DESENG-473: Restore role assignment functionality (#2385)

* Backend changes to leverage the CSS API for composite role management (#2382)
bcgov · Feb 15, 2024 · ca06c76 · ca06c76
1 parent 1bac246
commit ca06c76
Show file tree

Hide file tree

Showing 27 changed files with 437 additions and 428 deletions.
diff --git a/CHANGELOG.MD b/CHANGELOG.MD
@@ -1,3 +1,7 @@
+## February 15, 2024
+- **Task**Restore role assignment functionality to MET with the CSS API [DESENG-473](https://apps.itsm.gov.bc.ca/jira/browse/DESENG-473)
+    - Utilize the CSS API for efficient management of composite roles. This involves the assignment, reassignment, or removal of users from the composite roles of TEAM_MEMBER, REVIEWER, IT_ADMIN, or IT_VIEWER.
+
 ## February 09, 2024
 - **Task**Consolidate and re-write old migration files [DESENG-452](https://apps.itsm.gov.bc.ca/jira/browse/DESENG-452)
     - Deleted old migration files

diff --git a/met-api/sample.env b/met-api/sample.env
@@ -35,6 +35,14 @@ MET_ADMIN_CLIENT_ID="" # resource
 MET_ADMIN_CLIENT_SECRET="" # credentials.secret
 KEYCLOAK_CONNECT_TIMEOUT="60"
 
+KEYCLOAK_ADMIN_TOKEN_URL="" # URL to obtain the admin token from Keycloak
+KEYCLOAK_ADMIN_CLIENT_ID="" # Admin Client ID for Keycloak authentication
+KEYCLOAK_ADMIN_CLIENT_SECRET="" # Admin Client Secret for Keycloak authentication
+
+CSS_API_URL="" # CSS API URL
+CSS_API_ENVIRONMENT="" # CSS API environment
+CSS_API_INTEGRATION_ID= # CSS API integration number
+
 # JWT OIDC configuration for authentication
 # Populate from 'GDX MET web (public)-installation-*.json'
 JWT_OIDC_AUDIENCE="" # resource

diff --git a/met-api/src/met_api/config.py b/met-api/src/met_api/config.py
@@ -185,8 +185,12 @@ def SQLALCHEMY_DATABASE_URI(self) -> str:
         'REALMNAME': os.getenv('KEYCLOAK_REALMNAME', 'standard'),
         'SERVICE_ACCOUNT_ID': os.getenv('MET_ADMIN_CLIENT_ID'),
         'SERVICE_ACCOUNT_SECRET': os.getenv('MET_ADMIN_CLIENT_SECRET'),
-        'ADMIN_USERNAME': os.getenv('MET_ADMIN_CLIENT_ID'),
-        'ADMIN_SECRET': os.getenv('MET_ADMIN_CLIENT_SECRET'),
+        'ADMIN_BASE_URL': os.getenv('KEYCLOAK_ADMIN_TOKEN_URL', ''),
+        'ADMIN_USERNAME': os.getenv('KEYCLOAK_ADMIN_CLIENT_ID'),
+        'ADMIN_SECRET': os.getenv('KEYCLOAK_ADMIN_CLIENT_SECRET'),
+        'CSS_API_URL': os.getenv('CSS_API_URL', ''),
+        'CSS_API_ENVIRONMENT': os.getenv('CSS_API_ENVIRONMENT', ''),
+        'CSS_API_INTEGRATION_ID': os.getenv('CSS_API_INTEGRATION_ID'),
         'CONNECT_TIMEOUT': int(os.getenv('KEYCLOAK_CONNECT_TIMEOUT', '60')),
     }
 

diff --git a/met-api/src/met_api/resources/engagement_members.py b/met-api/src/met_api/resources/engagement_members.py
@@ -48,18 +48,17 @@ def get(engagement_id):
         except BusinessException as err:
             return {'message': err.error}, err.status_code
 
-    # TODO: Create membership method that uses composite roles
-    # @staticmethod
-    # @cross_origin(origins=allowedorigins())
-    # @_jwt.requires_auth
-    # def post(engagement_id):
-    #     """Create a new membership."""
-    #     # TODO validate against a schema.
-    #     try:
-    #         member = MembershipService.create_membership(engagement_id, request.get_json())
-    #         return MembershipSchema().dump(member), HTTPStatus.OK
-    #     except BusinessException as err:
-    #         return {'message': err.error}, err.status_code
+    @staticmethod
+    @cross_origin(origins=allowedorigins())
+    @_jwt.requires_auth
+    def post(engagement_id):
+        """Create a new membership."""
+        # TODO validate against a schema.
+        try:
+            member = MembershipService.create_membership(engagement_id, request.get_json())
+            return MembershipSchema().dump(member), HTTPStatus.OK
+        except BusinessException as err:
+            return {'message': err.error}, err.status_code
 
 
 @cors_preflight('GET,OPTIONS')

diff --git a/met-api/src/met_api/resources/staff_user.py b/met-api/src/met_api/resources/staff_user.py
@@ -121,6 +121,44 @@ def patch(user_id):
             return str(err), HTTPStatus.BAD_REQUEST
 
 
+@cors_preflight('POST, PUT')
+@API.route('/<user_id>/roles')
+class UserRoles(Resource):
+    """Add user to composite roles."""
+
+    @staticmethod
+    @cross_origin(origins=allowedorigins())
+    @require_role([Role.CREATE_ADMIN_USER.value], skip_tenant_check_for_admin=True)
+    def post(user_id):
+        """Add user to composite roles."""
+        try:
+            args = request.args
+            user_schema = StaffUserService().assign_composite_role_to_user(user_id, args.get('role'))
+            return user_schema, HTTPStatus.OK
+        except KeyError as err:
+            return str(err), HTTPStatus.INTERNAL_SERVER_ERROR
+        except ValueError as err:
+            return str(err), HTTPStatus.INTERNAL_SERVER_ERROR
+        except BusinessException as err:
+            return {'message': err.error}, err.status_code
+
+    @staticmethod
+    @cross_origin(origins=allowedorigins())
+    @require_role([Role.UPDATE_USER_GROUP.value])
+    def put(user_id):
+        """Update user composite roles."""
+        try:
+            args = request.args
+            user_schema = StaffUserMembershipService().reassign_user(user_id, args.get('role'))
+            return user_schema, HTTPStatus.OK
+        except KeyError as err:
+            return str(err), HTTPStatus.INTERNAL_SERVER_ERROR
+        except ValueError as err:
+            return str(err), HTTPStatus.INTERNAL_SERVER_ERROR
+        except BusinessException as err:
+            return {'message': err.error}, err.status_code
+
+
 @cors_preflight('GET,OPTIONS')
 @API.route('/<user_id>/engagements')
 class EngagementMemberships(Resource):