add PUT /vaults/{vaultId}/members

Author: overheadhunter

backend/src/main/java/org/cryptomator/hub/api/VaultResource.java

@@ -65,7 +65,9 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
+import java.util.Set;
 import java.util.UUID;
+import java.util.function.Predicate;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
@@ -77,20 +79,29 @@ public class VaultResource {
 
 	@Inject
 	AccessToken.Repository accessTokenRepo;
+
 	@Inject
 	Group.Repository groupRepo;
+
 	@Inject
 	User.Repository userRepo;
+
+	@Inject
+	Authority.Repository authorityRepo;
+
 	@Inject
 	EffectiveVaultAccess.Repository effectiveVaultAccessRepo;
+
 	/**
 	 * @deprecated to be removed in <a href="https://github.com/cryptomator/hub/issues/333">#333</a>
 	 */
 	@Inject
 	@Deprecated(since = "1.3.0", forRemoval = true)
 	LegacyAccessToken.Repository legacyAccessTokenRepo;
+
 	@Inject
 	Vault.Repository vaultRepo;
+
 	@Inject
 	VaultAccess.Repository vaultAccessRepo;
 
@@ -173,6 +184,62 @@ public List<MemberDto> getDirectMembers(@PathParam("vaultId") UUID vaultId) {
 		}).toList();
 	}
 
+	@PUT
+	@Path("/{vaultId}/members")
+	@RolesAllowed("user")
+	@VaultRole(value = VaultAccess.Role.OWNER, bypassForEmergencyAccess = true) // may throw 403
+	@Transactional
+	@Consumes(MediaType.APPLICATION_JSON)
+	@Operation(summary = "set vault members", description = "replaces all direct vault members with the given ones")
+	@APIResponse(responseCode = "204", description = "members updated")
+	@APIResponse(responseCode = "400", description = "invalid members in request body")
+	@APIResponse(responseCode = "403", description = "not a vault owner")
+	@APIResponse(responseCode = "404", description = "vault not found")
+	public Response setDirectMembers(@PathParam("vaultId") UUID vaultId, @NotEmpty Map<String, VaultAccess.Role> memberRoles) {
+		var vault = vaultRepo.findById(vaultId);
+		if (vault == null) {
+			throw new NotFoundException("Vault not found.");
+		}
+		var newVaultAccess = authorityRepo.findAllInList(memberRoles.keySet()).map(authority -> {
+			assert memberRoles.containsKey(authority.getId());
+			return VaultAccess.create(vault, authority, memberRoles.get(authority.getId()));
+		}).toList();
+		if (newVaultAccess.isEmpty()){
+			throw new BadRequestException("No (valid) members given.");
+		}
+		var oldVaultAccess = vaultAccessRepo.forVault(vaultId).toList();
+
+		// determine diff:
+		Set<VaultAccess.Id> newIds = newVaultAccess.stream().map(VaultAccess::getId).collect(Collectors.toSet());
+		Set<VaultAccess.Id> oldIds = oldVaultAccess.stream().map(VaultAccess::getId).collect(Collectors.toSet());
+		Predicate<VaultAccess> isNew = va -> newIds.contains(va.getId());
+		Predicate<VaultAccess> isOld = va -> oldIds.contains(va.getId());
+		Predicate<VaultAccess> hasChangedRole = va -> memberRoles.get(va.getId().getAuthorityId()) != va.getRole();
+		var addedMembers = newVaultAccess.stream()
+				.filter(isOld.negate())
+				.peek(va -> eventLogger.logVaultMemberAdded(jwt.getSubject(), vaultId, va.getId().getAuthorityId(), va.getRole()));
+		var removedMemberIds = oldVaultAccess.stream()
+				.filter(isNew.negate())
+				.peek(va -> eventLogger.logVaultMemberRemoved(jwt.getSubject(), vaultId, va.getId().getAuthorityId()))
+				.map(VaultAccess::getId)
+				.map(VaultAccess.Id::getAuthorityId);
+		var updatedMembers = oldVaultAccess.stream()
+				.filter(isNew)
+				.filter(hasChangedRole)
+				.peek(va -> va.setRole(memberRoles.get(va.getId().getAuthorityId())))
+				.peek(va -> eventLogger.logVaultMemberUpdated(jwt.getSubject(), vaultId, va.getId().getAuthorityId(), va.getRole()))
+				.toList();
+
+		// replace all:
+		vaultAccessRepo.delete(vaultId, removedMemberIds.toList());
+		vaultAccessRepo.persist(addedMembers);
+		vaultAccessRepo.persist(updatedMembers);
+
+		return Response.noContent().build();
+	}
+
+
+
 	@PUT
 	@Path("/{vaultId}/users/{userId}")
 	@RolesAllowed("user")

