feat: enable revoke access via updating db

Author: amandazhuyilan

db/models.py

@@ -3,7 +3,7 @@
 from typing import Self
 
 from pydantic import AwareDatetime
-from sqlalchemy import UniqueConstraint
+from sqlalchemy import Column, String, UniqueConstraint
 from sqlmodel import DateTime, Field, Relationship, Session, select
 from sqlmodel import Enum as DbEnum
 
@@ -157,6 +157,10 @@ class PlatformMembership(BaseModel, table=True):
             "foreign_keys": "PlatformMembership.updated_by_id",
         }
     )
+    revocation_reason: str | None = Field(
+        default=None,
+        sa_column=Column(String(1024), nullable=True)
+    )
 
     def save_history(self, session: Session) -> "PlatformMembershipHistory":
         # Make sure this object is in the session before accessing relationships
@@ -170,6 +174,7 @@ def save_history(self, session: Session) -> "PlatformMembershipHistory":
             approval_status=self.approval_status,
             updated_at=self.updated_at,
             updated_by=self.updated_by,
+            reason=self.revocation_reason,
         )
         session.add(history)
         return history
@@ -188,6 +193,7 @@ def get_data(self) -> PlatformMembershipData:
             user_id=self.user_id,
             approval_status=self.approval_status,
             updated_by=updated_by,
+            revocation_reason=self.revocation_reason,
         )
 
 
@@ -212,6 +218,10 @@ class PlatformMembershipHistory(BaseModel, table=True):
             "foreign_keys": "PlatformMembershipHistory.updated_by_id",
         }
     )
+    reason: str | None = Field(
+        default=None,
+        sa_column=Column(String(1024), nullable=True)
+    )
 
 
 class GroupMembership(BaseModel, table=True):
@@ -247,6 +257,10 @@ class GroupMembership(BaseModel, table=True):
             "foreign_keys": "GroupMembership.updated_by_id",
         }
     )
+    revocation_reason: str | None = Field(
+        default=None,
+        sa_column=Column(String(1024), nullable=True)
+    )
 
     @classmethod
     def get_by_user_id(
@@ -283,6 +297,7 @@ def save_history(
             approval_status=self.approval_status,
             updated_at=self.updated_at,
             updated_by=self.updated_by,
+            reason=self.revocation_reason,
         )
         session.add(history)
         if commit:
@@ -310,6 +325,7 @@ def get_data(self) -> GroupMembershipData:
             group_name=self.group.name,
             approval_status=self.approval_status,
             updated_by=updated_by,
+            revocation_reason=self.revocation_reason,
         )
 
 
@@ -340,6 +356,10 @@ class GroupMembershipHistory(BaseModel, table=True):
             "foreign_keys": "GroupMembershipHistory.updated_by_id",
         }
     )
+    reason: str | None = Field(
+        default=None,
+        sa_column=Column(String(1024), nullable=True)
+    )
 
     @classmethod
     def get_by_user_id(

db/types.py

@@ -29,6 +29,7 @@ class PlatformMembershipData(BaseModel):
     user_id: str
     approval_status: ApprovalStatusEnum
     updated_by: str
+    revocation_reason: str | None = None
 
 
 class GroupMembershipData(BaseModel):
@@ -38,6 +39,7 @@ class GroupMembershipData(BaseModel):
     group_name: str
     approval_status: ApprovalStatusEnum
     updated_by: str
+    revocation_reason: str | None = None
 
 
 # Not used for Groups in the database yet

routers/admin.py

@@ -1,6 +1,6 @@
 import asyncio
 import logging
-from datetime import datetime
+from datetime import datetime, timezone
 from typing import Annotated
 
 from fastapi import APIRouter, Depends, HTTPException, Path
@@ -96,6 +96,76 @@ def strip_reason(cls, value: str | None) -> str | None:
         return stripped or None
 
