Add validation for duplicated access requests (#252)

Co-authored-by: vassalo <[email protected]>
strongdm · May 23, 2022 · f259bf0 · f259bf0
1 parent 9031e42
commit f259bf0
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 0 deletions.
diff --git a/e2e/slack/test_accessbot_slack_access.py b/e2e/slack/test_accessbot_slack_access.py
@@ -225,6 +225,14 @@ def test_access_command_grant_with_strange_casing(self, mocked_testbot):
         assert "access request" in mocked_testbot.pop_message()
         assert "Granting" in mocked_testbot.pop_message()
 
+    def test_access_command_fails_when_duplicating_request(self, mocked_testbot):
+        mocked_testbot.push_message(f"access to {resource_name}")
+        mocked_testbot.push_message(f"access to {resource_name}")
+        assert "valid request" in mocked_testbot.pop_message()
+        assert "access request" in mocked_testbot.pop_message()
+        assert "already have a pending grant request" in mocked_testbot.pop_message()
+
+
 class Test_access_flow_from_access_form(ErrBotExtraTestSettings):
 
     @pytest.fixture

diff --git a/plugins/sdm/accessbot.py b/plugins/sdm/accessbot.py
@@ -178,6 +178,7 @@ def access_resource(self, message, match):
         try:
             self.get_arguments_helper().check_required_flags(flags_validators.keys(), self.config['REQUIRED_FLAGS'], flags)
             self.check_requester_flag(message, flags.get('requester'))
+            self.__grant_requests_helper.check_request_already_exists(resource_name, GrantRequestType.ACCESS_RESOURCE, message.frm.person)
         except Exception as e:
             yield str(e)
             return
@@ -193,6 +194,11 @@ def assign_role(self, message, match):
             return
         self.increment_metrics([MetricGaugeType.TOTAL_RECEIVED_MESSAGES, MetricGaugeType.TOTAL_ACCESS_REQUESTS])
         role_name = re.sub(ASSIGN_ROLE_REGEX, "\\1", match.string.replace("*", ""), flags=re.IGNORECASE)
+        try:
+            self.__grant_requests_helper.check_request_already_exists(role_name, GrantRequestType.ASSIGN_ROLE, message.frm.person)
+        except Exception as e:
+            yield str(e)
+            return
         yield from self.get_role_grant_helper().request_access(message, role_name)
         self.__update_metric(MetricGaugeType.TOTAL_CONSECUTIVE_ERRORS, 0)
 

diff --git a/plugins/sdm/lib/helper/grant_request_helper.py b/plugins/sdm/lib/helper/grant_request_helper.py
@@ -87,5 +87,13 @@ def remove(self, request_id: str):
         self.__grant_requests.pop(request_id, None)
         self.__save_state()
 
+    def check_request_already_exists(self, sdm_object_name: str, grant_request_type: GrantRequestType, user: str):
+        for grant_request in self.__grant_requests.values():
+            if grant_request["type"] == grant_request_type.value and grant_request["message"].frm.person == user \
+                    and grant_request["sdm_object"].name.lower() == sdm_object_name.lower():
+                obj_type_name = "resource" if grant_request_type == GrantRequestType.ACCESS_RESOURCE else "role"
+                raise Exception(
+                    f"You already have a pending grant request for that {obj_type_name}. Please, wait for an admin evaluation.")
+
     def __sdm_model_to_dict(self, object):
         return object if type(object) is dict else object.to_dict()
diff --git a/plugins/sdm/lib/helper/test_grant_request_helper.py b/plugins/sdm/lib/helper/test_grant_request_helper.py
@@ -1,3 +1,4 @@
+import pytest
 from errbot import Message
 import sys
 from unittest.mock import MagicMock, patch, mock_open
@@ -43,6 +44,23 @@ def test_restore_state_when_has_stored_requests(self):
             assert helper.get(request_id) is None
             assert not helper.exists(request_id)
 
+    def test_raise_exception_when_add_duplicated_request(self):
+        bot = get_mock_bot()
+        with patch("builtins.open", mock_open(read_data=mock_file_data)) as handle:
+            helper = GrantRequestHelper(bot)
+            assert helper.get(request_id) is not None
+            assert helper.exists(request_id)
+            assert len(helper.get_request_ids()) == 1
+            file = handle()
+            file.read.assert_called_once()
+            with pytest.raises(Exception) as e:
+                helper.add(request_id, get_mock_message(), get_mock_sdm_object(), get_mock_sdm_account(),
+                           GrantRequestType.ACCESS_RESOURCE)
+                assert "already have a pending grant request" in e.value
+            helper.remove(request_id)
+            assert helper.get(request_id) is None
+            assert not helper.exists(request_id)
+
 
 def get_mock_bot():
     mock = MagicMock()