feat(connector_cloning): Create API for cloning connectors between merchants and profiles.

config/config.example.toml

@@ -1068,6 +1068,9 @@ billing_connectors_which_require_payment_sync = "stripebilling, recurly" # List
 enabled = true                          # Enable or disable Open Router
 url = "http://localhost:8080"           # Open Router URL
 
-
 [billing_connectors_invoice_sync]
-billing_connectors_which_requires_invoice_sync_call = "recurly" # List of billing connectors which has invoice sync api call
+billing_connectors_which_requires_invoice_sync_call = "recurly" # List of billing connectors which has invoice sync api call
+
+[clone_connector_allowlist]
+merchant_ids = "merchant_ids"           # Comma-separated list of allowed merchant IDs
+connector_names = "connector_names"     # Comma-separated list of allowed connector names

config/deployments/env_specific.toml

@@ -362,3 +362,7 @@ background_color = "#FFFFFF"                     # Background color of email bod
 
 [connectors.unified_authentication_service] #Unified Authentication Service Configuration
 base_url = "http://localhost:8000" #base url to call unified authentication service
+
+[clone_connector_allowlist]
+merchant_ids = "merchant_ids"           # Comma-separated list of allowed merchant IDs
+connector_names = "connector_names"     # Comma-separated list of allowed connector names

config/development.toml

@@ -1156,3 +1156,7 @@ click_to_pay = {connector_list = "adyen, cybersource"}
 [open_router]
 enabled = false
 url = "http://localhost:8080"
+
+[clone_connector_allowlist]
+merchant_ids = "merchant_123, merchant_234"     # Comma-separated list of allowed merchant IDs
+connector_names = "stripe, adyen"               # Comma-separated list of allowed connector names

config/docker_compose.toml

@@ -1051,3 +1051,7 @@ enabled = true
 
 [authentication_providers]
 click_to_pay = {connector_list = "adyen, cybersource"}
+
+[clone_connector_allowlist]
+merchant_ids = "merchant_123, merchant_234"     # Comma-separated list of allowed merchant IDs
+connector_names = "stripe, adyen"               # Comma-separated list of allowed connector names

crates/api_models/src/events/user.rs

@@ -11,7 +11,7 @@ use crate::user::{
         GetMetaDataRequest, GetMetaDataResponse, GetMultipleMetaDataPayload, SetMetaDataRequest,
     },
     AcceptInviteFromEmailRequest, AuthSelectRequest, AuthorizeResponse, BeginTotpResponse,
-    ChangePasswordRequest, ConnectAccountRequest, CreateInternalUserRequest,
+    ChangePasswordRequest, CloneConnectorRequest, ConnectAccountRequest, CreateInternalUserRequest,
     CreateTenantUserRequest, CreateUserAuthenticationMethodRequest, ForgotPasswordRequest,
     GetSsoAuthUrlRequest, GetUserAuthenticationMethodsRequest, GetUserDetailsResponse,
     GetUserRoleDetailsRequest, GetUserRoleDetailsResponseV2, InviteUserRequest,
@@ -71,7 +71,8 @@ common_utils::impl_api_event_type!(
         UpdateUserAuthenticationMethodRequest,
         GetSsoAuthUrlRequest,
         SsoSignInRequest,
-        AuthSelectRequest
+        AuthSelectRequest,
+        CloneConnectorRequest
     )
 );
 

crates/api_models/src/user.rs

@@ -108,11 +108,31 @@ pub struct SwitchProfileRequest {
     pub profile_id: id_type::ProfileId,
 }
 
+#[derive(Debug, serde::Deserialize, serde::Serialize)]
+pub struct CloneConnectorSource {
+    pub mca_id: id_type::MerchantConnectorAccountId,
+    pub merchant_id: id_type::MerchantId,
+}
+
+#[derive(Debug, serde::Deserialize, serde::Serialize)]
+pub struct CloneConnectorDestination {
+    pub connector_label: Option<String>,
+    pub profile_id: id_type::ProfileId,
+    pub merchant_id: id_type::MerchantId,
+}
+
+#[derive(Debug, serde::Deserialize, serde::Serialize)]
+pub struct CloneConnectorRequest {
+    pub source: CloneConnectorSource,
+    pub destination: CloneConnectorDestination,
+}
+
 #[derive(serde::Deserialize, Debug, serde::Serialize)]
 pub struct CreateInternalUserRequest {
     pub name: Secret<String>,
     pub email: pii::Email,
     pub password: Secret<String>,
+    pub role_id: String,
 }
 
