From bf12d1b0c8f19105fa582c14e630376dcad80f24 Mon Sep 17 00:00:00 2001
From: Shaun Ford <shaun.ford@nike.com>
Date: Wed, 11 Jul 2018 15:47:54 -0700
Subject: [PATCH 1/5] Add feature flag for user group case sensitivity

---
 .../com/nike/cerberus/dao/PermissionsDao.java |  5 ++
 .../nike/cerberus/dao/SafeDepositBoxDao.java  |  4 ++
 .../cerberus/mapper/PermissionsMapper.java    |  3 +
 .../cerberus/mapper/SafeDepositBoxMapper.java |  2 +
 .../cerberus/service/PermissionsService.java  | 67 ++++++++++++++++---
 .../service/SafeDepositBoxService.java        | 13 +++-
 src/main/resources/cms.conf                   |  4 +-
 .../cerberus/mapper/PermissionsMapper.xml     | 23 +++++++
 .../cerberus/mapper/SafeDepositBoxMapper.xml  | 28 ++++++++
 .../service/PermissionsServiceTest.java       | 41 ++++++++++--
 10 files changed, 174 insertions(+), 16 deletions(-)

diff --git a/src/main/java/com/nike/cerberus/dao/PermissionsDao.java b/src/main/java/com/nike/cerberus/dao/PermissionsDao.java
index 1a8b25bd7..f2f39174c 100644
--- a/src/main/java/com/nike/cerberus/dao/PermissionsDao.java
+++ b/src/main/java/com/nike/cerberus/dao/PermissionsDao.java
@@ -23,6 +23,7 @@
 
 public class PermissionsDao {
 
+
     private final PermissionsMapper permissionsMapper;
 
     @Inject
@@ -37,4 +38,8 @@ public Boolean doesIamPrincipalHaveRoleForSdb(String sdbId, String iamPrincipalA
     public Boolean doesUserPrincipalHaveRoleForSdb(String sdbId, Set<String> rolesThatAllowPermission, Set<String> userGroupsThatPrincipalBelongsTo) {
         return permissionsMapper.doesUserPrincipalHaveGivenRoleForSdb(sdbId, rolesThatAllowPermission, userGroupsThatPrincipalBelongsTo);
     }
+
+    public Boolean doesUserHavePermsForRoleAndSdbCaseInsensitive(String sdbId, Set<String> rolesThatAllowPermission, Set<String> userGroupsThatPrincipalBelongsTo) {
+        return permissionsMapper.doesUserHavePermsForRoleAndSdbCaseInsensitive(sdbId, rolesThatAllowPermission, userGroupsThatPrincipalBelongsTo);
+    }
 }
diff --git a/src/main/java/com/nike/cerberus/dao/SafeDepositBoxDao.java b/src/main/java/com/nike/cerberus/dao/SafeDepositBoxDao.java
index f00bc6131..191cae2d0 100644
--- a/src/main/java/com/nike/cerberus/dao/SafeDepositBoxDao.java
+++ b/src/main/java/com/nike/cerberus/dao/SafeDepositBoxDao.java
@@ -49,6 +49,10 @@ public List<SafeDepositBoxRecord> getUserAssociatedSafeDepositBoxes(final Set<St
         return safeDepositBoxMapper.getUserAssociatedSafeDepositBoxes(userGroups);
     }
 
+    public List<SafeDepositBoxRecord> getUserAssociatedSafeDepositBoxesIgnoreCase(final Set<String> userGroups) {
+        return safeDepositBoxMapper.getUserAssociatedSafeDepositBoxesIgnoreCase(userGroups);
+    }
+
     public List<SafeDepositBoxRecord> getIamPrincipalAssociatedSafeDepositBoxes(final String iamPrincipalArn) {
         return safeDepositBoxMapper.getIamPrincipalAssociatedSafeDepositBoxes(iamPrincipalArn);
     }
diff --git a/src/main/java/com/nike/cerberus/mapper/PermissionsMapper.java b/src/main/java/com/nike/cerberus/mapper/PermissionsMapper.java
index ccd4ec4ec..3bed60b22 100644
--- a/src/main/java/com/nike/cerberus/mapper/PermissionsMapper.java
+++ b/src/main/java/com/nike/cerberus/mapper/PermissionsMapper.java
@@ -30,4 +30,7 @@ Boolean doesUserPrincipalHaveGivenRoleForSdb(@Param("sdbId") String sdbId,
                                                  @Param("rolesThatAllowPermission") Set<String> rolesThatAllowPermission,
                                                  @Param("userGroupsThatPrincipalBelongsTo") Set<String> userGroupsThatPrincipalBelongsTo);
 
