Merge pull request AOT-Technologies#2166 from AOT-Technologies/featur…

…e/FWF-3316-permission-matrix Feature/fwf 3316 permission matrix to develoop
abilpraju-aot · Jul 30, 2024 · 677e793 · 677e793
2 parents 1d6728f + 78249e7
commit 677e793
Show file tree

Hide file tree

Showing 105 changed files with 2,615 additions and 1,868 deletions.
diff --git a/.github/workflows/forms-flow-api-cd.yml b/.github/workflows/forms-flow-api-cd.yml
@@ -3,7 +3,7 @@ name: Push Forms flow API to registry
 on:
   workflow_dispatch:
   push:
-    branches: [ master, develop, release/* ]
+    branches: [ master, develop, release/*, feature/FWF-3316-permission-matrix ]
     paths:
       - "forms-flow-api/**"
       - "VERSION"
@@ -109,20 +109,20 @@ jobs:
           sarif_file: snyk.sarif
 
 #####
-      - name: Set up AWS CLI
-        uses: aws-actions/configure-aws-credentials@v1
-        with:
-          aws-access-key-id: ${{ secrets.AWS_DEPLOYMENT_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_DEPLOYMENT_SECRET_ACCESS_KEY }}
-          aws-region: ca-central-1  # Change this to your desired region
-      - name: Install kubectl
-        run: |
-          curl -LO "https://dl.k8s.io/release/$(curl -Ls https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
-          chmod +x kubectl
-          sudo mv kubectl /usr/local/bin/
-      - name: Update Kube config
-        run: aws eks update-kubeconfig --region ca-central-1 --name ${{ secrets.DEV_EKS_CLUSTER }}
-      - name: Deploy to eks
-        run: |
-          kubectl -n ${{ secrets.DEV_OPENSOURCE_NAMESPACE }} patch deployment forms-flow-api -p '{"spec":{"template":{"spec":{"containers":[{"name":"forms-flow-api","image":"docker.io/formsflow/forms-flow-webapi:${{ env.VERSION }}"}]}}}}'
-          kubectl -n ${{ secrets.DEV_OPENSOURCE_NAMESPACE }} rollout restart deployment forms-flow-api
+      # - name: Set up AWS CLI
+      #   uses: aws-actions/configure-aws-credentials@v1
+      #   with:
+      #     aws-access-key-id: ${{ secrets.AWS_DEPLOYMENT_ACCESS_KEY_ID }}
+      #     aws-secret-access-key: ${{ secrets.AWS_DEPLOYMENT_SECRET_ACCESS_KEY }}
+      #     aws-region: ca-central-1  # Change this to your desired region
+      # - name: Install kubectl
+      #   run: |
+      #     curl -LO "https://dl.k8s.io/release/$(curl -Ls https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
+      #     chmod +x kubectl
+      #     sudo mv kubectl /usr/local/bin/
+      # - name: Update Kube config
+      #   run: aws eks update-kubeconfig --region ca-central-1 --name ${{ secrets.DEV_EKS_CLUSTER }}
+      # - name: Deploy to eks
+      #   run: |
+      #     kubectl -n ${{ secrets.DEV_OPENSOURCE_NAMESPACE }} patch deployment forms-flow-api -p '{"spec":{"template":{"spec":{"containers":[{"name":"forms-flow-api","image":"docker.io/formsflow/forms-flow-webapi:${{ env.VERSION }}"}]}}}}'
+      #     kubectl -n ${{ secrets.DEV_OPENSOURCE_NAMESPACE }} rollout restart deployment forms-flow-api
diff --git a/.github/workflows/forms-flow-api-ci.yml b/.github/workflows/forms-flow-api-ci.yml
@@ -7,11 +7,13 @@ on:
       - develop
       - master
       - release/**
+      - feature/FWF-3316-permission-matrix
   pull_request:
     branches:
       - develop
       - master
       - release/**
+      - feature/FWF-3316-permission-matrix
     paths:
       - "forms-flow-api/**"
 

diff --git a/.github/workflows/forms-flow-bpm-cd.yml b/.github/workflows/forms-flow-bpm-cd.yml
@@ -3,7 +3,7 @@ name: Push Forms flow BPM to registry
 on:
   workflow_dispatch:
   push:
-    branches: [ master, develop, release/* ]
+    branches: [ master, develop, release/*, feature/FWF-3316-permission-matrix ]
     paths:
       - "forms-flow-bpm/**"
       - "VERSION"

