feat: implement role checks across the whole admin API (AAI-453) (#99)

* refactor: rename user_is_admin -> user_is_general_admin to make purpose clearer

* refactor: rename SessionUser.is_admin SessionUser.is_biocommons_admin

* feat: add group/platform admin checks for the user

* refactor: rename get_current_user -> get_session_user for clarity

* refactor: add DB checks to user_is_general_admin check

* test: update tests to allow for updated admin check

* test: add tests of user_is_general_admin check

* test: add tests of DB admin checks

* refactor: update is-admin endpoint to is-general-admin

* refactor: update tests of is-admin check

* refactor: move user permissions to a new module

* feat: add check for is_biocommons_admin and a new router for biocommons admin routes

* chore: add biocommons_admin router to main app

* refactor: start moving routes to /biocommons-admin

* refactor: simplify creating groups in the API

* refactor: lookup methods for roles and platforms

* refactor: rework group/role/platform creation endpoints

* test: move biocommons-admin tests to a dedicated module

* test: fix mocks in user tests

* feat: add is_admin check for platform model

* refactor: rework UserQueryParams to add group/platform admin checks, use it in all endpoints

* test: update tests of get_users to include platform-specific users

* test: test group or platform admin access

* feat: more permissions checks that can be applied to endpoints

* refactor: move 'get_or_404' checks into models

* refactor: add permission checks to admin endpoints

* refactor: renamed get_for_admin_roles -> get_from_admin_roles

* refactor: move shared param types to schemas to avoid circular import

* fix: should use _or_404 for getting the group

* fix: need to return platform

* fix: fix checking admin roles for platform

* fix: allow for / in group IDs in URLs

* test: update tests of admin API to reflect permissions

* refactor: exclude biocommons-admin endpoints from docs/API schema

* test: include short_name when creating group

* feat: add simple endpoint for checking if current user has admin rights to a specific platform

* fix: sync platform roles to db, response typing
test: increase test coverate to 100%

* fix: undefiend role name in error message

* docs: docstring fixes

* docs: update DB diagram

---------

Co-authored-by: Marius <marius.mather@gmail.com>
Co-authored-by: Uwe Winter <uwwint@gmail.com>

