[#432] Implement credentials deletion and generation

apigee_edge.install

@@ -95,6 +95,9 @@ function apigee_edge_install() {
       'update own developer_app',
       'delete own developer_app',
       'analytics own developer_app',
+      'add_api_key own developer_app',
+      'revoke_api_key own developer_app',
+      'edit_api_products developer_app',
     ];
     user_role_grant_permissions(RoleInterface::AUTHENTICATED_ID, $authenticated_user_permissions);
   }
@@ -258,3 +261,16 @@ function apigee_edge_update_8102() {
   $last_installed_schema_repository->setLastInstalledFieldStorageDefinitions($entity_type_id, $original_storage_definitions);
 }
 
+/**
+ * Assign the "add_api_key own developer_app" permission to authenticated users.
+ */
+function apigee_edge_update_8103() {
+  if (\Drupal::moduleHandler()->moduleExists('user')) {
+    $authenticated_user_permissions = [
+      'add_api_key own developer_app',
+      'revoke_api_key own developer_app',
+      'edit_api_products developer_app',
+    ];
+    user_role_grant_permissions(RoleInterface::AUTHENTICATED_ID, $authenticated_user_permissions);
+  }
+}

apigee_edge.libraries.yml

@@ -61,6 +61,12 @@ apigee_edge.app_view:
     - core/drupal
     - core/drupalSettings
 
+apigee_edge.app_credential:
+  version: 1.0
+  css:
+    theme:
+      css/apigee_edge.app_credential.css: {}
+
 apiproduct_access_admin:
   version: 1.0
   js:

apigee_edge.module

@@ -382,17 +382,53 @@ function apigee_edge_entity_view(array &$build, EntityInterface $entity, EntityV
       $build['credentials'] = [
         '#type' => 'container',
       ];
+      $index = 0;
       foreach ($entity->getCredentials() as $credential) {
-        $build['credentials'][] = [
+        $build['credentials'][$credential->getStatus()][] = [
           '#type' => 'app_credential',
           '#credential' => $credential,
           '#app_name' => $entity->getName(),
           '#team_app_name' => isset($team_app_name) ? $team_app_name : '',
+          '#app' => $entity,
           '#attributes' => [
             'class' => 'items--inline',
+            'data-app' => $entity->getName(),
+            'data-team' => isset($team_app_name) ? $team_app_name : '',
+            'data-app-container-index' => $index,
           ],
         ] + $defaults;
+        $index++;
       }
+
+      // Hide revoked credentials in a collapsible section.
+      if (!empty($build['credentials'][AppCredentialInterface::STATUS_REVOKED])) {
+        $revoked_credentials = $build['credentials'][AppCredentialInterface::STATUS_REVOKED];
+        $build['credentials'][AppCredentialInterface::STATUS_REVOKED] = [
+          '#type' => 'details',
+          '#title' => t('Revoked keys (@count)', ['@count' => count($revoked_credentials)]),
+          '#weight' => 100,
+          'credentials' => $revoked_credentials,
+        ];
+      }
+    }
+
+    // Add link to add keys.
+    if($entity->access('add_api_key') && $entity->hasLinkTemplate('add-api-key-form')) {
+      $build['add_keys'] = Link::fromTextAndUrl(t('Add key'), $entity->toUrl('add-api-key-form', [
+        'attributes' => [
+          'data-dialog-type' => 'modal',
+          'data-dialog-options' => json_encode([
+            'width' => 500,
+            'height' => 250,
+            'draggable' => FALSE,
+            'autoResize' => FALSE,
+          ]),
+          'class' => [
+            'use-ajax',
+            'button',
+          ],
+        ],
+      ]))->toRenderable();
     }
   }
 }
@@ -457,6 +493,27 @@ function apigee_edge_api_product_access(EntityInterface $entity, $operation, Acc
   return $result->cachePerUser()->addCacheTags(['config:' . $config_name]);
 }
 
