feat: #1090 delete delegated admin (#1196)

bcgov · Feb 13, 2024 · c5dbbee · c5dbbee
1 parent 914ae89
commit c5dbbee
Show file tree

Hide file tree

Showing 9 changed files with 380 additions and 84 deletions.
diff --git a/client-code-gen/admin-management-openapi.json b/client-code-gen/admin-management-openapi.json
diff --git a/client-code-gen/gen/admin-management-api/api/famaccess-control-privileges-api.ts b/client-code-gen/gen/admin-management-api/api/famaccess-control-privileges-api.ts
@@ -75,6 +75,44 @@ export const FAMAccessControlPrivilegesApiAxiosParamCreator = function (configur
                 options: localVarRequestOptions,
             };
         },
+        /**
+         * 
+         * @summary Delete Access Control Privilege
+         * @param {number} accessControlPrivilegeId 
+         * @param {*} [options] Override http request option.
+         * @throws {RequiredError}
+         */
+        deleteAccessControlPrivilege: async (accessControlPrivilegeId: number, options: AxiosRequestConfig = {}): Promise<RequestArgs> => {
+            // verify required parameter 'accessControlPrivilegeId' is not null or undefined
+            assertParamExists('deleteAccessControlPrivilege', 'accessControlPrivilegeId', accessControlPrivilegeId)
+            const localVarPath = `/access_control_privileges/{access_control_privilege_id}`
+                .replace(`{${"access_control_privilege_id"}}`, encodeURIComponent(String(accessControlPrivilegeId)));
+            // use dummy base URL string because the URL constructor only accepts absolute URLs.
+            const localVarUrlObj = new URL(localVarPath, DUMMY_BASE_URL);
+            let baseOptions;
+            if (configuration) {
+                baseOptions = configuration.baseOptions;
+            }
+
+            const localVarRequestOptions = { method: 'DELETE', ...baseOptions, ...options};
+            const localVarHeaderParameter = {} as any;
+            const localVarQueryParameter = {} as any;
+
+            // authentication 6jfveou69mgford233or30hmta required
+            // oauth required
+            await setOAuthToObject(localVarHeaderParameter, "6jfveou69mgford233or30hmta", [], configuration)
+
+
+
+            setSearchParams(localVarUrlObj, localVarQueryParameter);
+            let headersFromBaseOptions = baseOptions && baseOptions.headers ? baseOptions.headers : {};
+            localVarRequestOptions.headers = {...localVarHeaderParameter, ...headersFromBaseOptions, ...options.headers};
+
+            return {
+                url: toPathString(localVarUrlObj),
+                options: localVarRequestOptions,
+            };
+        },
         /**
          * Get Delegated Admin Privileges For an Application
          * @summary Get Access Control Privileges By Application Id
@@ -137,6 +175,17 @@ export const FAMAccessControlPrivilegesApiFp = function(configuration?: Configur
             const localVarAxiosArgs = await localVarAxiosParamCreator.createAccessControlPrivilegeMany(famAccessControlPrivilegeCreateRequest, options);
             return createRequestFunction(localVarAxiosArgs, globalAxios, BASE_PATH, configuration);
         },
+        /**
+         * 
+         * @summary Delete Access Control Privilege
+         * @param {number} accessControlPrivilegeId 
+         * @param {*} [options] Override http request option.
+         * @throws {RequiredError}
+         */
+        async deleteAccessControlPrivilege(accessControlPrivilegeId: number, options?: AxiosRequestConfig): Promise<(axios?: AxiosInstance, basePath?: string) => AxiosPromise<void>> {
+            const localVarAxiosArgs = await localVarAxiosParamCreator.deleteAccessControlPrivilege(accessControlPrivilegeId, options);
+            return createRequestFunction(localVarAxiosArgs, globalAxios, BASE_PATH, configuration);
+        },
         /**
          * Get Delegated Admin Privileges For an Application
          * @summary Get Access Control Privileges By Application Id
@@ -168,6 +217,16 @@ export const FAMAccessControlPrivilegesApiFactory = function (configuration?: Co
         createAccessControlPrivilegeMany(famAccessControlPrivilegeCreateRequest: FamAccessControlPrivilegeCreateRequest, options?: any): AxiosPromise<Array<FamAccessControlPrivilegeCreateResponse>> {
             return localVarFp.createAccessControlPrivilegeMany(famAccessControlPrivilegeCreateRequest, options).then((request) => request(axios, basePath));
         },
+        /**
+         * 
+         * @summary Delete Access Control Privilege
+         * @param {number} accessControlPrivilegeId 
+         * @param {*} [options] Override http request option.
+         * @throws {RequiredError}
+         */
+        deleteAccessControlPrivilege(accessControlPrivilegeId: number, options?: any): AxiosPromise<void> {
+            return localVarFp.deleteAccessControlPrivilege(accessControlPrivilegeId, options).then((request) => request(axios, basePath));
+        },
         /**
          * Get Delegated Admin Privileges For an Application
          * @summary Get Access Control Privileges By Application Id
@@ -197,6 +256,16 @@ export interface FAMAccessControlPrivilegesApiInterface {
      */
     createAccessControlPrivilegeMany(famAccessControlPrivilegeCreateRequest: FamAccessControlPrivilegeCreateRequest, options?: AxiosRequestConfig): AxiosPromise<Array<FamAccessControlPrivilegeCreateResponse>>;
 
