Update roledefinition and matching

app/src/App/fhir-apps.tsx

@@ -216,15 +216,15 @@ const FHIRApps = () => {
         disableLoginProtection={DISABLE_LOGIN_PROTECTION}
         exact
         path={DATA_IMPORT_LIST_URL}
-        permissions={['WebDataImport.read']}
+        permissions={['DataImport.read']}
         component={DataImportList}
       />
       <PrivateComponent
         redirectPath={APP_CALLBACK_URL}
         disableLoginProtection={DISABLE_LOGIN_PROTECTION}
         exact
         path={`${DATA_IMPORT_CREATE_URL}`}
-        permissions={['WebDataImport.create']}
+        permissions={['DataImport.create']}
         component={StartDataImport}
       />
       <PrivateComponent
@@ -233,7 +233,7 @@ const FHIRApps = () => {
         exact
         path={`${DATA_IMPORT_DETAIL_URL}/:${'workflowId'}`}
         {...patientProps}
-        permissions={['WebDataImport.read']}
+        permissions={['DataImport.read']}
         component={ImportDetailViewDetails}
       />
       <PrivateComponent
@@ -242,7 +242,7 @@ const FHIRApps = () => {
         exact
         path={`${DATA_IMPORT_LIST_URL}/:${'workflowId'}`}
         {...patientProps}
-        permissions={['WebDataImport.read']}
+        permissions={['DataImport.read']}
         component={DataImportList}
       />
       <PrivateComponent
@@ -590,7 +590,7 @@ const FHIRApps = () => {
         exact
         path={APP_LOGIN_URL}
         render={() => {
-          window.location.href = OpenSRP;
+          window.location.href = `${OpenSRP}&kc_locale=fr`;
           return <></>;
         }}
       />

app/src/configs/dispatchConfig.ts

@@ -4,6 +4,7 @@ import {
   ProjectCode,
   setAllConfigs,
   getAllConfigs,
+  clientIdConfig,
 } from '@opensrp/pkg-config';
 import {
   BACKEND_ACTIVE,
@@ -17,6 +18,7 @@ import {
   AUTHZ_STRATEGY,
   COMMODITIES_LIST_RESOURCE_ID,
   FHIR_INVENTORY_LIST_ID,
+  OPENSRP_CLIENT_ID,
 } from './env';
 import { URL_BACKEND_LOGIN, URL_REACT_LOGIN } from '../constants';
 
@@ -26,6 +28,7 @@ const defaultvalues = getAllConfigs();
 
 const configObject: ConfigState = {
   ...defaultvalues,
+  [clientIdConfig]: OPENSRP_CLIENT_ID,
   languageCode: LANGUAGE_CODE as LanguageCode,
   projectCode: PROJECT_CODE as ProjectCode,
   appLoginURL: APP_LOGIN_URL,

app/src/routes/index.tsx

@@ -199,7 +199,7 @@ export function getRoutes(roles: string[], t: TFunction, userRole: UserRole): Ro
       title: t('Data Imports'),
       key: 'data-import',
       enabled: true,
-      permissions: ['WebDataImport.read'],
+      permissions: ['DataImport.read'],
       url: DATA_IMPORT_LIST_URL,
       isHomePageLink: true,
     },

packages/fhir-import/src/containers/ImportDetailView/index.tsx

@@ -80,6 +80,8 @@ export const ImportDetailViewDetails = (_: RouteComponentProps) => {
     [t('Author')]: data.author,
   };
 
+  console.log({pageTitle})
+
   return (
     <BodyLayout headerProps={headerProps}>
       <Helmet>

packages/fhir-import/src/containers/ImportDetailView/tests/index.test.tsx

@@ -4,7 +4,7 @@ import { authenticateUser } from '@onaio/session-reducer';
 import { Route, Router, Switch } from 'react-router';
 import nock from 'nock';
 import * as reactQuery from 'react-query';
-import { waitForElementToBeRemoved, render, cleanup } from '@testing-library/react';
+import { waitForElementToBeRemoved, render, cleanup, prettyDOM } from '@testing-library/react';
 import { store } from '@opensrp/store';
 import * as constants from '../../../constants';
 import { createMemoryHistory } from 'history';
@@ -100,10 +100,15 @@ describe('Care Teams list view', () => {
     await waitForElementToBeRemoved(document.querySelector('.ant-spin'));
     expect(nock.pendingMocks()).toEqual([]);
 
