capralifecycle
diff --git a/‎README.md‎
Lines changed: 117 additions & 54 deletions b/‎README.md‎
Lines changed: 117 additions & 54 deletions
diff --git a/‎architecture.png‎
-45.3 KB b/‎architecture.png‎
-45.3 KB
@@ -1,38 +1,51 @@
-A generic service featuring RBAC (Role Based Access Control).
+# User Roles
 
-## Documentation
+The User Roles Service is a core data service responsible for storing user roles for RBAC (
+Role-Based Access Control), and integrating with AWS Cognito to provide a user administration API.
 
-<!-- Optional links to other pages -->
-More information is found here:
+* [Documentation](#documentation)
+* [Architecture](#architecture)
+* [Endpoints](#endpoints)
+  * [Roles API](#roles-api)
+  * [Administration API](#administration-api)
+* [Deploying User Roles service in your project](#deploying-user-roles-service-in-your-project)
+* [Running locally](#running-locally)
+* [Linting](#linting)
 
-<!-- Add links that suits your project. These are just exammples: -->
+## Documentation
 
-- [Main confluence page](https://liflig.atlassian.net/wiki/x/AQC3)
+- [Main confluence page](https://liflig.atlassian.net/wiki/x/AQC3) (Liflig-internal)
 
-# Example architecture
+## Architecture
 
-Can be used in conjunction with e.g. AWS Cognito and
-a [pretoken generation trigger lambda](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html)
-to add custom claims to an identity token.
+The User Roles service has 2 modules:
 
-_Note that this repo only contains the User Roles service_
-![img.png](architecture.png)
+- The `roles` module provides simple CRUD on user roles
+- The `administration` module integrates with Cognito (the identity provider service from AWS), to
+  allow clients to do CRUD on users and their associated roles
 
-# Endpoints
+When verifying a user's JWT, only the roles module is used. An important design principle here is
+that authentication should not be blocked when there are problems in the administration module.
+Therefore, the User Roles service has been designed to make the roles module independent from the
+administration module. For example, if the administration module is misconfigured, then the service
+will still start, and only the administration API will respond with 500 Internal Server Error.
 
-## CRUD endpoints
+![Architecture diagram](architecture.svg)
 
-| Endpoint                     |                 What                 |
-|------------------------------|:------------------------------------:|
-| PUT /userroles/{username}    | create or update user roles for user |
-| GET /userroles/{username}    |       get user roles for user        |
-| DELETE /userroles/{username} |                                      |
+## Endpoints
 
-**NB!** Currently no support for post, but can be implemented later.
+### Roles API
 
-## Data structure for PUT and GET
+| Endpoint                                              |              What               |
+|-------------------------------------------------------|:-------------------------------:|
+| GET /api/userroles/{username}                         |       Get roles for user        |
+| PUT /api/userroles/{username}                         | Create or update roles for user |
+| DELETE /api/userroles/{username}                      |      Delete roles for user      |
+| GET /api/userroles?roleName={roleName}&orgId={orgId2} |      List/query user roles      |
 
