feat: add platform access roles (AAI-467) (#112)

* feat: add role_name to platform - role that grants platform access in Auth0

* fix: make sure name is unique on Auth0Role

* test: update tests to include role_name for platform

* feat: add schemas for Auth0 role names

* feat: methods to create platform from Åuth0 role

* feat: sync task to populate platforms in the DB

* fix: add populating platforms to sync job

* feat: add auth0 role when adding (approved) platform membership

* feat: add role when creating user record in registration

* test: update tests to account for platform role

* fix: include group id in 404 message

* refactor: create a class for defining bundles

* fix: make sure we pass string IDs when getting database groups

* test: update biocommons registration tests after refactor

* fix: fix BPA registration to include Auth0 client when needed

* test: update test of BPA registration

* fix: add a default admin role when populating platforms

* fix: make platform role_name nullable: difficult to populate if it has to be there from the start

* fix: add migration for platform role name

* fix: include auth0_client when creating galaxy membership

* test: update tests of Galaxy registration

* fix: update SBP registration

* test: update tests of SBP registration

* feat: add an endpoint to update platform admin roles

* test: test setting platform admin roles

* chore: style fix

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* fix: need to provide an actual role when defining default platform admin role

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: marius-mather

db/models.py

@@ -1,5 +1,6 @@
 import uuid
 from datetime import datetime, timezone
+from logging import getLogger
 from typing import Optional, Self
 
 from pydantic import AwareDatetime
@@ -17,9 +18,12 @@
     PlatformEnum,
     PlatformMembershipData,
 )
+from schemas.auth0 import get_platform_id_from_role_name
 from schemas.tokens import AccessTokenPayload
 from schemas.user import SessionUser
 
+logger = getLogger(__name__)
+
 
 class BiocommonsUser(SoftDeleteModel, table=True):
     __tablename__ = "biocommons_user"
@@ -120,9 +124,27 @@ def update_from_auth0_data(self, data: 'schemas.biocommons.Auth0UserData') -> Se
         self.email_verified = data.email_verified
         return self
 
+    def add_role(self, role_name: str, auth0_client: Auth0Client, session: Session) -> None:
+        """
+        Add a role to the user in Auth0. The role must already exist in Auth0 and the DB.
+        """
+        role = Auth0Role.get_by_name(role_name, session)
+        if role is None:
+            raise ValueError(f"Role {role_name} not found in DB")
+        resp = auth0_client.add_roles_to_user(user_id=self.id, role_id=role.id)
+        resp.raise_for_status()
+
     def add_platform_membership(
-        self, platform: PlatformEnum, db_session: Session, auto_approve: bool = False
+        self, platform: PlatformEnum, db_session: Session, auth0_client: Auth0Client, auto_approve: bool = False
     ) -> "PlatformMembership":
+        """
+        Create a platform membership for this user. If auto_approve is True,
+        add the Auth0 role for the platform to the user's roles
+        """
+        db_platform = Platform.get_by_id(platform, db_session)
+        if auto_approve:
+            logger.info(f"Adding role {db_platform.role_name} to user {self.id}")
+            self.add_role(role_name=db_platform.role_name, auth0_client=auth0_client, session=db_session)
         membership = PlatformMembership(
             platform_id=platform,
             user=self,
@@ -181,13 +203,43 @@ class PlatformRoleLink(SoftDeleteModel, table=True):
 
 class Platform(SoftDeleteModel, table=True):
     id: PlatformEnum = Field(primary_key=True, unique=True, sa_type=DbEnum(PlatformEnum, name="PlatformEnum"))
+    # Role name in Auth0 for basic access to the platform
+    role_name: str | None = Field(foreign_key="auth0role.name", nullable=True)
+    platform_role: "Auth0Role" = Relationship(back_populates="platform")
     # Human-readable name for the platform
     name: str = Field(unique=True)
     admin_roles: list["Auth0Role"] = Relationship(
         back_populates="admin_platforms", link_model=PlatformRoleLink,
     )
     members: list["PlatformMembership"] = Relationship(back_populates="platform")
 
