broadinstitute · davidangb · Jan 2, 2025 · Jan 3, 2025 · Jan 3, 2025 · Jan 3, 2025
@@ -146,6 +146,32 @@ paths:
             application/json:
               schema:
                 $ref: '#/components/schemas/UserStatus'
+  /api/admin/v1/user/email/{email}/supportSummary:
+    get:
+      tags:
+        - Admin
+      summary: Get information about a user useful for Terra support
+      operationId: getAdminUserSummaryInfo
+      parameters:
+        - name: email
+          in: path
+          description: Email address of user to check
+          required: true
+          schema:
+            type: string
+      responses:
+        200:
+          description: user summary information
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/SamUserSupportSummary'
+        500:
+          description: Internal Server Error
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ErrorReport'
   /api/admin/v2/users:
     get:
       tags:
@@ -4277,6 +4303,27 @@ components:
           items:
             type: string
           description: The parent groups of the group
+    SamUserSupportSummary:
+      type: object
+      properties:
+        additionalDetails:
+          type: object
+          description: >
+            additional details about the user, such as enterprise features they have access to example: '{ "enterpriseFeatures": ["feature1", "feature2"] }'
+        allowances:
+          $ref: '#/components/schemas/SamUserAllowances'
+        attributes:
+          $ref: '#/components/schemas/SamUserAttributes'
+        directGroupMembershipCount:
+          type: integer
+          description: number of groups to which this user is a direct member
+        indirectGroupMembershipCount:
+          type: integer
+          description: number of groups to which this user is a direct or indirect member
+        samUser:
+          $ref: '#/components/schemas/SamUserResponse'
+        termsOfServiceDetails:
+          $ref: '#/components/schemas/UserTermsOfServiceDetails'
     PolicyIdentifiers:
       required:
         - policyName

@@ -15,10 +15,11 @@ import org.broadinstitute.dsde.workbench.sam.model.api.SamJsonSupport._
 import org.broadinstitute.dsde.workbench.sam.model.SamResourceActions.{adminAddMember, adminReadPolicies, adminRemoveMember}
 import org.broadinstitute.dsde.workbench.sam.model.SamResourceTypes.resourceTypeAdminName
 import org.broadinstitute.dsde.workbench.sam.model._
-import org.broadinstitute.dsde.workbench.sam.model.api.{AccessPolicyMembershipRequest, AdminUpdateUserRequest, SamUser}
+import org.broadinstitute.dsde.workbench.sam.model.api.{AccessPolicyMembershipRequest, AdminUpdateUserRequest, SamUser, SamUserSupportSummaryResponse}
 import org.broadinstitute.dsde.workbench.sam.service.{ManagedGroupService, ResourceService}
 import org.broadinstitute.dsde.workbench.sam.util.SamRequestContext
 import spray.json.DefaultJsonProtocol._
+import spray.json.enrichAny
 import spray.json.JsBoolean
 import org.broadinstitute.dsde.workbench.sam.model.api.ManagedGroupModelJsonSupport._
 
@@ -48,13 +49,24 @@ trait AdminRoutes extends SecurityDirectives with SamRequestContextDirectives wi
   def adminUserRoutes(samUser: SamUser, samRequestContext: SamRequestContext): server.Route =
     pathPrefix("user") {
       asWorkbenchAdmin(samUser) {
-        path("email" / Segment) { email =>
+        pathPrefix("email" / Segment) { email =>
           val workbenchEmail = WorkbenchEmail(email)
-          getWithTelemetry(samRequestContext, emailParam(workbenchEmail)) {
-            complete {
-              userService
-                .getUserStatusFromEmail(workbenchEmail, samRequestContext)
-                .map(status => (if (status.isDefined) OK else NotFound) -> status)
+          pathEndOrSingleSlash {
+            getWithTelemetry(samRequestContext, emailParam(workbenchEmail)) {
+              complete {
+                userService
+                  .getUserStatusFromEmail(workbenchEmail, samRequestContext)
+                  .map(status => (if (status.isDefined) OK else NotFound) -> status)
+              }
+            }
+          } ~
+          pathPrefix("supportSummary") {
+            pathEndOrSingleSlash {
+              getWithTelemetry(samRequestContext, emailParam(workbenchEmail)) {
+                complete {
+                  getSamUserSupportSummary(workbenchEmail, samRequestContext)
+                }
+              }
             }
           }
         } ~
@@ -284,4 +296,33 @@ trait AdminRoutes extends SecurityDirectives with SamRequestContextDirectives wi
       user.id,
       samRequestContext
     )
+
+  private def getSamUserSupportSummary(workbenchEmail: WorkbenchEmail, samRequestContext: SamRequestContext) =
+    for {
+      samUserOption <- userService.getUserFromEmail(workbenchEmail, samRequestContext)
+      samUser = samUserOption.getOrElse(throw new RuntimeException("user not found"))
+      allowances <- userService.getUserAllowances(samUser, samRequestContext)
+      maybeAttributes <- userService.getUserAttributes(samUser.id, samRequestContext)
+      termsOfServiceDetails <- tosService.getTermsOfServiceDetailsForUser(samUser.id, samRequestContext)
+      enterpriseFeatures <- resourceService
+        .listResourcesFlat(
+          samUser.id,
+          Set(ResourceTypeName("enterprise-feature")),
+          Set.empty,
+          Set(ResourceRoleName("user")),
+          Set.empty,
+          includePublic = false,
+          samRequestContext
+        )
+      directGroupMemberships <- userService.countDirectGroupMemberships(samUser, samRequestContext)
+      indirectGroupMemberships <- userService.countIndirectGroupMemberships(samUser, samRequestContext)
+    } yield SamUserSupportSummaryResponse(
+      samUser,
+      allowances,
+      maybeAttributes,
+      termsOfServiceDetails.getOrElse(TermsOfServiceDetails(None, None, permitsSystemUsage = false, isCurrentVersion = false)),
+      Map("enterpriseFeatures" -> enterpriseFeatures.toJson),
+      directGroupMembershipCount = directGroupMemberships,
+      indirectGroupMembershipCount = indirectGroupMemberships
+    )
 }
@@ -82,6 +82,8 @@ trait DirectoryDAO {
 
