Merge pull request #224 from Sambruk/feature/223

New functionality for blacklisting users.

Author: joesiltberg

CHANGELOG.md

@@ -1,5 +1,9 @@
 ## Releases
 
+## Unreleased
+#### Features
+  - New functionality for blacklisting users (#223)
+
 ## v2.18 (2024-11-19)
 #### Features
   - Configurable thresholds to prevent accidental large changes (#196)

src/load_limiter.cpp

@@ -1,7 +1,7 @@
 /**
  *  This file is part of the EGIL SCIM client.
  *
- *  Copyright (C) 2017-2019 Föreningen Sambruk
+ *  Copyright (C) 2017-2024 Föreningen Sambruk
  *
  *  This program is free software: you can redistribute it and/or modify
  *  it under the terms of the GNU Affero General Public License as
@@ -25,6 +25,31 @@
 
 namespace pt = boost::property_tree;
 
+namespace {
+    std::shared_ptr<load_limiter> user_blacklist;
+}
+
+void set_user_blacklist(const std::string &filename,
+                        const std::string &attribute) {
+    user_blacklist = std::make_shared<not_limiter>(std::make_shared<list_limiter>(filename, attribute));
+}
+
+/** If there is a user blacklist set, this function will return a new limiter based on the
+ *  passed in limiter. The returned limiter will work like the passed in limiter except that
+ *  it will exclude users from the blacklist.
+ * 
+ *  If no user blacklist is set the limiter will be returned as it is.
+ * 
+*/
+std::shared_ptr<load_limiter> combine_with_user_blacklist(std::shared_ptr<load_limiter> limiter) {
+    if (user_blacklist == nullptr) {
+        return limiter;
+    }
+    else {
+        return std::make_shared<and_limiter>(std::vector<std::shared_ptr<load_limiter>>{limiter, user_blacklist});
+    }
+}
+
 std::shared_ptr<load_limiter> create_limiter_from_json(const pt::ptree& root);
 
 std::vector<std::shared_ptr<load_limiter>> create_limiters_from_json_array(const pt::ptree& root) {
@@ -62,6 +87,13 @@ std::shared_ptr<load_limiter> create_limiter_from_json(const pt::ptree& root) {
     }
 }
 
+/** Returns the limiter for a specific type, or for the SCIM endpoint
+ *  if there's no type specific limiter (or a null_limiter if there's
+ *  no endpoint limiter).
+ *  Note that if there's a user blacklist, it is not created here, the
+ *  caller of this function is expected to combine the limiter with
+ *  the user blacklist if the type is a user type.
+ */
 std::shared_ptr<load_limiter> create_limiter(const std::string& type) {
     config_file &conf = config_file::instance();
 
@@ -118,7 +150,15 @@ std::shared_ptr<load_limiter> get_limiter(const std::string& type) {
     }
 
     if (limiters.find(type) == limiters.end()) {
-        limiters[type] = create_limiter(type);
+        auto l = create_limiter(type);
+
+        // Figure out if we should add the user blacklist to the limiter
+        auto endpoint_variable = type + "-scim-url-endpoint";
+        if (conf.has(endpoint_variable) && conf.get(endpoint_variable) == "Users") {
+            limiters[type] = combine_with_user_blacklist(l);
+        } else {
+            limiters[type] = l;
+        }
     }
     return limiters[type];
 }

src/load_limiter.hpp

@@ -1,7 +1,7 @@
 /**
  *  This file is part of the EGIL SCIM client.
  *
- *  Copyright (C) 2017-2019 Föreningen Sambruk
+ *  Copyright (C) 2017-2024 Föreningen Sambruk
  *
  *  This program is free software: you can redistribute it and/or modify
  *  it under the terms of the GNU Affero General Public License as
@@ -37,4 +37,18 @@ class load_limiter {
 
 std::shared_ptr<load_limiter> get_limiter(const std::string& type);
 
+/**
+ * Sets a user blacklist. The blacklist works like a list limiter,
+ * so the blacklisted users are listed in a file. If an attribute
+ * is given, the values in the file are matched against that attribute
+ * in the data source, otherwise the values are assumed to be UUIDs.
+ * 
+ * If a blacklist is used, it will be combined with the limiters
+ * returned by get_limiter (if called for a type that has "Users" as
+ * the endpoint), so that the returned limiter excludes users from
+ * the blacklist.
+ */
+void set_user_blacklist(const std::string &filename,
+                        const std::string &attrib);
+
 #endif // EGILSCIM_LOAD_LIMITER_HPP

src/main.cpp

@@ -187,6 +187,12 @@ std::shared_ptr<rendered_object_list> read_cache(const post_processing::plugins&
     return rendered_cache;
 }
 
