feat: adds functionality to view all users access lists (#54)

Users with specific permission can view all users access list.

Author: larsendsouza

Access/helpers.py

@@ -82,3 +82,4 @@ def getPossibleApproverPermissions():
         approver_permissions = each_module.fetch_approver_permissions()
         all_approver_permissions.extend(approver_permissions.values())
     return list(set(all_approver_permissions))
+

Access/models.py

@@ -233,6 +233,23 @@ def get_access_history(self, all_access_modules):
             )
 
         return access_history
+    
+    @staticmethod
+    def get_user_from_username(username):
+        try:
+            return User.objects.get(user__username=username)
+        except User.DoesNotExist:
+            return None
+
+    def get_accesses_by_access_tag_and_status(self, access_tag, status):
+        try:
+            user_identities = self.module_identity.filter(access_tag=access_tag)
+        except UserIdentity.DoesNotExist:
+            return None
+        return UserAccessMapping.objects.filter(
+            user_identity__in=user_identities,
+            access__access_tag=access_tag,
+            status__in=status)
 
     def __str__(self):
         return "%s" % (self.user)
@@ -636,19 +653,30 @@ def getAccessRequestDetails(self, access_module):
         # code metadata
         access_request_data["access_tag"] = access_tag
         # ui metadata
-        access_request_data["userEmail"] = self.user.email
+        access_request_data["user"] = self.user_identity.user.name
+        access_request_data["userEmail"] = self.user_identity.user.email
         access_request_data["requestId"] = self.request_id
         access_request_data["accessReason"] = self.request_reason
-        access_request_data["requested_on"] = self.requested_on
+        access_request_data["requested_on"] = str(self.requested_on)[:19] + "UTC" if self.updated_on else ""
 
-        access_request_data["accessType"] = access_module.access_desc()
+        access_request_data["access_desc"] = access_module.access_desc()
         access_request_data["accessCategory"] = access_module.combine_labels_desc(
             access_labels
         )
         access_request_data["accessMeta"] = access_module.combine_labels_meta(
             access_labels
         )
+        access_request_data["access_label"] = [key + "-" + str(val).strip("[]") 
+                                              for key,val in list(self.access.access_label.items()) 
+                                              if key != "keySecret"]
+        access_request_data["access_type"] = self.access_type
+        access_request_data["approver_1"] = self.approver_1.user.username
+        access_request_data["approver_2"] = self.approver_2.user.username
+        access_request_data["approved_on"] = self.approved_on
+        access_request_data["updated_on"] = str(self.updated_on)[:19] + "UTC" if self.updated_on else ""
         access_request_data["status"] = self.status
+        access_request_data["revoker"] = self.revoker.user.username
+        access_request_data["offboarding_date"] = str(self.user_identity.user.offbaord_date)[:19] + "UTC" if self.user_identity.user.offbaord_date else ""
         access_request_data["revokeOwner"] = ",".join(access_module.revoke_owner())
         access_request_data["grantOwner"] = ",".join(access_module.grant_owner())
 
@@ -663,6 +691,19 @@ def updateMetaData(self, key, data):
             mapping.save()
         return True
 
+    def revoke(self, revoker):
+        self.status = "Revoked"
+        self.revoker = revoker
+        self.save()
+
+    @staticmethod
+    def get_accesses_not_declined():
+        return UserAccessMapping.objects.exclude(status='Declined')
+
+    @staticmethod
+    def get_unrevoked_accesses_by_request_id(request_id):
+        return UserAccessMapping.objects.filter(request_id=request_id).exclude(status='Revoked')
+
     def is_approved(self):
         return self.status == "Approved"
 

