feat(admin): add edit flows for all catalogs and member authentik sync

backend/app/api/admin_catalog.py

@@ -1,6 +1,7 @@
 from fastapi import APIRouter, Depends, HTTPException, Query, status
 from sqlalchemy.orm import Session
 
+from app.core.config import get_settings
 from app.db.session import get_db
 from app.models.api_client import ApiClient
 from app.repositories.companies_repo import CompaniesRepository
@@ -12,18 +13,26 @@ from app.repositories.users_repo import UsersRepository
 from app.schemas.catalog import (
     CompanyCreateRequest,
     CompanyItem,
+    CompanyUpdateRequest,
     MemberItem,
+    MemberUpdateRequest,
+    MemberUpsertRequest,
     ModuleCreateRequest,
     ModuleItem,
+    ModuleUpdateRequest,
     PermissionGroupCreateRequest,
     PermissionGroupItem,
+    PermissionGroupUpdateRequest,
     SiteCreateRequest,
     SiteItem,
+    SiteUpdateRequest,
     SystemCreateRequest,
     SystemItem,
+    SystemUpdateRequest,
 )
 from app.schemas.permissions import PermissionGrantRequest, PermissionRevokeRequest
 from app.security.api_client_auth import require_api_client
+from app.services.authentik_admin_service import AuthentikAdminService
 
 router = APIRouter(prefix="/admin", tags=["admin"])
 
@@ -57,6 +66,26 @@ def _resolve_scope_ids(db: Session, scope_type: str, scope_id: str) -> tuple[str
     raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="invalid_scope_type")
 
 
+def _sync_member_to_authentik(
+    *,
+    authentik_sub: str,
+    email: str | None,
+    display_name: str | None,
+    is_active: bool,
+) -> dict[str, str | int]:
+    if not email:
+        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="email_required_for_authentik_sync")
+    settings = get_settings()
+    service = AuthentikAdminService(settings=settings)
+    result = service.ensure_user(
+        sub=authentik_sub,
+        email=email,
+        display_name=display_name,
+        is_active=is_active,
+    )
+    return {"authentik_user_id": result.user_id, "sync_action": result.action}
+
+
 @router.get("/systems")
 def list_systems(
     _: ApiClient = Depends(require_api_client),
@@ -82,6 +111,21 @@ def create_system(
     return SystemItem(id=row.id, system_key=row.system_key, name=row.name, status=row.status)
 
 
+@router.patch("/systems/{system_key}", response_model=SystemItem)
+def update_system(
+    system_key: str,
+    payload: SystemUpdateRequest,
+    _: ApiClient = Depends(require_api_client),
+    db: Session = Depends(get_db),
+) -> SystemItem:
+    repo = SystemsRepository(db)
+    row = repo.get_by_key(system_key)
+    if not row:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="system_not_found")
+    row = repo.update(row, name=payload.name, status=payload.status)
+    return SystemItem(id=row.id, system_key=row.system_key, name=row.name, status=row.status)
+
+
 @router.get("/modules")
 def list_modules(
     _: ApiClient = Depends(require_api_client),
@@ -128,6 +172,22 @@ def create_module(
     return ModuleItem(id=row.id, system_key=payload.system_key, module_key=row.module_key, name=row.name, status=row.status)
 
 
+@router.patch("/modules/{module_key}")
+def update_module(
+    module_key: str,
+    payload: ModuleUpdateRequest,
+    _: ApiClient = Depends(require_api_client),
+    db: Session = Depends(get_db),
+) -> ModuleItem:
+    modules_repo = ModulesRepository(db)
+    row = modules_repo.get_by_key(module_key)
+    if not row:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="module_not_found")
+    row = modules_repo.update(row, name=payload.name, status=payload.status)
+    system_key = row.module_key.split(".", 1)[0] if "." in row.module_key else None
+    return ModuleItem(id=row.id, system_key=system_key, module_key=row.module_key, name=row.name, status=row.status)
+
+
 @router.get("/companies")
 def list_companies(
     _: ApiClient = Depends(require_api_client),
@@ -154,6 +214,21 @@ def create_company(
     return CompanyItem(id=row.id, company_key=row.company_key, name=row.name, status=row.status)
 
 
+@router.patch("/companies/{company_key}", response_model=CompanyItem)
+def update_company(
+    company_key: str,
+    payload: CompanyUpdateRequest,
+    _: ApiClient = Depends(require_api_client),
+    db: Session = Depends(get_db),
+) -> CompanyItem:
+    repo = CompaniesRepository(db)
+    row = repo.get_by_key(company_key)
+    if not row:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="company_not_found")
+    row = repo.update(row, name=payload.name, status=payload.status)
+    return CompanyItem(id=row.id, company_key=row.company_key, name=row.name, status=row.status)
+
+
 @router.get("/sites")
 def list_sites(
     _: ApiClient = Depends(require_api_client),
@@ -210,6 +285,33 @@ def create_site(
     return SiteItem(id=row.id, site_key=row.site_key, company_key=payload.company_key, name=row.name, status=row.status)
 