 #[derive(serde::Deserialize, Debug, serde::Serialize)]

crates/common_enums/src/enums.rs

@@ -7214,6 +7214,7 @@ pub enum PermissionGroup {
     ReconReportsManage,
     ReconOpsView,
     ReconOpsManage,
+    InternalManage,
 }
 
 #[derive(Clone, Debug, serde::Serialize, PartialEq, Eq, Hash, strum::EnumIter)]
@@ -7226,6 +7227,7 @@ pub enum ParentGroup {
     ReconOps,
     ReconReports,
     Account,
+    Internal,
 }
 
 #[derive(Debug, Clone, Copy, Eq, PartialEq, Hash, serde::Serialize)]
@@ -7255,6 +7257,7 @@ pub enum Resource {
     RunRecon,
     ReconConfig,
     RevenueRecovery,
+    InternalConnector,
 }
 
 #[derive(Debug, Clone, Copy, Eq, PartialEq, Ord, PartialOrd, serde::Serialize, Hash)]

crates/common_utils/src/consts.rs

@@ -127,6 +127,8 @@ pub const ROLE_ID_ORGANIZATION_ADMIN: &str = "org_admin";
 pub const ROLE_ID_INTERNAL_VIEW_ONLY_USER: &str = "internal_view_only";
 /// Role ID for Internal Admin
 pub const ROLE_ID_INTERNAL_ADMIN: &str = "internal_admin";
+/// Role ID for Internal Demo
+pub const ROLE_ID_INTERNAL_DEMO: &str = "internal_demo";
 
 /// Max length allowed for Description
 pub const MAX_DESCRIPTION_LENGTH: u16 = 255;

crates/router/src/configs/secrets_transformers.rs

@@ -536,5 +536,6 @@ pub(crate) async fn fetch_raw_secrets(
         platform: conf.platform,
         authentication_providers: conf.authentication_providers,
         open_router: conf.open_router,
+        clone_connector_allowlist: conf.clone_connector_allowlist,
     }
 }

crates/router/src/configs/settings.rs

@@ -153,13 +153,24 @@ pub struct Settings<S: SecretState> {
     pub platform: Platform,
     pub authentication_providers: AuthenticationProviders,
     pub open_router: OpenRouter,
+    pub clone_connector_allowlist: Option<CloneConnectorAllowlistConfig>,
 }
 
 #[derive(Debug, Deserialize, Clone, Default)]
 pub struct OpenRouter {
     pub enabled: bool,
     pub url: String,
 }
+
+#[derive(Debug, Deserialize, Clone, Default)]
+#[serde(default)]
+pub struct CloneConnectorAllowlistConfig {
+    #[serde(deserialize_with = "deserialize_merchant_ids")]
+    pub merchant_ids: HashSet<id_type::MerchantId>,
+    #[serde(deserialize_with = "deserialize_hashset")]
+    pub connector_names: HashSet<enums::Connector>,
+}
+
 #[derive(Debug, Deserialize, Clone, Default)]
 pub struct Platform {
     pub enabled: bool,

crates/router/src/core/errors/user.rs

@@ -110,6 +110,10 @@ pub enum UserErrors {
     MissingEmailConfig,
     #[error("Invalid Auth Method Operation: {0}")]
     InvalidAuthMethodOperationWithMessage(String),
+    #[error("Invalid Clone Connector Operation: {0}")]
+    InvalidCloneConnectorOperation(String),
+    #[error("Error cloning connector: {0}")]
+    ErrorCloningConnector(String),
 }
 