   def setUserAzureB2CId(userId: WorkbenchUserId, b2cId: AzureB2CId, samRequestContext: SamRequestContext): IO[Unit]
 
+  def loadUserByEmail(email: WorkbenchEmail, samRequestContext: SamRequestContext): IO[Option[SamUser]]
+
   def updateUserEmail(userId: WorkbenchUserId, email: WorkbenchEmail, samRequestContext: SamRequestContext): IO[Unit]
 
   def deleteUser(userId: WorkbenchUserId, samRequestContext: SamRequestContext): IO[Unit]
@@ -98,6 +100,10 @@ trait DirectoryDAO {
 
   def listFlattenedGroupMembers(groupName: WorkbenchGroupName, samRequestContext: SamRequestContext): IO[Set[WorkbenchUserId]]
 
+  def countDirectGroupMemberships(samUser: SamUser, samRequestContext: SamRequestContext): IO[Int]
+
+  def countIndirectGroupMemberships(samUser: SamUser, samRequestContext: SamRequestContext): IO[Int]
+
   def enableIdentity(subject: WorkbenchSubject, samRequestContext: SamRequestContext): IO[Unit]
 
   def disableIdentity(subject: WorkbenchSubject, samRequestContext: SamRequestContext): IO[Unit]

@@ -528,6 +528,20 @@ class PostgresDirectoryDAO(protected val writeDbRef: DbReference, protected val
       }
     }
 
+  override def loadUserByEmail(email: WorkbenchEmail, samRequestContext: SamRequestContext): IO[Option[SamUser]] =
+    readOnlyTransaction("loadUserByEmail", samRequestContext) { implicit session =>
+      val userTable = UserTable.syntax
+
+      val loadUserQuery = samsql"""select ${userTable.resultAll}
+                                    from ${UserTable as userTable}
+                                    where ${userTable.email} = ${email}"""
+      loadUserQuery
+        .map(UserTable(userTable))
+        .single()
+        .apply()
+        .map(UserTable.unmarshalUserRecord)
+    }
+
   override def updateUserEmail(userId: WorkbenchUserId, email: WorkbenchEmail, samRequestContext: SamRequestContext): IO[Unit] = IO.unit
 
   override def updateUser(samUser: SamUser, userUpdate: AdminUpdateUserRequest, samRequestContext: SamRequestContext): IO[Option[SamUser]] =
@@ -718,6 +732,28 @@ class PostgresDirectoryDAO(protected val writeDbRef: DbReference, protected val
     }
   }
 