-    expect(document.querySelector('title')).toMatchInlineSnapshot(`
-      <title>
-        View details | 26aae779-0e6f-482d-82c3-a0fad1fd3689_orgToLocationAssignment 
-      </title>
+    console.log(prettyDOM(document));
+
+    expect(document.querySelector('.ant-page-header-heading-title')).toMatchInlineSnapshot(`
+      <span
+        class="ant-page-header-heading-title"
+        title="View details | 26aae779-0e6f-482d-82c3-a0fad1fd3689_orgToLocationAssignment"
+      >
+        View details | 26aae779-0e6f-482d-82c3-a0fad1fd3689_orgToLocationAssignment
+      </span>
     `);
 
     expect(

packages/fhir-import/src/containers/ImportListView/index.tsx

@@ -81,7 +81,7 @@ export const DataImportList = () => {
       // eslint-disable-next-line react/display-name
       render: (_: unknown, record: WorkflowDescription) => (
         <span className="d-flex align-items-center">
-          <RbacCheck permissions={['WebDataImport.read']}>
+          <RbacCheck permissions={['DataImport.read']}>
             <>
               <Link
                 to={`${DATA_IMPORT_DETAIL_URL}/${record.workflowId.toString()}`}
@@ -118,7 +118,7 @@ export const DataImportList = () => {
         <Col className="main-content">
           <div className="main-content__header">
             <div />
-            <RbacCheck permissions={['WebDataImport.create']}>
+            <RbacCheck permissions={['DataImport.create']}>
               <Link to={DATA_IMPORT_CREATE_URL}>
                 <Button type="primary" onClick={() => history.push(DATA_IMPORT_CREATE_URL)}>
                   <CloudUploadOutlined />

packages/fhir-import/src/containers/ImportListView/tests/__snapshots__/index.test.tsx.snap

@@ -50,6 +50,13 @@ exports[`Care Teams list view renders correctly: table row 1 page 1 6`] = `
 >
   <span
     class="d-flex align-items-center"
-  />
+  >
+    <a
+      class="m-0 p-1"
+      href="/importDetail/26aae779-0e6f-482d-82c3-a0fad1fd3689_orgToLocationAssignment"
+    >
+      View
+    </a>
+  </span>
 </td>
 `;

packages/pkg-config/src/configStore/index.ts

@@ -1,6 +1,6 @@
 /** stores configuration for any other package */
 import { createGlobalState } from 'react-hooks-global-state';
-import { USER_PREFERENCE_KEY } from '../constants';
+import { clientIdConfig, USER_PREFERENCE_KEY } from '../constants';
 import { PaginationProps } from 'antd/lib/pagination/Pagination';
 
 export const supportedLanguageCodes = ['en', 'sw', 'fr', 'ar', 'th', 'vi'] as const;
@@ -31,6 +31,7 @@ export interface TableState {
 
 /** interface for configs for this package */
 export interface ConfigState {
+  [clientIdConfig]?: string;
   languageCode?: LanguageCode;
   projectCode?: ProjectCode;
   appLoginURL?: string;
@@ -58,7 +59,8 @@ export enum PractToOrgAssignmentStrategy {
   ONE_TO_MANY = 'ONE_TO_MANY', // one practitioner assignable to multiple organizations
 }
 
-const defaultConfigs: GlobalState = {
+const defaultConfigs: Partial<GlobalState> = {
+  [clientIdConfig]: undefined,
   languageCode: 'en',
   appLoginURL: undefined,
   keycloakBaseURL: undefined,

packages/pkg-config/src/constants.ts

@@ -1,3 +1,7 @@
 export const SLICE_NOT_REGISTERED =
   'Looks like configuration slice is being used without having been yet registered to the store';
 export const USER_PREFERENCE_KEY = 'Preference';
+
+
+// magic strings
+export const clientIdConfig = "clientId" as const

packages/pkg-config/src/index.tsx

@@ -1 +1,2 @@
 export * from './configStore';
+export * from './constants';

