[ID-687] Handle Create Admin account API issue (#688)

* Update CHANGELOG.md

* Fix is in progress

* Do not pass parameter which is not used

* Check if the account exists for this app

* Determine operation

* App sign up is in progress

* App sign up is in progress

* Return account

* Once we have tenants accounts this means that phone is also valid

* In progress

* API is done

---------

Co-authored-by: Petyo Stoyanov <[email protected]>

Author: petyos

.secrets.baseline

@@ -136,7 +136,7 @@
         "filename": "core/auth/apis.go",
         "hashed_secret": "394e3412459f79523e12e1fa95a4cf141ccff122",
         "is_verified": false,
-        "line_number": 2103
+        "line_number": 2133
       }
     ],
     "core/auth/auth.go": [
@@ -166,7 +166,7 @@
         "filename": "core/auth/auth.go",
         "hashed_secret": "94a7f0195bbbd2260c4e4d02b6348fbcd90b2b30",
         "is_verified": false,
-        "line_number": 2539
+        "line_number": 2593
       }
     ],
     "core/auth/auth_type_email.go": [
@@ -364,5 +364,5 @@
       }
     ]
   },
-  "generated_at": "2023-11-29T10:56:59Z"
+  "generated_at": "2023-12-08T06:55:08Z"
 }

CHANGELOG.md

@@ -7,6 +7,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## Unreleased
 ### Fixed
+- Handle Create Admin account API issue [#687](https://github.com/rokwire/core-building-block/issues/687)
 - Fix storeSystemData [#685](https://github.com/rokwire/core-building-block/issues/685)
 
 ## [1.35.0] - 2023-12-01

core/auth/apis.go

@@ -578,42 +578,69 @@ func (a *Auth) CreateAdminAccount(authenticationType string, appID string, orgID
 	}
 
 	// create account
-	var accountAuthType *model.AccountAuthType
 	var newAccount *model.Account
 	var params map[string]interface{}
+
 	transaction := func(context storage.TransactionContext) error {
-		//1. check if the user exists
-		account, err := a.storage.FindAccount(context, appOrg.ID, authType.ID, identifier)
+		//find the account for the org and the user identity
+		foundedAccount, err := a.storage.FindAccountByOrgAndIdentifier(nil, appOrg.Organization.ID, authType.ID, identifier, appOrg.ID)
 		if err != nil {
 			return errors.WrapErrorAction(logutils.ActionFind, model.TypeAccount, nil, err)
 		}
-		if account != nil {
-			return errors.ErrorData(logutils.StatusFound, model.TypeAccount, &logutils.FieldArgs{"app_org_id": appOrg.ID, "auth_type": authType.Code, "identifier": identifier})
+
+		//check if the account exists for this app
+		if foundedAccount != nil && foundedAccount.HasApp(appID) {
+			return errors.Newf("there is already account for %s in %s application", identifier, appID)
 		}
 
-		//2. account does not exist, so apply sign up
-		profile.DateCreated = time.Now().UTC()
-		if authType.IsExternal {
-			externalUser := model.ExternalSystemUser{Identifier: identifier}
-			accountAuthType, err = a.applySignUpAdminExternal(context, *authType, *appOrg, externalUser, profile, privacy, username, permissions, roleIDs, groupIDs, scopes, creatorPermissions, clientVersion, l)
-			if err != nil {
-				return errors.WrapErrorAction(logutils.ActionRegister, "admin user", &logutils.FieldArgs{"auth_type": authType.Code, "identifier": identifier}, err)
-			}
-		} else {
-			authImpl, err := a.getAuthTypeImpl(*authType)
+		//determine operation - "org-sign-up" or "app-sign-up"
+		operation, err := a.determineOperation(foundedAccount, appOrg.ID, l)
+		if err != nil {
+			return errors.WrapErrorAction(logutils.ActionFind, model.TypeAccount, nil, err)
+		}
+
+		//apply operation
+		switch operation {
+		case "app-sign-up":
+			// account exists in the organization but not for the application
+
+			udatedAccount, err := a.appSignUp(context, *foundedAccount, *appOrg, permissions, roleIDs, groupIDs, clientVersion, creatorPermissions, l)
 			if err != nil {
-				return errors.WrapErrorAction(logutils.ActionLoadCache, typeExternalAuthType, nil, err)
+				return errors.WrapErrorAction("app sign up", "", nil, err)
 			}
 
