[MM-63516] Target LegalHold users by groups

.gitignore

@@ -19,4 +19,4 @@ dist/
 .idea/
 
 processor/temp
-.aider*
+.aider*

server/api.go

@@ -8,6 +8,7 @@ import (
 	"io"
 	"net/http"
 	"slices"
+	"strings"
 	"time"
 
 	"github.com/gorilla/mux"
@@ -47,6 +48,7 @@ func (p *Plugin) ServeHTTP(_ *plugin.Context, w http.ResponseWriter, r *http.Req
 	router.HandleFunc("/api/v1/legalholds/{legalhold_id:[A-Za-z0-9]+}/download", p.downloadLegalHold).Methods(http.MethodGet)
 	router.HandleFunc("/api/v1/legalholds/{legalhold_id:[A-Za-z0-9]+}/run", p.runSingleLegalHold).Methods(http.MethodPost)
 	router.HandleFunc("/api/v1/test_amazon_s3_connection", p.testAmazonS3Connection).Methods(http.MethodPost)
+	router.HandleFunc("/api/v1/groups/search", p.searchLDAPGroups).Methods(http.MethodGet)
 
 	// Other routes
 	router.HandleFunc("/api/v1/legalhold/run", p.runJobFromAPI).Methods(http.MethodPost)
@@ -406,6 +408,27 @@ func (p *Plugin) testAmazonS3Connection(w http.ResponseWriter, _ *http.Request)
 	}
 }
 
+// searchLDAPGroups searches for groups by display name
+func (p *Plugin) searchLDAPGroups(w http.ResponseWriter, r *http.Request) {
+	prefix := strings.TrimSpace(r.URL.Query().Get("prefix"))
+	if prefix == "" {
+		http.Error(w, "missing search prefix", http.StatusBadRequest)
+		return
+	}
+
+	groups, err := p.SQLStore.SearchLDAPGroupsByPrefix(prefix)
+	if err != nil {
+		http.Error(w, "failed to search groups", http.StatusInternalServerError)
+		p.Client.Log.Error("failed to search groups", "error", err.Error())
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(groups); err != nil {
+		p.Client.Log.Error("failed to write http response", "error", err.Error())
+	}
+}
+
 func RequireLegalHoldID(r *http.Request) (string, error) {
 	props := mux.Vars(r)
 

server/legalhold/legal_hold.go

@@ -13,6 +13,7 @@ import (
 
 	"github.com/gocarina/gocsv"
 	"github.com/mattermost/mattermost-plugin-api/cluster"
+	mm_model "github.com/mattermost/mattermost-server/v6/model"
 	"github.com/mattermost/mattermost-server/v6/plugin"
 	"github.com/mattermost/mattermost-server/v6/shared/filestore"
 
@@ -111,13 +112,38 @@ func (ex *Execution) Execute(now int64) (*model.LegalHold, error) {
 // GetChannels populates the list of channels that the Execution needs to cover within the
 // internal state of the Execution struct.
 func (ex *Execution) GetChannels() error {
+	targetUsers, appErr := getUsersForGroups(ex.papi, ex.LegalHold.GroupIDs)
+	if appErr != nil {
+		return appErr
+	}
+
 	for _, userID := range ex.LegalHold.UserIDs {
 		user, appErr := ex.papi.GetUser(userID)
 		if appErr != nil {
 			return appErr
 		}
+		targetUsers = append(targetUsers, user)
+	}
+
+	// keep track of which users have been processed
+	processedUsersList := make(map[string]struct{})
+	// processAndMarkUser is a helper function that will check if a user
+	// has been processed, and mark the user if they has not.
+	// Returns true if the user should be processed
+	processAndMarkUser := func(id string) bool {
+		if _, processed := processedUsersList[id]; processed {
+			return false
+		}
+		processedUsersList[id] = struct{}{}
+		return true
+	}
+
+	for _, user := range targetUsers {
+		if !processAndMarkUser(user.Id) {
+			continue
+		}
 
-		channelIDs, err := ex.store.GetChannelIDsForUserDuring(userID, ex.ExecutionStartTime, ex.ExecutionEndTime, ex.LegalHold.IncludePublicChannels)
+		channelIDs, err := ex.store.GetChannelIDsForUserDuring(user.Id, ex.ExecutionStartTime, ex.ExecutionEndTime, ex.LegalHold.IncludePublicChannels)
 		if err != nil {
 			return err
 		}
@@ -126,16 +152,16 @@ func (ex *Execution) GetChannels() error {
 
 		ex.papi.LogDebug(
 			"Legal hold executor - GetChannels",
-			"user_id", userID,
+			"user_id", user.Id,
 			"channel_count", len(channelIDs),
 			"start_time", ex.ExecutionStartTime,
 			"end_time", ex.ExecutionEndTime,
 		)
 
