manage user permissions

Author: dwradcliffe

backend/pkg/constants.go

@@ -10,6 +10,7 @@ type DatabaseRepositoryType string
 type InstallationVerificationStatus string
 type InstallationQuotaStatus string
 type UserRole string
+type Permission string
 
 const (
 	ResourceListPageSize int = 20
@@ -54,4 +55,7 @@ const (
 
 	UserRoleUser  UserRole = "user"
 	UserRoleAdmin UserRole = "admin"
+
+	PermissionManageSources Permission = "manage_sources"
+	PermissionRead          Permission = "read"
 )

backend/pkg/database/gorm_common.go

@@ -192,6 +192,110 @@ func (gr *GormRepository) GetUsers(ctx context.Context) ([]models.User, error) {
 	return sanitizedUsers, result.Error
 }
 
+func (gr *GormRepository) GetUser(ctx context.Context, userID uuid.UUID) (*models.User, error) {
+	var dbUser models.User
+	var user models.User
+	result := gr.GormClient.WithContext(ctx).First(&dbUser, userID)
+	if result.Error != nil {
+		return nil, result.Error
+	}
+
+	user.ID = dbUser.ID
+	user.FullName = dbUser.FullName
+	user.Email = dbUser.Email
+	user.Username = dbUser.Username
+	user.Role = dbUser.Role
+
+	// Populate ACLs for the user
+	var acls []models.UserPermission
+	if err := gr.GormClient.WithContext(ctx).
+		Where("user_id = ?", user.ID).
+		Find(&acls).Error; err != nil {
+		return nil, err
+	}
+	user.Permissions = make(map[string]map[string]bool)
+
+	for _, acl := range acls {
+		if _, exists := user.Permissions[acl.TargetUserID.String()]; !exists {
+			user.Permissions[acl.TargetUserID.String()] = make(map[string]bool)
+		}
+		user.Permissions[acl.TargetUserID.String()][string(acl.Permission)] = true
+	}
+
+	return &user, nil
+}
+
+func (gr *GormRepository) UpdateUserAndPermissions(ctx context.Context, user models.User) error {
+	// Lookup user from the db
+	var dbUser models.User
+	result := gr.GormClient.WithContext(ctx).First(&dbUser, user.ID)
+	if result.Error != nil {
+		return result.Error
+	}
+	// Update fields on User
+	updates := map[string]interface{}{
+		"full_name": user.FullName,
+		"username":  user.Username,
+		"email":     user.Email,
+		"role":      user.Role,
+	}
+	result = gr.GormClient.WithContext(ctx).Model(dbUser).Updates(updates)
+	if result.Error != nil {
+		return result.Error
+	}
+	// Update User Permissions
+	var existingPermissions []models.UserPermission
+	if err := gr.GormClient.WithContext(ctx).
+		Where("user_id = ?", user.ID).
+		Find(&existingPermissions).Error; err != nil {
+		return err
+	}
+	for targetUserId, permissions := range user.Permissions {
+		for permission, value := range permissions {
+			if !value {
+				continue
+			}
+			// Check if the permission already exists
+			exists := false
+			for _, existingPermission := range existingPermissions {
+				if existingPermission.TargetUserID.String() == targetUserId && string(existingPermission.Permission) == permission {
+					exists = true
+					break
+				}
+			}
+			if !exists {
+				// Add new permission
+				p := models.UserPermission{
+					UserID:       user.ID,
+					TargetUserID: uuid.Must(uuid.Parse(targetUserId)),
+					Permission:   pkg.Permission(permission),
+				}
+				err := gr.GormClient.WithContext(ctx).Create(&p).Error
+				if err != nil {
+					return err
+				}
+			}
+		}
+	}
+
+	// Remove permissions that are no longer in user.Permissions
+	for _, existingPermission := range existingPermissions {
+		targetUserId := existingPermission.TargetUserID.String()
+		permission := string(existingPermission.Permission)
+
+		// Check if the permission still exists in the new user.Permissions
+		if _, exists := user.Permissions[targetUserId]; !exists || !user.Permissions[targetUserId][permission] {
+			// Permission no longer exists, so delete it
+			err := gr.GormClient.WithContext(ctx).Delete(&existingPermission).Error
+			if err != nil {
+				return err
+			}
+		}
+	}
+
+	return nil
+}
+
 //</editor-fold>
 
 ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

backend/pkg/database/gorm_repository_migrations.go

@@ -11,6 +11,7 @@ import (
 	_20240114103850 "github.com/fastenhealth/fasten-onprem/backend/pkg/database/migrations/20240114103850"
 	_20240208112210 "github.com/fastenhealth/fasten-onprem/backend/pkg/database/migrations/20240208112210"
 	_20240813222836 "github.com/fastenhealth/fasten-onprem/backend/pkg/database/migrations/20240813222836"
+	_20240827214347 "github.com/fastenhealth/fasten-onprem/backend/pkg/database/migrations/20240827214347"
 	"github.com/fastenhealth/fasten-onprem/backend/pkg/models"
 	databaseModel "github.com/fastenhealth/fasten-onprem/backend/pkg/models/database"
 	sourceCatalog "github.com/fastenhealth/fasten-sources/catalog"
@@ -225,6 +226,20 @@ func (gr *GormRepository) Migrate() error {
 				return nil
 			},
 		},
+		{
+			ID: "20240827214347", // add UserPermission model
+			Migrate: func(tx *gorm.DB) error {
+
+				err := tx.AutoMigrate(
+					&_20240827214347.UserPermission{},
+				)
+				if err != nil {
+					return err
+				}
+
+				return nil
+			},
+		},
 	})
 