-```
+#### Data structure of user role
+
+```json
 {
   "username": "user123",
   "roles": [
@@ -50,7 +63,7 @@ _Note that this repo only contains the User Roles service_
       "applicationName": "application2",
       "orgId": "orgId3",
       "roleName": "orgMember",
-      "roleValue": "{"boards": [1,2,3]}"
+      "roleValue": "<value>"
     },
     {
       "roleName": "admin"
@@ -59,45 +72,95 @@ _Note that this repo only contains the User Roles service_
 }
 ```
 
-## Query endpoints
-
-| Endpoint                                          |                      What                      |
-|---------------------------------------------------|:----------------------------------------------:|
-| GET /userroles                                    |                 List all users                 |
-| GET /userroles?orgId={orgId1}                     | List users with access to a given organization |
-| GET /userroles?roleName=admin                     |          List users with a given role          |
-| GET /userroles?roleName={roleName}&orgId={orgId2} |          List users with a given role          |
-
-## Running locally
-
-1. Start the database
-
-   ```bash
-   docker-compose up -d
-   ```
+### Administration API
 
-1. Build and run the application
+When referring to “our identity provider” below, we mean AWS Cognito. But User Roles may be expanded
+in the future to support other identity providers.
 
-   All of these will skip tests to be quick.
+The user administration API does not take responsibility for verifying that a requesting user is
+authorized to assign the given roles. That is the responsibility of the BFF (Backend-For-Frontend)
+service in your project. This is because the User Roles service does not know the content or
+hierarchy of roles in your project, so only a project-specific service has the knowledge to perform
+authorization.
 
-1. Option 1: In IDE
+| Endpoint                                                                                                                                                                                                                                                                        | What                                                                                                                                                                                                                                                                                                       | Cognito API used                                                                                                                            |
+|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------|
+| GET /api/administration/users/{username}                                                                                                                                                                                                                                        | Get user data from our identity provider along with their roles                                                                                                                                                                                                                                            | [AdminGetUser](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminGetUser.html)                           |
+| POST /api/administration/users                                                                                                                                                                                                                                                  | Register user in our identity provider, along with roles                                                                                                                                                                                                                                                   | [AdminCreateUser](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminCreateUser.html)                     |
+| PUT /api/administration/users                                                                                                                                                                                                                                                   | Update existing user in our identity provider, along with their roles                                                                                                                                                                                                                                      | [AdminUpdateUserAttributes](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html) |
+| DELETE /api/administration/users/{username}                                                                                                                                                                                                                                     | Delete user in our identity provider, along with their roles                                                                                                                                                                                                                                               | [AdminDeleteUser](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminDeleteUser.html)                     |
+| POST /api/administration/users/{username}/reset-password                                                                                                                                                                                                                        | Reset a user's password                                                                                                                                                                                                                                                                                    | [AdminResetUserPassword](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminResetUserPassword.html)       |
+| GET /api/administration/users<br/>?limit={page size}<br/>&cursor={nextCursor from previous response}<br/>&searchString={searchString}<br/>&searchField={USERNAME \| EMAIL \| etc.}<br/>&orgId={role orgId}<br/>&applicationName={role applicationName}<br/>&roleName={roleName} | List/query users from our identity provider, along with their roles.<br/><br/>Uses cursor-based pagination: The response body includes a `nextCursor` field, which can be passed in the `cursor` query parameter to get the next page. When `nextCursor` is `null`, then there are no more users to fetch. | [ListUsers](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListUsers.html)                                 |             
 
-   Run the `Main` file.
+#### Data structure of user data with roles
 
-1. Option 2: Via Maven
-
-   ```bash
-   ./build-and-run.sh
-   ```
+```json
+{
+  "username": "test.testesen",
+  "userId": "4b670e7f-0ae9-4ce8-9a8b-b27d00d2f31d",
+  "email": {
+    "value": "test@example.org",
+    "verified": true
+  },
+  "phoneNumber": {
+    "value": "12345678",
+    "verified": false
+  },
+  "userStatus": "CONFIRMED",
+  "enabled": true,
+  "createdAt": "2025-12-04T07:25:11Z",
+  "attributes": {
+    // Attributes are arbitrary key-value data submitted by your BFF.
+    // Cognito supports certain standard attributes, such as "name".
+    "name": "Test Testesen"
+  },
+  "roles": [
+    {
+      "applicationName": "test-application",
+      "orgId": "liflig",
+      "roleName": "admin",
+      "roleValue": null
+    }
+  ]
+}
+```
 
-1. Option 3: Package and run with the actual Docker image
+## Deploying User Roles service in your project
+
+- Set up a Cognito user pool
+- Deploy User Roles service, using Docker image published on GitHub, along with a Postgres database
+- For the user administration module to be enabled, the service needs the following:
+  - Config parameter `aws.cognito.userPoolId`
+  - These permissions:
+    - `cognito-idp:AdminGetUser`
+    - `cognito-idp:AdminCreateUser`
+    - `cognito-idp:AdminUpdateUserAttributes`
+    - `cognito-idp:AdminDeleteUser`
+    - `cognito-idp:AdminResetUserPassword`
+    - `cognito-idp:ListUsers`
+- Implement a "pre-token generation lambda" that fetches roles from User Roles to populate Cognito
+  JWTs
+- Implement JWT verification and role parsing for authentication and authorization in your APIs
+- For the user administration module:
+  - Implement an API client in your BFF that calls the administration API of the User Roles service
+    - Your BFF should verify that the requesting user has permission to update roles. This is where
+      you enforce your project’s hierarchy of roles (i.e., which roles are allowed to change other
+      roles)
+  - Implement UI for user management
+
+For example implementations of the points above, see the
+[Liflig-internal Confluence page](https://liflig.atlassian.net/wiki/spaces/CALS/pages/16164029/User+Roles+Service#Deploying-User-Roles-service-in-your-project).
 
-   ```bash
-   # See the script for details.
-   ./build-and-run-docker.sh
-   ```
+## Running locally
 
-1. Access the service at http://localhost:8080/health
+<!-- @formatter:off -->
+1. Start the database: `docker-compose up -d`
+2. Build and run the application
+   - Option 1: Run the `Main.kt` file from your IDE
+   - Option 2: Via Maven, `./build-and-run.sh`
+   - Option 3: Package and run with the actual Docker image, `./build-and-run-docker.sh`
+3. Access the service at http://localhost:8080/health
+<!-- @formatter:on -->
 
 ## Linting