Implementing new endpoints for external attributes and corresponding ACL rules and scopes.

Author: krulis-martin

app/V1Module/presenters/GroupExternalAttributesPresenter.php

@@ -0,0 +1,136 @@
+<?php
+
+namespace App\V1Module\Presenters;
+
+use App\Exceptions\ForbiddenRequestException;
+use App\Exceptions\BadRequestException;
+use App\Model\Repository\GroupExternalAttributes;
+use App\Model\Repository\Groups;
+use App\Model\Entity\GroupExternalAttribute;
+use App\Model\View\GroupViewFactory;
+use App\Security\ACL\IGroupPermissions;
+use DateTime;
+
+/**
+ * Additional attributes used by 3rd parties to keep relations between groups and entites in external systems.
+ * In case of a university, the attributes may hold things like course/semester/student-group identifiers.
+ */
+class GroupExternalAttributesPresenter extends BasePresenter
+{
+    /**
+     * @var GroupExternalAttributes
+     * @inject
+     */
+    public $groupExternalAttributes;
+
+    /**
+     * @var Groups
+     * @inject
+     */
+    public $groups;
+
+    /**
+     * @var IGroupPermissions
+     * @inject
+     */
+    public $groupAcl;
+
+    /**
+     * @var GroupViewFactory
+     * @inject
+     */
+    public $groupViewFactory;
+
+    public function checkDefault()
+    {
+        if (!$this->groupAcl->canViewExternalAttributes()) {
+            throw new ForbiddenRequestException();
+        }
+    }
+
+    /**
+     * Return all attributes that correspond to given filtering parameters.
+     * @GET
+     * @Param(type="query", name="filter", required=true, validation="string",
+     *        description="JSON-encoded filter query in DNF as [clause OR clause...]")
+     *
+     * The filter is encocded as array of objects (logically represented as disjunction of clauses)
+     * -- i.e., [clause1 OR clause2 ...]. Each clause is an object with the following keys:
+     * "group", "service", "key", "value" that match properties of GroupExternalAttribute entity.
+     * The values are expected values matched with == in the search. Any of the keys may be ommitted or null
+     * which indicate it should not be matched in the particular clause.
+     * A clause must contain at least one of the four keys.
+     *
+     * The endpoint will return a list of matching attributes and all related group entities.
+     */
+    public function actionDefault(?string $filter)
+    {
+        $filterStruct = json_decode($filter ?? '');
+        if (!$filterStruct || !is_array($filterStruct)) {
+            throw new BadRequestException("Invalid filter format.");
+        }
+
+        $attributes = $this->groupExternalAttributes->findByFilter($filterStruct);
+
+        $groupIds = [];
+        foreach ($attributes as $attribute) {
+            $groupIds[$attribute->getGroup()->getId()] = true; // id is key to make it unique
+        }
+
+        $groups = $this->groups->groupsAncestralClosure(array_keys($groupIds));
+        $this->sendSuccessResponse([
+            "attributes" => $attributes,
+            "groups" => $this->groupViewFactory->getGroups($groups),
+        ]);
+    }
+
+
+    public function checkAdd(string $groupId)
+    {
+        if (!$this->groupAcl->canSetExternalAttributes()) {
+            throw new ForbiddenRequestException();
+        }
+    }
+
+    /**
+     * Create an external attribute for given group.
+     * @Param(type="post", name="service", required=true, validation="string:1..32",
+     *        description="Identifier of the external service creating the attribute")
+     * @Param(type="post", name="key", required=true, validation="string:1..32",
+     *        description="Key of the attribute (must be valid identifier)")
+     * @Param(type="post", name="value", required=true, validation="string:0..255",
+     *        description="Value of the attribute (arbitrary string)")
+     * @POST
+     */
+    public function actionAdd(string $groupId)
+    {
+        $group = $this->groups->findOrThrow($groupId);
+
+        $req = $this->getRequest();
+        $service = $req->getPost("service");
+        $key = $req->getPost("key");
+        $value = $req->getPost("value");
+        $attribute = new GroupExternalAttribute($group, $service, $key, $value);
+        $this->groupExternalAttributes->persist($attribute);
+
+        $this->sendSuccessResponse("OK");
+    }
+
+    public function checkRemove(string $groupId)
+    {
+        if (!$this->groupAcl->canSetExternalAttributes()) {
+            throw new ForbiddenRequestException();
+        }
+    }
+
+    /**
+     * Remove selected attribute
+     * @DELETE
+     */
+    public function actionRemove(string $id)
+    {
+        $attribute = $this->groupExternalAttributes->findOrThrow($id);
+        $this->groupExternalAttributes->remove($attribute);
+        $this->sendSuccessResponse("OK");
+    }
+}

app/V1Module/presenters/GroupInvitationsPresenter.php

@@ -11,7 +11,7 @@
 use DateTime;
 
