Merge 8fda973 into a05e54c

ssc-sp · Jan 6, 2025 · 8012c04 · 8012c04
2 parents a05e54c + 8fda973
commit 8012c04
Show file tree

Hide file tree

Showing 8 changed files with 128 additions and 60 deletions.
diff --git a/Portal/src/Datahub.Application/RoleManagement/RoleClaimTransformer.cs b/Portal/src/Datahub.Application/RoleManagement/RoleClaimTransformer.cs
@@ -29,12 +29,19 @@ public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
                 claims.AddClaim(new Claim(ClaimTypes.Role, "default"));
                 claims.AddClaim(new Claim(ClaimTypes.Role, userId));
 
+                // Ensure that the user can't be both approver and admin
+                bool alreadyAdded = claims.HasClaim(ClaimTypes.Role, RoleConstants.DATAHUB_ROLE_ADMIN_AS_GUEST) || claims.HasClaim(ClaimTypes.Role, RoleConstants.DATAHUB_APPROVER_ROLE);
+
                 foreach (var (role, project) in authorizedProjects)
                 {
-                    if (project.Project_Acronym_CD == RoleConstants.DATAHUB_ADMIN_PROJECT && serviceAuthManager.GetViewingAsGuest(userId))
+                    if (!alreadyAdded && project.Project_Acronym_CD == RoleConstants.DATAHUB_ADMIN_PROJECT && serviceAuthManager.GetViewingAsGuest(userId))
                     {
                         claims.AddClaim(new Claim(ClaimTypes.Role, RoleConstants.DATAHUB_ROLE_ADMIN_AS_GUEST));
                     }
+                    else if (!alreadyAdded && project.Project_Acronym_CD == RoleConstants.DATAHUB_APPROVER_PROJECT)
+                    {
+                        claims.AddClaim(new Claim(ClaimTypes.Role, RoleConstants.DATAHUB_APPROVER_ROLE));
+                    }
                     else
                     {
                         claims.AddClaim(new Claim(ClaimTypes.Role, $"{project.Project_Acronym_CD}{RoleConstants.GetRoleConstants(role)}"));

diff --git a/Portal/src/Datahub.Core/Components/AuthViews/DatahubAuthView.razor b/Portal/src/Datahub.Core/Components/AuthViews/DatahubAuthView.razor
@@ -48,6 +48,7 @@
         WorkspaceLead,
         DatahubAdminGuestView,
         DatahubSupport,
+        DatahubApprover,
         Unauthorized
     }
 
@@ -79,6 +80,7 @@
         var workspaceLeadRole = $"{ProjectAcronym}{RoleConstants.WORKSPACE_LEAD_SUFFIX}";
         var datahubSupportRole = RoleConstants.DATAHUB_ROLE_ADMIN;
         var datahubAdminAsGuestRole = RoleConstants.DATAHUB_ROLE_ADMIN_AS_GUEST;
+        var datahubApprover = RoleConstants.DATAHUB_APPROVER_ROLE;
 
         switch (AuthLevel)
         {
@@ -96,6 +98,8 @@
                 return $"{datahubSupportRole},{datahubAdminAsGuestRole}";
             case AuthLevels.DatahubSupport:
                 return datahubSupportRole;
+            case AuthLevels.DatahubApprover:
+                return datahubApprover;
             case AuthLevels.Unauthorized:
                 return "🏗️ Unauthorized";
             default:

diff --git a/Portal/src/Datahub.Core/Data/RoleConstants.cs b/Portal/src/Datahub.Core/Data/RoleConstants.cs
@@ -18,6 +18,9 @@ public static class RoleConstants
     public const string DATAHUB_ROLE_ADMIN = DATAHUB_ADMIN_PROJECT + ADMIN_SUFFIX;
     public const string DATAHUB_ROLE_ADMIN_AS_GUEST = DATAHUB_ADMIN_PROJECT + "-admin-as-guest";
 