 		// Add to channels index
 		for _, channelID := range channelIDs {
-			if idx, ok := ex.index.Users[userID]; !ok {
-				ex.index.Users[userID] = model.LegalHoldIndexUser{
+			if idx, ok := ex.index.Users[user.Id]; !ok {
+				ex.index.Users[user.Id] = model.LegalHoldIndexUser{
 					Username: user.Username,
 					Email:    user.Email,
 					Channels: []model.LegalHoldChannelMembership{
@@ -147,7 +173,7 @@ func (ex *Execution) GetChannels() error {
 					},
 				}
 			} else {
-				ex.index.Users[userID] = model.LegalHoldIndexUser{
+				ex.index.Users[user.Id] = model.LegalHoldIndexUser{
 					Username: user.Username,
 					Email:    user.Email,
 					Channels: append(idx.Channels, model.LegalHoldChannelMembership{
@@ -496,3 +522,29 @@ func hashFromReader(secret string, reader io.Reader) (string, error) {
 
 	return fmt.Sprintf("%x", hasher.Sum(nil)), nil
 }
+
+func getUsersForGroups(api plugin.API, groupIDs []string) ([]*mm_model.User, error) {
+	const GroupPageLimit = 100
+	const GroupPageSize = 50
+
+	var allUsers []*mm_model.User
+	for _, groupID := range groupIDs {
+		currPage := 0
+		for {
+			users, appErr := api.GetGroupMemberUsers(groupID, currPage, GroupPageSize)
+			if appErr != nil {
+				return nil, appErr
+			}
+			if currPage > GroupPageLimit {
+				return nil, fmt.Errorf("cannot execute legal hold: a group (%s) exceeds the maximum number of members (%d)", groupID, GroupPageLimit*GroupPageSize)
+			}
+			if len(users) < 1 {
+				break
+			}
+			allUsers = append(allUsers, users...)
+			currPage++
+		}
+	}
+
+	return allUsers, nil
+}

server/model/index.go

@@ -154,10 +154,10 @@ func getLegalHoldChannelMembership(channelMemberships []LegalHoldChannelMembersh
 
 // Combine combines the data from two LegalHoldChannelMembership instances and returns a new one
 // representing the combined data.
-func (lhcm LegalHoldChannelMembership) Combine(new LegalHoldChannelMembership) LegalHoldChannelMembership {
+func (lhcm LegalHoldChannelMembership) Combine(newMembership LegalHoldChannelMembership) LegalHoldChannelMembership {
 	return LegalHoldChannelMembership{
 		ChannelID: lhcm.ChannelID,
-		StartTime: utils.Min(lhcm.StartTime, new.StartTime),
-		EndTime:   utils.Max(lhcm.EndTime, new.EndTime),
+		StartTime: utils.Min(lhcm.StartTime, newMembership.StartTime),
+		EndTime:   utils.Max(lhcm.EndTime, newMembership.EndTime),
 	}
 }

server/model/legal_hold.go

@@ -24,6 +24,7 @@ type LegalHold struct {
 	CreateAt              int64    `json:"create_at"`
 	UpdateAt              int64    `json:"update_at"`
 	UserIDs               []string `json:"user_ids"`
+	GroupIDs              []string `json:"group_ids"`
 	StartsAt              int64    `json:"starts_at"`
 	EndsAt                int64    `json:"ends_at"`
 	IncludePublicChannels bool     `json:"include_public_channels"`
@@ -68,6 +69,11 @@ func (lh *LegalHold) DeepCopy() LegalHold {
 		copy(newLegalHold.UserIDs, lh.UserIDs)
 	}
 
+	if len(lh.GroupIDs) > 0 {
+		newLegalHold.GroupIDs = make([]string, len(lh.GroupIDs))
+		copy(newLegalHold.GroupIDs, lh.GroupIDs)
+	}
+
 	return newLegalHold
 }
 
@@ -93,8 +99,8 @@ func (lh *LegalHold) IsValidForCreate() error {
 		return errors.New("LegalHold display name must be between 2 and 64 characters in length")
 	}
 
-	if len(lh.UserIDs) < 1 {
-		return errors.New("LegalHold must include at least 1 user")
+	if len(lh.UserIDs) < 1 && len(lh.GroupIDs) < 1 {
+		return errors.New("LegalHold must include at least 1 user or 1 group")
 	}
 
 	for _, userID := range lh.UserIDs {
@@ -103,6 +109,12 @@ func (lh *LegalHold) IsValidForCreate() error {
 		}
 	}
 
