Merge branch 'main' into feat-group-mark-revoked

Author: niveshm

Access/models.py

@@ -251,6 +251,20 @@ def get_accesses_by_access_tag_and_status(self, access_tag, status):
             access__access_tag=access_tag,
             status__in=status)
 
+    def update_revoker(self, revoker):
+        self.revoker = revoker
+        self.save()
+
+    def offboard(self, revoker):
+        self.change_state("offboarding")
+        self.update_revoker(revoker)
+        self.offbaord_date = datetime.datetime.now()
+        self.user.is_active = False
+        self.save()
+    
+    def revoke_all_memberships(self):
+        self.membership_user.filter(status__in=["Pending", "Approved"]).update(status="Revoked")
+
     def __str__(self):
         return "%s" % (self.user)
 
@@ -345,7 +359,7 @@ def revoke_membership(self):
     @staticmethod
     def get_membership(membership_id):
         return MembershipV2.objects.get(membership_id=membership_id)
-    
+
     def __str__(self):
         return self.group.name + "-" + self.user.email + "-" + self.status
 
@@ -884,13 +898,23 @@ class Meta:
     )
 
     def deactivate(self):
-        self.status = 0
+        self.status = "Inactive"
         self.save()
 
     def get_active_access_mapping(self):
         return self.user_access_mapping.filter(
             status__in=["Approved", "Pending"], access__access_tag=self.access_tag
         )
+    
+    def get_all_granted_access_mappings(self):
+        return self.user_access_mapping.filter(status__in=["Approved", "Processing", "Offboarding"], access__access_tag=self.access_tag)
+
+    def get_all_non_approved_access_mappings(self):
+        return self.user_access_mapping.filter(status__in=[ 'approvefailed', 'pending', 'secondarypending', 'grantfailed' ], access__access_tag=self.access_tag)
+
+    def decline_all_non_approved_access_mappings(self):
+        user_mapping = self.get_all_non_approved_access_mappings()
+        user_mapping.update(status="Declined")
 
     def get_granted_access_mapping(self, access):
         return self.user_access_mapping.filter(

Access/userlist_helper.py

@@ -1,5 +1,7 @@
+import json
 from Access import helpers
-from Access.models import User
+from Access.background_task_manager import background_task
+from Access.models import MembershipV2, User
 import logging
 from . import helpers as helper
 from django.db import transaction
@@ -41,25 +43,25 @@ def get_identity_templates(auth_user):
     context["configured_identity_template"] = []
     context["unconfigured_identity_template"] = []
     all_modules = helper.get_available_access_modules()
-    # for user_identity in user_identities:
-    #     is_identity_configured = _is_valid_identity_json(identity=user_identity.identity)
-    #     if is_identity_configured:
-    #         module = all_modules[user_identity.access_tag]
-    #         context["configured_identity_template"].append(
-    #             {
-    #                 "accessUserTemplatePath": module.get_identity_template(), 
-    #                 "identity" : user_identity.identity
-    #             }            
-    #         )
-    #         all_modules.pop(user_identity.access_tag)
+    for user_identity in user_identities:
+        is_identity_configured = _is_valid_identity_json(identity=user_identity.identity)
+        if is_identity_configured:
+            module = all_modules[user_identity.access_tag]
+            context["configured_identity_template"].append(
+                {
+                    "accessUserTemplatePath": module.get_identity_template(), 
+                    "identity" : user_identity.identity
+                }            
+            )
+            all_modules.pop(user_identity.access_tag)
 
-    # for mod in all_modules.values():
-    #     context["unconfigured_identity_template"].append(
-    #         {
-    #             "accessUserTemplatePath": mod.get_identity_template(), 
-    #         }
-    #     )
-    # context["aws_username"] = "some name"
+    for mod in all_modules.values():
+        context["unconfigured_identity_template"].append(
+            {
+                "accessUserTemplatePath": mod.get_identity_template(), 
+            }
+        )
+    context["aws_username"] = "some name"
     return context
 
 def _is_valid_identity_json(identity):
@@ -166,7 +168,7 @@ def getallUserList(request):
                     "last_name": each_user.user.last_name,
                     "email": each_user.email,
                     "username": each_user.user.username,
-                    "git_username": each_user.gitusername,
+                    # "git_username": each_user.gitusername,
                     "is_active": each_user.user.is_active,
                     "offbaord_date": each_user.offbaord_date,
                     "state": each_user.current_state(),
@@ -185,3 +187,40 @@ def getallUserList(request):
         json_response = {}
         json_response["error"] = {"error_msg": str(e), "msg": ERROR_MESSAGE}
         return json_response
+
+
+def offboard_user(request):
+    if not (request.user.user.has_permission("VIEW_USER_LIST") and request.user.user.has_permission("ALLOW_USER_OFFBOARD")):
+        raise Exception("Requested User is unauthorised to offboard user.")
+    try:
+        offboard_user_email = request.POST.get("offboard_email")
+        if not offboard_user_email:
+            raise Exception("Invalid request, attribute not found")
+        
+        user = User.objects.filter(email=offboard_user_email).first()
+        if not user:
+            raise Exception("User not found")
+
+    except Exception as e:
+        logger.debug("Error in request, not found or Invalid request type")
+        logger.exception(str(e))
+        return {"error": ERROR_MESSAGE}
+    
+    user.offboard(request.user.user)
+    
+    module_identities = user.get_all_active_identity()
+
+    for module_identity in module_identities:  
+        module_identity.decline_all_non_approved_access_mappings()
+        access_mappings = module_identity.get_all_granted_access_mappings()
+
+        for access_mapping in access_mappings:
+            module_identity.offboarding_approved_access_mapping(access_mapping.access)
+            background_task("run_access_revoke", json.dumps({"request_id": access_mapping.request_id, "revoker_email": request.user.user.email}))
+        
+        module_identity.deactivate()
+    
+    user.revoke_all_memberships()
+
+    return {"message": "Successfully initiated Offboard user"}
+