+// TODO: Add the rest of the options names here
+namespace options {
+    const char* USER_BLACKLIST_FILE = "user-blacklist-file";
+    const char* USER_BLACKLIST_ATTRIBUTE = "user-blacklist-attribute";
+}
+
 int main(int argc, char *argv[]) {
     try {
         po::options_description cmdline_options("All options");
@@ -231,6 +237,10 @@ int main(int argc, char *argv[]) {
             ("force-update", po::value<std::vector<std::string>>(), "update object even if it hasn't changed")
             ("force-create", po::value<std::vector<std::string>>(), "create object even if it's already in the cache");
 
+        generic.add_options()
+            (options::USER_BLACKLIST_FILE, po::value<std::string>(), "a file of users which shall be blocked from loading")
+            (options::USER_BLACKLIST_ATTRIBUTE, po::value<std::string>(), "attribute (in the data source) to match against user blacklist file");
+
         hidden.add_options()
             ("config-file", po::value<std::vector<std::string>>(), "config file");
 
@@ -346,6 +356,16 @@ int main(int argc, char *argv[]) {
             }
         }
 
+        if (vm.count(options::USER_BLACKLIST_FILE)) {
+            auto user_blacklist_file = filesystem::absolute(vm[options::USER_BLACKLIST_FILE].as<std::string>()).u8string();
+            std::string user_blacklist_attribute;
+            if (vm.count(options::USER_BLACKLIST_ATTRIBUTE)) {
+                user_blacklist_attribute = vm[options::USER_BLACKLIST_ATTRIBUTE].as<std::string>();
+            }
+            set_user_blacklist(user_blacklist_file, user_blacklist_attribute);
+        }
+        
+
         /** Get objects from data source */
         data_server &server = data_server::instance();
         bool skip_load = vm.count("skip-load");

src/rendered_cache_file.cpp

@@ -138,7 +138,7 @@ void write_object(ofstream& ofs, std::shared_ptr<rendered_object> object) {
 void write_objects(ofstream& ofs, std::shared_ptr<rendered_object_list> objects) {
     write<uint64_t>(ofs, objects->size());
 
-    for (const auto obj : *objects) {
+    for (const auto& obj : *objects) {
         write_object(ofs, obj.second);
     }
 }

src/utility/simplescim_error_string.cpp

@@ -35,7 +35,7 @@ static char prefix_buffer[1024];
 static int message_present = 0;
 static char message_buffer[1024];
 
-static char error_string_buffer[1024];
+static char error_string_buffer[2051];
 
 static const char *no_error = "No error";
 

test/tests/blacklist/limitalluserstograde6.txt

@@ -0,0 +1,87 @@
+---
+Activities /Activities/7f9f75d8-9c01-5c1d-83df-b0d47cf1e4c9 PUT
+
+{
+    "schemas": ["urn:scim:schemas:extension:sis:school:1.0:Activity"],
+    "externalId": "7f9f75d8-9c01-5c1d-83df-b0d47cf1e4c9",
+    "displayName": "grupp2-Activity",
+    "owner": {
+        "value": "8d371858-3fbd-4af2-ae33-84225ead4a1b",
+        "$ref": "SchoolUnits/8d371858-3fbd-4af2-ae33-84225ead4a1b"  
+    },
+    "groups": [{
+        "value": "645ebd9d-55b5-4e7a-900a-92b9369c8f6a",
+        "$ref": "StudentGroups/645ebd9d-55b5-4e7a-900a-92b9369c8f6a"
+    }],
+    "teachers": [
+        
+    ]
+}
+---
+---
+Activities /Activities/857d1f1d-3e23-5896-9877-406ce84be599 PUT
+
+{
+    "schemas": ["urn:scim:schemas:extension:sis:school:1.0:Activity"],
+    "externalId": "857d1f1d-3e23-5896-9877-406ce84be599",
+    "displayName": "grupp1-Activity",
+    "owner": {
+        "value": "8d371858-3fbd-4af2-ae33-84225ead4a1b",
+        "$ref": "SchoolUnits/8d371858-3fbd-4af2-ae33-84225ead4a1b"  
+    },
+    "groups": [{
+        "value": "39074b36-e0ed-4443-a501-5148992014b9",
+        "$ref": "StudentGroups/39074b36-e0ed-4443-a501-5148992014b9"
+    }],
+    "teachers": [
+        
+    ]
+}
+---
+---
+Activities /Activities/ce4d51e5-f563-5105-8a13-849088f1fc2d PUT
+
+{
+    "schemas": ["urn:scim:schemas:extension:sis:school:1.0:Activity"],
+    "externalId": "ce4d51e5-f563-5105-8a13-849088f1fc2d",
+    "displayName": "DNP-GRGRMAT01_6-Activity",
+    "owner": {
+        "value": "8d371858-3fbd-4af2-ae33-84225ead4a1b",
+        "$ref": "SchoolUnits/8d371858-3fbd-4af2-ae33-84225ead4a1b"  
+    },
+    "groups": [{
+        "value": "def59679-3808-4210-a707-ebce13467206",
+        "$ref": "StudentGroups/def59679-3808-4210-a707-ebce13467206"
+    }],
+    "teachers": [
+        
+    ]
+}
+---
+---
+Activities /Activities/3df5c3cd-1194-574e-b107-6973f5695a66 DELETE
+---
+---
+Activities /Activities/b2880a10-4561-5818-ae8c-27411b6d5a24 DELETE
+---
+---
+StudentGroups /StudentGroups/0d9a892f-3698-4b56-91c2-44fdb61dedf1 DELETE
+---
+---
+StudentGroups /StudentGroups/9e2b1131-aac4-4ba3-adc8-a232a2b553d8 DELETE
+---
+---
+Employments /Employments/163cbddb-9fd0-53df-81e4-e022c5dd5c71 DELETE
+---
+---
+Employments /Employments/3b86c590-551e-5464-84ee-d505effff97e DELETE
+---
+---
+Employments /Employments/db405316-e9d1-50d2-89c5-776f91ac2c98 DELETE
+---
+---
+Users /Users/75c666db-e60e-4687-bdd3-1af191fa6799 DELETE
+---
+---
+Users /Users/88c0f298-8e33-4566-ace7-6e26228a9bc6 DELETE
+---

