25704 - Add org types for readonly staff (#3270)

Author: Jxio

auth-api/migrations/versions/2025_02_19_7f48833011c3_add_org_types.py

@@ -0,0 +1,40 @@
+"""Add org types for read-only staff.
+
+Revision ID: 7f48833011c3
+Revises: 63cfd9b160d7
+Create Date: 2025-02-19 15:54:22.459049
+
+"""
+from alembic import op
+from sqlalchemy import Boolean, String
+from sqlalchemy.sql import column, table
+
+
+# revision identifiers, used by Alembic.
+revision = '7f48833011c3'
+down_revision = '63cfd9b160d7'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    op.alter_column('org_types', 'code', type_=String(30))
+
+    org_type_table = table('org_types',
+                        column('code', String),
+                        column('description', String),
+                        column('default', Boolean)
+                    )
+
+    op.bulk_insert(
+        org_type_table,
+        [
+            {'code': 'MAXIMUS_STAFF', 'description': 'Maximus Staff', 'default': False},
+            {'code': 'CONTACT_CENTRE_STAFF', 'description': 'Contact Centre Staff', 'default': False},
+        ]
+    )
+
+
+def downgrade():
+    op.execute('delete from org_types where code=\'MAXIMUS_STAFF\'')
+    op.execute('delete from org_types where code=\'CONTACT_CENTRE_STAFF\'')

auth-api/src/auth_api/exceptions/errors.py

@@ -25,6 +25,7 @@ class Error(Enum):
 
     INVALID_ORG = "The organization ID is in an incorrect format.", HTTPStatus.BAD_REQUEST
     INVALID_INPUT = "Invalid input, please check.", HTTPStatus.BAD_REQUEST
+    INSUFFICIENT_PERMISSION = "Insufficient permissions.", HTTPStatus.BAD_REQUEST
     DATA_NOT_FOUND = "No matching record found.", HTTPStatus.NOT_FOUND
     DATA_ALREADY_EXISTS = "The data you want to insert already exists.", HTTPStatus.BAD_REQUEST
     INVALID_USER_CREDENTIALS = "Invalid user credentials.", HTTPStatus.UNAUTHORIZED

auth-api/src/auth_api/models/org.py

@@ -30,7 +30,7 @@
 from auth_api.utils.enums import AccessType, InvitationStatus, InvitationType
 from auth_api.utils.enums import OrgStatus as OrgStatusEnum
 from auth_api.utils.enums import OrgType as OrgTypeEnum
-from auth_api.utils.roles import EXCLUDED_FIELDS, VALID_STATUSES
+from auth_api.utils.roles import EXCLUDED_FIELDS, INVALID_ORG_CREATE_TYPE_CODES, VALID_STATUSES
 
 from .base_model import BaseModel
 from .contact import Contact
@@ -348,8 +348,8 @@ def reset(self):
 def receive_before_insert(mapper, connection, target):  # pylint: disable=unused-argument; SQLAlchemy callback signature
     """Rejects invalid type_codes on insert."""
     org = target
-    if org.type_code in (OrgTypeEnum.SBC_STAFF.value, OrgTypeEnum.STAFF.value):
-        raise BusinessException(Error.INVALID_INPUT, None)
+    if org.type_code in INVALID_ORG_CREATE_TYPE_CODES:
+        raise BusinessException(Error.INSUFFICIENT_PERMISSION, None)
 
 
 @event.listens_for(Org, "before_update", raw=True)

auth-api/src/auth_api/utils/enums.py

@@ -97,10 +97,13 @@ class PaymentAccountStatus(Enum):
 class OrgType(Enum):
     """Org types."""
 
+    PUBLIC = "PUBLIC"
     PREMIUM = "PREMIUM"
     BASIC = "BASIC"
     STAFF = "STAFF"
     SBC_STAFF = "SBC_STAFF"
+    MAXIMUS_STAFF = "MAXIMUS_STAFF"
+    CONTACT_CENTRE_STAFF = "CONTACT_CENTRE_STAFF"
 
 
 class DocumentType(Enum):

auth-api/src/auth_api/utils/roles.py

@@ -70,6 +70,12 @@ class Role(Enum):
     ProductSubscriptionStatus.PENDING_STAFF_REVIEW.value,
     ProductSubscriptionStatus.REJECTED.value,
 )
+INVALID_ORG_CREATE_TYPE_CODES = (
+    OrgType.SBC_STAFF.value,
+    OrgType.STAFF.value,
+    OrgType.MAXIMUS_STAFF.value,
+    OrgType.CONTACT_CENTRE_STAFF.value,
+)
 
 CLIENT_ADMIN_ROLES = (COORDINATOR, ADMIN)
 CLIENT_AUTH_ROLES = (*CLIENT_ADMIN_ROLES, USER)

auth-api/tests/unit/models/test_org.py

@@ -16,11 +16,16 @@
 Test suite to ensure that the Org model routines are working as expected.
 """
 
+import pytest
+
+from auth_api.exceptions.errors import Error
+from auth_api.exceptions.exceptions import BusinessException
 from auth_api.models import Org as OrgModel
 from auth_api.models import OrgStatus as OrgStatusModel
 from auth_api.models import OrgType as OrgTypeModel
 from auth_api.models import PaymentType as PaymentTypeModel
 from auth_api.utils.enums import OrgStatus as OrgStatusEnum
+from auth_api.utils.enums import OrgType as OrgTypeEnum
 from tests.utilities.factory_utils import factory_user_model
 
 
@@ -187,3 +192,17 @@ def test_delete(session):  # pylint:disable=unused-argument
     org.delete()
     assert org
     assert org.status_code == OrgStatusEnum.INACTIVE.value
+
+
+def test_invalid_org_create_type_code(session):
+    """Test that creating an Org with an invalid type code is rejected."""
+    invalid_type_code = OrgTypeEnum.CONTACT_CENTRE_STAFF.value
+
+    org_info = {"name": "Invalid Org", "type_code": invalid_type_code}
+
+    with pytest.raises(BusinessException) as excinfo:
+        org = OrgModel.create_from_dict(org_info)
+        session.add(org)
+        session.commit()
+
+    assert excinfo.value.code == Error.INSUFFICIENT_PERMISSION.name

auth-api/tests/unit/services/test_org.py

@@ -826,7 +826,7 @@ def test_create_staff_org_failure(session, keycloak_mock, staff_org, monkeypatch
     patch_token_info({"sub": user.keycloak_guid, "idp_userid": user.idp_userid}, monkeypatch)
     with pytest.raises(BusinessException) as exception:
         OrgService.create_org(TestOrgInfo.staff_org, user.id)
-    assert exception.value.code == Error.INVALID_INPUT.name
+    assert exception.value.code == Error.INSUFFICIENT_PERMISSION.name
 
 
 @mock.patch("auth_api.services.affiliation_invitation.RestService.get_service_account_token", mock_token)