save work, some UI and misc tests

Author: eguerrant

api/operations/create_role_request.py

@@ -13,11 +13,14 @@
     OktaGroup,
     OktaGroupTagMap,
     OktaUser,
+    OktaUserGroupMember,
     RoleGroup,
     RoleRequest,
+    Tag
 )
 from api.models.app_group import get_access_owners, get_app_managers
 from api.models.okta_group import get_group_managers
+from api.models.tag import coalesce_constraints
 from api.operations.approve_role_request import ApproveRoleRequest
 from api.operations.reject_role_request import RejectRoleRequest
 from api.plugins import get_conditional_access_hook, get_notification_hook
@@ -46,6 +49,13 @@ def __init__(
             self.requester_role = (
                 RoleGroup.query.filter(RoleGroup.deleted_at.is_(None)).filter(RoleGroup.id == requester_role).first()
             )
+            # self.requester_role = (
+            #     db.session.query(RoleGroup)
+            #     .options(joinedload(OktaUserGroupMember.user))
+            #     .filter(RoleGroup.deleted_at.is_(None))
+            #     .filter(RoleGroup.id == requester_role)
+            #     .first()
+            # )
         else:
             self.requester_role = requester_role
 
@@ -90,6 +100,37 @@ def execute(self) -> Optional[RoleRequest]:
         # Fetch the users to notify
         approvers = get_group_managers(self.requested_group.id)
 
+        requested_group_tags = [tm.tag for tm in self.requested_group.active_group_tags]
+
+        role_memberships = [u.user_id for u in (
+            OktaUserGroupMember.query.filter(OktaUserGroupMember.group_id == self.requester_role.id)
+            .filter(OktaUserGroupMember.is_owner.is_(False))
+            .filter(
+                db.or_(
+                    OktaUserGroupMember.ended_at.is_(None),
+                    OktaUserGroupMember.ended_at > db.func.now(),
+                )
+            )
+            .all()
+        )]
+
+        # If group tagged with disallow self add constraint, filter out approvers who are also members of the role
+        if self.request_ownership:
+            disallow_self_add_owner = coalesce_constraints(
+                constraint_key=Tag.DISALLOW_SELF_ADD_OWNERSHIP_CONSTRAINT_KEY,
+                tags=requested_group_tags,
+            )
+            if disallow_self_add_owner:
+                approvers = [a for a in approvers if a.id not in role_memberships]
+            
+        else:
+            disallow_self_add_member = coalesce_constraints(
+                constraint_key=Tag.DISALLOW_SELF_ADD_MEMBERSHIP_CONSTRAINT_KEY,
+                tags=requested_group_tags,
+            )
+            if disallow_self_add_member:
+                approvers = [a for a in approvers if a.id not in role_memberships]
+
         # If there are no approvers, try to get the app managers
         # or if the only approver is the requester, try to get the app managers
         if (

api/views/resources/role_request.py

@@ -114,7 +114,9 @@ def get(self, role_request_id: str) -> ResponseReturnValue:
     @FlaskApiSpecDecorators.response_schema(RoleRequestSchema)
     def put(self, role_request_id: str) -> ResponseReturnValue:
         role_request = (
-            RoleRequest.query.options(joinedload(RoleRequest.active_requested_group))
+            RoleRequest.query.options(
+                joinedload(RoleRequest.active_requested_group),
+                joinedload(RoleRequest.requester_role))
             .filter(RoleRequest.id == role_request_id)
             .first_or_404()
         )

src/pages/role_requests/Read.tsx

@@ -179,7 +179,7 @@ export default function ReadRoleRequest() {
 
   const roleRequest = data ?? ({} as RoleRequest);
 
-  console.log(roleRequest);
+  // console.log(roleRequest);
 
   const ownRequest = roleRequest.requester?.id == currentUser.id;
 
@@ -196,6 +196,7 @@ export default function ReadRoleRequest() {
         ? requestedUntilDelta.toString()
         : 'custom';
 
+  // TODO if owner can't add self constraint and owner member of role, set below to false and add note about constraint
   const requestedGroupManager = canManageGroup(currentUser, roleRequest.requested_group);
 
   const complete = (
@@ -229,7 +230,7 @@ export default function ReadRoleRequest() {
 
   const constraints = ComputeConstraints(roleRequest);
 
-  console.log(constraints);
+  // console.log(constraints);
 
   const timeLimit: number | null = constraints[0] as number | null;
   const reason: boolean = constraints[1] as boolean;
@@ -260,7 +261,9 @@ export default function ReadRoleRequest() {
     }));
   }
 
