Support group approvals

README.md

@@ -23,6 +23,7 @@ Hermes was created and is currently maintained by HashiCorp Labs, a small team i
 
 1. Enable the following APIs for [Google Workspace APIs](https://developers.google.com/workspace/guides/enable-apis)
 
+   - Admin SDK API
    - Google Docs API
    - Google Drive API
    - Gmail API

internal/api/v2/approvals.go

@@ -15,87 +15,104 @@ import (
 
 func ApprovalsHandler(srv server.Server) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		switch r.Method {
-		case "DELETE":
-			// Validate request.
-			docID, err := parseResourceIDFromURL(r.URL.Path, "approvals")
-			if err != nil {
-				srv.Logger.Error("error parsing document ID",
-					"error", err,
-					"method", r.Method,
-					"path", r.URL.Path,
-				)
-				http.Error(w, "Document ID not found", http.StatusNotFound)
-				return
-			}
+		// Validate request.
+		docID, err := parseResourceIDFromURL(r.URL.Path, "approvals")
+		if err != nil {
+			srv.Logger.Error("error parsing document ID",
+				"error", err,
+				"method", r.Method,
+				"path", r.URL.Path,
+			)
+			http.Error(w, "Document ID not found", http.StatusNotFound)
+			return
+		}
 
-			// Check if document is locked.
-			locked, err := hcd.IsLocked(docID, srv.DB, srv.GWService, srv.Logger)
-			if err != nil {
-				srv.Logger.Error("error checking document locked status",
-					"error", err,
-					"path", r.URL.Path,
-					"method", r.Method,
-					"doc_id", docID,
-				)
-				http.Error(w, "Error getting document status", http.StatusNotFound)
-				return
-			}
-			// Don't continue if document is locked.
-			if locked {
-				http.Error(w, "Document is locked", http.StatusLocked)
-				return
-			}
+		// Check if document is locked.
+		locked, err := hcd.IsLocked(docID, srv.DB, srv.GWService, srv.Logger)
+		if err != nil {
+			srv.Logger.Error("error checking document locked status",
+				"error", err,
+				"path", r.URL.Path,
+				"method", r.Method,
+				"doc_id", docID,
+			)
+			http.Error(w, "Error getting document status", http.StatusNotFound)
+			return
+		}
+		// Don't continue if document is locked.
+		if locked {
+			http.Error(w, "Document is locked", http.StatusLocked)
+			return
+		}
 
-			// Get document from database.
-			model := models.Document{
+		// Get document from database.
+		model := models.Document{
+			GoogleFileID: docID,
+		}
+		if err := model.Get(srv.DB); err != nil {
+			srv.Logger.Error("error getting document from database",
+				"error", err,
+				"path", r.URL.Path,
+				"method", r.Method,
+				"doc_id", docID,
+			)
+			http.Error(w, "Error accessing document",
+				http.StatusInternalServerError)
+			return
+		}
+
+		// Get reviews for the document.
+		var reviews models.DocumentReviews
+		if err := reviews.Find(srv.DB, models.DocumentReview{
+			Document: models.Document{
 				GoogleFileID: docID,
-			}
-			if err := model.Get(srv.DB); err != nil {
-				srv.Logger.Error("error getting document from database",
-					"error", err,
-					"path", r.URL.Path,
-					"method", r.Method,
-					"doc_id", docID,
-				)
-				http.Error(w, "Error accessing document",
-					http.StatusInternalServerError)
-				return
-			}
+			},
+		}); err != nil {
+			srv.Logger.Error("error getting reviews for document",
+				"error", err,
+				"method", r.Method,
+				"path", r.URL.Path,
+				"doc_id", docID,
+			)
+			return
+		}
 
-			// Get reviews for the document.
-			var reviews models.DocumentReviews
-			if err := reviews.Find(srv.DB, models.DocumentReview{
-				Document: models.Document{
-					GoogleFileID: docID,
-				},
-			}); err != nil {
-				srv.Logger.Error("error getting reviews for document",
-					"error", err,
-					"method", r.Method,
-					"path", r.URL.Path,
-					"doc_id", docID,
-				)
-				return
-			}
+		// Get group reviews for the document.
+		var groupReviews models.DocumentGroupReviews
+		if err := groupReviews.Find(srv.DB, models.DocumentGroupReview{
+			Document: models.Document{
+				GoogleFileID: docID,
+			},
+		}); err != nil {
+			srv.Logger.Error("error getting group reviews for document",
+				"error", err,
+				"method", r.Method,
+				"path", r.URL.Path,
+				"doc_id", docID,
+			)
+			return
+		}
 
-			// Convert database model to a document.
-			doc, err := document.NewFromDatabaseModel(
-				model, reviews)
-			if err != nil {
-				srv.Logger.Error("error converting database model to document type",
-					"error", err,
-					"method", r.Method,
-					"path", r.URL.Path,
-					"doc_id", docID,
-				)
-				http.Error(w, "Error accessing document",
-					http.StatusInternalServerError)
-				return
-			}
+		// Convert database model to a document.
+		doc, err := document.NewFromDatabaseModel(
+			model, reviews, groupReviews)
+		if err != nil {
+			srv.Logger.Error("error converting database model to document type",
+				"error", err,
+				"method", r.Method,
+				"path", r.URL.Path,
+				"doc_id", docID,
+			)
+			http.Error(w, "Error accessing document",
+				http.StatusInternalServerError)
+			return
+		}
+
+		userEmail := r.Context().Value("userEmail").(string)
 
