From 7f1cf4c531fe5b7dd5069bcb4645f35dbc8662f4 Mon Sep 17 00:00:00 2001
From: Dominik Frantisek Bucik <bucik@ics.muni.cz>
Date: Wed, 15 May 2024 15:25:51 +0200
Subject: [PATCH] =?UTF-8?q?feat:=20=F0=9F=8E=B8=20filtering=20of=20assigne?=
=?UTF-8?q?d=20resource=20groups=20in=20entitlements?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Entitlements claim sources now support specifying a resource attribute,
which if set and non-null on Resource object, groups from this resource
will not be considered for producing group-based entitlements.
---
.../server/adapters/PerunAdapterMethods.java | 11 ++-
.../adapters/impl/PerunAdapterImpl.java | 11 ++-
.../adapters/impl/PerunAdapterLdap.java | 84 +++++++++++++++++--
.../server/adapters/impl/PerunAdapterRpc.java | 77 +++++++++++++++--
.../ics/oidc/server/claims/ClaimUtils.java | 10 ++-
.../EntitlementExtendedClaimSource.java | 3 +-
.../claims/sources/EntitlementSource.java | 13 ++-
.../claims/sources/GroupNamesSource.java | 2 +-
...AssignedActiveMemberGroupsClaimSource.java | 2 +-
9 files changed, 182 insertions(+), 31 deletions(-)
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/PerunAdapterMethods.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/PerunAdapterMethods.java
index d823ea008..d2a7cf172 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/PerunAdapterMethods.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/PerunAdapterMethods.java
@@ -156,11 +156,16 @@ public interface PerunAdapterMethods {
/**
* Get groups where user is active (also in VO in which group exists) and are assigned to the resources of facility.
* Fill the uniqueGroupName for groups as well.
- * @param facilityId Id of Facility
- * @param userId Id of User
+ *
+ * @param facilityId Id of Facility
+ * @param userId Id of User
+ * @param resourceGroupEntitlementDisabledAttribute Attribute to check if groups assigned to resource should be
+ * considered. Pass null to ignore the setting.
* @return Set of groups (filled or empty)
*/
- Set<Group> getGroupsWhereUserIsActiveWithUniqueNames(Long facilityId, Long userId);
+ Set<Group> getGroupsWhereUserIsActiveWithUniqueNames(Long facilityId,
+ Long userId,
+ String resourceGroupEntitlementDisabledAttribute);
/**
* Fetch VO attribute values
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterImpl.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterImpl.java
index 33ecd0a2b..36b09cd6d 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterImpl.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterImpl.java
@@ -334,12 +334,17 @@ public class PerunAdapterImpl extends PerunAdapter {
}
@Override
- public Set<Group> getGroupsWhereUserIsActiveWithUniqueNames(Long facilityId, Long userId) {
+ public Set<Group> getGroupsWhereUserIsActiveWithUniqueNames(Long facilityId,
+ Long userId,
+ String resourceGroupEntitlementDisabledAttribute)
+ {
try {
- return this.getAdapterPrimary().getGroupsWhereUserIsActiveWithUniqueNames(facilityId, userId);
+ return this.getAdapterPrimary().getGroupsWhereUserIsActiveWithUniqueNames(
+ facilityId, userId, resourceGroupEntitlementDisabledAttribute);
} catch (UnsupportedOperationException e) {
if (this.isCallFallback()) {
- return this.getAdapterFallback().getGroupsWhereUserIsActiveWithUniqueNames(facilityId, userId);
+ return this.getAdapterFallback().getGroupsWhereUserIsActiveWithUniqueNames(
+ facilityId, userId, resourceGroupEntitlementDisabledAttribute);
} else {
throw e;
}
