[BACK-2780] Add new user profiles endpoint.

auth/service/api/v1/permission.go

@@ -0,0 +1,67 @@
+package v1
+
+import (
+	"net/http"
+
+	"github.com/ant0ine/go-json-rest/rest"
+
+	"github.com/tidepool-org/platform/request"
+	"github.com/tidepool-org/platform/service/api"
+)
+
+// requireUserHasCustodian aborts with an error if a a request isn't
+// authenticated as a user and the user does not have custodian access to the
+// user with the id defined in the url param targetParamUserID
+func (r *Router) requireUserHasCustodian(targetParamUserID string, handlerFunc rest.HandlerFunc) rest.HandlerFunc {
+	fn := func(res rest.ResponseWriter, req *rest.Request) {
+		if handlerFunc != nil && res != nil && req != nil {
+			targetUserID := req.PathParam(targetParamUserID)
+			responder := request.MustNewResponder(res, req)
+			ctx := req.Context()
+			details := request.GetAuthDetails(ctx)
+			hasPerms, err := r.PermissionsClient().HasCustodianPermissions(ctx, details.UserID(), targetUserID)
+			if err != nil {
+				responder.InternalServerError(err)
+				return
+			}
+			if !hasPerms {
+				responder.Empty(http.StatusForbidden)
+				return
+			}
+			handlerFunc(res, req)
+		}
+	}
+	return api.RequireUser(fn)
+}
+
+// requireWriteAccess aborts with an error if the request isn't a server request
+// or the authenticated user doesn't have access to the user id in the url param,
+// targetParamUserID
+func (r *Router) requireWriteAccess(targetParamUserID string, handlerFunc rest.HandlerFunc) rest.HandlerFunc {
+	return func(res rest.ResponseWriter, req *rest.Request) {
+		if handlerFunc != nil && res != nil && req != nil {
+			targetUserID := req.PathParam(targetParamUserID)
+			responder := request.MustNewResponder(res, req)
+			ctx := req.Context()
+			details := request.GetAuthDetails(ctx)
+			if details == nil {
+				responder.Empty(http.StatusUnauthorized)
+				return
+			}
+			if details.IsService() {
+				handlerFunc(res, req)
+				return
+			}
+			hasPerms, err := r.PermissionsClient().HasWritePermissions(ctx, details.UserID(), targetUserID)
+			if err != nil {
+				responder.InternalServerError(err)
+				return
+			}
+			if !hasPerms {
+				responder.Empty(http.StatusForbidden)
+				return
+			}
+			handlerFunc(res, req)
+		}
+	}
+}

