Merge branch 'main' into fix_linter_issues_clone

Author: sharad-sharma

.github/workflows/semgrep.yml

@@ -8,7 +8,7 @@ on:
     - .github/workflows/semgrep.yml
   schedule:
     # random HH:MM to avoid a load spike on GitHub Actions at 00:00
-  - cron: 12 15 * * *
+  - cron: 0 7 * * *
 jobs:
   semgrep:
     name: Scan

.github/workflows/unit-tests.yml

@@ -19,12 +19,6 @@ jobs:
         pip install -r requirements.txt
     - name: Ensure Config
       run: cp config.json.sample config.json
-    - name: Ensure git pat token
-      shell: bash
-      env:
-        CUSTOM_GITHUB_ACTIONS_PAT: ${{ secrets.CUSTOM_GITHUB_ACTIONS_PAT }}
-      run: |
-        sed -i "s|https://github.com/browserstack/enigma-access-modules.git|https://qwe:[email protected]/browserstack/enigma-access-modules.git|g" config.json
     - name: Setup access modules code base
       run: python -m scripts.clone_access_modules
     - name: Ensure access modules dependencies

.semgrepignore

@@ -0,0 +1,3 @@
+*.md
+
+nginx.conf.sample

Access/accessrequest_helper.py

@@ -501,41 +501,48 @@ def _create_access(
         }
 
     access = AccessV2.get(access_tag=access_tag, access_label=access_label)
-    if access:
-        if user_identity.access_mapping_exists(access):
+    if not access:
+        try:
+            _create_access_mapping(
+                access_tag=access_tag,
+                access_label=access_label,
+                user_identity=user_identity,
+                request_id=request_id,
+                access_reason=access_reason,
+            )
+        except Exception:
             return {
-                "title": REQUEST_DUPLICATE_ERR_MSG["title"].format(
-                    access_tag=access.access_tag
-                ),
-                "msg": REQUEST_DUPLICATE_ERR_MSG["msg"].format(
-                    access_label=json.dumps(access.access_label)
-                ),
+                "title": REQUEST_DB_ERR_MSG["error_msg"],
+                "msg": REQUEST_DB_ERR_MSG["msg"],
             }
+        return {"title": "success", "msg": "success"}
 
-    try:
-        _create_access_mapping(
-            access=access,
-            user_identity=user_identity,
-            request_id=request_id,
-            access_reason=access_reason,
-        )
-    except Exception:
+    if user_identity.access_mapping_exists(access):
         return {
-            "title": REQUEST_DB_ERR_MSG["error_msg"],
-            "msg": REQUEST_DB_ERR_MSG["msg"],
+            "title": REQUEST_DUPLICATE_ERR_MSG["title"].format(
+                access_tag=access.access_tag
+            ),
+            "msg": REQUEST_DUPLICATE_ERR_MSG["msg"].format(
+                access_label=json.dumps(access.access_label)
+            ),
         }
+
+    user_identity.user_access_mapping.create(
+        request_id=request_id,
+        request_reason=access_reason,
+        access=access,
+    )
     return {"title": "success", "msg": "success"}
 
 
 @transaction.atomic
 def _create_access_mapping(
-    user_identity, access, request_id, access_reason
+    user_identity, access_tag, access_label, request_id, access_reason
 ):
     """ Create AccessV2 and UserAccessMapping in db """
-    if not access:
-        access = AccessV2.objects.create(
-            access_tag=access.access_tag, access_label=access.access_label
-        )
+    access = AccessV2.objects.create(
+        access_tag=access_tag, access_label=access_label
+    )
 
     user_identity.user_access_mapping.create(
         request_id=request_id, request_reason=access_reason, access=access
@@ -722,6 +729,41 @@ def run_accept_request_task(
     return json_response
 
 
+def decline_group_membership(request, access_type, request_id, reason):
+    """ Decline group membership """
+    json_response = {}
+    membership = MembershipV2.get_membership(request_id)
+
+    if not membership:
+        json_response["error"] = INVALID_REQUEST_ERROR_MSG
+        return json_response
+
+    if not is_request_valid(request_id, membership):
+        json_response["error"] = USER_REQUEST_IN_PROCESS_ERR_MSG.format(
+            request_id=request_id,
+        )
+        return json_response
+
+    membership.decline(reason, request.user.user)
+
+    notifications.send_mail_for_request_decline(
+        request, "Membership Creation", request_id, reason, access_type
+    )
+
+    logger.debug(
+        USER_REQUEST_DECLINE_MSG.format(
+            request_id=request_id,
+            decline_reason=reason,
+        )
+    )
+    json_response = {}
+    json_response["msg"] = USER_REQUEST_DECLINE_MSG.format(
+        request_id=request_id,
+        decline_reason=reason,
+    )
+    return json_response
+
+
 def decline_individual_access(request, access_type, request_id, reason):
     """ Decline individual access """
     json_response = {}
@@ -730,6 +772,8 @@ def decline_individual_access(request, access_type, request_id, reason):
     if access_type == "declineNewGroup":
         access_mapping = GroupV2.get_pending_group(request_id)
         decline_new_group = True
+    elif access_type == "declineMember":
+        return decline_group_membership(request, access_type, request_id, reason)
     else:
         access_mapping = UserAccessMapping.get_access_request(request_id)
         access_type = access_mapping.access.access_tag