 impl common_utils::errors::ErrorSwitch<api_models::errors::types::ApiErrorResponse> for UserErrors {
@@ -285,6 +289,15 @@ impl common_utils::errors::ErrorSwitch<api_models::errors::types::ApiErrorRespon
             Self::InvalidAuthMethodOperationWithMessage(_) => {
                 AER::BadRequest(ApiError::new(sub_code, 57, self.get_error_message(), None))
             }
+            Self::InvalidCloneConnectorOperation(_) => {
+                AER::BadRequest(ApiError::new(sub_code, 58, self.get_error_message(), None))
+            }
+            Self::ErrorCloningConnector(_) => AER::InternalServerError(ApiError::new(
+                sub_code,
+                59,
+                self.get_error_message(),
+                None,
+            )),
         }
     }
 }
@@ -355,6 +368,12 @@ impl UserErrors {
             Self::InvalidAuthMethodOperationWithMessage(operation) => {
                 format!("Invalid Auth Method Operation: {}", operation)
             }
+            Self::InvalidCloneConnectorOperation(operation) => {
+                format!("Invalid Clone Connector Operation: {}", operation)
+            }
+            Self::ErrorCloningConnector(error_message) => {
+                format!("Error cloning connector: {}", error_message)
+            }
         }
     }
 }

crates/router/src/core/user.rs

@@ -7,9 +7,9 @@ use api_models::{
     payments::RedirectionResponse,
     user::{self as user_api, InviteMultipleUserResponse, NameIdUnit},
 };
-use common_enums::{EntityType, UserAuthType};
+use common_enums::{connector_enums, EntityType, UserAuthType};
 use common_utils::{
-    type_name,
+    fp_utils, type_name,
     types::{keymanager::Identifier, user::LineageContext},
 };
 #[cfg(feature = "email")]
@@ -128,7 +128,8 @@ pub async fn get_user_details(
             .unwrap_or(&state.tenant.tenant_id),
     )
     .await
-    .change_context(UserErrors::InternalServerError)?;
+    .change_context(UserErrors::InternalServerError)
+    .attach_printable("Failed to retrieve role information")?;
 
     let key_manager_state = &(&state).into();
 
@@ -1365,6 +1366,15 @@ pub async fn create_internal_user(
     state: SessionState,
     request: user_api::CreateInternalUserRequest,
 ) -> UserResponse<()> {
+    let role_info = roles::RoleInfo::from_predefined_roles(request.role_id.as_str())
+        .ok_or(UserErrors::InvalidRoleId)?;
+
+    fp_utils::when(
+        role_info.is_internal().not()
+            || request.role_id == common_utils::consts::ROLE_ID_INTERNAL_ADMIN,
+        || Err(UserErrors::InvalidRoleId),
+    )?;
+
     let key_manager_state = &(&state).into();
     let key_store = state
         .store
@@ -1430,10 +1440,7 @@ pub async fn create_internal_user(
         .map(domain::user::UserFromStorage::from)?;
 
     new_user
-        .get_no_level_user_role(
-            common_utils::consts::ROLE_ID_INTERNAL_VIEW_ONLY_USER.to_string(),
-            UserStatus::Active,
-        )
+        .get_no_level_user_role(role_info.get_role_id().to_string(), UserStatus::Active)
         .add_entity(domain::MerchantLevel {
             tenant_id: default_tenant_id,
             org_id: internal_merchant.organization_id,
@@ -3637,3 +3644,119 @@ pub async fn switch_profile_for_user_in_org_and_merchant(
 
