Merge pull request #298 from kbss-cvut/impersonate-role

Impersonate role

Author: palagdan

deploy/internal-auth/db-server/import/record-manager-app/role-groups.trig

@@ -10,6 +10,7 @@
 @prefix ufo: <http://onto.fel.cvut.cz/ontologies/ufo/> .
 
 <http://onto.fel.cvut.cz/ontologies/record-manager/role-groups> {
+
     rm:admin-role-group rdf:type owl:NamedIndividual, rm:role-group;
         rm:has-role rm:read-all-records-role,
                     rm:write-all-records-role,
@@ -29,8 +30,25 @@
                     rm:read-all-organizations-role,
                     rm:write-all-organizations-role,
                     rm:read-action-history-role,
-                    rm:read-statistics-role;
+                    rm:read-statistics-role,
+                    rm:impersonate-role;
         rdfs:label "admin-role-group"@en .
+              
+    rm:data-collection-coordinator-impersonate-role-group rdf:type owl:NamedIndividual, rm:role-group;
+        rm:has-role rm:read-all-users-role,
+                     rm:write-all-users-role,
+                     rm:read-organization-users-role,
+                     rm:write-organization-users-role,
+                     rm:read-organization-role,
+                     rm:write-organization-role,
+                     rm:read-all-organizations-role,
+                     rm:write-all-organizations-role,
+                     rm:read-organization-records-role,
+                     rm:write-organization-records-role,
+                     rm:comment-record-questions-role,
+                     rm:complete-records-role,
+                     rm:impersonate-role;
+         rdfs:label "data-collection-coordinator-impersonate-role-group"@en .
 
     rm:data-collection-coordinator-role-group rdf:type owl:NamedIndividual, rm:role-group;
         rm:has-role rm:read-all-users-role,
@@ -45,9 +63,19 @@
                     rm:write-organization-records-role,
                     rm:comment-record-questions-role,
                     rm:complete-records-role;
-
         rdfs:label "data-collection-coordinator-role-group"@en .
 
+    rm:organization-manager-impersonate-role-group rdf:type owl:NamedIndividual, rm:role-group;
+        rm:has-role rm:read-organization-role,
+                    rm:write-organization-role,
+                    rm:read-organization-users-role,
+                    rm:write-organization-users-role,
+                    rm:read-organization-records-role,
+                    rm:write-organization-records-role,
+                    rm:comment-record-questions-role,
+                    rm:impersonate-role;
+        rdfs:label "organization-manager-impersonate-role-group"@en .
+
     rm:organization-manager-role-group rdf:type owl:NamedIndividual, rm:role-group;
         rm:has-role rm:read-organization-role,
                     rm:write-organization-role,
@@ -58,12 +86,25 @@
                     rm:comment-record-questions-role;
         rdfs:label "organization-manager-role-group"@en .
 
+    rm:entry-clerk-impersonate-role-group rdf:type owl:NamedIndividual, rm:role-group;
+            rm:has-role rm:read-organization-role,
+                        rm:read-organization-records-role,
+                        rm:comment-record-questions-role,
+                        rm:impersonate-role;
+            rdfs:label "entry-clerk-impersonate-role-group"@en .
+
     rm:entry-clerk-role-group rdf:type owl:NamedIndividual, rm:role-group;
             rm:has-role rm:read-organization-role,
                         rm:read-organization-records-role,
                         rm:comment-record-questions-role;
             rdfs:label "entry-clerk-role-group"@en .
 
+    rm:reviewer-impersonate-role-group rdf:type owl:NamedIndividual, rm:role-group;
+            rm:has-role rm:complete-records-role,
+                        rm:comment-record-questions-role,
+                        rm:impersonate-role;
+            rdfs:label "reviewer-role-group"@en .
+
     rm:reviewer-role-group rdf:type owl:NamedIndividual, rm:role-group;
             rm:has-role rm:complete-records-role,
                         rm:comment-record-questions-role;

deploy/keycloak-auth/keycloak-config/roles.tf

@@ -61,11 +61,30 @@ EOT
   }
 }
 
-
 resource "keycloak_role" "realm_roles" {
   for_each  = var.roles
 
   realm_id    = var.kc_realm
   name        = each.key
   description = length(each.value) > 0 ? each.value : null
-}
+}
+
+# --- Impersonation role composite ---
+data "keycloak_openid_client" "realm_management" {
+  realm_id = var.kc_realm
+  client_id = "realm-management"
+}
+
+data "keycloak_role" "realm_management_impersonation" {
+  realm_id  = var.kc_realm
+  client_id = data.keycloak_openid_client.realm_management.id
+  name      = "impersonation"
+}
+
+resource "keycloak_role" "impersonate_role_composite" {
+  realm_id = var.kc_realm
+  name     = "impersonate-role"
+  composite_roles = [
+    data.keycloak_role.realm_management_impersonation.id
+  ]
+}

