Netcentric
diff --git a/‎accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/ims/IMSUserManagement.java
+119-19 b/‎accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/ims/IMSUserManagement.java
+119-19
diff --git a/‎accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/ims/request/ActionCommand.java
+24-1 b/‎accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/ims/request/ActionCommand.java
+24-1
diff --git a/‎accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/ims/request/AddGroupMembers.java
+24 b/‎accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/ims/request/AddGroupMembers.java
+24
diff --git a/‎accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/ims/request/AddGroupMembership.java
+28-4 b/‎accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/ims/request/AddGroupMembership.java
+28-4
diff --git a/‎accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/ims/request/CreateGroupStep.java
+24 b/‎accesscontroltool-bundle/src/main/java/biz/netcentric/cq/tools/actool/ims/request/CreateGroupStep.java
+24
@@ -26,11 +26,14 @@
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
+import java.util.LinkedHashSet;
 import java.util.LinkedList;
 import java.util.List;
+import java.util.ListIterator;
 import java.util.Locale;
 import java.util.Map;
 import java.util.Random;
+import java.util.Set;
 import java.util.concurrent.atomic.AtomicInteger;
 import java.util.function.Function;
 import java.util.stream.Collectors;
@@ -80,6 +83,8 @@
 import biz.netcentric.cq.tools.actool.ims.request.AddGroupMembers;
 import biz.netcentric.cq.tools.actool.ims.request.AddGroupMembership;
 import biz.netcentric.cq.tools.actool.ims.request.CreateGroupStep;
+import biz.netcentric.cq.tools.actool.ims.request.RemoveGroupMembership;
+import biz.netcentric.cq.tools.actool.ims.request.Step;
 import biz.netcentric.cq.tools.actool.ims.request.UserActionCommand;
 import biz.netcentric.cq.tools.actool.ims.request.UserGroupActionCommand;
 import biz.netcentric.cq.tools.actool.ims.response.AccessToken;
@@ -231,6 +236,115 @@ private boolean requireGroupUpdate(Map<String, IMSGroup> existingImsGroups, Auth
         }
     }
 