-  const ownerships = groupBy(group.active_user_ownerships, (m) => m.active_user?.id);
+  // TODO if owner can't add self constraint, filter ownerships to remove roleRequest.requester_role?.active_user_memberships
+
+  let ownerships = groupBy(group.active_user_ownerships, (m) => m.active_user?.id);
 
   const {data: appData} = useGetAppById(
     {
@@ -436,11 +439,11 @@ export default function ReadRoleRequest() {
                         <Box component="span" sx={{color: 'primary.main', fontWeight: 'bold'}}>
                           <> ownership </>
                         </Box>{' '}
+                        of
                       </>
                     ) : (
-                      ' membership '
+                      ' membership to '
                     )}
-                    of
                   </Typography>
                   <Typography variant="h4">
                     {(roleRequest.requested_group?.deleted_at ?? null) != null ? (

tests/test_role_request.py

@@ -1,4 +1,4 @@
-from datetime import datetime, timedelta
+from datetime import datetime, timedelta, timezone
 from typing import Any
 
 from flask import Flask, url_for
@@ -641,6 +641,64 @@ def test_get_all_possible_role_request_approvers(app: Flask, mocker: MockerFixtu
     assert users[2] in approvers
 
 
+def test_role_request_approvers_tagged(
+    app: Flask,
+    db: SQLAlchemy,
+    role_group: RoleGroup,
+    okta_group: OktaGroup,
+    user: OktaUser,
+    tag: Tag,
+    mocker: MockerFixture,
+) -> None:
+    access_owner = OktaUser.query.filter(OktaUser.email == app.config["CURRENT_OKTA_USER_EMAIL"]).first()
+
+    user2 = OktaUserFactory.create()
+    user3 = OktaUserFactory.create()
+    db.session.add(user)
+    db.session.add(user2)
+    db.session.add(user3)
+    db.session.add(okta_group)
+    db.session.commit()
+
+    # Add role group that user owns
+    db.session.add(role_group)
+    db.session.commit()
+
+    ModifyGroupUsers(group=role_group, members_to_add=[user2.id], owners_to_add=[user.id], sync_to_okta=False).execute()
+    ModifyGroupUsers(group=okta_group, owners_to_add=[user2.id, user3.id], sync_to_okta=False).execute()
+
+    # Add tag
+    tag.constraints = {
+        Tag.DISALLOW_SELF_ADD_MEMBERSHIP_CONSTRAINT_KEY: True,
+    }
+    db.session.add(tag)
+    db.session.commit()
+
+    db.session.add(OktaGroupTagMap(group_id=okta_group.id, tag_id=tag.id))
+    db.session.commit()
+
+    hook = get_notification_hook()
+    request_created_notification_spy = mocker.patch.object(hook, "access_role_request_created")
+    request_completed_notification_spy = mocker.patch.object(hook, "access_role_request_completed")
+
+    role_request = CreateRoleRequest(
+        requester_user=user,
+        requester_role=role_group,
+        requested_group=okta_group,
+        request_reason="test reason",
+    ).execute()
+
+    assert role_request is not None
+    assert request_created_notification_spy.call_count == 1
+    _, kwargs = request_created_notification_spy.call_args
+    assert kwargs["role_request"] == role_request
+    assert kwargs["role"] == role_group
+    assert kwargs["group"] == okta_group
+    assert kwargs["requester"] == user
+    assert len(kwargs["approvers"]) == 1
+    assert user3 in kwargs["approvers"]
+
+
 def test_resolve_app_role_request_notification(
     app: Flask,
     db: SQLAlchemy,
@@ -952,6 +1010,166 @@ def test_auto_resolve_create_role_request_with_time_limit_constraint_tag(
     assert tag in kwargs["group_tags"]
 