+    Boolean doesUserHavePermsForRoleAndSdbCaseInsensitive(@Param("sdbId") String sdbId,
+                                                          @Param("rolesThatAllowPermission") Set<String> rolesThatAllowPermission,
+                                                          @Param("userGroupsThatPrincipalBelongsTo") Set<String> userGroupsThatPrincipalBelongsTo);
 }
diff --git a/src/main/java/com/nike/cerberus/mapper/SafeDepositBoxMapper.java b/src/main/java/com/nike/cerberus/mapper/SafeDepositBoxMapper.java
index d49b633a8..39f901748 100644
--- a/src/main/java/com/nike/cerberus/mapper/SafeDepositBoxMapper.java
+++ b/src/main/java/com/nike/cerberus/mapper/SafeDepositBoxMapper.java
@@ -34,6 +34,8 @@ public interface SafeDepositBoxMapper {
 
     List<SafeDepositBoxRecord> getUserAssociatedSafeDepositBoxes(@Param("userGroups") Set<String> userGroups);
 
+    List<SafeDepositBoxRecord> getUserAssociatedSafeDepositBoxesIgnoreCase(@Param("userGroups") Set<String> userGroups);
+
     List<SafeDepositBoxRecord> getIamPrincipalAssociatedSafeDepositBoxes(@Param("iamPrincipalArn") final String iamPrincipalArn);
 
     SafeDepositBoxRecord getSafeDepositBox(@Param("id") String id);
diff --git a/src/main/java/com/nike/cerberus/service/PermissionsService.java b/src/main/java/com/nike/cerberus/service/PermissionsService.java
index 74f6328ca..27543814a 100644
--- a/src/main/java/com/nike/cerberus/service/PermissionsService.java
+++ b/src/main/java/com/nike/cerberus/service/PermissionsService.java
@@ -16,6 +16,7 @@
 
 package com.nike.cerberus.service;
 
+import com.google.inject.name.Named;
 import com.nike.backstopper.exception.ApiException;
 import com.nike.cerberus.SecureDataAction;
 import com.nike.cerberus.dao.PermissionsDao;
@@ -30,31 +31,38 @@
 
 import javax.inject.Inject;
 import javax.inject.Singleton;
+import java.util.Collection;
 import java.util.Optional;
 import java.util.Set;
+import java.util.stream.Collectors;
 
 import static com.nike.cerberus.record.RoleRecord.ROLE_OWNER;
 
 @Singleton
 public class PermissionsService {
 
+    public static final String USER_GROUPS_CASE_SENSITIVE = "cms.user.groups.caseSensitive";
+
     protected final Logger log = LoggerFactory.getLogger(getClass());
 
     private final RoleService roleService;
     private final UserGroupPermissionService userGroupPermissionService;
     private final IamPrincipalPermissionService iamPrincipalPermissionService;
     private final PermissionsDao permissionsDao;
+    private final boolean userGroupsCaseSensitive;
 
     @Inject
     public PermissionsService(RoleService roleService,
                               UserGroupPermissionService userGroupPermissionService,
                               IamPrincipalPermissionService iamPrincipalPermissionService,
-                              PermissionsDao permissionsDao) {
+                              PermissionsDao permissionsDao,
+                              @Named(USER_GROUPS_CASE_SENSITIVE) boolean userGroupsCaseSensitive) {
 
         this.roleService = roleService;
         this.userGroupPermissionService = userGroupPermissionService;
         this.iamPrincipalPermissionService = iamPrincipalPermissionService;
         this.permissionsDao = permissionsDao;
+        this.userGroupsCaseSensitive = userGroupsCaseSensitive;
     }
 
