Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

DESENG-447 : Convert keycloak groups to composite roles for permission levels #2376

Merged
merged 7 commits into from
Feb 7, 2024
Merged

DESENG-447 : Convert keycloak groups to composite roles for permission levels #2376

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
b60c93a
DESENG-447 Removed references to EAO in groups, remove group check fo…
Jan 9, 2024
449060b
DESENG-447 Remove or comment out references to groups
Jan 30, 2024
2e2c38d
DESENG-447: Commented out checks related to groups
ratheesh-aot Feb 6, 2024
ff394e0
DESENG-447: Fixing linting issues and unit test
ratheesh-aot Feb 7, 2024
e9efd87
Updated Changelog
ratheesh-aot Feb 7, 2024
f0df39b
Removed console.log statements
ratheesh-aot Feb 7, 2024
e436ab7
Removed console.log
ratheesh-aot Feb 7, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions CHANGELOG.MD
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,9 @@
## February 06, 2024
- **Task**Convert keycloak groups to composite roles for permission levels [DESENG-447](https://apps.itsm.gov.bc.ca/jira/browse/DESENG-447)
- Commented out unit test related to Keycloak groups
- Changed reference of Keycloak `groups` to `roles`
- Commented out code related to Keycloak groups

## February 06, 2024
- **Task** Streamline CRON jobs [DESENG-493](https://apps.itsm.gov.bc.ca/jira/browse/DESENG-493)
- Aligned the CRON configuration and sample environment files with the structure used in the Met API.
Expand Down
Binary file modified met-api/.DS_Store
View file
Open in desktop
Binary file not shown.
2 changes: 1 addition & 1 deletion met-api/src/met_api/models/membership.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -93,7 +93,7 @@ def find_by_user_id(
@classmethod
def find_by_engagement_and_user_id(cls, eng_id, userid, status=None) \
-> Membership:
"""Get a survey."""
"""Get a membership by engagement and user ID."""
query = db.session.query(Membership) \
.join(StaffUser, StaffUser.id == Membership.user_id) \
.filter(and_(Membership.engagement_id == eng_id,
Expand Down
23 changes: 12 additions & 11 deletions met-api/src/met_api/resources/engagement_members.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,17 +48,18 @@ def get(engagement_id):
except BusinessException as err:
return {'message': err.error}, err.status_code

@staticmethod
@cross_origin(origins=allowedorigins())
@_jwt.requires_auth
def post(engagement_id):
"""Create a new membership."""
# TODO validate against a schema.
try:
member = MembershipService.create_membership(engagement_id, request.get_json())
return MembershipSchema().dump(member), HTTPStatus.OK
except BusinessException as err:
return {'message': err.error}, err.status_code
# TODO: Create membership method that uses composite roles
# @staticmethod
# @cross_origin(origins=allowedorigins())
# @_jwt.requires_auth
# def post(engagement_id):
# """Create a new membership."""
# # TODO validate against a schema.
# try:
# member = MembershipService.create_membership(engagement_id, request.get_json())
# return MembershipSchema().dump(member), HTTPStatus.OK
# except BusinessException as err:
# return {'message': err.error}, err.status_code


@cors_preflight('GET,OPTIONS')
Expand Down
42 changes: 2 additions & 40 deletions met-api/src/met_api/resources/staff_user.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -72,7 +72,7 @@ def get():
users = StaffUserService.find_users(
pagination_options=pagination_options,
search_text=args.get('search_text', '', str),
include_groups=args.get('include_groups', default=False, type=lambda v: v.lower() == 'true'),
include_roles=args.get('include_roles', default=False, type=lambda v: v.lower() == 'true'),
include_inactive=args.get('include_inactive', default=False, type=lambda v: v.lower() == 'true')
)
return jsonify(users), HTTPStatus.OK
Expand All @@ -91,7 +91,7 @@ def get(user_id):
args = request.args
user = StaffUserService.get_user_by_id(
user_id,
include_groups=args.get('include_groups', default=False, type=lambda v: v.lower() == 'true'),
include_roles=args.get('include_roles', default=False, type=lambda v: v.lower() == 'true'),
include_inactive=True,
)
return user, HTTPStatus.OK
Expand Down Expand Up @@ -121,44 +121,6 @@ def patch(user_id):
return str(err), HTTPStatus.BAD_REQUEST


@cors_preflight('POST, PUT')
@API.route('/<user_id>/groups')
class UserGroup(Resource):
"""Add user to group."""

@staticmethod
@cross_origin(origins=allowedorigins())
@require_role([Role.CREATE_ADMIN_USER.value], skip_tenant_check_for_admin=True)
def post(user_id):
"""Add user to group."""
try:
args = request.args
user_schema = StaffUserService().add_user_to_group(user_id, args.get('group'))
return user_schema, HTTPStatus.OK
except KeyError as err:
return str(err), HTTPStatus.INTERNAL_SERVER_ERROR
except ValueError as err:
return str(err), HTTPStatus.INTERNAL_SERVER_ERROR
except BusinessException as err:
return {'message': err.error}, err.status_code

@staticmethod
@cross_origin(origins=allowedorigins())
@_jwt.has_one_of_roles([Role.UPDATE_USER_GROUP.value])
def put(user_id):
"""Update user group."""
try:
args = request.args
user_schema = StaffUserMembershipService().reassign_user(user_id, args.get('group'))
return user_schema, HTTPStatus.OK
except KeyError as err:
return str(err), HTTPStatus.INTERNAL_SERVER_ERROR
except ValueError as err:
return str(err), HTTPStatus.INTERNAL_SERVER_ERROR
except BusinessException as err:
return {'message': err.error}, err.status_code


@cors_preflight('GET,OPTIONS')
@API.route('/<user_id>/engagements')
class EngagementMemberships(Resource):
Expand Down
6 changes: 5 additions & 1 deletion met-api/src/met_api/services/authorization.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,14 +31,15 @@ def check_auth(**kwargs):
has_valid_roles = token_roles & permitted_roles
if has_valid_roles:
if not skip_tenant_check:

user_tenant_id = user_from_db.tenant_id
_validate_tenant(kwargs.get('engagement_id'), user_tenant_id)
return

team_permitted_roles = {MembershipType.TEAM_MEMBER.name, MembershipType.REVIEWER.name} & permitted_roles

if team_permitted_roles:
# check if he is a member of particular engagement.

has_valid_team_access = _has_team_membership(kwargs, user_from_context, team_permitted_roles)
if has_valid_team_access:
return
Expand All @@ -63,16 +64,19 @@ def _has_team_membership(kwargs, user_from_context, team_permitted_roles) -> boo
eng_id = kwargs.get('engagement_id')

if not eng_id:

return False

user = StaffUserModel.get_user_by_external_id(user_from_context.sub)

if not user:

return False

membership = MembershipModel.find_by_engagement_and_user_id(eng_id, user.id, status=MembershipStatus.ACTIVE.value)

if not membership:

return False

skip_tenant_check = current_app.config.get('IS_SINGLE_TENANT_ENVIRONMENT')
Expand Down
Loading
Loading