 /**
- * Hardware groups endpoints
+ * Group invitations - links that allow users to join a group.
  */
 class GroupInvitationsPresenter extends BasePresenter
 {

app/V1Module/router/RouterFactory.php

@@ -38,6 +38,7 @@ public static function createRouter()
         $router[] = self::createAssignmentsRoutes("$prefix/exercise-assignments");
         $router[] = self::createGroupsRoutes("$prefix/groups");
         $router[] = self::createGroupInvitationsRoutes("$prefix/group-invitations");
+        $router[] = self::createGroupAtrributesRoutes("$prefix/group-attributes");
         $router[] = self::createInstancesRoutes("$prefix/instances");
         $router[] = self::createReferenceSolutionsRoutes("$prefix/reference-solutions");
         $router[] = self::createAssignmentSolutionsRoutes("$prefix/assignment-solutions");
@@ -299,6 +300,21 @@ private static function createGroupInvitationsRoutes(string $prefix): RouteList
         return $router;
     }
 
+    /**
+     * Adds all group external attributes endpoints to given router.
+     * @param string $prefix Route prefix
+     * @return RouteList All endpoint routes
+     */
+    private static function createGroupAtrributesRoutes(string $prefix): RouteList
+    {
+        $router = new RouteList();
+
+        $router[] = new GetRoute($prefix, "GroupExternalAttributes:");
+        $router[] = new PostRoute("$prefix/<groupId>", "GroupExternalAttributes:add");
+        $router[] = new DeleteRoute("$prefix/<id>", "GroupExternalAttributes:remove");
+        return $router;
+    }
+
     /**
      * Adds all Instances endpoints to given router.
      * @param string $prefix Route prefix

app/V1Module/security/ACL/IGroupPermissions.php

@@ -75,4 +75,8 @@ public function canEditInvitations(Group $group): bool;
     public function canLockStudent(Group $group, User $student): bool;
 
     public function canUnlockStudent(Group $group, User $student): bool;
+
+    public function canViewExternalAttributes(): bool;
+
+    public function canSetExternalAttributes(): bool;
 }

app/V1Module/security/TokenScope.php

@@ -42,6 +42,16 @@ class TokenScope
      */
     public const EMAIL_VERIFICATION = "email-verification";
 
+    /**
+     * Scope used for 3rd party tools designed to externally manage groups and student memeberships.
+     */
+    public const GROUP_EXTERNAL_ATTRIBUTES = "group-external-attributes";
+
+    /**
+     * Scope for managing the users. Used in case the user data needs to be updated from an external database.
+     */
+    public const USERS = "users";
+
     /**
      * Usually used in combination with other scopes. Allows refreshing the token.
      */

app/config/permissions.neon

@@ -74,6 +74,21 @@ permissions:
           - viewPublicDetail
           - viewDetail
 
+    - allow: true
+      role: scope-group-external-attributes
+      resource: group
+      actions:
+          - viewExternalAttributes
+          - setExternalAttributes
+          - viewStudents
+          - viewAll
+          - viewPublicDetail
+          - viewDetail
+          - addStudent
+          - removeStudent
+          - addMember
+          - removeMember
+
     - allow: true
       role: student
       resource: group
@@ -372,6 +387,23 @@ permissions:
         - viewPublicData
         - viewList
 
+    - allow: true
+      role: scope-users
+      resource: user
+      actions:
+        - viewPublicData
+        - viewGroups
+        - viewDetail
+        - viewList
+        - viewAll
+        - create
+        - updateProfile
+        - updatePersonalData
+        - setIsAllowed
+        - createLocalAccount
+        - invalidateTokens
+        - delete
+
     - allow: true
       role: student
       resource: user

app/model/repository/ExerciseTags.php

@@ -11,7 +11,6 @@
  */
 class ExerciseTags extends BaseRepository
 {
-
     public function __construct(EntityManagerInterface $em)
     {
         parent::__construct($em, ExerciseTag::class);

app/model/repository/GroupExternalAttributes.php

@@ -6,6 +6,8 @@
 use App\Model\Entity\GroupExternalAttribute;
 use App\Model\Entity\User;
 use Doctrine\ORM\EntityManagerInterface;
+use Doctrine\ORM\QueryBuilder;
+use InvalidArgumentException;
 
