Derive Exec Group with Leads Group IDs (#311)

Author: devksingh4

package.json

@@ -32,7 +32,7 @@
     "test:e2e-ui": "playwright test --ui"
   },
   "dependencies": {
-    "@acm-uiuc/js-shared": "^2.3.0"
+    "@acm-uiuc/js-shared": "^2.4.0"
   },
   "devDependencies": {
     "@eslint/compat": "^1.3.2",

src/api/functions/entraId.ts

@@ -10,7 +10,6 @@ import {
 } from "../../common/config.js";
 import {
   BaseError,
-  DecryptionError,
   EntraFetchError,
   EntraGroupError,
   EntraGroupsFromEmailError,
@@ -574,10 +573,15 @@ export async function isUserInGroup(
 export async function getServicePrincipalOwnedGroups(
   token: string,
   servicePrincipal: string,
+  includeDynamicGroups: boolean,
 ): Promise<{ id: string; displayName: string }[]> {
   try {
-    // Selects only group objects and retrieves just their id and displayName
-    const url = `https://graph.microsoft.com/v1.0/servicePrincipals/${servicePrincipal}/ownedObjects/microsoft.graph.group?$select=id,displayName`;
+    // Include groupTypes in selection to filter dynamic groups if needed
+    const selectFields = includeDynamicGroups
+      ? "id,displayName,description"
+      : "id,displayName,description,groupTypes";
+
+    const url = `https://graph.microsoft.com/v1.0/servicePrincipals/${servicePrincipal}/ownedObjects/microsoft.graph.group?$select=${selectFields}`;
 
     const response = await fetch(url, {
       method: "GET",
@@ -589,9 +593,26 @@ export async function getServicePrincipalOwnedGroups(
 
     if (response.ok) {
       const data = (await response.json()) as {
-        value: { id: string; displayName: string }[];
+        value: {
+          id: string;
+          displayName: string;
+          groupTypes?: string[];
+          description?: string;
+        }[];
       };
-      return data.value;
+
+      // Filter out dynamic groups and admin lists if includeDynamicGroups is false
+      const groups = includeDynamicGroups
+        ? data.value
+        : data.value
+            .filter((group) => !group.groupTypes?.includes("DynamicMembership"))
+            .filter(
+              (group) =>
+                !group.description?.startsWith("[Managed by Core API]"),
+            );
+
+      // Return only id and displayName (strip groupTypes if it was included)
+      return groups.map(({ id, displayName }) => ({ id, displayName }));
     }
 
     const errorData = (await response.json()) as {
@@ -813,9 +834,11 @@ export async function createM365Group(
       mailEnabled: boolean;
       securityEnabled: boolean;
       groupTypes: string[];
+      description: string;
       "[email protected]"?: string[];
     } = {
       displayName: groupName,
+      description: "[Managed by Core API]",
       mailNickname: safeMailNickname,
       mailEnabled: true,
       securityEnabled: false,
@@ -898,3 +921,66 @@ export async function createM365Group(
     });
   }
 }
+
+/**
+ * Sets the dynamic membership rule for an Entra ID group.
+ * @param token - Entra ID token authorized to take this action.
+ * @param groupId - The group ID to update.
+ * @param membershipRule - The dynamic membership rule expression.
+ * @throws {EntraGroupError} If setting the membership rule fails.
+ * @returns {Promise<void>}
+ */
+export async function setGroupMembershipRule(
+  token: string,
+  groupId: string,
+  membershipRule: string,
+): Promise<void> {
+  if (!validateGroupId(groupId)) {
+    throw new EntraGroupError({
+      message: "Invalid group ID format",
+      group: groupId,
+    });
+  }
+
+  if (!membershipRule || membershipRule.trim().length === 0) {
+    throw new EntraGroupError({
+      message: "Membership rule cannot be empty",
+      group: groupId,
+    });
+  }
+
+  try {
+    const url = `https://graph.microsoft.com/v1.0/groups/${groupId}`;
+    const response = await fetch(url, {
+      method: "PATCH",
+      headers: {
+        Authorization: `Bearer ${token}`,
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify({
+        membershipRule,
+        membershipRuleProcessingState: "On",
+        groupTypes: ["DynamicMembership"],
+      }),
+    });
+
+    if (!response.ok) {
+      const errorData = (await response.json()) as {
+        error?: { message?: string };
+      };
+      throw new EntraGroupError({
+        message: errorData?.error?.message ?? response.statusText,
+        group: groupId,
+      });
+    }
+  } catch (error) {
+    if (error instanceof EntraGroupError) {
+      throw error;
+    }
+
+    throw new EntraGroupError({
+      message: error instanceof Error ? error.message : String(error),
+      group: groupId,
+    });
+  }
+}