Access/models.py

@@ -435,6 +435,15 @@ def approve_membership(membership_id, approver):
         membership = MembershipV2.objects.get(membership_id=membership_id)
         membership.approve(approver=approver)
 
+    def decline(self, reason, decliner):
+        self.status = "Declined"
+        self.decline_reason = reason
+        self.approver = decliner
+        self.save()
+
+    def is_already_processed(self):
+        return self.status in ["Declined", "Approved", "Processing", "Revoked"]
+
     def revoke_membership(self):
         self.status = "Revoked"
         self.save()
@@ -1200,7 +1209,10 @@ def deactivate(self):
 
     def get_active_access_mapping(self):
         return self.user_access_mapping.filter(
-            status__in=["Approved", "Pending"], access__access_tag=self.access_tag
+            status__in=["Approved", "Pending",
+                        "SecondaryPending",
+                        "GrantFailed"],
+            access__access_tag=self.access_tag
         )
 
     def get_all_granted_access_mappings(self):
@@ -1211,7 +1223,7 @@ def get_all_granted_access_mappings(self):
 
     def get_all_non_approved_access_mappings(self):
         return self.user_access_mapping.filter(
-            status__in=["approvefailed", "pending", "secondarypending", "grantfailed"]
+            status__in=["Pending", "SecondaryPending", "GrantFailed"]
         )
 
     def decline_all_non_approved_access_mappings(self, decline_reason):
@@ -1225,7 +1237,7 @@ def get_granted_access_mapping(self, access):
 
     def get_non_approved_access_mapping(self, access):
         return self.user_access_mapping.filter(
-            status__in=["approvefailed", "pending", "secondarypending", "grantfailed"],
+            status__in=["Pending", "SecondaryPending", "GrantFailed"],
             access=access,
         )
 

Access/views.py

@@ -424,6 +424,7 @@ def _get_request_ids_for_bulk_processing(posted_request_ids, selector):
 
 
 @login_required
+@user_any_approver
 def decline_access(request, access_type, request_id):
     """Decline an access request.
 

Makefile

@@ -4,12 +4,14 @@ setup_mounts:
 	@mkdir -p mounts/db
 	@mkdir -p mounts/mysql_db
 	@mkdir -p mounts/logs
-	@mkdir -p mounts/modules
+	@mkdir -p mounts/modules_web
+	@mkdir -p mounts/modules_celery
 	@mkdir -p Access/access_modules
 	@chown $(APP_UID) mounts/db
 	@chown $(APP_UID) mounts/mysql_db
 	@chown $(APP_UID) mounts/logs
-	@chown $(APP_UID) mounts/modules
+	@chown $(APP_UID) mounts/modules_web
+	@chown $(APP_UID) mounts/modules_celery
 	@chown $(APP_UID) Access/access_modules
 
 ## make all : Run service, test and linter

README.md

@@ -1,4 +1,4 @@
-## Enigma Access Management
+# Enigma Access Management
 
 ![BrowserStack Logo](https://d98b8t1nnulk5.cloudfront.net/production/images/layout/logo-header.png?1469004780)
 
@@ -8,70 +8,97 @@
 [![Security Scan](https://github.com/browserstack/enigma/actions/workflows/semgrep.yml/badge.svg)](https://github.com/browserstack/enigma/actions/workflows/semgrep.yml)
 
 
+Manage access to tools through a single portal.
 
-This tool consists of 2 different components: a central webserver and pluggable access modules.
+## What is Enigma?
+
+Enigma is a web-based internal Access Management Tool that:
+* helps employees get access to various in-house and third-party systems and components like git repositories, cloud machines (via ssh), and dashboards.
+* facilitates book-keeping.
+* helps with compliance.
+* manages the inventory of all the tools in one place.
+
+
+This tool consists of 2 different components: a central web server and pluggable access modules.
 
 This repo is the code-base for the central webserver.
 Refer to [this](https://github.com/browserstack/enigma-access-modules) for published access modules with this tool.
 
 Refer to [this doc](/docs/%E2%80%9CHow-to%E2%80%9D%20guides/Adding%20Modules.md) on how to create custom access modules
 
+### Problems Solved
+
+Enigma access management tool was developed internally at BrowserStack to solve some of the problems we observed around access management for employees
+
+* No single portal for an individual to view their access across tools
+* No single portal to manage access for employees across vendors
+* No central audit trail across tools for access granted and revoked for employees
+* Repetitive Ops for DevOps teams and tool owners for access grant and revoke requests
+* No standardized SOC2-compliant and GDPR-compliant method for managing individual and admin access for external tools
+* No simple consolidated pipeline to trigger offboarding an exit-ing employee to revoke all employee access across tools
+* No way for an individual to maintain separate identity per tool
+  * Individuals might have multiple accounts for a single tool, there can be multiple org-wide domains for certain tools
+* No way to request, audit and track employee access outside of org-team hierarchy. Adhoc teams / groups support is needed.
+  * employees might migrate across teams, sometimes access are needed for temporary projects which are not required for the whole team
+* No way of listing a bunch of access to grant to employees working on a project
+  * In case an individual is added to a project, access request for all relavant tools should be raised with a single click (based on knowledge-base build on other individuals working on the project)
+
 ## Usage
 
 The following steps are for hosting Enigma locally from published docker container images.
 
