discord / access Goto Github PK
View Code? Open in Web Editor NEWAccess, a centralized portal for employees to transparently discover, request, and manage their access for all internal systems needed to do their jobs
License: Apache License 2.0
access's People
Contributors
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
Stargazers
Watchers
Forkers
sairam4123 hackermondev somethingnew2-0 box-of-code houey buddhanepal radsec avineshwar v-zer0 greendx ryvex0 3ur buggerman salecharohit frenchi robindev03 jessiejaymz810s ternera defconpro jonathanhle lelandparker optimadam colohr meech-io tnmdevteam finnthefoxxo stvnksslraccess's Issues
Argument 'postgresql_where' is not accepted by dialect 'postgresql' on behalf of <class 'sqlalchemy.sql.schema.UniqueConstraint'>
๐๐ป Hey guys, I saw your new blog and thought I should check it out.
๐ Upon setting up, while running the flask db upgrade command to seed the DB, it turns out that it throws up an error.
โ ๏ธ Error:
Traceback (most recent call last):
File "/home/scott/access/venv/bin/flask", line 8, in <module>
sys.exit(main())
^^^^^^
File "/home/scott/access/venv/lib/python3.11/site-packages/flask/cli.py", line 1107, in main
cli.main()
File "/home/scott/access/venv/lib/python3.11/site-packages/click/core.py", line 1078, in main
rv = self.invoke(ctx)
^^^^^^^^^^^^^^^^
File "/home/scott/access/venv/lib/python3.11/site-packages/click/core.py", line 1688, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/scott/access/venv/lib/python3.11/site-packages/click/core.py", line 1688, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/scott/access/venv/lib/python3.11/site-packages/click/core.py", line 1434, in invoke
return ctx.invoke(self.callback, **ctx.params)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/scott/access/venv/lib/python3.11/site-packages/click/core.py", line 783, in invoke
return __callback(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/scott/access/venv/lib/python3.11/site-packages/click/decorators.py", line 33, in new_func
return f(get_current_context(), *args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/scott/access/venv/lib/python3.11/site-packages/flask/cli.py", line 388, in decorator
return ctx.invoke(f, *args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/scott/access/venv/lib/python3.11/site-packages/click/core.py", line 783, in invoke
return __callback(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/scott/access/venv/lib/python3.11/site-packages/flask_migrate/cli.py", line 154, in upgrade
_upgrade(directory, revision, sql, tag, x_arg)
File "/home/scott/access/venv/lib/python3.11/site-packages/flask_migrate/__init__.py", line 111, in wrapped
f(*args, **kwargs)
File "/home/scott/access/venv/lib/python3.11/site-packages/flask_migrate/__init__.py", line 200, in upgrade
command.upgrade(config, revision, sql=sql, tag=tag)
File "/home/scott/access/venv/lib/python3.11/site-packages/alembic/command.py", line 403, in upgrade
script.run_env()
File "/home/scott/access/venv/lib/python3.11/site-packages/alembic/script/base.py", line 583, in run_env
util.load_python_file(self.dir, "env.py")
File "/home/scott/access/venv/lib/python3.11/site-packages/alembic/util/pyfiles.py", line 95, in load_python_file
module = load_module_py(module_id, path)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/scott/access/venv/lib/python3.11/site-packages/alembic/util/pyfiles.py", line 113, in load_module_py
spec.loader.exec_module(module) # type: ignore
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "<frozen importlib._bootstrap_external>", line 940, in exec_module
File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
File "/home/scott/access/migrations/env.py", line 92, in <module>
run_migrations_online()
File "/home/scott/access/migrations/env.py", line 86, in run_migrations_online
context.run_migrations()
File "<string>", line 8, in run_migrations
File "/home/scott/access/venv/lib/python3.11/site-packages/alembic/runtime/environment.py", line 948, in run_migrations
self.get_context().run_migrations(**kw)
File "/home/scott/access/venv/lib/python3.11/site-packages/alembic/runtime/migration.py", line 627, in run_migrations
step.migration_fn(**kw)
File "/home/scott/access/migrations/versions/d6db40b0805d_initial_migration.py", line 79, in upgrade
sa.UniqueConstraint("email", name=op.f('idx_email'), postgresql_where=sa.text("deleted_at IS NULL")),
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/scott/access/venv/lib/python3.11/site-packages/sqlalchemy/sql/schema.py", line 4340, in __init__
Constraint.__init__(
File "/home/scott/access/venv/lib/python3.11/site-packages/sqlalchemy/sql/schema.py", line 4117, in __init__
self._validate_dialect_kwargs(dialect_kw)
File "/home/scott/access/venv/lib/python3.11/site-packages/sqlalchemy/sql/base.py", line 618, in _validate_dialect_kwargs
raise exc.ArgumentError(
sqlalchemy.exc.ArgumentError: Argument 'postgresql_where' is not accepted by dialect 'postgresql' on behalf of <class 'sqlalchemy.sql.schema.UniqueConstraint'>
๐ก Keep in mind that I'm not very familiar with Python and databases. So I might be dumb at some times.
request to expose Group Active tags to Conditional Access Plugin
I'd like to make some conditional access decisions based on the tags that are applied to an Okta Group within Access.
I have an exploratory branch here if it's useful.