backend/src/main/java/org/cryptomator/hub/entities/Authority.java

@@ -12,6 +12,7 @@
 import jakarta.persistence.NamedQuery;
 import jakarta.persistence.Table;
 
+import java.util.Collection;
 import java.util.List;
 import java.util.Objects;
 import java.util.stream.Stream;
@@ -86,7 +87,7 @@ public Stream<Authority> byName(String name) {
 			return find("#Authority.byName", Parameters.with("name", '%' + name.toLowerCase() + '%')).stream();
 		}
 
-		public Stream<Authority> findAllInList(List<String> ids) {
+		public Stream<Authority> findAllInList(Collection<String> ids) {
 			return find("#Authority.allInList", Parameters.with("ids", ids)).stream();
 		}
 	}

backend/src/main/java/org/cryptomator/hub/entities/VaultAccess.java

@@ -30,6 +30,12 @@
 				INNER JOIN FETCH va.authority
 				WHERE va.id.vaultId = :vaultId
 				""")
+@NamedQuery(name = "VaultAccess.deleteForVault",
+		query = """
+				DELETE FROM VaultAccess va
+				WHERE va.id.vaultId = :vaultId
+				AND va.id.authorityId IN :authorityIds
+				""")
 public class VaultAccess {
 
 	@EmbeddedId
@@ -93,6 +99,15 @@ public void setRole(Role role) {
 		this.role = role;
 	}
 
+	public static VaultAccess create(Vault vault, Authority authority, Role role) {
+		VaultAccess entity = new VaultAccess();
+		entity.setId(new Id(vault.getId(), authority.getId()));
+		entity.setVault(vault);
+		entity.setAuthority(authority);
+		entity.setRole(role);
+		return entity;
+	}
+
 	@Embeddable
 	public static class Id implements Serializable {
 
@@ -155,5 +170,9 @@ public static class Repository implements PanacheRepositoryBase<VaultAccess, Id>
 		public Stream<VaultAccess> forVault(UUID vaultId) {
 			return find("#VaultAccess.forVault", Parameters.with("vaultId", vaultId)).stream();
 		}
+
+		public long delete(UUID vaultId, Iterable<String> authorityIds) {
+			return delete("#VaultAccess.deleteForVault", Parameters.with("vaultId", vaultId).and("authorityIds", authorityIds));
+		}
 	}
 }

backend/src/test/java/org/cryptomator/hub/api/VaultResourceIT.java

@@ -4,6 +4,7 @@
 import com.auth0.jwt.algorithms.Algorithm;
 import io.agroal.api.AgroalDataSource;
 import io.quarkus.narayana.jta.QuarkusTransaction;
+import io.quarkus.test.InjectMock;
 import io.quarkus.test.junit.QuarkusTest;
 import io.quarkus.test.security.TestSecurity;
 import io.quarkus.test.security.oidc.Claim;
@@ -14,6 +15,8 @@
 import jakarta.validation.Validator;
 import org.cryptomator.hub.entities.EffectiveVaultAccess;
 import org.cryptomator.hub.entities.Vault;
+import org.cryptomator.hub.entities.VaultAccess;
+import org.cryptomator.hub.entities.events.EventLogger;
 import org.cryptomator.hub.rollback.DBRollbackAfter;
 import org.cryptomator.hub.rollback.DBRollbackBefore;
 import org.flywaydb.core.Flyway;
@@ -32,6 +35,7 @@
 import org.junit.jupiter.api.TestMethodOrder;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.CsvSource;
+import org.mockito.Mockito;
 
 import java.security.GeneralSecurityException;
 import java.security.KeyFactory;
@@ -56,13 +60,15 @@
 import static org.hamcrest.Matchers.comparesEqualTo;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.hasSize;
-import static org.hamcrest.Matchers.nullValue;
 import static org.hamcrest.text.IsEqualIgnoringCase.equalToIgnoringCase;
 
