fix: group flow for access requests

Author: sumedha-bhatt

Access/access_modules/base_email_access/access.py

@@ -174,6 +174,9 @@ def revoke(self, user, label):
     def get_extra_fields(self):
         return []
 
+    def can_auto_approve(self):
+        return False
+
     # return valid access label array which will be added in db or raise exception
     def validate_request(self, access_labels_data, request_user, is_group=False):
         valid_access_label_array = []

Access/accessrequest_helper.py

@@ -16,6 +16,7 @@
     User,
     GroupV2,
     AccessV2,
+    MembershipV2,
     ApprovalType,
 )
 from Access.background_task_manager import background_task, accept_request
@@ -283,9 +284,11 @@ def get_pending_accesses_from_modules(access_user):
         process_group_requests(pending_accesses["group_requests"], group_requests)
 
         logger.info(
-            "Time to fetch pending requests of access module: %s - %s "
-            % access_module_tag,
-            str(time.time() - access_module_start_time),
+            "Time to fetch pending requests of access module: %s - %s " %
+            (
+                access_module_tag,
+                str(time.time() - access_module_start_time)
+            ),
         )
 
     return individual_requests, list(group_requests.values())
@@ -382,7 +385,7 @@ def create_request(auth_user, access_request_form):
     for index1, access_type in enumerate(access_request["accessRequests"]):
         access_labels = validate_access_labels(
             access_labels_json=access_request["accessLabel"][index1],
-            access_type=access_type,
+            access_tag=access_type,
         )
         access_reason = access_request["accessReason"][index1]
 
@@ -399,17 +402,16 @@ def create_request(auth_user, access_request_form):
         }
 
         access_module = helper.get_available_access_modules()[access_type]
-        module_access_labels = access_module.validate_request(
-            access_labels, auth_user, is_group=False
-        )
-
         extra_field_labels = get_extra_field_labels(access_module)
-
         if extra_fields and extra_field_labels:
             for field in extra_field_labels:
-                module_access_labels[0][field] = extra_fields[0]
+                access_labels[0][field] = extra_fields[0]
                 extra_fields = extra_fields[1:]
 
+        module_access_labels = access_module.validate_request(
+            access_labels, auth_user, is_group=False
+        )
+
         for index2, access_label in enumerate(module_access_labels):
             request_id = request_id + "_" + str(index2)
             access_create_error = _create_access(
@@ -511,7 +513,10 @@ def get_extra_field_labels(access_module):
 def get_extra_fields(access_request):
     if "extraFields" in access_request:
         return access_request["extraFields"]
-    return []
+    elif "extraFields[]" in access_request:
+        return [access_request["extraFields[]"]]
+    else:
+        return []
 
 
 def _validate_access_request(access_request_form, user):
@@ -674,37 +679,49 @@ def run_accept_request_task(
 
 def decline_individual_access(request, access_type, request_id, reason):
     json_response = {}
-    access_mapping = UserAccessMapping.get_access_request(request_id)
+    access_mapping = {}
+    decline_new_group = False
+    if access_type == "declineNewGroup":
+        access_mapping = GroupV2.get_pending_group(request_id)
+        decline_new_group = True
+    else:
+        access_mapping = UserAccessMapping.get_access_request(request_id)
+
     if not is_request_valid(request_id, access_mapping):
         json_response["error"] = USER_REQUEST_IN_PROCESS_ERR_MSG.format(
             request_id=request_id,
         )
         return json_response
 
-    json_response = validate_approver_permissions(access_mapping, access_type, request)
-    if "error" in json_response:
-        return json_response
+    if not decline_new_group:
+        json_response = validate_approver_permissions(access_mapping, access_type, request)
+        if "error" in json_response:
+            return json_response
 
     with transaction.atomic():
         access_mapping.decline_access(reason)
         if hasattr(access_mapping, "approver_1"):
-            access_mapping.decline_reason = reason
             if access_mapping.approver_1 is not None:
                 access_mapping.approver_2 = request.user.user
             else:
                 access_mapping.approver_1 = request.user.user
         else:
-            access_mapping.reason = reason
-            access_mapping.approver = request.user.username
+            access_mapping.approver = request.user.user
 
         access_mapping.save()
 
-    access_module = helper.get_available_access_module_from_tag(access_type)
-    access_labels = [access_mapping.access.access_label]
-    description = access_module.combine_labels_desc(access_labels)
-    notifications.send_mail_for_request_decline(
-        request, description, request_id, reason, access_type
-    )
+    if not decline_new_group:
+        access_module = helper.get_available_access_module_from_tag(access_type)
+        access_labels = [access_mapping.access.access_label]
+        description = access_module.combine_labels_desc(access_labels)
+        notifications.send_mail_for_request_decline(
+            request, description, request_id, reason, access_type
+        )
+    else:
+        MembershipV2.update_membership(access_mapping, reason)
+        notifications.send_mail_for_request_decline(
+            request, "Group Creation", request_id, reason, access_type
+        )
 
     logger.debug(
         USER_REQUEST_DECLINE_MSG.format(

Access/group_helper.py

@@ -42,7 +42,7 @@
 
 LIST_GROUP_ACCESSES_GROUP_DONT_EXIST_ERROR = {
     "error_msg": "Invalid Group Name",
-    "msg": "A group with {group_name} doesn't exist.",
+    "msg": "A group with name {group_name} doesn't exist.",
 }
 
