e10e60fc9e
- Introduced CRUD operations for user management, including create, invite, update, disable, and reactivate functionalities. - Enhanced user listing with filtering options based on status and search queries. - Implemented multi-service quota management for users, allowing specification of mail, drive, and photos storage limits. - Added audit log export functionality with validation for format and limit parameters. - Established strict RBAC for admin routes, ensuring proper permission checks for read and write operations. - Updated validation logic for user-related requests and improved error handling across the user management API. - Revised database schema to support new user status and quota fields, along with necessary migrations. - Updated project checklist to reflect the completion of user management and admin RBAC enhancements.
308 lines
8.5 KiB
Go
308 lines
8.5 KiB
Go
package admin
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
"log/slog"
|
|
"net/http"
|
|
"strings"
|
|
|
|
"github.com/go-chi/chi/v5"
|
|
"github.com/jackc/pgx/v5/pgxpool"
|
|
|
|
"github.com/ultisuite/ulti-backend/internal/api/apiresponse"
|
|
"github.com/ultisuite/ulti-backend/internal/api/apivalidate"
|
|
"github.com/ultisuite/ulti-backend/internal/api/middleware"
|
|
"github.com/ultisuite/ulti-backend/internal/api/query"
|
|
"github.com/ultisuite/ulti-backend/internal/permission"
|
|
"github.com/ultisuite/ulti-backend/internal/securityaudit"
|
|
)
|
|
|
|
type Handler struct {
|
|
svc *Service
|
|
logger *slog.Logger
|
|
}
|
|
|
|
func NewHandler(db *pgxpool.Pool, audit *securityaudit.Logger) *Handler {
|
|
return &Handler{
|
|
svc: NewService(db, audit),
|
|
logger: slog.Default().With("component", "admin-api"),
|
|
}
|
|
}
|
|
|
|
func (h *Handler) Routes() chi.Router {
|
|
r := chi.NewRouter()
|
|
read := middleware.RequireAdminScope(permission.AdminScopeRead)
|
|
write := middleware.RequireAdminScope(permission.AdminScopeWrite)
|
|
|
|
r.With(read).Get("/users", h.ListUsers)
|
|
r.With(read).Get("/users/{userID}", h.GetUser)
|
|
|
|
r.With(write).Post("/users", h.CreateUser)
|
|
r.With(write).Post("/users/invite", h.InviteUser)
|
|
r.With(write).Put("/users/{userID}", h.UpdateUser)
|
|
r.With(write).Post("/users/{userID}/disable", h.DisableUser)
|
|
r.With(write).Post("/users/{userID}/reactivate", h.ReactivateUser)
|
|
r.With(write).Put("/users/{userID}/quota", h.SetQuota)
|
|
r.With(write).Delete("/users/{userID}", h.DeleteUser)
|
|
|
|
r.With(read).Get("/audit", h.ListAuditLogs)
|
|
r.With(read).Get("/audit/export", h.ExportAuditLogs)
|
|
r.With(read).Get("/stats", h.GetStats)
|
|
|
|
return r
|
|
}
|
|
|
|
func (h *Handler) ListUsers(w http.ResponseWriter, r *http.Request) {
|
|
params, err := query.ParseListRequest(r)
|
|
if err != nil {
|
|
apivalidate.WriteQueryError(w, r, err)
|
|
return
|
|
}
|
|
status, verr := validateStatus(r.URL.Query().Get("status"))
|
|
if verr != nil {
|
|
apivalidate.WriteValidationError(w, r, verr)
|
|
return
|
|
}
|
|
|
|
result, err := h.svc.ListUsers(r.Context(), params, UserFilter{
|
|
Status: status,
|
|
Q: strings.TrimSpace(params.Q),
|
|
})
|
|
if err != nil {
|
|
h.logger.Error("list users", "error", err)
|
|
apivalidate.WriteInternal(w, r)
|
|
return
|
|
}
|
|
apiresponse.WriteJSON(w, http.StatusOK, result)
|
|
}
|
|
|
|
func (h *Handler) GetUser(w http.ResponseWriter, r *http.Request) {
|
|
userID := chi.URLParam(r, "userID")
|
|
if verr := validateUserID(userID); verr != nil {