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterLdap.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterLdap.java
index ba6b673e1..e38c288ac 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterLdap.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterLdap.java
@@ -143,7 +143,7 @@ public class PerunAdapterLdap extends PerunAdapterWithMappingServices implements
@Override
public boolean canUserAccessBasedOnMembership(Facility facility, Long userId) {
- Set<Long> groupsWithAccessIds = getGroupIdsWithAccessToFacility(facility.getId());
+ Set<Long> groupsWithAccessIds = getGroupIdsAssignedToFacility(facility.getId(), null);
if (groupsWithAccessIds == null || groupsWithAccessIds.isEmpty()) {
return false;
}
@@ -212,7 +212,7 @@ public class PerunAdapterLdap extends PerunAdapterWithMappingServices implements
public List<String> getGroupsAssignedToResourcesWithUniqueNames(Facility facility) {
List<String> res = new ArrayList<>();
- Set<Long> groupIds = getGroupIdsWithAccessToFacility(facility.getId());
+ Set<Long> groupIds = getGroupIdsAssignedToFacility(facility.getId(), null);
if (groupIds == null || groupIds.isEmpty()) {
return res;
}
@@ -415,9 +415,13 @@ public class PerunAdapterLdap extends PerunAdapterWithMappingServices implements
}
@Override
- public Set<Group> getGroupsWhereUserIsActiveWithUniqueNames(Long facilityId, Long userId) {
- Set<Long> userGroups = this.getGroupIdsWhereUserIsMember(userId, null);
- Set<Long> facilityGroups = this.getGroupIdsWithAccessToFacility(facilityId);
+ public Set<Group> getGroupsWhereUserIsActiveWithUniqueNames(Long facilityId,
+ Long userId,
+ String resourceGroupEntitlementDisabledAttribute)
+ {
+ Set<Long> userGroups = getGroupIdsWhereUserIsMember(userId, null);
+ Set<Long> facilityGroups = getGroupIdsAssignedToFacility(
+ facilityId, resourceGroupEntitlementDisabledAttribute);
Set<Long> groupIds = userGroups.stream()
.filter(facilityGroups::contains)
.collect(Collectors.toSet());
@@ -659,15 +663,50 @@ public class PerunAdapterLdap extends PerunAdapterWithMappingServices implements
return PERUN_USER_ID + '=' + userId + ',' + OU_PEOPLE;
}
- private Set<Long> getGroupIdsWithAccessToFacility(Long facilityId) {
+ private Set<Long> getGroupIdsAssignedToFacility(Long facilityId, String ignoreGroupsAttribute) {
+ String ldapResourceGroupEntitlementDisabledAttrName = null;
+ if (ignoreGroupsAttribute != null) {
+ AttributeMapping mapping = getMappingForAttrName(PerunEntityType.RESOURCE, ignoreGroupsAttribute);
+ if (mapping == null) {
+ log.warn("No Attribute mapping found for '{}'", ignoreGroupsAttribute);
+ } else {
+ ldapResourceGroupEntitlementDisabledAttrName = mapping.getLdapName();
+ }
+ }
+
+ final String ignoreResourceAttr = ldapResourceGroupEntitlementDisabledAttrName;
+
FilterBuilder filter = and(equal(OBJECT_CLASS, PERUN_RESOURCE), equal(PERUN_FACILITY_ID, String.valueOf(facilityId)));
- String[] attributes = new String[] { ASSIGNED_GROUP_ID };
+ Set<String> attributesToFetch = new HashSet<>();
+ attributesToFetch.add(ASSIGNED_GROUP_ID);
+
+ final String[] mandatoryAttributes = attributesToFetch.toArray(new String[] {});
+ if (StringUtils.hasText(ignoreResourceAttr)) {
+ attributesToFetch.add(ignoreResourceAttr);
+ }
+
+ final String[] attributes = attributesToFetch.toArray(new String[] {});
+
EntryMapper<Set<Long>> mapper = e -> {
Set<Long> ids = new HashSet<>();
- if (checkHasAttributes(e, attributes)) {
+ if (checkHasAttributes(e, mandatoryAttributes)) {
