Add allowedGroups to UserConfig in IdZ configuration

[klaus-sap]

#2505 -> Proposal 3.
We want to add an optional attribute "allowedGroups" to the UserConfig in IdZ configuration. If this attribute is not set (i.e., allowedGroups == null), then all groups are allowed as before. If this attribute contains an array of groups, then only the groups from defaultGroups plus allowedGroups are allowed. All other groups can neither be created nor assigned to users.

[cf-gitbot]

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/186503483

The labels on this github issue will be updated when the story is started.

[strehle]

@klaus-sap here you can see the smells from sonar
https://sonarcloud.io/summary/new_code?id=cloudfoundry-identity-parent&pullRequest=2606

[strehle]

Open
a) combine default and allowed groups. So from understanding, if you have default groups defined, then these entries are automatically part of allowedGroups. So this behaviour should be implemented.
b) Check if the limitation should be really done always or only in Identity Zone NOT EQUAL to 'uaa'

[klaus-sap]

Open a) combine default and allowed groups. So from understanding, if you have default groups defined, then these entries are automatically part of allowedGroups. So this behaviour should be implemented. b) Check if the limitation should be really done always or only in Identity Zone NOT EQUAL to 'uaa'

a) commit 6e6ab18
b) I would prefer to handle the IdZ configuration of all zones in the same way. If you don't want allowedGroups in the "uaa" zone, simply don't configure them

test

[strehle]

see here new sonar

https://sonarcloud.io/summary/new_code?id=cloudfoundry-identity-parent&pullRequest=2606

coverage
https://sonarcloud.io/component_measures?id=cloudfoundry-identity-parent&pullRequest=2606&metric=new_coverage&view=list

smells
not all need to be fixed, but please check them
https://sonarcloud.io/project/issues?resolved=false&types=CODE_SMELL&sinceLeakPeriod=true&pullRequest=2606&id=cloudfoundry-identity-parent

[strehle]

@klaus-sap Please add some scenario tests into
https://github.com/cloudfoundry/uaa/blob/develop/uaa/src/test/java/org/cloudfoundry/identity/uaa/integration/ScimGroupEndpointsIntegrationTests.java

you can create an extra zone or stay in default , btw. zone creation https://github.com/cloudfoundry/uaa/blob/develop/uaa/src/test/java/org/cloudfoundry/identity/uaa/integration/util/IntegrationTestUtils.java#L671

Scenario I see
a) Add allowedGroups to zone and perform positive and negative test , means create the group
b) Update or deleted one entry in defaultGroups (because this has influence to allowedGroups) and then do the same create the groups and verify result

[strehle]

sonar ok,

• almost 100 coverage.
• Integration Tests available

https://sonarcloud.io/component_measures?id=cloudfoundry-identity-parent&pullRequest=2606&metric=new_coverage&view=list

@hsinn0 @Tallicia FYI please check who can do a review from VMware side in next week , thanks

[bruce-ricard]

I have one major concern about the validation only happening at group write time, see inline comments.

And a couple sub-major implementation design comments.

The change request has been actually resolved. I am dismissing it as Bruce won't be available for a couple weeks.

[hsinn0]

@bruce-ricard & I agreed that I would take over this PR review from our side as he will be unavailable for a couple of weeks. I am approving this PR.