dasch-swiss · jnussbaum · Aug 12, 2024 · Aug 9, 2024 · Aug 9, 2024 · Aug 9, 2024
diff --git a/dsp_permissions_scripts/ap/ap_set.py b/dsp_permissions_scripts/ap/ap_set.py
@@ -4,9 +4,13 @@
 from dsp_permissions_scripts.ap.ap_get import create_admin_route_object_from_ap
 from dsp_permissions_scripts.ap.ap_get import create_ap_from_admin_route_object
 from dsp_permissions_scripts.ap.ap_model import Ap
+from dsp_permissions_scripts.ap.ap_model import ApValue
 from dsp_permissions_scripts.models.errors import ApiError
+from dsp_permissions_scripts.models.group import Group
 from dsp_permissions_scripts.utils.dsp_client import DspClient
 from dsp_permissions_scripts.utils.get_logger import get_logger
+from dsp_permissions_scripts.utils.helpers import KNORA_ADMIN_ONTO_NAMESPACE
+from dsp_permissions_scripts.utils.project import get_project_iri_and_onto_iris_by_shortcode
 
 logger = get_logger(__name__)
 
@@ -36,3 +40,26 @@ def apply_updated_scopes_of_aps_on_server(aps: list[Ap], host: str, dsp_client:
         except ApiError as err:
             logger.error(err)
     logger.info(f"Finished updating scopes of {len(aps)} Administrative Permissions on {host}")
+
+
+def create_new_ap_on_server(
+    forGroup: Group,
+    shortcode: str,
+    hasPermissions: list[ApValue],
+    dsp_client: DspClient,
+) -> Ap | None:
+    proj_iri, _ = get_project_iri_and_onto_iris_by_shortcode(shortcode, dsp_client)
+    payload = {
+        "forGroup": forGroup.val.replace("knora-admin:", KNORA_ADMIN_ONTO_NAMESPACE),
+        "forProject": proj_iri,
+        "hasPermissions": [
+            {"additionalInformation": None, "name": ap_val.value, "permissionCode": None} for ap_val in hasPermissions
+        ],
+    }
+    try:
+        response = dsp_client.post("/admin/permissions/ap", data=payload)
+        logger.info(f"Successfully created new AP for group {forGroup.val}")
+        return create_ap_from_admin_route_object(response["administrative_permission"])
+    except ApiError:
+        logger.error(f"Could not create new AP for group {forGroup}")
+        return None
diff --git a/dsp_permissions_scripts/template.py b/dsp_permissions_scripts/template.py
@@ -6,6 +6,7 @@
 from dsp_permissions_scripts.ap.ap_model import ApValue
 from dsp_permissions_scripts.ap.ap_serialize import serialize_aps_of_project
 from dsp_permissions_scripts.ap.ap_set import apply_updated_scopes_of_aps_on_server
+from dsp_permissions_scripts.ap.ap_set import create_new_ap_on_server
 from dsp_permissions_scripts.doap.doap_get import get_doaps_of_project
 from dsp_permissions_scripts.doap.doap_model import Doap
 from dsp_permissions_scripts.doap.doap_serialize import serialize_doaps_of_project
@@ -78,6 +79,12 @@ def update_aps(host: str, shortcode: str, dsp_client: DspClient) -> None:
         forGroup=group.PROJECT_MEMBER,
         dsp_client=dsp_client,
     )
+    _ = create_new_ap_on_server(
+        forGroup=group.CREATOR,
+        shortcode=shortcode,
+        hasPermissions=[ApValue.ProjectResourceCreateAllPermission],
+        dsp_client=dsp_client,
+    )
     modified_aps = modify_aps(remaining_aps)
     if not modified_aps:
         logger.info("There are no APs to update.")

diff --git a/tests/test_ap.py → tests/test_ap_model.py b/tests/test_ap.py → tests/test_ap_model.py
diff --git a/tests/test_ap_set.py b/tests/test_ap_set.py
@@ -0,0 +1,52 @@
+from typing import Any
+from unittest.mock import Mock
+
+import pytest
+
+from dsp_permissions_scripts.ap import ap_set
+from dsp_permissions_scripts.ap.ap_model import ApValue
+from dsp_permissions_scripts.ap.ap_set import create_new_ap_on_server
+from dsp_permissions_scripts.models import group
+
+
+@pytest.fixture()
+def create_new_ap_request() -> dict[str, Any]:
+    return {
+        "forGroup": "http://www.knora.org/ontology/knora-admin#Creator",
+        # surprisingly, it also works with "knora-admin:Creator", without context.
+        "forProject": "http://rdfh.ch/projects/QykAkmHJTPS7ervbGynSHw",
+        "hasPermissions": [
+            {"additionalInformation": None, "name": "ProjectResourceCreateAllPermission", "permissionCode": None}
+        ],
+    }
+
+
+@pytest.fixture()
+def create_new_ap_response() -> dict[str, Any]:
+    return {
+        "administrative_permission": {
+            "iri": "http://rdfh.ch/permissions/4123/8WIp72-IQeKjwL5y7cpNPQ",
+            "forProject": "http://rdfh.ch/projects/QykAkmHJTPS7ervbGynSHw",
+            "forGroup": "http://www.knora.org/ontology/knora-admin#Creator",
+            "hasPermissions": [{"name": "ProjectResourceCreateAllPermission"}],
+        }
+    }
+
+
+def test_create_new_ap_on_server(create_new_ap_request: dict[str, Any], create_new_ap_response: dict[str, Any]) -> None:
+    ap_set.get_project_iri_and_onto_iris_by_shortcode = Mock(  # type: ignore[attr-defined]
+        return_value=("http://rdfh.ch/projects/QykAkmHJTPS7ervbGynSHw", None)
+    )
+    ap_set.create_ap_from_admin_route_object = Mock()  # type: ignore[attr-defined]
+    dsp_client = Mock()
+    dsp_client.post = Mock(return_value=create_new_ap_response)
+    _ = create_new_ap_on_server(
+        forGroup=group.CREATOR,
+        shortcode="0000",
+        hasPermissions=[ApValue("ProjectResourceCreateAllPermission")],
+        dsp_client=dsp_client,
+    )
+    dsp_client.post.assert_called_once_with("/admin/permissions/ap", data=create_new_ap_request)
+    ap_set.create_ap_from_admin_route_object.assert_called_once_with(  # type: ignore[attr-defined]
+        create_new_ap_response["administrative_permission"]
+    )