OpenStackweb · smarcet · Aug 6, 2025 · Aug 5, 2025 · Aug 5, 2025 · Aug 6, 2025
diff --git a/app/Http/Controllers/Api/OAuth2/OAuth2UserApiController.php b/app/Http/Controllers/Api/OAuth2/OAuth2UserApiController.php
@@ -13,11 +13,16 @@
  **/
 
 use App\Http\Controllers\GetAllTrait;
+use App\Http\Controllers\Traits\RequestProcessor;
+use App\Http\Controllers\UserGroupsValidationRulesFactory;
 use App\Http\Controllers\UserValidationRulesFactory;
+use App\Http\Exceptions\HTTP403ForbiddenException;
 use App\Http\Utils\HTMLCleaner;
 use App\ModelSerializers\SerializerRegistry;
 use Auth\Repositories\IUserRepository;
+use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request as LaravelRequest;
+use Illuminate\Support\Facades\App;
 use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\Request;
 use Illuminate\Support\Facades\Log;
@@ -27,6 +32,7 @@
 use models\exceptions\ValidationException;
 use OAuth2\Builders\IdTokenBuilder;
 use OAuth2\IResourceServerContext;
+use OAuth2\Models\IClient;
 use OAuth2\Repositories\IClientRepository;
 use OAuth2\ResourceServer\IUserService;
 use Utils\Http\HttpContentType;
@@ -41,6 +47,8 @@ final class OAuth2UserApiController extends OAuth2ProtectedController
 {
     use GetAllTrait;
 
+    use RequestProcessor;
+
     protected function getAllSerializerType(): string
     {
         return SerializerRegistry::SerializerType_Private;
@@ -324,4 +332,28 @@ public function get($id)
         }
     }
 
+    /**
+     * @param $user_id
+     * @return JsonResponse|mixed
+     */
+    public function updateUserGroups($user_id): mixed
+    {
+        return $this->processRequest(function() use($user_id) {
+            if(!Request::isJson()) return $this->error400();
+
+            $payload = Request::json()->all();
+            // Creates a Validator instance and validates the data.
+            $validation = Validator::make($payload, UserGroupsValidationRulesFactory::build($payload));
+            if ($validation->fails()) {
+                $ex = new ValidationException();
+                throw $ex->setMessages($validation->messages()->toArray());
+            }
+            $user_groups_payload = [
+                "groups" => $payload["groups"],
+            ];
+            $this->openid_user_service->update(intval($user_id), $user_groups_payload);
+            return $this->updated();
+        });
+    }
+
 }
diff --git a/app/Http/Controllers/Factories/UserGroupsValidationRulesFactory.php b/app/Http/Controllers/Factories/UserGroupsValidationRulesFactory.php
@@ -0,0 +1,39 @@
+<?php namespace App\Http\Controllers;
+/**
+ * Copyright 2025 OpenStack Foundation
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+use Auth\User;
+/**
+ * Class UserGroupsValidationRulesFactory
+ * @package App\Http\Controllers
+ */
+final class UserGroupsValidationRulesFactory
+{
+    /**
+     * @param array $data
+     * @param false $update
+     * @param User|null $currentUser
+     * @return string[]
+     */
+    public static function build(array $data, $update = false, ?User $currentUser = null){
+
+        if($update){
+            return  [
+                'groups' => 'sometimes|int_array',
+            ];
+        }
+
+        return [
+            'groups' => 'required|int_array',
+        ];
+    }
+}
diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
@@ -76,5 +76,6 @@ class Kernel extends HttpKernel
         'openstackid.currentuser.serveradmin.json' => \App\Http\Middleware\CurrentUserIsOpenIdServerAdminJson::class,
         'oauth2.currentuser.allow.client.edition'  => \App\Http\Middleware\CurrentUserCanEditOAuth2Client::class,
         'oauth2.currentuser.owns.client'           => \App\Http\Middleware\CurrentUserOwnsOAuth2Client::class,
+        'service.account'                          => \App\Http\Middleware\EnsureServiceAccount::class,
     ];
 }
diff --git a/app/Http/Middleware/EnsureServiceAccount.php b/app/Http/Middleware/EnsureServiceAccount.php
@@ -0,0 +1,50 @@
+<?php namespace App\Http\Middleware;
+
+/**
+ * Copyright 2025 OpenStack Foundation
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+
+use Closure;
+use Illuminate\Support\Facades\App;
+use Illuminate\Support\Facades\Response;
+use OAuth2\IResourceServerContext;
+
+final class EnsureServiceAccount
+{
+    /**
+     * @var IResourceServerContext
+     */
+    private $context;
+
+    /**
+     * EnsureServiceAccount constructor.
+     * @param IResourceServerContext $context
+     */
+    public function __construct(IResourceServerContext $context)
+    {
+        $this->context = $context;
+    }
+
+    /**
+     * @param $request
+     * @param Closure $next
+     * @return \Illuminate\Http\JsonResponse|mixed
+     */
+    public function handle($request, Closure $next)
+    {
+        $application_type = $this->context->getApplicationType();
+        if ($application_type != IResourceServerContext::ApplicationType_Service) {
+            return Response::json(['error' => 'Only service accounts are allowed.'], 403);
+        }
+        return $next($request);
+    }
+}
diff --git a/app/libs/OAuth2/IUserScopes.php b/app/libs/OAuth2/IUserScopes.php
@@ -29,4 +29,5 @@ interface IUserScopes
     const MeRead = 'me/read';
     const MeWrite = 'me/write';
     const Write = 'users/write';
+    const UserGroupWrite = 'users/groups/write';
 }
diff --git a/app/libs/OpenId/Services/IUserService.php b/app/libs/OpenId/Services/IUserService.php
@@ -16,6 +16,8 @@
 use Illuminate\Http\UploadedFile;
 use models\exceptions\EntityNotFoundException;
 use models\exceptions\ValidationException;
+use models\utils\IEntity;
+
 /**
  * Interface IUserService
  * @package OpenId\Services
@@ -72,6 +74,15 @@ public function saveProfileInfo($user_id, $show_pic, $show_full_name, $show_emai
      */
     public function updateProfilePhoto($user_id, UploadedFile $file, $max_file_size = 10485760):User;
 
