feat: #1175 create application admin endpoint to only allow IDIR user (…

…#1188)

server/admin_management/api/app/repositories/application_admin_repository.py

@@ -79,13 +79,10 @@ def get_user_app_admin_grants(self, user_id: int) -> List[FamApplication]:
         """
         return (
             self.db.query(FamApplication)
-                .select_from(FamApplicationAdmin)
-                .join(FamApplicationAdmin.application)
-                .join(FamApplicationAdmin.user)
-                .filter(
-                    FamApplicationAdmin.user_id == user_id,
-                    FamUser.user_type_code == UserType.IDIR)
-                .order_by(FamApplication.application_id)
-                .all()
+            .select_from(FamApplicationAdmin)
+            .join(FamApplicationAdmin.application)
+            .join(FamApplicationAdmin.user)
+            .filter(FamApplicationAdmin.user_id == user_id)
+            .order_by(FamApplication.application_id)
+            .all()
         )
-

server/admin_management/api/app/routers/router_access_control_privilege.py

@@ -3,20 +3,24 @@
 
 from api.app import jwt_validation, schemas
 from api.app.models import model as models
-from api.app.routers.router_guards import (authorize_by_app_id,
-                                           authorize_by_application_role,
-                                           enforce_self_grant_guard,
-                                           get_current_requester)
+from api.app.routers.router_guards import (
+    authorize_by_app_id,
+    authorize_by_application_role,
+    enforce_self_grant_guard,
+    get_current_requester,
+)
 from api.app.routers.router_utils import (
-    access_control_privilege_service_instance, role_service_instance,
-    user_service_instance)
+    access_control_privilege_service_instance,
+    role_service_instance,
+    user_service_instance,
+)
 from api.app.schemas import Requester
-from api.app.services.access_control_privilege_service import \
-    AccessControlPrivilegeService
+from api.app.services.access_control_privilege_service import (
+    AccessControlPrivilegeService,
+)
 from api.app.services.role_service import RoleService
 from api.app.services.user_service import UserService
-from api.app.utils.audit_util import (AuditEventLog, AuditEventOutcome,
-                                      AuditEventType)
+from api.app.utils.audit_util import AuditEventLog, AuditEventOutcome, AuditEventType
 from fastapi import APIRouter, Depends, Request
 
 LOGGER = logging.getLogger(__name__)

server/admin_management/api/app/routers/router_application_admin.py

@@ -9,6 +9,7 @@
     get_current_requester,
     validate_param_application_admin_id,
     validate_param_application_id,
+    validate_param_user_type,
 )
 from api.app.routers.router_utils import (
     application_admin_service_instance,
@@ -49,12 +50,12 @@ async def get_application_admins(
         Depends(authorize_by_fam_admin),
         Depends(enforce_self_grant_guard),
         Depends(validate_param_application_id),
+        Depends(validate_param_user_type),
     ],
 )
 def create_application_admin(
     application_admin_request: schemas.FamAppAdminCreateRequest,
     request: Request,
-    db: Session = Depends(database.get_db),
     token_claims: dict = Depends(jwt_validation.authorize),
     requester: Requester = Depends(get_current_requester),
     application_admin_service: ApplicationAdminService = Depends(

server/admin_management/api/app/routers/router_guards.py

@@ -12,12 +12,8 @@
     get_request_cognito_user_id,
     validate_token,
 )
-from api.app.schemas import (
-    Requester,
-    TargetUser,
-    FamAppAdminCreateRequest,
-)
-from api.app.constants import AdminRoleAuthGroup
+from api.app.schemas import Requester, TargetUser, FamAppAdminCreateRequest
+from api.app.constants import AdminRoleAuthGroup, UserType
 from api.app.models.model import FamUser, FamRole
 from api.app.services.application_admin_service import ApplicationAdminService
 from api.app.services.access_control_privilege_service import (
@@ -37,6 +33,7 @@
 ERROR_REQUESTER_NOT_EXISTS = "requester_not_exists"
 ERROR_EXTERNAL_USER_ACTION_PROHIBITED = "external_user_action_prohibited"
 ERROR_INVALID_APPLICATION_ADMIN_ID = "invalid_application_admin_id"
+ERROR_NOT_ALLOWED_USER_TYPE = "user_type_not_allowed"
 