src/api/functions/organizations.ts

@@ -1,6 +1,7 @@
 import { AllOrganizationList } from "@acm-uiuc/js-shared";
 import {
   QueryCommand,
+  ScanCommand,
   TransactWriteItemsCommand,
   type DynamoDBClient,
 } from "@aws-sdk/client-dynamodb";
@@ -367,3 +368,44 @@ export const removeLead = async ({
     },
   };
 };
+
+/**
+ * Returns the Microsoft 365 Dynamic User query to return all members of all lead groups.
+ * Currently used to setup the Exec member list.
+ * @param dynamoClient A DynamoDB client.
+ * @param includeGroupIds Used to ensure that a specific group ID is included (Scan could be eventually consistent.)
+ */
+export async function getLeadsM365DynamicQuery({
+  dynamoClient,
+  includeGroupIds,
+}: {
+  dynamoClient: DynamoDBClient;
+  includeGroupIds?: string[];
+}): Promise<string | null> {
+  const command = new ScanCommand({
+    TableName: genericConfig.SigInfoTableName,
+    IndexName: "LeadsGroupIdIndex",
+  });
+  const results = await dynamoClient.send(command);
+  if (!results || !results.Items || results.Items.length === 0) {
+    return null;
+  }
+  const entries = results.Items.map((x) => unmarshall(x)) as {
+    primaryKey: string;
+    leadsEntraGroupId: string;
+  }[];
+  const groupIds = entries
+    .filter((x) => x.primaryKey.startsWith("DEFINE#"))
+    .map((x) => x.leadsEntraGroupId);
+
+  if (groupIds.length === 0) {
+    return null;
+  }
+
+  const formattedGroupIds = [
+    ...new Set([...(includeGroupIds || []), ...groupIds]),
+  ]
+    .map((id) => `'${id}'`)
+    .join(", ");
+  return `user.memberOf -any (group.objectId -in [${formattedGroupIds}])`;
+}

src/api/routes/iam.ts

@@ -663,11 +663,12 @@ No action is required from you at this time.
         secretName: genericConfig.EntraSecretName,
         logger: request.log,
       });
-      // get groups, but don't show protected groups as manageable
+      // get groups, but don't show protected groups and app managed groups manageable
       const freshData = (
         await getServicePrincipalOwnedGroups(
           entraIdToken,
           fastify.environmentConfig.EntraServicePrincipalId,
+          false,
         )
       ).filter(
         (x) =>

src/api/routes/organizations.ts

@@ -1,5 +1,9 @@
 import { FastifyPluginAsync } from "fastify";
-import { AllOrganizationList } from "@acm-uiuc/js-shared";
+import {
+  ACMOrganization,
+  AllOrganizationList,
+  OrganizationShortIdentifierMapping,
+} from "@acm-uiuc/js-shared";
 import rateLimiter from "api/plugins/rateLimiter.js";
 import { withRoles, withTags } from "api/components/index.js";
 import { z } from "zod/v4";
@@ -19,6 +23,7 @@ import {
 } from "common/errors/index.js";
 import {
   addLead,
+  getLeadsM365DynamicQuery,
   getOrgInfo,
   removeLead,
   SQSMessage,
@@ -41,7 +46,11 @@ import { buildAuditLogTransactPut } from "api/functions/auditLog.js";
 import { Modules } from "common/modules.js";
 import { authorizeByOrgRoleOrSchema } from "api/functions/authorization.js";
 import { checkPaidMembership } from "api/functions/membership.js";
-import { createM365Group, getEntraIdToken } from "api/functions/entraId.js";
+import {
+  createM365Group,
+  getEntraIdToken,
+  setGroupMembershipRule,
+} from "api/functions/entraId.js";
 import { SecretsManagerClient } from "@aws-sdk/client-secrets-manager";
 import { getRoleCredentials } from "api/functions/sts.js";
 import { SQSClient } from "@aws-sdk/client-sqs";
@@ -402,14 +411,15 @@ const organizationsPlugin: FastifyPluginAsync = async (fastify, _options) => {
       });
 