Access/notifications.py

@@ -56,8 +56,11 @@ def send_new_group_approved_notification(group, group_id, initial_member_names):
 
 def send_membership_accepted_notification(user, group, membership):
     subject = MEMBERSHIP_ACCEPTED_SUBJECT.format(user.name, group.name)
-    body = MEMBERSHIP_ACCEPTED_BODY.format(
-        user.name, group.name, membership.approver.name
+    body = helpers.generateStringFromTemplate(
+        filename="membershipAcceptedEmailBody.html",
+        user_name=user.name,
+        group_name=group.name,
+        approver=membership.approver.name,
     )
     destination = []
     destination.append(membership.requested_by.email)

Access/views.py

@@ -1,5 +1,9 @@
 from django.contrib.auth.decorators import login_required
 from django.core.exceptions import ValidationError
+from django.core.paginator import Paginator
+from django.contrib.auth.models import User as djangoUser
+from .models import UserAccessMapping
+from Access import views_helper
 from django.http import JsonResponse
 from django.shortcuts import render
 from rest_framework.authentication import TokenAuthentication, BasicAuthentication
@@ -22,7 +26,7 @@
 from Access.views_helper import render_error_message
 from BrowserStackAutomation.settings import PERMISSION_CONSTANTS
 
-INVALID_REQUEST_MESSAGE = "Error in request not found OR Invalid request type - "
+INVALID_REQUEST_MESSAGE = "Error in request not found OR Invalid request type"
 
 logger = logging.getLogger(__name__)
 
@@ -131,14 +135,6 @@ def createNewGroup(request):
         return render(request, "BSOps/createNewGroup.html", {})
 
