From 46383e7104213a89b4102486770ae45976e800fc Mon Sep 17 00:00:00 2001 From: Isman Firmansyah Date: Sat, 23 Dec 2023 02:53:18 +0700 Subject: [PATCH] chore(docker-jans-persistence-loader): sync role-scope-mappings (#7171) * chore(docker-jans-persistence-loader): sync role-scope-mappings Signed-off-by: iromli * fix(docker-jans-persistence-loader): ensure uniqueness of api-admin role permissions Signed-off-by: iromli * refactor: remove code smell Signed-off-by: iromli --------- Signed-off-by: iromli Co-authored-by: Mohammad Abudayyeh <47318409+moabu@users.noreply.github.com> Signed-off-by: Yuriy Movchan --- docker-jans-persistence-loader/Dockerfile | 2 +- .../scripts/upgrade.py | 44 ++----------------- .../scripts/utils.py | 16 ++++--- 3 files changed, 14 insertions(+), 48 deletions(-) diff --git a/docker-jans-persistence-loader/Dockerfile b/docker-jans-persistence-loader/Dockerfile index 886cdb8c325..77c0b1a79b8 100644 --- a/docker-jans-persistence-loader/Dockerfile +++ b/docker-jans-persistence-loader/Dockerfile @@ -26,7 +26,7 @@ RUN python3 -m ensurepip \ # ===================== # janssenproject/jans SHA commit -ENV JANS_SOURCE_VERSION=a2c5d4bd3d09c9f34e79b0d24bc63ece4ca7da43 +ENV JANS_SOURCE_VERSION=fd6ece561314e675a31cf8db2d0ca15f9edd0bd0 ARG JANS_SETUP_DIR=jans-linux-setup/jans_setup ARG JANS_SCRIPT_CATALOG_DIR=docs/script-catalog ARG JANS_CONFIG_API_RESOURCES=jans-config-api/server/src/main/resources diff --git a/docker-jans-persistence-loader/scripts/upgrade.py b/docker-jans-persistence-loader/scripts/upgrade.py index 9c75ccd809a..fa171c14cda 100644 --- a/docker-jans-persistence-loader/scripts/upgrade.py +++ b/docker-jans-persistence-loader/scripts/upgrade.py 
@@ -590,14 +590,7 @@ def update_admin_ui_config(self): if not entry: return - # calculate new permissions for api-admin role_mapping = get_role_scope_mappings() - api_admin_perms = [] - - for api_role in role_mapping["rolePermissionMapping"]: - if api_role["role"] == "api-admin": - api_admin_perms = api_role["permissions"] - break try: conf = json.loads(entry.attrs["jansConfDyn"]) @@ -606,40 +599,9 @@ def update_admin_ui_config(self): should_update = False - # check for rolePermissionMapping - # - # - compare role permissions for api-admin - for i, api_role in enumerate(conf["rolePermissionMapping"]): - if api_role["role"] == "api-admin": - # compare permissions between the ones from persistence (current) and newer permissions - if sorted(api_role["permissions"]) != sorted(api_admin_perms): - conf["rolePermissionMapping"][i]["permissions"] = api_admin_perms - should_update = True - break - - # check for permissions - # - # - add new permission if not exist - # - add defaultPermissionInToken (if not exist) in each permission - - # determine current permission with index/position - current_perms = { - permission["permission"]: {"index": i} - for i, permission in enumerate(conf["permissions"]) - } - - for perm in role_mapping["permissions"]: - if perm["permission"] not in current_perms: - # add missing permission - conf["permissions"].append(perm) - should_update = True - else: - # add missing defaultPermissionInToken - index = current_perms[perm["permission"]]["index"] - if "defaultPermissionInToken" in conf["permissions"][index]: - continue - conf["permissions"][index]["defaultPermissionInToken"] = perm["defaultPermissionInToken"] - should_update = True + if conf != role_mapping: + conf = role_mapping + should_update = True # licenseSpringCredentials must be removed in favor of SCAN license credentials if "licenseSpringCredentials" in conf: 
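Review bot: `conf = role_mapping` replaces the persisted admin-UI config wholesale, so the merge semantics of the removed block (keep what persistence has, add what the template lacks) become overwrite semantics: any role or permission an operator added to or removed from `rolePermissionMapping`/`permissions` in persistence is silently reverted to the shipped template on the next run, and keys in `conf` that the template does not carry are dropped before the `licenseSpringCredentials` check that follows, which presumably never fires once the replacement has happened. Because `!=` on dicts is order-sensitive for the nested lists, a mere reordering of a `permissions` list also triggers a rewrite where the removed `sorted(...)` comparison did not. If the overwrite is intended, make it visible to whoever audits the authorization mapping, e.g. `# the shipped role-scope mapping is authoritative: local edits to rolePermissionMapping/permissions in persistence are discarded` above the `if`, plus a log line at the point of replacement. update_admin_ui_config starts before this hunk.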
diff --git a/docker-jans-persistence-loader/scripts/utils.py b/docker-jans-persistence-loader/scripts/utils.py index 3ae28c64088..d3954ac2d50 100644 --- a/docker-jans-persistence-loader/scripts/utils.py +++ b/docker-jans-persistence-loader/scripts/utils.py @@ -235,12 +235,16 @@ def get_role_scope_mappings(path="/app/templates/jans-auth/role-scope-mappings.j scope_list = get_config_api_scopes() for i, api_role in enumerate(role_mapping["rolePermissionMapping"]): - if api_role["role"] == "api-admin": - # merge scopes without duplication - role_mapping["rolePermissionMapping"][i]["permissions"] = sorted(set( - role_mapping["rolePermissionMapping"][i]["permissions"] + scope_list - )) - break + if api_role["role"] != "api-admin": + continue + + # add special permissions for api-admin + for scope in scope_list: + if scope in role_mapping["rolePermissionMapping"][i]["permissions"]: + continue + role_mapping["rolePermissionMapping"][i]["permissions"].append(scope) + + # finalized role mapping return role_mapping
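Review bot: The in-place `append` loop drops both the de-duplication and the `sorted(...)` that the removed lines applied, so the order of api-admin permissions now follows template order plus whatever order `get_config_api_scopes()` returns, and duplicates already present in the template are kept. That ordering matters more than before: the caller in upgrade.py now compares the whole mapping against persistence with `!=`, so if `get_config_api_scopes()` is not deterministic (it is not visible here) the comparison can differ on every run and rewrite the entry each time. A set for membership also avoids the O(n·m) `in` test on the growing list: `perms = role_mapping["rolePermissionMapping"][i]["permissions"]`, `known = set(perms)`, `perms.extend(s for s in sorted(set(scope_list)) if s not in known)`. With `break` gone every entry whose role is api-admin is updated rather than only the first, which is worth a word in the `# add special permissions for api-admin` comment; get_role_scope_mappings starts before this hunk.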