packages/rbac/src/adapters/keycloakAdapter.ts

@@ -1,11 +1,7 @@
-import {
-  AuthZResource,
-  KeycloakDefinedResource,
-  KeycloakDefinedResources,
-  Permit,
-} from '../constants';
+import { AllSupportedRoles, allSupportedRoles, Permit } from '../constants';
 import { RbacAdapter } from '../helpers/types';
 import { UserRole } from '../roleDefinition';
+import { clientIdConfig, getConfig } from '@opensrp/pkg-config';
 
 const fhirVerbToPermitLookup: Record<string, Permit> = {
   GET: Permit.READ,
@@ -15,8 +11,8 @@ const fhirVerbToPermitLookup: Record<string, Permit> = {
   MANAGE: Permit.MANAGE,
 };
 
-const getFhirResourceString = (rawResourceString: string): KeycloakDefinedResource | undefined => {
-  const matchedResource = KeycloakDefinedResources.filter(
+const getFhirResourceString = (rawResourceString: string): AllSupportedRoles | undefined => {
+  const matchedResource = allSupportedRoles.filter(
     (resource) => resource.toUpperCase() === rawResourceString.toUpperCase()
   );
   return matchedResource[0];
@@ -37,24 +33,43 @@ export const parseFHirRoles = (role: string) => {
   const permit = fhirVerbToPermitLookup[verb.toUpperCase()];
   // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition
   if (resource && permit) {
-    return new UserRole(resource as AuthZResource, permit);
+    return new UserRole(resource as AllSupportedRoles, permit);
   }
 };
 
-const keycloakRoleMappings: Record<string, UserRole> = {
-  'realm-admin': new UserRole(['iam_group', 'iam_role', 'iam_user'], Permit.MANAGE),
-  'view-users': new UserRole(['iam_user'], Permit.READ),
-  'manage-users': UserRole.combineRoles([
-    new UserRole(['iam_user'], Permit.MANAGE),
-    new UserRole(['iam_role', 'iam_group'], Permit.READ),
-  ]),
-  'query-groups': new UserRole(['iam_group'], Permit.READ),
-  'view-groups': new UserRole(['iam_group'], Permit.READ),
-  'query-users': new UserRole(['iam_user'], Permit.READ),
-};
+export const parseKeycloakClientRoles = (scope: string, stringRole: string) => {
+  const configuredClientId = getConfig(clientIdConfig) ?? '';
+  const keycloakRoleMappings: Record<string, Record<string, UserRole> | undefined> = {
+    'realm-management': {
+      'realm-admin': new UserRole(
+        ['iam_group', 'iam_role', 'iam_user', 'iam_realm'],
+        Permit.MANAGE
+      ),
+      'manage-realm': new UserRole(
+        ['iam_group', 'iam_role', 'iam_user', 'iam_realm'],
+        Permit.MANAGE
+      ),
+      'view-realm': new UserRole(['iam_group', 'iam_role', 'iam_user', 'iam_realm'], Permit.READ),
+      'query-realm': new UserRole(['iam_group', 'iam_role', 'iam_user', 'iam_realm'], Permit.READ),
+      'view-users': new UserRole(['iam_user'], Permit.READ),
+      'query-users': new UserRole(['iam_user'], Permit.READ),
+      'manage-users': UserRole.combineRoles([new UserRole(['iam_user'], Permit.MANAGE)]),
+      'query-groups': new UserRole(['iam_group'], Permit.READ),
+      'view-groups': new UserRole(['iam_group'], Permit.READ),
+    },
+    account: {
+      'manage-account': new UserRole(
+        ['account_user', 'account_application', 'account_group'],
+        Permit.MANAGE
+      ),
+      'view-groups': new UserRole(['account_group'], Permit.READ),
+    },
+  };
 
-export const parseKeycloakRoles = (stringRole: string) => {
-  const lookedURole = keycloakRoleMappings[stringRole] as UserRole | undefined;
+  if (scope === configuredClientId) {
+    return parseFHirRoles(stringRole);
+  }
+  const lookedURole = keycloakRoleMappings[scope]?.[stringRole] as UserRole | undefined;
   return lookedURole;
 };
 