test/tests/blacklist/limitstudentstograde6.txt

@@ -0,0 +1,39 @@
+---
+StudentGroups /StudentGroups/0d9a892f-3698-4b56-91c2-44fdb61dedf1 PUT
+
+{
+  "schemas": [
+    "urn:scim:schemas:extension:sis:school:1.0:StudentGroup"
+  ],
+  "externalId": "0d9a892f-3698-4b56-91c2-44fdb61dedf1",
+  "displayName": "DNP-SVASVA03_GY",
+  "studentGroupType": "Undervisning",
+  "owner": {
+    "value": "7bbc6be0-5fa1-45d1-ba50-0736582190e2",
+    "$ref": "SchoolUnits/7bbc6be0-5fa1-45d1-ba50-0736582190e2"
+  },
+  "studentMemberships": [
+    
+  ]
+}---
+---
+StudentGroups /StudentGroups/9e2b1131-aac4-4ba3-adc8-a232a2b553d8 PUT
+
+{
+  "schemas": [
+    "urn:scim:schemas:extension:sis:school:1.0:StudentGroup"
+  ],
+  "externalId": "9e2b1131-aac4-4ba3-adc8-a232a2b553d8",
+  "displayName": "grupp3",
+  "studentGroupType": "Undervisning",
+  "owner": {
+    "value": "7bbc6be0-5fa1-45d1-ba50-0736582190e2",
+    "$ref": "SchoolUnits/7bbc6be0-5fa1-45d1-ba50-0736582190e2"
+  },
+  "studentMemberships": [
+    
+  ]
+}---
+---
+Users /Users/39732dea-e4a6-4d8f-96de-925a679c56ff DELETE
+---

test/tests/blacklist/pejo.txt

@@ -0,0 +1 @@
+pejo

test/tests/blacklist/pejo_uuid.txt

@@ -0,0 +1 @@
+2b3a480f-d0b9-4c09-bbac-70f915964b02

test/tests/blacklist/spec.json

@@ -0,0 +1,37 @@
+{
+    "description": "User blacklisting",
+    "config": "configs/base/master.conf",
+    "steps": [
+	{ "scenario": [ "scenarios/base" ],
+	  "requests": "../base/init.txt"
+	},
+	{ "scenario": [],
+	  "commandLine": ["--user-blacklist-file=tests/blacklist/pejo.txt", "--user-blacklist-attribute=uid"],
+	  "requests": "../delete_student/delete.txt"
+	},
+	{ "scenario": [],
+	  "commandLine": ["--user-blacklist-file=tests/blacklist/pejo_uuid.txt"],
+	  "requests": null
+	},
+	{ "scenario": [],
+	  "commandLine": ["--user-blacklist-file=tests/blacklist/pejo_uuid.txt",
+			  "--D", "Student-limit-with=regex",
+			  "--D", "Student-limit-by=departmentNumber",
+			  "--D", "Student-limit-regex=6"],
+	  "requests": "limitstudentstograde6.txt"
+	},
+	{ "scenario": [],
+	  "commandLine": ["--user-blacklist-file=tests/blacklist/pejo_uuid.txt",
+			  "--D", "Users-limit-with=regex",
+			  "--D", "Users-limit-by=departmentNumber",
+			  "--D", "Users-limit-regex=6"],
+	  "requests": "limitalluserstograde6.txt"
+	},
+	{ "scenario": [],
+	  "commandLine": ["--D", "Users-limit-with=regex",
+			  "--D", "Users-limit-by=departmentNumber",
+			  "--D", "Users-limit-regex=6"],
+	  "requests": "unblacklistpejo.txt"
+	}
+    ]
+}