+    /**
+     * 
+     * @summary Delete Access Control Privilege
+     * @param {number} accessControlPrivilegeId 
+     * @param {*} [options] Override http request option.
+     * @throws {RequiredError}
+     * @memberof FAMAccessControlPrivilegesApiInterface
+     */
+    deleteAccessControlPrivilege(accessControlPrivilegeId: number, options?: AxiosRequestConfig): AxiosPromise<void>;
+
     /**
      * Get Delegated Admin Privileges For an Application
      * @summary Get Access Control Privileges By Application Id
@@ -228,6 +297,18 @@ export class FAMAccessControlPrivilegesApi extends BaseAPI implements FAMAccessC
         return FAMAccessControlPrivilegesApiFp(this.configuration).createAccessControlPrivilegeMany(famAccessControlPrivilegeCreateRequest, options).then((request) => request(this.axios, this.basePath));
     }
 
+    /**
+     * 
+     * @summary Delete Access Control Privilege
+     * @param {number} accessControlPrivilegeId 
+     * @param {*} [options] Override http request option.
+     * @throws {RequiredError}
+     * @memberof FAMAccessControlPrivilegesApi
+     */
+    public deleteAccessControlPrivilege(accessControlPrivilegeId: number, options?: AxiosRequestConfig) {
+        return FAMAccessControlPrivilegesApiFp(this.configuration).deleteAccessControlPrivilege(accessControlPrivilegeId, options).then((request) => request(this.axios, this.basePath));
+    }
+
     /**
      * Get Delegated Admin Privileges For an Application
      * @summary Get Access Control Privileges By Application Id

diff --git a/server/admin_management/api/app/repositories/access_control_privilege_repository.py b/server/admin_management/api/app/repositories/access_control_privilege_repository.py
@@ -49,6 +49,18 @@ def create_access_control_privilege(
         self.db.refresh(db_item)
         return db_item
 
