Add allow_discord_access custom Okta Group profile attribute check (#195

)
discord · Nov 18, 2024 · cf695de · cf695de
1 parent f757ac0
commit cf695de
Show file tree

Hide file tree

Showing 3 changed files with 84 additions and 1 deletion.
diff --git a/api/config.py b/api/config.py
@@ -13,6 +13,9 @@
 OKTA_USE_GROUP_OWNERS_API = os.getenv("OKTA_USE_GROUP_OWNERS_API", "False") == "True"
 CURRENT_OKTA_USER_EMAIL = os.getenv("CURRENT_OKTA_USER_EMAIL", "[email protected]")
 
+# Optional env var to set a custom Okta Group Profile attribute for Access management inclusion/exclusion
+OKTA_GROUP_PROFILE_CUSTOM_ATTR = os.getenv("OKTA_GROUP_PROFILE_CUSTOM_ATTR")
+
 SQLALCHEMY_DATABASE_URI = os.getenv("DATABASE_URI")
 SQLALCHEMY_TRACK_MODIFICATIONS = False
 SQLALCHEMY_ECHO = ENV == "development"  # or ENV == "test"

diff --git a/api/services/okta_service.py b/api/services/okta_service.py
@@ -14,6 +14,7 @@
 from okta.models.user_schema import UserSchema as OktaUserSchemaType
 from okta.request_executor import RequestExecutor as OktaRequestExecutor
 
+from api.config import OKTA_GROUP_PROFILE_CUSTOM_ATTR
 from api.models import OktaGroup, OktaUser
 
 REQUEST_MAX_RETRIES = 3
@@ -534,5 +535,22 @@ def update_okta_group(
         return okta_group
 
 
-def is_managed_group(group: Group, group_ids_with_group_rules: dict[str, list[OktaGroupRuleType]]) -> bool:
+def is_managed_group(
+    group: Group,
+    group_ids_with_group_rules: dict[str, list[OktaGroupRuleType]],
+    custom_attr: Optional[str] = OKTA_GROUP_PROFILE_CUSTOM_ATTR,
+) -> bool:
+    # Check if OKTA_GROUP_PROFILE_CUSTOM_ATTR attribute exists as a custom Okta Group Profile attribute and retrieve its value
+    if custom_attr:
+        custom_manage_attr = getattr(group.profile, custom_attr, None)
+
+        # If OKTA_GROUP_PROFILE_CUSTOM_ATTR is explicitly set to False, the group should not be managed
+        if custom_manage_attr is False:
+            return False
+
+        # If OKTA_GROUP_PROFILE_CUSTOM_ATTR is True and the group type is OKTA_GROUP, it can be managed even if it has group rules
+        if custom_manage_attr is True and group.type == "OKTA_GROUP":
+            return True
+
+    # By default, the group should be of type OKTA_GROUP and should not have any group rules to be managed
     return (group.type == "OKTA_GROUP") and (group.id not in group_ids_with_group_rules)
diff --git a/tests/test_okta_service.py b/tests/test_okta_service.py
@@ -0,0 +1,62 @@
+from unittest.mock import MagicMock, patch
+
+from okta.models.group_rule import GroupRule as OktaGroupRuleType
+
+from api.services.okta_service import is_managed_group
+
+
+def test_is_managed_group_with_allow_discord_access_false() -> None:
+    """Test that is_managed_group returns False when allow_discord_access is False."""
+    with patch("api.config.OKTA_GROUP_PROFILE_CUSTOM_ATTR", "allow_discord_access"):
+        from api.config import OKTA_GROUP_PROFILE_CUSTOM_ATTR
+
+        # Create a mock of the Group class
+        group = MagicMock()
+        group.profile = MagicMock()
+        group.profile.allow_discord_access = False  # Set the profile attribute to False
+        group.type = "OKTA_GROUP"
+        group.id = "123456789"  # Example group ID
+
+        group_ids_with_group_rules: dict[str, list[OktaGroupRuleType]] = {}  # Empty dictionary for group rules
+
+        # Call the function and assert the expected result
+        result = is_managed_group(group, group_ids_with_group_rules, OKTA_GROUP_PROFILE_CUSTOM_ATTR)
+        assert result is False
+
+
+def test_is_managed_group_with_allow_discord_access_true() -> None:
+    """Test that is_managed_group returns True when allow_discord_access is True."""
+    with patch("api.config.OKTA_GROUP_PROFILE_CUSTOM_ATTR", "allow_discord_access"):
+        from api.config import OKTA_GROUP_PROFILE_CUSTOM_ATTR
+
+        # Create a mock of the Group class
+        group = MagicMock()
+        group.profile = MagicMock()
+        group.profile.allow_discord_access = True  # Set the profile attribute to True
+        group.type = "OKTA_GROUP"
+        group.id = "123456789"  # Example group ID
+
+        group_ids_with_group_rules: dict[str, list[OktaGroupRuleType]] = {}  # Empty dictionary for group rules
+
+        # Call the function and assert the expected result
+        result = is_managed_group(group, group_ids_with_group_rules, OKTA_GROUP_PROFILE_CUSTOM_ATTR)
+        assert result is True
+
+
+def test_is_managed_group_with_allow_discord_access_undefined() -> None:
+    """Test that is_managed_group returns True when the custom attribute is undefined."""
+    with patch("api.config.OKTA_GROUP_PROFILE_CUSTOM_ATTR", None):
+        from api.config import OKTA_GROUP_PROFILE_CUSTOM_ATTR
+
+        # Create a mock of the Group class
+        group = MagicMock()
+        group.profile = MagicMock()
+        group.profile.allow_discord_access = False  # Set the profile attribute to False
+        group.type = "OKTA_GROUP"
+        group.id = "123456789"  # Example group ID
+
+        group_ids_with_group_rules: dict[str, list[OktaGroupRuleType]] = {}  # Empty dictionary for group rules
+
+        # Call the function and assert the expected result
+        result = is_managed_group(group, group_ids_with_group_rules, OKTA_GROUP_PROFILE_CUSTOM_ATTR)
+        assert result is True