Access/views.py

@@ -22,7 +22,15 @@
     create_request,
 )
 from Access.models import User
-from Access.userlist_helper import getallUserList, get_identity_templates, create_identity, NEW_IDENTITY_CREATE_ERROR_MESSAGE, IDENTITY_UNCHANGED_ERROR_MESSAGE, IdentityNotChangedException
+from Access.userlist_helper import (
+    getallUserList,
+    get_identity_templates,
+    create_identity,
+    offboard_user,
+    NEW_IDENTITY_CREATE_ERROR_MESSAGE,
+    IDENTITY_UNCHANGED_ERROR_MESSAGE,
+    IdentityNotChangedException
+)
 from Access.views_helper import render_error_message
 from BrowserStackAutomation.settings import PERMISSION_CONSTANTS
 
@@ -141,6 +149,16 @@ def allUsersList(request):
     return render(request, "BSOps/allUsersList.html", context)
 
 
+def user_offboarding(request):
+    try:
+        response = offboard_user(request)
+        if "error" in response:
+            return JsonResponse(response, status=400)
+        return JsonResponse(response)
+    except Exception as e:
+        logger.exception(str(e))
+        return JsonResponse({"error": "Failed to offboard User"})
+
 @login_required
 def requestAccess(request):
     if request.POST:

BrowserStackAutomation/urls.py

@@ -19,6 +19,7 @@
 from django.urls import re_path, include
 from Access.views import (
     revoke_group_access,
+    user_offboarding,
     showAccessHistory,
     pendingRequests,
     pendingFailure,
@@ -39,7 +40,7 @@
     update_group_owners,
     remove_group_member,
 )
-# from Access.helpers import getAvailableAccessModules
+from Access.helpers import get_available_access_modules
 
 urlpatterns = [
     re_path(r"^admin/", admin.site.urls),
@@ -58,6 +59,7 @@
     re_path(r"^group/dashboard/$", groupDashboard, name="groupDashboard"),
     re_path(r"^access/userAccesses$", all_user_access_list, name="allUserAccessList"),
     re_path(r"^access/usersList$", allUsersList, name="allUsersList"),
+    re_path(r"^user/offboardUser$", user_offboarding, name="offboarding_user"),
     re_path(r"^access/requestAccess$", requestAccess, name="requestAccess"),
     re_path(r"^group/requestAccess$", group_access, name="groupRequestAccess"),
     re_path(
@@ -85,5 +87,5 @@
     re_path(r"^group/revokeAccess", revoke_group_access, name="revoke_group_access")
 ]
 
-# for each_module in getAvailableAccessModules():
-#     urlpatterns.extend(each_module.urlpatterns)
+for tag, each_module in get_available_access_modules().items():
+    urlpatterns.extend(each_module.urlpatterns)

templates/BSOps/allUsersList.html

@@ -48,7 +48,7 @@
   message_text_div.append("Offboarding user with email " + offboard_email + ". Please wait");
   $('#alert-space').html(custom_alert);
 
-  $.ajax("{% url 'allUsersList' %}", {
+  $.ajax("{% url 'offboarding_user' %}", {
     type: "POST",
     data: { "offboard_email": offboard_email, 'csrfmiddlewaretoken': '{{ csrf_token }}' },
     success: function(data) {
@@ -175,7 +175,7 @@ <h4 class="modal-title"></h4>
   		<tr>
         <th data-placeholder="Search">Name</th>
         <th data-placeholder="Search">Email</th>
-        <th data-placeholder="Search">Github Username</th>
+        <!-- <th data-placeholder="Search">Github Username</th> -->
         <th class="filter-select filter-exact" data-placeholder="ALL">Is Active</th>
         <th class="filter-select filter-exact" data-placeholder="ALL">Current State</th>
         <th data-placeholder="Search">Accesses List</th>
@@ -210,7 +210,7 @@ <h4 class="modal-title"></h4>
       <tr class="userList">
         <td>{{ item.first_name }} {{ item.last_name }}</td>
         <td>{{ item.email }}</td>
-        <td>{{ item.git_username }}</td>
+        <!-- <td>{{ item.git_username }}</td> -->
         <td>{{ item.is_active }}</td>
         <td>{{ item.state }}</td>
         <td>