fix: group management fixes

There is no indication from the groups API that a user is
a superuser in a group and is therefore not deletable. Further
the standard group API returns unnecessary member information.

Author: rvowles

adks/e2e-sdk/app/steps/group.ts

@@ -52,22 +52,40 @@ When('I assign the superuser to the group', async function() {
   expect(response.data.members.find( p => p.id.id === userId)).to.not.be.undefined;
 });
 
-Then('I can delete the supergroup from the group', async function() {
+Then('I cannot delete the superuser from the group', async function() {
   const world = this as SdkWorld;
   const userResponse = await world.superuser.personApi.getPerson("self");
   const userId = (userResponse.data as Person).id.id;
-  const response = await world.superuser.groupApi.deletePersonFromGroup(world.group.id, userId, true);
-  expect(response.status).to.eq(200);
-  expect(response.data.members.find( p => p.id.id === userId)).to.be.undefined;
+  try {
+    await world.superuser.groupApi.deletePersonFromGroup(world.group.id, userId, false);
+    expect(true, `call succeeded to delete supergroup from portfolio group but should not have`).to.be.false;
+  } catch (e) {
+    expect(e.response.status).to.eq(404);
+  }
 });
 
-Then(/^the (superuser|user) is marked in the group as a (superuser|user)$/, async function(userSource: string, userType: string) {
+Then(/^the (superuser|user) (is|is not) in the group as a (superuser|user)$/, async function(userSource: string, isRule: string, userType: string) {
   const world = this as SdkWorld;
   const user = (userSource === 'superuser') ? world.superuser : world.user;
   expect(user.me).to.not.be.undefined;
   expect(world.group).to.not.be.undefined;
-  const suserValue = userType === 'superuser';
-  expect(world.group.sMembers.find(p => p.superuser === suserValue && p.person.id === user.personId))
+
+  const foundSuperuser = world.group.superMembers.find(p => p === user.personId);
+  const found = world.group.simpleMembers.find(p => p.id === user.personId);
+
+  if (userType === 'superuser') {
+    if (isRule === 'is') {
+      expect(foundSuperuser, `${userSource} not superuser in group ${world.group.name}`).to.not.be.undefined;
+    } else { // is not
+      expect(foundSuperuser, `${userSource} not superuser in in group ${world.group.name}`).to.be.undefined;
+    }
+  } else {
+    if (isRule === 'is') {
+      expect(found, `${userSource} in group ${world.group.name} and is not`).to.not.be.undefined;
+    } else { // is not
+      expect(found, `${userSource} in group ${world.group.name} and should not be`).to.be.undefined;
+    }
+  }
 });
 
 Then('I assign the new user to the new group', async function() {

adks/e2e-sdk/features/permission-check.feature

@@ -8,12 +8,13 @@ Feature: Certain permission combinations should work as expected
     And I create a new user
     And I assign the new user to the new group
     And I get the portfolio admin group
-    And the superuser is marked in the group as a superuser
-    And the user is marked in the group as a user
+    And the superuser is in the group as a superuser
+    And the superuser is in the group as a user
+    And the user is in the group as a user
+    And the user is not in the group as a superuser
 
   @delete-superuser-from-group
   Scenario: I add the superuser to the portfolio admin group and then remove them
     Given I create a new portfolio
     And I get the portfolio admin group
-    When I assign the superuser to the group
-    Then I can delete the supergroup from the group
+    Then I cannot delete the superuser from the group