auth/service/api/v1/profile.go

@@ -0,0 +1,146 @@
+package v1
+
+import (
+	stdErrs "errors"
+	"net/http"
+
+	"github.com/ant0ine/go-json-rest/rest"
+
+	"github.com/tidepool-org/platform/request"
+	"github.com/tidepool-org/platform/service/api"
+	structValidator "github.com/tidepool-org/platform/structure/validator"
+	"github.com/tidepool-org/platform/user"
+)
+
+func (r *Router) ProfileRoutes() []*rest.Route {
+	return []*rest.Route{
+		rest.Get("/v1/users/:userId/profile", api.RequireAuth(r.GetProfile)),
+		rest.Get("/v1/users/legacy/:userId/profile", api.RequireAuth(r.GetLegacyProfile)),
+		// The following modification routes required custodian access in seagull, but I'm not sure that's quite right - it seems it should be if the user can modify the userId.
+		rest.Put("/v1/users/:userId/profile", r.requireWriteAccess("userId", r.UpdateProfile)),
+		rest.Put("/v1/users/legacy/:userId/profile", r.requireWriteAccess("userId", r.UpdateLegacyProfile)),
+		rest.Delete("/v1/users/:userId/profile", r.requireWriteAccess("userId", r.DeleteProfile)),
+		rest.Delete("/v1/users/legacy/:userId/profile", r.requireWriteAccess("userId", r.DeleteProfile)),
+	}
+}
+
+func (r *Router) GetProfile(res rest.ResponseWriter, req *rest.Request) {
+	responder := request.MustNewResponder(res, req)
+	ctx := req.Context()
+	details := request.GetAuthDetails(ctx)
+	userID := req.PathParam("userId")
+
+	if details.IsUser() {
+		hasPerms, err := r.PermissionsClient().HasMembershipRelationship(ctx, details.UserID(), userID)
+		if err != nil {
+			responder.InternalServerError(err)
+			return
+		}
+		if !hasPerms {
+			responder.Empty(http.StatusForbidden)
+			return
+		}
+	}
+
+	user, err := r.UserAccessor().FindUserById(ctx, userID)
+	if err != nil {
+		responder.Error(http.StatusBadRequest, err)
+		return
+	}
+	if user == nil || user.Profile == nil {
+		responder.Empty(http.StatusNotFound)
+		return
+	}
+
+	responder.Data(http.StatusOK, user.Profile)
+}
+
+func (r *Router) GetLegacyProfile(res rest.ResponseWriter, req *rest.Request) {
+	responder := request.MustNewResponder(res, req)
+	ctx := req.Context()
+	details := request.GetAuthDetails(ctx)
+	userID := req.PathParam("userId")
+
+	if details.IsUser() {
+		hasPerms, err := r.PermissionsClient().HasMembershipRelationship(ctx, details.UserID(), userID)
+		if err != nil {
+			responder.InternalServerError(err)
+			return
+		}
+		if !hasPerms {
+			responder.Empty(http.StatusForbidden)
+			return
+		}
+	}
+
+	user, err := r.UserAccessor().FindUserById(ctx, userID)
+	if err != nil {
+		responder.Error(http.StatusBadRequest, err)
+		return
+	}
+	if user == nil || user.Profile == nil {
+		responder.Empty(http.StatusNotFound)
+		return
+	}
+
+	responder.Data(http.StatusOK, user.Profile.ToLegacyProfile())
+}
+
+func (r *Router) UpdateProfile(res rest.ResponseWriter, req *rest.Request) {
+	responder := request.MustNewResponder(res, req)
+
+	profile := &user.UserProfile{}
+	if err := request.DecodeRequestBody(req.Request, profile); err != nil {
+		responder.Error(http.StatusBadRequest, err)
+		return
+	}
+	r.updateProfile(res, req, profile)
+}
+
+func (r *Router) UpdateLegacyProfile(res rest.ResponseWriter, req *rest.Request) {
+	responder := request.MustNewResponder(res, req)
+
+	profile := &user.LegacyUserProfile{}
+	if err := request.DecodeRequestBody(req.Request, profile); err != nil {
+		responder.Error(http.StatusBadRequest, err)
+		return
+	}
+	r.updateProfile(res, req, profile.ToUserProfile())
+}
+
+func (r *Router) updateProfile(res rest.ResponseWriter, req *rest.Request, profile *user.UserProfile) {
+	responder := request.MustNewResponder(res, req)
+	ctx := req.Context()
+	userID := req.PathParam("userId")
+	if err := structValidator.New().Validate(profile); err != nil {
+		responder.Error(http.StatusBadRequest, err)
+		return
+	}
+	err := r.UserAccessor().UpdateUserProfile(ctx, userID, profile)
+	if stdErrs.Is(err, user.ErrUserNotFound) {
+		responder.Empty(http.StatusNotFound)
+		return
+	}
+	if err != nil {
+		responder.InternalServerError(err)
+		return
+	}
+	responder.Empty(http.StatusOK)
+}
+
+func (r *Router) DeleteProfile(res rest.ResponseWriter, req *rest.Request) {
+	responder := request.MustNewResponder(res, req)
+	ctx := req.Context()
+	userID := req.PathParam("userId")
+
+	err := r.UserAccessor().DeleteUserProfile(ctx, userID)
+	if stdErrs.Is(err, user.ErrUserNotFound) {
+		responder.Empty(http.StatusNotFound)
+		return
+	}
+	if err != nil {
+		responder.InternalServerError(err)
+		return
+	}
+	responder.Empty(http.StatusOK)
+}

auth/service/api/v1/router.go

@@ -27,6 +27,7 @@ func (r *Router) Routes() []*rest.Route {
 		r.ProviderSessionsRoutes(),
 		r.RestrictedTokensRoutes(),
 		r.DeviceCheckRoutes(),
+		r.ProfileRoutes(),
 	}
 	acc := make([]*rest.Route, 0)
 	for _, r := range routes {

auth/service/service.go

@@ -4,10 +4,12 @@ import (
 	"context"
 
 	"github.com/tidepool-org/platform/apple"
+	"github.com/tidepool-org/platform/user"
 
 	confirmationClient "github.com/tidepool-org/hydrophone/client"
 
 	"github.com/tidepool-org/platform/auth/store"
+	permission "github.com/tidepool-org/platform/permission"
 	"github.com/tidepool-org/platform/provider"
 	"github.com/tidepool-org/platform/service"
 	"github.com/tidepool-org/platform/task"
@@ -18,6 +20,8 @@ type Service interface {
 
 	Domain() string
 	AuthStore() store.Store
+	UserAccessor() user.UserAccessor
+	PermissionsClient() permission.Client
 
