Expand create and update user endpionts

Signed-off-by: montesm <[email protected]>

Author: montesmoci

UnityAuth/src/main/java/io/unityfoundation/auth/UserController.java

@@ -1,29 +1,34 @@
 package io.unityfoundation.auth;
 
-import io.micronaut.core.annotation.Nullable;
 import io.micronaut.http.HttpResponse;
+import io.micronaut.http.HttpStatus;
 import io.micronaut.http.annotation.*;
 import io.micronaut.security.annotation.Secured;
 import io.micronaut.security.authentication.Authentication;
 import io.micronaut.security.rules.SecurityRule;
 import io.micronaut.serde.annotation.Serdeable;
 import io.unityfoundation.auth.entities.*;
+import jakarta.transaction.Transactional;
 import jakarta.validation.constraints.NotBlank;
 import jakarta.validation.constraints.NotEmpty;
 import jakarta.validation.constraints.NotNull;
 
 import java.util.List;
+import java.util.Objects;
+import java.util.Optional;
 
 @Secured(SecurityRule.IS_AUTHENTICATED)
 @Controller("/api/users")
 public class UserController {
 
     private final UserRepo userRepo;
     private final TenantRepo tenantRepo;
+    private final RoleRepo roleRepo;
 
-    public UserController(UserRepo userRepo, TenantRepo tenantRepo) {
+    public UserController(UserRepo userRepo, TenantRepo tenantRepo, RoleRepo roleRepo) {
         this.userRepo = userRepo;
         this.tenantRepo = tenantRepo;
+        this.roleRepo = roleRepo;
     }
 
     @Post
@@ -34,55 +39,149 @@ public HttpResponse<?> createUser(@Body AddUserRequest requestDTO,
 
         // reject if the declared tenant does not exist
         if (tenantRepo.existsById(requestTenantId)) {
-            return HttpResponse.badRequest("Tenant does not exist");
+            return HttpResponse.notFound("Tenant does not exist");
         }
 
+        Role unityAdministrator = roleRepo.findByName("Unity Administrator");
+
+        // ignore roles not defined by application
+        List<Long> rolesIntersection = getRolesIntersection(requestDTO.roles());
+
         // reject if caller is not a unity nor tenant admin of the declared tenant
-        if (!isUserUnityOrTenantAdmin(authentication.getName(), requestTenantId)) {
-            return HttpResponse.badRequest("Authenticated user is not authorized to make changes under declared tenant.");
+        String authUserEmail = authentication.getName();
+        if (!userRepo.existsByEmailAndRoleEqualsUnityAdmin(authUserEmail)) {
+            if (!userRepo.existsByEmailAndTenantEqualsAndIsTenantAdmin(authUserEmail, requestTenantId)) {
+                return HttpResponse.status(HttpStatus.FORBIDDEN,
+                        "Authenticated user is not authorized to make changes under declared tenant.");
+            } else if (rolesIntersection.stream().anyMatch(roleId -> roleId.equals(unityAdministrator.getId()))){
+                // authenticated tenant admin user cannot grant unity admin role
+                return HttpResponse.status(HttpStatus.FORBIDDEN,
+                        "Authenticated user is not authorized to grant Unity Admin");
+            }
         }
 
         // reject if new user already exists under a tenant
         if (userRepo.existsByEmailAndTenantId(requestDTO.email(), requestTenantId)) {
             return HttpResponse.badRequest("User already exists under declared tenant.");
         }
 
-        // reject if the declared roles supersede that of the authenticated user if authenticated user is not a unity admin
-        // ie. first condition is applied assumes that authenticated user is a tenant admin of the declared tenant
-
         // if the new user exists, create a new user-role entry
         // otherwise, create the user along with user-role entry
+        Optional<User> userOptional = userRepo.findByEmail(requestDTO.email());
+        User user;
+        if (userOptional.isEmpty()) {
+            User newUser = new User();
+            newUser.setEmail(requestDTO.email());
+            newUser.setPassword(requestDTO.password());
+            newUser.setFirstName(requestDTO.firstName);
+            newUser.setLastName(requestDTO.lastName);
+            newUser.setStatus(User.UserStatus.ENABLED);
+            user = userRepo.save(newUser);
+        } else {
+            user = userOptional.get();
+        }
 