 @QuarkusTest
 @DisplayName("Resource /vaults")
 public class VaultResourceIT {
 
+	@InjectMock
+	EventLogger eventLogger;
+
 	@Inject
 	AgroalDataSource dataSource;
 	@Inject
@@ -344,7 +350,7 @@ public void testUpdateVault() {
 	}
 
 	@Nested
-	@DisplayName("As vault admin user1")
+	@DisplayName("As vault owner user1")
 	@TestSecurity(user = "User Name 1", roles = {"user"})
 	@OidcSecurity(claims = {
 			@Claim(key = "sub", value = "user1")
@@ -565,12 +571,52 @@ public void testRevokeAccess() { // previously added in testGrantAccess()
 
 		@Test
 		@Order(14)
+		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100002222/members adds, removes and updates members")
+		public void setMembersOfVault2() {
+			given().when().contentType(ContentType.JSON).body("""
+							{
+								"user1": "MEMBER",
+								"user2": "OWNER",
+								"group2": "MEMBER"
+							}
+							""").put("/vaults/{vaultId}/members", "7E57C0DE-0000-4000-8000-000100002222")
+					.then().statusCode(204);
+			var vaultId = UUID.fromString("7E57C0DE-0000-4000-8000-000100002222");
+			Mockito.verify(eventLogger).logVaultMemberAdded("user2", vaultId, "user1", VaultAccess.Role.MEMBER);
+			Mockito.verify(eventLogger).logVaultMemberAdded("user2", vaultId, "user2", VaultAccess.Role.OWNER);
+			Mockito.verify(eventLogger).logVaultMemberRemoved("user2", vaultId, "group1");
+			Mockito.verify(eventLogger).logVaultMemberUpdated("user2", vaultId, "group2", VaultAccess.Role.MEMBER);
+		}
+
+		@Test
+		@Order(15)
+		@DisplayName("PUT /vaults/7E57C0DE-0000-4000-8000-000100002222/members restores original members")
+		public void restoreOriginalMembersOfVault2() { // as defined in V9999__Tst_Data.sql
+			given().when().contentType(ContentType.JSON).body("""
+							{
+								"group1": "MEMBER",
+								"group2": "OWNER"
+							}
+							""").put("/vaults/{vaultId}/members", "7E57C0DE-0000-4000-8000-000100002222")
+					.then().statusCode(204);
+			var vaultId = UUID.fromString("7E57C0DE-0000-4000-8000-000100002222");
+			Mockito.verify(eventLogger).logVaultMemberRemoved("user2", vaultId, "user1");
+			Mockito.verify(eventLogger).logVaultMemberRemoved("user2", vaultId, "user2");
+			Mockito.verify(eventLogger).logVaultMemberAdded("user2", vaultId, "group1", VaultAccess.Role.MEMBER);
+			Mockito.verify(eventLogger).logVaultMemberUpdated("user2", vaultId, "group2", VaultAccess.Role.OWNER);
+
+		}
+
+		@Test
+		@Order(16)
 		@DisplayName("GET /vaults/7E57C0DE-0000-4000-8000-000100002222/members does not contain user2")
 		@DBRollbackAfter
 		public void getMembersOfVault2c() {
 			given().when().get("/vaults/{vaultId}/members", "7E57C0DE-0000-4000-8000-000100002222")
 					.then().statusCode(200)
-					.body("id", not(hasItems("user2")));
+					.body("id", not(hasItems("user2")))
+					.body("id", hasItems("group1", "group2"))
+			;
 		}
 	}
 
@@ -1078,6 +1124,7 @@ public class AsAnonymous {
 				"GET, /vaults/accessible",
 				"GET, /vaults/7E57C0DE-0000-4000-8000-000100001111",
 				"GET, /vaults/7E57C0DE-0000-4000-8000-000100001111/members",
+				"PUT, /vaults/7E57C0DE-0000-4000-8000-000100001111/members",
 				"PUT, /vaults/7E57C0DE-0000-4000-8000-000100001111/users/user1",
 				"DELETE, /vaults/7E57C0DE-0000-4000-8000-000100001111/authority/user1",
 				"GET, /vaults/7E57C0DE-0000-4000-8000-000100001111/users-requiring-access-grant",