25249 - Add/remove Contact Centre Staff and Maximus Staff (#3276)

Author: rodrigo-barraza

auth-api/migrations/versions/2025_03_03_61eb9f696d5e_rename_contact_center_staff_to_cc_staff_.py

@@ -0,0 +1,32 @@
+"""Rename CONTACT_CENTER_STAFF to CC_STAFF in org_types
+
+Revision ID: 61eb9f696d5e
+Revises: 7f48833011c3
+Create Date: 2025-03-03 11:28:30.538876
+
+"""
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = '61eb9f696d5e'
+down_revision = '7f48833011c3'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    op.execute("""
+        UPDATE org_types
+        SET code = 'CC_STAFF'
+        WHERE code = 'CONTACT_CENTRE_STAFF';
+    """)
+
+
+def downgrade():
+    op.execute("""
+        UPDATE org_types
+        SET code = 'CONTACT_CENTRE_STAFF'
+        WHERE code = 'CC_STAFF';
+    """)

auth-api/src/auth_api/exceptions/errors.py

@@ -65,6 +65,10 @@ class Error(Enum):
     DELETE_FAILED_INACTIVE_USER = "User is already inactive", HTTPStatus.BAD_REQUEST
     CHANGE_ROLE_FAILED_ONLY_OWNER = "User is only Account Administrator in org", HTTPStatus.BAD_REQUEST
     OWNER_CANNOT_BE_REMOVED = "Account Administrator cannot be removed by anyone", HTTPStatus.BAD_REQUEST
+    MAX_NUMBER_OF_STAFF_ORGS_LIMIT = (
+        "Maximum number of staff organizations reached for this user",
+        HTTPStatus.BAD_REQUEST,
+    )
     MAX_NUMBER_OF_ORGS_LIMIT = "Maximum number of organisations reached", HTTPStatus.BAD_REQUEST
     ALREADY_CLAIMED_PASSCODE = "Passcode you entered has already been claimed", HTTPStatus.NOT_ACCEPTABLE
     ORG_CANNOT_BE_DISSOLVED = "Organization cannot be dissolved", HTTPStatus.NOT_ACCEPTABLE

auth-api/src/auth_api/models/membership.py

@@ -174,6 +174,18 @@ def find_memberships_by_user_ids(cls, user_id: int) -> List[Membership]:
 
         return records
 
+    @classmethod
+    def find_memberships_by_user_id_and_status(cls, user_id: int, status: str) -> List[Membership]:
+        """Get the memberships for the specified user ids."""
+        records = (
+            cls.query.filter(cls.user_id == int(user_id or -1))
+            .filter(cls.status == status)
+            .order_by(desc(Membership.created))
+            .all()
+        )
+
+        return records
+
     @classmethod
     def find_membership_by_user_and_org_all_status(cls, user_id: int, org_id: int) -> Membership:
         """Get the membership for the specified user and org with all membership statuses."""

auth-api/src/auth_api/models/org.py

@@ -124,6 +124,11 @@ def find_by_org_id(cls, org_id: int):
         """Find an Org instance that matches the provided id."""
         return cls.query.filter_by(id=int(org_id or -1)).first()
 
+    @classmethod
+    def find_by_org_ids_and_org_types(cls, org_ids: List[int], org_types: List[str]):
+        """Find all Org instances that match the provided ids and org types."""
+        return cls.query.filter(Org.id.in_(org_ids), Org.type_code.in_(org_types)).all()
+
     @classmethod
     def find_by_bcol_id(cls, bcol_account_id):
         """Find an Org instance that matches the provided id and not in INACTIVE status."""

auth-api/src/auth_api/services/keycloak.py

@@ -353,7 +353,7 @@ def remove_user_from_group(user_id: str, group_name: str):
         # Get the '$group_name' group
         group_id = KeycloakService._get_group_id(admin_token, group_name)
 
-        # Add user to the keycloak group '$group_name'
+        # Remove user from keycloak group '$group_name'
         headers = {"Content-Type": ContentType.JSON.value, "Authorization": f"Bearer {admin_token}"}
         remove_group_url = f"{base_url}/auth/admin/realms/{realm}/users/{user_id}/groups/{group_id}"
         response = requests.delete(remove_group_url, headers=headers, timeout=timeout)

auth-api/src/auth_api/services/membership.py

@@ -32,8 +32,9 @@
 from auth_api.models import Org as OrgModel
 from auth_api.models.dataclass import Activity
 from auth_api.schemas import MembershipSchema
-from auth_api.utils.enums import ActivityAction, LoginSource, NotificationType, Status
-from auth_api.utils.roles import ADMIN, ALL_ALLOWED_ROLES, COORDINATOR, STAFF
+from auth_api.utils.constants import GROUP_CONTACT_CENTRE_STAFF, GROUP_MAXIMUS_STAFF
+from auth_api.utils.enums import ActivityAction, LoginSource, NotificationType, OrgType, Status
+from auth_api.utils.roles import ADMIN, ALL_ALLOWED_ROLES, COORDINATOR, STAFF, USER
 from auth_api.utils.user_context import UserContext, user_context
 
 from ..utils.account_mailer import publish_to_mailer
@@ -47,6 +48,11 @@
 CONFIG = get_named_config()
 logger = StructuredLogging.get_logger()
 
