Do not block access for ALL AD users when the license user limit is exceeded #116

[KebabRonin]

Fix for issue xwikisas/application-licensing#192

Depends on PR xwikisas/application-licensing#194 xwikisas/application-licensing#207

What was implemented:

• ActiveDirectoryAuthExtensionUserManager.java‎ - Implementation of an interface with some user operations
  • Only getUserDocFromUsername(String, XWikiContext) is actually used. The rest are remainders from other attempts on this issue, though some might be nice to have.
• ActiveDirectoryAuthServiceImpl.java - Added special cases in which the license is ignored and AD users are allowed to login. More precisely:

if (isLicensed()) {
    // Don't allow the creation of new LDAP users if the license cannot hold more users.
    return !(license.getMaxUserCount() == userCounter.getUserCount() && null == userPage);
} else {
    // Allow AD users to log in if they are the oldest active users on the instance (under the user limit). 
    return license.getExpirationDate() > new Date().getTime() && userCounter.isUserUnderLimit(userPage,
        license.getMaxUserCount());
}

---

Special cases

Active Directory license user limit is 5 for these examples

1. AD License user limit is reached exactly (5/5 users)

   • All existing users can log in
   • The AD license is treated as valid
   • New AD users should not be created automatically on login when the license user limit is reached. This is to avoid the situation where you create the account but are unable to login afterwards
     • If the login credentials match an AD user not yet imported in XWiki, the current behavior of the AD extension is to create a new user.
     • This can make the license invalid from the user limit point of view, making it so the new user will be able to log in only once, and be kicked out immediately.
   • Importing AD users through the Admin Section for Users won't be blocked like above

2. AD License user limit is exceeded (6/5 users)

   • All non-AD users can log in
   • The AD license is treated as invalid
   • For AD users to log in, they need to be among the oldest 5 currently active users (including non-AD users) on the instance.
     • So if the oldest 5 users on the instance are non-AD users, no AD users will be able to login.

[KebabRonin]

Might be worth to include this in the AuthExtensionUserManager interface, with a more suggestive name, to make it easier for other auth extensions to add the user limit bypass behavior from this PR. WDYT?

[KebabRonin]

Test cases

The license used for testing has a user limit of 5 users.
Users are listed in the order of their creation date on the instance.
Users from Active Directory have names starting with ADU . The rest are regular XWiki users.
Users in bold are unable to login.
Users in strikethrough are disabled.

Users on the instance	Active User count	Test Plan
Admin,regU1	<=5	Logging in 1. Go to the login page 2. Login using ADU1 3. Check that login succeeds and the new user is created
Admin,regU1,ADU1 (This one isn't really needed. I'm not sure that this test case actually tests anything)	<=5	Persistent login status for cookies 1. Go to the login page 2. Login using ADU1 (don't clear cookies) 3. Close the XWiki instance 4. Start the XWiki instance 5. Check that accessing any XWiki page still remembers ADU1 as the logged in user
Admin,regU1,ADU1,regU2,regU3	=5	No auto user creation when license limit reached 1. Go to the login page 2. Login using ADU2 (user existing in Active Directory server but not on XWiki) 3. Check that the login fails
Admin,regU1,ADU1,regU2,regU3	=5	User import not blocked when license limit reached 1. Go to Users in the Admin Section 2. Import user ADU2 (user existing in Active Directory server but not on XWiki) 3. Check that ADU2 is imported and can't log in
Admin,regU1,ADU1,regU2,regU3,ADU2,regU4 Previously in Active Directory (Pro) 1.17.2, both ADU1 and ADU2 couldn't log in. (The rest of the users could log in)	>5	User limit enforced for newest user 1. Check that regular users and ADU1 can log in 2. Check that ADU2 can't log in
Admin,regU1,ADU1,regU2,regU3,ADU2,regU4 Previously in Active Directory (Pro) 1.17.2, ADU1 and ADU2 couldn't log in.	>5	User import not blocked when license limit exceeded 1. Check that ADU1, ADU2, regU4 can log in
Admin,regU1,ADU1,regU2,regU3,ADU2,regU4,ADU3	8/7 user limit	License update 1. Check that, with the 5 user license, ADU2 and ADU3 can't log in 2. Update the license for AD to have 6 user limit 3. Check that ADU3 can't log in 4. Check that ADU1 and ADU2 can log in

I didn't test login methods other than the login form, such as using xwiki.authentication.ldap.httpHeader in xwiki.cfg.