Zonify groups

Groups should be zone aware. This means that a group (displayName) has a zone ID.
This commit also reverts the zonification of group_membership and external_group_mapping.
The zone can be derived from group ID in both cases

https://www.pivotaltracker.com/story/show/99737730
[#99737730]

common/src/main/java/org/cloudfoundry/identity/uaa/rest/jdbc/AbstractQueryable.java

@@ -110,4 +110,7 @@ protected String getQuerySQL(String filter, SearchQueryConverter.ProcessedFilter
     protected abstract String getBaseSqlQuery();
     protected abstract String getTableName();
 
+    public SearchQueryConverter getQueryConverter() {
+        return queryConverter;
+    }
 }

common/src/main/resources/org/cloudfoundry/identity/uaa/db/hsqldb/V2_5_1__Zonify_Groups.sql

@@ -0,0 +1,43 @@
+--
+-- Cloud Foundry
+-- Copyright (c) [2015] Pivotal Software, Inc. All Rights Reserved.
+--
+-- This product is licensed to you under the Apache License, Version 2.0 (the "License").
+-- You may not use this product except in compliance with the License.
+--
+-- This product includes a number of subcomponents with
+-- separate copyright notices and license terms. Your use of these
+-- subcomponents is subject to the terms and conditions of the
+-- subcomponent's license, as noted in the LICENSE file.
+--
+
+
+-- add zone id to the groups table
+ALTER TABLE groups ADD COLUMN identity_zone_id varchar(36) DEFAULT 'uaa' NOT NULL ;
+ALTER TABLE groups DROP CONSTRAINT unique_uk_2;
+CREATE UNIQUE INDEX groups_unique_key ON groups (displayname,identity_zone_id);
+
+-- remove zone id from the group_membership table - it is derived from group_id
+DROP INDEX group_membership_unique_key;
+ALTER TABLE group_membership DROP COLUMN identity_zone_id;
+CREATE UNIQUE INDEX group_membership_unique_key ON group_membership (member_id,group_id);
+
+-- remove zone id from the external_grou_mapping table - it is derived from group_id
+DROP INDEX external_group_unique_key;
+ALTER TABLE external_group_mapping DROP COLUMN identity_zone_id;
+CREATE UNIQUE INDEX external_group_unique_key ON external_group_mapping (origin,external_group,group_id);
+
+
+-- ALTER TABLE group_membership DROP PRIMARY KEY;
+--
+-- ALTER TABLE external_group_mapping ADD COLUMN identity_zone_id varchar(36);
+-- ALTER TABLE external_group_mapping ADD COLUMN origin varchar(36);
+-- ALTER TABLE external_group_mapping DROP PRIMARY KEY;
+--
+-- UPDATE group_membership SET identity_zone_id = (SELECT identity_zone_id FROM users where users.id = group_membership.member_id);
+-- UPDATE group_membership SET identity_zone_id = (SELECT 'uaa' FROM groups where groups.id = group_membership.member_id);
+--
+-- UPDATE external_group_mapping SET identity_zone_id = 'uaa', origin='ldap';
+--
+-- CREATE UNIQUE INDEX group_membership_unique_key ON group_membership (identity_zone_id,member_id,group_id);
+-- CREATE UNIQUE INDEX external_group_unique_key ON external_group_mapping (identity_zone_id,origin,external_group,group_id);

common/src/main/resources/org/cloudfoundry/identity/uaa/db/mysql/V2_5_1__Zonify_Groups.sql