+    private static final class UserMembershipChanges {
+        private final String userName;
+        private final Set<String> groupsToRemove;
+        private final Set<String> groupsToAdd;
+
+        public UserMembershipChanges(String userName) {
+            this.userName = userName;
+            this.groupsToRemove = new LinkedHashSet<>();
+            this.groupsToAdd = new LinkedHashSet<>();
+        }
+
+        public boolean removeGroup(String group) {
+            return groupsToRemove.add(group);
+        }
+
+        public boolean addGroup(String group) {
+            return groupsToAdd.add(group);
+        }
+
+        public boolean addGroups(Collection<String> groups) {
+            return groupsToAdd.addAll(groups);
+        }
+    }
+
+    /**
+     * 
+     * @param token the api token
+     * @param groups the groups whose administrators should be updated
+     * @param isAddOnly whether only new group administrators should be added or also existing ones bound to managed groups but no longer configured as admins should be removed
+     * @return the list of action commands to be executed to perform the changes
+     * @throws IOException
+     */
+    List<ActionCommand> updateGroupAdminsCommands(String token, Collection<String> groups, boolean isAddOnly) throws IOException {
+        List<ActionCommand> actionCommands = new LinkedList<>();
+        // optionally make users group administrators
+        if (config.groupAdmins() != null && config.groupAdmins().length > 0) {
+            Set<String> groupAdmins = new LinkedHashSet<>(Arrays.asList(config.groupAdmins()));
+            Map<String, UserMembershipChanges> usersMembershipChanges  = new HashMap<>();
+            // for all admin groups collect users to remove and to add
+            Set<String> adminGroupNames = groups.stream().map(n -> "_admin_" + n).collect(Collectors.toSet());
+            if (!isAddOnly) {
+                // check which membership changes are necessary per user
+                for (String adminGroupName : adminGroupNames) {
+                    Map<String, IMSUser> usersInAdminGroup = getUsersInGroup(token, adminGroupName);
+                    // diff against configured admins and remove/add memberhip accordingly
+                    Set<String> usersToRemove = new LinkedHashSet<>(usersInAdminGroup.keySet());
+                    usersToRemove.removeAll(groupAdmins);
+                    for (String userToRemove : usersToRemove) {
+                        UserMembershipChanges changes = usersMembershipChanges.computeIfAbsent(userToRemove, UserMembershipChanges::new);
+                        changes.removeGroup(adminGroupName);
+                    }
+                    
+                    Set<String> usersToAdd = new LinkedHashSet<>(groupAdmins);
+                    usersToAdd.removeAll(usersInAdminGroup.keySet());
+                    for (String userToAdd : usersToAdd) {
+                        UserMembershipChanges changes = usersMembershipChanges.computeIfAbsent(userToAdd, UserMembershipChanges::new);
+                        changes.addGroup(adminGroupName);
+                    }
+                } 
+            } else {
+                // just add all adminGroupNames to all admin users
+                for (String admin : config.groupAdmins()) {
+                    UserMembershipChanges userMembershipChanges = new UserMembershipChanges(admin);
+                    userMembershipChanges.addGroups(adminGroupNames);
+                    usersMembershipChanges.put(admin, userMembershipChanges);
+                } 
+            }
+
+            // iterate over all usersMembershipChanges and create user action commands per affected user
+            for (UserMembershipChanges changes : usersMembershipChanges.values()) {
+                int actionCommandsIndex = actionCommands.size();
+                addMembershipSteps(changes.userName, actionCommands.listIterator(actionCommandsIndex), false, changes.groupsToRemove);
+                addMembershipSteps(changes.userName, actionCommands.listIterator(actionCommandsIndex), true, changes.groupsToAdd);
+            }
+            
+        }
+        return actionCommands;
+    }
+
+    /**
+     * Adds the necessary user memberhips steps to the next action command from the given iterator. If there is no next action command, a new one is created and added to the list.
+     * It makes sure that per action command there are at most {@link #MAX_NUM_GROUPS_PER_ADD_STEP} groups added or removed.
+     * @param userName used when new ActionCommand is created
+     * @param actionCommandsIterator the ListIterator which is potentially extended with new action commands
+     * @param isAdd {@code} true if the group membership should be added, {@code false} if it should be removed
+     * @param groupNames the group names to add/remove for the user
+     */
+    private void addMembershipSteps(String userName, ListIterator<ActionCommand> actionCommandsIterator, boolean isAdd, Collection<String> groupNames) {
+        AtomicInteger groupCounter = new AtomicInteger();
+        Collection<List<String>> groupNamesBatches = groupNames.stream().collect(Collectors.groupingBy
+                    (it->groupCounter.getAndIncrement() / MAX_NUM_GROUPS_PER_ADD_STEP)).values();
+        for (List<String> groupNamesBatch : groupNamesBatches) {
+            ActionCommand actionCommand;
+            if (actionCommandsIterator.hasNext()) {
+                actionCommand = actionCommandsIterator.next();
+            } else {
+                actionCommand = new UserActionCommand(userName);
+                actionCommandsIterator.add(actionCommand);
+            }
+            final Step step;
+            if (isAdd) {
+                step = new AddGroupMembership(groupNamesBatch);
+            } else {
+                step = new RemoveGroupMembership(groupNamesBatch);
+            }
+            actionCommand.addStep(step);
+        }
+    }
+
     @Override
     public int updateGroups(Collection<AuthorizableConfigBean> groupConfigs) throws IOException {
         String token = getOAuthServer2ServerToken();
@@ -259,23 +373,9 @@ public int updateGroups(Collection<AuthorizableConfigBean> groupConfigs) throws
             updatedGroupNames.add(groupConfig.getAuthorizableId());
             actionCommands.add(actionCommand);
         }
-        // optionally make users group administrators
-        if (config.groupAdmins() != null && config.groupAdmins().length > 0) {
-            // at most 10 groups per add command
-            AtomicInteger groupCounter = new AtomicInteger();
-            Collection<List<String>> adminGroupNameBatches = updatedGroupNames.stream()
-                    .map(id -> "_admin_" + id) // https://adobe-apiplatform.github.io/umapi-documentation/en/api/ActionsCmds.html#addRemoveAttr
-                    .collect(Collectors.groupingBy
-                    (it->groupCounter.getAndIncrement() / MAX_NUM_GROUPS_PER_ADD_STEP)).values();
-            for (List<String> adminGroupNames : adminGroupNameBatches) {
-                for (String groupAdmin : config.groupAdmins()) {
-                    ActionCommand actionCommand = new UserActionCommand(groupAdmin);
-                    AddGroupMembership addGroupMembership = new AddGroupMembership(adminGroupNames);
-                    actionCommand.addStep(addGroupMembership);
-                    actionCommands.add(actionCommand);
-                }
-            }
-        }
+
+        actionCommands.addAll(updateGroupAdminsCommands(token, updatedGroupNames, false));
+
         // update in batches of 10 commands
         AtomicInteger counter = new AtomicInteger();
         final Collection<List<ActionCommand>> actionCommandsBatches = actionCommands.stream().collect(Collectors.groupingBy
@@ -370,7 +470,7 @@ public GroupResponse handleResponse(
                 if (entity == null) {
                     throw new ClientProtocolException("Response contains no content for request " + getRequestInfo(httpGet));
                 }
-                //System.out.println(EntityUtils.toString(entity));
+                System.out.println(EntityUtils.toString(entity));
                 GroupResponse groupResponse = objectMapper.readValue(entity.getContent(), GroupResponse.class);
                 groupResponse.associatedRequest = httpGet;
                 return groupResponse;
@@ -401,7 +501,7 @@ Map<String, IMSUser> getUsersInGroup(String token, String name) throws IOExcepti
         return users;
     }
 
