optionally limit account-context to natural persons (#187)

Co-authored-by: Michael Hoennig <michael@hoennig.de>
Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/187
Reviewed-by: Marc Sandlus <marc.sandlus@hostsharing.net>

src/main/java/net/hostsharing/hsadminng/hs/accounts/HsCredentialsContext.java

@@ -50,6 +50,9 @@ public abstract class HsCredentialsContext implements Stringifyable, BaseEntity<
     @Column(name = "qualifier", length = 80)
     private String qualifier;
 
+    @Column(name = "only_for_natural_persons")
+    private boolean onlyForNaturalPersons;
+
     @Override
     public String toShortString() {
         return toString();

src/main/java/net/hostsharing/hsadminng/hs/accounts/HsCredentialsController.java

@@ -17,6 +17,7 @@ import net.hostsharing.hsadminng.accounts.generated.api.v1.model.CredentialsPatc
 import net.hostsharing.hsadminng.accounts.generated.api.v1.model.CredentialsResource;
 import net.hostsharing.hsadminng.accounts.generated.api.v1.model.HsOfficePersonResource;
 import net.hostsharing.hsadminng.hs.office.person.HsOfficePersonRbacRepository;
+import net.hostsharing.hsadminng.hs.office.person.HsOfficePersonType;
 import net.hostsharing.hsadminng.mapper.StrictMapper;
 import net.hostsharing.hsadminng.persistence.EntityManagerWrapper;
 import net.hostsharing.hsadminng.rbac.subject.RbacSubjectEntity;
@@ -190,12 +191,21 @@ public class HsCredentialsController implements CredentialsApi {
         );
         of(entity.getPerson()).ifPresent(
                 person -> resource.setPerson(
-                        mapper.map(person, HsOfficePersonResource.class)
-                )
+                    mapper.map(person, HsOfficePersonResource.class)
+            )
         );
-        resource.setContexts(mapper.mapList(entity.getLoginContexts().stream().toList(), ContextResource.class));
+
+        resource.setContexts(mapToValidContextResources(entity));
     };
 
+    private List<ContextResource> mapToValidContextResources(final HsCredentialsEntity entity) {
+        var allContexts = mapper.mapList(entity.getLoginContexts().stream().toList(), ContextResource.class);
+        return allContexts.stream()
+            .filter(context -> !context.getOnlyForNaturalPersons() ||
+                          entity.getPerson().getPersonType() == HsOfficePersonType.NATURAL_PERSON)
+        .toList();
+    }
+
     final BiConsumer<CredentialsInsertResource, HsCredentialsEntity> RESOURCE_TO_ENTITY_POSTMAPPER = (resource, entity) -> {
 
         // TODO.impl: we need to make sure that the current subject is OWNER (or ADMIN?) of the person

src/main/resources/api-definition/accounts/context-schemas.yaml

@@ -15,6 +15,8 @@ components:
                 qualifier:
                     type: string
                     maxLength: 80
+                onlyForNaturalPersons:
+                    type: boolean
             required:
                 - uuid
                 - type

src/main/resources/db/changelog/9-hs-global/950-accounts/9510-hs-accounts.sql

@@ -32,11 +32,13 @@ create table hs_accounts.credentials
 
 create table hs_accounts.context
 (
-    uuid            uuid PRIMARY KEY,
-    version         int not null default 0,
+    uuid                        uuid PRIMARY KEY,
+    version                     int not null default 0,
 
-    type            varchar(16),
-    qualifier       varchar(80),
+    type                        varchar(16),
+    qualifier                   varchar(80),
+
+    only_for_natural_persons    boolean default false,
 
     unique (type, qualifier)
 );

src/main/resources/db/changelog/9-hs-global/950-accounts/9519-hs-accounts-test-data.sql

@@ -26,15 +26,17 @@ begin
     personFranUuid = (SELECT uuid FROM hs_office.person WHERE givenName='Fran');
 
     -- Add test contexts
-    INSERT INTO hs_accounts.context (uuid, type, qualifier) VALUES
-        ('11111111-1111-1111-1111-111111111111', 'HSADMIN', 'prod')
+    INSERT INTO hs_accounts.context (uuid, type, qualifier, only_for_natural_persons) VALUES
+        ('11111111-1111-1111-1111-111111111111', 'HSADMIN', 'prod', true)
         RETURNING * INTO context_HSADMIN_prod;
-    INSERT INTO hs_accounts.context (uuid, type, qualifier) VALUES
-        ('22222222-2222-2222-2222-222222222222', 'SSH', 'internal')
+    INSERT INTO hs_accounts.context (uuid, type, qualifier, only_for_natural_persons) VALUES
+        ('22222222-2222-2222-2222-222222222222', 'SSH', 'internal', true)
            RETURNING * INTO context_SSH_internal;
-    INSERT INTO hs_accounts.context (uuid, type, qualifier) VALUES
-        ('33333333-3333-3333-3333-333333333333', 'MATRIX', 'internal')
+    INSERT INTO hs_accounts.context (uuid, type, qualifier, only_for_natural_persons) VALUES
+        ('33333333-3333-3333-3333-333333333333', 'MATRIX', 'internal', true)
            RETURNING * INTO context_MATRIX_internal;
+    INSERT INTO hs_accounts.context (uuid, type, qualifier, only_for_natural_persons) VALUES
+        ('44444444-4444-4444-4444-444444444444', 'MASTODON', 'external', false);
 
 -- grant general access to public credential contexts
 -- TODO_impl: RBAC rules for _rv do not yet work properly