 NON_OWNER_PERMISSION_DENIED_ERROR = {
@@ -129,6 +129,7 @@ def create_group(request):
         requester=request.user.user,
         description=reason,
         needsAccessApprove=needs_access_approve,
+        date_time=base_datetime_prefix,
     )
 
     new_group.add_member(
@@ -183,7 +184,9 @@ def get_group_access_list(auth_user, group_name):
         context = {
             "error": {
                 "error_msg": LIST_GROUP_ACCESSES_GROUP_DONT_EXIST_ERROR["error_msg"],
-                "msg": LIST_GROUP_ACCESSES_GROUP_DONT_EXIST_ERROR["msg"],
+                "msg": LIST_GROUP_ACCESSES_GROUP_DONT_EXIST_ERROR["msg"].format(
+                    group_name=group_name
+                ),
             }
         }
         return context
@@ -236,7 +239,9 @@ def update_owners(request, group_name):
         context = {
             "error": {
                 "error_msg": LIST_GROUP_ACCESSES_GROUP_DONT_EXIST_ERROR["error_msg"],
-                "msg": LIST_GROUP_ACCESSES_GROUP_DONT_EXIST_ERROR["msg"],
+                "msg": LIST_GROUP_ACCESSES_GROUP_DONT_EXIST_ERROR["msg"].format(
+                    group_name=group_name
+                ),
             }
         }
         return context
@@ -441,8 +446,8 @@ def add_user_to_group(request):
                         reason=data["memberReason"][0],
                         date_time=base_datetime_prefix,
                     )
+                    membership_id = membership.membership_id
                     if not group.needsAccessApprove:
-                        membership_id = membership.membership_id
                         context = {}
                         context["accessStatus"] = {
                             "msg": REQUEST_PROCESSING.format(requestId=membership_id),
@@ -609,6 +614,7 @@ def get_group_access(form_data, auth_user):
     )
     if validation_error:
         context["status"] = validation_error
+        return context
 
     access_module_list = data["accessList"]
     for module_value in access_module_list:
@@ -656,14 +662,15 @@ def save_group_access_request(form_data, auth_user):
         extra_fields = accessrequest_helper.get_extra_fields(access_request)
         extra_field_labels = accessrequest_helper.get_extra_field_labels(access_module)
 
-        module_access_labels = access_module.validate_request(
-            access_labels, auth_user, is_group=False
-        )
         if extra_fields and extra_field_labels:
             for field in extra_field_labels:
-                module_access_labels[0][field] = extra_fields[0]
+                access_labels[0][field] = extra_fields[0]
                 extra_fields = extra_fields[1:]
 
+        module_access_labels = access_module.validate_request(
+            access_labels, auth_user, is_group=False
+        )
+
         request_id = (
             auth_user.username
             + "-"
@@ -697,15 +704,15 @@ def save_group_access_request(form_data, auth_user):
                             "msg": "Access already exists" + json.dumps(access_label),
                         }
                     )
-        email_destination = access_module.get_approvers()
-        member_list = group.get_all_approved_members()
-        notifications.send_group_access_add_email(
-            destination=email_destination,
-            group_name=group_name,
-            requester=auth_user.user.email,
-            request_id=request_id,
-            member_list=member_list,
-        )
+        # email_destination = access_module.get_approvers()
+        # member_list = group.get_all_approved_members()
+        # notifications.send_group_access_add_email(
+        #     destination=email_destination,
+        #     group_name=group_name,
+        #     requester=auth_user.user.email,
+        #     request_id=request_id,
+        #     member_list=member_list,
+        # )
     return context
 
 
@@ -731,7 +738,7 @@ def validate_group_access_create_request(group, auth_user):
         logger.exception("This Group is not yet approved")
         return {"title": "Permisison Denied", "msg": "This Group is not yet approved"}
 
-    if not (group.is_owner(auth_user.user) or auth_user.is_superuser):
+    if not auth_user.user.is_allowed_admin_actions_on_group(group):
         logger.exception("Permission denied, you're not owner of this group")
         return {"title": "Permision Denied", "msg": "You're not owner of this group"}
     return None

Access/models.py

@@ -400,6 +400,10 @@ def revoke_membership(self):
         self.status = "Revoked"
         self.save()
 
