Merge pull request #2096 from auslin-aot/feature/FWF-3325-save-group-…

…role-mapping ❇️ FWF-3325: [Feature] Save group role mapping
AOT-Technologies · Jun 6, 2024 · 0818b48 · 0818b48
2 parents d32846d + 90c7a35
commit 0818b48
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 9 deletions.
diff --git a/forms-flow-api/src/formsflow_api/schemas/roles.py b/forms-flow-api/src/formsflow_api/schemas/roles.py
@@ -14,3 +14,4 @@ class Meta:  # pylint: disable=too-few-public-methods
     id = fields.Str(dump_only=True)
     name = fields.Str(required=True)
     description = fields.Str()
+    permissions = fields.List(fields.Str())
diff --git a/forms-flow-api/src/formsflow_api/services/factory/keycloak_client_service.py b/forms-flow-api/src/formsflow_api/services/factory/keycloak_client_service.py
@@ -12,6 +12,7 @@
 from formsflow_api.services import KeycloakAdminAPIService, UserService
 
 from .keycloak_admin import KeycloakAdmin
+from .keycloak_group_service import KeycloakGroupService
 
 
 class KeycloakClientService(KeycloakAdmin):
@@ -93,14 +94,18 @@ def delete_group(self, group_id: str):
             url_path=f"clients/{client_id}/roles/{group_id}"
         )
 
-    def create_group_role(self, data: Dict):
-        """Create role."""
-        client_id = self.client.get_client_id()
-        response = self.client.create_request(
-            url_path=f"clients/{client_id}/roles", data=data
-        )
-        role_name = response.headers["Location"].split("/")[-1]
-        return {"id": role_name}
+    @user_context
+    def create_group_role(self, data: Dict, **kwargs):
+        """Create tenant group."""
+        current_app.logger.debug("Creating tenant group...")
+        user: UserContext = kwargs["user"]
+        tenant_key = user.tenant_key
+        name = data["name"].lstrip("/")
+        # Prefix the tenant_key to the main group
+        data["name"] = f"{tenant_key}-{name}"
+        current_app.logger.debug(f"Tenant group: {data['name']}")
+        group_service = KeycloakGroupService()
+        return group_service.create_group_role(data)
 
     def add_user_to_group_role(self, user_id: str, group_id: str, payload: Dict):
         """Add user to role."""

diff --git a/forms-flow-api/src/formsflow_api/services/factory/keycloak_group_service.py b/forms-flow-api/src/formsflow_api/services/factory/keycloak_group_service.py
@@ -91,6 +91,7 @@ def create_group_role(self, data: Dict):
 
         Split name parameter to create group/subgroups
         """
+        permissions = data.pop("permissions")
         data = self.add_description(data)
         data["name"] = (
             data["name"].lstrip("/") if data["name"].startswith("/") else data["name"]
@@ -119,6 +120,8 @@ def create_group_role(self, data: Dict):
                         )
                         group_id = response["id"]
                 url_path = f"groups/{group_id}/children"
+        client_id = self.client.get_client_id()
+        self.create_group_permission_mapping(group_id, permissions, client_id)
         return {"id": group_id}
 
     def add_description(self, data: Dict):
@@ -218,3 +221,22 @@ def add_user_to_tenant(self, data: Dict):
         return {
             "message": "The requested operation is not supported."
         }, HTTPStatus.BAD_REQUEST
+
+    def create_group_permission_mapping(self, group_id, permissions, client_id):
+        """Set permission mapping to group."""
+        current_app.logger.debug("Setting permission mapping to group")
+        roles = self.client.get_roles()
+        role_data_list = []
+        for role in roles:
+            if permissions and role.get("name") in permissions:
+                role_data = {
+                    "containerId": client_id,
+                    "id": role.get("id"),
+                    "clientRole": True,
+                    "name": role.get("name"),
+                }
+                role_data_list.append(role_data)
+        self.client.create_request(
+            url_path=f"groups/{group_id}/role-mappings/clients/{client_id}",
+            data=role_data_list,
+        )
diff --git a/forms-flow-api/tests/unit/api/test_roles.py b/forms-flow-api/tests/unit/api/test_roles.py
@@ -24,7 +24,7 @@ def test_keycloak_role_crud(self, app, client, session, jwt):
             "content-type": "application/json",
         }
         # Create new user group.
-        data = {"name": "new-test-group", "description": "Group"}
+        data = {"name": "new-test-group", "description": "Group", "permissions": ["view_designs", "create_designs"]}
         rv = client.post("/roles", headers=headers, json=data)
         assert rv.status_code == 201
         assert rv.json.get("id") is not None