     /**
@@ -78,9 +86,9 @@ public boolean doesPrincipalHaveOwnerPermissions(CerberusPrincipal principal, Sa
                 }
                 break;
             case USER:
-                if (principal.getUserGroups().contains(sdb.getOwner())) {
-                    principalHasOwnerPermissions = true;
-                }
+                principalHasOwnerPermissions = userGroupsCaseSensitive ?
+                            principal.getUserGroups().contains(sdb.getOwner()) :
+                            containsIgnoreCase(principal.getUserGroups(), sdb.getOwner());
                 break;
         }
         return principalHasOwnerPermissions;
@@ -124,10 +132,12 @@ public boolean doesPrincipalHaveReadPermission(CerberusPrincipal principal, Stri
             case USER:
                 // if the the principal is a user principal ensure that one of the users groups is associated with the sdb
                 Set<UserGroupPermission> userGroupPermissions = userGroupPermissionService.getUserGroupPermissions(sdbId);
-                principalHasPermissionAssociationWithSdb = userGroupPermissions
-                        .stream()
-                        .filter(perm -> principal.getUserGroups().contains(perm.getName())) // filter for permissions on the sdb that have groups that the authenticated user belongs too.
-                        .count() > 0; // if there is more than one, then the SDB is has read, write or owner all of which allow read.
+                Set<String> userGroups = userGroupPermissions.stream()
+                        .map(UserGroupPermission::getName)
+                        .collect(Collectors.toSet());
+                principalHasPermissionAssociationWithSdb = userGroupsCaseSensitive ?
+                        doesHaveIntersection(userGroups, principal.getUserGroups()) :
+                        doesHaveIntersectionIgnoreCase(userGroups, principal.getUserGroups());
                 break;
         }
         return principalHasPermissionAssociationWithSdb;
@@ -140,7 +150,9 @@ public boolean doesPrincipalHavePermission(CerberusPrincipal principal, String s
                 hasPermission = permissionsDao.doesIamPrincipalHaveRoleForSdb(sdbId, principal.getName(), action.getAllowedRoles());
                 break;
             case USER:
-                hasPermission = permissionsDao.doesUserPrincipalHaveRoleForSdb(sdbId, action.getAllowedRoles(), principal.getUserGroups());
+                hasPermission = userGroupsCaseSensitive ?
+                        permissionsDao.doesUserPrincipalHaveRoleForSdb(sdbId, action.getAllowedRoles(), principal.getUserGroups()) :
+                        permissionsDao.doesUserHavePermsForRoleAndSdbCaseInsensitive(sdbId, action.getAllowedRoles(), principal.getUserGroups());
                 break;
             default:
                 log.error("Unknown Principal Type: {}, returning hasPermission: false", principal.getPrincipalType().getName());
@@ -156,4 +168,41 @@ public boolean doesPrincipalHavePermission(CerberusPrincipal principal, String s
 
         return hasPermission;
     }
+
+    /**
+     * Does a case-insensitive check to see if the collection contains the given String
+     * @param items   List of strings from which to search
+     * @param object  String for which to search
+     * @return  True if the object exists in the array, false if not
+     */
+    private boolean containsIgnoreCase(Collection<String> items, String object) {
+        return items.stream()
+                .anyMatch(item -> item.equalsIgnoreCase(object));
+    }
+
+    /**
+     * Checks if any string is contained in both the first collection and the second collection
+     * @return  True if both collections contain any one string, false if not
+     */
+    private boolean doesHaveIntersection(Collection<String> co1, Collection<String> co2) {
+        Set<String> co1LowerCase = co1.stream()
+                .map(String::toLowerCase)
+                .collect(Collectors.toSet());
+
+        return co2.stream()
+                .anyMatch(str -> co1LowerCase.contains(str.toLowerCase()));
+    }
+
+    /**
+     * Checks (ignoring case) if any string is contained in both the first collection and the second collection
+     * @return  True if both collections contain any one string, false if not
+     */
+    private boolean doesHaveIntersectionIgnoreCase(Collection<String> co1, Collection<String> co2) {
+        Set<String> co1LowerCase = co1.stream()
+                .map(String::toLowerCase)
+                .collect(Collectors.toSet());
+
+        return co2.stream()
+                .anyMatch(str -> co1LowerCase.contains(str.toLowerCase()));
+    }
 }
\ No newline at end of file
diff --git a/src/main/java/com/nike/cerberus/service/SafeDepositBoxService.java b/src/main/java/com/nike/cerberus/service/SafeDepositBoxService.java
index 76a9d19ea..49eda335e 100644
--- a/src/main/java/com/nike/cerberus/service/SafeDepositBoxService.java
+++ b/src/main/java/com/nike/cerberus/service/SafeDepositBoxService.java
@@ -45,6 +45,7 @@
 import org.slf4j.LoggerFactory;
 
 import javax.inject.Inject;
+import javax.inject.Named;
 import javax.inject.Singleton;
 import java.time.OffsetDateTime;
 import java.util.LinkedList;
@@ -53,6 +54,8 @@
 import java.util.Set;
 import java.util.stream.Collectors;
 