@@ -0,0 +1,42 @@
+--
+-- Cloud Foundry
+-- Copyright (c) [2015] Pivotal Software, Inc. All Rights Reserved.
+--
+-- This product is licensed to you under the Apache License, Version 2.0 (the "License").
+-- You may not use this product except in compliance with the License.
+--
+-- This product includes a number of subcomponents with
+-- separate copyright notices and license terms. Your use of these
+-- subcomponents is subject to the terms and conditions of the
+-- subcomponent's license, as noted in the LICENSE file.
+--
+
+-- add zone id to the groups table
+ALTER TABLE groups ADD COLUMN identity_zone_id varchar(36) DEFAULT 'uaa' NOT NULL;
+ALTER TABLE groups DROP INDEX unique_uk_2;
+ALTER TABLE groups ADD UNIQUE KEY groups_unique_key(displayname, identity_zone_id);
+
+-- remove zone id from the group_membership table - it is derived from group_id
+ALTER TABLE group_membership DROP INDEX group_membership_unique_key;
+ALTER TABLE group_membership DROP COLUMN identity_zone_id;
+ALTER TABLE group_membership ADD UNIQUE KEY group_membership_unique_key(member_id,group_id);
+
+-- remove zone id from the external_group_mapping table - it is derived from group_id
+ALTER TABLE external_group_mapping DROP INDEX external_group_unique_key;
+ALTER TABLE external_group_mapping DROP COLUMN identity_zone_id;
+ALTER TABLE external_group_mapping ADD UNIQUE KEY external_group_unique_key(origin,external_group,group_id);
+
+
+# ALTER TABLE group_membership DROP PRIMARY KEY;
+#
+# ALTER TABLE external_group_mapping ADD COLUMN identity_zone_id varchar(36);
+# ALTER TABLE external_group_mapping ADD COLUMN origin varchar(36);
+# ALTER TABLE external_group_mapping DROP PRIMARY KEY;
+#
+# UPDATE group_membership SET identity_zone_id = (SELECT identity_zone_id FROM users where users.id = group_membership.member_id);
+# UPDATE group_membership SET identity_zone_id = (SELECT 'uaa' FROM groups where groups.id = group_membership.member_id);
+#
+# UPDATE external_group_mapping SET identity_zone_id = 'uaa', origin='ldap';
+#
+# ALTER TABLE group_membership ADD UNIQUE KEY group_membership_unique_key(identity_zone_id,member_id,group_id);
+# ALTER TABLE external_group_mapping ADD UNIQUE KEY external_group_unique_key(identity_zone_id,origin,external_group,group_id);

common/src/main/resources/org/cloudfoundry/identity/uaa/db/postgresql/V2_5_1__Zonify_Groups.sql

@@ -0,0 +1,39 @@
+--
+-- Cloud Foundry
+-- Copyright (c) [2015] Pivotal Software, Inc. All Rights Reserved.
+--
+-- This product is licensed to you under the Apache License, Version 2.0 (the "License").
+-- You may not use this product except in compliance with the License.
+--
+-- This product includes a number of subcomponents with
+-- separate copyright notices and license terms. Your use of these
+-- subcomponents is subject to the terms and conditions of the
+-- subcomponent's license, as noted in the LICENSE file.
+--
+-- add zone id to the groups table
+ALTER TABLE groups ADD COLUMN identity_zone_id varchar(36) DEFAULT 'uaa' NOT NULL ;
+ALTER TABLE groups DROP CONSTRAINT unique_uk_2;
+CREATE UNIQUE INDEX groups_unique_key ON groups (displayname,identity_zone_id);
+
+-- remove zone id from the group_membership table - it is derived from group_id
+DROP INDEX group_membership_unique_key;
+ALTER TABLE group_membership DROP COLUMN identity_zone_id;
+CREATE UNIQUE INDEX group_membership_unique_key ON group_membership (member_id,group_id);
+
+-- remove zone id from the external_grou_mapping table - it is derived from group_id
+DROP INDEX external_group_unique_key;
+ALTER TABLE external_group_mapping DROP COLUMN identity_zone_id;
+CREATE UNIQUE INDEX external_group_unique_key ON external_group_mapping (origin,external_group,group_id);
+
+--
+-- ALTER TABLE external_group_mapping ADD COLUMN identity_zone_id varchar(36);
+-- ALTER TABLE external_group_mapping ADD COLUMN origin varchar(36);
+-- ALTER TABLE external_group_mapping DROP CONSTRAINT external_group_mapping_pkey;
+--
+-- UPDATE group_membership SET identity_zone_id = (SELECT identity_zone_id FROM users where users.id = group_membership.member_id);
+-- UPDATE group_membership SET identity_zone_id = (SELECT 'uaa' FROM groups where groups.id = group_membership.member_id);
+--
+-- UPDATE external_group_mapping SET identity_zone_id = 'uaa', origin='ldap';
+--
+-- CREATE UNIQUE INDEX group_membership_unique_key ON group_membership (identity_zone_id,member_id,group_id);
+-- CREATE UNIQUE INDEX external_group_unique_key ON external_group_mapping (identity_zone_id,origin,external_group,group_id);