+org_type_to_group_mapping = {
+    OrgType.MAXIMUS_STAFF.value: GROUP_MAXIMUS_STAFF,
+    OrgType.CONTACT_CENTRE_STAFF.value: GROUP_CONTACT_CENTRE_STAFF,
+}
+
 
 class Membership:  # pylint: disable=too-many-instance-attributes,too-few-public-methods
     """Manages all aspects of the Membership Entity.
@@ -214,6 +220,10 @@ def update_membership(self, updated_fields, **kwargs):
         logger.debug("<update_membership")
         user_from_context: UserContext = kwargs["user_context"]
         check_auth(org_id=self._model.org_id, one_of_roles=(COORDINATOR, ADMIN, STAFF))
+        updated_membership_status = updated_fields.get("membership_status")
+
+        # When adding to organization, check if user is already in an ACTIVE STAFF org, if so raise exception
+        Membership._check_if_add_user_has_active_staff_org(updated_membership_status, self._model.user.id)
 
         # bceid Members cant be ADMIN's.Unless they have an affidavit approved.
         # TODO when multiple teams for bceid are present , do if the user has affidavit present check
@@ -225,8 +235,8 @@ def update_membership(self, updated_fields, **kwargs):
         if self._model.membership_type.code == COORDINATOR and updated_fields.get("membership_type", None) == ADMIN:
             check_auth(org_id=self._model.org_id, one_of_roles=(ADMIN, STAFF))
 
-        updated_membership_status = updated_fields.get("membership_status")
         admin_getting_removed: bool = False
+
         # Admin can be removed by other admin or staff. #4909
         if (
             updated_membership_status
@@ -317,14 +327,41 @@ def _add_or_remove_group(model: MembershipModel):
         """Add or remove the user from/to account holders / product keycloak group."""
         if model.membership_status.id == Status.ACTIVE.value:
             KeycloakService.join_account_holders_group(model.user.keycloak_guid)
-        elif (
-            model.membership_status.id == Status.INACTIVE.value
-            and len(MembershipModel.find_orgs_for_user(model.user.id)) == 0
-        ):
+        elif model.membership_status.id == Status.INACTIVE.value:
             # Check if the user has any other active org membership, if none remove from the group
-            KeycloakService.remove_from_account_holders_group(model.user.keycloak_guid)
+            if len(MembershipModel.find_orgs_for_user(model.user.id)) == 0:
+                KeycloakService.remove_from_account_holders_group(model.user.keycloak_guid)
+
+        # Add or Remove from STAFF group in keycloak
+        Membership._add_or_remove_group_for_staff(model)
         ProductService.update_users_products_keycloak_groups([model.user.id])
 
+    @staticmethod
+    def _add_or_remove_group_for_staff(model: MembershipModel):
+        mapping_group = org_type_to_group_mapping.get(model.org.type_code)
+        if not mapping_group:
+            return
+
+        user_groups = KeycloakService.get_user_groups(model.user.keycloak_guid)
+        is_in_group = any(group["name"] == mapping_group for group in user_groups)
+
+        if model.membership_status.id == Status.ACTIVE.value and not is_in_group:
+            KeycloakService.add_user_to_group(model.user.keycloak_guid, mapping_group)
+        elif model.membership_status.id == Status.INACTIVE.value and is_in_group:
+            KeycloakService.remove_user_from_group(model.user.keycloak_guid, mapping_group)
+
+    @staticmethod
+    def _check_if_add_user_has_active_staff_org(updated_membership_status, user_id):
+        """Check if user is already associated with an active STAFF org."""
+        staff_org_types = list(org_type_to_group_mapping.keys())
+        memberships = MembershipModel.find_memberships_by_user_id_and_status(user_id, Status.ACTIVE.value)
+        staff_orgs = OrgModel.find_by_org_ids_and_org_types(
+            org_ids=[membership.org_id for membership in memberships], org_types=staff_org_types
+        )
+
+        if updated_membership_status and updated_membership_status.id == Status.ACTIVE.value and len(staff_orgs) > 0:
+            raise BusinessException(Error.MAX_NUMBER_OF_STAFF_ORGS_LIMIT, None)
+
     @staticmethod
     def get_membership_for_org_and_user(org_id, user_id):
         """Get the membership for the given org and user id."""

auth-api/src/auth_api/utils/constants.py

@@ -20,6 +20,8 @@
 GROUP_GOV_ACCOUNT_USERS = "gov_account_users"
 GROUP_API_GW_USERS = "api_gateway_users"
 GROUP_API_GW_SANDBOX_USERS = "api_gateway_sandbox_users"
+GROUP_MAXIMUS_STAFF = "maximus_staff"
+GROUP_CONTACT_CENTRE_STAFF = "contact_centre_staff"
 
 # Affidavit folder
 AFFIDAVIT_FOLDER_NAME = "Affidavits"

auth-api/src/auth_api/utils/enums.py

@@ -103,7 +103,7 @@ class OrgType(Enum):
     STAFF = "STAFF"
     SBC_STAFF = "SBC_STAFF"
     MAXIMUS_STAFF = "MAXIMUS_STAFF"
-    CONTACT_CENTRE_STAFF = "CONTACT_CENTRE_STAFF"
+    CONTACT_CENTRE_STAFF = "CC_STAFF"
 
 
 class DocumentType(Enum):

auth-web/package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "auth-web",
-  "version": "2.8.15",
+  "version": "2.8.16",
   "appName": "Auth Web",
   "sbcName": "SBC Common Components",
   "private": true,