Add member to sig WIP

Author: CoderCCM

src/api/functions/siglead.ts

@@ -1,17 +1,28 @@
 import {
+  DeleteItemCommand,
   DynamoDBClient,
+  PutItemCommand,
   QueryCommand,
   ScanCommand,
 } from "@aws-sdk/client-dynamodb";
-import { unmarshall } from "@aws-sdk/util-dynamodb";
+import { marshall, unmarshall } from "@aws-sdk/util-dynamodb";
+import {
+  EntraFetchError,
+  EntraGroupError,
+  EntraPatchError,
+  NotImplementedError,
+} from "common/errors/index.js";
 import { OrganizationList } from "common/orgs.js";
 import {
   SigDetailRecord,
+  SigEntraRecord,
   SigMemberCount,
   SigMemberRecord,
 } from "common/types/siglead.js";
 import { transformSigLeadToURI } from "common/utils.js";
 import { string } from "zod";
+import { getEntraIdToken, modifyGroup } from "./entraId.js";
+import { EntraGroupActions } from "common/types/iam.js";
 
 export async function fetchMemberRecords(
   sigid: string,
@@ -62,14 +73,42 @@ export async function fetchSigDetail(
   return (result.Items || [{}]).map((item) => {
     const unmarshalledItem = unmarshall(item);
 
-    // Strip '#' from access field
     delete unmarshalledItem.leadGroupId;
     delete unmarshalledItem.memberGroupId;
 
     return unmarshalledItem as SigDetailRecord;
   })[0];
 }
 
+export async function fetchSigEntraDetail(
+  sigid: string,
+  tableName: string,
+  dynamoClient: DynamoDBClient,
+) {
+  const fetchSigDetail = new QueryCommand({
+    TableName: tableName,
+    KeyConditionExpression: "#sigid = :accessVal",
+    ExpressionAttributeNames: {
+      "#sigid": "sigid",
+    },
+    ExpressionAttributeValues: {
+      ":accessVal": { S: sigid },
+    },
+    ScanIndexForward: false,
+  });
+
+  const result = await dynamoClient.send(fetchSigDetail);
+
+  // Process the results
+  return (result.Items || [{}]).map((item) => {
+    const unmarshalledItem = unmarshall(item);
+
+    delete unmarshalledItem.description;
+
+    return unmarshalledItem as SigEntraRecord;
+  })[0];
+}
+
 // select count(sigid)
 // from table
 // groupby sigid
@@ -113,3 +152,46 @@ export async function fetchSigCounts(
   console.log(countsArray);
   return countsArray;
 }
+
+export async function addMemberRecordToSig(
+  newMemberRecord: SigMemberRecord,
+  sigMemberTableName: string,
+  dynamoClient: DynamoDBClient,
+  entraIdToken: string,
+) {
+  await dynamoClient.send(
+    new PutItemCommand({
+      TableName: sigMemberTableName,
+      Item: marshall(newMemberRecord),
+    }),
+  );
+  try {
+    const sigEntraDetails: SigEntraRecord = await fetchSigEntraDetail(
+      newMemberRecord.sigGroupId,
+      sigMemberTableName,
+      dynamoClient,
+    );
+    await modifyGroup(
+      entraIdToken,
+      newMemberRecord.email,
+      sigEntraDetails.memberGroupId,
+      EntraGroupActions.ADD,
+      dynamoClient,
+    );
+  } catch (e: unknown) {
+    // restore original Dynamo status if AAD update fails.
+    await dynamoClient.send(
+      new DeleteItemCommand({
+        TableName: sigMemberTableName,
+        Key: {
+          sigGroupId: { S: newMemberRecord.sigGroupId },
+          email: { S: newMemberRecord.email },
+        },
+      }),
+    );
+    throw new EntraPatchError({
+      message: "Could not add member to sig AAD group.",
+      email: newMemberRecord.email,
+    });
+  }
+}

src/api/routes/siglead.ts

@@ -1,4 +1,4 @@
-import { FastifyPluginAsync } from "fastify";
+import fastify, { FastifyPluginAsync } from "fastify";
 import { z } from "zod";
 import { AppRoles } from "../../common/roles.js";
 import {
@@ -22,12 +22,14 @@ import {
   TransactWriteItem,
   GetItemCommand,
   TransactionCanceledException,
+  InternalServerError,
 } from "@aws-sdk/client-dynamodb";
 import { CloudFrontKeyValueStoreClient } from "@aws-sdk/client-cloudfront-keyvaluestore";
 import {
   genericConfig,
   EVENT_CACHED_DURATION,
   LinkryGroupUUIDToGroupNameMap,
+  roleArns,
 } from "../../common/config.js";
 import { marshall, unmarshall } from "@aws-sdk/util-dynamodb";
 import rateLimiter from "api/plugins/rateLimiter.js";
@@ -44,13 +46,62 @@ import {
   SigMemberRecord,
 } from "common/types/siglead.js";
 import {
+  addMemberRecordToSig,
   fetchMemberRecords,
   fetchSigCounts,
   fetchSigDetail,
 } from "api/functions/siglead.js";
 import { intersection } from "api/plugins/auth.js";
+import {
+  FastifyZodOpenApiSchema,
+  FastifyZodOpenApiTypeProvider,
+} from "fastify-zod-openapi";
+import { withRoles, withTags } from "api/components/index.js";
+import { AnyARecord } from "dns";
+import { getEntraIdToken } from "api/functions/entraId.js";
+import { getRoleCredentials } from "api/functions/sts.js";
+import { SecretsManagerClient } from "@aws-sdk/client-secrets-manager";
+import { logger } from "api/sqs/logger.js";
+import fastifyStatic from "@fastify/static";
+
+const postAddSigMemberSchema = z.object({
+  sigGroupId: z.string().min(1),
+  email: z.string().min(1), // TODO: verify email and @illinois.edu
+  designation: z.string().min(1).max(1),
+  memberName: z.string().min(1),
+});
 