admin-frontend/open_admin_app/lib/routes/manage_group_route.dart

@@ -1,4 +1,5 @@
 import 'package:bloc_provider/bloc_provider.dart';
+import 'package:collection/collection.dart';
 import 'package:flutter/material.dart';
 import 'package:mrapi/api.dart';
 import 'package:open_admin_app/common/ga_id.dart';
@@ -145,22 +146,22 @@ class ManageGroupRouteState extends State<ManageGroupRoute> {
                                   label: Text(
                                       AppLocalizations.of(context)!.columnName),
                                   onSort: (columnIndex, ascending) {
-                                    onSortColumn(group.sMembers,
+                                    onSortColumn(group.simpleMembers,
                                         columnIndex, ascending);
                                   }),
                               DataColumn(
                                 label: Text(
                                     AppLocalizations.of(context)!.columnEmail),
                                 onSort: (columnIndex, ascending) {
-                                  onSortColumn(group.sMembers,
+                                  onSortColumn(group.simpleMembers,
                                       columnIndex, ascending);
                                 },
                               ),
                               DataColumn(
                                 label: Text(AppLocalizations.of(context)!
                                     .columnMemberType),
                                 onSort: (columnIndex, ascending) {
-                                  onSortColumn(group.sMembers,
+                                  onSortColumn(group.simpleMembers,
                                       columnIndex, ascending);
                                 },
                               ),
@@ -173,22 +174,22 @@ class ManageGroupRouteState extends State<ManageGroupRoute> {
                                   onSort: (i, a) => {}),
                             ],
                             rows: [
-                              for (GroupPerson member in group.sMembers)
+                              for (AnemicPerson member in group.simpleMembers)
                                 DataRow(cells: [
                                   DataCell(
-                                    Text(member.person.name ?? ''),
+                                    Text(member.name),
                                   ),
                                   DataCell(Text(
-                                      member.person.type == PersonType.person
-                                          ? member.person.email!
+                                      member.type == PersonType.person
+                                          ? member.email!
                                           : "")),
                                   DataCell(Text(
-                                      member.person.type == PersonType.person
+                                      member.type == PersonType.person
                                           ? AppLocalizations.of(context)!
                                               .memberTypeUser
                                           : AppLocalizations.of(context)!
                                               .memberTypeServiceAccount)),
-                                  DataCell(!member.superuser
+                                  DataCell((group.admin != true) || group.superMembers.firstWhereOrNull((s) => s == member.id) == null
                                       ? Tooltip(
                                           message: AppLocalizations.of(context)!
                                               .removeFromGroup,
@@ -197,13 +198,13 @@ class ManageGroupRouteState extends State<ManageGroupRoute> {
                                             onPressed: () async {
                                               try {
                                                 await bloc.removeFromGroup(
-                                                    group, member.person.id);
+                                                    group, member.id);
                                                 if (context.mounted) {
                                                   bloc.mrClient.addSnackbar(
                                                       Text(AppLocalizations.of(
                                                               context)!
                                                           .memberRemovedFromGroup(
-                                                              member.person.name,
+                                                              member.name,
                                                               group
                                                                   .name)));
                                                 }
@@ -230,39 +231,39 @@ class ManageGroupRouteState extends State<ManageGroupRoute> {
     );
   }
 
-  void onSortColumn(List<GroupPerson> people, int columnIndex, bool ascending) {
+  void onSortColumn(List<AnemicPerson> people, int columnIndex, bool ascending) {
     setState(() {
       if (columnIndex == 0) {
         if (ascending) {
           people.sort((a, b) {
-            return a.person.name.toLowerCase().compareTo(b.person.name!.toLowerCase());
+            return a.name.toLowerCase().compareTo(b.name.toLowerCase());
           });
         } else {
           people.sort((a, b) {
-            return b.person.name.toLowerCase().compareTo(a.person.name.toLowerCase());
+            return b.name.toLowerCase().compareTo(a.name.toLowerCase());
           });
         }
       }
       if (columnIndex == 1) {
         if (ascending) {
           people.sort((a, b) =>
-              a.person.email!.toLowerCase().compareTo(b.person.email!.toLowerCase()));
+              a.email!.toLowerCase().compareTo(b.email!.toLowerCase()));
         } else {
           people.sort((a, b) =>
-              b.person.email!.toLowerCase().compareTo(a.person.email!.toLowerCase()));
+              b.email!.toLowerCase().compareTo(a.email!.toLowerCase()));
         }
       }
       if (columnIndex == 2) {
         if (ascending) {
-          people.sort((a, b) => a.person.type
+          people.sort((a, b) => a.type
               .toString()
               .toLowerCase()
-              .compareTo(b.person.type.toString().toLowerCase()));
+              .compareTo(b.type.toString().toLowerCase()));
         } else {
-          people.sort((a, b) => b.person.type
+          people.sort((a, b) => b.type
               .toString()
               .toLowerCase()
-              .compareTo(a.person.type.toString().toLowerCase()));
+              .compareTo(a.type.toString().toLowerCase()));
         }
       }
       if (sortColumnIndex == columnIndex) {

admin-frontend/open_admin_app/lib/widgets/apps/manage_app_bloc.dart

@@ -275,15 +275,11 @@ class ManageAppBloc implements Bloc, ManagementRepositoryAwareBloc {
   }
 