+	for _, groupID := range lh.GroupIDs {
+		if !mattermostModel.IsValidId(groupID) {
+			return errors.New("LegalHold groups must have valid IDs")
+		}
+	}
+
 	if lh.StartsAt < 1 {
 		return errors.New("LegalHold must start at a valid time")
 	}
@@ -163,6 +175,7 @@ type CreateLegalHold struct {
 	Name                  string   `json:"name"`
 	DisplayName           string   `json:"display_name"`
 	UserIDs               []string `json:"user_ids"`
+	GroupIDs              []string `json:"group_ids"`
 	StartsAt              int64    `json:"starts_at"`
 	EndsAt                int64    `json:"ends_at"`
 	IncludePublicChannels bool     `json:"include_public_channels"`
@@ -176,6 +189,7 @@ func NewLegalHoldFromCreate(lhc CreateLegalHold) LegalHold {
 		Name:                  lhc.Name,
 		DisplayName:           lhc.DisplayName,
 		UserIDs:               lhc.UserIDs,
+		GroupIDs:              lhc.GroupIDs,
 		StartsAt:              lhc.StartsAt,
 		EndsAt:                lhc.EndsAt,
 		IncludePublicChannels: lhc.IncludePublicChannels,
@@ -189,6 +203,7 @@ type UpdateLegalHold struct {
 	ID                    string   `json:"id"`
 	DisplayName           string   `json:"display_name"`
 	UserIDs               []string `json:"user_ids"`
+	GroupIDs              []string `json:"group_ids"`
 	IncludePublicChannels bool     `json:"include_public_channels"`
 	EndsAt                int64    `json:"ends_at"`
 }
@@ -202,8 +217,8 @@ func (ulh UpdateLegalHold) IsValid() error {
 		return errors.New("LegalHold display name must be between 2 and 64 characters in length")
 	}
 
-	if len(ulh.UserIDs) < 1 {
-		return errors.New("LegalHold must include at least 1 user")
+	if len(ulh.UserIDs) < 1 && len(ulh.GroupIDs) < 1 {
+		return errors.New("LegalHold must include at least 1 user or 1 group")
 	}
 
 	for _, userID := range ulh.UserIDs {
@@ -212,6 +227,12 @@ func (ulh UpdateLegalHold) IsValid() error {
 		}
 	}
 
+	for _, groupID := range ulh.GroupIDs {
+		if !mattermostModel.IsValidId(groupID) {
+			return errors.New("LegalHold groups must have valid IDs")
+		}
+	}
+
 	if ulh.EndsAt < 0 {
 		return errors.New("LegalHold must end at a valid time or zero")
 	}
@@ -222,6 +243,7 @@ func (ulh UpdateLegalHold) IsValid() error {
 func (lh *LegalHold) ApplyUpdates(updates UpdateLegalHold) {
 	lh.DisplayName = updates.DisplayName
 	lh.UserIDs = updates.UserIDs
+	lh.GroupIDs = updates.GroupIDs
 	lh.EndsAt = updates.EndsAt
 	lh.IncludePublicChannels = updates.IncludePublicChannels
 }

server/model/legal_hold_test.go

@@ -475,7 +475,7 @@ func TestModel_UpdateLegalHold_IsValid(t *testing.T) {
 				UserIDs:     []string{},
 				EndsAt:      0,
 			},
-			expected: "LegalHold must include at least 1 user",
+			expected: "LegalHold must include at least 1 user or 1 group",
 		},
 		{
 			name: "InvalidUserIDs",

server/store/sqlstore/group.go

@@ -0,0 +1,54 @@
+package sqlstore
+
+import (
+	"strings"
+
+	sq "github.com/Masterminds/squirrel"
+	"github.com/pkg/errors"
+
+	"github.com/mattermost/mattermost-server/v6/model"
+)
+
+var escapeLikeSearchChar = []string{
+	"%",
+	"_",
+}
+
+func sanitizeSearchTerm(term string) string {
+	const escapeChar = "\\"
+
+	term = strings.ReplaceAll(term, escapeChar, "")
+
+	for _, c := range escapeLikeSearchChar {
+		term = strings.ReplaceAll(term, c, escapeChar+c)
+	}
+
+	return term
+}
+
+func (ss SQLStore) SearchLDAPGroupsByPrefix(prefix string) ([]*model.Group, error) {
+	sanitizedPrefix := strings.ToLower(sanitizeSearchTerm(prefix))
+	query := ss.replicaBuilder.
+		Select("Id", "Name", "DisplayName", "DeleteAt").
+		From("UserGroups").
+		Where(sq.Or{
+			sq.Like{"LOWER(DisplayName)": sanitizedPrefix + "%"},
+			sq.Like{"LOWER(Name)": sanitizedPrefix + "%"},
+		}).
+		Where(sq.Eq{"DeleteAt": 0}).
+		Where(sq.Eq{"Source": "ldap"}).
+		OrderBy("DisplayName").
+		Limit(10)
+
+	sql, args, err := query.ToSql()
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to build SQL query for searching groups")
+	}
+
+	var groups []*model.Group
+	if err := ss.replica.Select(&groups, sql, args...); err != nil {
+		return nil, errors.Wrap(err, "failed to search groups")
+	}
+
+	return groups, nil
+}

webapp/src/client.ts

@@ -42,6 +42,16 @@ class APIClient {
         return this.doWithBody(url, 'post', {}) as Promise<{message: string}>;
     };
 
+    getGroup = (id: string) => {
+        const url = `/api/v4/groups/${id}`;
+        return this.doGet(url);
+    };
+
+    searchGroups = (term: string) => {
+        const url = `${this.url}/groups/search?prefix=${encodeURIComponent(term)}`;
+        return this.doGet(url);
+    };
+
     private doGet = async (url: string, headers = {}) => {
         const options = {
             method: 'get',