+    /**
+     * @param int $id
+     * @param array $payload
+     * @return IEntity
+     * @throws ValidationException
+     * @throws EntityNotFoundException
+     */
+    public function update(int $id, array $payload): IEntity;
+
     /**
      * @param string $action
      * @param int $user_id

diff --git a/composer.json b/composer.json
@@ -89,6 +89,7 @@
       "Database\\Seeders\\": "database/seeders/"
     },
     "files": [
+      "app/Utils/helpers.php",
       "app/libs/Utils/Html/HtmlHelpers.php"
     ]
   },

diff --git a/database/migrations/Version20250805084926.php b/database/migrations/Version20250805084926.php
@@ -0,0 +1,61 @@
+<?php namespace Database\Migrations;
+/**
+ * Copyright 2025 OpenStack Foundation
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+
+use App\libs\OAuth2\IUserScopes;
+use Database\Seeders\SeedUtils;
+use Doctrine\Migrations\AbstractMigration;
+use Doctrine\DBAL\Schema\Schema as Schema;
+/**
+ * Class Version20250805084926
+ * @package Database\Migrations
+ */
+class Version20250805084926 extends AbstractMigration
+{
+    /**
+     * @param Schema $schema
+     */
+    public function up(Schema $schema):void
+    {
+        SeedUtils::seedScopes([
+            [
+                'name'               => IUserScopes::UserGroupWrite,
+                'short_description'  => 'Allows associate Users to Groups.',
+                'description'        => 'Allows associate Users to Groups.',
+                'system'             => false,
+                'default'            => false,
+                'groups'             => false,
+            ]
+        ], 'users');
+
+        SeedUtils::seedApiEndpoints('users', [
+            [
+                'name' => 'add-user-to-groups',
+                'active' => true,
+                'route' => '/api/v1/users/{id}/groups',
+                'http_method' => 'PUT',
+                'scopes' => [
+                    IUserScopes::UserGroupWrite
+                ],
+            ],
+        ]);
+    }
+
+    /**
+     * @param Schema $schema
+     */
+    public function down(Schema $schema):void
+    {
+
+    }
+}
diff --git a/database/seeds/ApiEndpointSeeder.php b/database/seeds/ApiEndpointSeeder.php
@@ -11,6 +11,8 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  **/
+
+use App\libs\OAuth2\IUserScopes;
 use Illuminate\Database\Seeder;
 use Illuminate\Support\Facades\DB;
 /**
@@ -119,6 +121,15 @@ private function seedUsersEndpoints()
                         \App\libs\OAuth2\IUserScopes::MeWrite
                     ],
                 ],
+                [
+                    'name' => 'add-user-to-groups',
+                    'active' => true,
+                    'route' => '/api/v1/users/{id}/groups',
+                    'http_method' => 'PUT',
+                    'scopes' => [
+                        \App\libs\OAuth2\IUserScopes::UserGroupWrite
+                    ],
+                ],
             ]
         );
     }

diff --git a/database/seeds/ApiScopeSeeder.php b/database/seeds/ApiScopeSeeder.php
@@ -91,6 +91,14 @@ private function seedUsersScopes(){
                 'system'             => false,
                 'default'            => false,
                 'groups'             => false,
+            ],
+            [
+                'name'               => IUserScopes::UserGroupWrite,
+                'short_description'  => 'Allows associate Users to Groups',
+                'description'        => 'Allows associate Users to Groups',
+                'system'             => false,
+                'default'            => false,
+                'groups'             => false,
             ]
         ], 'users');
 

diff --git a/routes/api.php b/routes/api.php
@@ -31,6 +31,7 @@
     Route::group(['prefix' => '{id}'], function () {
         Route::get('', 'OAuth2UserApiController@get');
         Route::put('', 'OAuth2UserApiController@update');
+        Route::put('groups', ['middleware' => 'service.account', 'uses' => 'OAuth2UserApiController@updateUserGroups']);
     });
 
     Route::group(['prefix' => 'me'], function () {