+    public const string DATAHUB_APPROVER_PROJECT = "DHAPPRV"; // 7 character max
+    public const string DATAHUB_APPROVER_ROLE = DATAHUB_APPROVER_PROJECT + "-approver";
+
     public static string GetRoleConstants(Project_Role role)
     {
         return role.Id switch

diff --git a/Portal/src/Datahub.Portal/Pages/Help/HelpPage.razor b/Portal/src/Datahub.Portal/Pages/Help/HelpPage.razor
@@ -435,7 +435,7 @@
                     .Include(p => p.Resources)
                     .FirstOrDefault(p => p.Project_Acronym_CD == acronym);
 
-        dbContext.Projects.Update(WorkspaceSettingsPage.ExtendAdminAccess(project));
+        dbContext.Projects.Update(WorkspaceGrantSupportAccessControl.ExtendAdminAccess(project));
 
         await dbContext.SaveChangesAsync();
     }

diff --git a/Portal/src/Datahub.Portal/Pages/Workspace/Dashboard/WorkspaceDashboard.razor b/Portal/src/Datahub.Portal/Pages/Workspace/Dashboard/WorkspaceDashboard.razor
@@ -4,6 +4,8 @@
 @using Datahub.Shared.Entities
 @using Datahub.Application.Services.Notebooks
 @using Datahub.Portal.Pages.Workspace.Repositories
+@using Datahub.Portal.Pages.Account
+@using Datahub.Portal.Pages.Workspace.Settings
 