|
|
apivalidate.WriteValidationError(w, r, verr)
|
|
return
|
|
}
|
|
|
|
user, err := h.svc.GetUser(r.Context(), userID)
|
|
if err != nil {
|
|
if errors.Is(err, ErrNotFound) {
|
|
apivalidate.WriteNotFound(w, r, "not found")
|
|
return
|
|
}
|
|
h.logger.Error("get user", "error", err)
|
|
apivalidate.WriteInternal(w, r)
|
|
return
|
|
}
|
|
apiresponse.WriteJSON(w, http.StatusOK, user)
|
|
}
|
|
|
|
func (h *Handler) CreateUser(w http.ResponseWriter, r *http.Request) {
|
|
claims := middleware.ClaimsFromContext(r.Context())
|
|
|
|
var req createUserRequest
|
|
if err := apivalidate.DecodeJSON(w, r, maxQuotaRequestBody, &req); err != nil {
|
|
return
|
|
}
|
|
if verr := validateCreateUser(&req); verr != nil {
|
|
apivalidate.WriteValidationError(w, r, verr)
|
|
return
|
|
}
|
|
|
|
user, err := h.svc.CreateUser(r.Context(), claims.Sub, req)
|
|
if err != nil {
|
|
h.logger.Error("create user", "error", err)
|
|
apivalidate.WriteInternal(w, r)
|
|
return
|
|
}
|
|
apiresponse.WriteJSON(w, http.StatusCreated, user)
|
|
}
|
|
|
|
func (h *Handler) InviteUser(w http.ResponseWriter, r *http.Request) {
|
|
claims := middleware.ClaimsFromContext(r.Context())
|
|
|
|
var req inviteUserRequest
|
|
if err := apivalidate.DecodeJSON(w, r, maxQuotaRequestBody, &req); err != nil {
|
|
return
|
|
}
|
|
if verr := validateInviteUser(&req); verr != nil {
|
|
apivalidate.WriteValidationError(w, r, verr)
|
|
return
|
|
}
|
|
|
|
user, err := h.svc.InviteUser(r.Context(), claims.Sub, req)
|
|
if err != nil {
|
|
h.logger.Error("invite user", "error", err)
|
|
apivalidate.WriteInternal(w, r)
|
|
return
|
|
}
|
|
apiresponse.WriteJSON(w, http.StatusCreated, user)
|
|
}
|
|
|
|
func (h *Handler) UpdateUser(w http.ResponseWriter, r *http.Request) {
|
|
userID := chi.URLParam(r, "userID")
|
|
if verr := validateUserID(userID); verr != nil {
|
|
apivalidate.WriteValidationError(w, r, verr)
|
|
return
|
|
}
|
|
claims := middleware.ClaimsFromContext(r.Context())
|
|
|
|
var req updateUserRequest
|
|
if err := apivalidate.DecodeJSON(w, r, maxQuotaRequestBody, &req); err != nil {
|
|
return
|
|
}
|
|
if verr := validateUpdateUser(&req); verr != nil {
|
|
apivalidate.WriteValidationError(w, r, verr)
|
|
return
|
|
}
|
|
|
|
user, err := h.svc.UpdateUser(r.Context(), claims.Sub, userID, req)
|
|
if err != nil {
|
|
if errors.Is(err, ErrNotFound) {
|
|
apivalidate.WriteNotFound(w, r, "not found")
|
|
return
|
|
}
|
|
h.logger.Error("update user", "error", err)
|
|
apivalidate.WriteInternal(w, r)
|
|
return
|
|
}
|
|
apiresponse.WriteJSON(w, http.StatusOK, user)
|
|
}
|
|
|
|
func (h *Handler) SetQuota(w http.ResponseWriter, r *http.Request) {
|
|
userID := chi.URLParam(r, "userID")
|
|
if verr := validateUserID(userID); verr != nil {
|
|
apivalidate.WriteValidationError(w, r, verr)
|
|
return
|
|
}
|
|
claims := middleware.ClaimsFromContext(r.Context())
|
|
|
|
var req setQuotaRequest
|
|
if err := apivalidate.DecodeJSON(w, r, maxQuotaRequestBody, &req); err != nil {
|
|
return
|
|
}
|
|
if verr := validateSetQuota(&req); verr != nil {
|
|
apivalidate.WriteValidationError(w, r, verr)
|
|
return
|
|
}
|
|
|
|
if err := h.svc.SetQuota(r.Context(), claims.Sub, userID, req); err != nil {
|
|
if errors.Is(err, ErrNotFound) {
|
|
apivalidate.WriteNotFound(w, r, "not found")
|
|
return
|
|
}
|
|
h.logger.Error("set quota", "error", err)
|
|
apivalidate.WriteInternal(w, r)
|
|
return
|
|
}
|
|
w.WriteHeader(http.StatusNoContent)
|
