From 52bbe69ec63a75cb9739891bd40e1302469e22fa Mon Sep 17 00:00:00 2001 From: Josh Freda Date: Fri, 12 Apr 2024 11:50:04 -0500 Subject: [PATCH] Make group approvals conditional based on config (#674) * Update group approvals config format * Update docs to account for group approvals * Add property to Config; update API * Make approver groups conditional * Add dashboard announcement * Make Group callout conditional * Update groups API * Remove commented-out code --------- Co-authored-by: Jeff Daley --- README.md | 6 +-- configs/config.hcl | 11 ++++- internal/api/v2/groups.go | 17 ++++++- internal/config/config.go | 15 ++++++- .../dashboard/new-features-banner.hbs | 45 ++++++++++++------- .../dashboard/new-features-banner.ts | 9 +++- web/app/components/document/sidebar.hbs | 4 +- web/app/config/environment.d.ts | 1 + web/app/routes/authenticated/document.ts | 24 +++++----- web/app/services/config.ts | 1 + web/app/styles/components/dashboard.scss | 15 +++++++ web/mirage/utils.ts | 1 + web/web.go | 9 ++++ 13 files changed, 118 insertions(+), 40 deletions(-) diff --git a/README.md b/README.md index 0b99662bf..7f7a0ebdb 100644 --- a/README.md +++ b/README.md @@ -23,7 +23,7 @@ Hermes was created and is currently maintained by HashiCorp Labs, a small team i 1. Enable the following APIs for [Google Workspace APIs](https://developers.google.com/workspace/guides/enable-apis) - - Admin SDK API + - Admin SDK API (optional, if enabling Google Groups as document approvers) - Google Docs API - Google Drive API - Gmail API @@ -146,12 +146,12 @@ NOTE: when not using a Google service account, this will automatically open a br - Create a new key (JSON type) for the service account and download it. - Go to [Delegating domain-wide authority to the service account](https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority) and follow the instructions to enter the OAuth scopes. -- Add the following OAuth scopes (comma-delimited list): +- Add the following OAuth scopes (if enabling group approvals, add `https://www.googleapis.com/auth/admin.directory.group.readonly` to the comma-delimited list): `https://www.googleapis.com/auth/directory.readonly,https://www.googleapis.com/auth/documents,https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/gmail.send` 1. Configure the service account in the `auth` block under the `google_workspace` config block. -More to come here... +1. If enabling group approvals, add the `https://www.googleapis.com/auth/admin.directory.group.readonly` role to the service user configured as the `subject` in the `auth` block (from previous step). ## Architecture diff --git a/configs/config.hcl b/configs/config.hcl index 0f9f2630d..f2b40b5a7 100644 --- a/configs/config.hcl +++ b/configs/config.hcl @@ -122,8 +122,15 @@ google_workspace { // drafts_folder contains all draft documents. drafts_folder = "my-drafts-folder-id" - // groups_prefix is the prefix to use when searching for Google Groups. - // groups_prefix = "team-" + // group_approvals is the configuration for using Google Groups as document + // approvers. + group_approvals { + // enabled enables using Google Groups as document approvers. + enabled = false + + // search_prefix is the prefix to use when searching for Google Groups. + // search_prefix = "team-" + } // If create_doc_shortcuts is set to true, shortcuts_folder will contain an // organized hierarchy of folders and