diff --git a/.github/workflows/forms-flow-data-analysis-api-cd.yml b/.github/workflows/forms-flow-data-analysis-api-cd.yml
@@ -3,7 +3,7 @@ name: Push Forms flow Analysis API to registry
 on:
   workflow_dispatch:
   push:
-    branches: [ master, develop, release/* ]
+    branches: [ master, develop, release/*, feature/FWF-3316-permission-matrix ]
     paths:
       - "forms-flow-data-analysis-api/**"
       - "VERSION"

diff --git a/.github/workflows/forms-flow-documents-cd.yml b/.github/workflows/forms-flow-documents-cd.yml
@@ -3,7 +3,7 @@ name: Push Forms flow Document to registry
 on:
   workflow_dispatch:
   push:
-    branches: [ master, develop, release/* ]
+    branches: [ master, develop, release/*, feature/FWF-3316-permission-matrix ]
     paths:
       - "forms-flow-documents/**"
       - "VERSION"

diff --git a/.github/workflows/forms-flow-root-config-cd.yml b/.github/workflows/forms-flow-root-config-cd.yml
@@ -3,7 +3,7 @@ name: Push Forms flow root config to registry
 on:
   workflow_dispatch:
   push:
-    branches: [ master, develop, release/* ]
+    branches: [ master, develop, release/*, feature/FWF-3316-permission-matrix ]
     paths:
       - "forms-flow-web-root-config/**"
       - "VERSION"

diff --git a/.github/workflows/forms-flow-web-cd.yml b/.github/workflows/forms-flow-web-cd.yml
@@ -6,6 +6,7 @@ on:
       - master
       - develop
       - release/*
+      - feature/FWF-3316-permission-matrix
     paths:
       - "forms-flow-web/**"
       - "VERSION"

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-v6.1.0-alpha
+v6.1.0-rbac-alpha
diff --git a/deployment/docker/docker-compose.yml b/deployment/docker/docker-compose.yml
@@ -137,10 +137,10 @@ services:
       context: ./../../forms-flow-web-root-config/
       dockerfile: Dockerfile
       args:
-        - MF_FORMSFLOW_WEB_URL=${MF_FORMSFLOW_WEB_URL:-https://forms-flow-microfrontends.aot-technologies.com/[email protected]/forms-flow-web.gz.js}
-        - MF_FORMSFLOW_NAV_URL=${MF_FORMSFLOW_NAV_URL:-https://forms-flow-microfrontends.aot-technologies.com/[email protected]/forms-flow-nav.gz.js}
-        - MF_FORMSFLOW_SERVICE_URL=${MF_FORMSFLOW_SERVICE_URL:-https://forms-flow-microfrontends.aot-technologies.com/[email protected]/forms-flow-service.gz.js}
-        - MF_FORMSFLOW_ADMIN_URL=${MF_FORMSFLOW_ADMIN_URL:-https://forms-flow-microfrontends.aot-technologies.com/[email protected]/forms-flow-admin.gz.js}
+        - MF_FORMSFLOW_WEB_URL=${MF_FORMSFLOW_WEB_URL:-https://forms-flow-microfrontends.aot-technologies.com/[email protected]rbac-alpha/forms-flow-web.gz.js}
+        - MF_FORMSFLOW_NAV_URL=${MF_FORMSFLOW_NAV_URL:-https://forms-flow-microfrontends.aot-technologies.com/[email protected]rbac-alpha/forms-flow-nav.gz.js}
+        - MF_FORMSFLOW_SERVICE_URL=${MF_FORMSFLOW_SERVICE_URL:-https://forms-flow-microfrontends.aot-technologies.com/[email protected]rbac-alpha/forms-flow-service.gz.js}
+        - MF_FORMSFLOW_ADMIN_URL=${MF_FORMSFLOW_ADMIN_URL:-https://forms-flow-microfrontends.aot-technologies.com/[email protected]rbac-alpha/forms-flow-admin.gz.js}
         - NODE_ENV=${NODE_ENV:-production}
     entrypoint: /bin/sh -c "/usr/share/nginx/html/config/env.sh && nginx -g 'daemon off;'"
     environment:

diff --git a/forms-flow-api-utils/src/formsflow_api_utils/utils/__init__.py b/forms-flow-api-utils/src/formsflow_api_utils/utils/__init__.py
@@ -20,9 +20,26 @@
     NEW_APPLICATION_STATUS,
     REVIEWER_GROUP,
     HTTP_TIMEOUT,
-    PERMISSIONS
 )
 from .enums import ApplicationSortingParameters
+from .permisions import (
+    PERMISSION_DETAILS ,
+    CREATE_DESIGNS,
+    VIEW_DESIGNS,
+    CREATE_SUBMISSIONS,
+    VIEW_SUBMISSIONS,
+    VIEW_DASHBOARDS,
+    VIEW_TASKS,
+    MANAGE_TASKS,
+    MANAGE_ALL_FILTERS,
+    CREATE_FILTERS,
+    VIEW_FILTERS,
+    MANAGE_INTEGRATIONS,
+    MANAGE_DASHBOARD_AUTHORIZATIONS,
+    MANAGE_USERS,
+    MANAGE_ROLES,
+    ADMIN,
+)
 from .file_log_handler import CustomTimedRotatingFileHandler, register_log_handlers
 from .format import CustomFormatter
 from .logging import setup_logging, log_bpm_error

diff --git a/forms-flow-api-utils/src/formsflow_api_utils/utils/auth.py b/forms-flow-api-utils/src/formsflow_api_utils/utils/auth.py
@@ -56,6 +56,11 @@ def wrapper(*args, **kwargs):
     def has_role(cls, role):
         """Method to validate the role."""
         return jwt.validate_roles(role)
+
+    @classmethod
+    def has_any_role(cls, role):
+        """Method to validate the role."""
+        return jwt.contains_role(role)
 
     @classmethod
     def require_custom(cls, f):
@@ -80,4 +85,4 @@ def decorated(*args, **kwargs):
 
 auth = (
     Auth()
-)  # pylint: disable=invalid-name; lower case name as used by convention in most Flask apps
+)  # pylint: disable=invalid-name; lower case name as used by convention in most Flask apps
diff --git a/forms-flow-api-utils/src/formsflow_api_utils/utils/constants.py b/forms-flow-api-utils/src/formsflow_api_utils/utils/constants.py
@@ -46,75 +46,4 @@
 