common/src/test/java/org/cloudfoundry/identity/uaa/test/CreateDB.java

@@ -0,0 +1,62 @@
+/*
+ * *****************************************************************************
+ *      Cloud Foundry
+ *      Copyright (c) [2009-2015] Pivotal Software, Inc. All Rights Reserved.
+ *      This product is licensed to you under the Apache License, Version 2.0 (the "License").
+ *      You may not use this product except in compliance with the License.
+ *
+ *      This product includes a number of subcomponents with
+ *      separate copyright notices and license terms. Your use of these
+ *      subcomponents is subject to the terms and conditions of the
+ *      subcomponent's license, as noted in the LICENSE file.
+ * *****************************************************************************
+ */
+
+package org.cloudfoundry.identity.uaa.test;
+
+
+import org.junit.Ignore;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+import org.junit.runners.Parameterized.Parameters;
+import org.springframework.mock.env.MockEnvironment;
+import org.springframework.util.StringUtils;
+
+import java.util.Arrays;
+import java.util.Collection;
+
+@Ignore("This test is here to simply execute the Flyway create DB script for all databases. Used to aid in writing schema scripts")
+@RunWith(Parameterized.class)
+public class CreateDB  extends JdbcTestBase {
+
+    private final String profile;
+
+    public CreateDB(String profile) {
+        this.profile = profile;
+    }
+
+    @Parameters
+    public static Collection<Object[]> profiles() {
+        return Arrays.asList(new Object[][]{
+            {"mysql,default"}, {"postgresql,default"}, {""},
+        });
+    }
+
+    @Override
+    public void setUp() throws Exception {
+        MockEnvironment environment = new MockEnvironment();
+        environment.setActiveProfiles(StringUtils.commaDelimitedListToStringArray(profile));
+        setUp(environment);
+    }
+
+    @Test
+    public void test() {
+        System.out.println("DB Created:"+profile);
+    }
+
+    @Override
+    public void tearDown() throws Exception {
+        //no op - no clean up
+    }
+}

scim/src/main/java/org/cloudfoundry/identity/uaa/authorization/external/LdapGroupMappingAuthorizationManager.java

@@ -43,7 +43,7 @@ public Set<? extends GrantedAuthority> findScopesFromAuthorities(Set<? extends G
         for (GrantedAuthority a : authorities) {
             if (a instanceof LdapAuthority) {
                 LdapAuthority la = (LdapAuthority)a;
-                List<ScimGroupExternalMember> members = extMbrMgr.getExternalGroupMapsByExternalGroup(la.getDn(), Origin.LDAP, IdentityZoneHolder.get().getId());
+                List<ScimGroupExternalMember> members = extMbrMgr.getExternalGroupMapsByExternalGroup(la.getDn(), Origin.LDAP);
                 for (ScimGroupExternalMember member : members) {
                     SimpleGrantedAuthority mapped = new SimpleGrantedAuthority(member.getDisplayName());
                     result.add(mapped);

scim/src/main/java/org/cloudfoundry/identity/uaa/scim/ScimGroup.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- *     Cloud Foundry 
+ *     Cloud Foundry
  *     Copyright (c) [2009-2014] Pivotal Software, Inc. All Rights Reserved.
  *
  *     This product is licensed to you under the Apache License, Version 2.0 (the "License").
@@ -23,6 +23,8 @@
 public class ScimGroup extends ScimCore {
 
     private String displayName;
+    private String zoneId;
+
     private List<ScimGroupMember> members;
 
     public String getDisplayName() {
@@ -33,6 +35,14 @@ public void setDisplayName(String displayName) {
         this.displayName = displayName;
     }
 
+    public String getZoneId() {
+        return zoneId;
+    }
+
+    public void setZoneId(String zoneId) {
+        this.zoneId = zoneId;
+    }
+
     public List<ScimGroupMember> getMembers() {
         return members;
     }
@@ -42,15 +52,17 @@ public void setMembers(List<ScimGroupMember> members) {
     }
 
     public ScimGroup() {
+        this(null);
     }
 
     public ScimGroup(String name) {
-        this.displayName = name;
+        this(null,name,null);
     }
 