+/**
+ * Implements hook_entity_access().
+ */
+function apigee_edge_entity_access(EntityInterface $entity, $operation, AccountInterface $account) {
+  if (!$entity->getEntityType()->entityClassImplements(AppInterface::class) || !in_array($operation, ['revoke_api_key', 'delete_api_key'])) {
+    return AccessResult::neutral();
+  }
+
+  /** @var \Drupal\apigee_edge\Entity\AppInterface $entity **/
+
+  $approved_credentials = array_filter($entity->getCredentials(), function (AppCredentialInterface $credential) {
+    return $credential->getStatus() === AppCredentialInterface::STATUS_APPROVED;
+  });
+
+  // Prevent revoking/deleting the only active key.
+  if (count($approved_credentials) <= 1) {
+    $action = $operation === "revoke_api_key" ? "revoke" : "delete";
+    return AccessResult::forbidden("You cannot $action the only active key.");
+  }
+}
+
 /**
  * Implements hook_form_FORM_ID_alter().
  */
@@ -1031,6 +1088,8 @@ function template_preprocess_app_credential_product_list(array &$variables) {
 function template_preprocess_app_credential(array &$variables) {
   /** @var \Apigee\Edge\Api\Management\Entity\AppCredentialInterface $credential */
   $credential = $variables['elements']['#credential'];
+  /** @var \Drupal\apigee_edge\Entity\AppInterface $app */
+  $app = $variables['elements']['#app'];
   /** @var \Drupal\Core\Datetime\DateFormatterInterface $dateFormatter */
   $dateFormatter = Drupal::service('date.formatter');
   $serializer = new AppCredentialSerializer();
@@ -1069,14 +1128,10 @@ function template_preprocess_app_credential(array &$variables) {
     '#type' => 'container',
     '#attributes' => [
       'class' => 'wrapper--primary app-details-wrapper',
-      'data-app' => $variables['elements']['#app_name'],
     ],
   ];
 
-  if (!empty($variables['elements']['#team_app_name'])) {
-    $variables['primary_wrapper']['#attributes']['data-team'] = $variables['elements']['#team_app_name'];
-  }
-
+  $index = 0;
   foreach ($properties_in_primary as $property => $def) {
     $variables['primary_wrapper'][$property] = [
       '#type' => 'container',
@@ -1120,6 +1175,7 @@ function template_preprocess_app_credential(array &$variables) {
         '#attributes' => [
           'class' => 'secret',
           'data-secret-type' => $property,
+          'data-app-index' => $index,
         ],
         '#value' => '',
       ];
@@ -1140,6 +1196,7 @@ function template_preprocess_app_credential(array &$variables) {
         '#markup' => Xss::filter($value),
       ];
     }
+    $index++;
   }
 
   $variables['secondary_wrapper'] = [
@@ -1160,6 +1217,27 @@ function template_preprocess_app_credential(array &$variables) {
 
   // Helpful $content variable for templates.
   $variables['content'] = $normalized;
+
+  // Add operations.
+  $variables['operations'] = [
+    '#type' => 'operations',
+  ];
+
+  if ($credential->getStatus() === AppCredentialInterface::STATUS_APPROVED && $app->access('revoke_api_key') && $app->hasLinkTemplate('revoke-api-key-form')) {
+    $variables['operations']['#links']['revoke'] = [
+      'title' => t('Revoke'),
+      'url' => $app->toUrl('revoke-api-key-form')
+        ->setRouteParameter('consumer_key', $credential->getConsumerKey()),
+    ];
+  }
+
+  if ($app->access('delete_api_key') && $app->hasLinkTemplate('delete-api-key-form')) {
+    $variables['operations']['#links']['delete'] = [
+      'title' => t('Delete'),
+      'url' => $app->toUrl('delete-api-key-form')
+        ->setRouteParameter('consumer_key', $credential->getConsumerKey()),
+    ];
+  }
 }
 
 /**

css/apigee_edge.app_credential.css

@@ -0,0 +1,26 @@
+/*
+ * Copyright 2020 Google Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License version 2 as published by the
+ * Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
+ * License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc., 51
+ * Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+
+.app-credential {
+  position: relative;
+}
+
+.app-credential .dropbutton-wrapper {
+  position: absolute;
+  top: 0;
+  right: 20px;
+}

css/apigee_edge.components.css

@@ -45,6 +45,11 @@
   vertical-align: super;
 }
 
+/* This fixes the ui datepicker position when displayed in a modal. */
+.ui-datepicker {
+  z-index: 1500 !important;
+}
+
 @media screen and (min-width: 768px) {
   .apigee-edge--form .form-checkboxes .form-item {
     width: 49%;