 
+def _resolve_platform(service_id: str) -> PlatformEnum | None:
+    if service_id in PLATFORM_MAPPING:
+        return PLATFORM_MAPPING[service_id]["enum"]
+    for data in PLATFORM_MAPPING.values():
+        if data["enum"].value == service_id:
+            return data["enum"]
+    return None
+
+
+def _resolve_group(service_id: str) -> GroupEnum | None:
+    if service_id in GROUP_MAPPING:
+        return GROUP_MAPPING[service_id]["enum"]
+    for data in GROUP_MAPPING.values():
+        if data["enum"].value == service_id:
+            return data["enum"]
+    return None
+
+
+def _get_or_create_db_user(user_id: str,
+                           client: Auth0Client,
+                           db_session: Session) -> BiocommonsUser:
+    db_user = db_session.get(BiocommonsUser, user_id)
+    if db_user is None:
+        db_user = BiocommonsUser.get_or_create(
+            auth0_id=user_id,
+            db_session=db_session,
+            auth0_client=client,
+        )
+    return db_user
+
+
+def _get_platform_membership_or_404(
+    *, user_id: str, platform_id: PlatformEnum, db_session: Session
+) -> PlatformMembership:
+    membership = db_session.exec(
+        select(PlatformMembership).where(
+            PlatformMembership.user_id == user_id,
+            PlatformMembership.platform_id == platform_id,
+        )
+    ).one_or_none()
+    if membership is None:
+        raise HTTPException(
+            status_code=404,
+            detail=f"Platform membership '{platform_id.value}' not found for user '{user_id}'",
+        )
+    return membership
+
+
+def _get_group_membership_or_404(
+    *, user_id: str, group_id: str, db_session: Session
+) -> GroupMembership:
+    membership = GroupMembership.get_by_user_id(
+        user_id=user_id,
+        group_id=group_id,
+        session=db_session,
+    )
+    if membership is None:
+        raise HTTPException(
+            status_code=404,
+            detail=f"Group membership '{group_id}' not found for user '{user_id}'",
+        )
+    return membership
+
+
+def _membership_response(kind: str, membership_model) -> dict[str, object]:
+    data = membership_model.get_data().model_dump(mode="json")
+    data["type"] = kind
+    return data
+
+
 @router.get("/filters")
 def get_filter_options():
     """
@@ -299,52 +369,105 @@ def resend_verification_email(user_id: Annotated[str, UserIdParam],
 def approve_service(user_id: Annotated[str, UserIdParam],
                     service_id: Annotated[str, ServiceIdParam],
                     client: Annotated[Auth0Client, Depends(get_auth0_client)],
-                    approving_user: Annotated[SessionUser, Depends(get_current_user)]):
-    user = client.get_user(user_id=user_id)
-    # Need to fetch full user info currently to get email address, not in access token
-    approving_user_data = client.get_user(user_id=approving_user.access_token.sub)
-    logger.debug(f"Approving service {service_id} for user {user_id} by {approving_user_data.email}")
-    user.app_metadata.approve_service(service_id, updated_by=str(approving_user_data.email))
-    logger.info("Sending updated metadata to Auth0 API")
-    # update_user_metadata is async, so run via asyncio
-    update = update_user_metadata(
+                    approving_user: Annotated[SessionUser, Depends(get_current_user)],
+                    db_session: Annotated[Session, Depends(get_db_session)]):
+    platform = _resolve_platform(service_id)
+    group = _resolve_group(service_id)
+    if platform is None and group is None:
+        raise HTTPException(status_code=404, detail=f"Service '{service_id}' is not recognised")
+
+    admin_record = _get_or_create_db_user(
+        user_id=approving_user.access_token.sub,
+        client=client,
+        db_session=db_session,
+    )
+
+    if platform is not None:
+        membership = _get_platform_membership_or_404(
+            user_id=user_id,
+            platform_id=platform,
+            db_session=db_session,
+        )
+        membership.approval_status = ApprovalStatusEnum.APPROVED
+        membership.revocation_reason = None
+        membership.updated_at = datetime.now(timezone.utc)
+        membership.updated_by = admin_record
+        db_session.add(membership)
+        membership.save_history(db_session)
+        db_session.commit()
+        db_session.refresh(membership)
+        logger.info("Approved platform %s for user %s", platform.value, user_id)
+        return _membership_response("platform", membership)
+
+    membership = _get_group_membership_or_404(
         user_id=user_id,
-        token=client.management_token,
-        metadata=user.app_metadata.model_dump(mode="json")
+        group_id=group.value,
+        db_session=db_session,
     )
-    resp = asyncio.run(update)
-    logger.info("Metadata updated successfully")
-    return resp
+    membership.approval_status = ApprovalStatusEnum.APPROVED
+    membership.revocation_reason = None
+    membership.updated_at = datetime.now(timezone.utc)
+    membership.updated_by = admin_record
+    membership.grant_auth0_role(auth0_client=client)
+    membership.save(session=db_session, commit=True)
+    db_session.refresh(membership)
+    logger.info("Approved group %s for user %s", group.value, user_id)
+    return _membership_response("group", membership)
 