 
-@api_view(["GET"])
-@login_required
-@user_with_permission(["VIEW_USER_ACCESS_LIST"])
-@authentication_classes((TokenAuthentication, BasicAuthentication))
-def allUserAccessList(request, load_ui=True):
-    return False
-
-
 @login_required
 def allUsersList(request):
     context = getallUserList(request)
@@ -260,9 +256,9 @@ def accept_bulk(request, selector):
         context["returnIds"] = returnIds
         return JsonResponse(context, status=200)
     except Exception as e:
-        logger.debug(INVALID_REQUEST_MESSAGE + str(str(e)))
+        logger.debug(INVALID_REQUEST_MESSAGE + " - " + str(str(e)))
         json_response = {}
-        json_response["error"] = INVALID_REQUEST_MESSAGE + str(str(e))
+        json_response['error'] = INVALID_REQUEST_MESSAGE + " - " + str(str(e))
         json_response["success"] = False
         json_response["status_code"] = 401
         return JsonResponse(json_response, status=json_response["status_code"])
@@ -277,3 +273,125 @@ def remove_group_member(request):
     except Exception as e:
         logger.exception(str(e))
         return JsonResponse({"error": "Failed to remove the user"}, status=400)
+
+
+@api_view(['GET'])
+@login_required
+@user_with_permission(["VIEW_USER_ACCESS_LIST"])
+@authentication_classes((TokenAuthentication, BasicAuthentication))
+def all_user_access_list(request, load_ui=True):
+    user = None
+    page = 1
+    try:
+        if request.GET.get('username'):
+            username = request.GET.get('username')
+            user = djangoUser.objects.get(username=username)
+    except Exception as e:
+        # show all
+        logger.exception(e)
+
+    try:
+        data_list = []
+        last_page = 1
+        show_tabs = False
+        username = ""
+        generic_accesses = UserAccessMapping.get_accesses_not_declined()
+        response_type = request.GET.get('responseType', "ui")
+        load_ui = request.GET.get('load_ui', "true").lower() == "true"
+        record_date = request.GET.get('recordDate', None)
+
+        if user:
+            generic_accesses = generic_accesses.filter(
+                user_identity__user=user.user).order_by("-requested_on")
+            show_tabs = True
+            username = user.username
+        elif "usersearch" in request.GET:
+            generic_accesses = generic_accesses.filter(
+                user_identity__user__user__username__icontains=request.GET.get('usersearch')) \
+                .order_by("user_identity__user__user__username")
+        else:
+            generic_accesses = generic_accesses.order_by("user_identity__user__user__username")
+
+        filters = views_helper.get_filters_for_access_list(request)
+        generic_accesses = generic_accesses.filter(**filters)
+
+        page = int(request.GET.get('page', 1))
+
+        if load_ui and response_type != "csv":
+            paginator_obj = Paginator(generic_accesses, 10)
+            last_page = paginator_obj.num_pages
+            page = min(page, last_page) if page > last_page else page
+            paginator = paginator_obj.page(page)
+        else:
+            paginator = generic_accesses
+
+        access_types = list(set(generic_accesses.values_list("access__access_tag", flat=True)))
+
+        data_list = views_helper.prepare_datalist(paginator=paginator, record_date=record_date)
+
+        context = {}
+        logger.debug(data_list)
+
+        data_dict = {
+            'dataList': data_list,
+            'last_page': last_page,
+            'current_page': page,
+            'access_types': sorted(access_types, key=str.casefold),
+            'show_tabs': show_tabs,
+            'username': username
+        }
+
+        context.update(data_dict)
+
+        if response_type == "json":
+            return JsonResponse(context, status=200)
+        elif response_type == "csv":
+            return views_helper.gen_all_user_access_list_csv(data_list=data_list)
+        if load_ui:
+            return render(request, 'BSOps/allUserAccessList.html', context)
+        else:
+            return JsonResponse(context)
+
+    except Exception as e:
+        logger.debug("Error in request not found OR Invalid request type")
+        logger.exception(e)
+        json_response = {}
+        json_response['error'] = {'error_msg': str(e), 'msg': INVALID_REQUEST_MESSAGE}
+        return render(request, 'BSOps/accessStatus.html', json_response)
+
+
+@login_required
+@user_with_permission(["VIEW_USER_ACCESS_LIST"])
+def mark_revoked(request):
+    json_response = {}
+    status = 200
+    request_id = None
+    try:
+        request_id = request.GET.get("requestId")
+        if request_id.startswith("module-"):
+            username = request.GET.get("username")
+            if not username:
+                json_response["error"] = "Username is invalid!"
+                status = 403
+                return JsonResponse(json_response, status=status)
+            access_tag = request_id.split("-", 1)[1]
+            user = User.get_user_from_username(username=username)
+            if user:
+                requests = user.get_accesses_by_access_tag_and_status(access_tag=access_tag, status=["Approved", "Offboarding"])
+            else:
+                raise User.DoesNotExist(f"User with username '{username}' does not exist")
+        else:
+            requests = UserAccessMapping.get_unrevoked_accesses_by_request_id(request_id=request_id)
+        success_list = []
+        for mapping_object in requests:
+            logger.info("Marking access revoke - %s by user %s "
+                        % (mapping_object.request_id, request.user.user))
+            mapping_object.revoke(revoker=request.user.user)
+            success_list.append(mapping_object.request_id)
+        json_response["msg"] = "Success"
+        json_response["request_ids"] = success_list
+    except Exception as e:
+        logger.exception(str(e))
+        json_response["error"] = str(e)
+        status = 403
+    return JsonResponse(json_response, status=status)

Access/views_helper.py

@@ -1,8 +1,10 @@
 from django.shortcuts import render
+from django.http import HttpResponse
 import datetime
 import logging
 import traceback
 