+ boolean ignore = false;
+ if (StringUtils.hasText(ignoreResourceAttr)) {
+ Attribute ignoreAttr = e.get(ignoreResourceAttr);
+ if (ignoreAttr != null && "true".equalsIgnoreCase(ignoreAttr.getString())) {
+ ignore = true;
+ }
+ }
Attribute a = e.get(ASSIGNED_GROUP_ID);
if (a != null) {
- a.iterator().forEachRemaining(id -> ids.add(Long.valueOf(id.getString())));
+ final Set<Long> groupIds = new HashSet<>();
+ a.iterator().forEachRemaining(id -> groupIds.add(Long.valueOf(id.getString())));
+ if (!ignore) {
+ log.debug("Including groups '{}' due to '{}' not set on a resource", groupIds, ignoreGroupsAttribute);
+ ids.addAll(groupIds);
+ } else {
+ log.debug("Ignoring groups '{}' due to '{}' set on a resource", groupIds, ignoreGroupsAttribute);
+ }
}
}
@@ -844,6 +883,33 @@ public class PerunAdapterLdap extends PerunAdapterWithMappingServices implements
return mappings;
}
+ private AttributeMapping getMappingForAttrName(PerunEntityType entity, String attrToFetch) {
+ AttributeMapping mapping;
+ switch (entity) {
+ case USER:
+ mapping = getUserAttributesMappingService().getMappingByIdentifier(attrToFetch);
+ break;
+ case FACILITY:
+ mapping = getFacilityAttributesMappingService().getMappingByIdentifier(attrToFetch);
+ break;
+ case VO:
+ mapping = getVoAttributesMappingService().getMappingByIdentifier(attrToFetch);
+ break;
+ case GROUP:
+ mapping = getGroupAttributesMappingService().getMappingByIdentifier(attrToFetch);
+ break;
+ case RESOURCE:
+ mapping = getResourceAttributesMappingService().getMappingByIdentifier(attrToFetch);
+ break;
+ default:
+ log.error("Unknown ENTITY {}", entity);
+ mapping = null;
+ break;
+ }
+
+ return mapping;
+ }
+
private String[] getAttributesFromMappings(Set<AttributeMapping> mappings) {
return mappings.stream()
.map(AttributeMapping::getLdapName)
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterRpc.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterRpc.java
index 68be610d7..66db96adb 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterRpc.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterRpc.java
@@ -137,7 +137,7 @@ public class PerunAdapterRpc extends PerunAdapterWithMappingServices implements
return true;
}
- List<Group> activeGroups = getGroupsWhereUserIsActive(facility, userId);
+ List<Group> activeGroups = getGroupsWhereUserIsActiveByFacility(facility.getId(), userId);
return !activeGroups.isEmpty();
}
@@ -811,12 +811,15 @@ public class PerunAdapterRpc extends PerunAdapterWithMappingServices implements
}
@Override
- public Set<Group> getGroupsWhereUserIsActiveWithUniqueNames(Long facilityId, Long userId) {
+ public Set<Group> getGroupsWhereUserIsActiveWithUniqueNames(Long facilityId,
+ Long userId,
+ String resourceGroupEntitlementDisabledAttribute)
+ {
if (!this.connectorRpc.isEnabled()) {
return new HashSet<>();
}
- Set<Group> groups = this.getGroupsWhereUserIsActive(facilityId, userId);
+ Set<Group> groups = this.getGroupsWhereUserIsActive(facilityId, userId, resourceGroupEntitlementDisabledAttribute);
Map<Long, String> voIdToShortNameMap = new HashMap<>();
groups.forEach(g -> {
@@ -980,19 +983,71 @@ public class PerunAdapterRpc extends PerunAdapterWithMappingServices implements
return RpcMapper.mapMember(jsonNode);
}
- private Set<Group> getGroupsWhereUserIsActive(Long facilityId, Long userId) {
+ private Set<Group> getGroupsWhereUserIsActive(Long facilityId, Long userId, String ignoreGroupsAttribute) {
