[NOBUG] fix user group on update user (#686)

Author: tolkamps1

compliance-api/src/compliance_api/services/authorize_service/auth_service.py

@@ -91,6 +91,12 @@ def update_user_group(auth_user_guid: str, payload: dict):
                 f"Update group in the auth server failed for user : {auth_user_guid}"
             )
 
+        # Invalidate auth caches for this specific user
+        AuthService._invalidate_auth_user_cache(auth_user_guid)
+
+        # Invalidate the "all users by app" cache since this user's groups changed
+        AuthService._invalidate_auth_users_by_app_cache()
+
         # Invalidate ALL staff caches since permissions changed
         CachedStaffUserService.invalidate_staff_cache(auth_user_guid)
 
@@ -110,11 +116,51 @@ def delete_user_group(auth_user_guid: str, group: str, del_sub_group_mappings=Tr
         if delete_response.status_code != 204:
             raise BusinessError("Delete group mapping failed")
 
+        # Invalidate auth caches for this specific user
+        AuthService._invalidate_auth_user_cache(auth_user_guid)
+
+        # Invalidate the "all users by app" cache since this user's groups changed
+        AuthService._invalidate_auth_users_by_app_cache()
+
         # Invalidate ALL staff caches since permissions changed
         CachedStaffUserService.invalidate_staff_cache(auth_user_guid)
 
         return delete_response
 
+    @staticmethod
+    def _invalidate_auth_user_cache(auth_user_guid: str):
+        """
+        Invalidate the individual auth user cache.
+
+        Since cache keys include token hashes, we can't delete all variations.
+        Instead, we use a pattern-based approach or accept that cache will expire naturally.
+        """
+        from compliance_api.services.cached_staff_user import CachedStaffUserService
+
+        # Get current token hash
+        token_hash = CachedStaffUserService._get_token_hash()
+        cache_key = f"auth_user:{auth_user_guid}:{token_hash}"
+
+        cache.delete(cache_key)
+        current_app.logger.info(f"Invalidated auth user cache for {auth_user_guid}")
+
+    @staticmethod
+    def _invalidate_auth_users_by_app_cache():
+        """
+        Invalidate the "all users by app" cache.
+
+        Since cache keys include token hashes, we can't delete all variations.
+        Instead, we delete for the current token.
+        """
+        from compliance_api.services.cached_staff_user import CachedStaffUserService
+
+        # Get current token hash
+        token_hash = CachedStaffUserService._get_token_hash()
+        cache_key = f"auth_users_app:{AUTH_APP}:{token_hash}"
+
+        cache.delete(cache_key)
+        current_app.logger.info("Invalidated auth users by app cache")
+
 
 def _request_auth_service(
     relative_url, http_method: HttpMethod = HttpMethod.GET, data=None

compliance-api/src/compliance_api/services/cached_staff_user.py

@@ -16,6 +16,7 @@ class CachedStaffUserService:
     STAFF_CACHE_KEY_PREFIX = "staff_user:"
     ALL_STAFF_CACHE_KEY = "all_staff_users"
     ALL_STAFF_WITH_AUTH_PREFIX = "all_staff_with_auth:"
+    CACHE_VERSION_KEY = "all_staff_with_auth_version"
 
     @classmethod
     def exists_staff_by_auth_guid(cls, auth_guid: str) -> bool:
@@ -62,13 +63,13 @@ def get_all_staff_users_with_auth():
         # pylint: disable=import-outside-toplevel
         from compliance_api.services.staff_user import _set_permission_level_in_compliance_user_obj
 
-        # Create cache key that includes token hash for security
-        token_hash = CachedStaffUserService._get_token_hash()
-
-        version = cache.get("all_staff_with_auth_version")
+        # Get current version
+        version = cache.get(CachedStaffUserService.CACHE_VERSION_KEY)
         if version is None:
             version = 0
 
+        # Create cache key that includes token hash AND version
+        token_hash = CachedStaffUserService._get_token_hash()
         cache_key = (
             f"{CachedStaffUserService.ALL_STAFF_WITH_AUTH_PREFIX}"
             f"{token_hash}:v{version}"
@@ -120,13 +121,22 @@ def invalidate_staff_cache(auth_guid: str = None):
 
     @staticmethod
     def _invalidate_all_staff_with_auth_cache():
+        """
+        Invalidate all staff+auth cache by bumping version number.
+
+        This invalidates cache for all tokens/users since the version
+        is part of every cache key.
+        """
         try:
-            current_version = cache.get("all_staff_with_auth_version")
+            current_version = cache.get(CachedStaffUserService.CACHE_VERSION_KEY)
             if current_version is None:
                 current_version = 0
 
-            cache.set("all_staff_with_auth_version", current_version + 1)
-            current_app.logger.info("Bumped staff+auth cache version")
+            new_version = current_version + 1
+            cache.set(CachedStaffUserService.CACHE_VERSION_KEY, new_version)
+            current_app.logger.info(
+                f"Bumped staff+auth cache version from {current_version} to {new_version}"
+            )
         except (AttributeError, RuntimeError) as e:
             current_app.logger.error(f"Error invalidating staff+auth cache: {e}")
 

compliance-api/src/compliance_api/services/staff_user.py

@@ -88,7 +88,7 @@ def create_user(user_data):
                 # Update user group in auth service
                 AuthService.update_user_group(
                     auth_user_guid,
-                    {"group": permission, "app_name": AUTH_APP}
+                    {"group_name": permission, "app_name": AUTH_APP}
                 )
             except (AttributeError, RuntimeError) as e:
                 # Log the error but don't fail the user creation
@@ -127,6 +127,19 @@ def update_user(user_id, user_data):
         updated_user = StaffUserModel.update_staff(user_id, user_data)
 
         if updated_user:
+            # Handle permission (group) assignment
+            permission = user_data.get("permission")
+            if permission:
+                auth_guid_to_update = new_auth_guid if new_auth_guid else existing_user.auth_user_guid
+                try:
+                    # Update user group
+                    AuthService.update_user_group(
+                        auth_guid_to_update,
+                        {"group_name": permission, "app_name": AUTH_APP}
+                    )
+                except (AttributeError, RuntimeError) as e:
+                    logging.error("Failed to update user group in auth service: %s", e)
+
             # Invalidate caches for both old and new auth_guid (if changed)
             CachedStaffUserService.invalidate_staff_cache(existing_user.auth_user_guid)