src/components/user/User.jsx

@@ -13,7 +13,7 @@ import { FaRandom } from "react-icons/fa";
 import { isUsingOidcAuth } from "../../utils/OidcUtils";
 import IfInternalAuth from "../misc/oidc/IfInternalAuth.jsx";
 import RoleBadges from "../RoleBadges.jsx";
-import { canWriteUserInfo, getRoles, hasSupersetOfPrivileges, hasRole } from "../../utils/RoleUtils.js";
+import { canWriteUserInfo, getRoles, hasSupersetOfPrivileges, hasRole, canImpersonate } from "../../utils/RoleUtils.js";
 import RoleGroupsSelector from "../RoleGroupsSelector.jsx";
 import InstitutionSelector from "../institution/InstitutionSelector.jsx";
 
@@ -160,7 +160,7 @@ class User extends React.Component {
   _impersonateButton() {
     const { user, currentUser, handlers, impersonation } = this.props;
 
-    if (!user.isNew && hasSupersetOfPrivileges(currentUser, user) && currentUser.username !== user.username) {
+    if (!user.isNew && canImpersonate(currentUser, user)) {
       return (
         <Button
           style={{ margin: "0 0.3em 0 0" }}

src/constants/DefaultConstants.js

@@ -113,6 +113,9 @@ export const ROLE = {
   COMMENT_RECORD_QUESTIONS: "commentRecordQuestions",
   READ_ACTION_HISTORY: "readActionHistory",
   READ_STATISTICS: "readStatistics",
+
+  // Impersonate
+  IMPERSONATE: "impersonate",
 };
 
 // Default number of table elements per page.

src/utils/RoleUtils.js

@@ -102,6 +102,14 @@ export function canSelectInstitution(currentUser, user) {
   );
 }
 
+export function canImpersonate(currentUser, user) {
+  return (
+    hasRole(currentUser, ROLE.IMPERSONATE) &&
+    hasSupersetOfPrivileges(currentUser, user) &&
+    currentUser.username !== user.username
+  );
+}
+
 export function canCreateInstitution(currentUser) {
   return hasRole(currentUser, ROLE.WRITE_ALL_ORGANIZATIONS);
 }

tests/__tests__/components/User.spec.jsx

@@ -4,7 +4,7 @@ import User from "../../../src/components/user/User";
 import { describe, expect, it, vi, beforeEach } from "vitest";
 import { getMessageByKey, renderWithIntl } from "../../utils/utils.jsx";
 import { isUsingOidcAuth } from "../../../src/utils/OidcUtils.js";
-import { canWriteUserInfo, hasSupersetOfPrivileges } from "../../../src/utils/RoleUtils.js";
+import { canImpersonate, canWriteUserInfo, hasSupersetOfPrivileges } from "../../../src/utils/RoleUtils.js";
 import UserValidator from "../../../src/validation/UserValidator.jsx";
 import { ACTION_STATUS } from "../../../src/constants/DefaultConstants.js";
 
@@ -43,6 +43,7 @@ vi.mock("../../../src/utils/RoleUtils", () => ({
   getRoles: vi.fn(),
   hasRole: vi.fn(),
   hasSupersetOfPrivileges: vi.fn(),
+  canImpersonate: vi.fn(),
 }));
 
 vi.mock("../../../src/components/Loader", () => ({
@@ -76,6 +77,7 @@ describe("User", function () {
     canWriteUserInfo.mockReturnValue(true);
     hasSupersetOfPrivileges.mockReturnValue(true);
     UserValidator.isValid.mockReturnValue(true);
+    canImpersonate.mockReturnValue(true);
   });
 
   it("should render loading state when user is not provided", () => {
@@ -149,13 +151,13 @@ describe("User", function () {
     expect(screen.getByText(getMessageByKey("save-and-send-email"))).toBeDisabled();
   });
 
-  it("renders impersonate button when currentUser has superset of roles of another user", () => {
+  it("renders impersonate button when currentUser has canImpersonate permission", () => {
     renderComponent();
     expect(screen.getByText(getMessageByKey("user.impersonate"))).toBeInTheDocument();
   });
 
-  it("does not render impersonate button when currentUser lacks superset of roles of another user", () => {
-    hasSupersetOfPrivileges.mockReturnValue(false);
+  it("does not render impersonate button when currentUser lacks canImpersonate permission", () => {
+    canImpersonate.mockReturnValue(false);
     renderComponent();
     expect(screen.queryByText(getMessageByKey("user.impersonate"))).not.toBeInTheDocument();
   });