shortcuts to published files that can be diff --git a/internal/api/v2/groups.go b/internal/api/v2/groups.go index 1d36c6d74..ce0bd2988 100644 --- a/internal/api/v2/groups.go +++ b/internal/api/v2/groups.go @@ -47,6 +47,14 @@ func GroupsHandler(srv server.Server) http.Handler { return } + // Respond with error if group approvals are not enabled. + if srv.Config.GoogleWorkspace.GroupApprovals == nil || + !srv.Config.GoogleWorkspace.GroupApprovals.Enabled { + http.Error(w, + "Group approvals have not been enabled", http.StatusUnprocessableEntity) + return + } + switch r.Method { case "POST": // Decode request. @@ -73,11 +81,16 @@ func GroupsHandler(srv server.Server) http.Handler { ) // Retrieve groups with prefix, if configured. - if srv.Config.GoogleWorkspace.GroupsPrefix != "" { + searchPrefix := "" + if srv.Config.GoogleWorkspace.GroupApprovals != nil && + srv.Config.GoogleWorkspace.GroupApprovals.SearchPrefix != "" { + searchPrefix = srv.Config.GoogleWorkspace.GroupApprovals.SearchPrefix + } + if searchPrefix != "" { maxNonPrefixGroups = maxGroupResults - maxPrefixGroupResults prefixQuery := fmt.Sprintf( - "%s%s", srv.Config.GoogleWorkspace.GroupsPrefix, query) + "%s%s", searchPrefix, query) prefixGroups, err = srv.GWService.AdminDirectory.Groups.List(). Domain(srv.Config.GoogleWorkspace.Domain). MaxResults(maxPrefixGroupResults). diff --git a/internal/config/config.go b/internal/config/config.go index 9144e8f48..29e3a3ced 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -219,8 +219,9 @@ type GoogleWorkspace struct { // DraftsFolder is the folder that contains all document drafts. DraftsFolder string `hcl:"drafts_folder"` - // GroupsPrefix is the prefix to use when searching for Google Groups. - GroupsPrefix string `hcl:"groups_prefix,optional"` + // GoogleWorkspaceGroupApprovals is the configuration for using Google Groups as + // document approvers. + GroupApprovals *GoogleWorkspaceGroupApprovals `hcl:"group_approvals,block"` // OAuth2 is the configuration to use OAuth 2.0 to access Google Workspace // APIs. @@ -241,6 +242,16 @@ type GoogleWorkspace struct { UserNotFoundEmail *GoogleWorkspaceUserNotFoundEmail `hcl:"user_not_found_email,block"` } +// GoogleWorkspaceGroupApprovals is the configuration for using Google Groups as +// document approvers. +type GoogleWorkspaceGroupApprovals struct { + // Enabled enables using Google Groups as document approvers. + Enabled bool `hcl:"enabled,optional"` + + // SearchPrefix is the prefix to use when searching for Google Groups. + SearchPrefix string `hcl:"search_prefix,optional"` +} + // GoogleWorkspaceOAuth2 is the configuration to use OAuth 2.0 to access Google // Workspace APIs. type GoogleWorkspaceOAuth2 struct { diff --git a/web/app/components/dashboard/new-features-banner.hbs b/web/app/components/dashboard/new-features-banner.hbs index 339a81d8d..de1ebe51b 100644 --- a/web/app/components/dashboard/new-features-banner.hbs +++ b/web/app/components/dashboard/new-features-banner.hbs @@ -3,28 +3,39 @@ data-test-new-features-banner @type="inline" @color="highlight" - @icon="folder-star" + {{! Icon is hidden by CSS; See `dashboard.scss` }} @onDismiss={{this.dismiss}} class="mb-10" as |A| > - Introducing Projects! + What's new in Hermes - Projects are a new way to organize documents and links around an effort. -
- - or - -
+
    + {{#if this.configSvc.config.group_approvals}} +
  • + +