+import static com.nike.cerberus.service.PermissionsService.USER_GROUPS_CASE_SENSITIVE;
+
 /**
  * Business logic for interacting with safe deposit boxes.
  */
@@ -87,6 +90,8 @@ public class SafeDepositBoxService {
 
     private final SecureDataVersionDao secureDataVersionDao;
 
+    private final Boolean userGroupsCaseSensitive;
+
     @Inject
     public SafeDepositBoxService(SafeDepositBoxDao safeDepositBoxDao,
                                  UserGroupDao userGroupDao,
@@ -100,7 +105,8 @@ public SafeDepositBoxService(SafeDepositBoxDao safeDepositBoxDao,
                                  DateTimeSupplier dateTimeSupplier,
                                  AwsIamRoleArnParser awsIamRoleArnParser,
                                  SecureDataService secureDataService,
-                                 SecureDataVersionDao secureDataVersionDao) {
+                                 SecureDataVersionDao secureDataVersionDao,
+                                 @Named(USER_GROUPS_CASE_SENSITIVE) Boolean userGroupsCaseSensitive){
 
         this.safeDepositBoxDao = safeDepositBoxDao;
         this.userGroupDao = userGroupDao;
@@ -115,6 +121,7 @@ public SafeDepositBoxService(SafeDepositBoxDao safeDepositBoxDao,
         this.awsIamRoleArnParser = awsIamRoleArnParser;
         this.secureDataService = secureDataService;
         this.secureDataVersionDao = secureDataVersionDao;
+        this.userGroupsCaseSensitive = userGroupsCaseSensitive;
     }
 
     /**
@@ -132,7 +139,9 @@ public List<SafeDepositBoxSummary> getAssociatedSafeDepositBoxes(final CerberusP
                 sdbRecords = safeDepositBoxDao.getIamPrincipalAssociatedSafeDepositBoxes(principal.getName());
                 break;
             case USER:
-                sdbRecords = safeDepositBoxDao.getUserAssociatedSafeDepositBoxes(principal.getUserGroups());
+                sdbRecords = userGroupsCaseSensitive ?
+                        safeDepositBoxDao.getUserAssociatedSafeDepositBoxes(principal.getUserGroups()) :
+                        safeDepositBoxDao.getUserAssociatedSafeDepositBoxesIgnoreCase(principal.getUserGroups());
                 break;
             default:
                 throw new ApiException(DefaultApiError.UNKNOWN_PRINCIPAL_TYPE);
diff --git a/src/main/resources/cms.conf b/src/main/resources/cms.conf
index 8c2bf8fcd..cc63b9486 100644
--- a/src/main/resources/cms.conf
+++ b/src/main/resources/cms.conf
@@ -140,7 +140,7 @@ cms.jobs.configuredJobs=[
 #
 # Fully qualified classname, will be created with guice and injected into the event processor service
 #
-# You can add your own here as long as its availible on the classpath
+# You can add your own here as long as its available on the classpath
 # See https://github.com/Nike-Inc/cerberus-util-scripts/blob/master/bash_scripts/start-jar-script.sh#L72
 # ex set JVM_BEHAVIOR_ARGS='-cp /opt/cerberus/*.jar' with your jar there.
 # You can disable event logging locally or for your specific env by removing the default LoggingEventProcessor
@@ -164,3 +164,5 @@ cms.auth.token.hash.algorithm="PBKDF2WithHmacSHA512"
 cms.user.token.ttl=1h
 cms.user.token.maxRefreshCount=24
 cms.iam.token.ttl=1h
+
+cms.user.groups.caseSensitive=true
\ No newline at end of file
diff --git a/src/main/resources/com/nike/cerberus/mapper/PermissionsMapper.xml b/src/main/resources/com/nike/cerberus/mapper/PermissionsMapper.xml
index 65f92e223..76a09b211 100644
--- a/src/main/resources/com/nike/cerberus/mapper/PermissionsMapper.xml
+++ b/src/main/resources/com/nike/cerberus/mapper/PermissionsMapper.xml
@@ -63,4 +63,27 @@
         ) as HAS_PERMS
     </select>
 
