
fix #2760 add aad.use.ds

Shinsuke Sugaya 1 year ago
parent
commit
81e294324f

+ 4 - 0
src/main/java/org/codelibs/fess/mylasta/direction/FessProp.java

@@ -719,6 +719,10 @@ public interface FessProp {
                 .get(stream -> stream.filter(StringUtil::isNotBlank).map(String::trim).toArray(n -> new String[n]));
     }
 
+    default boolean isAzureAdUseDomainServices() {
+        return Constants.TRUE.equalsIgnoreCase(getSystemProperty("aad.use.ds", "true"));
+    }
+
     //
     // fess_*.properties
     //
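Review bot: `isAzureAdUseDomainServices()` has no Javadoc, and since it defaults `aad.use.ds` to `"true"` the domain-stripping it controls in AzureAdAuthenticator is on for every installation that does not set the property. A short doc would make that visible: `/** Whether group/role names of the form {@code name@domain} also register the bare {@code name} (Azure AD Domain Services style). Read from {@code aad.use.ds}; defaults to true. */`. It is worth stating in that comment that the bare name is added in addition to, not instead of, the full value, because that is what callers rely on.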

+ 14 - 3
src/main/java/org/codelibs/fess/sso/aad/AzureAdAuthenticator.java

@@ -404,18 +404,19 @@ public class AzureAdAuthenticator implements SsoAuthenticator {
                         logger.warn("id is empty: {}", memberOf);
                     }
                     final String[] names = fessConfig.getAzureAdPermissionFields();
+                    final boolean useDomainServices = fessConfig.isAzureAdUseDomainServices();
                     for (final String name : names) {
                         final String value = (String) memberOf.get(name);
                         if (StringUtil.isNotBlank(value)) {
                             if (memberType.contains("group")) {
-                                groupList.add(value);
+                                addGroupOrRoleName(groupList, value, useDomainServices);
                             } else if (memberType.contains("role")) {
-                                roleList.add(value);
+                                addGroupOrRoleName(roleList, value, useDomainServices);
                             } else {
                                 if (logger.isDebugEnabled()) {
                                     logger.debug("unknown @odata.type: {}", memberOf);
                                 }
-                                groupList.add(value);
+                                addGroupOrRoleName(groupList, value, useDomainServices);
                             }
                         } else if (logger.isDebugEnabled()) {
                             logger.debug("{} is empty: {}", name, memberOf);
@@ -434,6 +435,16 @@ public class AzureAdAuthenticator implements SsoAuthenticator {
         }
     }
 
+    protected void addGroupOrRoleName(List<String> list, String value, boolean useDomainServices) {
+        list.add(value);
+        if (useDomainServices && value.indexOf('@') >= 0) {
+            String[] values = value.split("@");
+            if (values.length > 1) {
+                list.add(values[0]);
+            }
+        }
+    }
+
     protected void processParentGroup(final AzureAdUser user, final List<String> groupList, final List<String> roleList, final String id) {
         final Pair<String[], String[]> groupsAndRoles = getParentGroup(user, id);
         StreamUtil.stream(groupsAndRoles.getFirst()).of(stream -> stream.forEach(groupList::add));
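Review bot: `addGroupOrRoleName` can add an empty string as a group or role name: for a value such as `"@codelibs.org"`, `value.split("@")` yields `["", "codelibs.org"]`, so the length check passes and `list.add("")` runs. The guard should also require a non-blank local part, e.g. `if (values.length > 1 && StringUtil.isNotBlank(values[0])) {`, using the same `StringUtil` already applied to `value` in the loop above. Separately, since the bare local part is added for every `name@domain` value when the flag is on, groups that differ only by domain presumably collapse to the same bare name downstream; if permission rules are matched on that bare name this deserves a comment on the method stating that the alias is intentional and domain-insensitive, so a reader does not mistake it for a bug. Consider also making the three parameters `final`, matching `processParentGroup` directly below.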

+ 56 - 0
src/test/java/org/codelibs/fess/sso/aad/AzureAdAuthenticatorTest.java

@@ -0,0 +1,56 @@
+/*
+ * Copyright 2012-2023 CodeLibs Project and the Others.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+ * either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+package org.codelibs.fess.sso.aad;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.codelibs.fess.unit.UnitFessTestCase;
+
+public class AzureAdAuthenticatorTest extends UnitFessTestCase {
+    public void test_addGroupOrRoleName() {
+        AzureAdAuthenticator authenticator = new AzureAdAuthenticator();
+        List<String> list = new ArrayList<>();
+
+        list.clear();
+        authenticator.addGroupOrRoleName(list, "test", true);
+        assertEquals(1, list.size());
+        assertEquals("test", list.get(0));
+
+        list.clear();
+        authenticator.addGroupOrRoleName(list, "test", false);
+        assertEquals(1, list.size());
+        assertEquals("test", list.get(0));
+
+        list.clear();
+        authenticator.addGroupOrRoleName(list, "test@codelibs.org", true);
+        assertEquals(2, list.size());
+        assertEquals("test@codelibs.org", list.get(0));
+        assertEquals("test", list.get(1));
+
+        list.clear();
+        authenticator.addGroupOrRoleName(list, "test@codelibs.org", false);
+        assertEquals(1, list.size());
+        assertEquals("test@codelibs.org", list.get(0));
+
+        list.clear();
+        authenticator.addGroupOrRoleName(list, "test@codelibs.org@hoge.com", true);
+        assertEquals(2, list.size());
+        assertEquals("test@codelibs.org@hoge.com", list.get(0));
+        assertEquals("test", list.get(1));
+
+    }
+}
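Review bot: The test never pins what happens to a value whose local part is empty, such as `"@codelibs.org"`, which is exactly the input where the current `split("@")` logic behaves surprisingly (it appends an empty string). Adding a case `authenticator.addGroupOrRoleName(list, "@codelibs.org", true); assertEquals(1, list.size());` would document that an empty group name is not expected, and a matching case for a blank `value` would cover the other degenerate input. The existing `"test@codelibs.org@hoge.com"` case is useful; it shows that only the first segment is taken, which is worth saying in a one-line comment above it.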