 
+def test_time_limit_constraint_tag(
+    app: Flask,
+    db: SQLAlchemy,
+    access_app: App,
+    role_group: RoleGroup,
+    app_group: AppGroup,
+    user: OktaUser,
+    tag: Tag,
+    mocker: MockerFixture,
+) -> None:
+    access_owner = OktaUser.query.filter(OktaUser.email == app.config["CURRENT_OKTA_USER_EMAIL"]).first()
+
+    # Add User
+    db.session.add(user)
+    db.session.commit()
+
+    # Add app group that no one owns
+    app_group.app_id = access_app.id
+    app_group.is_owner = False
+    db.session.add(app_group)
+
+    db.session.commit()
+
+    # Add role group that user owns
+    db.session.add(role_group)
+    db.session.commit()
+
+    ModifyGroupUsers(group=role_group, members_to_add=[user.id], owners_to_add=[user.id], sync_to_okta=False).execute()
+
+    # Add tag
+    tag.constraints = {
+        Tag.MEMBER_TIME_LIMIT_CONSTRAINT_KEY: THREE_DAYS_IN_SECONDS,
+    }
+    db.session.add(tag)
+    db.session.commit()
+
+    db.session.add(OktaGroupTagMap(group_id=app_group.id, tag_id=tag.id))
+    db.session.commit()
+
+    hook = get_notification_hook()
+    request_created_notification_spy = mocker.patch.object(hook, "access_role_request_created")
+
+    # Make request for more than time limit
+    role_request = CreateRoleRequest(
+        requester_user=user,
+        requester_role=role_group,
+        requested_group=app_group,
+        request_reason="test reason",
+    ).execute()
+
+    assert role_request is not None
+    assert request_created_notification_spy.call_count == 1
+    _, kwargs = request_created_notification_spy.call_args
+    assert kwargs["role_request"] == role_request
+    # Ending time is None (more than time limit)
+    assert kwargs["role_request"].request_ending_at == None
+    assert kwargs["role"] == role_group
+    assert kwargs["group"] == app_group
+    assert kwargs["requester"] == user
+
+    # Try to approve for more than time limit
+    ApproveRoleRequest(
+        role_request=role_request,
+        approver_user=access_owner,
+        ending_at=datetime.now()+timedelta(seconds=SEVEN_DAYS_IN_SECONDS)
+    ).execute()
+
+    # Should only be approved for time limit if approved time is higher
+    approval = RoleGroupMap.query.filter(RoleGroupMap.role_group == role_group).first()
+    # Make sure approval time is correct (could be a couple milliseconds off from calculated which is okay)
+    approval_time = approval.ended_at.replace(tzinfo=timezone.utc)
+    expected_approval_time = datetime.now(timezone.utc) + timedelta(seconds=THREE_DAYS_IN_SECONDS)
+    assert expected_approval_time > approval_time
+    assert expected_approval_time - approval_time < timedelta(minutes=1)
+
+
+def test_owner_cant_add_self_constraint_tag(
+    app: Flask,
+    db: SQLAlchemy,
+    access_app: App,
+    role_group: RoleGroup,
+    app_group: AppGroup,
+    user: OktaUser,
+    tag: Tag,
+    mocker: MockerFixture,
+) -> None:
+    access_owner = OktaUser.query.filter(OktaUser.email == app.config["CURRENT_OKTA_USER_EMAIL"]).first()
+
+    # Add Users
+    user2 = OktaUserFactory.create()
+    db.session.add(user)
+    db.session.add(user2)
+    db.session.commit()
+
+    # Add app group that no one owns
+    app_group.app_id = access_app.id
+    app_group.is_owner = False
+    db.session.add(app_group)
+
+    db.session.commit()
+
+    # Add role group that user owns
+    db.session.add(role_group)
+    db.session.commit()
+
+    ModifyGroupUsers(group=role_group, members_to_add=[user.id, user2.id], owners_to_add=[user.id], sync_to_okta=False).execute()
+    ModifyGroupUsers(group=app_group, owners_to_add=[user2.id], sync_to_okta=False).execute()
+
+    # Add tag
+    tag.constraints = {
+        Tag.DISALLOW_SELF_ADD_MEMBERSHIP_CONSTRAINT_KEY: True,
+    }
+    db.session.add(tag)
+    db.session.commit()
+
+    db.session.add(OktaGroupTagMap(group_id=app_group.id, tag_id=tag.id))
+    db.session.commit()
+
+    hook = get_notification_hook()
+    request_created_notification_spy = mocker.patch.object(hook, "access_role_request_created")
+    request_completed_notification_spy = mocker.patch.object(hook, "access_role_request_completed")
+    add_membership_spy = mocker.patch.object(okta, "async_add_user_to_group")
+
+    role_request = CreateRoleRequest(
+        requester_user=user,
+        requester_role=role_group,
+        requested_group=app_group,
+        request_reason="test reason",
+    ).execute()
+
+    assert role_request is not None
+    assert request_created_notification_spy.call_count == 1
+    _, kwargs = request_created_notification_spy.call_args
+    assert kwargs["role_request"] == role_request
+    assert kwargs["role"] == role_group
+    assert kwargs["group"] == app_group
+    assert kwargs["requester"] == user
+
+    # user2 owns the group and is a member of the requester role, should fail
+    should_fail = ApproveRoleRequest(
+        role_request=role_request,
+        approver_user=user2,
+    ).execute()
+    assert should_fail.status == AccessRequestStatus.PENDING
+
+    should_pass = ApproveRoleRequest(
+        role_request=role_request,
+        approver_user=access_owner,
+    ).execute()
+    assert should_pass.status == AccessRequestStatus.APPROVED
+
+    assert add_membership_spy.call_count == 2
+    assert request_completed_notification_spy.call_count == 1
+    _, kwargs = request_completed_notification_spy.call_args
+    assert kwargs["role_request"] == should_pass
+    assert kwargs["role"] == role_group
+    assert kwargs["group"] == app_group
+    assert kwargs["requester"] == user
+
+
 def test_role_request_approval_via_direct_add(
     client: FlaskClient,
     app: Flask,