From a2d1ed82f40d96f50cdd1d2dabb6c21a735431db Mon Sep 17 00:00:00 2001
From: Travis Semple
Date: Wed, 18 Dec 2024 10:10:08 -0800
Subject: [PATCH] Move staff check above GOV ACCOUNT USER
---
 auth-api/src/auth_api/resources/v1/user.py | 9 ++++++++-
 auth-api/src/auth_api/services/keycloak.py | 4 ++--
 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/auth-api/src/auth_api/resources/v1/user.py b/auth-api/src/auth_api/resources/v1/user.py
index 8f4d4a2724..44445b7919 100644
--- a/auth-api/src/auth_api/resources/v1/user.py
+++ b/auth-api/src/auth_api/resources/v1/user.py
@@ -15,7 +15,7 @@ from http import HTTPStatus
-from flask import Blueprint, abort, g, jsonify, request
+from flask import Blueprint, abort, current_app, g, jsonify, request
 from flask_cors import cross_origin
 from auth_api.exceptions import BusinessException
@@ -29,6 +29,7 @@ from auth_api.services.org import Org as OrgService
 from auth_api.services.user import User as UserService
 from auth_api.utils.auth import jwt as _jwt
+from auth_api.utils.constants import GROUP_GOV_ACCOUNT_USERS
 from auth_api.utils.endpoints_enums import EndpointEnum
 from auth_api.utils.enums import LoginSource, Status
 from auth_api.utils.roles import Role
@@ -108,6 +109,12 @@ def post_user():
 if not valid_format:
 return {"message": schema_utils.serialize(errors)}, HTTPStatus.BAD_REQUEST
+ # Ensure STAFF doesn't have GOV_ACCOUNT_USER, otherwise they get extra permissions they shouldn't have.
+ roles = token.get("realm_access", {}).get("roles", [])
+ if Role.STAFF.name in roles and Role.GOV_ACCOUNT_USER.value in roles:
+ current_app.logger.info("Removing GOV_ACCOUNT_USER role from STAFF user")
+ KeycloakService.remove_user_from_group(token.get("sub"), GROUP_GOV_ACCOUNT_USERS)
+
 user = UserService.save_from_jwt_token(request_json)
 response, status = user.as_dict(), HTTPStatus.CREATED
 # Add the user to public_users group if the user doesn't have public_user group
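Review bot: The new guard in post_user tests `Role.STAFF.name` against the token roles while the same line (and keycloak.py's remove_from_account_holders_group) tests `.value`; if the enum's name and value differ for STAFF, the condition can never be true and GOV_ACCOUNT_USER is silently never stripped, so the check should read `if Role.STAFF.value in roles and Role.GOV_ACCOUNT_USER.value in roles:` (or `.name` on both sides, if that is what the token carries). Note also that the group removal only changes Keycloak: the `token` for the current request still lists GOV_ACCOUNT_USER, so `UserService.save_from_jwt_token(request_json)` on the next line and anything else in this request that reads roles from the token still sees the elevated role until a fresh token is issued, which the comment should say, e.g. `# Takes effect on the next token; this request's token still carries the role.` For an audit trail the log line should identify the subject and arguably be a warning, e.g. `current_app.logger.warning("Removing GOV_ACCOUNT_USER role from STAFF user %s", token.get("sub"))`. post_user starts outside the hunk, so where `token` is bound and whether a failed removal (remove_user_from_group raising) is meant to abort user creation is not visible here.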
diff --git a/auth-api/src/auth_api/services/keycloak.py b/auth-api/src/auth_api/services/keycloak.py
index ff0f31513b..22800e4e8c 100644
--- a/auth-api/src/auth_api/services/keycloak.py
+++ b/auth-api/src/auth_api/services/keycloak.py
@@ -228,7 +228,7 @@ def remove_from_account_holders_group(keycloak_guid: str = None, **kwargs):
 keycloak_guid: Dict = user_from_context.sub
 if Role.ACCOUNT_HOLDER.value in user_from_context.roles:
- KeycloakService._remove_user_from_group(keycloak_guid, GROUP_ACCOUNT_HOLDERS)
+ KeycloakService.remove_user_from_group(keycloak_guid, GROUP_ACCOUNT_HOLDERS)
 @staticmethod
 @user_context
@@ -339,7 +339,7 @@ def add_user_to_group(user_id: str, group_name: str):
 response.raise_for_status()
 @staticmethod
- def _remove_user_from_group(user_id: str, group_name: str):
+ def remove_user_from_group(user_id: str, group_name: str):
 """Remove user from the keycloak group."""
 config = current_app.config
 base_url = config.get("KEYCLOAK_BASE_URL")