+import csv
 from . import helpers as helper
 from .models import UserAccessMapping, GroupAccessMapping
 from bootprocess import general
@@ -70,7 +72,10 @@ def executeGroupAccess(userMappingsList):
             if "other" in mappingObj.request_id:
                 decline_group_other_access(mappingObj)
             else:
-                background_task("run_access_grant", (mappingObj.request_id, mappingObj, accessType, user, approver))
+                background_task("run_access_grant",
+                                (mappingObj.request_id,
+                                 mappingObj, accessType,
+                                 user, approver))
                 logger.debug(
                     "Successful group access grant for " + mappingObj.request_id
                 )
@@ -109,3 +114,56 @@ def render_error_message(request, log_message, user_message, user_message_descri
             "msg": user_message_description,
         }
     })
+
+
+def get_filters_for_access_list(request):
+    filters = {}
+    if "accessTag" in request.GET:
+        filters['access__access_tag__icontains'] = request.GET.get('accessTag')
+    if "accessTagExact" in request.GET:
+        filters['access__access_tag'] = request.GET.get('accessTagExact')
+    if "status" in request.GET:
+        filters['status__icontains'] = request.GET.get('status')
+    if "type" in request.GET:
+        filters['access_type__icontains'] = request.GET.get('type')
+    return filters
+
+
+def prepare_datalist(paginator, record_date):
+    data_list = []
+    for each_access_request in paginator:
+        if record_date is not None and record_date != str(each_access_request.updated_on)[:10]:
+            continue
+        access_details = get_generic_user_access_mapping(each_access_request)
+        data_list.append(access_details)
+    return data_list
+
+
+def gen_all_user_access_list_csv(data_list):
+    logger.debug("Processing CSV response")
+    response = HttpResponse(content_type='text/csv')
+    filename = "AccessList-" + str(datetime.datetime.now().strftime('%Y-%m-%d_%H:%M:%S')) + ".csv"
+    response['Content-Disposition'] = 'attachment; filename="' + filename + '"'
+
+    writer = csv.writer(response)
+    writer.writerow(['User', 'AccessType', 'Access', 'AccessStatus',
+                     'RequestDate', 'Approver', 'GrantOwner',
+                     'RevokeOwner', 'Type'])
+    for data in data_list:
+        access_status = data["status"]
+        if len(data["revoker"]) > 0:
+            access_status += " by - " + data["revoker"]
+        writer.writerow([data['user'], data['access_desc'],
+                         (", ".join(data["access_label"])),
+                         access_status, data["requested_on"],
+                         data["approver_1"], data["grantOwner"],
+                         data["revokeOwner"], data["access_type"]])
+    return response
+
+def get_generic_user_access_mapping(user_access_mapping):
+    access_module = helper.get_available_access_module_from_tag(
+        user_access_mapping.access.access_tag)
+    if access_module:
+        access_details = user_access_mapping.getAccessRequestDetails(access_module)
+    logger.debug("Generic access generated: " + str(access_details))
+    return access_details

BrowserStackAutomation/urls.py

@@ -25,7 +25,8 @@
     updateUserInfo,
     saveIdentity,
     createNewGroup,
-    allUserAccessList,
+    all_user_access_list,
+    mark_revoked,
     allUsersList,
     requestAccess,
     group_access,
@@ -44,6 +45,7 @@
     re_path(r"^$", dashboard, name="dashboard"),
     re_path(r"^login/$", auth_views.LoginView.as_view(), name="login"),
     re_path(r"^logout/$", logout_view, name="logout"),
+    re_path(r"^access/markRevoked", mark_revoked, name="markRevoked"),
     re_path(r"^oauth/", include("social_django.urls", namespace="social")),
     re_path(r"^access/showAccessHistory$", showAccessHistory, name="showAccessHistory"),
     re_path(r"^access/pendingRequests$", pendingRequests, name="pendingRequests"),
@@ -53,7 +55,7 @@
     re_path(r"^user/saveIdentity/", saveIdentity, name="saveIdentity"),
     re_path(r"^group/create$", createNewGroup, name="createNewGroup"),
     re_path(r"^group/dashboard/$", groupDashboard, name="groupDashboard"),
-    re_path(r"^access/userAccesses$", allUserAccessList, name="allUserAccessList"),
+    re_path(r"^access/userAccesses$", all_user_access_list, name="allUserAccessList"),
     re_path(r"^access/usersList$", allUsersList, name="allUsersList"),
     re_path(r"^access/requestAccess$", requestAccess, name="requestAccess"),
     re_path(r"^group/requestAccess$", group_access, name="groupRequestAccess"),