+ if (!this.connectorRpc.isEnabled()) {
+ return new HashSet<>();
+ }
+
+ Set<Group> groups = new HashSet<>();
+ if (StringUtils.hasText(ignoreGroupsAttribute)) {
+ Set<Resource> resources = getResourcesAssignedToFacility(facilityId, userId, ignoreGroupsAttribute);
+ for (Resource resource : resources) {
+ groups.addAll(
+ getGroupsWhereUserIsActiveByResource(resource.getId(), userId)
+ );
+ }
+ } else {
+ groups.addAll(getGroupsWhereUserIsActiveByFacility(facilityId, userId));
+ }
+ return groups;
+ }
+
+ private Set<Resource> getResourcesAssignedToFacility(Long facilityId, Long userId, String ignoreAttribute) {
+ if (!this.connectorRpc.isEnabled()) {
+ return new HashSet<>();
+ }
+ Set<Resource> resources = getAllowedResources(facilityId, userId);
+ Set<Resource> result = new HashSet<>();
+ for (Resource resource : resources) {
+ PerunAttributeValue attrValue = getResourceAttributeValue(resource.getId(), ignoreAttribute);
+ if (attrValue == null || attrValue.isNullValue()) {
+ result.add(resource);
+ } else {
+ log.debug(
+ "getResourcesAssignedToFacility - non null attr value for '{}', skipping resource '{}'",
+ ignoreAttribute, resource
+ );
+ }
+ }
+ return result;
+ }
+
+ private Set<Group> getGroupsWhereUserIsActiveByResource(Long resourceId, Long userId) {
if (!this.connectorRpc.isEnabled()) {
return new HashSet<>();
}
Map<String, Object> map = new LinkedHashMap<>();
- map.put("facility", facilityId);
map.put("user", userId);
- JsonNode res = connectorRpc.post(USERS_MANAGER, "getGroupsWhereUserIsActive", map);
+ map.put("resource", resourceId);
+ JsonNode res = connectorRpc.post(USERS_MANAGER, "getGroupsWhereUserIsActive", map);
return new HashSet<>(RpcMapper.mapGroups(res));
}
+ private Set<Resource> getAllowedResources(Long facilityId, Long userId) {
+ if (!this.connectorRpc.isEnabled()) {
+ return new HashSet<>();
+ }
+
+ Map<String, Object> map = new LinkedHashMap<>();
+ map.put("user", userId);
+ map.put("facility", facilityId);
+
+ JsonNode res = connectorRpc.post(USERS_MANAGER, "getAllowedResources", map);
+ return new HashSet<>(RpcMapper.mapResources(res));
+ }
+
private Vo getVoById(Long voId) {
if (!this.connectorRpc.isEnabled()) {
return null;
@@ -1196,13 +1251,13 @@ public class PerunAdapterRpc extends PerunAdapterWithMappingServices implements
return true;
}
- private List<Group> getGroupsWhereUserIsActive(Facility facility, Long userId) {
+ private List<Group> getGroupsWhereUserIsActiveByFacility(Long facilityId, Long userId) {
if (!this.connectorRpc.isEnabled()) {
return new ArrayList<>();
}
Map<String, Object> map = new LinkedHashMap<>();
- map.put("facility", facility.getId());
+ map.put("facility", facilityId);
map.put("user", userId);
JsonNode jsonNode = connectorRpc.post(USERS_MANAGER, "getGroupsWhereUserIsActive", map);
@@ -1223,12 +1278,16 @@ public class PerunAdapterRpc extends PerunAdapterWithMappingServices implements
}
private List<Resource> getAssignedResources(Facility facility) {
+ return getAssignedResources(facility.getId());
+ }
+
+ private List<Resource> getAssignedResources(Long facilityId) {
if (!this.connectorRpc.isEnabled()) {
return new ArrayList<>();
}
Map<String, Object> map = new LinkedHashMap<>();
- map.put("facility", facility.getId());
+ map.put("facility", facilityId);
JsonNode res = connectorRpc.post(FACILITIES_MANAGER, "getAssignedResources", map);
return RpcMapper.mapResources(res);