-			profile.Email = identifier
-			params, accountAuthType, err = a.applySignUpAdmin(context, authImpl, account, *authType, *appOrg, identifier, "", profile, privacy, username, permissions, roleIDs, groupIDs, scopes, creatorPermissions, clientVersion, l)
-			if err != nil {
-				return errors.WrapErrorAction(logutils.ActionRegister, "admin user", &logutils.FieldArgs{"auth_type": authType.Code, "identifier": identifier}, err)
+			newAccount = udatedAccount
+			return nil
+		case "org-sign-up":
+			// account does not exist in the organization
+
+			var accountAuthType *model.AccountAuthType
+
+			profile.DateCreated = time.Now().UTC()
+			if authType.IsExternal {
+				externalUser := model.ExternalSystemUser{Identifier: identifier}
+				accountAuthType, err = a.applySignUpAdminExternal(context, *authType, *appOrg, externalUser, profile, privacy, username, permissions, roleIDs, groupIDs, scopes, creatorPermissions, clientVersion, l)
+				if err != nil {
+					return errors.WrapErrorAction(logutils.ActionRegister, "admin user", &logutils.FieldArgs{"auth_type": authType.Code, "identifier": identifier}, err)
+				}
+			} else {
+				authImpl, err := a.getAuthTypeImpl(*authType)
+				if err != nil {
+					return errors.WrapErrorAction(logutils.ActionLoadCache, typeExternalAuthType, nil, err)
+				}
+
+				profile.Email = identifier
+				params, accountAuthType, err = a.applySignUpAdmin(context, authImpl, *authType, *appOrg, identifier, "", profile, privacy, username, permissions, roleIDs, groupIDs, scopes, creatorPermissions, clientVersion, l)
+				if err != nil {
+					return errors.WrapErrorAction(logutils.ActionRegister, "admin user", &logutils.FieldArgs{"auth_type": authType.Code, "identifier": identifier}, err)
+				}
 			}
+
+			newAccount = &accountAuthType.Account
+			return nil
 		}
 
-		newAccount = &accountAuthType.Account
-		return nil
+		return errors.Newf("not supported operation - create account via admin API")
 	}
 
 	err = a.storage.PerformTransaction(transaction)
@@ -630,7 +657,10 @@ func (a *Auth) UpdateAdminAccount(authenticationType string, appID string, orgID
 	//TODO: when elevating existing accounts to application level admin, need to enforce any authentication policies set up for the app org
 	// when demoting from application level admin to standard user, may want to inform user of applicable authentication policy changes
 
-	if authenticationType != AuthTypeOidc && authenticationType != AuthTypeEmail && !strings.HasSuffix(authenticationType, "_oidc") {
+	if authenticationType != AuthTypeOidc &&
+		authenticationType != AuthTypeEmail &&
+		!strings.HasSuffix(authenticationType, "_oidc") &&
+		authenticationType != AuthTypeTwilioPhone { //Once we have tenants accounts this means that phone is also valid
 		return nil, nil, errors.ErrorData(logutils.StatusInvalid, "auth type", nil)
 	}
 
@@ -1779,7 +1809,7 @@ func (a *Auth) InitializeSystemAccount(context storage.TransactionContext, authT
 	privacy := model.Privacy{Public: false}
 	permissions := []string{allSystemPermission}
 
-	_, accountAuthType, err := a.applySignUpAdmin(context, authImpl, nil, authType, appOrg, email, password, profile, privacy, "", permissions, nil, nil, nil, permissions, &clientVersion, l)
+	_, accountAuthType, err := a.applySignUpAdmin(context, authImpl, authType, appOrg, email, password, profile, privacy, "", permissions, nil, nil, nil, permissions, &clientVersion, l)
 	if err != nil {
 		return "", errors.WrapErrorAction(logutils.ActionRegister, "initial system user", &logutils.FieldArgs{"email": email}, err)
 	}

core/auth/auth.go

@@ -809,7 +809,7 @@ func (a *Auth) applyOrgSignUp(authImpl authType, account *model.Account, authTyp
 	return message, accountAuthType, nil
 }
 