 @inject IDbContextFactory<DatahubProjectDBContext> _dbContextFactory
 @inject ILogger<WorkspaceDashboard> _logger
@@ -31,6 +33,10 @@
         <WorkspaceInfo WorkspaceAcronym="@WorkspaceAcronym"/>
     </MudItem>
     <MudItem xs="12" sm="4">
+        <DatahubAuthView AuthLevel="DatahubAuthView.AuthLevels.DatahubApprover">
+            <MudText Typo="Typo.h2">Support Access Controls (Approver Only)</MudText>
+            <WorkspaceGrantSupportAccessControl WorkspaceAcronym="@WorkspaceAcronym" ElevatedWorkspaceAccessEnabled="@ElevatedWorkspaceAccessEnabled" />
+        </DatahubAuthView>
         <DatahubAuthView AuthLevel="DatahubAuthView.AuthLevels.WorkspaceAdmin" ProjectAcronym="@WorkspaceAcronym" ElevatedWorkspaceAccessEnabled="@ElevatedWorkspaceAccessEnabled">
             <WorkspaceAdminInfo WorkspaceAcronym="@WorkspaceAcronym"/>
         </DatahubAuthView>
@@ -166,5 +172,4 @@
         // if it's in the dictionary, return the type otherwise return null
         return _cardComponents.ContainsKey(resourceType) ? resourceType : null;
     }
-
 }
diff --git a/Portal/src/Datahub.Portal/Pages/Workspace/Settings/WorkspaceGrantSupportAccessControl.razor b/Portal/src/Datahub.Portal/Pages/Workspace/Settings/WorkspaceGrantSupportAccessControl.razor
@@ -0,0 +1,98 @@
+@using Datahub.Portal.Pages.Account
+@using Datahub.Core.Model.Projects
+
+@inject IDbContextFactory<DatahubProjectDBContext> _dbContextFactory
+@inject ISnackbar _snackbar
+
+<SettingsField Label="@Localizer["Grant Support Access"]" Description="@Localizer["This setting lets the FSDH Support Team add and remove users, edit settings, and access your tools."]">
+    <MudSwitch T="bool" Label="@Localizer["Enable Temporary Administrative Access to FSDH Support Team"]" Value="@ElevatedWorkspaceAccessEnabled" Color="Color.Primary" ValueChanged="@ToggleAdminAccess" Class="pb-2"/>
+    @if (ElevatedWorkspaceAccessEnabled)
+    {
+        <MudText Typo="Typo.body2">
+            @Localizer["FSDH Support Team access is enabled until {0}", _accessDate.ToString()]
+        </MudText>
+    }
+    else
+    {
+        <MudText Typo="Typo.body2">@Localizer["The FSDH Support Team does not have access to your workspace."]</MudText>
+    }
+</SettingsField>
+
+@code {
+    [Parameter]
+    public string WorkspaceAcronym { get; set; }
+
+    [Parameter]
+    public bool ElevatedWorkspaceAccessEnabled { get; set; } = false;
+
+    private DateTime _accessDate;
+
+    private Datahub_Project _workspace;
+
+    protected override async Task OnInitializedAsync()
+    {
+        await base.OnInitializedAsync();
+
+        await using var context = await _dbContextFactory.CreateDbContextAsync();
+        _workspace = await context.Projects
+            .AsNoTracking()
+            .FirstAsync(p => p.Project_Acronym_CD == WorkspaceAcronym);
+
+        _accessDate = _workspace.AllowDatahubSupport;
+    }
+
+    /// <summary>
+    /// Toggles admin access for the FSDH Support Team. If access is enabled, it will be disabled, and vice versa.
+    /// </summary>
+    /// <returns></returns>
+    private async Task ToggleAdminAccess()
+    {
+        await using var dbContext = await _dbContextFactory.CreateDbContextAsync();
+
+        var project = dbContext.Projects
+            .AsNoTracking()
+            .Include(p => p.Resources)
+            .FirstOrDefault(p => p.Project_Acronym_CD == WorkspaceAcronym);
+
+        if (WorkspacePage.DisplayToSupport(project))
+        {
+            dbContext.Projects.Update(CancelAdminAccess(project));
+            ElevatedWorkspaceAccessEnabled = false;
+            _snackbar.Add(Localizer["Support access has been revoked"], Severity.Success);
+        }
+        else
+        {
+            dbContext.Projects.Update(ExtendAdminAccess(project, 72));
+            ElevatedWorkspaceAccessEnabled = true;
+            _snackbar.Add(Localizer["Support access granted until {0}", project.AllowDatahubSupport.ToString()], Severity.Success);
+        }
+
+        await dbContext.SaveChangesAsync();
+
+        _accessDate = project.AllowDatahubSupport;
+    }
+
+    /// <summary>
+    /// Cancels the support access for the FSDH Support Team.
+    /// </summary>
+    /// <param name="project">The project to revoke support access to.</param>
+    /// <returns></returns>
+    public static Datahub_Project CancelAdminAccess(Datahub_Project project)
+    {
+        project.AllowDatahubSupport = DateTime.MinValue;
+        return project;
+    }
+
+    /// <summary>
+    /// Extends the support access for the FSDH Support Team by the specified number of hours.
+    /// </summary>
+    /// <param name="project">The project to be accessed.</param>
+    /// <param name="time">The number of hours to grant access for.</param>
+    /// <returns></returns>
+    public static Datahub_Project ExtendAdminAccess(Datahub_Project project, int time = 72)
+    {
+        var accessDate = DateTime.Now.AddHours(time);
+        project.AllowDatahubSupport = accessDate;
+        return project;
+    }
+}
diff --git a/Portal/src/Datahub.Portal/Pages/Workspace/Settings/WorkspaceSettingsPage.razor b/Portal/src/Datahub.Portal/Pages/Workspace/Settings/WorkspaceSettingsPage.razor
@@ -35,19 +35,11 @@
         }
     </MudStack>
     <MudStack>
-            <SettingsField Label="@Localizer["Grant Support Access"]" Description="@Localizer["This setting lets the FSDH Support Team add and remove users, edit settings, and access your tools."]">
-                <MudSwitch T="bool" Label="@Localizer["Enable Temporary Administrative Access to FSDH Support Team"]" Value="@ElevatedWorkspaceAccessEnabled" Color="Color.Primary" ValueChanged="@ToggleAdminAccess" Class="pb-2"/>
-                @if (ElevatedWorkspaceAccessEnabled)
-                {
-                    <MudText Typo="Typo.body2">
-                        @Localizer["FSDH Support Team access is enabled until {0}", _accessDate.ToString()]
-                    </MudText>
-                }
-                else
-                {
-                    <MudText Typo="Typo.body2">@Localizer["The FSDH Support Team does not have access to your workspace."]</MudText>
-                }
-            </SettingsField>
+        <DatahubAuthView AuthLevel="DatahubAuthView.AuthLevels.WorkspaceGuest" ProjectAcronym="@WorkspaceAcronym">
+            <Authorized>
+                <WorkspaceGrantSupportAccessControl WorkspaceAcronym="@WorkspaceAcronym" ElevatedWorkspaceAccessEnabled="@ElevatedWorkspaceAccessEnabled"/>
+            </Authorized>
+        </DatahubAuthView>
     </MudStack>
     <MudStack>
         <DatahubAuthView AuthLevel="DatahubAuthView.AuthLevels.WorkspaceLead" ProjectAcronym="@WorkspaceAcronym">
@@ -102,45 +94,4 @@
 