|
}
|
|
|
|
func (h *Handler) DisableUser(w http.ResponseWriter, r *http.Request) {
|
|
userID := chi.URLParam(r, "userID")
|
|
if verr := validateUserID(userID); verr != nil {
|
|
apivalidate.WriteValidationError(w, r, verr)
|
|
return
|
|
}
|
|
claims := middleware.ClaimsFromContext(r.Context())
|
|
if err := h.svc.DisableUser(r.Context(), claims.Sub, userID); err != nil {
|
|
if errors.Is(err, ErrNotFound) {
|
|
apivalidate.WriteNotFound(w, r, "not found")
|
|
return
|
|
}
|
|
h.logger.Error("disable user", "error", err)
|
|
apivalidate.WriteInternal(w, r)
|
|
return
|
|
}
|
|
w.WriteHeader(http.StatusNoContent)
|
|
}
|
|
|
|
func (h *Handler) ReactivateUser(w http.ResponseWriter, r *http.Request) {
|
|
userID := chi.URLParam(r, "userID")
|
|
if verr := validateUserID(userID); verr != nil {
|
|
apivalidate.WriteValidationError(w, r, verr)
|
|
return
|
|
}
|
|
claims := middleware.ClaimsFromContext(r.Context())
|
|
if err := h.svc.ReactivateUser(r.Context(), claims.Sub, userID); err != nil {
|
|
if errors.Is(err, ErrNotFound) {
|
|
apivalidate.WriteNotFound(w, r, "not found")
|
|
return
|
|
}
|
|
h.logger.Error("reactivate user", "error", err)
|
|
apivalidate.WriteInternal(w, r)
|
|
return
|
|
}
|
|
w.WriteHeader(http.StatusNoContent)
|
|
}
|
|
|
|
func (h *Handler) DeleteUser(w http.ResponseWriter, r *http.Request) {
|
|
userID := chi.URLParam(r, "userID")
|
|
if verr := validateUserID(userID); verr != nil {
|
|
apivalidate.WriteValidationError(w, r, verr)
|
|
return
|
|
}
|
|
claims := middleware.ClaimsFromContext(r.Context())
|
|
if err := h.svc.DeleteUser(r.Context(), claims.Sub, userID); err != nil {
|
|
if errors.Is(err, ErrNotFound) {
|
|
apivalidate.WriteNotFound(w, r, "not found")
|
|
return
|
|
}
|
|
h.logger.Error("delete user", "error", err)
|
|
apivalidate.WriteInternal(w, r)
|
|
return
|
|
}
|
|
w.WriteHeader(http.StatusNoContent)
|
|
}
|
|
|
|
func (h *Handler) ListAuditLogs(w http.ResponseWriter, r *http.Request) {
|
|
params, err := query.ParseListRequest(r)
|
|
if err != nil {
|
|
apivalidate.WriteQueryError(w, r, err)
|
|
return
|
|
}
|
|
|
|
result, err := h.svc.ListAuditLogs(r.Context(), params)
|
|
if err != nil {
|
|
h.logger.Error("list audit logs", "error", err)
|
|
apivalidate.WriteInternal(w, r)
|
|
return
|
|
}
|
|
apiresponse.WriteJSON(w, http.StatusOK, result)
|
|
}
|
|
|
|
func (h *Handler) ExportAuditLogs(w http.ResponseWriter, r *http.Request) {
|
|
format, verr := validateExportFormat(r.URL.Query().Get("format"))
|
|
if verr != nil {
|
|
apivalidate.WriteValidationError(w, r, verr)
|
|
return
|
|
}
|
|
limit, verr := validateExportLimit(r.URL.Query().Get("limit"))
|
|
if verr != nil {
|
|
apivalidate.WriteValidationError(w, r, verr)
|
|
return
|
|
}
|
|
|
|
payload, err := h.svc.ExportAuditLogs(r.Context(), format, limit)
|
|
if err != nil {
|
|
h.logger.Error("export audit logs", "error", err)
|
|
apivalidate.WriteInternal(w, r)
|
|
return
|
|
}
|
|
|
|
w.Header().Set("Content-Type", payload.ContentType)
|
|
w.Header().Set("Content-Disposition", fmt.Sprintf(`attachment; filename="%s"`, payload.FileName))
|
|
w.WriteHeader(http.StatusOK)
|
|
_, _ = w.Write(payload.Content)
|
|
}
|
|
|
|
func (h *Handler) GetStats(w http.ResponseWriter, r *http.Request) {
|
|
stats, err := h.svc.GetStats(r.Context())
|
|
if err != nil {
|
|
h.logger.Error("get stats", "error", err)
|
|
apivalidate.WriteInternal(w, r)
|
|
return
|
|
}
|
|
apiresponse.WriteJSON(w, http.StatusOK, stats)
|
|
}
|