fix: revoking and approving access on identity change (#72)

Kartikkumar-Shetty · web-flow · commit 9458e7f74132 · 2023-02-17T12:41:12.000+05:30
revoking and approving the access when changing the access
adding a new method for the grant and revoke access
changing the off-board method, adding transactions and calling the new revoke method
diff --git a/Access/background_task_manager.py b/Access/background_task_manager.py
@@ -9,11 +9,12 @@
 from Access import helpers
 from bootprocess import general
 from BrowserStackAutomation.settings import AUTOMATED_EXEC_IDENTIFIER
-from Access.models import UserAccessMapping, User
+from Access.models import UserAccessMapping, ApprovalType
 from Access import notifications
 
 logger = logging.getLogger(__name__)
 
+
 with open("config.json") as data_file:
     background_task_manager_type = json.load(data_file)["background_task_manager"][
         "type"
@@ -30,7 +31,8 @@ def background_task(func, *args):
         elif func == "run_accept_request":
             run_accept_request.delay(*args)
         elif func == "run_access_revoke":
-            run_access_revoke.delay(*args)
+            request_id = args[0]
+            run_access_revoke.delay(request_id)
     else:
         if func == "run_access_grant":
             request_id = args[0]
@@ -56,7 +58,7 @@ def background_task(func, *args):
 )
 def run_access_grant(request_id):
     user_access_mapping = UserAccessMapping.get_access_request(request_id=request_id)
-    access_type = user_access_mapping.access.access_tag
+    access_tag = user_access_mapping.access.access_tag
     user = user_access_mapping.user_identity.user
     approver = user_access_mapping.approver_1.user.username
     message = ""
@@ -75,6 +77,10 @@ def run_access_grant(request_id):
         user_access_mapping.grant_fail_access(
             fail_reason="Failed since identity is blank for user identity"
         )
+        notifications.send_mail_for_request_granted_failure(
+            user, approver, access_tag, request_id
+        )
+
         logger.debug(
             {
                 "requestId": request_id,
@@ -85,7 +91,7 @@ def run_access_grant(request_id):
         )
         return False
 
-    access_module = helpers.get_available_access_module_from_tag(access_type)
+    access_module = helpers.get_available_access_module_from_tag(access_tag)
     if not access_module:
         return False
 
@@ -132,10 +138,10 @@ def run_access_grant(request_id):
             }
         )
         try:
-            destination = access_module.access_mark_revoke_permission(access_type)
+            destination = access_module.access_mark_revoke_permission(access_tag)
             notifications.send_mail_for_access_grant_failed(
                 destination,
-                access_type.upper(),
+                access_tag.upper(),
                 user.email,
                 request_id=request_id,
                 message=message,
@@ -157,37 +163,36 @@ def run_access_grant(request_id):
 @shared_task(
     autoretry_for=(Exception,), retry_kwargs={"max_retries": 3, "countdown": 5}
 )
-def run_access_revoke(data):
-    data = json.loads(data)
-    access_mapping = UserAccessMapping.get_access_request(data["request_id"])
+def run_access_revoke(request_id):
+    access_mapping = UserAccessMapping.get_access_request(request_id=request_id)
     if not access_mapping:
         # TODO: Have to add the email targets for failure
         targets = []
         message = "Request not found"
         notifications.send_revoke_failure_mail(
-            targets, data["request_id"], data["revoker_email"], 0, message
+            targets, request_id, access_mapping.revoker.email, 0, message
         )
-        return {"status": False}
+        return False
     elif access_mapping.status == "Revoked":
-        return {"status": True}
+        return True
     access = access_mapping.access
     user_identity = access_mapping.user_identity
 
-    revoker = User.get_user_by_email(data["revoker_email"])
+    revoker = access_mapping.revoker
     if not revoker:
         # TODO: Have to add the email targets for failure
         targets = []
         message = "Revoker not found"
         notifications.send_revoke_failure_mail(
             targets,
-            data["request_id"],
-            data["revoker_email"],
+            request_id,
+            access_mapping.revoker.email,
             0,
             message,
             access.access_tag,
         )
         user_identity.mark_revoke_failed_for_approved_access_mapping(access)
-        return {"status": False}
+        return False
 
     access_modules = helpers.get_available_access_modules()
 
@@ -227,7 +232,7 @@ def run_access_revoke(data):
             user_identity.mark_revoke_failed_for_approved_access_mapping(access)
         raise Exception("Failed to revoke the access due to: " + str(message))
 
-    return {"status": True}
+    return True
 
 
 @task_success.connect(sender=run_access_grant)
@@ -278,6 +283,7 @@ def run_accept_request(data):
     result = background_task("run_access_grant", request_id)
     if result:
         return {"status": True}
+
     notifications.send_mail_for_request_granted_failure(
         user, approver, access_type, request_id
     )
@@ -291,3 +297,38 @@ def run_accept_request(data):
     )
 