 	ProviderFactory() provider.Factory
 

auth/service/service/service.go

@@ -9,6 +9,8 @@ import (
 
 	"github.com/tidepool-org/platform/apple"
 	"github.com/tidepool-org/platform/auth"
+	"github.com/tidepool-org/platform/user"
+	"github.com/tidepool-org/platform/user/keycloak"
 
 	eventsCommon "github.com/tidepool-org/go-common/events"
 
@@ -28,6 +30,8 @@ import (
 	"github.com/tidepool-org/platform/errors"
 	"github.com/tidepool-org/platform/events"
 	logInternal "github.com/tidepool-org/platform/log"
+	"github.com/tidepool-org/platform/permission"
+	permissionClient "github.com/tidepool-org/platform/permission/client"
 	"github.com/tidepool-org/platform/platform"
 	"github.com/tidepool-org/platform/provider"
 	providerFactory "github.com/tidepool-org/platform/provider/factory"
@@ -56,6 +60,8 @@ type Service struct {
 	authClient         *Client
 	userEventsHandler  events.Runner
 	deviceCheck        apple.DeviceCheck
+	userAccessor       user.UserAccessor
+	permsClient        *permissionClient.Client
 }
 
 func New() *Service {
@@ -108,6 +114,12 @@ func (s *Service) Initialize(provider application.Provider) error {
 	if err := s.initializeDeviceCheck(); err != nil {
 		return err
 	}
+	if err := s.initializeUserAccessor(); err != nil {
+		return err
+	}
+	if err := s.initializePermissionsClient(); err != nil {
+		return err
+	}
 	return s.initializeUserEventsHandler()
 }
 
@@ -152,6 +164,13 @@ func (s *Service) DeviceCheck() apple.DeviceCheck {
 	return s.deviceCheck
 }
 
+func (s *Service) UserAccessor() user.UserAccessor {
+	return s.userAccessor
+}
+
+func (s *Service) PermissionsClient() permission.Client {
+	return s.permsClient
+}
 func (s *Service) Status(ctx context.Context) *service.Status {
 	return &service.Status{
 		Version: s.VersionReporter().Long(),
@@ -325,6 +344,25 @@ func (s *Service) initializeTaskClient() error {
 	return nil
 }
 
+func (s *Service) initializePermissionsClient() error {
+	s.Logger().Debug("Loading permission client config")
+
+	cfg := platform.NewConfig()
+	cfg.UserAgent = s.UserAgent()
+	reporter := s.ConfigReporter().WithScopes("permission", "client")
+	loader := platform.NewConfigReporterLoader(reporter)
+	if err := cfg.Load(loader); err != nil {
+		return errors.Wrap(err, "unable to load permission client config")
+	}
+
+	permsClient, err := permissionClient.New(cfg, platform.AuthorizeAsService)
+	if err != nil {
+		return errors.Wrap(err, "unable to create permission client")
+	}
+	s.permsClient = permsClient
+	return nil
+}
+
 func (s *Service) terminateTaskClient() {
 	if s.taskClient != nil {
 		s.Logger().Debug("Destroying task client")
@@ -416,6 +454,18 @@ func (s *Service) initializeUserEventsHandler() error {
 	return nil
 }
 
+func (s *Service) initializeUserAccessor() error {
+	s.Logger().Debug("Initializing user accessor")
+
+	config := &keycloak.KeycloakConfig{}
+	if err := config.FromEnv(); err != nil {
+		return err
+	}
+	s.userAccessor = keycloak.NewKeycloakUserAccessor(config)
+
+	return nil
+}
+
 func (s *Service) initializeDeviceCheck() error {
 	s.Logger().Debug("Initializing device check")
 

auth/service/test/service.go

@@ -4,6 +4,7 @@ import (
 	"context"
 
 	"github.com/tidepool-org/platform/apple"
+	"github.com/tidepool-org/platform/user"
 
 	"github.com/onsi/gomega"
 
@@ -12,6 +13,7 @@ import (
 	"github.com/tidepool-org/platform/auth/service"
 	"github.com/tidepool-org/platform/auth/store"
 	authStoreTest "github.com/tidepool-org/platform/auth/store/test"
+	"github.com/tidepool-org/platform/permission"
 	"github.com/tidepool-org/platform/provider"
 	providerTest "github.com/tidepool-org/platform/provider/test"
 	serviceTest "github.com/tidepool-org/platform/service/test"
@@ -79,6 +81,14 @@ func (s *Service) DeviceCheck() apple.DeviceCheck {
 	return nil
 }
 
+func (s *Service) UserAccessor() user.UserAccessor {
+	return nil
+}
+
+func (s *Service) PermissionsClient() permission.Client {
+	return nil
+}
+
 func (s *Service) Status(ctx context.Context) *service.Status {
 	s.StatusInvocations++