From 9f15a8b0230823a71f8a1d723db86921ec17aea8 Mon Sep 17 00:00:00 2001
From: Mike Friesen <mfriesen@gmail.com>
Date: Sat, 29 Jun 2024 16:33:35 -0500
Subject: [PATCH] update

---
 docs/openapi/openapi-iam.yaml                 |  1 +
 docs/openapi/openapi-jwt.yaml                 |  1 +
 docs/openapi/openapi-key.yaml                 |  1 +
 .../resources/cloudformation/openapi-iam.yaml |  1 +
 .../resources/cloudformation/openapi-jwt.yaml |  1 +
 .../resources/cloudformation/openapi-key.yaml |  1 +
 .../api/AbstractCoreRequestHandler.java       |  2 +
 .../api/handler/GroupRequestHandler.java      | 73 +++++++++++++++++++
 .../api/handler/GroupsRequestHandler.java     | 16 ----
 .../api/handler/CognitoRequestTest.java       | 22 ++++++
 10 files changed, 103 insertions(+), 16 deletions(-)
 create mode 100644 lambda-api/src/main/java/com/formkiq/stacks/api/handler/GroupRequestHandler.java

diff --git a/docs/openapi/openapi-iam.yaml b/docs/openapi/openapi-iam.yaml
index 87b1a2608..0b8e823e4 100644
--- a/docs/openapi/openapi-iam.yaml
+++ b/docs/openapi/openapi-iam.yaml
@@ -4259,6 +4259,7 @@
               - ApiAuthorization: []
               x-amazon-apigateway-integration:
                 $ref: '#/components/x-amazon-apigateway-integrations/lambdaApi200'
+          /groups/{groupName}:
             delete:
               operationId: DeleteGroup
               summary: Delete Group
diff --git a/docs/openapi/openapi-jwt.yaml b/docs/openapi/openapi-jwt.yaml
index 4c67252c4..5f56030a7 100644
--- a/docs/openapi/openapi-jwt.yaml
+++ b/docs/openapi/openapi-jwt.yaml
@@ -4259,6 +4259,7 @@
               - ApiAuthorization: []
               x-amazon-apigateway-integration:
                 $ref: '#/components/x-amazon-apigateway-integrations/lambdaApi200'
+          /groups/{groupName}:
             delete:
               operationId: DeleteGroup
               summary: Delete Group
diff --git a/docs/openapi/openapi-key.yaml b/docs/openapi/openapi-key.yaml
index 14cef24f2..1691b1256 100644
--- a/docs/openapi/openapi-key.yaml
+++ b/docs/openapi/openapi-key.yaml
@@ -4259,6 +4259,7 @@
               - ApiAuthorization: []
               x-amazon-apigateway-integration:
                 $ref: '#/components/x-amazon-apigateway-integrations/lambdaApi200'
+          /groups/{groupName}:
             delete:
               operationId: DeleteGroup
               summary: Delete Group
diff --git a/lambda-api-graalvm/src/main/resources/cloudformation/openapi-iam.yaml b/lambda-api-graalvm/src/main/resources/cloudformation/openapi-iam.yaml
index 12d45fa2d..4715ead1b 100644
--- a/lambda-api-graalvm/src/main/resources/cloudformation/openapi-iam.yaml
+++ b/lambda-api-graalvm/src/main/resources/cloudformation/openapi-iam.yaml
@@ -4287,6 +4287,7 @@ Resources:
               - ApiAuthorization: []
               x-amazon-apigateway-integration:
                 $ref: "#/components/x-amazon-apigateway-integrations/lambdaApi200"
+          /groups/{groupName}:
             delete:
               operationId: DeleteGroup
               summary: Delete Group
diff --git a/lambda-api-graalvm/src/main/resources/cloudformation/openapi-jwt.yaml b/lambda-api-graalvm/src/main/resources/cloudformation/openapi-jwt.yaml
index be8510cea..33b178dd1 100644
--- a/lambda-api-graalvm/src/main/resources/cloudformation/openapi-jwt.yaml
+++ b/lambda-api-graalvm/src/main/resources/cloudformation/openapi-jwt.yaml
@@ -4287,6 +4287,7 @@ Resources:
               - ApiAuthorization: []
               x-amazon-apigateway-integration:
                 $ref: "#/components/x-amazon-apigateway-integrations/lambdaApi200"
+          /groups/{groupName}:
             delete:
               operationId: DeleteGroup
               summary: Delete Group
diff --git a/lambda-api-graalvm/src/main/resources/cloudformation/openapi-key.yaml b/lambda-api-graalvm/src/main/resources/cloudformation/openapi-key.yaml
index 8532c29e6..729315d02 100644
--- a/lambda-api-graalvm/src/main/resources/cloudformation/openapi-key.yaml
+++ b/lambda-api-graalvm/src/main/resources/cloudformation/openapi-key.yaml
@@ -4287,6 +4287,7 @@ Resources:
               - ApiAuthorization: []
               x-amazon-apigateway-integration:
                 $ref: "#/components/x-amazon-apigateway-integrations/lambdaApi200"
+          /groups/{groupName}:
             delete:
               operationId: DeleteGroup
               summary: Delete Group
diff --git a/lambda-api/src/main/java/com/formkiq/stacks/api/AbstractCoreRequestHandler.java b/lambda-api/src/main/java/com/formkiq/stacks/api/AbstractCoreRequestHandler.java
index 823ae6e3e..e4b300a61 100644
--- a/lambda-api/src/main/java/com/formkiq/stacks/api/AbstractCoreRequestHandler.java
+++ b/lambda-api/src/main/java/com/formkiq/stacks/api/AbstractCoreRequestHandler.java
@@ -68,6 +68,7 @@
 import com.formkiq.stacks.api.handler.DocumentAttributesRequestHandler;
 import com.formkiq.stacks.api.handler.DocumentAttributesValueRequestHandler;
 import com.formkiq.stacks.api.handler.DocumentIdContentRequestHandler;
+import com.formkiq.stacks.api.handler.GroupRequestHandler;
 import com.formkiq.stacks.api.handler.GroupsUserRequestHandler;
 import com.formkiq.stacks.api.handler.PublicationsDocumentIdRequestHandler;
 import com.formkiq.stacks.api.handler.DocumentIdRequestHandler;
@@ -365,6 +366,7 @@ private static void addOnlyOfficeEndpoints() {
 
   private static void addGroupUsersEndpoints() {
     addRequestHandler(new GroupsRequestHandler());
+    addRequestHandler(new GroupRequestHandler());
     addRequestHandler(new GroupsUsersRequestHandler());
     addRequestHandler(new GroupsUserRequestHandler());
     addRequestHandler(new UsersRequestHandler());
diff --git a/lambda-api/src/main/java/com/formkiq/stacks/api/handler/GroupRequestHandler.java b/lambda-api/src/main/java/com/formkiq/stacks/api/handler/GroupRequestHandler.java
new file mode 100644
index 000000000..bdc3a6f9f
--- /dev/null
+++ b/lambda-api/src/main/java/com/formkiq/stacks/api/handler/GroupRequestHandler.java
@@ -0,0 +1,73 @@
+/**
+ * MIT License
+ * 
+ * Copyright (c) 2018 - 2020 FormKiQ
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+package com.formkiq.stacks.api.handler;
+
+import com.amazonaws.services.lambda.runtime.LambdaLogger;
+import com.formkiq.aws.cognito.CognitoIdentityProviderService;
+import com.formkiq.aws.services.lambda.ApiAuthorization;
+import com.formkiq.aws.services.lambda.ApiGatewayRequestEvent;
+import com.formkiq.aws.services.lambda.ApiGatewayRequestEventUtil;
+import com.formkiq.aws.services.lambda.ApiGatewayRequestHandler;
+import com.formkiq.aws.services.lambda.ApiMapResponse;
+import com.formkiq.aws.services.lambda.ApiPermission;
+import com.formkiq.aws.services.lambda.ApiRequestHandlerResponse;
+import com.formkiq.module.lambdaservices.AwsServiceCache;
+
+import java.util.Map;
+import java.util.Optional;
+
+import static com.formkiq.aws.services.lambda.ApiResponseStatus.SC_OK;
+
+/** {@link ApiGatewayRequestHandler} for "/groups/{groupName}". */
+public class GroupRequestHandler implements ApiGatewayRequestHandler, ApiGatewayRequestEventUtil {
