Add property enable-full-list (Azure#21080)

* Enable full list

Author: wujack778

sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-webapp/README.md

@@ -81,6 +81,7 @@ azure:
     user-group:
       allowed-group-names: group1,group2
       allowed-group-ids: <group1-id>,<group2-id>
+      enable-full-list: false  
     post-logout-redirect-uri: http://localhost:8080
     authorization-clients:
       arm:
@@ -94,6 +95,8 @@ azure:
 #        scopes:
 #          - <Web-API-A-app-id-url>/Obo.WebApiA.ExampleScope
       
+# enable-full-list is used to control whether to list all group id, default is false
+
 # It's suggested the logged in user should at least belong to one of the above groups
 # If not, the logged in user will not be able to access any authorization controller rest APIs
 ```

sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-webapp/src/main/resources/application.yml

@@ -1,3 +1,6 @@
+# WebapiA is an optional client, we can access obo resource servers.
+# We can also access a custom server according to the webapiA client.
+
 azure:
   activedirectory:
     client-id: <client-id>
@@ -6,6 +9,7 @@ azure:
     user-group:
       allowed-group-names: group1,group2
       allowed-group-ids: <group1-id>,<group2-id>
+      enable-full-list: false
     post-logout-redirect-uri: http://localhost:8080
     authorization-clients:
       arm:

sdk/spring/azure-spring-boot/src/main/java/com/azure/spring/aad/webapp/AADOAuth2UserService.java

@@ -119,6 +119,9 @@ Set<String> extractGroupRolesFromAccessToken(OAuth2AccessToken accessToken) {
                                      .map(AbstractOAuth2Token::getTokenValue)
                                      .map(graphClient::getGroupsFromGraph)
                                      .orElseGet(Collections::emptySet);
+        if (properties.getUserGroup().getEnableFullList()) {
+            return groups;
+        }
         Set<String> roles = Arrays
             .asList(properties.getUserGroup().getAllowedGroupIds(), properties.getUserGroup().getAllowedGroupNames())
             .stream()

sdk/spring/azure-spring-boot/src/main/java/com/azure/spring/aad/webapp/GraphClient.java

@@ -54,8 +54,13 @@ public Set<String> getGroupsFromGraph(String accessToken) {
             memberships.getValue()
                        .stream()
                        .filter(this::isGroupObject)
-                       .map(membership -> Arrays.asList(membership.getDisplayName(), membership.getObjectID()))
-                       .forEach(groups::addAll);
+                       .map(membership -> {
+                           if (properties.getUserGroup().getEnableFullList()) {
+                               return Arrays.asList(membership.getObjectID());
+                           } else {
+                               return Arrays.asList(membership.getDisplayName(), membership.getObjectID());
+                           }
+                       }).forEach(groups::addAll);
             aadMembershipRestUri = Optional.of(memberships)
                                            .map(Memberships::getOdataNextLink)
                                            .orElse(null);

sdk/spring/azure-spring-boot/src/main/java/com/azure/spring/autoconfigure/aad/AADAuthenticationProperties.java

@@ -145,6 +145,11 @@ public static class UserGroupProperties {
 
         private Set<String> allowedGroupIds = new HashSet<>();
 
+        /**
+         * enableFullList is used to control whether to list all group id, default is false
+         */
+        private Boolean enableFullList = false;
+
         public Set<String> getAllowedGroupIds() {
             return allowedGroupIds;
         }
@@ -161,6 +166,14 @@ public void setAllowedGroupNames(List<String> allowedGroupNames) {
             this.allowedGroupNames = allowedGroupNames;
         }
 
+        public Boolean getEnableFullList() {
+            return enableFullList;
+        }
+
+        public void setEnableFullList(Boolean enableFullList) {
+            this.enableFullList = enableFullList;
+        }
+
         @Deprecated
         @DeprecatedConfigurationProperty(
             reason = "In order to distinguish between allowed-group-ids and allowed-group-names, set allowed-groups "

sdk/spring/azure-spring-boot/src/test/java/com/azure/spring/aad/webapp/AADAccessTokenGroupRolesExtractionTest.java

@@ -81,4 +81,29 @@ public void testGroupsNameAndGroupsId() {
         assertThat(groupsName).doesNotContain("ROLE_d07c0bd6-4aab-45ac-b87c-23e8d00194abaaa");
         assertThat(groupsName).hasSize(2);
     }
+
+    @Test
+    public void testEnableFullList() {
+        when(properties.getUserGroup().getEnableFullList()).thenReturn(true);
+        Set<String> groupIds = userService.extractGroupRolesFromAccessToken(accessToken);
+        assertThat(groupIds).hasSize(4);
+    }
+
+    @Test
+    public void testDisableFullList() {
+        when(properties.getUserGroup().getEnableFullList()).thenReturn(false);
+        Set<String> allowedGroupIds = new HashSet<>();
+        allowedGroupIds.add("d07c0bd6-4aab-45ac-b87c-23e8d00194ab");
+        when(userGroup.getAllowedGroupIds()).thenReturn(allowedGroupIds);
+        List<String> allowedGroupNames = new ArrayList<>();
+        allowedGroupNames.add("group1");
+        when(userGroup.getAllowedGroupNames()).thenReturn(allowedGroupNames);
+
+        Set<String> groupsName = userService.extractGroupRolesFromAccessToken(accessToken);
+        assertThat(groupsName).contains("ROLE_group1");
+        assertThat(groupsName).doesNotContain("ROLE_group5");
+        assertThat(groupsName).contains("ROLE_d07c0bd6-4aab-45ac-b87c-23e8d00194ab");
+        assertThat(groupsName).doesNotContain("ROLE_d07c0bd6-4aab-45ac-b87c-23e8d00194abaaa");
+        assertThat(groupsName).hasSize(2);
+    }
 }