From 8e1b6020f24385eff0b9bad4a9bd25202c6b5931 Mon Sep 17 00:00:00 2001
From: Saranya Jena
Date: Fri, 11 Aug 2023 14:57:27 +0800
Subject: [PATCH] Added user level RBACs, updated swagger json (#4118)
* Added user level RBACs in auth APIs
Signed-off-by: Saranya-jena
* Updated required parameters in api responses in swagger
Signed-off-by: Saranya-jena
* minor change in swagger
Signed-off-by: Saranya-jena
* minor change in swagger
Signed-off-by: Saranya-jena
* minor change in swagger
Signed-off-by: Saranya-jena
---------
Signed-off-by: Saranya-jena
Co-authored-by: Hrishav
---
 .../api/handlers/rest/user_handlers.go | 21 +++++++++++++++++++
 .../authentication/pkg/user/repository.go | 2 ++
 mkdocs/docs/auth/v3.0.0/auth-api.json | 16 ++++++++++++++
 3 files changed, 39 insertions(+)
diff --git a/chaoscenter/authentication/api/handlers/rest/user_handlers.go b/chaoscenter/authentication/api/handlers/rest/user_handlers.go
index 8ec412c7948..26db2389ecd 100644
--- a/chaoscenter/authentication/api/handlers/rest/user_handlers.go
+++ b/chaoscenter/authentication/api/handlers/rest/user_handlers.go
@@ -127,6 +127,12 @@ func GetUser(service services.ApplicationService) gin.HandlerFunc {
 func FetchUsers(service services.ApplicationService) gin.HandlerFunc {
 return func(c *gin.Context) {
+ userRole := c.MustGet("role").(string)
+
+ if entities.Role(userRole) != entities.RoleAdmin {
+ c.AbortWithStatusJSON(utils.ErrorStatusCodes[utils.ErrUnauthorized], presenter.CreateErrorResponse(utils.ErrUnauthorized))
+ return
+ }
 users, err := service.GetUsers()
 if err != nil {
 log.Error(err)
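Review bot: The role check added at the top of FetchUsers reads the role with `c.MustGet("role").(string)`, which panics if the auth middleware has not stored "role" on this context or stored it as a non-string, so a route wired without that middleware fails with a panic rather than a clean rejection; the same pattern is repeated in the ResetPassword and UpdateUserState hunks below. Use `c.Get` with a checked type assertion and treat a missing or non-string role as unauthorized. The non-admin branch answers with `utils.ErrUnauthorized`; if that maps to a 401, a 403-style error (should utils define one) would describe an authenticated-but-not-permitted caller more accurately. Since the same six lines now appear in three handlers, a shared helper keeps the policy in one place, as sketched below; FetchUsers' body continues past the hunk.
```go
// requireAdmin aborts the request with the unauthorized error response and
// returns false unless the "role" value set by the auth middleware is RoleAdmin.
// A missing or non-string role is treated as unauthorized instead of panicking.
func requireAdmin(c *gin.Context) bool {
	role, ok := c.Get("role")
	roleStr, isStr := role.(string)
	if !ok || !isStr || entities.Role(roleStr) != entities.RoleAdmin {
		c.AbortWithStatusJSON(utils.ErrorStatusCodes[utils.ErrUnauthorized], presenter.CreateErrorResponse(utils.ErrUnauthorized))
		return false
	}
	return true
}

func FetchUsers(service services.ApplicationService) gin.HandlerFunc {
	return func(c *gin.Context) {
		if !requireAdmin(c) {
			return
		}
		// … unchanged: service.GetUsers() call and response …
```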
@@ -295,6 +301,13 @@ func UpdatePassword(service services.ApplicationService) gin.HandlerFunc {
 func ResetPassword(service services.ApplicationService) gin.HandlerFunc {
 return func(c *gin.Context) {
+ userRole := c.MustGet("role").(string)
+
+ if entities.Role(userRole) != entities.RoleAdmin {
+ c.AbortWithStatusJSON(utils.ErrorStatusCodes[utils.ErrUnauthorized], presenter.CreateErrorResponse(utils.ErrUnauthorized))
+ return
+ }
+
 var userPasswordRequest entities.UserPassword
 err := c.BindJSON(&userPasswordRequest)
 if err != nil {
@@ -338,6 +351,14 @@ func ResetPassword(service services.ApplicationService) gin.HandlerFunc {
 func UpdateUserState(service services.ApplicationService) gin.HandlerFunc {
 return func(c *gin.Context) {
+
+ userRole := c.MustGet("role").(string)
+
+ if entities.Role(userRole) != entities.RoleAdmin {
+ c.AbortWithStatusJSON(utils.ErrorStatusCodes[utils.ErrUnauthorized], presenter.CreateErrorResponse(utils.ErrUnauthorized))
+ return
+ }
+
 var userRequest entities.UpdateUserState
 err := c.BindJSON(&userRequest)
 if err != nil {
diff --git a/chaoscenter/authentication/pkg/user/repository.go b/chaoscenter/authentication/pkg/user/repository.go
index 24175ddc54a..194cd689130 100644
--- a/chaoscenter/authentication/pkg/user/repository.go
+++ b/chaoscenter/authentication/pkg/user/repository.go
@@ -236,10 +236,12 @@ func (r repository) UpdateUserState(username string, isDeactivate bool, deactiva
 if isDeactivate {
 _, err = r.Collection.UpdateOne(context.Background(), bson.M{"username": username}, bson.M{"$set": bson.M{
 "deactivated_at": deactivateTime,
+ "is_removed": true,
 }})
 } else {
 _, err = r.Collection.UpdateOne(context.Background(), bson.M{"username": username}, bson.M{"$set": bson.M{
 "deactivated_at": nil,
+ "is_removed": false,
 }})
 }
diff --git a/mkdocs/docs/auth/v3.0.0/auth-api.json b/mkdocs/docs/auth/v3.0.0/auth-api.json
index cadc7f1c1ee..2f8dfe585cc 100644
--- a/mkdocs/docs/auth/v3.0.0/auth-api.json
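Review bot: The reactivation branch of UpdateUserState now unconditionally writes `"is_removed": false`, so if any other code path also sets `is_removed` (a removal that is not a deactivation, say), reactivating a user would silently undo it; worth confirming that deactivation is the only writer of this flag, and otherwise leaving `is_removed` untouched on the reactivation path. Both `UpdateOne` results are still discarded as `_`, so an unknown username succeeds silently because MatchedCount is never inspected; that is pre-existing, but it now also hides a missed `is_removed` write. A short comment on why the two fields move together would help readers, along the lines of `// is_removed mirrors deactivation so the User API's isRemoved reflects it` if that is the intent. The enclosing function's signature and the rest of its body are outside the hunk.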
+++ b/mkdocs/docs/auth/v3.0.0/auth-api.json
@@ -1170,6 +1170,13 @@
 },
 "LoginResponse": {
 "type": "object",
+ "required": [
+ "accessToken",
+ "expiresIn",
+ "projectID",
+ "projectRole",
+ "type"
+ ],
 "properties": {
 "accessToken": {
 "type": "string"
@@ -1204,6 +1211,7 @@
 },
 "User": {
 "type": "object",
+ "required": ["userID", "username", "role", "isRemoved"],
 "properties": {
 "userID": {
 "type": "string"
@@ -1245,6 +1253,7 @@
 },
 "ProjectMember": {
 "type": "object",
+ "required": ["userID", "username", "invitation", "role"],
 "properties": {
 "userID": {
 "type": "string"
@@ -1273,6 +1282,12 @@
 },
 "GetInvitationResponse": {
 "type": "object",
+ "required": [
+ "projectID",
+ "projectName",
+ "invitationRole",
+ "projectOwner"
+ ],
 "properties": {
 "projectName": {
 "type": "string"
@@ -1291,6 +1306,7 @@
 },
 "Project": {
 "type": "object",
+ "required": ["projectID", "name", "members"],
 "properties": {
 "updatedBy": {
 "$ref": "#/definitions/ActionBy"