+		switch r.Method {
+		case "DELETE":
 			// Authorize request.
-			userEmail := r.Context().Value("userEmail").(string)
 			if doc.Status != "In-Review" {
 				http.Error(w,
 					"Can only request changes of documents in the \"In-Review\" status",
@@ -311,74 +328,60 @@ func ApprovalsHandler(srv server.Server) http.Handler {
 				}
 			}()
 
-		case "POST":
-			// Validate request.
-			docID, err := parseResourceIDFromURL(r.URL.Path, "approvals")
-			if err != nil {
-				srv.Logger.Error("error parsing document ID from approvals path",
-					"error", err,
-					"method", r.Method,
-					"path", r.URL.Path,
-				)
-				http.Error(w, "Document ID not found", http.StatusNotFound)
+		case "OPTIONS":
+			// Document is not in review or approved status.
+			if doc.Status != "In-Review" && doc.Status != "Approved" {
+				w.Header().Set("Allowed", "")
 				return
 			}
 
-			// Check if document is locked.
-			locked, err := hcd.IsLocked(docID, srv.DB, srv.GWService, srv.Logger)
-			if err != nil {
-				srv.Logger.Error("error checking document locked status",
-					"error", err,
-					"path", r.URL.Path,
-					"method", r.Method,
-					"doc_id", docID,
-				)
-				http.Error(w, "Error getting document status", http.StatusNotFound)
-				return
-			}
-			// Don't continue if document is locked.
-			if locked {
-				http.Error(w, "Document is locked", http.StatusLocked)
+			// Document already approved by user.
+			if contains(doc.ApprovedBy, userEmail) {
+				w.Header().Set("Allowed", "")
 				return
 			}
 
-			// Get document from database.
-			model := models.Document{
-				GoogleFileID: docID,
-			}
-			if err := model.Get(srv.DB); err != nil {
-				srv.Logger.Error("error getting document from database",
+			// User is not an approver or in an approver group.
+			inApproverGroup, err := isUserInGroups(
+				userEmail, doc.ApproverGroups, srv.GWService)
+			if err != nil {
+				srv.Logger.Error("error calculating if user is in an approver group",
 					"error", err,
-					"path", r.URL.Path,
 					"method", r.Method,
+					"path", r.URL.Path,
 					"doc_id", docID,
 				)
 				http.Error(w, "Error accessing document",
 					http.StatusInternalServerError)
 				return
 			}
-
-			// Get reviews for the document.
-			var reviews models.DocumentReviews
-			if err := reviews.Find(srv.DB, models.DocumentReview{
-				Document: models.Document{
-					GoogleFileID: docID,
-				},
-			}); err != nil {
-				srv.Logger.Error("error getting reviews for document",
-					"error", err,
-					"method", r.Method,
-					"path", r.URL.Path,
-					"doc_id", docID,
-				)
+			if !contains(doc.Approvers, userEmail) && !inApproverGroup {
+				w.Header().Set("Allowed", "")
 				return
 			}
 
-			// Convert database model to a document.
-			doc, err := document.NewFromDatabaseModel(
-				model, reviews)
+			// User can approve.
+			w.Header().Set("Allowed", "POST")
+			return
+
+		case "POST":
+			// Authorize request.
+			if doc.Status != "In-Review" && doc.Status != "Approved" {
+				http.Error(w,
+					`Document status must be "In-Review" or "Approved" to approve`,
+					http.StatusBadRequest)
+				return
+			}
+			if contains(doc.ApprovedBy, userEmail) {
+				http.Error(w,
+					"Document already approved by user",
+					http.StatusBadRequest)
+				return
+			}
+			inApproverGroup, err := isUserInGroups(
+				userEmail, doc.ApproverGroups, srv.GWService)
 			if err != nil {
-				srv.Logger.Error("error converting database model to document type",
+				srv.Logger.Error("error calculating if user is in an approver group",
 					"error", err,
 					"method", r.Method,
 					"path", r.URL.Path,
@@ -388,27 +391,12 @@ func ApprovalsHandler(srv server.Server) http.Handler {
 					http.StatusInternalServerError)
 				return
 			}
-
-			// Authorize request.
-			userEmail := r.Context().Value("userEmail").(string)
-			if doc.Status != "In-Review" && doc.Status != "Approved" {
-				http.Error(w,
-					`Document status must be "In-Review" or "Approved" to approve`,
-					http.StatusBadRequest)
-				return
-			}
-			if !contains(doc.Approvers, userEmail) {
+			if !contains(doc.Approvers, userEmail) && !inApproverGroup {
 				http.Error(w,
 					"Not authorized as a document approver",
 					http.StatusUnauthorized)
 				return
 			}
-			if contains(doc.ApprovedBy, userEmail) {
-				http.Error(w,
-					"Document already approved by user",
-					http.StatusBadRequest)
-				return
-			}
 
 			// Add email to slice of users who have approved the document.
 			doc.ApprovedBy = append(doc.ApprovedBy, userEmail)