enhance: mark users that have been made explicit admins via config

Users that were made admins by the config when deploying Obot are now
marked. Additionally, it is an error to change their role to be
different from an admin.

Signed-off-by: Donnie Adams <[email protected]>

apiclient/types/user.go

@@ -16,11 +16,12 @@ func (u Role) HasRole(role Role) bool {
 
 type User struct {
 	Metadata
-	Username string `json:"username,omitempty"`
-	Role     Role   `json:"role,omitempty"`
-	Email    string `json:"email,omitempty"`
-	IconURL  string `json:"iconURL,omitempty"`
-	Timezone string `json:"timezone,omitempty"`
+	Username      string `json:"username,omitempty"`
+	Role          Role   `json:"role,omitempty"`
+	ExplicitAdmin bool   `json:"explicitAdmin,omitempty"`
+	Email         string `json:"email,omitempty"`
+	IconURL       string `json:"iconURL,omitempty"`
+	Timezone      string `json:"timezone,omitempty"`
 }
 
 type UserList List[User]

pkg/api/handlers/authorizations.go

@@ -104,7 +104,7 @@ func (a *AuthorizationHandler) ListAgentAuthorizations(req api.Context) error {
 		if err != nil {
 			log.Errorf("failed to get user for authorization list %s: %v", grant.Spec.UserID, err)
 		} else if user != nil {
-			auth.User = types2.ConvertUser(user)
+			auth.User = types2.ConvertUser(user, a.userClient.IsExplicitAdmin(user.Email))
 		}
 
 		result.Items = append(result.Items, auth)

pkg/gateway/client/client.go

@@ -26,6 +26,11 @@ func (c *Client) Close() error {
 	return c.db.Close()
 }
 
+func (c *Client) IsExplicitAdmin(email string) bool {
+	_, ok := c.adminEmails[email]
+	return ok
+}
+
 func firstValue(m map[string][]string, key string) string {
 	values := m[key]
 	if len(values) == 0 {

pkg/gateway/client/error.go

@@ -13,3 +13,11 @@ type AlreadyExistsError struct {
 func (e *AlreadyExistsError) Error() string {
 	return e.name + " already exists"
 }
+
+type ExplicitAdminError struct {
+	email string
+}
+
+func (e *ExplicitAdminError) Error() string {
+	return e.email + " has been marked explicitly as an admin"
+}

pkg/gateway/client/user.go

@@ -80,8 +80,12 @@ func (c *Client) UpdateUser(ctx context.Context, actingUserIsAdmin bool, updated
 
 		// Only admins can change user roles.
 		if actingUserIsAdmin {
-			// If the role is being changed from admin to non-admin, then ensure that this isn't the last admin.
 			if updatedUser.Role > 0 && existingUser.Role.HasRole(types2.RoleAdmin) && !updatedUser.Role.HasRole(types2.RoleAdmin) {
+				// If this user has been explicitly marked as an admin, then don't allow changing the role.
+				if c.IsExplicitAdmin(existingUser.Email) {
+					return &ExplicitAdminError{email: existingUser.Email}
+				}
+				// If the role is being changed from admin to non-admin, then ensure that this isn't the last admin.
 				var adminCount int64
 				if err := tx.Model(new(types.User)).Where("role = ?", types2.RoleAdmin).Count(&adminCount).Error; err != nil {
 					return err

pkg/gateway/server/user.go

@@ -29,7 +29,7 @@ func (s *Server) getCurrentUser(apiContext api.Context) error {
 		pkgLog.Warnf("failed to update profile icon for user %s: %v", user.Username, err)
 	}
 
-	return apiContext.Write(types.ConvertUser(user))
+	return apiContext.Write(types.ConvertUser(user, s.client.IsExplicitAdmin(user.Email)))
 }
 
 func (s *Server) getUsers(apiContext api.Context) error {
@@ -40,7 +40,7 @@ func (s *Server) getUsers(apiContext api.Context) error {
 
 	items := make([]types2.User, 0, len(users))
 	for _, user := range users {
-		items = append(items, *types.ConvertUser(&user))
+		items = append(items, *types.ConvertUser(&user, s.client.IsExplicitAdmin(user.Email)))
 	}
 
 	return apiContext.Write(types2.UserList{Items: items})
@@ -60,7 +60,7 @@ func (s *Server) getUser(apiContext api.Context) error {
 		return fmt.Errorf("failed to get user: %v", err)
 	}
 
-	return apiContext.Write(types.ConvertUser(user))
+	return apiContext.Write(types.ConvertUser(user, s.client.IsExplicitAdmin(user.Email)))
 }
 
 func (s *Server) updateUser(apiContext api.Context) error {
@@ -94,13 +94,15 @@ func (s *Server) updateUser(apiContext api.Context) error {
 			status = http.StatusNotFound
 		} else if lae := (*client.LastAdminError)(nil); errors.As(err, &lae) {
 			status = http.StatusBadRequest
+		} else if ea := (*client.ExplicitAdminError)(nil); errors.As(err, &ea) {
+			status = http.StatusBadRequest
 		} else if ae := (*client.AlreadyExistsError)(nil); errors.As(err, &ae) {
 			status = http.StatusConflict
 		}
 		return types2.NewErrHttp(status, fmt.Sprintf("failed to update user: %v", err))
 	}
 
-	return apiContext.Write(types.ConvertUser(existingUser))
+	return apiContext.Write(types.ConvertUser(existingUser, s.client.IsExplicitAdmin(existingUser.Email)))
 }
 
 func (s *Server) deleteUser(apiContext api.Context) error {
@@ -120,5 +122,5 @@ func (s *Server) deleteUser(apiContext api.Context) error {
 		return types2.NewErrHttp(status, fmt.Sprintf("failed to delete user: %v", err))
 	}
 
-	return apiContext.Write(types.ConvertUser(existingUser))
+	return apiContext.Write(types.ConvertUser(existingUser, s.client.IsExplicitAdmin(existingUser.Email)))
 }

pkg/gateway/types/users.go

@@ -20,7 +20,7 @@ type User struct {
 	Timezone  string      `json:"timezone"`
 }
 
-func ConvertUser(u *User) *types2.User {
+func ConvertUser(u *User, roleFixed bool) *types2.User {
 	if u == nil {
 		return nil
 	}
@@ -30,11 +30,12 @@ func ConvertUser(u *User) *types2.User {
 			ID:      fmt.Sprint(u.ID),
 			Created: *types2.NewTime(u.CreatedAt),
 		},
-		Username: u.Username,
-		Email:    u.Email,
-		Role:     u.Role,
-		IconURL:  u.IconURL,
-		Timezone: u.Timezone,
+		Username:      u.Username,
+		Email:         u.Email,
+		Role:          u.Role,
+		ExplicitAdmin: roleFixed,
+		IconURL:       u.IconURL,
+		Timezone:      u.Timezone,
 	}
 }