 const sigleadRoutes: FastifyPluginAsync = async (fastify, _options) => {
+  const getAuthorizedClients = async () => {
+    if (roleArns.Entra) {
+      fastify.log.info(
+        `Attempting to assume Entra role ${roleArns.Entra} to get the Entra token...`,
+      );
+      const credentials = await getRoleCredentials(roleArns.Entra);
+      const clients = {
+        smClient: new SecretsManagerClient({
+          region: genericConfig.AwsRegion,
+          credentials,
+        }),
+        dynamoClient: new DynamoDBClient({
+          region: genericConfig.AwsRegion,
+          credentials,
+        }),
+      };
+      fastify.log.info(
+        `Assumed Entra role ${roleArns.Entra} to get the Entra token.`,
+      );
+      return clients;
+    } else {
+      fastify.log.debug(
+        "Did not assume Entra role as no env variable was present",
+      );
+      return {
+        smClient: fastify.secretsManagerClient,
+        dynamoClient: fastify.dynamoClient,
+      };
+    }
+  };
   const limitedRoutes: FastifyPluginAsync = async (fastify) => {
     /*fastify.register(rateLimiter, {
       limit: 30,
@@ -163,6 +214,81 @@ const sigleadRoutes: FastifyPluginAsync = async (fastify, _options) => {
         reply.code(200).send(sigMemCounts);
       },
     );
+    fastify.withTypeProvider<FastifyZodOpenApiTypeProvider>().post(
+      "/addMember/:sigid",
+      {
+        schema: withRoles(
+          [AppRoles.SIGLEAD_MANAGER],
+          withTags(["Sigid"], {
+            // response: {
+            //   201: z.object({
+            //     id: z.string(),
+            //     resource: z.string(),
+            //   }),
+            // },
+            body: postAddSigMemberSchema,
+            summary: "Add a member to a sig.",
+          }),
+        ) satisfies FastifyZodOpenApiSchema,
+        onRequest: fastify.authorizeFromSchema,
+      },
+      async (request, reply) => {
+        const { sigGroupId, email, designation, memberName } = request.body;
+        const tableName = genericConfig.SigleadDynamoSigMemberTableName;
+
+        // First try-catch: See if the member already exists
+        let sigMembers: SigMemberRecord[];
+        try {
+          sigMembers = await fetchMemberRecords(
+            sigGroupId,
+            tableName,
+            fastify.dynamoClient,
+          );
+        } catch (error) {
+          request.log.error(
+            `Could not verify the member does not already exist in the sig: ${error instanceof Error ? error.toString() : "Unknown error"}`,
+          );
+          throw new DatabaseFetchError({
+            message: "Failed to fetch sig member records from Dynamo table.",
+          });
+        }
+
+        for (const sigMember of sigMembers) {
+          if (sigMember.email === email) {
+            throw new ValidationError({
+              message: "Member already exists in sig.",
+            });
+          }
+        }
+
+        const newMemberRecord: SigMemberRecord = request.body;
+        // Second try-catch: Try to add the member to Dynamo and AAD, rolling back if failure
+        try {
+          //FIXME: this is failing due to auth
+          const entraIdToken = await getEntraIdToken(
+            await getAuthorizedClients(),
+            fastify.environmentConfig.AadValidClientId,
+          );
+
+          await addMemberRecordToSig(
+            newMemberRecord,
+            tableName,
+            fastify.dynamoClient,
+            entraIdToken,
+          );
+        } catch (error: any) {
+          request.log.error(
+            `Error while adding member to sig: ${error instanceof Error ? error.toString() : "Unknown error"}`,
+          );
+          throw error;
+        }
+
+        // Send the response
+        reply.code(200).send({
+          message: "Added member to sig.",
+        });
+      },
+    );
   };
 
   fastify.register(limitedRoutes);

src/common/types/siglead.ts

@@ -4,6 +4,13 @@ export type SigDetailRecord = {
   description: string;
 };
 
+export type SigEntraRecord = {
+    sigid: string;
+    signame: string;
+    leadGroupId: string;
+    memberGroupId: string;
+  };
+
 export type SigMemberRecord = {
   sigGroupId: string;
   email: string;