+    @classmethod
+    def create_from_auth0_role(cls, role: "Auth0Role", session: Session, commit: bool = True) -> Self:
+        platform_id = get_platform_id_from_role_name(role.name)
+        default_admin_role = Auth0Role.get_by_name(f"biocommons/role/{platform_id}/admin", session=session)
+        if default_admin_role is None:
+            raise ValueError(f"Default admin role for platform {platform_id} not found in DB. ")
+        platform = cls(
+            id=platform_id,
+            role_name=role.name,
+            name=role.description,
+            admin_roles=[default_admin_role],
+        )
+        session.add(platform)
+        if commit:
+            session.commit()
+        session.flush()
+        return platform
+
+    def update_from_auth0_role(self, role: "Auth0Role", session: Session, commit: bool = True) -> Self:
+        self.role_name = role.name
+        self.name = role.description
+        session.add(self)
+        if commit:
+            session.commit()
+        session.flush()
+        return self
+
     @classmethod
     def get_by_id(cls, platform_id: PlatformEnum, session: Session) -> Self | None:
         return session.get(cls, platform_id)
@@ -237,7 +289,6 @@ def user_is_admin(self, user: SessionUser) -> bool:
                 return True
         return False
 
-
     def delete(self, session: Session, commit: bool = False) -> "Platform":
         memberships = list(self.members or [])
         for membership in memberships:
@@ -652,15 +703,20 @@ class GroupRoleLink(SoftDeleteModel, table=True):
 
 class Auth0Role(SoftDeleteModel, table=True):
     id: str = Field(primary_key=True, unique=True)
-    name: str
+    name: str = Field(unique=True)
     description: str = Field(default="")
+    platform: Platform | None = Relationship(back_populates="platform_role")
     admin_groups: list["BiocommonsGroup"] = Relationship(
         back_populates="admin_roles", link_model=GroupRoleLink
     )
     admin_platforms: list["Platform"] = Relationship(
         back_populates="admin_roles", link_model=PlatformRoleLink
     )
 
+    @classmethod
+    def get_by_id(cls, role_id: str, session: Session) -> Self | None:
+        return session.get(Auth0Role, role_id)
+
     @classmethod
     def get_or_create_by_id(
         cls, auth0_id: str, session: Session, auth0_client: Auth0Client
@@ -724,7 +780,7 @@ def get_by_id(cls, group_id: str, session: Session) -> Self | None:
     def get_by_id_or_404(cls, group_id: str, session: Session) -> Self:
         group = cls.get_by_id(group_id, session)
         if group is None:
-            raise HTTPException(status_code=404, detail="Group not found")
+            raise HTTPException(status_code=404, detail=f"Group {group_id} not found in database")
         return group
 
     def delete(self, session: Session, commit: bool = False) -> "BiocommonsGroup":

migrations/versions/4271e34a0adf_platform_role_name.py

@@ -0,0 +1,35 @@
+"""platform_role_name
+
+Revision ID: 4271e34a0adf
+Revises: 6c9d1e8540be
+Create Date: 2025-11-04 11:41:03.519358
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+import sqlmodel
+
+
+# revision identifiers, used by Alembic.
+revision: str = '4271e34a0adf'
+down_revision: Union[str, None] = '6c9d1e8540be'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.create_unique_constraint(op.f('uq_auth0role_name'), 'auth0role', ['name'])
+    op.add_column('platform', sa.Column('role_name', sqlmodel.sql.sqltypes.AutoString(), nullable=True))
+    op.create_foreign_key(op.f('fk_platform_role_name_auth0role'), 'platform', 'auth0role', ['role_name'], ['name'])
+    # ### end Alembic commands ###
+
+
+def downgrade() -> None:
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_constraint(op.f('fk_platform_role_name_auth0role'), 'platform', type_='foreignkey')
+    op.drop_column('platform', 'role_name')
+    op.drop_constraint(op.f('uq_auth0role_name'), 'auth0role', type_='unique')
+    # ### end Alembic commands ###

routers/biocommons_admin.py

@@ -71,6 +71,7 @@ def save_platform(self, db_session: Session, commit: bool = False):
             db_roles.append(db_role)
         platform = Platform(
             id=self.id,
+            role_name=f"biocommons/platform/{self.id}",
             name=self.name,
             admin_roles=db_roles,
         )
@@ -103,6 +104,28 @@ def create_platform(platform_data: PlatformCreateData, db_session: Annotated[Ses
     )
 