-    private UsersInGroupResponse getUsersInGroup(String token, String name, int page) throws IOException {
+    UsersInGroupResponse getUsersInGroup(String token, String name, int page) throws IOException {
         ObjectMapper objectMapper = new ObjectMapper();
         HttpGet httpGet;
         try {
 
@@ -15,12 +15,13 @@
 
 import java.util.Collection;
 import java.util.LinkedList;
+import java.util.Objects;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
 
 public class ActionCommand {
 
-    @JsonProperty("do")
+    @JsonProperty(value = "do", required = true)
     final Collection<Step> steps;
 
     public ActionCommand() {
@@ -30,4 +31,26 @@ public ActionCommand() {
     public boolean addStep(Step step) {
         return steps.add(step);
     }
+
+    @Override
+    public String toString() {
+        return "ActionCommand [steps=" + steps + "]";
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(steps);
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        if (this == obj)
+            return true;
+        if (obj == null)
+            return false;
+        if (getClass() != obj.getClass())
+            return false;
+        ActionCommand other = (ActionCommand) obj;
+        return Objects.equals(steps, other.steps);
+    }
 }
@@ -1,5 +1,7 @@
 package biz.netcentric.cq.tools.actool.ims.request;
 
+import java.util.Objects;
+
 /*-
  * #%L
  * Access Control Tool Bundle
@@ -32,4 +34,26 @@ public class AddGroupMembers implements Step {
 
     @JsonProperty("productConfiguration")
     public Set<String> productProfileIds;
+
+    @Override
+    public String toString() {
+        return "AddGroupMembers [userIds=" + userIds + ", productProfileIds=" + productProfileIds + "]";
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(productProfileIds, userIds);
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        if (this == obj)
+            return true;
+        if (obj == null)
+            return false;
+        if (getClass() != obj.getClass())
+            return false;
+        AddGroupMembers other = (AddGroupMembers) obj;
+        return Objects.equals(productProfileIds, other.productProfileIds) && Objects.equals(userIds, other.userIds);
+    }
 }
@@ -14,25 +14,49 @@
  */
 
 import java.util.Collection;
-import java.util.HashSet;
+import java.util.LinkedHashSet;
+import java.util.Objects;
 import java.util.Set;
 
 import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.annotation.JsonInclude.Include;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.annotation.JsonTypeName;
 
-/** Maintains memberships of users in (admin) groups, to be used with {@link UserActionCommand}.
+/** 
+ * Maintains memberships of users in (admin) groups, to be used with {@link UserActionCommand}.
  * @see AddGroupMembers
  */
 @JsonTypeName("add")
 @JsonInclude(Include.NON_EMPTY) // neither empty strings nor null values are allowed for the fields
 public class AddGroupMembership implements Step {
 
     public AddGroupMembership(Collection<String> group) {
-        this.group = new HashSet<>(group);
+        this.group = new LinkedHashSet<>(group);
     }
 
-    @JsonProperty("group")
+    @JsonProperty(value = "group", required = true)
     public Set<String> group;
+
+    @Override
+    public String toString() {
+        return "AddGroupMembership [group=" + group + "]";
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(group);
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        if (this == obj)
+            return true;
+        if (obj == null)
+            return false;
+        if (getClass() != obj.getClass())
+            return false;
+        AddGroupMembership other = (AddGroupMembership) obj;
+        return Objects.equals(group, other.group);
+    }
 }
@@ -1,5 +1,7 @@
 package biz.netcentric.cq.tools.actool.ims.request;
 
+import java.util.Objects;
+
 /*-
  * #%L
  * Access Control Tool Bundle
@@ -30,4 +32,26 @@ public class CreateGroupStep implements Step {
     //String name; 
     @JsonProperty
     public String description; // this may be empty
+
+    @Override
+    public String toString() {
+        return "CreateGroupStep [defaultOption=" + defaultOption + ", description=" + description + "]";
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(defaultOption, description);
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        if (this == obj)
+            return true;
+        if (obj == null)
+            return false;
+        if (getClass() != obj.getClass())
+            return false;
+        CreateGroupStep other = (CreateGroupStep) obj;
+        return Objects.equals(defaultOption, other.defaultOption) && Objects.equals(description, other.description);
+    }
 }