+    <select id="doesUserHavePermsForRoleAndSdbCaseInsensitive" resultType="Boolean">
+        SELECT NOT 0 >= (
+            SELECT
+              COUNT(*)
+            FROM SAFE_DEPOSIT_BOX
+              LEFT JOIN USER_GROUP_PERMISSIONS ON SAFE_DEPOSIT_BOX.ID = USER_GROUP_PERMISSIONS.SDBOX_ID
+              LEFT JOIN USER_GROUP ON USER_GROUP_PERMISSIONS.USER_GROUP_ID = USER_GROUP.ID
+              LEFT JOIN ROLE ON USER_GROUP_PERMISSIONS.ROLE_ID = ROLE.ID
+            WHERE
+              SAFE_DEPOSIT_BOX.ID = #{sdbId}
+            AND
+              UPPER(USER_GROUP.NAME) IN
+              <foreach item="userGroup" collection="userGroupsThatPrincipalBelongsTo" separator="," open="(" close=")">
+                  UPPER(#{userGroup})
+              </foreach>
+            AND
+              ROLE.NAME IN
+              <foreach item="role" collection="rolesThatAllowPermission" separator="," open="(" close=")">
+                  #{role}
+              </foreach>
+        ) as HAS_PERMS
+    </select>
+
 </mapper>
\ No newline at end of file
diff --git a/src/main/resources/com/nike/cerberus/mapper/SafeDepositBoxMapper.xml b/src/main/resources/com/nike/cerberus/mapper/SafeDepositBoxMapper.xml
index a3268d212..ad537de3f 100644
--- a/src/main/resources/com/nike/cerberus/mapper/SafeDepositBoxMapper.xml
+++ b/src/main/resources/com/nike/cerberus/mapper/SafeDepositBoxMapper.xml
@@ -102,6 +102,34 @@
       SDB.ID ASC
   </select>
 
+  <select id="getUserAssociatedSafeDepositBoxesIgnoreCase" resultType="SafeDepositBoxRecord">
+    SELECT
+      DISTINCT SDB.ID,
+      SDB.CATEGORY_ID,
+      SDB.NAME,
+      SDB.DESCRIPTION,
+      SDB.PATH,
+      SDB.CREATED_BY,
+      SDB.LAST_UPDATED_BY,
+      SDB.CREATED_TS,
+      SDB.LAST_UPDATED_TS
+    FROM
+        SAFE_DEPOSIT_BOX SDB
+      INNER JOIN
+        USER_GROUP_PERMISSIONS UGP ON SDB.ID = UGP.SDBOX_ID
+      INNER JOIN
+        USER_GROUP UG ON UGP.USER_GROUP_ID = UG.ID
+    WHERE
+      UPPER(UG.NAME) IN
+      <foreach item="item" index="index" collection="userGroups"
+             open="(" separator="," close=")">
+        UPPER(#{item})
+      </foreach>
+    ORDER BY
+      SDB.CATEGORY_ID ASC,
+      SDB.ID ASC
+  </select>
+
   <select id="getIamPrincipalAssociatedSafeDepositBoxes" resultType="SafeDepositBoxRecord">
     SELECT
       DISTINCT SDB.ID,
diff --git a/src/test/java/com/nike/cerberus/service/PermissionsServiceTest.java b/src/test/java/com/nike/cerberus/service/PermissionsServiceTest.java
index 4cd6adeae..a8d193c38 100644
--- a/src/test/java/com/nike/cerberus/service/PermissionsServiceTest.java
+++ b/src/test/java/com/nike/cerberus/service/PermissionsServiceTest.java
@@ -33,14 +33,15 @@
 import java.util.Optional;
 import java.util.UUID;
 
-import static com.nike.cerberus.PrincipalType.*;
+import static com.nike.cerberus.PrincipalType.IAM;
+import static com.nike.cerberus.PrincipalType.USER;
 import static com.nike.cerberus.record.RoleRecord.ROLE_OWNER;
 import static com.nike.cerberus.record.RoleRecord.ROLE_READ;
 import static com.nike.cerberus.record.RoleRecord.ROLE_WRITE;
-import static org.junit.Assert.*;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
 import static org.mockito.Matchers.any;
 import static org.mockito.Mockito.doReturn;
-import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.spy;
 import static org.mockito.Mockito.when;
 import static org.mockito.MockitoAnnotations.initMocks;
@@ -68,11 +69,13 @@ public class PermissionsServiceTest {
     public void before() {
         initMocks(this);
 
