From d348e704ae613068912b11d4a547dd25df617c94 Mon Sep 17 00:00:00 2001
From: Konrad Windszus <konrad.windszus@netcentric.biz>
Date: Tue, 16 Jul 2024 16:57:49 +0200
Subject: [PATCH] Limit number of group memberships to be managed with "add"
 step to 10

In fact the limit seems to be 20 but documented is 10, so better be
conservative here.
Compare with
https://adobe-apiplatform.github.io/umapi-documentation/en/api/ActionsCmds.html

This closes #753
---
 .../tools/actool/ims/IMSUserManagement.java   | 20 +++++++++++------
 .../tools/actool/ims/IMSUserManagementIT.java | 22 +++++++++++++++++++
 2 files changed, 35 insertions(+), 7 deletions(-)

diff --git a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/ims/IMSUserManagement.java b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/ims/IMSUserManagement.java
index d719565b..bdfbf4f7 100644
--- a/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/ims/IMSUserManagement.java
+++ b/accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/ims/IMSUserManagement.java
@@ -116,6 +116,7 @@ public class IMSUserManagement implements ExternalGroupManagement {
 
     public static final Logger LOG = LoggerFactory.getLogger(IMSUserManagement.class);
     private static final int MAX_NUM_COMMANDS_PER_REQUEST = 10;
+    private static final int MAX_NUM_GROUPS_PER_ADD_STEP = 10;
 
     private final Configuration config;
     private final CloseableHttpClient client;
@@ -218,15 +219,20 @@ public void updateGroups(Collection<AuthorizableConfigBean> groupConfigs) throws
         }
         // optionally make users group administrators
         if (config.groupAdmins() != null && config.groupAdmins().length > 0) {
-            Set<String> adminGroupNames = groupConfigs.stream()
+            // at most 10 groups per add command
+            AtomicInteger groupCounter = new AtomicInteger();
+            Collection<List<String>> adminGroupNameBatches = groupConfigs.stream()
                     .map(AuthorizableConfigBean::getAuthorizableId)
                     .map(id -> "_admin_" + id) // https://adobe-apiplatform.github.io/umapi-documentation/en/api/ActionsCmds.html#addRemoveAttr
-                    .collect(Collectors.toSet());
-            for (String groupAdmin : config.groupAdmins()) {
-                ActionCommand actionCommand = new UserActionCommand(groupAdmin);
-                AddGroupMembership addGroupMembership = new AddGroupMembership(adminGroupNames);
-                actionCommand.addStep(addGroupMembership);
-                actionCommands.add(actionCommand);
+                    .collect(Collectors.groupingBy
+                    (it->groupCounter.getAndIncrement() / MAX_NUM_GROUPS_PER_ADD_STEP)).values();
+            for (List<String> adminGroupNames : adminGroupNameBatches) {
+                for (String groupAdmin : config.groupAdmins()) {
+                    ActionCommand actionCommand = new UserActionCommand(groupAdmin);
+                    AddGroupMembership addGroupMembership = new AddGroupMembership(adminGroupNames);
+                    actionCommand.addStep(addGroupMembership);
+                    actionCommands.add(actionCommand);
+                }
             }
         }
         // update in batches of 10 commands
diff --git a/accesscontroltool-bundle/src/test/java/biz/netcentric/cq/tools/actool/ims/IMSUserManagementIT.java b/accesscontroltool-bundle/src/test/java/biz/netcentric/cq/tools/actool/ims/IMSUserManagementIT.java
index a46cd8c0..7de7d1ec 100644
--- a/accesscontroltool-bundle/src/test/java/biz/netcentric/cq/tools/actool/ims/IMSUserManagementIT.java
+++ b/accesscontroltool-bundle/src/test/java/biz/netcentric/cq/tools/actool/ims/IMSUserManagementIT.java
@@ -20,6 +20,8 @@
 import java.io.IOException;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.LinkedList;
+import java.util.List;
 import java.util.Map;
 
 import org.apache.http.impl.client.HttpClientBuilder;
@@ -132,6 +134,26 @@ public HttpClientBuilder newBuilder() {
         imsUserManagement.updateGroups(Collections.singleton(group));
     }
 
+    @Test
+    void test25GroupsWithAdmin() throws IOException {
+        properties.put("groupAdmins", getMandatoryEnvironmentVariable("ACTOOL_IMS_IT_USERID"));
+        Configuration config = Converters.standardConverter().convert(properties).to(Configuration.class);
+        IMSUserManagement imsUserManagement = new IMSUserManagement(config, new HttpClientBuilderFactory() {
+            @Override
+            public HttpClientBuilder newBuilder() {
+                return HttpClientBuilder.create();
+            }
+        });
+        List<AuthorizableConfigBean> groups = new LinkedList<>();
+        for (int n=0; n<25; n++) {
+            AuthorizableConfigBean group = new AuthorizableConfigBean();
+            group.setAuthorizableId("testGroup" + n);
+            group.setDescription("my description" + n);
+            groups.add(group);
+        }
+        imsUserManagement.updateGroups(groups);
+    }
+
     private static String getMandatoryEnvironmentVariable(String name) {
         String value = System.getenv(name);
         if (value == null) {