 /**
  * @extends BaseRepository<GroupExternalAttribute>
@@ -16,4 +18,63 @@ public function __construct(EntityManagerInterface $em)
     {
         parent::__construct($em, GroupExternalAttribute::class);
     }
+
+    /**
+     * Helper function that constructs AND expression representing a filter clause for fiven query builder.
+     * @param QueryBuilder $qb
+     * @param int $counter used for generating unique parameter identifiers
+     * @param array $clause represented as associative array
+     * @param string $filterLocation used to identify the clause in exception messages
+     * @throws InvalidArgumentException if the clause format is invalid
+     */
+    private static function createFilterClause(QueryBuilder $qb, int &$counter, array $clause, string $filterLocation)
+    {
+        $expr = $qb->expr()->andX();
+        $set = false;
+        foreach (['group', 'service', 'key', 'value'] as $key) {
+            if (array_key_exists($key, $clause) && $clause[$key] !== null) {
+                if (!is_string($clause[$key])) {
+                    throw new InvalidArgumentException("Clause parameter $filterLocation.$key must be a string.");
+                }
+                $paramName = $key . $counter++;
+                $expr->add("ea.$key = :$paramName");
+                $qb->setParameter($paramName, $clause[$key]);
+                $set = true;
+            }
+        }
+
+        if (!$set) {
+            throw new InvalidArgumentException("Clause $filterLocation does not have any known keys.");
+        }
+        return $expr;
+    }
+
+    /**
+     * Find all external attributes that match given filter (disjunction of clauses).
+     * @param array $filter clause represented as and array of OR clauses where each clause is an object
+     *                      (or assoc. array) with a subset of 'group', 'service', 'key', 'value' keys
+     * @return GroupExternalAttribute[] attributes that match given filter
+     * @throws InvalidArgumentException if the clause format is invalid
+     */
+    public function findByFilter(array $filter): array
+    {
+        if (!$filter) {
+            throw new InvalidArgumentException("Arument filter is empty.");
+        }
+
+        $qb = $this->createQueryBuilder('ea')->join('ea.group', 'g');
+        $qb->where('g.archivedAt IS NULL');
+
+        $expr = $qb->expr()->orX();
+        $counter = 0;
+        foreach (array_values($filter) as $idx => $clause) {
+            if (!is_object($clause) && !is_array($clause)) {
+                throw new InvalidArgumentException("Invalid clause type in filter[$idx], object or array expected.");
+            }
+            $expr->add(self::createFIlterClause($qb, $counter, (array)$clause, "filter[$idx]"));
+        }
+        $qb->andWhere($expr);
+
+        return $qb->getQuery()->getResult();
+    }
 }

app/model/repository/Groups.php

@@ -17,7 +17,6 @@
  */
 class Groups extends BaseSoftDeleteRepository
 {
-
     public function __construct(EntityManagerInterface $em)
     {
         parent::__construct($em, Group::class);
@@ -287,18 +286,29 @@ public function findFiltered(
     /**
      * Gets an initial set of groups and produces a set of groups which have the
      * original set as a subset and every group has its parent in the set as well.
-     * @param iterable $groups Initial set of groups
+     * @param iterable $groups Initial set of groups or group IDs
      * @return Group[]
      */
     public function groupsAncestralClosure(iterable $groups): array
     {
         $res = [];
         foreach ($groups as $group) {
-            $groupId = $group->getId();
+            // handle both IDs and group entities as input
+            if (is_string($group)) { // load group if only ID is given
+                $groupId = $group;
+                $group = null;
+            } else {
+                $groupId = $group->getId();
+            }
+
             if (array_key_exists($groupId, $res)) { // @neloop made me do that
                 continue;
             }
-            $res[$groupId] = $group;
+
+            // add the group in the result
+            $res[$groupId] = $group ?? $this->findOrThrow($groupId);
+
+            // ... along with the parents
             foreach ($group->getParentGroupsIds() as $id) {
                 if (!array_key_exists($id, $res)) {
                     $res[$id] = $this->findOrThrow($id);