Add option to map user API groups to teams

- Adds option to map groups to teams in ODC admin section. - Teams are retrieved and created during login. - Teams are assigned and unassigned based on group memberships.
H2-invent · Aug 16, 2024 · a7b7596 · a7b7596
1 parent 1ace325
commit a7b7596
Show file tree

Hide file tree

Showing 14 changed files with 249 additions and 36 deletions.
diff --git a/.env b/.env
@@ -76,3 +76,9 @@ APP_DEMO=0
 ###> LaF ###
 laF_version=2.0.0-dev
 ###< LaF ###
+
+### Group Mapper API ###
+GROUP_API_URI=http://localhost
+GROUP_API_KEY=CHANGEME
+GROUP_API_ROLE=CHANGEME
+GROUP_API_USER_ID=CHANGEME
diff --git a/.gitignore b/.gitignore
@@ -59,3 +59,5 @@ docker.conf
 ###> phpstan/phpstan ###
 phpstan.neon
 ###< phpstan/phpstan ###
+
+.php-version
diff --git a/config/packages/framework.yaml b/config/packages/framework.yaml
@@ -11,6 +11,13 @@ framework:
         cookie_secure: auto
         cookie_samesite: lax
 
+    http_client:
+        scoped_clients:
+            group.client:
+                base_uri: '%env(GROUP_API_URI)%'
+                headers:
+                    'X-API-KEY': '%env(default::GROUP_API_KEY)%'
+
     #esi: true
     #fragments: true
     php_errors:

diff --git a/config/services.yaml b/config/services.yaml
@@ -15,6 +15,8 @@ parameters:
     KEYCLOAK_SECRET: '%env(OAUTH_KEYCLOAK_CLIENT_SECRET)%'
     KEYCLOAK_ID: '%env(OAUTH_KEYCLOAK_CLIENT_ID)%'
     superAdminRole: '%env(superAdminRole)%'
+    group_api_user_id: '%env(default::GROUP_API_USER_ID)%'
+    group_api_role: '%env(default::GROUP_API_ROLE)%'
 services:
     # default configuration for services in *this* file
     _defaults:
@@ -57,3 +59,8 @@ services:
                connection: default
         calls:
             - [ setAnnotationReader, [ "@annotation_reader" ] ]
+
+    App\Security\KeycloakAuthenticator:
+        arguments:
+            $groupApiUserId: '%group_api_user_id%'
+            $groupApiRole: '%group_api_role%'
diff --git a/src/Controller/SettingsController.php b/src/Controller/SettingsController.php
@@ -43,8 +43,7 @@ public function manage(
         $errors = array();
 
         if ($form->isSubmitted() && $form->isValid()) {
-            $newSettings = $form->getData();
-            $settings->setUseKeycloakGroups($newSettings->getUseKeycloakGroups());
+            $settings = $form->getData();
             $errors = $validator->validate($settings);
             if (count($errors) == 0) {
                 $em->persist($settings);

diff --git a/src/Controller/TeamController.php b/src/Controller/TeamController.php
@@ -348,15 +348,14 @@ public function edit(
 
         $availableTeams = $currentTeamService->getTeamsWithoutCurrentHierarchy($user, $team);
 
-        $form = $this->createForm(
-            TeamType::class,
-            $team,
-            ['teams' => $availableTeams,]
-        );
+        $form = $this->createForm(TeamType::class, $team, [
+            'teams' => $availableTeams,
+            'disabled' => $team->isImmutable(),
+        ]);
         $form->handleRequest($request);
 
         $errors = array();
-        if ($form->isSubmitted() && $form->isValid()) {
+        if ($form->isSubmitted() && $form->isValid() && !$team->isImmutable()) {
             $nTeam = $form->getData();
             $errors = $validator->validate($nTeam);
             if (count($errors) == 0) {
@@ -391,7 +390,7 @@ public function manage(
     {
         $user = $this->getUser();
         $settings = $settingsRepository->findOne();
-        $useKeycloakGroups = $settings ? $settings->getUseKeycloakGroups() : false;
+        $useKeycloakGroups = $settings && $settings->getUseKeycloakGroups();
 
         if (!$securityService->superAdminCheck($user)) {
             return $this->redirectToRoute('dashboard');
@@ -440,7 +439,7 @@ public function teamDelete(
         $teamId = $request->get('id');
         $team = $teamId ? $teamRepository->find($teamId) : $currentTeamService->getCurrentAdminTeam($user);
 