+        rolesIntersection.forEach(roleId -> userRepo.insertUserRole(user.getId(), requestTenantId, roleId));
+
+        return HttpResponse.created(new UserResponse(user.getId(),
+                user.getEmail(),
+                user.getFirstName(),
+                user.getLastName(),
+                rolesIntersection));
     }
 
     @Patch("{id}/roles")
-    public HttpResponse<UserResponse> updateUserRoles(@PathVariable Long id, @Body UpdateUserRolesRequest requestDTO,
+    public HttpResponse<?> updateUserRoles(@PathVariable Long id, @Body UpdateUserRolesRequest requestDTO,
                                                 Authentication authentication) {
-        // get user under tenant
+        Long requestTenantId = requestDTO.tenantId();
+
+        // reject if the declared tenant does not exist
+        if (tenantRepo.existsById(requestTenantId)) {
+            return HttpResponse.notFound("Tenant does not exist");
+        }
+
+        Optional<User> userOptional = userRepo.findById(id);
+        if (userOptional.isEmpty()) {
+            return HttpResponse.notFound("User not found.");
+        }
+
+        User user = userOptional.get();
+        Role unityAdministrator = roleRepo.findByName("Unity Administrator");
+
+        // ignore roles not defined by application
+        List<Long> rolesIntersection = getRolesIntersection(requestDTO.roles());
+
         // if unity admin, proceed; otherwise, reject if roles exceed authenticated user's under same tenant.
-        // apply patch
+        String authUserEmail = authentication.getName();
+        if (!userRepo.existsByEmailAndRoleEqualsUnityAdmin(authUserEmail)) {
+            if (!userRepo.existsByEmailAndTenantEqualsAndIsTenantAdmin(authUserEmail, requestTenantId)) {
+                return HttpResponse.status(HttpStatus.FORBIDDEN,
+                        "Authenticated user is not authorized to make changes under declared tenant.");
+            } else if (rolesIntersection.stream().anyMatch(roleId -> roleId.equals(unityAdministrator.getId()))){
+                // authenticated tenant admin user cannot grant unity admin role
+                return HttpResponse.status(HttpStatus.FORBIDDEN,
+                        "Authenticated user is not authorized to grant Unity Admin");
+            }
+        }
 
+        applyRolesPatch(rolesIntersection, requestTenantId, user.getId());
 
         // return updated user
+        return HttpResponse.created(new UserResponse(user.getId(),
+                user.getEmail(),
+                user.getFirstName(),
+                user.getLastName(),
+                rolesIntersection));
+    }
+
+    private List<Long> getRolesIntersection(List<Long> requestRoles) {
+        List<Long> roles = roleRepo.findAllRoleIds();
+        return requestRoles.stream()
+                .distinct()
+                .filter(roles::contains)
+                .toList();
+    }
+
+
+    @Transactional
+    public void applyRolesPatch(List<Long> requestRoles, Long requestTenantId, Long userId) {
+        userRepo.deleteRoleByTenantIdAndUserId(requestTenantId, userId);
+        requestRoles.forEach(roleId -> userRepo.insertUserRole(userId, requestTenantId, roleId));
     }
 
     @Patch("{id}")
-    public HttpResponse<UserResponse> selfPatch(@PathVariable Long id, @Body UpdateSelfRequest requestDTO,
+    public HttpResponse<?> selfPatch(@PathVariable Long id, @Body UpdateSelfRequest requestDTO,
                                                 Authentication authentication) {
-        // get user (and verify id?)
-        // perform patch
 