 
+@router.patch("/sites/{site_key}", response_model=SiteItem)
+def update_site(
+    site_key: str,
+    payload: SiteUpdateRequest,
+    _: ApiClient = Depends(require_api_client),
+    db: Session = Depends(get_db),
+) -> SiteItem:
+    companies_repo = CompaniesRepository(db)
+    sites_repo = SitesRepository(db)
+    row = sites_repo.get_by_key(site_key)
+    if not row:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="site_not_found")
+    company_id = None
+    company_key = None
+    if payload.company_key is not None:
+        company = companies_repo.get_by_key(payload.company_key)
+        if not company:
+            raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="company_not_found")
+        company_id = company.id
+        company_key = company.company_key
+    row = sites_repo.update(row, company_id=company_id, name=payload.name, status=payload.status)
+    if company_key is None:
+        current_company = companies_repo.get_by_id(row.company_id)
+        company_key = current_company.company_key if current_company else ""
+    return SiteItem(id=row.id, site_key=row.site_key, company_key=company_key, name=row.name, status=row.status)
+
+
 @router.get("/members")
 def list_members(
     _: ApiClient = Depends(require_api_client),
@@ -223,6 +325,80 @@ def list_members(
     return {"items": [MemberItem(id=i.id, authentik_sub=i.authentik_sub, email=i.email, display_name=i.display_name, is_active=i.is_active).model_dump() for i in items], "total": total, "limit": limit, "offset": offset}
 
 
+@router.post("/members/upsert", response_model=MemberItem)
+def upsert_member(
+    payload: MemberUpsertRequest,
+    _: ApiClient = Depends(require_api_client),
+    db: Session = Depends(get_db),
+) -> MemberItem:
+    users_repo = UsersRepository(db)
+    authentik_user_id = None
+    if payload.sync_to_authentik:
+        sync = _sync_member_to_authentik(
+            authentik_sub=payload.authentik_sub,
+            email=payload.email,
+            display_name=payload.display_name,
+            is_active=payload.is_active,
+        )
+        authentik_user_id = int(sync["authentik_user_id"])
+    row = users_repo.upsert_by_sub(
+        authentik_sub=payload.authentik_sub,
+        email=payload.email,
+        display_name=payload.display_name,
+        is_active=payload.is_active,
+        authentik_user_id=authentik_user_id,
+    )
+    return MemberItem(
+        id=row.id,
+        authentik_sub=row.authentik_sub,
+        email=row.email,
+        display_name=row.display_name,
+        is_active=row.is_active,
+    )
+
+
+@router.patch("/members/{authentik_sub}", response_model=MemberItem)
+def update_member(
+    authentik_sub: str,
+    payload: MemberUpdateRequest,
+    _: ApiClient = Depends(require_api_client),
+    db: Session = Depends(get_db),
+) -> MemberItem:
+    users_repo = UsersRepository(db)
+    row = users_repo.get_by_sub(authentik_sub)
+    if not row:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="user_not_found")
+
+    next_email = payload.email if payload.email is not None else row.email
+    next_display_name = payload.display_name if payload.display_name is not None else row.display_name
+    next_is_active = payload.is_active if payload.is_active is not None else row.is_active
+
+    authentik_user_id = row.authentik_user_id
+    if payload.sync_to_authentik:
+        sync = _sync_member_to_authentik(
+            authentik_sub=row.authentik_sub,
+            email=next_email,
+            display_name=next_display_name,
+            is_active=next_is_active,
+        )
+        authentik_user_id = int(sync["authentik_user_id"])
+
+    row = users_repo.upsert_by_sub(
+        authentik_sub=row.authentik_sub,
+        email=next_email,
+        display_name=next_display_name,
+        is_active=next_is_active,
+        authentik_user_id=authentik_user_id,
+    )
+    return MemberItem(
+        id=row.id,
+        authentik_sub=row.authentik_sub,
+        email=row.email,
+        display_name=row.display_name,
+        is_active=row.is_active,
+    )
+
+
 @router.get("/permission-groups")
 def list_permission_groups(
     _: ApiClient = Depends(require_api_client),
@@ -248,6 +424,21 @@ def create_permission_group(
     return PermissionGroupItem(id=row.id, group_key=row.group_key, name=row.name, status=row.status)
 
 
+@router.patch("/permission-groups/{group_key}", response_model=PermissionGroupItem)
+def update_permission_group(
+    group_key: str,
+    payload: PermissionGroupUpdateRequest,
+    _: ApiClient = Depends(require_api_client),
+    db: Session = Depends(get_db),
+) -> PermissionGroupItem:
+    repo = PermissionGroupsRepository(db)
+    row = repo.get_by_key(group_key)
+    if not row:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="group_not_found")
+    row = repo.update(row, name=payload.name, status=payload.status)
+    return PermissionGroupItem(id=row.id, group_key=row.group_key, name=row.name, status=row.status)
+
+
 @router.post("/permission-groups/{group_key}/members/{authentik_sub}")
 def add_group_member(
     group_key: str,