+  override def countDirectGroupMemberships(samUser: SamUser, samRequestContext: SamRequestContext): IO[Int] =
+    readOnlyTransaction("countDirectGroupMemberships", samRequestContext) { implicit session =>
+      val query = samsql"""select count(distinct g.id) directMembershipCount
+                          from sam_group g
+                          join sam_group_member gm on g.id = gm.group_id
+                          where g.synchronized_date is not null
+                          and gm.member_user_id = ${samUser.id}"""
+
+      query.map(rs => rs.int(1)).single().apply().getOrElse(0)
+    }
+
+  override def countIndirectGroupMemberships(samUser: SamUser, samRequestContext: SamRequestContext): IO[Int] =
+    readOnlyTransaction("countDirectGroupMemberships", samRequestContext) { implicit session =>
+      val query = samsql"""select count(distinct g.id) indirectMembershipCount
+                          from sam_group g
+                          join sam_group_member_flat gmf on g.id = gmf.group_id
+                          where g.synchronized_date is not null
+                          and gmf.member_user_id = ${samUser.id}"""
+
+      query.map(rs => rs.int(1)).single().apply().getOrElse(0)
+    }
+
   override def enableIdentity(subject: WorkbenchSubject, samRequestContext: SamRequestContext): IO[Unit] =
     subject match {
       case userId: WorkbenchUserId =>

diff --git a/...scala/org/broadinstitute/dsde/workbench/sam/model/api/SamUserSupportSummaryResponse.scala b/...scala/org/broadinstitute/dsde/workbench/sam/model/api/SamUserSupportSummaryResponse.scala
@@ -0,0 +1,21 @@
+package org.broadinstitute.dsde.workbench.sam.model.api
+
+import org.broadinstitute.dsde.workbench.sam.model.api.SamJsonSupport._
+import org.broadinstitute.dsde.workbench.sam.model.api.SamUserAllowances.SamUserAllowedResponseFormat
+import org.broadinstitute.dsde.workbench.sam.model.api.SamUserAttributes.SamUserAttributesFormat
+import org.broadinstitute.dsde.workbench.sam.model.TermsOfServiceDetails
+import spray.json.DefaultJsonProtocol._
+import spray.json._
+
+object SamUserSupportSummaryResponse {
+  implicit val SamUserSupportSummaryResponseFormat: RootJsonFormat[SamUserSupportSummaryResponse] = jsonFormat7(SamUserSupportSummaryResponse.apply)
+}
+final case class SamUserSupportSummaryResponse(
+    samUser: SamUser,
+    allowances: SamUserAllowances,
+    attributes: Option[SamUserAttributes],
+    termsOfServiceDetails: TermsOfServiceDetails,
+    additionalDetails: Map[String, JsValue],
+    directGroupMembershipCount: Int,
+    indirectGroupMembershipCount: Int // TODO: for clarity, should this be "directAndIndirectGroup..."?
+)
@@ -279,6 +279,9 @@ class UserService(
   def getUserFromPetManagedIdentity(petManagedIdentityObjectId: ManagedIdentityObjectId, samRequestContext: SamRequestContext): IO[Option[SamUser]] =
     directoryDAO.getUserFromPetManagedIdentity(petManagedIdentityObjectId, samRequestContext)
 
+  def getUserFromEmail(email: WorkbenchEmail, samRequestContext: SamRequestContext): IO[Option[SamUser]] =
+    directoryDAO.loadUserByEmail(email, samRequestContext)
+
   def getSubjectFromGoogleSubjectId(googleSubjectId: GoogleSubjectId, samRequestContext: SamRequestContext): IO[Option[WorkbenchSubject]] =
     directoryDAO.loadSubjectFromGoogleSubjectId(googleSubjectId, samRequestContext)
   def getSubjectFromEmail(email: WorkbenchEmail, samRequestContext: SamRequestContext): IO[Option[WorkbenchSubject]] =
@@ -505,6 +508,12 @@ class UserService(
       case None => IO.raiseError(new WorkbenchExceptionWithErrorReport(ErrorReport(StatusCodes.NotFound, s"User $workbenchUserId not found")))
     }
   }
+
+  def countDirectGroupMemberships(samUser: SamUser, samRequestContext: SamRequestContext): IO[Int] =
+    directoryDAO.countDirectGroupMemberships(samUser, samRequestContext)
+
+  def countIndirectGroupMemberships(samUser: SamUser, samRequestContext: SamRequestContext): IO[Int] =
+    directoryDAO.countIndirectGroupMemberships(samUser, samRequestContext)
 }
 
 object UserService {

@@ -338,6 +338,10 @@ class MockDirectoryDAO(val groups: mutable.Map[WorkbenchGroupIdentity, Workbench
   override def listFlattenedGroupMembers(groupName: WorkbenchGroupName, samRequestContext: SamRequestContext): IO[Set[WorkbenchUserId]] =
     IO(listGroupUsers(groupName, Set.empty))
 
+  override def countDirectGroupMemberships(samUser: SamUser, samRequestContext: SamRequestContext): IO[Int] = ???
+
+  override def countIndirectGroupMemberships(samUser: SamUser, samRequestContext: SamRequestContext): IO[Int] = ???
+
   override def loadUserByAzureB2CId(userId: AzureB2CId, samRequestContext: SamRequestContext): IO[Option[SamUser]] =
     IO.pure(users.values.find(_.azureB2CId.contains(userId)))
 