js/apigee_edge.app_view.js

@@ -32,7 +32,7 @@
   Drupal.apigeeEdgeDetails = {
     editActions: function (context, settings) {
       var secrets = $('.secret', context);
-      var appElWrapper = '.app-details-wrapper';
+      var appElWrapper = '.app-credential';
       var showHideEl = 'a.secret-show-hide';
       var pClass = 'processing';
       var loader = '<img src="' + drupalSettings.path.baseUrl + 'core/misc/throbber-active.gif" border="0" />';
@@ -54,8 +54,8 @@
             $(this).parent().parent(),
             $wrapper.data('team'),
             $wrapper.data('app'),
-            $wrapper.closest('fieldset').parent().find('fieldset').index($(this).closest('fieldset')),
-            $wrapper.find(showHideEl).index(this)
+            $wrapper.data('app-container-index'),
+            $(this).closest('.secret').data('app-index')
           );
         }
       });
@@ -81,7 +81,7 @@
    */
   function callEndpoint(teamApp,  app, callback) {
     var endpoint = drupalSettings.path.baseUrl + 'user/' + drupalSettings.currentUser + '/apps/' + app + '/api-keys';
-    if (teamApp !== undefined) {
+    if (teamApp !== undefined && teamApp !== 0 && teamApp !== '') {
       endpoint = drupalSettings.path.baseUrl + 'teams/' + teamApp + '/apps/' + app + '/api-keys';
     }
     $.get(endpoint, function(data) {

modules/apigee_edge_actions/tests/src/Kernel/Plugin/RulesEvent/EdgeEntityRemoveProductEventTest.php

@@ -108,11 +108,6 @@ public function testEvent() {
         'product' => $api_product,
       ],
     ]);
-    $this->stack->queueMockResponse([
-      'get_developer_apps' => [
-        'apps' => [$developer_app]
-      ],
-    ]);
     $app_credential_controller->deleteApiProduct($consumer_key, $api_product->id());
 
     $this->assertLogsContains("Event apigee_edge_actions_entity_remove_product:developer_app was dispatched.");

modules/apigee_edge_teams/apigee_edge_teams.install

@@ -59,3 +59,20 @@ function apigee_edge_teams_requirements($phase) {
 
   return $requirements;
 }
+
+/**
+ * Assign "add_api_key", "revoke_api_key" and "edit_api_products" permissions to team administrators.
+ */
+function apigee_edge_teams_update_8701() {
+  $role = 'admin';
+  $api_key_permissions = [
+    'team_app_add_api_key',
+    'team_app_edit_api_products',
+    'team_app_revoke_api_key',
+  ];
+  /** @var \Drupal\apigee_edge_teams\Entity\Storage\TeamRoleStorageInterface $storage */
+  $storage = Drupal::entityTypeManager()->getStorage('team_role');
+  /** @var \Drupal\apigee_edge_teams\Entity\TeamRoleInterface $admin_role */
+  $admin_role = $storage->load($role);
+  $storage->changePermissions($role, $admin_role->getPermissions() + array_combine($api_key_permissions, $api_key_permissions));
+}

modules/apigee_edge_teams/config/install/apigee_edge_teams.team_role.admin.yml

@@ -8,3 +8,6 @@ permissions:
   - team_manage_members
   - team_app_delete
   - team_app_update
+  - team_app_add_api_key
+  - team_app_edit_api_products
+  - team_app_revoke_api_key

modules/apigee_edge_teams/src/DefaultTeamPermissionsProvider.php

@@ -74,6 +74,10 @@ public function permissions(): array {
           'update' => $this->t('Edit any Team Apps'),
           'delete' => $this->t('Delete any Team Apps'),
           'analytics' => $this->t('View analytics of any Team Apps'),
+          'add_api_key' => $this->t('Add API key to Team Apps'),
+          'revoke_api_key' => $this->t('Revoke API key from Team Apps'),
+          'delete_api_key' => $this->t('Delete API key from Team Apps'),
+          'edit_api_products' => $this->t('Edit API products for Team Apps'),
         ],
       ],
       'api_product' => [

modules/apigee_edge_teams/src/Entity/Form/TeamAppEditForm.php

@@ -23,6 +23,7 @@
 use Drupal\apigee_edge\Entity\Controller\AppCredentialControllerInterface;
 use Drupal\apigee_edge\Entity\Form\AppEditForm;
 use Drupal\apigee_edge_teams\Entity\Controller\TeamAppCredentialControllerFactoryInterface;
+use Drupal\apigee_edge_teams\TeamPermissionHandlerInterface;
 use Drupal\Core\Entity\EntityTypeManagerInterface;
 use Drupal\Core\Form\FormStateInterface;
 use Drupal\Core\Render\Element;
@@ -44,6 +45,13 @@ class TeamAppEditForm extends AppEditForm {
    */
   protected $appCredentialControllerFactory;
 