+        boolean userGroupsCaseSensitive = true;
         permissionsService = new PermissionsService(
                 roleService,
                 userGroupPermissionService,
                 iamPrincipalPermissionService,
-                permissionsDao
+                permissionsDao,
+                userGroupsCaseSensitive
         );
 
         when(ownerRole.getId()).thenReturn(OWNER_ID);
@@ -275,4 +278,34 @@ public void test_that_doesPrincipalHavePermission_returns_false_for_user_when_da
         when(permissionsDao.doesUserPrincipalHaveRoleForSdb(any(), any(), any())).thenReturn(false);
         assertFalse(permissionsService.doesPrincipalHavePermission(principal, SDB_ID, SecureDataAction.READ));
     }
+
+    @Test
+    public void test_that_doesPrincipalHavePermission_calls_case_insensitive_method_when_case_sensitive_is_false() {
+        PermissionsService permissionsService = new PermissionsService(
+                roleService,
+                userGroupPermissionService,
+                iamPrincipalPermissionService,
+                permissionsDao,
+                false
+        );
+        CerberusPrincipal principal = new CerberusPrincipal(CerberusAuthToken.Builder.create().withPrincipalType(USER).build());
+        when(permissionsDao.doesUserPrincipalHaveRoleForSdb(any(), any(), any())).thenReturn(false);
+        when(permissionsDao.doesUserHavePermsForRoleAndSdbCaseInsensitive(any(), any(), any())).thenReturn(true);
+        assertTrue(permissionsService.doesPrincipalHavePermission(principal, SDB_ID, SecureDataAction.READ));
+    }
+
+    @Test
+    public void test_that_doesPrincipalHavePermission_calls_case_sensitive_method_when_case_sensitive_is_true() {
+        PermissionsService permissionsService = new PermissionsService(
+                roleService,
+                userGroupPermissionService,
+                iamPrincipalPermissionService,
+                permissionsDao,
+                true
+        );
+        CerberusPrincipal principal = new CerberusPrincipal(CerberusAuthToken.Builder.create().withPrincipalType(USER).build());
+        when(permissionsDao.doesUserPrincipalHaveRoleForSdb(any(), any(), any())).thenReturn(false);
+        when(permissionsDao.doesUserHavePermsForRoleAndSdbCaseInsensitive(any(), any(), any())).thenReturn(true);
+        assertFalse(permissionsService.doesPrincipalHavePermission(principal, SDB_ID, SecureDataAction.READ));
+    }
 }

From a551b003f82fe4f52a65be26127a288da925467d Mon Sep 17 00:00:00 2001
From: Shaun Ford <shaun.ford@nike.com>
Date: Thu, 12 Jul 2018 10:39:30 -0700
Subject: [PATCH 2/5] Add tests and comment for case sensitive property

---
 .../cerberus/service/PermissionsService.java  |  6 +-
 src/main/resources/cms.conf                   |  5 +
 .../service/PermissionsServiceTest.java       | 97 +++++++++++++++++++
 3 files changed, 103 insertions(+), 5 deletions(-)

diff --git a/src/main/java/com/nike/cerberus/service/PermissionsService.java b/src/main/java/com/nike/cerberus/service/PermissionsService.java
index 27543814a..11342f5d4 100644
--- a/src/main/java/com/nike/cerberus/service/PermissionsService.java
+++ b/src/main/java/com/nike/cerberus/service/PermissionsService.java
@@ -185,12 +185,8 @@ private boolean containsIgnoreCase(Collection<String> items, String object) {
      * @return  True if both collections contain any one string, false if not
      */
     private boolean doesHaveIntersection(Collection<String> co1, Collection<String> co2) {
-        Set<String> co1LowerCase = co1.stream()
-                .map(String::toLowerCase)
-                .collect(Collectors.toSet());
-
         return co2.stream()
-                .anyMatch(str -> co1LowerCase.contains(str.toLowerCase()));
+                .anyMatch(co1::contains);
     }
 
     /**
diff --git a/src/main/resources/cms.conf b/src/main/resources/cms.conf
index cc63b9486..a69fe7c71 100644
--- a/src/main/resources/cms.conf
+++ b/src/main/resources/cms.conf
@@ -165,4 +165,9 @@ cms.user.token.ttl=1h
 cms.user.token.maxRefreshCount=24
 cms.iam.token.ttl=1h
 