    + Google Groups can be added as document approvers +

    +
  • + {{/if}} +
  • + +

    + Document ownership can be transferred between users +

    +
  • +
  • + +

    + We've improved owner filtering on the + + All Docs + + view +

    +
  • +
{{/if}} diff --git a/web/app/components/dashboard/new-features-banner.ts b/web/app/components/dashboard/new-features-banner.ts index dc0d8a54e..f9e18de35 100644 --- a/web/app/components/dashboard/new-features-banner.ts +++ b/web/app/components/dashboard/new-features-banner.ts @@ -2,15 +2,22 @@ import Component from "@glimmer/component"; import { tracked } from "@glimmer/tracking"; import window from "ember-window-mock"; import { action } from "@ember/object"; +import { inject as service } from "@ember/service"; +import ConfigService from "hermes/services/config"; export const NEW_FEATURES_BANNER_LOCAL_STORAGE_ITEM = - "jan-18-2024-newFeatureBannerIsShown"; + "apr-12-2024-newFeatureBannerIsShown"; interface DashboardNewFeaturesBannerSignature { Args: {}; } export default class DashboardNewFeaturesBanner extends Component { + /** + * Used to determine whether the Google Groups callout should be shown. + */ + @service("config") declare configSvc: ConfigService; + @tracked protected isDismissed = false; /** diff --git a/web/app/components/document/sidebar.hbs b/web/app/components/document/sidebar.hbs index 21569e3a2..d7ec892f2 100644 --- a/web/app/components/document/sidebar.hbs +++ b/web/app/components/document/sidebar.hbs @@ -289,7 +289,7 @@ @onSave={{perform this.saveApprovers}} @isSaving={{this.saveIsRunning}} @isReadOnly={{this.editingIsDisabled}} - @includeGroupsInPeopleSelect={{true}} + @includeGroupsInPeopleSelect={{this.configSvc.config.group_approvals}} {{! Provide the document to the `has-approved-doc` helper }} @document={{@document}} /> @@ -767,7 +767,7 @@ r); - - const allowed = resp?.headers.get("allowed"); - - if (allowed?.includes("POST")) { - viewerIsGroupApprover = true; + if (this.configSvc.config.group_approvals) { + const resp = await this.fetchSvc + .fetch( + `/api/${this.configSvc.config.api_version}/approvals/${params.document_id}`, + { method: "OPTIONS" }, + ) + .then((r) => r); + + const allowed = resp?.headers.get("allowed"); + + if (allowed?.includes("POST")) { + viewerIsGroupApprover = true; + } } const typedDoc = doc as HermesDocument; diff --git a/web/app/services/config.ts b/web/app/services/config.ts index 454bfca7f..3226908b9 100644 --- a/web/app/services/config.ts +++ b/web/app/services/config.ts @@ -18,6 +18,7 @@ export default class ConfigService extends Service { support_link_url: config.supportLinkURL, version: config.version, short_revision: config.shortRevision, + group_approvals: config.groupApprovals, }; setConfig(param: HermesConfig) { diff --git a/web/app/styles/components/dashboard.scss b/web/app/styles/components/dashboard.scss index 9becc6679..5250f4343 100644 --- a/web/app/styles/components/dashboard.scss +++ b/web/app/styles/components/dashboard.scss @@ -68,3 +68,18 @@ @apply mt-0; } } + +.hds-alert--color-highlight { + @apply pl-5; + + .hds-alert__icon { + @apply hidden; + } +} + +.icon-list { + li { + @apply grid items-center gap-2.5 py-0.5 pl-1; + grid-template-columns: 16px 1fr; + } +} diff --git a/web/mirage/utils.ts b/web/mirage/utils.ts index 5bd4ed332..128e3a3c6 100644 --- a/web/mirage/utils.ts +++ b/web/mirage/utils.ts @@ -50,6 +50,7 @@ export const TEST_WEB_CONFIG = { google_doc_folders: "", short_link_base_url: TEST_SHORT_LINK_BASE_URL, skip_google_auth: false, + group_approvals: true, google_analytics_tag_id: undefined, support_link_url: TEST_SUPPORT_URL, version: "1.2.3", diff --git a/web/web.go b/web/web.go index 363a8fc63..c8a18e199 100644 --- a/web/web.go +++ b/web/web.go @@ -64,6 +64,7 @@ type ConfigResponse struct { GoogleAnalyticsTagID string `json:"google_analytics_tag_id"` GoogleOAuth2ClientID string `json:"google_oauth2_client_id"` GoogleOAuth2HD string `json:"google_oauth2_hd"` + GroupApprovals bool `json:"group_approvals"` JiraURL string `json:"jira_url"` ShortLinkBaseURL string `json:"short_link_base_url"` SkipGoogleAuth bool `json:"skip_google_auth"` @@ -120,6 +121,13 @@ func ConfigHandler( createDocsAsUser = true } + // Set GroupApprovals if enabled in the config. + groupApprovals := false + if cfg.GoogleWorkspace.GroupApprovals != nil && + cfg.GoogleWorkspace.GroupApprovals.Enabled { + groupApprovals = true + } + // Set JiraURL if enabled in the config. jiraURL := "" if cfg.Jira != nil && cfg.Jira.Enabled { @@ -136,6 +144,7 @@ func ConfigHandler( GoogleAnalyticsTagID: cfg.GoogleAnalyticsTagID, GoogleOAuth2ClientID: cfg.GoogleWorkspace.OAuth2.ClientID, GoogleOAuth2HD: cfg.GoogleWorkspace.OAuth2.HD, + GroupApprovals: groupApprovals, JiraURL: jiraURL, ShortLinkBaseURL: shortLinkBaseURL, SkipGoogleAuth: skipGoogleAuth,