 
 @router.post("/users/{user_id}/services/{service_id}/revoke")
 def revoke_service(user_id: Annotated[str, UserIdParam],
                    service_id: Annotated[str, ServiceIdParam],
                    payload: RevokeServiceRequest,
                    client: Annotated[Auth0Client, Depends(get_auth0_client)],
-                   revoking_user: Annotated[SessionUser, Depends(get_current_user)]):
+                   revoking_user: Annotated[SessionUser, Depends(get_current_user)],
+                   db_session: Annotated[Session, Depends(get_db_session)]):
     """
-    Revoke a service and all associated resources for a user.
+    Revoke a service by updating platform or group membership state in the database.
     """
-    user = client.get_user(user_id=user_id)
-    revoking_user_data = client.get_user(user_id=revoking_user.access_token.sub)
-    user.app_metadata.revoke_service(
-        service_id=service_id,
-        updated_by=str(revoking_user_data.email),
-        reason=payload.reason,
+    platform = _resolve_platform(service_id)
+    group = _resolve_group(service_id)
+    if platform is None and group is None:
+        raise HTTPException(status_code=404, detail=f"Service '{service_id}' is not recognised")
+
+    admin_record = _get_or_create_db_user(
+        user_id=revoking_user.access_token.sub,
+        client=client,
+        db_session=db_session,
     )
-    service = user.app_metadata.get_service_by_id(service_id)
-    if service is None:
-        raise HTTPException(status_code=404, detail=f"Service '{service_id}' not found for user '{user_id}'")
-    for resource in service.resources:
-        resource.revoke()
-    update = update_user_metadata(
+
+    reason = payload.reason
+
+    if platform is not None:
+        membership = _get_platform_membership_or_404(
+            user_id=user_id,
+            platform_id=platform,
+            db_session=db_session,
+        )
+        membership.approval_status = ApprovalStatusEnum.REVOKED
+        membership.revocation_reason = reason
+        membership.updated_at = datetime.now(timezone.utc)
+        membership.updated_by = admin_record
+        db_session.add(membership)
+        membership.save_history(db_session)
+        db_session.commit()
+        db_session.refresh(membership)
+        logger.info("Revoked platform %s for user %s", platform.value, user_id)
+        return _membership_response("platform", membership)
+
+    membership = _get_group_membership_or_404(
         user_id=user_id,
-        token=client.management_token,
-        metadata=user.app_metadata.model_dump(mode="json")
+        group_id=group.value,
+        db_session=db_session,
     )
-    resp = asyncio.run(update)
-    return resp
+    membership.approval_status = ApprovalStatusEnum.REVOKED
+    membership.revocation_reason = reason
+    membership.updated_at = datetime.now(timezone.utc)
+    membership.updated_by = admin_record
+    membership.save(session=db_session, commit=True)
+    db_session.refresh(membership)
+    logger.info("Revoked group %s for user %s", group.value, user_id)
+    return _membership_response("group", membership)
 
 
 @router.post("/users/{user_id}/services/{service_id}/resources/{resource_id}/approve")

tests/db/test_models.py

@@ -30,6 +30,7 @@
     BiocommonsUserFactory,
     GroupMembershipFactory,
     PlatformFactory,
+    PlatformMembershipFactory,
 )
 
 FROZEN_TIME = datetime(2025, 1, 1, 12, 0, 0)
@@ -143,6 +144,7 @@ def test_create_platform_membership(test_db_session, persistent_factories, froze
     # Check the related platform object is populated
     assert membership.platform.id == "galaxy"
     assert membership.updated_at == FROZEN_TIME
+    assert membership.revocation_reason is None
 
 
 def test_create_platform_membership_history(test_db_session, persistent_factories, frozen_time):
@@ -187,6 +189,24 @@ def test_create_group_membership(test_db_session, persistent_factories):
     assert membership.updated_by_id == updater.id
 
 
+def test_platform_membership_save_history_stores_reason(test_db_session, persistent_factories):
+    membership = PlatformMembershipFactory.create_sync(
+        approval_status=ApprovalStatusEnum.REVOKED,
+        revocation_reason="Policy violation",
+    )
+    membership.save_history(test_db_session)
+    history = test_db_session.exec(
+        select(PlatformMembershipHistory)
+        .where(
+            PlatformMembershipHistory.user_id == membership.user_id,
+            PlatformMembershipHistory.platform_id == membership.platform_id,
+        )
+        .order_by(PlatformMembershipHistory.updated_at.desc())
+    ).first()
+    assert history is not None
+    assert history.reason == "Policy violation"
+
+
 def test_create_group_membership_no_updater(test_db_session, persistent_factories):
     """
     Test creating a group membership without an updated_by (for automatic approvals)
@@ -366,6 +386,7 @@ def test_group_membership_save_with_history(test_db_session, persistent_factorie
     ).one()
     assert history.group_id == membership.group_id
     assert history.user_id == membership.user_id
+    assert history.reason == membership.revocation_reason
 
 
 def test_group_membership_save_and_commit_history(test_db_session, persistent_factories):
@@ -381,3 +402,4 @@ def test_group_membership_save_and_commit_history(test_db_session, persistent_fa
     ).one()
     assert history.group_id == membership.group_id
     assert history.user_id == membership.user_id
+    assert history.reason == membership.revocation_reason