Merge pull request #845 from dod-ccpo/app-settings-role-id

Use role ID for app settings table
This commit is contained in:
dandds
2019-05-28 11:43:56 -04:00
committed by GitHub
11 changed files with 136 additions and 181 deletions

View File

@@ -57,7 +57,7 @@ class ApplicationRoles(object):
.one()
)
except NoResultFound:
raise NotFoundError("portfolio_role")
raise NotFoundError("application_role")
@classmethod
def update_permission_sets(cls, application_role, new_perm_sets_names):

View File

@@ -6,7 +6,7 @@ from atst.models.environment import Environment
from atst.models.environment_role import EnvironmentRole
from atst.models.application import Application
from atst.domain.environment_roles import EnvironmentRoles
from atst.domain.users import Users
from atst.domain.application_roles import ApplicationRoles
from .exceptions import NotFoundError
@@ -99,9 +99,9 @@ class Environments(object):
for member in team_roles:
new_role = member["role_name"]
user = Users.get(member["user_id"])
app_role = ApplicationRoles.get_by_id(member["application_role_id"])
Environments.update_env_role(
environment=environment, user=user, new_role=new_role
environment=environment, user=app_role.user, new_role=new_role
)
@classmethod
@@ -113,15 +113,6 @@ class Environments(object):
environment=environment, user=member, new_role=new_role
)
@classmethod
def get_members_by_role(cls, env, role):
return (
db.session.query(EnvironmentRole)
.filter(EnvironmentRole.environment_id == env.id)
.filter(EnvironmentRole.role == role)
.all()
)
@classmethod
def revoke_access(cls, environment, target_user):
EnvironmentRoles.delete(environment.id, target_user.id)

View File

@@ -6,7 +6,7 @@ from .data import ENV_ROLES, ENV_ROLE_NO_ACCESS as NO_ACCESS
class MemberForm(FlaskForm):
user_id = HiddenField()
application_role_id = HiddenField()
user_name = StringField()
role_name = RadioField(choices=ENV_ROLES, default=NO_ACCESS)

View File

@@ -1,12 +1,14 @@
from enum import Enum
from sqlalchemy import Index, ForeignKey, Column, Enum as SQLAEnum, Table
from sqlalchemy.dialects.postgresql import UUID
from sqlalchemy.orm import relationship
from sqlalchemy.orm import object_session, relationship
from sqlalchemy.event import listen
from atst.utils import first_or_none
from atst.models import Base, mixins
from atst.models.mixins.auditable import record_permission_sets_updates
from atst.models.environment import Environment
from atst.models.environment_role import EnvironmentRole
from .types import Id
@@ -91,6 +93,22 @@ class ApplicationRole(
"portfolio": self.application.portfolio.name,
}
@property
def environment_roles(self):
if getattr(self, "_environment_roles", None) is None:
roles = (
object_session(self)
.query(EnvironmentRole)
.join(Environment, Environment.application_id == self.application_id)
.filter(EnvironmentRole.environment_id == Environment.id)
.filter(EnvironmentRole.user_id == self.user_id)
.all()
)
setattr(self, "_environment_roles", roles)
return self._environment_roles
Index(
"application_role_user_application",

View File

@@ -10,7 +10,6 @@ from atst.forms.application import ApplicationForm, EditEnvironmentForm
from atst.forms.data import ENV_ROLE_NO_ACCESS as NO_ACCESS
from atst.domain.authz.decorator import user_can_access_decorator as user_can
from atst.models.environment_role import CSPRole
from atst.domain.exceptions import NotFoundError
from atst.models.permissions import Permissions
from atst.utils.flash import formatted_flash as flash
@@ -30,62 +29,54 @@ def get_environments_obj_for_app(application):
return environments_obj
def serialize_members(member_list, role):
serialized_list = []
for member in member_list:
serialized_list.append(
{
"user_id": str(member.user_id),
"user_name": member.user.full_name,
"role_name": role,
}
)
return serialized_list
def sort_env_users_by_role(env):
users_list = []
no_access_users = env.application.users - env.users
no_access_list = [
{"user_id": str(user.id), "user_name": user.full_name, "role_name": NO_ACCESS}
for user in no_access_users
]
users_list.append({"role": NO_ACCESS, "members": no_access_list})
for role in CSPRole:
users_list.append(
{
"role": role.value,
"members": serialize_members(
Environments.get_members_by_role(env, role.value), role.value
),
}
)
return users_list
def data_for_app_env_roles_form(application):
data = {"envs": []}
for environment in application.environments:
data["envs"].append(
{
"env_id": environment.id,
"team_roles": sort_env_users_by_role(environment),
}
)
csp_roles = [role.value for role in CSPRole]
csp_roles.insert(0, NO_ACCESS)
# dictionary for sorting application members by environments
# and roles within those environments
environments_dict = {
e.id: {role_name: [] for role_name in csp_roles}
for e in application.environments
}
for member in application.members:
env_ids = set(environments_dict.keys())
for env_role in member.environment_roles:
role_members_list = environments_dict[env_role.environment_id][
env_role.role
]
role_members_list.append(
{
"application_role_id": str(member.id),
"user_name": member.user_name,
"role_name": env_role.role,
}
)
env_ids.remove(env_role.environment_id)
return data
# any leftover environment IDs are ones the app member
# does not have access to
for env_id in env_ids:
role_members_list = environments_dict[env_id][NO_ACCESS]
role_members_list.append(
{
"application_role_id": str(member.id),
"user_name": member.user_name,
"role_name": NO_ACCESS,
}
)
# transform the data into the shape the form needs
nested_data = [
{
"env_id": env_id,
"team_roles": [
{"role": role, "members": members} for role, members in roles.items()
],
}
for env_id, roles in environments_dict.items()
]
def check_users_are_in_application(user_ids, application):
existing_ids = [str(role.user_id) for role in application.roles]
for user_id in user_ids:
if not user_id in existing_ids:
raise NotFoundError("application user", user_id)
return True
return {"envs": nested_data}
def render_settings_page(application, **kwargs):
@@ -210,22 +201,10 @@ def update_env_roles(environment_id):
if form.validate():
env_data = []
try:
for env in form.envs.data:
if env["env_id"] == str(environment.id):
for role in env["team_roles"]:
user_ids = [user["user_id"] for user in role["members"]]
check_users_are_in_application(user_ids, application)
env_data = env_data + role["members"]
except NotFoundError as err:
app.logger.warning(
"User {} requested environment role change for unauthorized user {} in application {}.".format(
g.current_user.id, err.resource_id, application.id
),
extra={"tags": ["update", "failure"], "security_warning": True},
)
raise (err)
for env in form.envs.data:
if env["env_id"] == str(environment.id):
for role in env["team_roles"]:
env_data = env_data + role["members"]
Environments.update_env_roles_by_environment(
environment_id=environment_id, team_roles=env_data