-        if ($securityService->superAdminCheck($user) === false) {
+        if ($securityService->superAdminCheck($user) === false || $team->isImmutable()) {
             return $this->redirectToRoute('dashboard');
         }
 

diff --git a/src/Controller/TeamMemberController.php b/src/Controller/TeamMemberController.php
@@ -198,7 +198,7 @@ public function mitgliederAdd(
         $teamId = $request->get('id');
         $currentTeam = null;
         $settings = $settingsRepository->findOne();
-        $useKeycloakGroups = $settings ? $settings->getUseKeycloakGroups() : false;
+        $useKeycloakGroups = $settings && $settings->getUseKeycloakGroups();
         $this->setBackButton($this->generateUrl('manage_teams'));
 
         if ($teamId) {

diff --git a/src/Entity/Settings.php b/src/Entity/Settings.php
@@ -3,31 +3,47 @@
 namespace App\Entity;
 
 use App\Repository\SettingsRepository;
-use Doctrine\Common\Collections\ArrayCollection;
-use Doctrine\Common\Collections\Collection;
 use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Validator\Constraints as Assert;
 
 #[ORM\Entity(repositoryClass: SettingsRepository::class)]
 class Settings
 {
+    const NO_GROUP_MAPPING = 0;
+
+    const KEYCLOAK_GROUP_MAPPING = 1;
+
+    const API_GROUP_MAPPING = 2;
+
     #[ORM\Id]
     #[ORM\GeneratedValue]
     #[ORM\Column(type: 'integer')]
     private $id;
 
-    #[ORM\Column(type: 'boolean', nullable: true)]
-    private $useKeycloakGroups;
+    #[ORM\Column(options: [
+        'default' => 0,
+    ])]
+    #[Assert\Choice([
+        self::NO_GROUP_MAPPING,
+        self::KEYCLOAK_GROUP_MAPPING,
+        self::API_GROUP_MAPPING,
+    ])]
+    private int $groupMapping = 0;
 
-    public function getUseKeycloakGroups(): ?bool
+    public function getGroupMapping(): int
     {
-        return $this->useKeycloakGroups;
+        return $this->groupMapping;
     }
 
-    public function setUseKeycloakGroups(?bool $useKeycloakGroups): self
+    public function setGroupMapping(int $groupMapping): static
     {
-        $this->useKeycloakGroups = $useKeycloakGroups;
+        $this->groupMapping = $groupMapping;
 
         return $this;
     }
+
+    public function getUseKeycloakGroups(): bool
+    {
+        return $this->groupMapping === self::KEYCLOAK_GROUP_MAPPING;
+    }
 }
diff --git a/src/Entity/Team.php b/src/Entity/Team.php
@@ -13,7 +13,6 @@
 use Doctrine\Common\Collections\Collection;
 use Doctrine\ORM\Mapping as ORM;
 use Gedmo\Tree\Entity\Repository\NestedTreeRepository;
-use phpDocumentor\Reflection\Types\Boolean;
 use Symfony\Bridge\Doctrine\Validator\Constraints\UniqueEntity;
 use Symfony\Component\Validator\Constraints as Assert;
 use Gedmo\Mapping\Annotation as Gedmo;
@@ -233,6 +232,11 @@ class Team
     #[ORM\ManyToMany(targetEntity: AuditTomZiele::class, mappedBy: 'ignoredInTeams')]
     private $ignoredAuditGoals;
 
+    #[ORM\Column(options: [
+        'default' => 0,
+    ])]
+    private bool $immutable = false;
+
     public function __construct()
     {
         $this->members = new ArrayCollection();
@@ -1393,9 +1397,11 @@ public function getRoot(): ?self
         return $this->root;
     }
 