 DEFAULT_PROCESS_KEY = "Defaultflow"
 DEFAULT_PROCESS_NAME = "Default Flow"
-HTTP_TIMEOUT = 30
-
-PERMISSIONS = [{
-    "name": "create_designs",
-    "description": "Create Form, workflow designs",
-    "depends_on": ["view_designs"]
-  },
-  {
-    "name": "view_designs",
-    "description": "Access to design",
-    "depends_on": []
-  },
-  {
-    "name": "create_submissions",
-    "description": "Create submissions",
-    "depends_on": []
-  },
-  {
-    "name": "view_submissions",
-    "description": "Access to submissions",
-    "depends_on": []
-  },
-  {
-    "name": "view_dashboards",
-    "description": "Access to dashboards",
-    "depends_on": []
-  },
-  {
-    "name": "view_tasks",
-    "description": "Access to tasks",
-    "depends_on": []
-  },
-  {
-    "name": "manage_tasks",
-    "description": "Can claim and work on tasks",
-    "depends_on": ["view_tasks"]
-  },{
-    "name": "manage_all_filters",
-    "description": "Manage all filters",
-    "depends_on": ["view_filters","create_filters"]
-  },
-  {
-    "name": "create_filters",
-    "description": "Access to create filters",
-    "depends_on": ["view_filters"]
-  },
-  {
-    "name": "view_filters",
-    "description": "Access to view filters",
-    "depends_on": []
-  },
-  {
-    "name": "manage_integrations",
-    "description": "Access to Integrations",
-    "depends_on": []
-  },
-  {
-    "name": "manage_dashboard_authorizations",
-    "description": "Manage Dashboard Authorization",
-    "depends_on": ["view_dashboards"]
-  },
-  {
-    "name": "manage_users",
-    "description": "Manage Users",
-    "depends_on": []
-  },
-  {
-    "name": "manage_roles",
-    "description": "Manage Roles",
-    "depends_on": ["manage_users"]
-  }
-]
+HTTP_TIMEOUT = 30
diff --git a/forms-flow-api-utils/src/formsflow_api_utils/utils/permisions.py b/forms-flow-api-utils/src/formsflow_api_utils/utils/permisions.py
@@ -0,0 +1,46 @@
+"""Permission definitions."""
+
+CREATE_DESIGNS = "create_designs"
+VIEW_DESIGNS = "view_designs"
+CREATE_SUBMISSIONS = "create_submissions"
+VIEW_SUBMISSIONS = "view_submissions"
+VIEW_DASHBOARDS = "view_dashboards"
+VIEW_TASKS = "view_tasks"
+MANAGE_TASKS = "manage_tasks"
+MANAGE_ALL_FILTERS = "manage_all_filters"
+CREATE_FILTERS = "create_filters"
+VIEW_FILTERS = "view_filters"
+MANAGE_INTEGRATIONS = "manage_integrations"
+MANAGE_DASHBOARD_AUTHORIZATIONS = "manage_dashboard_authorizations"
+MANAGE_USERS = "manage_users"
+MANAGE_ROLES = "manage_roles"
+ADMIN= "admin"
+
+PERMISSION_DETAILS = [
+    {"name": CREATE_DESIGNS , "description": "Create Form, workflow designs", "depends_on": [ VIEW_DESIGNS ]},
+    {"name": VIEW_DESIGNS , "description": "Access to design", "depends_on": []},
+    {"name": CREATE_SUBMISSIONS , "description": "Create submissions", "depends_on": []},
+    {"name": VIEW_SUBMISSIONS , "description": "Access to submissions", "depends_on": []},
+    {"name": VIEW_DASHBOARDS , "description": "Access to dashboards", "depends_on": []},
+    {"name": VIEW_TASKS , "description": "Access to tasks", "depends_on": []},
+    {"name": MANAGE_TASKS , "description": "Can claim and work on tasks", "depends_on": [ VIEW_TASKS ]},
+    {"name": MANAGE_ALL_FILTERS , "description": "Manage all filters", "depends_on": [ VIEW_FILTERS , CREATE_FILTERS ]},
+    {"name": CREATE_FILTERS , "description": "Access to create filters", "depends_on": [ VIEW_FILTERS ]},
+    {"name": VIEW_FILTERS , "description": "Access to view filters", "depends_on": []},
+    {"name": MANAGE_INTEGRATIONS , "description": "Access to Integrations", "depends_on": []},
+    {"name": MANAGE_DASHBOARD_AUTHORIZATIONS , "description": "Manage Dashboard Authorization", "depends_on": [ VIEW_DASHBOARDS ]},
+    {"name": MANAGE_USERS , "description": "Manage Users", "depends_on": []},
+    {"name": MANAGE_ROLES , "description": "Manage Roles", "depends_on": [ MANAGE_USERS ]},
+    {"name": ADMIN , "description": "Administrator Role", "depends_on": [ MANAGE_ROLES , MANAGE_USERS ]},
+]
+
+
+def build_permission_dict():
+    """
+    Builds a dictionary of permissions where the key is the permission name and 
+    the value is the permission detail.
+
+    Returns:
+        dict: A dictionary of permission details.
+    """
+    return {permission["name"]: permission for permission in PERMISSION_DETAILS}
diff --git a/forms-flow-api-utils/src/formsflow_api_utils/utils/roles.py b/forms-flow-api-utils/src/formsflow_api_utils/utils/roles.py
diff --git a/forms-flow-api-utils/src/formsflow_api_utils/utils/user_context.py b/forms-flow-api-utils/src/formsflow_api_utils/utils/user_context.py
@@ -51,6 +51,11 @@ def email(self) -> str:
     def roles(self) -> List[str]:
         """Return the roles."""
         return self._roles
+
+    @property
+    def groups(self) -> List[str]:
+        """Return the roles."""
+        return self._groups
 
