DESENG-447 : Convert keycloak groups to composite roles for permissio…

…n levels (#2376) * DESENG-447 Removed references to EAO in groups, remove group check for AuthGate * DESENG-447 Remove or comment out references to groups * DESENG-447: Commented out checks related to groups * DESENG-447: Fixing linting issues and unit test * Updated Changelog * Removed console.log statements * Removed console.log --------- Co-authored-by: Alex <[email protected]>
bcgov · Feb 7, 2024 · 23faaae · 23faaae
1 parent 16d4f32
commit 23faaae
Show file tree

Hide file tree

Showing 23 changed files with 793 additions and 790 deletions.
diff --git a/CHANGELOG.MD b/CHANGELOG.MD
@@ -1,3 +1,9 @@
+## February 06, 2024
+- **Task**Convert keycloak groups to composite roles for permission levels [DESENG-447](https://apps.itsm.gov.bc.ca/jira/browse/DESENG-447)
+    - Commented out unit test related to Keycloak groups
+    - Changed reference of Keycloak `groups` to `roles`
+    - Commented out code related to Keycloak groups
+
 ## February 06, 2024
 - **Task** Streamline CRON jobs [DESENG-493](https://apps.itsm.gov.bc.ca/jira/browse/DESENG-493)
   - Aligned the CRON configuration and sample environment files with the structure used in the Met API.

diff --git a/met-api/.DS_Store b/met-api/.DS_Store
diff --git a/met-api/src/met_api/models/membership.py b/met-api/src/met_api/models/membership.py
@@ -93,7 +93,7 @@ def find_by_user_id(
     @classmethod
     def find_by_engagement_and_user_id(cls, eng_id, userid, status=None) \
             -> Membership:
-        """Get a survey."""
+        """Get a membership by engagement and user ID."""
         query = db.session.query(Membership) \
             .join(StaffUser, StaffUser.id == Membership.user_id) \
             .filter(and_(Membership.engagement_id == eng_id,

diff --git a/met-api/src/met_api/resources/engagement_members.py b/met-api/src/met_api/resources/engagement_members.py
@@ -48,17 +48,18 @@ def get(engagement_id):
         except BusinessException as err:
             return {'message': err.error}, err.status_code
 
-    @staticmethod
-    @cross_origin(origins=allowedorigins())
-    @_jwt.requires_auth
-    def post(engagement_id):
-        """Create a new membership."""
-        # TODO validate against a schema.
-        try:
-            member = MembershipService.create_membership(engagement_id, request.get_json())
-            return MembershipSchema().dump(member), HTTPStatus.OK
-        except BusinessException as err:
-            return {'message': err.error}, err.status_code
+    # TODO: Create membership method that uses composite roles
+    # @staticmethod
+    # @cross_origin(origins=allowedorigins())
+    # @_jwt.requires_auth
+    # def post(engagement_id):
+    #     """Create a new membership."""
+    #     # TODO validate against a schema.
+    #     try:
+    #         member = MembershipService.create_membership(engagement_id, request.get_json())
+    #         return MembershipSchema().dump(member), HTTPStatus.OK
+    #     except BusinessException as err:
+    #         return {'message': err.error}, err.status_code
 
 
 @cors_preflight('GET,OPTIONS')

diff --git a/met-api/src/met_api/resources/staff_user.py b/met-api/src/met_api/resources/staff_user.py
@@ -72,7 +72,7 @@ def get():
         users = StaffUserService.find_users(
             pagination_options=pagination_options,
             search_text=args.get('search_text', '', str),
-            include_groups=args.get('include_groups', default=False, type=lambda v: v.lower() == 'true'),
+            include_roles=args.get('include_roles', default=False, type=lambda v: v.lower() == 'true'),
             include_inactive=args.get('include_inactive', default=False, type=lambda v: v.lower() == 'true')
         )
         return jsonify(users), HTTPStatus.OK
@@ -91,7 +91,7 @@ def get(user_id):
         args = request.args
         user = StaffUserService.get_user_by_id(
             user_id,
-            include_groups=args.get('include_groups', default=False, type=lambda v: v.lower() == 'true'),
+            include_roles=args.get('include_roles', default=False, type=lambda v: v.lower() == 'true'),
             include_inactive=True,
         )
         return user, HTTPStatus.OK
@@ -121,44 +121,6 @@ def patch(user_id):
             return str(err), HTTPStatus.BAD_REQUEST
 
 
-@cors_preflight('POST, PUT')
-@API.route('/<user_id>/groups')
-class UserGroup(Resource):
-    """Add user to group."""
-
-    @staticmethod
-    @cross_origin(origins=allowedorigins())
-    @require_role([Role.CREATE_ADMIN_USER.value], skip_tenant_check_for_admin=True)
-    def post(user_id):
-        """Add user to group."""
-        try:
-            args = request.args
-            user_schema = StaffUserService().add_user_to_group(user_id, args.get('group'))
-            return user_schema, HTTPStatus.OK
-        except KeyError as err:
-            return str(err), HTTPStatus.INTERNAL_SERVER_ERROR
-        except ValueError as err:
-            return str(err), HTTPStatus.INTERNAL_SERVER_ERROR
-        except BusinessException as err:
-            return {'message': err.error}, err.status_code
-
-    @staticmethod
-    @cross_origin(origins=allowedorigins())
-    @_jwt.has_one_of_roles([Role.UPDATE_USER_GROUP.value])
-    def put(user_id):
-        """Update user group."""
-        try:
-            args = request.args
-            user_schema = StaffUserMembershipService().reassign_user(user_id, args.get('group'))
-            return user_schema, HTTPStatus.OK
-        except KeyError as err:
-            return str(err), HTTPStatus.INTERNAL_SERVER_ERROR
-        except ValueError as err:
-            return str(err), HTTPStatus.INTERNAL_SERVER_ERROR
-        except BusinessException as err:
-            return {'message': err.error}, err.status_code
-
-
 @cors_preflight('GET,OPTIONS')
 @API.route('/<user_id>/engagements')
 class EngagementMemberships(Resource):

diff --git a/met-api/src/met_api/services/authorization.py b/met-api/src/met_api/services/authorization.py
@@ -31,14 +31,15 @@ def check_auth(**kwargs):
     has_valid_roles = token_roles & permitted_roles
     if has_valid_roles:
         if not skip_tenant_check:
+
             user_tenant_id = user_from_db.tenant_id
             _validate_tenant(kwargs.get('engagement_id'), user_tenant_id)
         return
-
     team_permitted_roles = {MembershipType.TEAM_MEMBER.name, MembershipType.REVIEWER.name} & permitted_roles
 
     if team_permitted_roles:
         # check if he is a member of particular engagement.
+
         has_valid_team_access = _has_team_membership(kwargs, user_from_context, team_permitted_roles)
         if has_valid_team_access:
             return
@@ -63,16 +64,19 @@ def _has_team_membership(kwargs, user_from_context, team_permitted_roles) -> boo
     eng_id = kwargs.get('engagement_id')
 
     if not eng_id:
+
         return False
 
     user = StaffUserModel.get_user_by_external_id(user_from_context.sub)
 
     if not user:
+
         return False
 
     membership = MembershipModel.find_by_engagement_and_user_id(eng_id, user.id, status=MembershipStatus.ACTIVE.value)
 
     if not membership:
+
         return False
 
     skip_tenant_check = current_app.config.get('IS_SINGLE_TENANT_ENVIRONMENT')