# Auto Approve if "AutoApproval" is applied to Group
if not access_request.request_ownership and "AutoApproval" in group_tags:
logger.info(f"Auto-approving access request {access_request.id} to group {group.name}")
return ConditionalAccessResponse(
approved=True,
reason="Group membership auto-approved based on AutoApproval tag",
ending_at=access_request.request_ending_at,
)
use Okta's response headers for rate limits
transcript of (Gabriel's half of) a conversation with @somethingnew2-0
why do u use exponential backoff when Okta tells you when u can retry the api call?
access/api/services/okta_service.py
Lines 41 to 66 in 40d8c0b
if u get a 429 error that tells u when to retry, why not look at those headers?
eg (and this isn't perfect, but...)
https://github.com/gabrielsroka/gabrielsroka.github.io/blob/master/console/index.html#L169-L187
ie, if u reach the rate limit at 10:00:00 and it tells u to retry at 10:01:00, there's no point in retrying at 10:00:01.2, 10:00:02.4, 10:00:04.8. ur just gonna get more errors
Okta provides three headers in each response to report on both concurrent and org-wide rate limits.
For org-wide rate limits, the three headers show the limit that is being enforced, when it resets, and how close you are to hitting the limit:
X-Rate-Limit-Limit - the rate limit ceiling that is applicable for the current request.
X-Rate-Limit-Remaining - the number of requests left for the current rate-limit window.
X-Rate-Limit-Reset - the time at which the rate limit resets, specified in UTC epoch time (in seconds).
Exceptional work! ๐คฉ
As a fellow security engineer who works on GitHub's open source IAM system (entitlements), this is really awesome work!
can't compare offset-naive and offset-aware datetimes in tag.py
Issue with datetime object comparisons related to timezone awareness and comparison. Report on CloudSec Slack forum as well.
Issue appears when testing the Conditional Access plugin and adding any Group tag to the "Auto-Approved-Group".
File "/Users/jonathan.le/dev/jonathanhle/access/api/operations/approve_access_request.py", line 122, in execute
ModifyGroupUsers(
File "/Users/jonathan.le/dev/jonathanhle/access/api/operations/modify_group_users.py", line 56, in __init__
self.members_added_ended_at = coalesce_ended_at(
^^^^^^^^^^^^^^^^^^
File "/Users/jonathan.le/dev/jonathanhle/access/api/models/tag.py", line 43, in coalesce_ended_at
return min(constraint_ended_at, initial_ended_at)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: can't compare offset-naive and offset-aware datetimes
retry on resp.next()
more converstaions with @somethingnew2-0
i noticed this "pattern" 4 times (paginating thru a given api)
access/api/services/okta_service.py
Lines 96 to 105 in 7fda498
don't u need to
retry the next(), too?
i use async generators for it. write it once, factor it out, reuse it everywhere. something like
import asyncio
from okta.client import Client as OktaClient
async def get_applications():
async with OktaClient() as okta_client:
filter = {'filter': 'status eq "ACTIVE"'}
async for app in get_objects(okta_client.list_applications(filter)):
print(f"Application Name: {app.name}")
print(f"Application ID: {app.id}")
async for app_user in get_objects(okta_client.list_application_users(app.id)):
print(app_user.id)
print()
async def get_objects(coro):
objects, resp, _ = await coro
while objects:
for object in objects:
yield object
objects, _ = await resp.next() if resp.has_next() else (None, None)
asyncio.run(get_applications())but that might not work here. i wrote it a while ago. maybe i should rewrite it
On an unmodified new clone of Access, non-Okta Admin users are unable to cancel their own Pending Access requests
Hello! I just came back from a short break and am poking around at Discord Access again. I'm not sure when, but there seems to be some sort of regression (at least on my local) where non-Okta Admin users are unable to cancel their own Pending Access Requests:
-
What I see in the UI
-
What I see running in local dev mode in the Terminal
-
It's running under
Python 3.12.3on my Intel Mac in a VENV (just following the setup on the README).
What I just did 5 minutes ago:
gh repo clone discord/access access-unchanged- copy my .env setup from my other dev fork over to this new one. I had an Okta Admin user in the .env for
CURRENT_OKTA_USER_EMAIL - Follow the README as is
python3 -m venv venv
. venv/bin/activate
pip install -r requirements.txt
flask db upgrade
flask init <YOUR_OKTA_USER_EMAIL> #where I init with and Okta Admin User
export CURRENT_OKTA_USER_EMAIL="[email protected]". #i switch over with an ENV VAR over to a Okta NonAdmin User
- Create a request under the nonAdmin and then run into the issue trying to cancel it but bump into the error.
- Exit the app, export CURRENT_OKTA_USER_EMAIL to an Okta Admin user, flask run. After this, I'm able to create new access requests to the same group but also cancel them (when pending).
I'm pretty sure I tested non-Okta Admin users being able to cancel their own requests before - is this a regression?
Help with SQLAlchemy error
Hi!
I've got a kubernetes deployment of access and I'm getting a blank page when trying to access the UI. Digging into the logs, below is what I'm getting. Can you assist with this?
Thanks!
kubectl -n dev-access logs -f -l app=dev-access
WHERE okta_user.email ILIKE %(email_1)s AND okta_user.deleted_at IS NULL
LIMIT %(param_1)s
2024-05-17 19:53:15,123 INFO sqlalchemy.engine.Engine [cached since 264.8s ago] {'email_1': '[email protected]', 'param_1': 1}
[cached since 264.8s ago] {'email_1': '[email protected]', 'param_1': 1}
2024-05-17 19:53:15,125 INFO sqlalchemy.engine.Engine ROLLBACK
ROLLBACK
[17/May/2024:19:53:15 +0000] "GET /manifest.json HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15"
2024-05-17 19:53:15,127 INFO sqlalchemy.engine.Engine ROLLBACK
ROLLBACK
[17/May/2024:19:53:15 +0000] "GET /static/js/main.764bef9b.js HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15"
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.