+  /**
+   * The team permission handler.
+   *
+   * @var \Drupal\apigee_edge_teams\TeamPermissionHandlerInterface
+   */
+  protected $teamPermissionHandler;
+
   /**
    * Constructs TeamAppEditForm.
    *
@@ -53,10 +61,16 @@ class TeamAppEditForm extends AppEditForm {
    *   The renderer service.
    * @param \Drupal\apigee_edge_teams\Entity\Controller\TeamAppCredentialControllerFactoryInterface $app_credential_controller_factory
    *   The team app credential controller factory.
+   * @param \Drupal\apigee_edge_teams\TeamPermissionHandlerInterface $team_permission_handler
+   *   The team permission handler.
    */
-  public function __construct(EntityTypeManagerInterface $entity_type_manager, RendererInterface $renderer, TeamAppCredentialControllerFactoryInterface $app_credential_controller_factory) {
+  public function __construct(EntityTypeManagerInterface $entity_type_manager, RendererInterface $renderer, TeamAppCredentialControllerFactoryInterface $app_credential_controller_factory, TeamPermissionHandlerInterface $team_permission_handler = NULL) {
+    if (!$team_permission_handler) {
+      $team_permission_handler = \Drupal::service('apigee_edge_teams.team_permissions');
+    }
     parent::__construct($entity_type_manager, $renderer);
     $this->appCredentialControllerFactory = $app_credential_controller_factory;
+    $this->teamPermissionHandler = $team_permission_handler;
   }
 
   /**
@@ -66,7 +80,8 @@ public static function create(ContainerInterface $container) {
     return new static(
       $container->get('entity_type.manager'),
       $container->get('renderer'),
-      $container->get('apigee_edge_teams.controller.team_app_credential_controller_factory')
+      $container->get('apigee_edge_teams.controller.team_app_credential_controller_factory'),
+      $container->get('apigee_edge_teams.team_permissions')
     );
   }
 
@@ -99,4 +114,15 @@ protected function getRedirectUrl(): Url {
     return parent::getRedirectUrl();
   }
 
+  /**
+   * {@inheritdoc}
+   */
+  protected function canEditApiProducts(): bool {
+    if (($team_name = $this->entity->getAppOwner()) && $team = $this->entityTypeManager->getStorage('team')->load($team_name)) {
+      return in_array('team_app_edit_api_products', $this->teamPermissionHandler->getDeveloperPermissionsByTeam($team, $this->currentUser()));
+    }
+
+    return parent::canEditApiProducts();
+  }
+
 }

modules/apigee_edge_teams/src/Entity/TeamApp.php

@@ -50,6 +50,9 @@
  *       "edit" = "Drupal\apigee_edge_teams\Entity\Form\TeamAppEditForm",
  *       "delete" = "Drupal\apigee_edge_teams\Entity\Form\TeamAppDeleteForm",
  *       "analytics" = "Drupal\apigee_edge_teams\Form\TeamAppAnalyticsForm",
+ *       "add_api_key" = "Drupal\apigee_edge_teams\Form\TeamAppApiKeyAddForm",
+ *       "delete_api_key" = "Drupal\apigee_edge_teams\Form\TeamAppApiKeyDeleteForm",
+ *       "revoke_api_key" = "Drupal\apigee_edge_teams\Form\TeamAppApiKeyRevokeForm",
  *     },
  *     "list_builder" = "Drupal\apigee_edge_teams\Entity\ListBuilder\TeamAppListBuilder",
  *     "view_builder" = "Drupal\apigee_edge\Entity\AppViewBuilder",
@@ -67,6 +70,9 @@
  *     "delete-form" = "/teams/{team}/apps/{app}/delete",
  *     "analytics"  = "/teams/{team}/apps/{app}/analytics",
  *     "api-keys"  = "/teams/{team}/apps/{app}/api-keys",
+ *     "add-api-key-form" = "/teams/{team}/apps/{app}/api-keys/add",
+ *     "delete-api-key-form" = "/teams/{team}/apps/{app}/api-keys/{consumer_key}/delete",
+ *     "revoke-api-key-form" = "/teams/{team}/apps/{app}/api-keys/{consumer_key}/revoke",
  *   },
  *   entity_keys = {
  *     "id" = "appId",