-    public ScimGroup(String id, String name) {
+    public ScimGroup(String id, String name, String zoneId) {
         super(id);
         this.displayName = name;
+        this.zoneId = zoneId;
     }
 
     @Override

scim/src/main/java/org/cloudfoundry/identity/uaa/scim/ScimGroupExternalMember.java

@@ -24,8 +24,6 @@ public class ScimGroupExternalMember extends ScimCore {
 
     private String displayName;
 
-    private String zoneId;
-
     private String origin;
 
     public ScimGroupExternalMember() {
@@ -61,14 +59,6 @@ public void setDisplayName(String displayName) {
         this.displayName = displayName;
     }
 
-    public String getZoneId() {
-        return zoneId;
-    }
-
-    public void setZoneId(String zoneId) {
-        this.zoneId = zoneId;
-    }
-
     public String getOrigin() {
         return origin;
     }
@@ -80,35 +70,29 @@ public void setOrigin(String origin) {
     @Override
     public String toString() {
         return String.format(
-            "(Group id: %s, Name: %s, externalGroup: %s, origin: %s, zoneId: %s)",
+            "(Group id: %s, Name: %s, externalGroup: %s, origin: %s)",
             getGroupId(),
             getDisplayName(),
             getExternalGroup(),
-            getOrigin(),
-            getZoneId());
+            getOrigin());
     }
 
     @Override
     public boolean equals(Object o) {
         if (this == o) return true;
         if (o == null || getClass() != o.getClass()) return false;
         if (!super.equals(o)) return false;
-
         ScimGroupExternalMember that = (ScimGroupExternalMember) o;
-
         if (!getGroupId().equals(that.getGroupId())) return false;
         if (!getExternalGroup().equals(that.getExternalGroup())) return false;
-        if (getZoneId() != null ? !getZoneId().equals(that.getZoneId()) : that.getZoneId() != null) return false;
         return !(getOrigin() != null ? !getOrigin().equals(that.getOrigin()) : that.getOrigin() != null);
-
     }
 
     @Override
     public int hashCode() {
         int result = super.hashCode();
         result = 31 * result + getGroupId().hashCode();
         result = 31 * result + getExternalGroup().hashCode();
-        result = 31 * result + (getZoneId() != null ? getZoneId().hashCode() : 0);
         result = 31 * result + (getOrigin() != null ? getOrigin().hashCode() : 0);
         return result;
     }

scim/src/main/java/org/cloudfoundry/identity/uaa/scim/ScimGroupExternalMembershipManager.java

@@ -19,18 +19,18 @@
 
 public interface ScimGroupExternalMembershipManager {
 
-    ScimGroupExternalMember mapExternalGroup(String groupId, String externalGroup, String origin, String zoneId)
+    ScimGroupExternalMember mapExternalGroup(String groupId, String externalGroup, String origin)
         throws ScimResourceNotFoundException, MemberAlreadyExistsException;
 
-    ScimGroupExternalMember unmapExternalGroup(String groupId, String externalGroup, String origin, String zoneId)
+    ScimGroupExternalMember unmapExternalGroup(String groupId, String externalGroup, String origin)
         throws ScimResourceNotFoundException;
 
-    List<ScimGroupExternalMember> getExternalGroupMapsByGroupId(String groupId, String origin, String zoneId)
+    List<ScimGroupExternalMember> getExternalGroupMapsByGroupId(String groupId, String origin)
         throws ScimResourceNotFoundException;
 
-    List<ScimGroupExternalMember> getExternalGroupMapsByExternalGroup(String externalGroup, String origin, String zoneId)
+    List<ScimGroupExternalMember> getExternalGroupMapsByExternalGroup(String externalGroup, String origin)
         throws ScimResourceNotFoundException;
 
-    List<ScimGroupExternalMember> getExternalGroupMapsByGroupName(String groupName, String origin, String zoneId)
+    List<ScimGroupExternalMember> getExternalGroupMapsByGroupName(String groupName, String origin)
         throws ScimResourceNotFoundException;
 }