 	// run when database is empty

backend/pkg/database/interface.go

@@ -20,6 +20,8 @@ type DatabaseRepository interface {
 	GetCurrentUser(ctx context.Context) (*models.User, error)
 	DeleteCurrentUser(ctx context.Context) error
 	GetUsers(ctx context.Context) ([]models.User, error)
+	GetUser(ctx context.Context, userId uuid.UUID) (*models.User, error)
+	UpdateUserAndPermissions(ctx context.Context, user models.User) error
 
 	GetSummary(ctx context.Context) (*models.Summary, error)
 

backend/pkg/database/migrations/20240827214347/user_permission.go

@@ -0,0 +1,20 @@
+package _20240827214347
+
+import (
+	"github.com/fastenhealth/fasten-onprem/backend/pkg/models"
+	"github.com/google/uuid"
+)
+
+type Permission string
+
+const (
+	PermissionManageSources Permission = "manage_sources"
+	PermissionRead          Permission = "read"
+)
+
+type UserPermission struct {
+	models.ModelBase
+	UserID       uuid.UUID  `json:"user_id" gorm:"type:uuid"`
+	TargetUserID uuid.UUID  `json:"target_user_id" gorm:"type:uuid"`
+	Permission   Permission `json:"permission"`
+}

backend/pkg/database/mock/mock_database.go

@@ -4,21 +4,19 @@ import (
 	"fmt"
 	"strings"
 
-	"golang.org/x/crypto/bcrypt"
-
 	"github.com/fastenhealth/fasten-onprem/backend/pkg"
+	"golang.org/x/crypto/bcrypt"
 )
 
 type User struct {
 	ModelBase
-	FullName string `json:"full_name"`
-	Username string `json:"username" gorm:"unique"`
-	Password string `json:"password"`
-
-	//additional optional metadata that Fasten stores with users
-	Picture string       `json:"picture"`
-	Email   string       `json:"email"`
-	Role    pkg.UserRole `json:"role"`
+	FullName    string                     `json:"full_name"`
+	Username    string                     `json:"username" gorm:"unique"`
+	Password    string                     `json:"password"`
+	Picture     string                     `json:"picture"`
+	Email       string                     `json:"email"`
+	Role        pkg.UserRole               `json:"role"`
+	Permissions map[string]map[string]bool `json:"permissions" gorm:"-:all"`
 }
 
 func (user *User) HashPassword(password string) error {

backend/pkg/models/user.go

@@ -0,0 +1,13 @@
+package models
+
+import (
+	"github.com/fastenhealth/fasten-onprem/backend/pkg"
+	"github.com/google/uuid"
+)
+
+type UserPermission struct {
+	ModelBase
+	UserID       uuid.UUID      `json:"user_id" gorm:"type:uuid"`
+	TargetUserID uuid.UUID      `json:"target_user_id" gorm:"type:uuid"`
+	Permission   pkg.Permission `json:"permission"`
+}

backend/pkg/models/user_permission.go

@@ -8,6 +8,7 @@ import (
 	"github.com/fastenhealth/fasten-onprem/backend/pkg/database"
 	"github.com/fastenhealth/fasten-onprem/backend/pkg/models"
 	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
 	"gorm.io/gorm"
 )
 
@@ -54,3 +55,43 @@ func CreateUser(c *gin.Context) {
 
 	c.JSON(http.StatusOK, gin.H{"success": true, "data": newUser})
 }
+
+func GetUser(c *gin.Context) {
+	if !IsAdmin(c) {
+		c.JSON(http.StatusUnauthorized, gin.H{"success": false, "error": "Unauthorized"})
+		return
+	}
+
+	databaseRepo := c.MustGet(pkg.ContextKeyTypeDatabase).(database.DatabaseRepository)
+
+	user, err := databaseRepo.GetUser(c, uuid.MustParse(c.Param("userId")))
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"success": false, "error": err.Error()})
+		return
+	}
+
+	c.JSON(200, gin.H{"success": true, "data": user})
+}
+
+func UpdateUser(c *gin.Context) {
+	if !IsAdmin(c) {
+		c.JSON(http.StatusUnauthorized, gin.H{"success": false, "error": "Unauthorized"})
+		return
+	}
+
+	databaseRepo := c.MustGet(pkg.ContextKeyTypeDatabase).(database.DatabaseRepository)
+
+	var user models.User
+	if err := c.ShouldBindJSON(&user); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"success": false, "error": err.Error()})
+		return
+	}
+
+	err := databaseRepo.UpdateUserAndPermissions(c, user)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"success": false, "error": err.Error()})
+		return
+	}
+
+	c.JSON(200, gin.H{"success": true, "data": user})
+}

backend/pkg/web/handler/users.go

@@ -128,6 +128,8 @@ func (ae *AppEngine) Setup() (*gin.RouterGroup, *gin.Engine) {
 
 				secure.GET("/users", handler.GetUsers)
 				secure.POST("/users", handler.CreateUser)
+				secure.GET("/users/:userId", handler.GetUser)
+				secure.POST("/users/:userId", handler.UpdateUser)
 
 				//server-side-events handler (only supported on mac/linux)
 				// TODO: causes deadlock on Windows