@@ -347,6 +351,9 @@ class MockDirectoryDAO(val groups: mutable.Map[WorkbenchGroupIdentity, Workbench
     } yield users += user.id -> user.copy(azureB2CId = Option(b2CId))
   }
 
+  override def loadUserByEmail(email: WorkbenchEmail, samRequestContext: SamRequestContext): IO[Option[SamUser]] =
+    IO.pure(users.values.find(_.email.equals(email)))
+
   override def checkStatus(samRequestContext: SamRequestContext): IO[Boolean] = IO(passStatusCheck)
 
   override def loadUserByGoogleSubjectId(userId: GoogleSubjectId, samRequestContext: SamRequestContext): IO[Option[SamUser]] =

@@ -708,6 +708,52 @@ class PostgresDirectoryDAOSpec extends RetryableAnyFreeSpec with Matchers with B
       }
     }
 
+    "countDirectGroupMemberships" - {
+      "calculate the direct count" in {
+        assume(databaseEnabled, databaseEnabledClue)
+
+        val subGroupId = WorkbenchGroupName("subGroup")
+        val subGroup = BasicWorkbenchGroup(subGroupId, Set(defaultUser.id), WorkbenchEmail("subGroup@foo.com"))
+        val parentGroupId = WorkbenchGroupName("parentGroup")
+        val parentGroup = BasicWorkbenchGroup(parentGroupId, Set(subGroupId), WorkbenchEmail("parentGroup@foo.com"))
+
+        val createdUser = dao.createUser(defaultUser, samRequestContext).unsafeRunSync()
+        dao.createGroup(subGroup, samRequestContext = samRequestContext).unsafeRunSync()
+        dao.createGroup(parentGroup, samRequestContext = samRequestContext).unsafeRunSync()
+
+        // countDirectGroupMemberships() only counts synchronized groups;
+        // update the sync date for the groups we just created
+        dao.updateSynchronizedDateAndVersion(subGroup, samRequestContext).unsafeRunSync()
+        dao.updateSynchronizedDateAndVersion(parentGroup, samRequestContext).unsafeRunSync()
+
+        val directCount = dao.countDirectGroupMemberships(defaultUser, samRequestContext).unsafeRunSync()
+        directCount shouldBe 1
+      }
+    }
+
+    "countIndirectGroupMemberships" - {
+      "calculate the indirect count" in {
+        assume(databaseEnabled, databaseEnabledClue)
+
+        val subGroupId = WorkbenchGroupName("subGroup")
+        val subGroup = BasicWorkbenchGroup(subGroupId, Set(defaultUser.id), WorkbenchEmail("subGroup@foo.com"))
+        val parentGroupId = WorkbenchGroupName("parentGroup")
+        val parentGroup = BasicWorkbenchGroup(parentGroupId, Set(subGroupId), WorkbenchEmail("parentGroup@foo.com"))
+
+        dao.createUser(defaultUser, samRequestContext).unsafeRunSync()
+        dao.createGroup(subGroup, samRequestContext = samRequestContext).unsafeRunSync()
+        dao.createGroup(parentGroup, samRequestContext = samRequestContext).unsafeRunSync()
+
+        // countIndirectGroupMemberships() only counts synchronized groups;
+        // update the sync date for the groups we just created
+        dao.updateSynchronizedDateAndVersion(subGroup, samRequestContext).unsafeRunSync()
+        dao.updateSynchronizedDateAndVersion(parentGroup, samRequestContext).unsafeRunSync()
+
+        val indirectCount = dao.countIndirectGroupMemberships(defaultUser, samRequestContext).unsafeRunSync()
+        indirectCount shouldBe 2
+      }
+    }
+
     "createPetServiceAccount" - {
       "create pet service accounts" in {
         assume(databaseEnabled, databaseEnabledClue)
@@ -1710,6 +1756,15 @@ class PostgresDirectoryDAOSpec extends RetryableAnyFreeSpec with Matchers with B
       }
     }
 
+    "loadUserByEmail" - {
+      "load a user from their email" in {
+        assume(databaseEnabled, databaseEnabledClue)
+        dao.createUser(defaultUser, samRequestContext).unsafeRunSync()
+
+        dao.loadUserByEmail(defaultUser.email, samRequestContext).unsafeRunSync() shouldBe Some(defaultUser)
+      }
+    }
+
     "createPetManagedIdentity" - {
       "create pet managed identity" in {
         assume(databaseEnabled, databaseEnabledClue)