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/claims/ClaimUtils.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/claims/ClaimUtils.java
index 2c64a15bb..a9d0a06df 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/claims/ClaimUtils.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/claims/ClaimUtils.java
@@ -96,14 +96,18 @@ public class ClaimUtils {
return res;
}
- public static Set<Group> getUserGroupsOnFacility(Facility facility, Long userId,
- PerunAdapter perunAdapter, String claimName)
+ public static Set<Group> getUserGroupsOnFacility(Facility facility,
+ Long userId,
+ PerunAdapter perunAdapter,
+ String resourceGroupEntitlementDisabledAttribute,
+ String claimName)
{
Set<Group> userGroups = new HashSet<>();
if (facility == null) {
log.warn("{} - no facility provided when searching for user groups, will return empty set", claimName);
} else {
- userGroups = perunAdapter.getGroupsWhereUserIsActiveWithUniqueNames(facility.getId(), userId);
+ userGroups = perunAdapter.getGroupsWhereUserIsActiveWithUniqueNames(
+ facility.getId(), userId, resourceGroupEntitlementDisabledAttribute);
}
log.trace("{} - found user groups: '{}'", claimName, userGroups);
return userGroups;
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/claims/sources/EntitlementExtendedClaimSource.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/claims/sources/EntitlementExtendedClaimSource.java
index 3e6810da4..45b12129f 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/claims/sources/EntitlementExtendedClaimSource.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/claims/sources/EntitlementExtendedClaimSource.java
@@ -45,7 +45,8 @@ public class EntitlementExtendedClaimSource extends EntitlementSource {
}
private Set<String> produceEntitlementsExtended(Facility facility, Long userId, PerunAdapter perunAdapter) {
- Set<Group> userGroups = ClaimUtils.getUserGroupsOnFacility(facility, userId, perunAdapter, getClaimName());
+ Set<Group> userGroups = ClaimUtils.getUserGroupsOnFacility(
+ facility, userId, perunAdapter, getClaimName(), getGroupEntitlementDisabledAttr());
Map<Long, String> groupIdToNameMap = super.getGroupIdToNameMap(userGroups, false);
Set<String> entitlements = new TreeSet<>();
this.fillUuidEntitlements(userGroups, entitlements);
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/claims/sources/EntitlementSource.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/claims/sources/EntitlementSource.java
index bc7868dec..25582f0a5 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/claims/sources/EntitlementSource.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/claims/sources/EntitlementSource.java
@@ -9,6 +9,7 @@ import cz.muni.ics.oidc.server.adapters.PerunAdapter;
import cz.muni.ics.oidc.server.claims.ClaimSourceInitContext;
import cz.muni.ics.oidc.server.claims.ClaimSourceProduceContext;
import cz.muni.ics.oidc.server.claims.ClaimUtils;
+import lombok.Getter;
import lombok.extern.slf4j.Slf4j;
import org.springframework.util.StringUtils;
@@ -30,6 +31,10 @@ import java.util.TreeSet;
* </li>
* <li><b>custom.claim.[claimName].source.resourceCapabilities</b> - resource capabilities attribute name for resources</li>
* <li><b>custom.claim.[claimName].source.facilityCapabilities</b> - resource capabilities attribute name for facility</li>
+ * <li>
+ * <b>custom.claim.[claimName].source.groupEntitlementDisabledAttribute</b> - resource attribute which triggers
+ * if resource assigned groups should not be used for generating group entitlements.