   Future<Group?> updateGroupWithEnvironmentRoles(String? gid, Group group) async {
-    // make sure members are null or they all get removed
-    group.members = [];
-
     try {
       final updatedGroup = await _groupServiceApi
-          .updateGroupOnPortfolio(portfolio!.id, group,
+          .updateGroupOnPortfolio(portfolio!.id, UpdateGroup(id: group.id, version: group.version,
+          applicationRoles: group.applicationRoles, environmentRoles: group.environmentRoles),
           includeGroupRoles: true,
-          includeMembers: false,
-          updateMembers: false,
           applicationId: applicationId,
           updateApplicationGroupRoles: true,
           updateEnvironmentGroupRoles: true);

admin-frontend/open_admin_app/lib/widgets/group/group_bloc.dart

@@ -107,8 +107,8 @@ class GroupBloc implements Bloc {
       groupToUpdate.name = name;
 
       final newGroup = await _groupServiceApi.updateGroupOnPortfolio(
-          mrClient.currentPortfolio!.id, groupToUpdate,
-          includeMembersV2: true, updateMembers: false);
+          mrClient.currentPortfolio!.id, UpdateGroup(id: groupToUpdate.id, version: groupToUpdate.version, name: name),
+          includeMembersV2: true);
 
       // tell the portfolio groups to update as the name has changed.
       await getGroups(focusGroup: groupToUpdate);
@@ -121,7 +121,7 @@ class GroupBloc implements Bloc {
       await mrClient.dialogError(e, s,
           messageTitle: 'Failed to update group',
           messageBody:
-              'Failed to update group because of a duplicate or other conflict.');
+              'Failed to update group because of a duplicate or other update conflict.');
       return false;
     }
   }

backend/mr-api/mr-api.yaml

@@ -468,12 +468,6 @@ paths:
           required: false
           schema:
             type: boolean
-        - name: updateMembers
-          description: "update members, deleting those that are not passed"
-          in: query
-          schema:
-            type: boolean
-          required: false
         - name: updateEnvironmentGroupRoles
           description: "update environment group roles, deleting any not passed"
           in: query
@@ -498,7 +492,7 @@ paths:
         content:
           application/json:
             schema:
-              $ref: "#/components/schemas/Group"
+              $ref: "#/components/schemas/UpdateGroup"
       responses:
         200:
           description: "Resulting group"
@@ -2173,65 +2167,6 @@ paths:
           description: "forbidden"
         404:
           description: "not found"
-    put:
-      deprecated: true
-      security:
-        - bearerAuth: [ ]
-      tags:
-        - GroupService
-      description: "Update a group"
-      operationId: updateGroup
-      parameters:
-        - name: updateMembers
-          description: "update members, deleting those that are not passed"
-          in: query
-          schema:
-            type: boolean
-          required: false
-        - name: updateEnvironmentGroupRoles
-          description: "update environment group roles, deleting any not passed"
-          in: query
-          schema:
-            type: boolean
-          required: false
-        - name: updateApplicationGroupRoles
-          description: "update application group roles, deleting any not passed"
-          in: query
-          schema:
-            type: boolean
-          required: false
-        - name: applicationId
-          description: "if updating the application group roles, and the application id is passed, then the changes are limited to that application"
-          in: query
-          schema:
-            type: string
-            format: uuid
-          required: false
-      requestBody:
-        required: true
-        content:
-          application/json:
-            schema:
-              $ref: "#/components/schemas/Group"
-      responses:
-        200:
-          description: "Resulting group"
-          content:
-            application/json:
-              schema:
-                $ref: "#/components/schemas/Group"
-        400:
-          description: "Bad Request"
-        401:
-          description: "no permission"
-        403:
-          description: "forbidden"
-        404:
-          description: "not found"
-        409:
-          description: "duplicate user or duplicate group"
-        422:
-          description: "version conflict"
     delete:
       security:
         - bearerAuth: [ ]
@@ -3996,6 +3931,34 @@ components:
           default: []
           items:
             $ref: "#/components/schemas/ApplicationGroupRole"
+    UpdateGroup:
+      type: object
+      required:
+        - id
+      properties:
+        id:
+          type: string
+          format: uuid
+          nullable: false
+        name:
+          type: string
+          maxLength: 255
+          nullable: true
+        version:
+          type: integer
+          format: int64
+          nullable: false
+        applicationRoles:
+          nullable: true
+          type: array
+          default: []
+          items:
+            $ref: "#/components/schemas/ApplicationGroupRole"
+        environmentRoles:
+          type: array
+          default: []
+          items:
+            $ref: "#/components/schemas/EnvironmentGroupRole"
     Group:
       allOf:
         - $ref: "#/components/schemas/Audit"
@@ -4028,11 +3991,18 @@ components:
               type: string
               minLength: 1
               maxLength: 255
-            sMembers:
+            superMembers:
+              description: "This indicates which ids in the simpleMembers are superusers. It is a read only field and is ignored if it is passed back."
+              type: array
+              default: []
+              items:
+                type: string
+                format: uuid
+            simpleMembers:
               type: array
               default: []
               items:
-                $ref: "#/components/schemas/GroupPerson"
+                $ref: "#/components/schemas/AnemicPerson"
             members:
               type: array
               default: []