       // Create Entra group if it doesn't exist and we're adding leads
-      if (!entraGroupId && add.length > 0) {
+      const shouldCreateNewEntraGroup = !entraGroupId && add.length > 0;
+      if (shouldCreateNewEntraGroup) {
         request.log.info(
           `No Entra group exists for ${request.params.orgId}. Creating new group...`,
         );
 
         try {
-          const displayName = `${request.params.orgId} Admin List`;
-          const mailNickname = `${request.params.orgId.toLowerCase()}-adm`;
+          const displayName = `${request.params.orgId} Admin`;
+          const mailNickname = `${OrganizationShortIdentifierMapping[request.params.orgId as keyof typeof OrganizationShortIdentifierMapping]}-adm`;
           const memberUpns = add.map((u) =>
             u.username.replace("@illinois.edu", "@acm.illinois.edu"),
           );
@@ -471,6 +481,20 @@ const organizationsPlugin: FastifyPluginAsync = async (fastify, _options) => {
             message: "Failed to create Entra group for organization leads.",
           });
         }
+        // get the new dynamic membership query
+        const newQuery = await getLeadsM365DynamicQuery({
+          dynamoClient: fastify.dynamoClient,
+          includeGroupIds: [entraGroupId],
+        });
+        if (newQuery) {
+          const groupToUpdate =
+            fastify.runEnvironment === "prod"
+              ? execCouncilGroupId
+              : execCouncilTestingGroupId;
+          request.log.info("Changing Exec group membership dynamic query...");
+          await setGroupMembershipRule(entraIdToken, groupToUpdate, newQuery);
+          request.log.info("Changed Exec group membership dynamic query!");
+        }
       }
 
       const commonArgs = {

src/ui/config.ts

@@ -1,10 +1,3 @@
-import {
-  commChairsGroupId,
-  commChairsTestingGroupId,
-  execCouncilGroupId,
-  execCouncilTestingGroupId,
-} from "@common/config";
-
 export const runEnvironments = ["dev", "prod", "local-dev"] as const;
 // local dev should be used when you want to test against a local instance of the API
 

terraform/modules/dynamo/main.tf

@@ -318,6 +318,10 @@ resource "aws_dynamodb_table" "sig_info" {
     name = "entryId"
     type = "S"
   }
+  attribute {
+    name = "leadsEntraGroupId"
+    type = "S"
+  }
   attribute {
     name = "username"
     type = "S"
@@ -328,4 +332,10 @@ resource "aws_dynamodb_table" "sig_info" {
     range_key       = "primaryKey"
     projection_type = "KEYS_ONLY"
   }
+  global_secondary_index {
+    name            = "LeadsGroupIdIndex"
+    hash_key        = "leadsEntraGroupId"
+    range_key       = "primaryKey"
+    projection_type = "KEYS_ONLY"
+  }
 }

yarn.lock

@@ -2,10 +2,10 @@
 # yarn lockfile v1
 
 
-"@acm-uiuc/js-shared@^2.3.0":
-  version "2.3.0"
-  resolved "https://registry.yarnpkg.com/@acm-uiuc/js-shared/-/js-shared-2.3.0.tgz#5cc865e60218749ec71afaa220647e2bf6869dc0"
-  integrity sha512-9t3033IegfdPo2DmQfMQT0nk2GfwJfFdUA8U/uS3+uy9q1tvTF2OcVjaUJt97ZjJYMV/6Iic2qP5Rcs40o18Uw==
+"@acm-uiuc/js-shared@^2.4.0":
+  version "2.4.0"
+  resolved "https://registry.yarnpkg.com/@acm-uiuc/js-shared/-/js-shared-2.4.0.tgz#c8a28c8189c7a3847d8a06cb918b9f4ce256f8de"
+  integrity sha512-hAjns2jT0MXUdtYuxVEn3ob/sTPnCsOeBeJXt+PgRQqhg+Cu09E82Y/68FNbTPlKi/YSzhQEToDXRuQtGM+VRA==
 
 "@adobe/css-tools@^4.4.0":
   version "4.4.3"