 
+class SetRolesData(BaseModel):
+    role_names: list[str]
+
+
+@router.post("/platforms/{platform_id}/set-admin-roles")
+def set_platform_admin_roles(platform_id: PlatformEnum, data: SetRolesData, db_session: Annotated[Session, Depends(get_db_session)]):
+    platform = Platform.get_by_id(platform_id, db_session)
+    db_roles = []
+    for role_name in data.role_names:
+        role = Auth0Role.get_by_name(role_name, db_session)
+        if role is None:
+            raise HTTPException(
+                status_code=HTTPStatus.BAD_REQUEST,
+                detail=f"Role {role_name} doesn't exist in DB - create roles first"
+            )
+        db_roles.append(role)
+    platform.admin_roles = db_roles
+    db_session.add(platform)
+    db_session.commit()
+    return {"message": f"Admin roles for platform {platform_id} set successfully."}
+
+
 class CreateRoleData(BaseModel):
     name: RoleId | GroupId
     description: str

routers/biocommons_register.py

@@ -2,6 +2,7 @@
 
 from fastapi import APIRouter, BackgroundTasks, Depends, HTTPException
 from httpx import HTTPStatusError
+from pydantic import BaseModel
 from sqlmodel import Session
 from starlette.responses import JSONResponse
 
@@ -18,19 +19,62 @@
 
 logger = logging.getLogger(__name__)
 
+
+class BiocommonsBundle(BaseModel):
+    id: BundleType
+    group_id: GroupEnum
+    group_auto_approve: bool
+    # Platforms that are automatically approved upon registration
+    platforms: list[PlatformEnum]
+
+    def _add_group_membership(self, user: BiocommonsUser, session: Session):
+        # Verify group exists
+        BiocommonsGroup.get_by_id_or_404(group_id=self.group_id.value, session=session)
+        group_membership = user.add_group_membership(
+            group_id=self.group_id.value, db_session=session, auto_approve=self.group_auto_approve
+        )
+        session.add(group_membership)
+
+    def _add_platform_memberships(self, user: BiocommonsUser, session: Session, auth0_client: Auth0Client):
+        for platform in self.platforms:
+            logger.info(f"Adding platform membership for {platform.value} to user {user.id}")
+            platform_membership = user.add_platform_membership(
+                platform=platform, db_session=session, auth0_client=auth0_client, auto_approve=True
+            )
+            session.add(platform_membership)
+
+    def create_user_record(self, auth0_user_data: Auth0UserData, auth0_client: Auth0Client, db_session: Session):
+        """
+        Create a user record for the bundle user.
+        """
+        db_user = BiocommonsUser.from_auth0_data(data=auth0_user_data)
+        db_session.add(db_user)
+        db_session.flush()
+        # Create group membership
+        self._add_group_membership(user=db_user, session=db_session)
+        # Add platform memberships based on bundle configuration
+        self._add_platform_memberships(user=db_user, session=db_session, auth0_client=auth0_client)
+        db_session.commit()
+        return db_user
+
+
 # Bundle configuration mapping bundle names to their groups and included platforms
 # Note: Platforms listed here are auto-approved upon registration,
 # while group memberships require manual approval
 # Currently BPA Data Portal and Galaxy are auto-approved for all bundles
-BUNDLES: dict[BundleType, dict] = {
-    "bpa_galaxy": {
-        "group_id": GroupEnum.BPA_GALAXY,
-        "platforms": [PlatformEnum.BPA_DATA_PORTAL, PlatformEnum.GALAXY],
-    },
-    "tsi": {
-        "group_id": GroupEnum.TSI,
-        "platforms": [PlatformEnum.BPA_DATA_PORTAL, PlatformEnum.GALAXY],
-    },
+BUNDLES: dict[BundleType, BiocommonsBundle] = {
+    "bpa_galaxy": BiocommonsBundle(
+        id="bpa_galaxy",
+        group_id=GroupEnum.BPA_GALAXY,
+        group_auto_approve=True,
+        platforms=[PlatformEnum.BPA_DATA_PORTAL, PlatformEnum.GALAXY],
+    ),
+    "tsi": BiocommonsBundle(
+        id="tsi",
+        group_id=GroupEnum.TSI,
+        group_auto_approve=False,
+        platforms=[PlatformEnum.BPA_DATA_PORTAL, PlatformEnum.GALAXY],
+    ),
 }
 
 router = APIRouter(prefix="/biocommons", tags=["biocommons", "registration"], route_class=RegistrationRoute)
@@ -72,17 +116,23 @@ async def register_biocommons_user(
 