Author: 3 people

auth/user_permissions.py

@@ -0,0 +1,208 @@
+from typing import Annotated
+
+from fastapi import Depends, HTTPException
+from sqlmodel import Session
+from starlette import status
+
+from auth.validator import oauth2_scheme, verify_jwt
+from config import Settings, get_settings
+from db.models import BiocommonsGroup, BiocommonsUser, Platform
+from db.setup import get_db_session
+from schemas.biocommons import ServiceIdParam, UserIdParam
+from schemas.user import SessionUser
+
+
+def get_session_user(
+    token: str = Depends(oauth2_scheme), settings: Settings = Depends(get_settings)
+) -> SessionUser:
+    """
+    Get the current user's session data (access token).
+    """
+    access_token = verify_jwt(token, settings=settings)
+    return SessionUser(access_token=access_token)
+
+
+def get_db_user(
+    current_user: Annotated[SessionUser, Depends(get_session_user)],
+    db_session: Annotated[Session, Depends(get_db_session)], ) -> BiocommonsUser | None:
+    """
+    Get the user's DB record.
+    """
+    user = db_session.get(BiocommonsUser, current_user.access_token.sub)
+    return user
+
+
+def user_is_general_admin(
+    current_user: Annotated[SessionUser, Depends(get_session_user)],
+    settings: Annotated[Settings, Depends(get_settings)],
+    db_user: Annotated[BiocommonsUser, Depends(get_db_user)],
+    db_session: Annotated[Session, Depends(get_db_session)],
+) -> SessionUser:
+    """
+    Check if user has general admin privileges.
+    This can come from:
+        * A role listed in settings.admin_roles (for BioCommons admins)
+        * A role listed in a group/platform's admin_roles in the DB (for platform sysadmins/project managers)
+    """
+    if current_user.is_biocommons_admin(settings=settings):
+        return current_user
+    if db_user is not None:
+        if db_user.is_any_platform_admin(access_token=current_user.access_token, db_session=db_session):
+            return current_user
+        if db_user.is_any_group_admin(access_token=current_user.access_token, db_session=db_session):
+            return current_user
+    raise HTTPException(
+        status_code=status.HTTP_403_FORBIDDEN,
+        detail="You must be an admin to access this endpoint.",
+    )
+
+
+def user_is_biocommons_admin(
+    current_user: Annotated[SessionUser, Depends(get_session_user)],
+    settings: Annotated[Settings, Depends(get_settings)],
+) -> SessionUser:
+    if current_user.is_biocommons_admin(settings=settings):
+        return current_user
+    raise HTTPException(
+        status_code=status.HTTP_403_FORBIDDEN,
+        detail="You must be an admin to access this endpoint.",
+    )
+
+
+def has_platform_admin_permission(
+    platform_id: str,
+    current_user: Annotated[SessionUser, Depends(get_session_user)],
+    db_session: Annotated[Session, Depends(get_db_session)],
+) -> bool:
+    """
+    Check if user has platform admin privileges.
+    """
+    platform = Platform.get_by_id(platform_id, db_session)
+    if platform is None:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=f"Platform '{platform_id}' not found",
+        )
+    return platform.user_is_admin(current_user)
+
+
+def has_admin_permission_for_user(
+    user_id: str,
+    admin: Annotated[SessionUser, Depends(user_is_general_admin)],
+    db_session: Annotated[Session, Depends(get_db_session)],
+) -> bool:
+    """
+    Check if the current admin has the right to manage the specified user,
+    as either a platform admin or a group admin.
+    """
+    platform_permission = has_platform_admin_permission_for_user(
+        user_id=user_id,
+        admin=admin,
+        db_session=db_session,
+    )
+    group_permission = has_group_admin_permission_for_user(
+        user_id=user_id,
+        admin=admin,
+        db_session=db_session,
+    )
+    return platform_permission or group_permission
+
+
+def has_platform_admin_permission_for_user(
+    user_id: str,
+    admin: Annotated[SessionUser, Depends(user_is_general_admin)],
+    db_session: Annotated[Session, Depends(get_db_session)],
+) -> bool:
+    """
+    Check if the current admin has the right to manage the specified user,
+    based on platform admin roles.
+    """
+    user_in_db = BiocommonsUser.get_by_id(user_id, session=db_session)
+    if user_in_db is None:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=f"User '{user_id}' not found",
+        )
+    admin_platforms = Platform.get_for_admin_roles(
+        role_names=admin.access_token.biocommons_roles,
+        session=db_session,
+    )
+    for membership in user_in_db.platform_memberships:
+        if membership.platform in admin_platforms:
+            return True
+    return False
+
+
+def has_group_admin_permission_for_user(
+        user_id: str,
+        admin: Annotated[SessionUser, Depends(user_is_general_admin)],
+        db_session: Annotated[Session, Depends(get_db_session)],
+) -> bool:
+    """
+    Check if the current admin has the right to manage the specified user,
+    based on group admin roles.
+    """
+    user_in_db = BiocommonsUser.get_by_id(user_id, session=db_session)
+    admin_groups = BiocommonsGroup.get_for_admin_roles(
+        role_names=admin.access_token.biocommons_roles,
+        session=db_session,
+    )
+    for membership in user_in_db.group_memberships:
+        if membership.group in admin_groups:
+            return True
+    return False
+
+
+def require_admin_permission_for_user(
+        user_id: Annotated[str, UserIdParam],
+        admin: Annotated[SessionUser, Depends(user_is_general_admin)],
+        db_session: Annotated[Session, Depends(get_db_session)],
+):
+    """
+    Dependency for checking if the current admin has the right to manage the
+    specified user (user_id should be a path parameter).
+    Raises an HTTPException if not.
+    """
+    if not has_admin_permission_for_user(user_id, admin, db_session):
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="You do not have permission to manage this user.",
+        )
+    return True
+
+
+def require_admin_permission_for_platform(
+        platform_id: Annotated[str, ServiceIdParam],
+        admin: Annotated[SessionUser, Depends(user_is_general_admin)],
+        db_session: Annotated[Session, Depends(get_db_session)],
+):
+    """
+    Dependency for checking if the current admin has the right to manage the
+    platform (platform_id should be a path parameter).
+
+    Raises HTTPException if the admin doesn't have permission.
+    """
+    platform = Platform.get_by_id(platform_id, db_session)
+    if not platform.user_is_admin(admin):
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="You do not have permission to manage this platform.",
+        )
+
+
+def require_admin_permission_for_group(
+        group_id: Annotated[str, ServiceIdParam],
+        admin: Annotated[SessionUser, Depends(user_is_general_admin)],
+        db_session: Annotated[Session, Depends(get_db_session)],
+):
+    """
+    Dependency for checking if the current admin has the right to manage the
+    group (group_id should be a path parameter).
+    """
+    group = BiocommonsGroup.get_by_id_or_404(group_id, db_session)
+    if not group.user_is_admin(admin):
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="You do not have permission to manage this group.",
+        )
+    return True