+# Set to true to make user group permissions case-sensitive
+#
+# For example:
+#   When true, if an SDB grants access to AD group 'Lst-foo', then users in group 'Lst-Foo' will not have access
+#   When false, if an SDB grants access to AD group 'Lst-foo', then users in group 'Lst-Foo' will have access
 cms.user.groups.caseSensitive=true
\ No newline at end of file
diff --git a/src/test/java/com/nike/cerberus/service/PermissionsServiceTest.java b/src/test/java/com/nike/cerberus/service/PermissionsServiceTest.java
index a8d193c38..f0081c7b9 100644
--- a/src/test/java/com/nike/cerberus/service/PermissionsServiceTest.java
+++ b/src/test/java/com/nike/cerberus/service/PermissionsServiceTest.java
@@ -308,4 +308,101 @@ public void test_that_doesPrincipalHavePermission_calls_case_sensitive_method_wh
         when(permissionsDao.doesUserHavePermsForRoleAndSdbCaseInsensitive(any(), any(), any())).thenReturn(true);
         assertFalse(permissionsService.doesPrincipalHavePermission(principal, SDB_ID, SecureDataAction.READ));
     }
+
+    @Test
+    public void test_that_doesPrincipalHaveReadPermission_returns_false_when_user_doesnt_have_perms_case_sensitive() {
+        PermissionsService permissionsService = new PermissionsService(
+                roleService,
+                userGroupPermissionService,
+                iamPrincipalPermissionService,
+                permissionsDao,
+                true);
+
+        CerberusPrincipal principal = new CerberusPrincipal(CerberusAuthToken.Builder.create()
+                .withPrincipalType(USER)
+                .withGroups("Lst-foo")
+                .build());
+
+        when(userGroupPermissionService.getUserGroupPermissions(SDB_ID)).thenReturn(ImmutableSet.of(
+                UserGroupPermission.Builder.create().withName("Lst-Foo").build()
+        ));
+
+        assertFalse("The principal should not have read permissions",
+                permissionsService.doesPrincipalHaveReadPermission(principal, SDB_ID));
+    }
+
+    @Test
+    public void test_that_doesPrincipalHaveReadPermission_returns_true_when_user_has_perms_case_insensitive() {
+        PermissionsService permissionsService = new PermissionsService(
+                roleService,
+                userGroupPermissionService,
+                iamPrincipalPermissionService,
+                permissionsDao,
+                false);
+
+        CerberusPrincipal principal = new CerberusPrincipal(CerberusAuthToken.Builder.create()
+                .withPrincipalType(USER)
+                .withGroups("Lst-foo")
+                .build());
+
+        when(userGroupPermissionService.getUserGroupPermissions(SDB_ID)).thenReturn(ImmutableSet.of(
+                UserGroupPermission.Builder.create().withName("Lst-Foo").build()
+        ));
+
+        assertTrue("The principal should have read permissions",
+                permissionsService.doesPrincipalHaveReadPermission(principal, SDB_ID));
+    }
+
+    @Test
+    public void test_that_doesPrincipalHaveOwnerPermissions_returns_false_when_user_doesnt_have_perms_case_sensitive() {
+        PermissionsService permissionsService = new PermissionsService(
+                roleService,
+                userGroupPermissionService,
+                iamPrincipalPermissionService,
+                permissionsDao,
+                true);
+
+        CerberusPrincipal principal = new CerberusPrincipal(CerberusAuthToken.Builder.create()
+                .withPrincipalType(USER)
+                .withGroups("Lst-foo")
+                .build());
+
+        SafeDepositBoxV2 sdb = SafeDepositBoxV2.Builder.create()
+                .withUserGroupPermissions(
+                        ImmutableSet.of(
+                                UserGroupPermission.Builder.create()
+                                        .withName("Lst-Foo")
+                                        .withRoleId(OWNER_ID)
+                                        .build()
+                        )
+                )
+                .build();
+
+
+        Boolean actual = permissionsService.doesPrincipalHaveOwnerPermissions(principal, sdb);
+        assertFalse("The principal should not have owner permissions", actual);
+    }
+
+    @Test
+    public void test_that_doesPrincipalHaveOwnerPermissions_returns_true_when_user_has_perms_case_insensitive() {
+        PermissionsService permissionsService = new PermissionsService(
+                roleService,
+                userGroupPermissionService,
+                iamPrincipalPermissionService,
+                permissionsDao,
+                false);
+
+        CerberusPrincipal principal = new CerberusPrincipal(CerberusAuthToken.Builder.create()
+                .withPrincipalType(USER)
+                .withGroups("Lst-foo")
+                .build());
+
+        SafeDepositBoxV2 sdb = SafeDepositBoxV2.Builder.create()
+                .withOwner("Lst-Foo")
+                .build();
+
+
+        Boolean actual = permissionsService.doesPrincipalHaveOwnerPermissions(principal, sdb);
+        assertTrue("The principal should have owner permissions", actual);
+    }
 }