-        // return updated user
-    }
+        Optional<User> userOptional = userRepo.findByEmail(authentication.getName());
+        if (userOptional.isEmpty()) {
+            return HttpResponse.notFound("User not found.");
+        }
 
-    private boolean isUserUnityOrTenantAdmin(String email, Long requestTenantId) {
-        return false;
+        User user = userOptional.get();
+        if (!Objects.equals(user.getId(), id)) {
+            return HttpResponse.badRequest("User id mismatch.");
+        }
+
+        if (requestDTO.firstName != null) {
+            user.setFirstName(requestDTO.firstName);
+        }
+        if (requestDTO.lastName != null) {
+            user.setLastName(requestDTO.lastName);
+        }
+        if (requestDTO.password != null) {
+            user.setPassword(requestDTO.password);
+        }
+
+        User saved = userRepo.save(user);
+        return HttpResponse.ok(new UserResponse(saved.getId(), saved.getEmail(), saved.getFirstName(), saved.getLastName(),
+                userRepo.getUserRolesByUserId(saved.getId())));
     }
 
     @Serdeable
     public record UpdateUserRolesRequest(
             @NotNull Long tenantId,
-            List<String> roles) {
+            List<Long> roles) {
     }
 
     @Serdeable
@@ -92,7 +191,7 @@ public record AddUserRequest(
             @NotBlank String lastName,
             @NotNull Long tenantId,
             @NotBlank String password,
-            @NotEmpty List<String> roles) {
+            @NotEmpty List<Long> roles) {
     }
 
     @Serdeable
@@ -101,6 +200,4 @@ public record UpdateSelfRequest(
             @NotBlank String lastName,
             @NotBlank String password) {
     }
-
-
 }

UnityAuth/src/main/java/io/unityfoundation/auth/entities/Role.java

@@ -12,4 +12,28 @@ public class Role {
 
     private String name;
     private String description;
+
+    public String getDescription() {
+        return description;
+    }
+
+    public void setDescription(String description) {
+        this.description = description;
+    }
+
+    public Long getId() {
+        return id;
+    }
+
+    public void setId(Long id) {
+        this.id = id;
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
 }

UnityAuth/src/main/java/io/unityfoundation/auth/entities/RoleRepo.java

@@ -6,6 +6,12 @@
 import io.micronaut.data.model.query.builder.sql.Dialect;
 import io.micronaut.data.repository.CrudRepository;
 
+import java.util.List;
+
 @JdbcRepository(dialect = Dialect.MYSQL)
 public interface RoleRepo extends CrudRepository<Role, Long> {
+    Role findByName(String name);
+
+    @Query("SELECT id FROM role")
+    List<Long> findAllRoleIds();
 }

UnityAuth/src/main/java/io/unityfoundation/auth/entities/UserRepo.java

@@ -69,9 +69,9 @@ select count(*) > 0
     from user_role ur
     inner join user u on u.id = ur.user_id
     inner join role r on r.id = ur.role_id
-    where u.email = :email and (r.name = 'Unity Administrator' or r.name = 'Tenant Administrator')
+    where u.email = :email and ur.tenant_id = :tenantId and r.name = 'Tenant Administrator'
 """)
-  boolean existsByEmailAndRoleEqualsUnityAdminOrTenantAdmin(String email);
+  boolean existsByEmailAndTenantEqualsAndIsTenantAdmin(String email, Long tenantId);
 
   @Query("""
 select count(*) > 0
@@ -84,4 +84,10 @@ select count(*) > 0
 
   @Query("select role_id from user_role where user_id = :userId")
   List<Long> getUserRolesByUserId(Long userId);
+
+  @Query("INSERT INTO user_role(user_id, tenant_id, role_id) VALUES (:userId, :tenantId, :roleId)")
+  void insertUserRole(Long userId, Long tenantId, Long roleId);
+
+  @Query("DELETE FROM user_role WHERE tenant_id = :tenantId and user_id = :userId")
+  void deleteRoleByTenantIdAndUserId(Long tenantId, Long userId);
 }