+
+  /** {@link GroupRequestHandler} URL. */
+  public static final String URL = "/groups/{groupName}";
+
+  @Override
+  public Optional<Boolean> isAuthorized(final AwsServiceCache awsServiceCache, final String method,
+      final ApiGatewayRequestEvent event, final ApiAuthorization authorization) {
+    boolean access = authorization.getPermissions().contains(ApiPermission.ADMIN);
+    return !"get".equalsIgnoreCase(method) ? Optional.of(access) : Optional.empty();
+  }
+
+  @Override
+  public String getRequestUrl() {
+    return URL;
+  }
+
+  @Override
+  public ApiRequestHandlerResponse delete(final LambdaLogger logger,
+      final ApiGatewayRequestEvent event, final ApiAuthorization authorization,
+      final AwsServiceCache awsservice) throws Exception {
+
+    String groupName = event.getPathParameters().get("groupName");
+    CognitoIdentityProviderService service =
+        awsservice.getExtension(CognitoIdentityProviderService.class);
+    service.deleteGroup(groupName);
+
+    ApiMapResponse resp = new ApiMapResponse(Map.of("message", "Group " + groupName + " deleted"));
+    return new ApiRequestHandlerResponse(SC_OK, resp);
+  }
+}
diff --git a/lambda-api/src/main/java/com/formkiq/stacks/api/handler/GroupsRequestHandler.java b/lambda-api/src/main/java/com/formkiq/stacks/api/handler/GroupsRequestHandler.java
index 43da88d7a..52185f61c 100644
--- a/lambda-api/src/main/java/com/formkiq/stacks/api/handler/GroupsRequestHandler.java
+++ b/lambda-api/src/main/java/com/formkiq/stacks/api/handler/GroupsRequestHandler.java
@@ -103,20 +103,4 @@ public ApiRequestHandlerResponse post(final LambdaLogger logger,
         new ApiMapResponse(Map.of("message", "Group " + request.getGroupName() + " created"));
     return new ApiRequestHandlerResponse(SC_OK, resp);
   }
-
-  @Override
-  public ApiRequestHandlerResponse delete(final LambdaLogger logger,
-      final ApiGatewayRequestEvent event, final ApiAuthorization authorization,
-      final AwsServiceCache awsservice) throws Exception {
-
-    AddGroupRequest request = fromBodyToObject(event, AddGroupRequest.class);
-
-    CognitoIdentityProviderService service =
-        awsservice.getExtension(CognitoIdentityProviderService.class);
-    service.deleteGroup(request.getGroupName());
-
-    ApiMapResponse resp =
-        new ApiMapResponse(Map.of("message", "Group " + request.getGroupName() + " deleted"));
-    return new ApiRequestHandlerResponse(SC_OK, resp);
-  }
 }
diff --git a/lambda-api/src/test/java/com/formkiq/stacks/api/handler/CognitoRequestTest.java b/lambda-api/src/test/java/com/formkiq/stacks/api/handler/CognitoRequestTest.java
index e35b7f5ca..1a6e22c19 100644
--- a/lambda-api/src/test/java/com/formkiq/stacks/api/handler/CognitoRequestTest.java
+++ b/lambda-api/src/test/java/com/formkiq/stacks/api/handler/CognitoRequestTest.java
@@ -264,4 +264,26 @@ public void testPutUserOperation01() {
           e.getResponseBody());
     }
   }
+
+  /**
+   * DELETE /groups/{groupName} only allowed by admin.
+   *
+   */
+  @Test
+  public void testDeleteGroup01() {
+    // given
+    setBearerToken("security");
+
+    // when
+    try {
+      this.userManagementApi.deleteGroup("test");
+      fail();
+    } catch (ApiException e) {
+      // then
+      assertEquals(ApiResponseStatus.SC_UNAUTHORIZED.getStatusCode(), e.getCode());
+      assertEquals(
+          "{\"message\":\"fkq access denied " + "(groups: security (DELETE,READ,WRITE))\"}",
+          e.getResponseBody());
+    }
+  }
 }