-func (a *Auth) applySignUpAdmin(context storage.TransactionContext, authImpl authType, account *model.Account, authType model.AuthType, appOrg model.ApplicationOrganization, identifier string, password string,
+func (a *Auth) applySignUpAdmin(context storage.TransactionContext, authImpl authType, authType model.AuthType, appOrg model.ApplicationOrganization, identifier string, password string,
 	regProfile model.Profile, privacy model.Privacy, username string, permissions []string, roles []string, groups []string, scopes []string, creatorPermissions []string, clientVersion *string, l *logs.Log) (map[string]interface{}, *model.AccountAuthType, error) {
 
 	if username != "" {
@@ -1441,6 +1441,60 @@ func (a *Auth) getProfileBBData(authType model.AuthType, identifier string, l *l
 	return profile, preferences, nil
 }
 
+// sign up an account to a specific application in the organization
+//
+//	Input:
+//		account (Account): The account
+//		appOrg (ApplicationOrganization): The application organization where this account will be attached
+//		permissionNames ([]string): set of permissions to assign
+//		roleIDs ([]string): set of roles to assign
+//		groupIDs ([]string): set of groups to assign
+//		clientVersion (*string): client version
+//		creatorPermissions ([]string): creator permissions
+//	Returns:
+//		Updated account (Account): The updated account object
+func (a *Auth) appSignUp(context storage.TransactionContext, account model.Account, appOrg model.ApplicationOrganization,
+	permissionNames []string, roleIDs []string, groupIDs []string, clientVersion *string,
+	creatorPermissions []string,
+	l *logs.Log) (*model.Account, error) {
+
+	//check permissions, roles and groups
+	permissions, err := a.CheckPermissions(context, []model.ApplicationOrganization{appOrg}, permissionNames, creatorPermissions, false)
+	if err != nil {
+		return nil, errors.WrapErrorAction(logutils.ActionValidate, model.TypePermission, nil, err)
+	}
+
+	roles, err := a.CheckRoles(context, &appOrg, roleIDs, creatorPermissions, false)
+	if err != nil {
+		return nil, errors.WrapErrorAction(logutils.ActionValidate, model.TypeAppOrgRole, nil, err)
+	}
+
+	groups, err := a.CheckGroups(context, &appOrg, groupIDs, creatorPermissions, false)
+	if err != nil {
+		return nil, errors.WrapErrorAction(logutils.ActionGet, model.TypeAppOrgGroup, nil, err)
+	}
+
+	//create new app membership
+	rolesItems := model.AccountRolesFromAppOrgRoles(roles, true, true)
+	groupsItems := model.AccountGroupsFromAppOrgGroups(groups, true, true)
+	newAppMembership := model.OrgAppMembership{ID: uuid.NewString(), AppOrg: appOrg,
+		Permissions: permissions, Roles: rolesItems, Groups: groupsItems, MostRecentClientVersion: clientVersion}
+
+	//add it to the account
+	account.OrgAppsMemberships = append(account.OrgAppsMemberships, newAppMembership)
+
+	//save the account
+	err = a.storage.SaveAccount(context, &account)
+	if err != nil {
+		return nil, err
+	}
+
+	//set current membership
+	account.SetCurrentMembership(newAppMembership)
+
+	return &account, nil
+}
+
 // registerUser registers account for an organization in an application
 //
 //	Input:

core/model/user.go

@@ -158,6 +158,16 @@ func (a Account) GetApps() []Application {
 	return res
 }
 
+// SetCurrentMembership sets current membership
+func (a *Account) SetCurrentMembership(current OrgAppMembership) {
+	a.AppOrg = current.AppOrg
+	a.Permissions = current.Permissions
+	a.Roles = current.Roles
+	a.Groups = current.Groups
+	a.Preferences = current.Preferences
+	a.MostRecentClientVersion = current.MostRecentClientVersion
+}
+
 // GetAccountAuthTypeByID finds account auth type by id
 func (a Account) GetAccountAuthTypeByID(ID string) *AccountAuthType {
 	for _, aat := range a.AuthTypes {