-    public function setParent(self $parent = null): void
+    public function setParent(self $parent = null): static
     {
         $this->parent = $parent;
+
+        return $this;
     }
 
     public function getParent(): ?self
@@ -1659,4 +1665,16 @@ public function removeIgnoredProduct(Produkte $product): self
 
         return $this;
     }
+
+    public function isImmutable(): bool
+    {
+        return $this->immutable;
+    }
+
+    public function setImmutable(bool $immutable): static
+    {
+        $this->immutable = $immutable;
+
+        return $this;
+    }
 }
diff --git a/src/Form/Type/SettingsType.php b/src/Form/Type/SettingsType.php
@@ -8,18 +8,10 @@
 
 namespace App\Form\Type;
 
-use App\Entity\AuditTom;
-use App\Entity\AuditTomAbteilung;
-use App\Entity\AuditTomStatus;
-use App\Entity\AuditTomZiele;
 use App\Entity\Settings;
-use Symfony\Bridge\Doctrine\Form\Type\EntityType;
 use Symfony\Component\Form\AbstractType;
-use Symfony\Component\Form\Extension\Core\Type\CheckboxType;
 use Symfony\Component\Form\Extension\Core\Type\ChoiceType;
 use Symfony\Component\Form\Extension\Core\Type\SubmitType;
-use Symfony\Component\Form\Extension\Core\Type\TextareaType;
-use Symfony\Component\Form\Extension\Core\Type\TextType;
 use Symfony\Component\Form\FormBuilderInterface;
 use Symfony\Component\OptionsResolver\OptionsResolver;
 
@@ -28,8 +20,22 @@ class SettingsType extends AbstractType
     public function buildForm(FormBuilderInterface $builder, array $options)
     {
         $builder
-            ->add('useKeycloakGroups', CheckboxType::class, ['label' => 'useKeycloakGroups', 'help'=> 'useKeycloakGroupsHelp', 'required' => false, 'translation_domain' => 'form'])
-            ->add('save', SubmitType::class, ['attr' => array('class' => 'btn'),'label' => 'save', 'translation_domain' => 'form']);
+            ->add('groupMapping', ChoiceType::class, [
+                'label' => 'groupMapping',
+                'help'=> 'groupMappingHelp',
+                'translation_domain' => 'form',
+                'expanded' => true,
+                'choices' => [
+                    'noGroupMapping' => Settings::NO_GROUP_MAPPING,
+                    'useKeycloakGroups' => Settings::KEYCLOAK_GROUP_MAPPING,
+                    'useApiGroups' => Settings::API_GROUP_MAPPING,
+                ]
+            ])
+            ->add('save', SubmitType::class, [
+                'attr' => array('class' => 'btn'),
+                'label' => 'save',
+                'translation_domain' => 'form'
+            ]);
     }
 
     public function configureOptions(OptionsResolver $resolver)

diff --git a/src/Migrations/Version20240807153157.php b/src/Migrations/Version20240807153157.php
@@ -0,0 +1,37 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * Auto-generated Migration: Please modify to your needs!
+ */
+final class Version20240807153157 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Add API group mapping option';
+    }
+
+    public function up(Schema $schema): void
+    {
+        // this up() migration is auto-generated, please modify it to your needs
+        $this->addSql('ALTER TABLE settings ADD group_mapping INT DEFAULT 0 NOT NULL');
+        $this->addSql('UPDATE settings SET group_mapping = use_keycloak_groups WHERE use_keycloak_groups IS NOT NULL');
+        $this->addSql('ALTER TABLE settings DROP use_keycloak_groups');
+        $this->addSql('ALTER TABLE team ADD immutable TINYINT(1) DEFAULT 0 NOT NULL');
+    }
+
+    public function down(Schema $schema): void
+    {
+        // this down() migration is auto-generated, please modify it to your needs
+        $this->addSql('ALTER TABLE settings ADD use_keycloak_groups TINYINT(1) DEFAULT NULL');
+        $this->addSql('UPDATE settings SET use_keycloak_groups = group_mapping WHERE group_mapping = 1');
+        $this->addSql('ALTER TABLE settings DROP group_mapping');
+        $this->addSql('ALTER TABLE team DROP immutable');
+    }
+}