     return {"status": False}
+
+
+def accept_request(user_access_mapping, approval_type="", approver=None):
+    result = None
+
+    if approval_type == ApprovalType.Primary:
+        user_access_mapping.approver_1 = approver
+    elif approval_type == ApprovalType.Secondary:
+        user_access_mapping.approver_2 = approver
+    elif user_access_mapping.approver_1 or user_access_mapping.approver_2:
+        raise Exception("Request Not approved")
+
+    user_access_mapping.processing()
+    try:
+        result = run_access_grant.delay(user_access_mapping.request_id)
+    except Exception:
+        user_access_mapping.grant_fail_access(fail_reason="Task could not be queued")
+
+    if result:
+        return True
+    return False
+
+
+def revoke_request(user_access_mapping, revoker=None):
+    result = None
+    # change the status to revoke processing
+    user_access_mapping.revoking(revoker)
+    try:
+        result = run_access_revoke.delay(user_access_mapping.request_id)
+    except Exception:
+        user_access_mapping.RevokeFailed(fail_reason="Task could not be queued")
+
+    if result:
+        return True
+    return False
diff --git a/Access/group_helper.py b/Access/group_helper.py
@@ -738,9 +738,7 @@ def remove_member(request):
             "run_access_revoke",
             json.dumps(
                 {
-                    "request_id": user_identity.get_granted_access_mapping(access)
-                    .first()
-                    .request_id,
+                    "request_id": request_id,
                     "revoker_email": request.user.user.email,
                 }
             ),
diff --git a/Access/models.py b/Access/models.py
@@ -2,8 +2,14 @@
 from django.db import models, transaction
 from BrowserStackAutomation.settings import USER_STATUS_CHOICES, PERMISSION_CONSTANTS
 import datetime
+import enum
 
 
+class ApprovalType(enum.Enum):
+    Primary = "Primary"
+    Secondary = "Secondary"
+    
+
 class Permission(models.Model):
     """
     Permission to perform actions on enigma
@@ -793,6 +799,9 @@ def is_pending(self):
     def is_secondary_pending(self):
         return self.status == "SecondaryPending"
 
+    def is_grantfailed(self):
+        return self.status == "GrantFailed"
+
     def decline_access(self, decline_reason=None):
         self.status = "Declined"
         self.decline_reason = decline_reason
@@ -815,11 +824,26 @@ def grant_fail_access(self, fail_reason=None):
         self.fail_reason = fail_reason
         self.save()
 
+    def revoke_failed(self, fail_reason=None):
+        self.status = "RevokeFailed"
+        self.fail_reason = fail_reason
+        self.save()
+
+    def decline_access(self, decline_reason=None):
+        self.status = "Declined"
+        self.decline_reason = decline_reason
+        self.save()
+
     def approve_access(self):
         self.status = "Approved"
         self.save()
 
-    def set_processing(self):
+    def revoking(self, revoker):
+        self.revoker = revoker
+        self.status = "ProcessingRevoke"
+        self.save()        
+
+    def processing(self):
         self.status = "Processing"
         self.save()
 
@@ -1081,13 +1105,12 @@ def get_all_granted_access_mappings(self):
 
     def get_all_non_approved_access_mappings(self):
         return self.user_access_mapping.filter(
-            status__in=["approvefailed", "pending", "secondarypending", "grantfailed"],
-            access__access_tag=self.access_tag,
+            status__in=["approvefailed", "pending", "secondarypending", "grantfailed"]
         )
 
-    def decline_all_non_approved_access_mappings(self):
+    def decline_all_non_approved_access_mappings(self, decline_reason):
         user_mapping = self.get_all_non_approved_access_mappings()
-        user_mapping.update(status="Declined")
+        user_mapping.update(status="Declined", decline_reason = decline_reason)
 
     def get_granted_access_mapping(self, access):
         return self.user_access_mapping.filter(
@@ -1099,10 +1122,10 @@ def get_non_approved_access_mapping(self, access):
             status__in=["approvefailed", "pending", "secondarypending", "grantfailed"],
             access=access,
         )
-
-    def decline_non_approved_access_mapping(self, access):
+    
+    def decline_non_approved_access_mapping(self, access, decline_reason):
         user_mapping = self.get_non_approved_access_mapping(access)
-        user_mapping.update(status="Declined")
+        user_mapping.update(status="Declined", decline_reason = decline_reason)
 
     def offboarding_approved_access_mapping(self, access):
         user_mapping = self.get_granted_access_mapping(access)
@@ -1133,7 +1156,7 @@ def replicate_active_access_membership_for_module(
         for i, user_access in enumerate(existing_user_access_mapping):
             base_datetime_prefix = datetime.datetime.utcnow().strftime("%Y%m%d%H%M%S")
             request_id = (
-                self.user.username
+                self.user.user.username
                 + "-"
                 + user_access.access_type
                 + "-"
@@ -1148,7 +1171,6 @@ def replicate_active_access_membership_for_module(
             new_user_access_mapping.append(
                 self.user_access_mapping.create(
                     request_id=request_id,
-                    user=self,
                     access=user_access.access,
                     approver_1=user_access.approver_1,
                     approver_2=user_access.approver_2,
@@ -1157,7 +1179,6 @@ def replicate_active_access_membership_for_module(
                     status=access_status,
                 )
             )
-            user_access.deactivate()
         return new_user_access_mapping
 
     def create_access_mapping(
diff --git a/Access/userlist_helper.py b/Access/userlist_helper.py

Original file line number	Diff line number	Diff line change
`@@ -738,9 +738,7 @@ def remove_member(request):`
`738`	`738`	`"run_access_revoke",`
`739`	`739`	`json.dumps(`
`740`	`740`	`{`
`741`		`- "request_id": user_identity.get_granted_access_mapping(access)`
`742`		`- .first()`
`743`		`- .request_id,`
	`741`	`+ "request_id": request_id,`
`744`	`742`	`"revoker_email": request.user.user.email,`
`745`	`743`	`}`
`746`	`744`	`),`