feat(conditional-access): changed this to work with tags as well as g…

…roup names (#200)

examples/plugins/conditional_access/Readme.md

@@ -0,0 +1,31 @@
+# Conditional Access Plugin
+
+This plugin will allow you to automatically approve or deny access requests based on the group or tag membership of the group.
+
+## Installation
+
+Add the below to your Dockerfile to install the plugin. You can put it before the ENV section at the bottom of the file.
+```
+# Add the specific plugins and install conditional access plugin
+WORKDIR /app/plugins
+ADD ./examples/plugins/conditional_access ./conditional_access
+RUN pip install -r ./conditional_access/requirements.txt && pip install ./conditional_access
+
+# Reset working directory
+WORKDIR /app
+```
+
+Build and run your docker container as normal.
+
+
+## Configuration
+
+You can set the following environment variables to configure the plugin but note that neither are required by default. If you only want to use the specific tag `Auto-Approve` then no environment variables are required. You must however create the tag within the Access Application.
+
+- `AUTO_APPROVED_GROUP_NAMES`: A comma-separated list of group names that will be auto-approved.
+- `AUTO_APPROVED_TAG_NAMES`: A comma-separated list of tag names that will be auto-approved.
+
+
+## Usage
+
+The plugin will automatically approve access requests to the groups or tags specified in the environment variables by running a check on each access request that is processed. If neither the group name nor the tag name match, then a log line stating manual approval is required will be output.

examples/plugins/conditional_access/conditional_access.py

@@ -1,6 +1,7 @@
 from __future__ import print_function
 
 import logging
+import os
 from typing import List, Optional
 
 import pluggy
@@ -11,18 +12,34 @@
 request_hook_impl = pluggy.HookimplMarker("access_conditional_access")
 logger = logging.getLogger(__name__)
 
+# Constants for auto-approval conditions (not required if you only want to use the Auto-Approval TAG)
+# Example of how to set this in an environment variable in your .env.production file:
+# AUTO_APPROVED_GROUP_NAMES="Group1,Group2,Group3"
+AUTO_APPROVED_GROUP_NAMES = (
+    os.getenv("AUTO_APPROVED_GROUP_NAMES", "").split(",") if os.getenv("AUTO_APPROVED_GROUP_NAMES") else []
+)
+
+# Example of how to set this in an environment variable in your .env.production file:
+# AUTO_APPROVED_TAG_NAMES="Tag1,Tag2,Tag3"
+AUTO_APPROVED_TAG_NAMES = os.getenv("AUTO_APPROVED_TAG_NAMES", "Auto-Approve").split(",")
+
 
 @request_hook_impl
 def access_request_created(
     access_request: AccessRequest, group: OktaGroup, group_tags: List[Tag], requester: OktaUser
 ) -> Optional[ConditionalAccessResponse]:
     """Auto-approve memberships to the Auto-Approved-Group group"""
 
-    if not access_request.request_ownership and group.name == "Auto-Approved-Group":
-        logger.info(f"Auto-approving access request {access_request.id} to group {group.name}")
-        return ConditionalAccessResponse(
-            approved=True, reason="Group membership auto-approved", ending_at=access_request.request_ending_at
-        )
+    if not access_request.request_ownership:
+        # Check either group name or tag for auto-approval
+        is_auto_approved_name = group.name in AUTO_APPROVED_GROUP_NAMES
+        is_auto_approved_tag = any(tag.name in AUTO_APPROVED_TAG_NAMES for tag in group_tags)
+
+        if is_auto_approved_name or is_auto_approved_tag:
+            logger.info(f"Auto-approving access request {access_request.id} to group {group.name}")
+            return ConditionalAccessResponse(
+                approved=True, reason="Group membership auto-approved", ending_at=access_request.request_ending_at
+            )
 
     logger.info(f"Access request {access_request.id} to group {group.name} requires manual approval")