     @property
     def group_or_roles(self) -> List[str]:

diff --git a/forms-flow-api-utils/src/formsflow_api_utils/utils/util.py b/forms-flow-api-utils/src/formsflow_api_utils/utils/util.py
@@ -12,9 +12,6 @@
 
 from .constants import (
     ALLOW_ALL_ORIGINS,
-    CLIENT_GROUP,
-    DESIGNER_GROUP,
-    REVIEWER_GROUP,
 )
 from .enums import (
     ApplicationSortingParameters,
@@ -23,7 +20,14 @@
     ProcessSortingParameters,
 )
 from .translations.translations import translations
-
+from .permisions import (
+    CREATE_DESIGNS,
+VIEW_DESIGNS,
+MANAGE_TASKS,
+VIEW_TASKS,
+CREATE_SUBMISSIONS,
+VIEW_SUBMISSIONS,
+)
 
 def cors_preflight(methods: str = "GET"):
     """Render an option method on the class."""
@@ -108,11 +112,11 @@ def get_role_ids_from_user_groups(role_ids, user_role):
     if role_ids is None or user_role is None:
         return None
 
-    if DESIGNER_GROUP in user_role:
+    if any(permission in user_role for permission in [ CREATE_DESIGNS, VIEW_DESIGNS]):
         return role_ids
-    if REVIEWER_GROUP in user_role:
+    if any(permission in user_role for permission in [ MANAGE_TASKS, VIEW_TASKS]):
         return filter_list_by_user_role(FormioRoles.REVIEWER.name, role_ids)
-    if CLIENT_GROUP in user_role:
+    if any(permission in user_role for permission in [ CREATE_SUBMISSIONS, VIEW_SUBMISSIONS]):
         return filter_list_by_user_role(FormioRoles.CLIENT.name, role_ids)
     return None
 

diff --git a/forms-flow-api/requirements.txt b/forms-flow-api/requirements.txt
@@ -27,7 +27,7 @@ ecdsa==0.18.0
 flask-jwt-oidc==0.3.0
 flask-marshmallow==1.2.1
 flask-restx==1.3.0
-formsflow_api_utils  @ git+https://github.com/AOT-Technologies/forms-flow-ai.git@develop#subdirectory=forms-flow-api-utils
+formsflow_api_utils  @ git+https://github.com/AOT-Technologies/forms-flow-ai.git@feature/FWF-3316-permission-matrix#subdirectory=forms-flow-api-utils
 gunicorn==21.2.0
 h11==0.14.0
 h2==4.1.0

diff --git a/forms-flow-api/requirements/prod.txt b/forms-flow-api/requirements/prod.txt
@@ -16,4 +16,4 @@ sqlalchemy_utils
 markupsafe
 PyJWT
 redis
-git+https://github.com/AOT-Technologies/forms-flow-ai.git@develop#egg=formsflow_api_utils&subdirectory=forms-flow-api-utils
+git+https://github.com/AOT-Technologies/forms-flow-ai.git@feature/FWF-3316-permission-matrix#subdirectory=forms-flow-api-utils
diff --git a/forms-flow-api/src/formsflow_api/app.py b/forms-flow-api/src/formsflow_api/app.py
@@ -59,7 +59,7 @@ def create_app(
         when=os.getenv("API_LOG_ROTATION_WHEN", "d"),
         interval=int(os.getenv("API_LOG_ROTATION_INTERVAL", "1")),
         backupCount=int(os.getenv("API_LOG_BACKUP_COUNT", "7")),
-        configure_log_file=app.config["CONFIGURE_LOGS"]
+        configure_log_file=app.config["CONFIGURE_LOGS"],
     )
 
     app.logger.propagate = False

diff --git a/forms-flow-api/src/formsflow_api/config.py b/forms-flow-api/src/formsflow_api/config.py
@@ -85,7 +85,9 @@ class _Config:  # pylint: disable=too-few-public-methods
     # Keycloak Admin Service
     KEYCLOAK_URL = os.getenv("KEYCLOAK_URL")
     KEYCLOAK_URL_REALM = os.getenv("KEYCLOAK_URL_REALM")
-    KEYCLOAK_URL_HTTP_RELATIVE_PATH = os.getenv("KEYCLOAK_URL_HTTP_RELATIVE_PATH", "/auth")
+    KEYCLOAK_URL_HTTP_RELATIVE_PATH = os.getenv(
+        "KEYCLOAK_URL_HTTP_RELATIVE_PATH", "/auth"
+    )
 
     # Web url
     WEB_BASE_URL = os.getenv("WEB_BASE_URL")