         SetFormPropertiesFromWorkspace();
     }
-
-    private async Task ToggleAdminAccess()
-    {
-        await using var dbContext = await _dbContextFactory.CreateDbContextAsync();
-
-        var project = dbContext.Projects
-            .AsNoTracking()
-            .Include(p => p.Resources)
-            .FirstOrDefault(p => p.Project_Acronym_CD == WorkspaceAcronym);
-
-        if (WorkspacePage.DisplayToSupport(project))
-        {
-            dbContext.Projects.Update(CancelAdminAccess(project));
-            ElevatedWorkspaceAccessEnabled = false;
-            _snackbar.Add(Localizer["Support access has been revoked"], Severity.Success);
-        }
-        else
-        {
-            dbContext.Projects.Update(ExtendAdminAccess(project));
-            ElevatedWorkspaceAccessEnabled = true;
-            _snackbar.Add(Localizer["Support access granted until {0}", project.AllowDatahubSupport.ToString()], Severity.Success);
-        }
-
-        await dbContext.SaveChangesAsync();
-
-        _accessDate = project.AllowDatahubSupport;
-    }
-
-    public static Datahub_Project CancelAdminAccess(Datahub_Project project)
-    {
-        project.AllowDatahubSupport = DateTime.MinValue;
-        return project;
-    }
-
-    public static Datahub_Project ExtendAdminAccess(Datahub_Project project)
-    {
-        // Set .AllowDatahubSupport to 3 days from now
-        var accessDate = DateTimeOffset.Now.AddDays(3).DateTime;
-        project.AllowDatahubSupport = accessDate;
-        return project;
-    }
 }
diff --git a/Portal/test/Datahub.SpecflowTests/Steps/SupportAccessToWorkspacesSteps.cs b/Portal/test/Datahub.SpecflowTests/Steps/SupportAccessToWorkspacesSteps.cs
@@ -48,7 +48,7 @@ public void WhenTheUserRequestsSupportForTheWorkspace()
     {
         // Act
         var workspace = scenarioContext.Get<Datahub_Project>();
-        workspace = WorkspaceSettingsPage.ExtendAdminAccess(workspace);
+        workspace = WorkspaceGrantSupportAccessControl.ExtendAdminAccess(workspace);
         scenarioContext.Set(workspace);
     }
 
@@ -73,7 +73,7 @@ public void GivenTheUserHasRequestedSupportForAWorkspace()
             AllowDatahubSupport = new DateTime(2000, 6, 5),
         };
 
-        workspace = WorkspaceSettingsPage.ExtendAdminAccess(workspace);
+        workspace = WorkspaceGrantSupportAccessControl.ExtendAdminAccess(workspace);
 
         scenarioContext.Set(workspace);
     }
@@ -83,7 +83,7 @@ public void WhenTheUserRevokesSupportForTheWorkspace()
     {
         // Act
         var workspace = scenarioContext.Get<Datahub_Project>();
-        workspace = WorkspaceSettingsPage.CancelAdminAccess(workspace);
+        workspace = WorkspaceGrantSupportAccessControl.CancelAdminAccess(workspace);
         scenarioContext.Set(workspace);
     }
 }