+ * When not specified, all groups will be used</li>
* <li><b>custom.claim.[claimName].source.prefix</b> - string to be prepended to the value,</li>
* <li>
* <b>custom.claim.[claimName].source.authority</b> - string to be appended to the value, represents authority
@@ -48,12 +53,17 @@ public class EntitlementSource extends GroupNamesSource {
protected static final String FORWARDED_ENTITLEMENTS = "forwardedEntitlements";
protected static final String RESOURCE_CAPABILITIES = "resourceCapabilities";
protected static final String FACILITY_CAPABILITIES = "facilityCapabilities";
+
+ protected static final String GROUP_ENTITLEMENT_DISABLED_ATTR = "groupEntitlementDisabledAttribute";
protected static final String PREFIX = "prefix";
protected static final String AUTHORITY = "authority";
private final String forwardedEntitlements;
private final String resourceCapabilities;
+
private final String facilityCapabilities;
+ @Getter
+ private final String groupEntitlementDisabledAttr;
private final String prefix;
private final String authority;
@@ -63,6 +73,7 @@ public class EntitlementSource extends GroupNamesSource {
this.forwardedEntitlements = ClaimUtils.fillStringPropertyOrDefaultVal(FORWARDED_ENTITLEMENTS, ctx, null);
this.resourceCapabilities = ClaimUtils.fillStringPropertyOrDefaultVal(RESOURCE_CAPABILITIES, ctx, null);
this.facilityCapabilities = ClaimUtils.fillStringPropertyOrDefaultVal(FACILITY_CAPABILITIES, ctx, null);
+ this.groupEntitlementDisabledAttr = ClaimUtils.fillStringPropertyOrDefaultVal(GROUP_ENTITLEMENT_DISABLED_ATTR, ctx, null);
this.prefix = ClaimUtils.fillStringMandatoryProperty(PREFIX, ctx, getClaimName());
this.authority = ClaimUtils.fillStringMandatoryProperty(AUTHORITY, ctx, getClaimName());
@@ -86,7 +97,7 @@ public class EntitlementSource extends GroupNamesSource {
PerunAdapter perunAdapter = pctx.getPerunAdapter();
Long userId = pctx.getPerunUserId();
Facility facility = pctx.getFacility();
- Set<Group> userGroups = ClaimUtils.getUserGroupsOnFacility(facility, userId, perunAdapter, getClaimName());
+ Set<Group> userGroups = ClaimUtils.getUserGroupsOnFacility(facility, userId, perunAdapter, groupEntitlementDisabledAttr, getClaimName());
Set<String> entitlements = produceEntitlements(facility, userGroups, userId, perunAdapter);
JsonNode result = ClaimUtils.convertResultStringsToJsonArray(entitlements);
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/claims/sources/GroupNamesSource.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/claims/sources/GroupNamesSource.java
index cfdaba451..fa5db66a4 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/claims/sources/GroupNamesSource.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/claims/sources/GroupNamesSource.java
@@ -49,7 +49,7 @@ public class GroupNamesSource extends ClaimSource {
log.trace("{} - produce group names with trimming 'members' part of the group names", getClaimName());
Facility facility = pctx.getFacility();
Set<Group> userGroups = ClaimUtils.getUserGroupsOnFacility(facility, pctx.getPerunUserId(),
- pctx.getPerunAdapter(), getClaimName());
+ pctx.getPerunAdapter(), getClaimName(), null);
return getGroupIdToNameMap(userGroups, true);
}
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/claims/sources/ResourceAssignedActiveMemberGroupsClaimSource.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/claims/sources/ResourceAssignedActiveMemberGroupsClaimSource.java
index db95b3a1d..5e384f264 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/claims/sources/ResourceAssignedActiveMemberGroupsClaimSource.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/claims/sources/ResourceAssignedActiveMemberGroupsClaimSource.java
@@ -58,7 +58,7 @@ public class ResourceAssignedActiveMemberGroupsClaimSource extends ClaimSource {
Long userId = pctx.getPerunUserId();
Facility facility = pctx.getFacility();
PerunAdapter perunAdapter = pctx.getPerunAdapter();
- Set<Group> userGroups = ClaimUtils.getUserGroupsOnFacility(facility, userId, perunAdapter, getClaimName());
+ Set<Group> userGroups = ClaimUtils.getUserGroupsOnFacility(facility, userId, perunAdapter, getClaimName(), null);
return getValuesFromAttribute(userGroups, perunAdapter);
}
--
GitLab