 For development setup, follow this [doc](/docs/one-click-dev.md)
 
-### Pre-requisistes
+#### Pre-requisites
 
 You will need to have docker daemon running locally to run the published containers.
 If you don't have docker setup, follow the guidelines [here](https://docs.docker.com/get-docker/)
 
-### Steps
+#### Steps
 
 1. Ensure you have a valid `config.json` present locally.
 
 The default [config.json.sample](https://github.com/browserstack/enigma/blob/main/config.json.sample) should be sufficient to start.
 
-You can then add module-specific configuration for the modules you want integrated with Enigma.
+You can then add module-specific configuration for the modules you want to be integrated with Enigma.
 For detailed instructions on configuration, follow [this doc](/docs/Configuration%20Guide.md)
 
-2. Run the enigma docker container by mounting the downloaded config to the container
+2. Run the Enigma docker container by mounting the downloaded config to the container
 
 ```bash
 docker run --rm --name enigma -p 8000:8000 -v "$(pwd)/config.json":/srv/code/dev/config.json browserstack/enigma:v1
 ```
 
-Ensure that you 8000 port is free to use, and ensure that path to config.json is correct.
+Ensure that the 8000 port is free to use, and ensure that path to config.json is correct.
 
 That's it! Enigma should be running locally on port 8000
 
 
 For first time user sign-in, follow [this doc](/docs/%E2%80%9CHow-to%E2%80%9D%20guides/User%20Guides/First%20User%20Setup.md)
 
 
-## Contributing code
+## Contributing to this tool
 
-- Python 3.11.0
-- pre-commit (see rules [below](#rules-enforced-by-the-pre-commit-hooks))
+- The codebase is tested for Python 3.11.0
+- Setup pre-commit hooks for development (see rules [below](#rules-enforced-by-the-pre-commit-hooks))
   - run: `npm install @commitlint/cli @commitlint/config-conventional`
   - run: `pip install pre-commit==2.21.0`
   - run: `pre-commit install --install-hooks --overwrite` in the base directory of this project
   - run: `pre-commit autoupdate`
   - run: `pre-commit run --all-files --show-diff-on-failure --color always`
 
-### Commit Message Guideline
+#### Commit Message Guideline
 
 Format: `<type>(<scope>): <subject>`
 
 `<scope>` is optional
 
-`Type` can be of following type:
+`Type` can be of the following type:
 
 - `feat`: new feature for the user, not a new feature for build script
 - `fix`: bug fix for the user, not a fix to a build script
 - `docs`: changes to the documentation
-- `style`: formatting, missing semi colons, etc; no production code change
+- `style`: formatting, missing semi-colons, etc; no production code change
 - `refactor`: refactoring production code, eg. renaming a variable
 - `test`: adding missing tests, refactoring tests; no production code change
 - `chore`: updating grunt tasks etc; no production code change
@@ -81,20 +108,20 @@ Format: `<type>(<scope>): <subject>`
 - `perf`: a code change that improves performance
 - `revert`: revert to a commit
 
-### Example
+#### Example
 
 ```
 feat: add hat wobble
 ^--^  ^------------^
 |     |
-|     +-> Summary in present tense.
+|     +-> Summary in the present tense.
 |
 +-------> Type: Feature addition
 
 fix: fixes #xxx
 ^--^  ^------------^
 |     |
-|     +-> Reference to the github issue.
+|     +-> Reference to the GitHub issue.
 |
 +-------> Type: Bug fix
 ```
@@ -108,4 +135,4 @@ References:
 
 
 ##  License
-See [LICENSE.md](.github/LICENSE.md)
+See [LICENSE.md](/LICENSE.md)

docs/https-nginx-setup.md docs/HTTPS setup/https-nginx-setup.mddocs/https-nginx-setup.md renamed to docs/HTTPS setup/https-nginx-setup.md

@@ -6,7 +6,7 @@ Following are the steps to Setup Nginx in enigma
     - Should have a host(domain) with ssl certificats that can be attached to nginx.
     - Make sure the host points the public IP of the machine in which enigma is running on. (i.e., create an dns A record with host pointing to public IP of machine)
 2. Create a folder in the root folder of enigma named `certs` which contains ssl certificate and key.
-3. Copy `nginx.conf.sample` file to `nginx.conf`
+3. Copy `nginx.conf.sample` file in this folder to `nginx.conf`
 3. Configure `nginx.conf` file.
     - update the hostname in the `nginx.conf` file
       ```diff