     # Create Auth0 user data
     user_data = BiocommonsRegisterData.from_biocommons_registration(registration)
+    bundle = BUNDLES[registration.bundle]
 
     try:
         logger.info("Registering user with Auth0")
         auth0_user_data = auth0_client.create_user(user_data)
 
         logger.info("Adding user to DB")
-        _create_biocommons_user_record(auth0_user_data, registration, db_session)
+        bundle.create_user_record(
+            auth0_user_data=auth0_user_data,
+            auth0_client=auth0_client,
+            db_session=db_session
+        )
 
         # Send approval email in background
-        if settings.send_email:
-            background_tasks.add_task(send_approval_email, registration, settings)
+        if not bundle.group_auto_approve:
+            if settings.send_email:
+                background_tasks.add_task(send_approval_email, registration, settings)
 
         logger.info(
             f"Successfully registered biocommons user: {auth0_user_data.user_id}"
@@ -103,41 +153,3 @@ async def register_biocommons_user(
     except Exception as e:
         logger.error(f"Unexpected error during registration: {e}")
         raise HTTPException(status_code=500, detail="Internal server error")
-
-
-def _create_biocommons_user_record(
-    auth0_user_data: Auth0UserData,
-    registration: BiocommonsRegistrationRequest,
-    session: Session,
-) -> BiocommonsUser:
-    """Create a BioCommons user record in the database with group membership based on selected bundle."""
-    db_user = BiocommonsUser.from_auth0_data(data=auth0_user_data)
-    session.add(db_user)
-    session.flush()
-
-    # Get bundle configuration
-    bundle_config = BUNDLES[registration.bundle]
-    group_id = bundle_config["group_id"]
-
-    # Verify the group exists (this will raise an error if it doesn't)
-    db_group = BiocommonsGroup.get_by_id(group_id, session)
-    if not db_group:
-        raise ValueError(
-            f"Group '{group_id.value}' not found. Groups must be pre-configured in the database."
-        )
-
-    # Create group membership
-    group_membership = db_user.add_group_membership(
-        group_id=group_id, db_session=session, auto_approve=False
-    )
-    session.add(group_membership)
-
-    # Add platform memberships based on bundle configuration
-    for platform in bundle_config["platforms"]:
-        platform_membership = db_user.add_platform_membership(
-            platform=platform, db_session=session, auto_approve=True
-        )
-        session.add(platform_membership)
-
-    session.commit()
-    return db_user

routers/bpa_register.py

@@ -46,7 +46,7 @@ async def register_bpa_user(
         auth0_user_data = auth0_client.create_user(user_data)
 
         logger.info("Adding user to DB")
-        _create_bpa_user_record(auth0_user_data, db_session)
+        _create_bpa_user_record(auth0_user_data, auth0_client=auth0_client, session=db_session)
 
         return {"message": "User registered successfully", "user": auth0_user_data.model_dump(mode="json")}
 
@@ -65,11 +65,12 @@ async def register_bpa_user(
         )
 
 
-def _create_bpa_user_record(auth0_user_data: Auth0UserData, session: Session) -> BiocommonsUser:
+def _create_bpa_user_record(auth0_user_data: Auth0UserData, auth0_client: Auth0Client, session: Session) -> BiocommonsUser:
     db_user = BiocommonsUser.from_auth0_data(data=auth0_user_data)
     bpa_membership = db_user.add_platform_membership(
         platform=PlatformEnum.BPA_DATA_PORTAL,
         db_session=session,
+        auth0_client=auth0_client,
         auto_approve=True
     )
     session.add(db_user)

routers/galaxy_register.py

@@ -68,14 +68,15 @@ def register(
         return JSONResponse(status_code=400, content=response.model_dump(mode="json"))
     # Add to database and record Galaxy membership
     logger.info("Adding user to DB")
-    _create_galaxy_user_record(auth0_user_data, db_session)
+    _create_galaxy_user_record(auth0_user_data, auth0_client=auth0_client, session=db_session)
     return {"message": "User registered successfully", "user": auth0_user_data.model_dump(mode="json")}
 
 
-def _create_galaxy_user_record(auth0_user_data: Auth0UserData, session: Session) -> BiocommonsUser:
+def _create_galaxy_user_record(auth0_user_data: Auth0UserData, auth0_client: Auth0Client, session: Session) -> BiocommonsUser:
     db_user = BiocommonsUser.from_auth0_data(data=auth0_user_data)
     galaxy_membership = db_user.add_platform_membership(
         platform=PlatformEnum.GALAXY,
+        auth0_client=auth0_client,
         db_session=session,
         auto_approve=True
     )