auth/validator.py

@@ -1,15 +1,12 @@
-from typing import Annotated
-
 import httpx
 from cachetools import TTLCache
-from fastapi import Depends, HTTPException, status
+from fastapi import HTTPException
 from fastapi.security import OAuth2PasswordBearer
 from jose import jwk, jwt
 from jose.exceptions import JWTError
 
-from config import Settings, get_settings
+from config import Settings
 from schemas.tokens import AccessTokenPayload
-from schemas.user import SessionUser
 
 oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")
 
@@ -77,22 +74,3 @@ def get_rsa_key(token: str, settings: Settings, retry_on_failure: bool = True) -
         return get_rsa_key(token, settings, retry_on_failure=False)
 
     return None
-
-
-def get_current_user(
-    token: str = Depends(oauth2_scheme), settings: Settings = Depends(get_settings)
-) -> SessionUser:
-    access_token = verify_jwt(token, settings=settings)
-    return SessionUser(access_token=access_token)
-
-
-def user_is_admin(
-    current_user: Annotated[SessionUser, Depends(get_current_user)],
-    settings: Annotated[Settings, Depends(get_settings)],
-) -> SessionUser:
-    if not current_user.is_admin(settings=settings):
-        raise HTTPException(
-            status_code=status.HTTP_403_FORBIDDEN,
-            detail="You must be an admin to access this endpoint.",
-        )
-    return current_user

biocommons/groups.py

@@ -4,7 +4,6 @@
 from pydantic import StringConstraints
 from sqlmodel import Session
 
-from auth0.client import Auth0Client
 from db.core import BaseModel
 from db.models import Auth0Role, BiocommonsGroup
 
@@ -33,18 +32,19 @@ class BiocommonsGroupCreate(BaseModel):
     short_name: str
     admin_roles: list[RoleId | Auth0Role]
 
-    def save(self, session: Session, auth0_client: Auth0Client) -> BiocommonsGroup:
+    def save_group(self, session: Session) -> BiocommonsGroup:
         db_roles = []
         for role in self.admin_roles:
             if isinstance(role, Auth0Role):
                 db_roles.append(role)
             else:
-                role = Auth0Role.get_or_create_by_name(
+                db_role = Auth0Role.get_by_name(
                     role,
                     session,
-                    auth0_client=auth0_client
                 )
-                db_roles.append(role)
+                if db_role is None:
+                    raise ValueError(f"Role {role} doesn't exist in DB - create roles first")
+                db_roles.append(db_role)
         group = BiocommonsGroup(
             group_id=self.group_id,
             name=self.name,