@@ -72,28 +87,33 @@ export const adapter: RbacAdapter = (roles: KeycloakRoleData = defaultRoleData)
   /**
     parse each role, figure out which resource and verb permission it maps to and add that to the permission object
    */
-
-  let allRoleStrings = roles.realmAccess ?? [];
-  const invalidRoleStrings: string[] = [];
-  Object.values(roles.clientRoles ?? {}).forEach((roleArray) => {
-    allRoleStrings = [...allRoleStrings, ...roleArray];
-  });
-
+  const allRoleStrings = roles.realmAccess ?? [];
   const allRoles: UserRole[] = [];
-
-  allRoleStrings.forEach((role) => {
-    // check if we can first get a hit from keycloak default roles.
-    let asRole = parseKeycloakRoles(role);
-
-    if (asRole === undefined) {
-      asRole = parseFHirRoles(role);
-    }
-    if (asRole) {
-      allRoles.push(asRole);
+  const invalidRoleStrings: string[] = [];
+  for (const role of allRoleStrings) {
+    const asRoleDef = parseFHirRoles(role);
+    if (asRoleDef) {
+      allRoles.push(asRoleDef);
     } else {
       invalidRoleStrings.push(role);
     }
+  }
+  Object.entries(roles.clientRoles ?? {}).forEach(([scope, roleArray]) => {
+    roleArray.forEach((role) => {
+      // check if we can first get a hit from keycloak default roles.
+      let asRole = parseKeycloakClientRoles(scope, role);
+
+      if (asRole === undefined) {
+        asRole = parseFHirRoles(role);
+      }
+      if (asRole) {
+        allRoles.push(asRole);
+      } else {
+        invalidRoleStrings.push(role);
+      }
+    });
   });
+
   if (invalidRoleStrings.length > 0) {
     /* eslint-disable no-console */
     console.warn(`Could not understand the following roles: ${invalidRoleStrings.join(', ')}`);

packages/rbac/src/constants.ts

@@ -8,18 +8,21 @@ export enum Permit {
   MANAGE = 0b1111,
 }
 
-/**
- * Authorization server resources that this web client is familiar with, thus we can enforce rbac for permissions on views that
- * deal with the below resource.
- */
-export const IamResources = ['iam_user', 'iam_role', 'iam_group'] as const;
-export type IamResource = typeof IamResources[number];
+/** Resources that the web client understands */
+
+/** Resources that relate with user self administration like deleting own account */
+export const accountClientResources = ['account_user', 'account_application', 'account_group'] as const
+export type AccountClientResources = typeof accountClientResources[number]
+
+/** Resources that relate to the realm administration like managing other users accounts */
+export const realmClientResources = ['iam_user', 'iam_realm', 'iam_group', 'iam_role'] as const
+export type RealmClientResources = typeof realmClientResources[number]
 
 /**
  * fhir hapi Server resources that this web client is familiar with, thus we can enforce rbac for permissions on views that
  * deal with the below resource.
  */
-export const FhirResources = [
+export const fhirResources = [
   'Patient',
   'Practitioner',
   'PractitionerRole',
@@ -42,22 +45,20 @@ export const FhirResources = [
   'Encounter',
   'Flag',
 ] as const;
-export type FhirResource = typeof FhirResources[number];
+export type FhirResources = typeof fhirResources[number];
 
 /**
  * Roles for Situations where we have views that are not directly tied to any of the native fhir resources.
  * These are custom and only relevant for the web. These should also be defined and parsed in a similar design as
  * FhirResources
  */
-export const WebCustomResources = ['WebDataImport'] as const;
-
-export type WebCustomResource = typeof WebCustomResources[number];
+export const webClientRoles = ['DataImport'] as const;
+export type WebClientRoles = typeof webClientRoles[number];
 
-export const KeycloakDefinedResources = [...FhirResources, ...WebCustomResources] as const;
-export type KeycloakDefinedResource = typeof KeycloakDefinedResources[number];
+export const allSupportedRoles = [...fhirResources, ...accountClientResources, ...realmClientResources, ...webClientRoles];
+export type AllSupportedRoles = typeof allSupportedRoles[number];
 
-export type AuthZResource = IamResource | FhirResource | WebCustomResource;
 export type BinaryNumber = number;
 export type PermitKey = keyof typeof Permit;
 export type PermitKeyValues = Valueof<typeof Permit>;
-export type ResourcePermitMap = Map<AuthZResource, number>;
+export type ResourcePermitMap = Map<AllSupportedRoles, number>;