Comparator.comparing(Person::getUserId));
+        return result;
+    }
+
+    private Map<String, Principal> principals(Principal... principals)
+    {
+        Map<String, Principal> map = new TreeMap<>();
+        for (Principal principal : principals)
+        {
+            map.put(principal.getUserId(), principal);
+        }
+        return map;
+    }
+
+    private String getOwnSpace(Principal principal)
+    {
+        return principal.getUserId().toUpperCase();
+    }
+
+    private List<Level> probeAuthorizationLevel(String userId, List<String> spaceCodes)
+    {
+        String sessionToken = v3api.login(userId, PASSWORD);
+        try
+        {
+            List<Level> levels = new ArrayList<>();
+            Session session = sessionManager.getSession(sessionToken);
+            IOperationContext context = new OperationContext(session);
+            for (String spaceCode : spaceCodes)
+            {
+                SpacePE space = new SpacePE();
+                space.setCode(spaceCode);
+                Level previousLevel = null;
+                for (Level level : Level.values())
+                {
+                    try
+                    {
+                        level.probe(testService, context, space);
+                    } catch (Exception e)
+                    {
+                        break;
+                    }
+                    previousLevel = level;
+                }
+                levels.add(previousLevel);
+            }
+            return levels;
+        } finally
+        {
+            v3api.logout(sessionToken);
+        }
+    }
+
+    private enum Level
+    {
+        NON
+        {
+            @Override
+            public void probe(UserManagerTestService testService, IOperationContext context, SpacePE space)
+            {
+            }
+        },
+        SPACE_OBSERVER
+        {
+            @Override
+            public void probe(UserManagerTestService testService, IOperationContext context, SpacePE space)
+            {
+                testService.allowedForSpaceObservers(context, space);
+            }
+        },
+        SPACE_USER
+        {
+            @Override
+            public void probe(UserManagerTestService testService, IOperationContext context, SpacePE space)
+            {
+                testService.allowedForSpaceUsers(context, space);
+            }
+        },
+        SPACE_ADMIN
+        {
+            @Override
+            public void probe(UserManagerTestService testService, IOperationContext context, SpacePE space)
+            {
+                testService.allowedForSpaceAdmins(context, space);
+            }
+        },
+        INSTANCE_ADMIN
+        {
+            @Override
+            public void probe(UserManagerTestService testService, IOperationContext context, SpacePE space)
+            {
+                testService.allowedForInstanceAdmins(context, space);
+            }
+        };
+
+        public abstract void probe(UserManagerTestService testService, IOperationContext context, SpacePE space);
+    }
+
+}

openbis/sourceTest/java/ch/systemsx/cisd/openbis/systemtest/task/UserManagerTestService.java

+/*
+ * Copyright 2018 ETH Zuerich, SIS
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package ch.systemsx.cisd.openbis.systemtest.task;
+
+import org.springframework.stereotype.Component;
+
+import ch.ethz.sis.openbis.generic.server.asapi.v3.executor.IOperationContext;
+import ch.systemsx.cisd.openbis.generic.server.authorization.annotation.AuthorizationGuard;
+import ch.systemsx.cisd.openbis.generic.server.authorization.annotation.RolesAllowed;
+import ch.systemsx.cisd.openbis.generic.server.authorization.predicate.SpacePEPredicate;
+import ch.systemsx.cisd.openbis.generic.shared.basic.dto.RoleWithHierarchy;
+import ch.systemsx.cisd.openbis.generic.shared.dto.SpacePE;
+
+/**
+ * @author Franz-Josef Elmer
+ *
+ */
+@Component
+public class UserManagerTestService
+{
+    @RolesAllowed(RoleWithHierarchy.SPACE_OBSERVER)
+    public void allowedForSpaceObservers(IOperationContext context, @AuthorizationGuard(guardClass = SpacePEPredicate.class)  SpacePE space)
+    {
+    }
+
+    @RolesAllowed(RoleWithHierarchy.SPACE_USER)
+    public void allowedForSpaceUsers(IOperationContext context, @AuthorizationGuard(guardClass = SpacePEPredicate.class)  SpacePE space)
+    {
+    }
+    
+    @RolesAllowed(RoleWithHierarchy.SPACE_ADMIN)
+    public void allowedForSpaceAdmins(IOperationContext context, @AuthorizationGuard(guardClass = SpacePEPredicate.class)  SpacePE space)
+    {
+    }
+    
+    @RolesAllowed(RoleWithHierarchy.INSTANCE_ADMIN)
+    public void allowedForInstanceAdmins(IOperationContext context, @AuthorizationGuard(guardClass = SpacePEPredicate.class)  SpacePE space)
+    {
+    }
+    
+}