+    def delete_access_control_privilege(self, access_control_privilege_id: int):
+        record = (
+            self.db.query(FamAccessControlPrivilege)
+            .filter(
+                FamAccessControlPrivilege.access_control_privilege_id
+                == access_control_privilege_id
+            )
+            .one()
+        )
+        self.db.delete(record)
+        self.db.flush()
+
     def get_user_delegated_admin_grants(self, user_id: int) -> List[FamRole]:
         """
         Find out from `app_fam.fam_access_control_privilege` the applications' roles
@@ -59,11 +71,11 @@ def get_user_delegated_admin_grants(self, user_id: int) -> List[FamRole]:
         """
         return (
             self.db.query(FamRole)
-                .options(joinedload(FamRole.application))  # also loads relationship
-                .select_from(FamAccessControlPrivilege)
-                .join(FamAccessControlPrivilege.role)
-                .join(FamAccessControlPrivilege.user)
-                .filter(FamAccessControlPrivilege.user_id == user_id)
-                .order_by(FamRole.application_id, FamRole.role_id)
-                .all()
+            .options(joinedload(FamRole.application))  # also loads relationship
+            .select_from(FamAccessControlPrivilege)
+            .join(FamAccessControlPrivilege.role)
+            .join(FamAccessControlPrivilege.user)
+            .filter(FamAccessControlPrivilege.user_id == user_id)
+            .order_by(FamRole.application_id, FamRole.role_id)
+            .all()
         )
diff --git a/server/admin_management/api/app/routers/router_access_control_privilege.py b/server/admin_management/api/app/routers/router_access_control_privilege.py
@@ -8,6 +8,7 @@
     authorize_by_application_role,
     enforce_self_grant_guard,
     get_current_requester,
+    validate_param_access_control_privilege_id,
 )
 from api.app.routers.router_utils import (
     access_control_privilege_service_instance,
@@ -21,7 +22,7 @@
 from api.app.services.role_service import RoleService
 from api.app.services.user_service import UserService
 from api.app.utils.audit_util import AuditEventLog, AuditEventOutcome, AuditEventType
-from fastapi import APIRouter, Depends, Request
+from fastapi import APIRouter, Depends, Request, Response
 
 LOGGER = logging.getLogger(__name__)
 
@@ -68,7 +69,7 @@ def create_access_control_privilege_many(
     audit_event_log = AuditEventLog(
         request=request,
         event_type=AuditEventType.CREATE_ACCESS_CONTROL_PRIVILIEGE,
-        forest_client_number=access_control_privilege_request.forest_client_numbers,
+        forest_client_numbers=access_control_privilege_request.forest_client_numbers,
         event_outcome=AuditEventOutcome.SUCCESS,
     )
 
@@ -120,3 +121,59 @@ def get_access_control_privileges_by_application_id(
     ),
 ):
     return access_control_privilege_service.get_acp_by_application_id(application_id)
+
+
+@router.delete(
+    "/{access_control_privilege_id}",
+    response_class=Response,
+    dependencies=[
+        Depends(
+            validate_param_access_control_privilege_id
+        ),  # validate id first, otherwise authorize_by_application_role cannot find application by role
+        Depends(
+            authorize_by_application_role
+        ),  # only app admin can do this, get application by role
+        Depends(enforce_self_grant_guard),
+    ],
+)
+def delete_access_control_privilege(
+    access_control_privilege_id: int,
+    request: Request,
+    user_service: UserService = Depends(user_service_instance),
+    access_control_privilege_service: AccessControlPrivilegeService = Depends(
+        access_control_privilege_service_instance
+    ),
+    requester: Requester = Depends(get_current_requester),
+):
+    LOGGER.debug(
+        f"Executing 'delete_access_control_privilege' with request: {access_control_privilege_id}"
+    )
+
+    audit_event_log = AuditEventLog(
+        request=request,
+        event_type=AuditEventType.REMOVE_ACCESS_CONTROL_PRIVILIEGE,
+        event_outcome=AuditEventOutcome.SUCCESS,
+    )
+
+    try:
+        audit_event_log.requesting_user = user_service.get_user_by_cognito_user_id(
+            requester.cognito_user_id
+        )
+        access_control_privilege = access_control_privilege_service.get_acp_by_id(
+            access_control_privilege_id
+        )
+        audit_event_log.role = access_control_privilege.role
+        audit_event_log.application = access_control_privilege.role.application
+        audit_event_log.target_user = access_control_privilege.user
+
+        return access_control_privilege_service.delete_access_control_privilege(
+            access_control_privilege_id
+        )
+
+    except Exception as e:
+        audit_event_log.event_outcome = AuditEventOutcome.FAIL
+        audit_event_log.exception = e
+        raise e
+
+    finally:
+        audit_event_log.log_event()