+    def update_membership(group, reason):
+        membership = MembershipV2.objects.filter(group=group)
+        membership.update(status="Declined", decline_reason=reason)
+
     @staticmethod
     def get_membership(membership_id):
         try:
@@ -500,6 +504,14 @@ def add_members(self, users=None, requested_by=None, reason="", date_time=""):
     def getPendingMemberships():
         return MembershipV2.objects.filter(status="Pending", group__status="Approved")
 
+    def is_already_processed(self):
+        return self.status in ['Declined','Approved','Processing','Revoked']
+
+    def decline_access(self, decline_reason=None):
+        self.status = "Declined"
+        self.decline_reason = decline_reason
+        self.save()
+
     @staticmethod
     def getPendingCreation():
         new_group_pending = GroupV2.objects.filter(status="Pending")
@@ -597,7 +609,9 @@ def unapprove_memberships(self):
 
     def is_owner(self, user):
         return (
-            self.membership_group.filter(is_owner=True).filter(user=user).first()
+            self.membership_group.filter(is_owner=True)
+            .filter(user=user)
+            .first()
             is not None
         )
 

Access/views.py

@@ -232,6 +232,8 @@ def group_access(request):
         return render(request, "BSOps/accessStatus.html", context)
 
     context = group_helper.get_group_access(request.GET, request.user)
+    if "status" in context:
+        return render(request, 'BSOps/accessStatus.html',context)
     return render(request, "BSOps/groupAccessRequestForm.html", context)
 
 

BrowserStackAutomation/settings.py

@@ -240,7 +240,7 @@
     'disable_existing_loggers': False,
     'formatters': {
         'verbose': {
-            'format': "[cid: %(cid)s]:{\"meta\":{\"timestamp\":\"%(asctime)s.%(msecs)03dZ\",\"component\":\"django\",\"application\":\"enigma\",\"team\":\"core\"},\"log\":{\"kind\":\"ENIGMA_APP\",\"dynamic_data\":\"[%(name)s:%(funcName)s:%(lineno)s] --- %(message)s\",\"level\":\"%(levelname)s\"}}",
+            'format': "{\"meta\":{\"timestamp\":\"%(asctime)s.%(msecs)03dZ\",\"component\":\"django\",\"application\":\"enigma\",\"team\":\"core\"},\"log\":{\"kind\":\"ENIGMA_APP\",\"dynamic_data\":\"[%(name)s:%(funcName)s:%(lineno)s] --- %(message)s\",\"level\":\"%(levelname)s\"}}",
             'datefmt': "%Y-%m-%dT%H:%M:%S"
         }
     },

BrowserStackAutomation/urls.py

@@ -63,27 +63,27 @@
     re_path(r"^access/requestAccess$", request_access, name="requestAccess"),
     re_path(r"^group/requestAccess$", group_access, name="groupRequestAccess"),
     re_path(
-        r"^group/access/list/(?P<groupName>[\w -]+)$",
+        r"^group/access/list/(?P<group_name>[\w -]+)$",
         group_access_list,
         name="groupAccessList",
     ),
     re_path(
         r"^group/new/accept/(?P<requestId>.*)$", approve_new_group, name="approveNewGroup"
     ),
     re_path(
-        r"^group/adduser/(?P<groupName>[\w -]+)$",
+        r"^group/adduser/(?P<group_name>[\w -]+)$",
         add_user_to_group,
         name="addUserToGroup",
     ),
     re_path(
-        r"^group/updateOwners/(?P<groupName>[\w -]+)$",
+        r"^group/updateOwners/(?P<group_name>[\w -]+)$",
         update_group_owners,
         name="updateGroupOwners",
     ),
     re_path(r"^access/pendingRequests$", pending_requests, name="pendingRequests"),
     re_path(r"^accept_bulk/(?P<selector>[\w-]+)", accept_bulk, name="accept_bulk"),
     re_path(
-        r"^decline/(?P<accessType>[\w-]+)/(?P<requestId>.*)$",
+        r"^decline/(?P<access_type>[\w-]+)/(?P<request_id>.*)$",
         decline_access,
         name="decline",
     ),

templates/BSOps/pendingRequests.html

@@ -321,15 +321,6 @@
 
         $(".bulkAcceptAll-checkbox").change(function () {
             let bulkCheckValue = $(this).prop('checked');
-            // for ssh
-            // sshCheckedAllOption = $("#dropdownMenuButton").text()
-
-            // if (sshCheckedAllOption === "Production") {
-            //   checkSSHCardWithTitle("prod", bulkCheckValue)
-            // }
-            // else if (sshCheckedAllOption === "Staging") {
-            //   checkSSHCardWithTitle("staging", bulkCheckValue)
-            // }
 
             let selector = $(this).val()
             $(`.${selector}`).each(function (idx, elem) {