From 468119908a2524fdd51a112fd146f113e9a2f5e8 Mon Sep 17 00:00:00 2001
From: Shaun Ford <shaun.ford@nike.com>
Date: Thu, 12 Jul 2018 10:44:04 -0700
Subject: [PATCH 3/5] Add documentation to README and conf file

---
 README.md                   | 1 +
 src/main/resources/cms.conf | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 58eb83cf4..882aa0780 100644
--- a/README.md
+++ b/README.md
@@ -57,6 +57,7 @@ cms.event.processors.com.nike.cerberus.event.processor.LoggingEventProcessor | N
 cms.event.processors.com.nike.cerberus.event.processor.AuditLogProcessor | No | defaults to false, Boolean of whether or not to enable audit logging, see #events below
 cms.audit.bucket="bucket-name" | No | [See Logging Event Processor below](https://github.com/Nike-Inc/cerberus-management-service/tree/feature/audit_logging#audit-log-processor)
 cms.audit.bucket_region="bucket-region" | No | [See Logging Event Processor below](https://github.com/Nike-Inc/cerberus-management-service/tree/feature/audit_logging#audit-log-processor)
+cms.user.groups.caseSensitive                       | YES      | Property to enable/disable case-sensitive user AD group permission checks
 
 KMS Policies are bound to IAM Principal IDs rather than ARNs themselves. Because of this, we validate the policy at authentication time
 to ensure that if an IAM role has been deleted and re-created, that we grant access to the new principal ID.
diff --git a/src/main/resources/cms.conf b/src/main/resources/cms.conf
index a69fe7c71..b4f3f2af9 100644
--- a/src/main/resources/cms.conf
+++ b/src/main/resources/cms.conf
@@ -165,7 +165,7 @@ cms.user.token.ttl=1h
 cms.user.token.maxRefreshCount=24
 cms.iam.token.ttl=1h
 
-# Set to true to make user group permissions case-sensitive
+# Set to true to make user group permissions case-sensitive, false for case-insensitive
 #
 # For example:
 #   When true, if an SDB grants access to AD group 'Lst-foo', then users in group 'Lst-Foo' will not have access

From bfe4a950159ea8c966cae4ea8ca856420ab9c2ac Mon Sep 17 00:00:00 2001
From: Shaun Ford <shaun.ford@nike.com>
Date: Thu, 12 Jul 2018 10:48:57 -0700
Subject: [PATCH 4/5] Clean up permissions contains ignore case method

---
 .../java/com/nike/cerberus/service/PermissionsService.java     | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/main/java/com/nike/cerberus/service/PermissionsService.java b/src/main/java/com/nike/cerberus/service/PermissionsService.java
index 11342f5d4..adf889a21 100644
--- a/src/main/java/com/nike/cerberus/service/PermissionsService.java
+++ b/src/main/java/com/nike/cerberus/service/PermissionsService.java
@@ -199,6 +199,7 @@ private boolean doesHaveIntersectionIgnoreCase(Collection<String> co1, Collectio
                 .collect(Collectors.toSet());
 
         return co2.stream()
-                .anyMatch(str -> co1LowerCase.contains(str.toLowerCase()));
+                .map(String::toLowerCase)
+                .anyMatch(co1LowerCase::contains);
     }
 }
\ No newline at end of file

From 3c0414a18d3119614fc149c75a9cc012c31e0862 Mon Sep 17 00:00:00 2001
From: Shaun Ford <shaun.ford@nike.com>
Date: Thu, 12 Jul 2018 14:01:37 -0700
Subject: [PATCH 5/5] Update gradle version to 3.19.0

---
 gradle.properties | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gradle.properties b/gradle.properties
index a86576cc9..5f1d43565 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -14,6 +14,6 @@
 # limitations under the License.
 #
 
-version=3.18.2
+version=3.19.0
 groupId=com.nike.cerberus
 artifactId=cms