     auth::cookies::set_cookie_response(response, token)
 }
+
+#[cfg(feature = "v1")]
+pub async fn clone_connector(
+    state: SessionState,
+    request: user_api::CloneConnectorRequest,
+) -> UserResponse<api_models::admin::MerchantConnectorResponse> {
+    let Some(allowlist) = &state.conf.clone_connector_allowlist else {
+        return Err(UserErrors::InvalidCloneConnectorOperation(
+            "Cloning is not allowed".to_string(),
+        )
+        .into());
+    };
+
+    fp_utils::when(
+        allowlist
+            .merchant_ids
+            .contains(&request.source.merchant_id)
+            .not(),
+        || {
+            Err(UserErrors::InvalidCloneConnectorOperation(
+                "Cloning is not allowed from this merchant".to_string(),
+            ))
+        },
+    )?;
+
+    let key_manager_state = &(&state).into();
+
+    let source_key_store = state
+        .store
+        .get_merchant_key_store_by_merchant_id(
+            key_manager_state,
+            &request.source.merchant_id,
+            &state.store.get_master_key().to_vec().into(),
+        )
+        .await
+        .to_not_found_response(UserErrors::InvalidCloneConnectorOperation(
+            "Source merchant account not found".to_string(),
+        ))?;
+
+    let source_mca = state
+        .store
+        .find_by_merchant_connector_account_merchant_id_merchant_connector_id(
+            key_manager_state,
+            &request.source.merchant_id,
+            &request.source.mca_id,
+            &source_key_store,
+        )
+        .await
+        .to_not_found_response(UserErrors::InvalidCloneConnectorOperation(
+            "Source merchant connector account not found".to_string(),
+        ))?;
+
+    let source_mca_name = source_mca
+        .connector_name
+        .parse::<connector_enums::Connector>()
+        .change_context(UserErrors::InternalServerError)
+        .attach_printable("Invalid connector name received")?;
+
+    fp_utils::when(
+        allowlist.connector_names.contains(&source_mca_name).not(),
+        || {
+            Err(UserErrors::InvalidCloneConnectorOperation(
+                "Cloning is not allowed for this connector".to_string(),
+            ))
+        },
+    )?;
+
+    let merchant_connector_create = utils::user::build_cloned_connector_create_request(
+        source_mca,
+        Some(request.destination.profile_id.clone()),
+        request.destination.connector_label,
+    )
+    .await?;
+
+    let destination_key_store = state
+        .store
+        .get_merchant_key_store_by_merchant_id(
+            key_manager_state,
+            &request.destination.merchant_id,
+            &state.store.get_master_key().to_vec().into(),
+        )
+        .await
+        .to_not_found_response(UserErrors::InvalidCloneConnectorOperation(
+            "Destination merchant account not found".to_string(),
+        ))?;
+
+    let destination_merchant_account = state
+        .store
+        .find_merchant_account_by_merchant_id(
+            key_manager_state,
+            &request.destination.merchant_id,
+            &destination_key_store,
+        )
+        .await
+        .to_not_found_response(UserErrors::InvalidCloneConnectorOperation(
+            "Destination merchant account not found".to_string(),
+        ))?;
+
+    let destination_context = domain::MerchantContext::NormalMerchant(Box::new(domain::Context(
+        destination_merchant_account,
+        destination_key_store,
+    )));
+
+    admin::create_connector(
+        state,
+        merchant_connector_create,
+        destination_context,
+        Some(request.destination.profile_id),
+    )
+    .await
+    .map_err(|e| {
+        let message = e.current_context().error_message();
+        e.change_context(UserErrors::ErrorCloningConnector(message))
+    })
+    .attach_printable("Failed to create cloned connector")
+}

crates/router/src/core/user_role.rs

@@ -40,6 +40,8 @@ pub async fn get_authorization_info_with_groups(
     Ok(ApplicationResponse::Json(
         user_role_api::AuthorizationInfoResponse(
             info::get_group_authorization_info()
+                .ok_or(UserErrors::InternalServerError)
+                .attach_printable("No visible groups found")?
                 .into_iter()
                 .map(user_role_api::AuthorizationInfo::Group)
                 .collect(),
@@ -60,10 +62,12 @@ pub async fn get_authorization_info_with_group_tag(
                 },
             )
             .into_iter()
-            .map(|(name, value)| user_role_api::ParentInfo {
-                name: name.clone(),
-                description: info::get_parent_group_description(name),
-                groups: value,
+            .filter_map(|(name, value)| {
+                Some(user_role_api::ParentInfo {
+                    name: name.clone(),
+                    description: info::get_parent_group_description(name)?,
+                    groups: value,
+                })
             })
             .collect()
     });
@@ -99,6 +103,7 @@ pub async fn get_parent_group_info(
         role_info.get_entity_type(),
         PermissionGroup::iter().collect(),
     )
+    .unwrap_or_default()
     .into_iter()
     .map(|(parent_group, description)| role_api::ParentGroupInfo {
         name: parent_group.clone(),