 
 no_requester_exception = HTTPException(
@@ -257,7 +254,8 @@ async def validate_param_application_admin_id(
 
 
 async def validate_param_application_id(
-    application_admin_request: FamAppAdminCreateRequest, db: Session = Depends(database.get_db)
+    application_admin_request: FamAppAdminCreateRequest,
+    db: Session = Depends(database.get_db),
 ):
     application_service = ApplicationService(db)
     application = application_service.get_application(
@@ -272,3 +270,18 @@ async def validate_param_application_id(
             },
             headers={"WWW-Authenticate": "Bearer"},
         )
+
+
+async def validate_param_user_type(application_admin_request: FamAppAdminCreateRequest):
+    if (
+        not application_admin_request.user_type_code
+        or application_admin_request.user_type_code != UserType.IDIR
+    ):
+        raise HTTPException(
+            status_code=HTTPStatus.BAD_REQUEST,
+            detail={
+                "code": ERROR_NOT_ALLOWED_USER_TYPE,
+                "description": f"User type {application_admin_request.user_type_code} is not allowed",
+            },
+            headers={"WWW-Authenticate": "Bearer"},
+        )

server/admin_management/tests/constants.py

@@ -34,7 +34,7 @@
 TEST_APPLICATION_ADMIN_APPLICATION_ID = 3
 TEST_NEW_APPLICATION_ADMIN_USER_ID = 1
 TEST_NEW_APPLICATION_ADMIN = {
-    "user_type_code": famConstants.UserType.BCEID,
+    "user_type_code": famConstants.UserType.IDIR,
     "user_name": TEST_USER_NAME,
     "application_id": TEST_APPLICATION_ADMIN_APPLICATION_ID,
 }

server/admin_management/tests/routers/test_router_application_admin.py

@@ -3,16 +3,15 @@
 
 import starlette.testclient
 import tests.jwt_utils as jwt_utils
-from api.app.constants import AdminRoleAuthGroup
+from api.app.constants import AdminRoleAuthGroup, UserType
 from api.app.jwt_validation import ERROR_PERMISSION_REQUIRED
 from api.app.main import apiPrefix
 from api.app.routers.router_guards import (
     ERROR_INVALID_APPLICATION_ADMIN_ID,
     ERROR_INVALID_APPLICATION_ID,
+    ERROR_NOT_ALLOWED_USER_TYPE,
 )
 from tests.constants import (
-    INVALID_APPLICATION_ID,
-    TEST_APPLICATION_ADMIN_APPLICATION_ID,
     TEST_APPLICATION_NAME_FAM,
     TEST_FOM_DEV_ADMIN_ROLE,
     TEST_INVALID_USER_TYPE,
@@ -72,6 +71,20 @@ def test_create_application_admin(
     assert response.json() is not None
     assert str(response.json()["detail"]).find("Input should be 'I' or 'B'") != -1
 
+    # test not allowed user type, only allow IDIR
+    response = test_client_fixture.post(
+        f"{endPoint}",
+        json={
+            "user_type_code": UserType.BCEID,
+            "user_name": TEST_NEW_APPLICATION_ADMIN.get("user_name"),
+            "application_id": TEST_NEW_APPLICATION_ADMIN.get("application_id"),
+        },
+        headers=jwt_utils.headers(token),
+    )
+    assert response.status_code == 400
+    assert response.json() is not None
+    assert str(response.json()["detail"]).find(ERROR_NOT_ALLOWED_USER_TYPE) != -1
+
     # test create with non exists application id
     response = test_client_fixture.post(
         f"{endPoint}",